

#1 - November 23rd, 2007, 02:56 AM
Shleeby (New Member; Join Date: Nov 2007; Posts: 16)
Issues With "RECYCLER" Folder.: Virus trouble - moved from XP by Murray

I am not very computer-smart but I recently found a few trojans and something called "Virtumonde" on my computer, all of which I think I have managed to remove.. Or at least I thought I had until now.

The problem has been suggested to trace back to a folder C:\RECYCLER on my computer. It has one file in it that I am able to see, called "S-1-5-21-854245398-1580818891-682003330-1003" which I am not able to delete. It originally had 3 files in it, all the same name with a different 4-digit number at the end, and I had managed to delete two of them, and finally, the final one last night. Now it has come back. When I look at the properties of the RECYCLER folder, it says it has 1 folder and 3 files inside it. The folder is the file with the numbers for the name, and it has the same symbol as my Recycle bin. The properties say it has 3 files inside it, but the folder shows no files. I have the folder options set to show everything I know how to make it show, but I still am not able to see any folders within this.

Could anyone help me with how to see this, and better yet, how to get rid of them WITHOUT it being able to come back? My virus scans come up as clean, as well as any spyware scans. If anyone is able to help me with this it would be greatly appreciated. Thank you.

Edit: I'm sorry if this is in the wrong section, I am new to these forums as well as I am not sure if this actually IS part of a virus or just part of my computer that I don't know about. Please move this if it is in the wrong section. Thank you.

Last edited by Shleeby; November 23rd, 2007 at 03:07 AM.
#2 - November 23rd, 2007, 03:33 AM
dahli (CTH Subscriber; Join Date: Oct 2004; Location: in a van down by the river; Posts: 5,335)
Hello Shleeby and welcome to CTH,

First, please change your folder options to prevent viewing of hidden files and folders.

Please download VundoFix.exe to your desktop.

* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.
* Please post the contents of C:\vundofix.txt.


Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.


After the reboot, Disable your antivirus program and go here and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan" and grab a coffee.

When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export scan". Save the file as an HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit - Select All. Then copy/paste that log back here, along with the contents of C:\vundofix.txt and a new HijackThis log please.
#3 - November 23rd, 2007, 03:37 AM
Shleeby (New Member; Join Date: Nov 2007; Posts: 16)
Thank you Dahli. I used the VundoFix last night and it didn't detect anything. I also tried Virtmundobegone which, again, did not detect anything.

It sounds as though this will take a while, so I'll report back when I finish what you suggested, thanks again.

Also: What is a HijackThis log? I've never heard of it :s

Last edited by Shleeby; November 23rd, 2007 at 03:41 AM.
#4 - November 23rd, 2007, 03:43 AM
dahli (CTH Subscriber; Join Date: Oct 2004; Location: in a van down by the river; Posts: 5,335)
HijackThis:
http://www.cybertechhelp.com/downloa...this-installer

Did you use VundoFix or FixVundo?
#5 - November 23rd, 2007, 03:46 AM
Shleeby (New Member; Join Date: Nov 2007; Posts: 16)
I used VundoFix last night, which I believe is the same one you suggested, the program looks exactly the same. It came up with nothing last night, and so far has come up with nothing again, although it is still scanning.
#6 - November 23rd, 2007, 03:48 AM
dahli (CTH Subscriber; Join Date: Oct 2004; Location: in a van down by the river; Posts: 5,335)
ok - please download the HijackThis installer and post the log it creates.
#7 - November 23rd, 2007, 03:50 AM
Shleeby (New Member; Join Date: Nov 2007; Posts: 16)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:48:40 PM, on 11/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WBINST~1.EXE
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Shel\Desktop\VundoFix.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Shel\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WhatPulse] C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [WindowBlinds] C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbconfig.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Alienware Dock.lnk = C:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe
O4 - Startup: TimeLeft.lnk = C:\Program Files\TimeLeft3\TimeLeft.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1167202643078
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1167469399000
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab55200.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)

--
End of file - 10966 bytes




There's the HijackThis log.
EDIT: VundoFix came up with nothing again.
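Reading a HijackThis log by hand means checking each O4 autorun and O23 service entry against what is expected on the machine. As an added example (not part of the thread, and not HijackThis' own code), the Python below runs that first-pass triage over a constructed excerpt in the same log format: it flags services printed with "(file missing)", services whose binary carries no vendor information, autoruns that name an executable without a path (so the log alone does not say which file will run), and RunOnce entries. A flag is a prompt for a reviewer, not a verdict; Ati2mdxx.exe, for instance, is attributed to ATI Technologies in the Silent Runners output later in the thread.

```python
import re
from typing import List, Tuple

# Constructed sample in HijackThis v2.0 log format. The entry types mirror those in the
# posted log (O4 autorun entries and O23 services); the lines are assembled here for the
# example rather than copied from the thread as a whole.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\RunOnce: [WindowBlinds] C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbconfig.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)
"""

# O4 lines: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 lines: "O23 - Service: <display name> - <owner from version info> - <binary path>"
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

Finding = Tuple[str, str, str]  # (severity, entry name, reason)


def executable_of(cmd: str) -> str:
    """Return the program part of a Run-key command line: the quoted path if the
    line starts with a quote, otherwise the first whitespace-delimited token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_hjt(log_text: str) -> List[Finding]:
    """Flag the O4 and O23 entries a reviewer would verify first. Other entry
    types (R0/R1, O9, O16, ...) are left for manual review."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m["cmd"])
            if "\\" not in exe and "/" not in exe:
                # A bare file name is located through the PATH search order at logon,
                # so the log alone does not tell the reviewer which file will run.
                findings.append(("medium", m["name"], f"autorun without full path: {exe}"))
            if m["key"].upper().endswith("RUNONCE"):
                findings.append(("low", m["name"], "RunOnce entry: executes once at the next logon"))
            continue
        m = O23_RE.match(line)
        if m:
            if m["path"].endswith("(file missing)"):
                # The service is registered but its binary is gone: a leftover of an
                # uninstall, or a payload that a scanner already removed.
                findings.append(("medium", m["svc"], "service binary missing: stale entry or removed payload"))
            elif m["owner"] == "Unknown owner":
                findings.append(("low", m["svc"], "service binary carries no vendor information"))
    return findings


if __name__ == "__main__":
    for severity, name, reason in triage_hjt(SAMPLE_HJT_LOG):
        print(f"[{severity}] {name}: {reason}")
```

Run against the constructed excerpt it reports four entries: ATIModeChange (no path), WindowBlinds (RunOnce), Ati HotKey Poller (no vendor) and Ventrilo (file missing). Paste a full log into SAMPLE_HJT_LOG to triage it the same way.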
#8 - November 23rd, 2007, 03:55 AM
dahli (CTH Subscriber; Join Date: Oct 2004; Location: in a van down by the river; Posts: 5,335)
Download combofix.exe to your Desktop.

Doubleclick on combofix.exe and follow the prompts. A window will open with a warning. Type "1" (and Enter) to start the fix. When the scan completes, Disk Cleanup will run and then a text window with your log will open. Please copy and paste that log back here.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.


Also go here and download Silent Runners.vbs (use IE to download it) to a new folder on your drive and run it. It generates a log too. It takes a minute or two and it will notify you with a popup when your log is ready (it will be in the new folder you created). Please post the information back in this thread. If your AV queries the script, allow it to run. It's not malicious.
#9 - November 23rd, 2007, 04:19 AM
Shleeby (New Member; Join Date: Nov 2007; Posts: 16)
ComboFix log:

ComboFix 07-11-19.3 - Shel 2007-11-22 21:01:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.256 [GMT -6:00]
Running from: C:\Documents and Settings\Shel\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ffhkj.ini
C:\WINDOWS\system32\ffhkj.ini2
C:\WINDOWS\system32\jkhff.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-23 to 2007-11-23 )))))))))))))))))))))))))))))))
.

2007-11-22 13:23 <DIR> d-------- C:\Program Files\iTunes
2007-11-22 13:23 <DIR> d-------- C:\Program Files\iPod
2007-11-22 13:20 <DIR> d-------- C:\Program Files\QuickTime
2007-11-22 00:57 <DIR> d-------- C:\VundoFix Backups
2007-11-22 00:32 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-22 00:30 <DIR> d-------- C:\Documents and Settings\Shel\.housecall6.6
2007-11-21 22:23 64 --a------ C:\WINDOWS\system32\SNDSYS.log
2007-11-21 22:23 64 --a------ C:\WINDOWS\system32\SNDIDS.log
2007-11-21 22:23 64 --a------ C:\WINDOWS\system32\SNDFW.log
2007-11-21 22:23 64 --a------ C:\WINDOWS\system32\SNDDBG.log
2007-11-21 22:23 64 --a------ C:\WINDOWS\system32\SNDCON.log
2007-11-21 22:23 64 --a------ C:\WINDOWS\system32\SNDALRT.log
2007-11-21 18:01 <DIR> d-------- C:\Documents and Settings\Shel\Application Data\Symantec
2007-11-21 15:01 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-11-21 14:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2007-11-21 13:11 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2007-11-21 07:43 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2007-11-18 11:43 <DIR> d-------- C:\Documents and Settings\Shel\Application Data\NoNameScript
2007-11-14 23:43 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-11-14 23:43 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-11-14 15:54 <DIR> d-------- C:\Program Files\Ventrilo
2007-11-09 17:19 <DIR> d-------- C:\Program Files\Poppit To Go
2007-11-08 16:17 30,728 --a------ C:\WINDOWS\system32\drivers\epfwtdir.sys
2007-11-08 16:10 27,656 --a------ C:\WINDOWS\system32\drivers\easdrv.sys
2007-11-08 16:09 33,800 --a------ C:\WINDOWS\system32\drivers\eamon.sys
2007-10-31 18:20 <DIR> d-------- C:\Program Files\Second Sight Software
2007-10-31 14:34 <DIR> d-------- C:\Program Files\Happy Hour
2007-10-27 14:58 <DIR> d-------- C:\Program Files\Big Island Blends
2007-10-24 20:11 <DIR> d-------- C:\Program Files\AlienGUIse
2007-10-24 18:58 <DIR> d-------- C:\Program Files\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-27 22:07 --------- d-----w C:\Program Files\Norton AntiVirus
2007-11-22 17:04 --------- d-----w C:\Program Files\mIRC
2007-11-22 17:04 --------- d-----w C:\Program Files\Common Files\stardock
2007-11-21 05:16 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-11-21 05:16 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-11-21 05:16 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-11-21 05:16 --------- d-----w C:\Program Files\Symantec
2007-11-21 05:16 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-19 02:32 --------- d-----w C:\Program Files\SwiftSwitch
2007-11-15 04:12 --------- d-----w C:\Documents and Settings\Shel\Application Data\teamspeak2
2007-11-15 00:11 --------- d-----w C:\Documents and Settings\Shel\Application Data\Ventrilo
2007-11-14 21:54 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-09 22:49 --------- d-----w C:\Program Files\Nanny Mania
2007-10-28 23:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\SwiftSwitch
2007-10-27 03:19 --------- d-----w C:\Documents and Settings\Shel\Application Data\dvdcss
2007-10-25 00:07 --------- d-----w C:\Program Files\Lexmark X1100 Series
2007-10-19 02:16 --------- d-----w C:\Program Files\TimeLeft3
2007-10-19 02:16 --------- d-----w C:\Documents and Settings\Shel\Application Data\NesterSoft
2007-10-13 05:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\TechSmith
2007-10-13 05:28 --------- d-----w C:\Program Files\TechSmith
2007-10-13 05:28 --------- d-----w C:\Program Files\Common Files\TechSmith Shared
2007-10-11 21:35 --------- d-----w C:\Program Files\PCFriendly
2007-10-10 20:45 --------- d-----w C:\Program Files\Java
2007-10-07 19:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-03 00:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-25 20:58 --------- d-----w C:\Program Files\Apple Software Update
2007-01-11 01:01 0 ----a-w C:\Documents and Settings\Shel\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ED203331-9C33-49D8-8714-D24A366A04EC}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-13 10:24]
"Gadwin PrintScreen 3.5"="C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2006-07-08 02:57]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"WhatPulse"="C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE " [2004-12-05 04:20]
"Sonic RecordNow!"="" []
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2007-08-24 16:37]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-04 01:56]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 04:43]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 16:24 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-06 21:00]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 01:04]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 01:01]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 19:22]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 22:56 C:\WINDOWS\system32\bthprops.cpl]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-11-08 16:13]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-11-14 23:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11]

C:\Documents and Settings\Shel\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 18:16:50]
Alienware Dock.lnk - C:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe [2007-10-24 20:12:02]
TimeLeft.lnk - C:\Program Files\TimeLeft3\TimeLeft.exe [2007-10-18 20:16:40]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-09-18 17:43:08]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 03:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkhghi]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll 2005-01-31 14:13 49152 C:\PROGRA~1\COMMON~1\stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2005-12-20 22:57 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbjv32]
winbjv32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkhff.dll

R1 easdrv;easdrv;C:\WINDOWS\system32\DRIVERS\easdrv.sys
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
R2 eamon;EAMON;C:\WINDOWS\system32\DRIVERS\eamon.sys
R2 ekrn;Eset Service;"C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe"
S3 CCCP106;CIF USB Camera (2110A);C:\WINDOWS\system32\DRIVERS\cccp106.sys
S3 EhttpSrv;Eset HTTP Server;"C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe"

.
Contents of the 'Scheduled Tasks' folder
"2007-11-22 18:45:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-17 02:00:28 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Shel.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
"2007-11-22 00:01:24 C:\WINDOWS\Tasks\Norton AntiVirus - TrojanChecker - Shel.job"
- C:\PROGRA~1\NORTON~1\Navw32.exed/SE- /TASK:
.
************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-22 21:11:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

************************************************************************
.
Completion time: 2007-11-22 21:15:13 - machine was rebooted
.
--- E O F ---




Running the Silent Runners thing now.
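The "Reg Loading Points" section of the ComboFix log above is where the persistence in this thread shows: two Winlogon Notify subkeys that do not look like the Stardock one next to them (jkkhghi with nothing listed beneath it, winbjv32 with only a bare DLL name), an AppInit_DLLs value, and an LSA "Authentication Packages" value carrying a second DLL, C:\WINDOWS\system32\jkhff.dll, which is the same file ComboFix lists under "Other Deletions". As an added example (not part of the thread, and not ComboFix's own code), the Python below parses a constructed excerpt in that layout, flags those three kinds of loading point, and cross-references any extra LSA package against the deletions list so the reviewer knows whether it was already removed. The baseline of a single msv1_0 package is an assumption about a default XP install; adjust it for machines that legitimately register more.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the layout ComboFix uses for its "Other Deletions" and
# "Reg Loading Points" sections. The key names and values are the ones in the
# posted log; the excerpt itself is assembled here for the example.
SAMPLE_COMBOFIX = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ffhkj.ini
C:\WINDOWS\system32\ffhkj.ini2
C:\WINDOWS\system32\jkhff.dll

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkhghi]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll 2005-01-31 14:13 49152 C:\PROGRA~1\COMMON~1\stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbjv32]
winbjv32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkhff.dll
"""

SECTION_RE = re.compile(r"^\(+\s*(?P<title>.+?)\s*\)+")   # ComboFix section banners
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")               # [registry key] lines
LSA_BASELINE = {"msv1_0"}  # assumed: the only authentication package on a default XP install

Finding = Tuple[str, str, str]  # (severity, loading point, reason)


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group the log's non-empty lines under the banner that precedes them."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m["title"]
            sections[current] = []
        elif current is not None and line and line != ".":
            sections[current].append(line)
    return sections


def parse_loading_points(lines: List[str]) -> Dict[str, List[str]]:
    """Map each [registry key] line to the value lines printed beneath it.
    A key printed with nothing beneath it maps to an empty list."""
    points: Dict[str, List[str]] = {}
    current = None
    for line in lines:
        m = KEY_RE.match(line)
        if m:
            current = m["key"]
            points[current] = []
        elif current is not None:
            points[current].append(line)
    return points


def triage_combofix(text: str) -> List[Finding]:
    sections = split_sections(text)
    deleted = {p.lower() for p in sections.get("Other Deletions", [])}
    points = parse_loading_points(sections.get("Reg Loading Points", []))
    findings: List[Finding] = []
    for key, body in points.items():
        key_l = key.lower()
        leaf = key.rsplit("\\", 1)[-1]
        if "\\winlogon\\notify\\" in key_l:
            # Notification packages are DLLs loaded into winlogon.exe at every logon.
            if not body:
                findings.append(("high", leaf, "notify package registered but no DLL could be listed for it"))
            else:
                dll = body[0].split(" ", 1)[0]  # ComboFix prints the path in 8.3 form, so no spaces
                if "\\" not in dll:
                    findings.append(("high", leaf, f"notify DLL given as a bare name ({dll}), loaded from the system directory"))
                else:
                    findings.append(("info", leaf, f"notify DLL with full path: {dll}"))
        elif key_l.endswith("\\currentversion\\windows"):
            for line in body:
                if line.lower().startswith('"appinit_dlls"='):
                    value = line.split("=", 1)[1].strip()
                    if value:
                        # AppInit_DLLs is mapped into every process that loads user32.dll.
                        findings.append(("medium", "AppInit_DLLs", f"loaded into every user32 process: {value}"))
        elif key_l.endswith("\\control\\lsa"):
            for line in body:
                if line.lower().startswith('"authentication packages"='):
                    for pkg in line.split("=", 1)[1].split():
                        if pkg.lower() not in LSA_BASELINE:
                            # An extra LSA authentication package sees the credentials of every logon.
                            state = "already removed by the scanner" if pkg.lower() in deleted else "still present"
                            findings.append(("high", "Authentication Packages", f"extra LSA package {pkg} ({state})"))
    return findings


if __name__ == "__main__":
    for severity, point, reason in triage_combofix(SAMPLE_COMBOFIX):
        print(f"[{severity}] {point}: {reason}")
```

On the constructed excerpt this yields two high findings for the notify subkeys, an informational line for the Stardock MCPClient package, a medium finding for AppInit_DLLs and a high finding for the extra LSA package, marked as already removed because it appears in the deletions list. The jkkhghi finding is the one that remains open: the scanner removed jkhff.dll but the Notify subkey pointing at nothing is still registered.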
#10 - November 23rd, 2007, 04:25 AM
Shleeby (New Member; Join Date: Nov 2007; Posts: 16)
My apologies for the double-post but this was too big to edit into my previous post. Here are the results for the Silent Runners scan:

"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\MSMSGS.EXE" /background" [MS]
"Gadwin PrintScreen 3.5" = "C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash" ["Gadwin Systems, Inc."]
"Aim6" = "(empty string)" [file not found]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"WhatPulse" = "C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE" [null data]
"Sonic RecordNow!" = "(empty string)" [file not found]
"Veoh" = ""C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide" ["Veoh Networks"]
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ehTray" = "C:\WINDOWS\ehome\ehtray.exe" [MS]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"Lexmark X1100 Series" = ""C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"" ["Lexmark International, Inc."]
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["Sonic Solutions"]
"StorageGuard" = ""C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r" ["Sonic Solutions"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"osCheck" = ""C:\Program Files\Norton AntiVirus\osCheck.exe"" ["Symantec Corporation"]
"Symantec PIF AlertEng" = ""C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"" ["Symantec Corporation"]
"BluetoothAuthenticationAgent" = "rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent" [MS]
"egui" = ""C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice" ["ESET"]
"QuickTime Task" = ""C:\Program Files\QuickTime\QTTask.exe" -atboottime" ["Apple Inc."]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
{5CA3D70E-1895-11CF-8E15-001234567890}\(Default) = (no title provided)
-> {HKLM...CLSID} = "DriveLetterAccess"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Sign-in Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"
-> {HKLM...CLSID} = "My Bluetooth Places"
\InProcServer32\(Default) = "C:\WINDOWS\system32\btneighborhood.dll" ["Broadcom Corporation."]
"{7842554E-6BED-11D2-8CDB-B05550C10000}" = "Monitor"
-> {HKLM...CLSID} = "Monitor Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\btncopy.dll" ["Broadcom Corporation."]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
-> {HKLM...CLSID} = "RecordNow! SendToExt"
\InProcServer32\(Default) = "C:\Program Files\Sonic\RecordNow!\shlext.dll" ["Sonic Solutions"]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
-> {HKLM...CLSID} = "DriveLetterAccess"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Program Files\WinZip\wzshlstb.dll" ["WinZip Computing, S.L."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Program Files\WinZip\wzshlstb.dll" ["WinZip Computing, S.L."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Program Files\WinZip\wzshlstb.dll" ["WinZip Computing, S.L."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Program Files\WinZip\wzshlstb.dll" ["WinZip Computing, S.L."]
"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "Eset Smart Security - Context Menu Shell Extension"
-> {HKLM...CLSID} = "Eset Smart Security - Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\ESET\ESET NOD32 Antivirus\shellExt.dll" ["ESET"]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]
"{2F5AC606-70CF-461C-BFE1-734234536262}" = "WindowBlinds CPL Extension"
-> {HKLM...CLSID} = "DisplayCplExt Class"
\InProcServer32\(Default) = "C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbui.dll" ["Stardock.Net, Inc"]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"0aMCPClient" = "{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"
-> {HKLM...CLSID} = "MCPShellInstantiator Class"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\stardock\MCPCore.dll" ["Stardock"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "AppInit_DLLs" = "wbsys.dll" ["Stardock.Net, Inc"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> MCPClient\DLLName = "C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll" ["Stardock"]
<<!>> WBSrv\DLLName = "C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll" ["Stardock"]
<<!>> winbjv32\DLLName = "winbjv32.dll" [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Eset Smart Security - Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
-> {HKLM...CLSID} = "Eset Smart Security - Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\ESET\ESET NOD32 Antivirus\shellExt.dll" ["ESET"]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\PROGRA~1\NORTON~1\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Program Files\WinZip\wzshlstb.dll" ["WinZip Computing, S.L."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Program Files\WinZip\wzshlstb.dll" ["WinZip Computing, S.L."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Eset Smart Security - Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
-> {HKLM...CLSID} = "Eset Smart Security - Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\ESET\ESET NOD32 Antivirus\shellExt.dll" ["ESET"]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\PROGRA~1\NORTON~1\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Program Files\WinZip\wzshlstb.dll" ["WinZip Computing, S.L."]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Shel\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Startup items in "Shel" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\Shel\Start Menu\Programs\Startup
"Adobe Gamma" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Alienware Dock" -> shortcut to: "C:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe" ["Stardock"]
"TimeLeft" -> shortcut to: "C:\Program Files\TimeLeft3\TimeLeft.exe" ["NesterSoft Inc."]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Bluetooth" -> shortcut to: "C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe" ["Broadcom Corporation."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]
"Norton AntiVirus - Run Full System Scan - Shel" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /TASK:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Norton AntiVirus - TrojanChecker - Shel" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /SE- /TASK:"C:\Documents and Settings\Shel\Application Data\Symantec\Norton AntiVirus\Tasks\30.sca"" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_03"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_03"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll" ["Sun Microsystems, Inc."]

{CCA281CA-C863-46EF-9331-5C8D4460577F}\
"ButtonText" = "@btrez.dll,-4015"
"MenuText" = "@btrez.dll,-12650"
"Script" = "C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm" [null data]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Apple Mobile Device, Apple Mobile Device, ""C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Automatic LiveUpdate Scheduler, Automatic LiveUpdate Scheduler, ""C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"" ["Symantec Corporation"]
Bluetooth Service, btwdins, "C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe" ["Broadcom Corporation."]
Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}
Eset Service, ekrn, ""C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe"" ["ESET"]
iPod Service, iPod Service, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Inc."]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
LiveUpdate, LiveUpdate, ""C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE"" ["Symantec Corporation"]
LiveUpdate Notice Service Ex, LiveUpdate Notice Ex, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Media Center Scheduler Service, ehSched, "C:\WINDOWS\ehome\ehSched.exe" [MS]
spkrmon, spkrmon, "C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe" [empty string]
Symantec AppCore Service, SymAppCore, ""C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Symantec Lic NetConnect service, CLTNetCnService, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Bluetooth Printer Port\Driver = "bthcrp.dll" ["Broadcom Corporation."]
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]


---------- (launch time: 2007-11-22 21:22:03)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 60 seconds, including 18 seconds for message boxes)
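The Silent Runners log above annotates each launch point with the company name from the file's version resource, "[null data]" when that string is empty, and "[file not found]" when the registered DLL is not on disk (the winbjv32 entry under Winlogon\Notify is the one such case in this log). The script below is an added example written for this thread, not part of Silent Runners or any vendor tool: it walks the same launch points the log reports (AppInit_DLLs, Winlogon\Notify, ShellServiceObjectDelayLoad, the approved shell extensions, and the Winsock2 namespace providers), resolves each entry to a file, and prints the unresolvable ones first. It assumes Windows PowerShell run from an elevated prompt on the machine being examined; Winlogon\Notify is only populated on XP/2003, and the company lookup is an approximation of what Silent Runners prints.

```powershell
# Added example for this thread (not Silent Runners' own code): audit the launch
# points from the log above and annotate each entry the way the log does.
# Assumes Windows PowerShell, elevated, on the machine being examined.

$System32 = Join-Path $env:SystemRoot 'System32'

function Resolve-LaunchPath {
    # Strip quotes, expand %SystemRoot%-style variables and treat a bare file
    # name the way the loader does for these keys: look in System32.
    param([string]$Raw)
    if ([string]::IsNullOrWhiteSpace($Raw)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($Raw.Trim().Trim('"'))
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $System32 $p }
    return $p
}

function New-LaunchPointRow {
    # Status mirrors the log: company string, 'null data', or 'file not found'.
    param([string]$Location, [string]$Name, [string]$Raw)
    $path = Resolve-LaunchPath $Raw
    if (-not $path -or -not (Test-Path -LiteralPath $path)) {
        $status = 'file not found'
    } else {
        $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
        $status = if ([string]::IsNullOrWhiteSpace($company)) { 'null data' } else { $company }
    }
    [pscustomobject]@{ Location = $Location; Name = $Name; Status = $status; Path = $path }
}

function Get-InprocServer32 {
    # CLSID -> InprocServer32 default value, the log's "-> {HKLM...CLSID}" step.
    param([string]$Clsid)
    $key = "HKLM:\SOFTWARE\Classes\CLSID\$Clsid\InprocServer32"
    if (Test-Path -LiteralPath $key) { return (Get-ItemProperty -LiteralPath $key).'(default)' }
    return $null
}

$rows = @()

# AppInit_DLLs: loaded into every process that maps user32.dll.
$winKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -LiteralPath $winKey).AppInit_DLLs
foreach ($dll in @($appInit -split '[ ,]' | Where-Object { $_ })) {
    $rows += New-LaunchPointRow 'AppInit_DLLs' $dll $dll
}

# Winlogon\Notify: DLLs winlogon.exe loads at logon (XP/2003 only).
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path -LiteralPath $notifyKey) {
    foreach ($sub in Get-ChildItem -LiteralPath $notifyKey) {
        $dllName = (Get-ItemProperty -LiteralPath $sub.PSPath).DLLName
        $rows += New-LaunchPointRow 'Winlogon\Notify' $sub.PSChildName $dllName
    }
}

# ShellServiceObjectDelayLoad (value data = CLSID) and approved shell extensions
# (value name = CLSID): both are loaded by Explorer through InprocServer32.
$clsidKeys = @(
    @{ Loc = 'ShellServiceObjectDelayLoad'; Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'; ClsidInValue = $true }
    @{ Loc = 'Shell Extensions\Approved';   Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'; ClsidInValue = $false }
)
foreach ($k in $clsidKeys) {
    if (-not (Test-Path -LiteralPath $k.Key)) { continue }
    $props = (Get-ItemProperty -LiteralPath $k.Key).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
    foreach ($p in $props) {
        $clsid = if ($k.ClsidInValue) { [string]$p.Value } else { $p.Name }
        $rows += New-LaunchPointRow $k.Loc $p.Name (Get-InprocServer32 $clsid)
    }
}

# Winsock2 namespace providers: a DLL registered here takes part in every name lookup.
$nsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries'
if (Test-Path -LiteralPath $nsKey) {
    foreach ($sub in Get-ChildItem -LiteralPath $nsKey) {
        $lib = (Get-ItemProperty -LiteralPath $sub.PSPath).LibraryPath
        $rows += New-LaunchPointRow 'Winsock2 NameSpace' $sub.PSChildName $lib
    }
}

# Unresolvable entries first: the registration still fires at boot or logon even
# though the DLL it names is gone, so those rows are the ones to account for.
$rows | Sort-Object @{ Expression = { $_.Status -ne 'file not found' } }, Location |
    Format-Table Location, Name, Status, Path -AutoSize
```

A "file not found" row is not proof of malware on its own; an uninstaller that removed the DLL but left the registry hook produces the same row. What it tells you is that the hook is still live and that nothing is currently answering it, which is exactly the case to resolve before declaring a machine clean.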
#11  November 23rd, 2007, 04:47 AM
dahli (CTH Subscriber; Join Date: Oct 2004; Location: in a van down by the river; Posts: 5,335)
Run F-Secure's online scanner here. You will need to use IE and allow the ActiveX controls to load. Click Full System Scan and allow the components to download and the scan to complete. If malware is found during the scan, check Submit samples to F-Secure, then select Automatic cleaning. When the scan has finished, click the Show Report button and copy and paste the entire report in your next reply.
#12  November 23rd, 2007, 04:50 AM
Shleeby (New Member; Join Date: Nov 2007; Posts: 16)
Thank you once again, Dahli.
I've just now gotten the time to work on the BitDefender scan due to having to restart a couple of times with the other scans, so should I quit this scan again, or should I wait and then run the F-Secure scan?
#13  November 23rd, 2007, 05:19 AM
dahli (CTH Subscriber; Join Date: Oct 2004; Location: in a van down by the river; Posts: 5,335)
Continue with the Bitdefender scan first.
#14  November 23rd, 2007, 05:54 AM
Shleeby (New Member; Join Date: Nov 2007; Posts: 16)
My BitDefender scan is still going, and for some reason it has scanned 105257 files out of 101918 files and still going.. is it normal that it's going past the number it said it was scanning?
So far it has found and deleted 3 infections so I think that's a good sign.

EDIT: My BitDefender scan is done, results -

BitDefender Online Scanner

Scan report generated at: Thu, Nov 22, 2007 - 23:01:31
Scan path: C:\;D:\;E:\;

Statistics
  Time: 01:26:21
  Files: 362560
  Folders: 7635
  Boot Sectors: 4
  Archives: 8258
  Packed Files: 11032

Results
  Identified Viruses: 2
  Infected Files: 3
  Suspect Files: 0
  Warnings: 0
  Disinfected: 0
  Deleted Files: 3

Engines Info
  Virus Definitions: 878555
  Engine build: AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
  Scan plugins: 14
  Archive plugins: 38
  Unpack plugins: 7
  E-mail plugins: 6
  System plugins: 1

Scan Settings
  First Action: Disinfect
  Second Action: Delete
  Heuristics: Yes
  Enable Warnings: Yes
  Scanned Extensions: *;
  Exclude Extensions:
  Scan Emails: Yes
  Scan Archives: Yes
  Scan Packed: Yes
  Scan Files: Yes
  Scan Boot: Yes

Scanned File -> Status
  C:\Documents and Settings\All Users\Application Data\SwiftSwitch\2.39_07.25.26_swiftswitch(update).exe -> Infected with: Trojan.Downloader.BZW
  C:\Documents and Settings\All Users\Application Data\SwiftSwitch\2.39_07.25.26_swiftswitch(update).exe -> Disinfection failed
  C:\Documents and Settings\All Users\Application Data\SwiftSwitch\2.39_07.25.26_swiftswitch(update).exe -> Deleted
  C:\Program Files\Common Files\Symantec Shared\SecurityHistory\MCRES.loc -> Clean
  C:\Program Files\Common Files\Symantec Shared\SecurityHistory\MCUI32.exe -> Clean
  C:\Program Files\Common Files\Symantec Shared\SEVINST.EXE -> Clean
  C:\Program Files\Common Files\Symantec Shared\SHAxRes.loc -> Clean
  C:\Program Files\Common Files\Symantec Shared\SMNLnch.exe -> Clean
  C:\Program Files\Common Files\Symantec Shared\SNDALRT.log -> Clean
  C:\Program Files\Common Files\Symantec Shared\SNDCON.log -> Clean
  C:\Program Files\Common Files\Symantec Shared\SNDDBG.log -> Clean
  C:\Program Files\Common Files\Symantec Shared\SNDFW.log -> Clean
  C:\Program Files\Common Files\Symantec Shared\SNDIDS.log -> Clean
  C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -> Clean
  C:\Program Files\Common Files\Symantec Shared\SNDSvc.dll -> Clean
  C:\Program Files\Common Files\Symantec Shared\SNDSYS.log -> Clean
  C:\Program Files\Common Files\Symantec Shared\SNDunin.dll -> Clean
  C:\Program Files\Common Files\Symantec Shared\SPBBC\ -> Clean
  C:\Program Files\Common Files\Symantec Shared\SPBBC\2007-11-21-3861.kc -> Clean
  C:\Program Files\Common Files\Symantec Shared\SPBBC\bbRGen.dll -> Clean
  C:\Program Files\Common Files\Symantec Shared\SPBBC\ccTrstPc.dll -> Clean
  C:\Program Files\Common Files\Symantec Shared\SPBBC\init.kc -> Clean
  C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCCli.dll -> Clean
  C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.cat -> Clean
  C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.inf -> Clean
  C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -> Clean
  C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCEvt.dll -> Clean
  C:\Program Files\Common Files\Symantec Shared\SPBBC\SPLVPlug.dll -> Clean
  C:\Program Files\Common Files\Symantec Shared\SPBBC\SPLVPRes.dll -> Clean
  C:\Program Files\Common Files\Symantec Shared\SPBBC\TPDef.dat -> Clean
  C:\Program Files\Common Files\Symantec Shared\SPBBC\TProcPlg.dll -> Clean
  C:\Program Files\Common Files\Symantec Shared\SPBBC\UpdMgr.exe -> Clean
  C:\Program Files\Common Files\Symantec Shared\SPManifests\ -> Clean
  C:\Program Files\Common Files\Symantec Shared\SPManifests\AlertEng.grd -> Clean
  C:\Program Files\Common Files\Symantec Shared\SPManifests\AlertEng.sig -> Clean
  C:\Program Files\Common Files\Symantec Shared\SPManifests\AlertEng.spm -> Clean
  C:\Program Files\Common Files\Symantec Shared\SPManifests\AppCore.grd -> Clean
  C:\Program Files\Common Files\Symantec Shared\VirusDefs\20070308.018\TCSCAN7.DAT -> Clean
  C:\Program Files\Common Files\Symantec Shared\VirusDefs\20070308.018\TCSCAN8.DAT -> Clean
  C:\Program Files\Common Files\Symantec Shared\VirusDefs\20070308.018\TCSCAN9.DAT -> Clean
  C:\Program Files\Common Files\Symantec Shared\VirusDefs\20070308.018\TECHNOTE.TXT -> Clean
  C:\Program Files\Common Files\Symantec Shared\VirusDefs\20070308.018\TINF.DAT -> Clean
  C:\Program Files\Common Files\Symantec Shared\VirusDefs\20070308.018\TINFIDX.DAT -> Clean
  C:\Program Files\Common Files\Symantec Shared\VirusDefs\20070308.018\TINFL.DAT -> Clean
  C:\Program Files\Common Files\Symantec Shared\VirusDefs\20070308.018\TSCAN1.DAT -> Clean
  C:\Program Files\Common Files\Symantec Shared\VirusDefs\20070308.018\TSCAN1HD.DAT -> Clean
  C:\Program Files\Common Files\Symantec Shared\VirusDefs\20070308.018\V.GRD -> Clean
  C:\Program Files\Common Files\Symantec Shared\VirusDefs\20070308.018\V.SIG -> Clean
  C:\Program Files\Common Files\Symantec Shared\VirusDefs\20070308.018\VIRSCAN.INF -> Clean
  C:\Program Files\Common Files\Symantec Shared\VirusDefs\20070308.018\VIRSCAN1.DAT -> Clean
  C:\Program Files\Common Files\Symantec Shared\VirusDefs\20070308.018\VIRSCAN2.DAT -> Clean
  C:\Program Files\Common Files\Symantec Shared\VirusDefs\20070308.018\VIRSCAN3.DAT -> Clean
  C:\Program Files\Common Files\Symantec Shared\VirusDefs\20070308.018\VIRSCAN4.DAT -> Clean
  C:\Program Files\Common Files\Symantec Shared\VirusDefs\20070308.018\VIRSCAN5.DAT -> Clean
  C:\System Volume Information\_restore{95ADA633-F660-403C-9C87-FDC600C3FFA2}\RP324\A0068534.exe -> Infected with: DeepScan:Generic.Virtob.1.0D06FC6E
  C:\System Volume Information\_restore{95ADA633-F660-403C-9C87-FDC600C3FFA2}\RP324\A0068534.exe -> Disinfection failed
  C:\System Volume Information\_restore{95ADA633-F660-403C-9C87-FDC600C3FFA2}\RP324\A0068534.exe -> Deleted
  C:\System Volume Information\_restore{95ADA633-F660-403C-9C87-FDC600C3FFA2}\RP327\A0072131.exe -> Infected with: Trojan.Downloader.BZW
  C:\System Volume Information\_restore{95ADA633-F660-403C-9C87-FDC600C3FFA2}\RP327\A0072131.exe -> Disinfection failed
  C:\System Volume Information\_restore{95ADA633-F660-403C-9C87-FDC600C3FFA2}\RP327\A0072131.exe -> Deleted

Last edited by Shleeby; November 23rd, 2007 at 06:05 AM.
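The BitDefender report above lists each infected file three times, once per event (Infected with, Disinfection failed, Deleted), which is why "Infected Files" and "Deleted Files" both read 3 for two detections. The function below is an added example written for this thread, not BitDefender's own tooling: it folds a pasted report in that format (one path line, then one status line, repeated) into one row per file and flags the copies that sat inside System Restore snapshots. $Sample is a constructed excerpt in the report's format, using paths from the report above; the function takes the full pasted report just as well.

```powershell
# Added example for this thread (not BitDefender's tool): one row per file from
# a pasted BitDefender Online Scanner report. $Sample is a constructed excerpt.

$Sample = @'
Scanned File
Status
C:\Documents and Settings\All Users\Application Data\SwiftSwitch\2.39_07.25.26_swiftswitch(update).exe
Infected with: Trojan.Downloader.BZW
C:\Documents and Settings\All Users\Application Data\SwiftSwitch\2.39_07.25.26_swiftswitch(update).exe
Disinfection failed
C:\Documents and Settings\All Users\Application Data\SwiftSwitch\2.39_07.25.26_swiftswitch(update).exe
Deleted
C:\Program Files\Common Files\Symantec Shared\SEVINST.EXE
Clean
C:\System Volume Information\_restore{95ADA633-F660-403C-9C87-FDC600C3FFA2}\RP324\A0068534.exe
Infected with: DeepScan:Generic.Virtob.1.0D06FC6E
C:\System Volume Information\_restore{95ADA633-F660-403C-9C87-FDC600C3FFA2}\RP324\A0068534.exe
Disinfection failed
C:\System Volume Information\_restore{95ADA633-F660-403C-9C87-FDC600C3FFA2}\RP324\A0068534.exe
Deleted
'@

function ConvertFrom-BitDefenderReport {
    param([string]$Text)
    # Blank lines carry nothing; after the "Scanned File" / "Status" header the
    # remaining lines alternate path, status, path, status, ...
    $lines = @($Text -split "`r?`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $start = [array]::IndexOf($lines, 'Status') + 1
    $files = [ordered]@{}
    for ($i = $start; $i + 1 -lt $lines.Count; $i += 2) {
        $path = $lines[$i]
        $status = $lines[$i + 1]
        if (-not $files.Contains($path)) {
            $files[$path] = [pscustomobject]@{
                Path           = $path
                Detection      = $null
                Events         = @()
                InRestorePoint = ($path -like 'C:\System Volume Information\_restore*')
            }
        }
        if ($status -like 'Infected with: *') {
            $files[$path].Detection = $status.Substring('Infected with: '.Length)
        }
        $files[$path].Events += $status
    }
    return @($files.Values)
}

$rows = ConvertFrom-BitDefenderReport $Sample
$infected = @($rows | Where-Object { $_.Detection })

# One row per infected file: what was found, the last action taken on it, and
# whether the copy lived in a System Restore snapshot (a restore to that point
# would have put the file back).
$infected | Select-Object Detection,
    @{ n = 'Outcome'; e = { $_.Events[-1] } },
    InRestorePoint, Path | Format-Table -AutoSize

"{0} infected file(s), {1} event line(s) about them" -f $infected.Count,
    ($infected | ForEach-Object { $_.Events.Count } | Measure-Object -Sum).Sum
```

Reading the report this way separates the count of distinct infected files from the count of scanner actions, and the InRestorePoint column makes the restore-point copies stand out: those are the ones a later System Restore would bring back, which matters when an infection keeps reappearing after apparently successful removal.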
#15  November 23rd, 2007, 08:19 AM
Shleeby (New Member; Join Date: Nov 2007; Posts: 16)
Once again my apologies for the double post, but it doesn't fit. Here are the results for the F-Secure scan:

Scanning Report
Thursday, November 22, 2007 23:22:25 - 01:03:29

Computer name: SHELBY
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\
Result: 13 malware found
Tracking Cookie (spyware)

* System (Disinfected)
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System

Statistics
Scanned:

* Files: 42127
* System: 4940
* Not scanned: 3

Actions:

* Disinfected: 1
* Renamed: 0
* Deleted: 0
* None: 12
* Submitted: 0

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{BF1B62CD-8F0A-47EF-B68B-D98440921C3D}.BIN

Options
Scanning engines:

* F-Secure AVP: 7.0.171, 2007-11-22
* F-Secure Blacklight: 1.0.64
* F-Secure Draco: 1.0.35, 0614-150-72
* F-Secure Libra: 2.4.2, 2007-11-22
* F-Secure Orion: 1.2.37, 2007-11-23
* F-Secure Pegasus: 1.19.0, 2007-10-21

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
* Use Advanced heuristics