#11 Founder
Re: Red dot in taskbar ''your activity is recorded''
Quote:
Either this tool is running as a rootkit or it's already there even if that password prompt is closed. Btw: this message box is the characteristic property of the PcPandora keylogger: http://pcpandora.com/ If you have it installed on your PC, remove it.
#12 Moderator
Re: Red dot in taskbar ''your activity is recorded''
Would have to agree with strider, or it's something that's utilised their code. If it's not installed as strider suggests, then run the BlackLight link I gave you.
Stu.
__________________
There are only 10 types of people in the world, those who understand binary and those who don't!
#13 Newbie
Re: Red dot in taskbar ''your activity is recorded''
I will, thanks. I also noticed in Task Manager, if I click ''Applications'', it says, among other things, ''red dot in task bar'', or ''password box'' if I click that.
When I right-click it and select ''Go To Process'', it highlights iexplorer. Does this mean anything? I have read about PcPandora in other threads, but have never downloaded it, but I would agree it sounds exactly the same. I'll let you know how I go on with the scan. Thanks.
#14 Newbie
Re: Red dot in taskbar ''your activity is recorded''
Just had a thought: if it is a legitimate piece of Pandora, do you think if I downloaded the full version and then removed it, it may remove the dot at the same time?
#15 Newbie
Re: Red dot in taskbar ''your activity is recorded''
The scan revealed this virus, but once removed it made no difference to the dot.
C:\WINDOWS\SYSTEM32\BASSMOD.DLL (virus)
#16 Founder
Re: Red dot in taskbar ''your activity is recorded''
Since somebody installed it on your machine, you should be able to remove it. But keyloggers work in strange ways, such as no process info in Task Manager, no startup entries, etc.
Make sure to clean up all unnecessary software from Add/Remove Programs. Try different rootkit detectors mentioned on the following page: http://www.pcsupportadvisor.com/rootkits.htm
e.g. RootkitRevealer v1.71: http://www.microsoft.com/technet/sys...tRevealer.mspx
Now download ESET NOD32 Smart Security (30-day free trial) and check with it: http://www.eset.com/download/download_NT.php
#17 Newbie
Re: Red dot in taskbar ''your activity is recorded''
OK, thanks.
Cheers, Griff.
#18 Newbie
Re: Red dot in taskbar ''your activity is recorded''
Hi,
I ran RootkitRevealer and a few other tools recommended on PC support.com and removed a couple of viruses, but I still have the dot. I did manage, however, to get ComboFix to run and save a log. Could you please have a look to see if you can spot anything? Cheers, Griff.

ComboFix 07-12-15.1 - John 2007-12-14 17:10:30.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.643 [GMT 0:00]
Running from: C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\OR03CN4X\ComboFix[1].exe
 * Created a new restore point
.
The following files were disabled during the run:
C:\WINDOWS\system32\ipnet.dll

((((((((((((((((((((((((( Files Created from 2007-11-15 to 2007-12-15 )))))))))))))))))))))))))))))))
.
2007-12-14 16:41 . 2007-12-15 17:10 8,693,760 --a------ C:\WINDOWS\system32\{800940E5-41DF-7FC5-1ABF-F67F7317FC7F}.dat
2007-12-14 16:41 . 2007-12-15 17:10 1,093,632 --a------ C:\WINDOWS\system32\{BFADF71E-F624-4061-E108-524092A05840}.dat
2007-12-14 16:41 . 2007-12-15 17:10 1,093,632 --a------ C:\WINDOWS\system32\{20041AF6-09DF-DFC8-09E5-FBDF794DF1DF}.dat
2007-12-12 19:31 . 2007-12-15 17:10 4,885,504 --a------ C:\WINDOWS\system32\{83392C56-FAFF-7CC6-A9D3-C67CDD69CC7C}.dat
2007-12-10 21:32 . 2007-12-14 16:41 8,693,760 --a------ C:\WINDOWS\system32\{6ED3272E-8A86-93C6-D1D8-2C91B8662691}.dat
2007-12-10 21:23 . 2007-12-14 16:41 1,093,632 --a------ C:\WINDOWS\system32\{3BD633C2-FC6C-C6C3-3DCC-29C44A7123C4}.dat
2007-12-10 21:13 . 2007-12-14 16:41 2,177,024 --a------ C:\WINDOWS\system32\{076BBA3E-47F3-FA7E-C145-94F8B5F99EF8}.dat
2007-12-10 20:37 . 2007-12-14 16:41 8,742,912 --a------ C:\WINDOWS\system32\{668E3EE1-85A7-9B98-1EC1-719977797B99}.dat
2007-12-10 20:00 . 2007-12-14 16:41 1,093,632 --a------ C:\WINDOWS\system32\{A3C55C68-89AB-5EDD-97A3-3A5CE710305C}.dat
2007-12-10 19:47 . 2007-12-14 16:41 8,726,528 --a------ C:\WINDOWS\system32\{C2744F7B-AF3F-3F6C-84B0-8B3DED02813D}.dat
2007-12-10 19:42 . 2007-12-14 16:41 1,093,632 --a------ C:\WINDOWS\system32\{B72430AB-21E9-4A3D-54CF-DB48277ED148}.dat
2007-12-10 17:45 . 2007-12-14 16:41 8,742,912 --a------ C:\WINDOWS\system32\{66F9FCCC-35D9-9BE4-3303-06995AA70C99}.dat
2007-12-10 17:20 . 2007-12-14 16:41 2,193,408 --a------ C:\WINDOWS\system32\{888C0261-CF48-7592-9EFD-7377EA5C7977}.dat
2007-12-10 16:45 . 2007-12-14 16:41 8,710,144 --a------ C:\WINDOWS\system32\{F8912623-BAFD-05B1-DCD9-6E07B5446407}.dat
2007-12-09 22:16 . 2007-12-14 16:41 8,775,680 --a------ C:\WINDOWS\system32\{EC417FDF-E117-113C-2080-BE13499EB413}.dat
2007-12-09 21:45 . 2007-12-14 16:41 1,110,016 --a------ C:\WINDOWS\system32\{45B6B8DF-8B79-B836-2047-49BA575D43BA}.dat
2007-12-09 20:59 . 2007-12-14 16:41 8,808,448 --a------ C:\WINDOWS\system32\{81A53DAD-64C4-7C24-52C2-5A7E3BD7507E}.dat
2007-12-09 20:39 . 2007-12-14 16:41 1,110,016 --a------ C:\WINDOWS\system32\{FB697D5D-833B-06EB-A282-9604D1919C04}.dat
2007-12-09 19:43 . 2007-12-14 16:41 2,193,408 --a------ C:\WINDOWS\system32\{842115F5-E563-79A4-0AEA-DE7B7EE7D47B}.dat
2007-12-09 19:01 . 2007-12-14 16:41 8,775,680 --a------ C:\WINDOWS\system32\{D7FE596C-8E9B-2A78-93A6-0128FAAE0B28}.dat
2007-12-09 18:37 . 2007-12-13 18:22 <DIR> d-------- C:\Program Files\XoftSpySE
2007-12-09 16:55 . 2007-12-14 16:41 8,775,680 --a------ C:\WINDOWS\system32\{9D869C11-89FD-600D-EE63-796287497362}.dat
2007-12-09 14:58 . 2007-12-14 16:41 8,792,064 --a------ C:\WINDOWS\system32\{EFC9E8B9-B4C2-1247-4617-36102F0A3C10}.dat
2007-12-09 10:53 . 2007-12-14 16:41 1,110,016 --a------ C:\WINDOWS\system32\{E24105E5-9B82-1FD8-1AFA-BE1D6AFBB41D}.dat
2007-12-09 10:40 . 2007-12-09 10:40 9,957,376 --a------ C:\WINDOWS\system32\POX
2007-12-09 08:51 . 2007-12-14 16:41 2,193,408 --a------ C:\WINDOWS\system32\{8E8CE78F-F7C2-7324-7018-737104EC7971}.dat
2007-12-09 08:26 . 2007-12-14 16:41 8,742,912 --a------ C:\WINDOWS\system32\{38103615-19A0-C5BB-EAC9-EFC78338E5C7}.dat
2007-12-09 07:55 . 2007-12-14 16:41 1,110,016 --a------ C:\WINDOWS\system32\{B192A197-774B-4C3C-685E-6D4E1BB0674E}.dat
2007-12-09 06:18 . 2007-12-14 16:41 1,110,016 --a------ C:\WINDOWS\system32\{B4D19622-9311-496B-DD69-2E4BAA8A244B}.dat
2007-12-08 10:59 . 2007-12-08 10:59 <DIR> d-------- C:\fsaua.data
2007-12-07 18:29 . 2007-01-18 12:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-12-03 19:57 . 2007-12-03 19:57 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-12-03 19:55 . 2007-12-03 19:56 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-12-03 15:42 . 2007-12-03 15:42 <DIR> d-------- C:\Program Files\SymNetDrv
2007-12-03 15:36 . 2007-12-03 15:37 <DIR> d-------- C:\Program Files\Norton AntiVirus
2007-12-03 15:36 . 2007-12-03 15:36 2,397 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2007-12-01 10:44 . 2007-12-01 10:44 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-01 10:44 . 2007-12-01 10:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-01 09:44 . 2007-12-01 09:44 <DIR> d-------- C:\PLAYSKL
2007-12-01 03:34 . 2007-12-01 03:34 <DIR> d-------- C:\Documents and Settings\John\Application Data\ieSpell
2007-12-01 03:33 . 2007-12-01 03:33 <DIR> d-------- C:\Program Files\ieSpell
2007-11-30 19:07 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-30 18:20 . 2007-11-30 19:11 <DIR> d-------- C:\Documents and Settings\John\.housecall6.6
2007-11-27 01:45 . 2007-12-14 16:41 2,193,408 --a------ C:\WINDOWS\system32\{E6CACA1C-E29E-18D1-E335-3519971D3F19}.dat
2007-11-26 21:27 . 2007-12-14 16:41 1,093,632 --a------ C:\WINDOWS\system32\{6B7ED93D-E7B6-9553-C226-8194A92C8B94}.dat
2007-11-26 17:22 . 2007-12-14 16:41 1,110,016 --a------ C:\WINDOWS\system32\{3B76C4E1-7CC3-C546-1E3B-89C46E7883C4}.dat
2007-11-25 18:09 . 2007-11-12 06:51 158,066 --a------ C:\WINDOWS\system32\nvapps.nvb
2007-11-25 14:33 . 2007-12-14 16:41 2,767,872 --a------ C:\WINDOWS\system32\{3753E22A-AB0A-C9C2-D51D-ACC8A21CA6C8}.dat
2007-11-25 13:16 . 2007-11-25 13:16 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2007-11-25 12:52 . 2007-11-25 12:52 <DIR> d-------- C:\Program Files\Sierra Entertainment
2007-11-24 21:40 . 2007-12-14 16:41 4,212,736 --a------ C:\WINDOWS\system32\{EF4A5040-DAE2-11B9-BFAF-B510CF9EBF10}.dat
2007-11-24 00:05 . 2007-12-14 16:41 3,211,264 --a------ C:\WINDOWS\system32\{13461C7E-4538-EC40-81E3-B9ECF6AEB3EC}.dat
2007-11-21 21:08 . 2007-11-26 17:50 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-11-21 18:19 . 2007-11-21 18:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\vsosdk
2007-11-21 17:00 . 2007-11-29 19:49 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-11-21 17:00 . 2007-11-29 19:49 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-11-20 00:23 . 2007-10-18 00:16 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-11-20 00:23 . 2007-10-18 00:15 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-11-20 00:23 . 2007-10-18 00:14 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-11-20 00:23 . 2007-10-18 00:16 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-11-20 00:22 . 2007-12-03 23:24 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-11-20 00:22 . 2007-11-20 00:22 <DIR> d-------- C:\Documents and Settings\John\Application Data\PC Tools
2007-11-19 23:55 . 2007-12-14 16:41 2,177,024 --a------ C:\WINDOWS\system32\{C95D2296-9ABB-36B1-69DD-A23604DEA836}.dat
2007-11-19 23:55 . 2007-12-14 16:41 1,093,632 --a------ C:\WINDOWS\system32\{0CE90A79-B254-F305-86F5-16F3E3F61CF3}.dat
2007-11-19 23:28 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-18 15:26 . 2007-12-15 17:10 1,930,240 --a------ C:\WINDOWS\system32\{745662AE-9D51-8BA9-519D-A98B269FA38B}.dat
2007-11-18 15:26 . 2007-12-14 16:41 1,093,632 --a------ C:\WINDOWS\system32\{9CF35254-ADAB-630C-ABAD-0C63CDAF0663}.dat
2007-11-17 19:10 . 2007-11-23 21:38 1,998 --a------ C:\LevelParTimes.csv
2007-11-17 18:00 . 2007-11-17 18:00 <DIR> d-------- C:\Program Files\Empire Interactive
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-14 07:27 --------- d-----w C:\Documents and Settings\John\Application Data\BitTorrent
2007-12-13 17:53 --------- d-----w C:\Documents and Settings\John\Application Data\Skype
2007-12-12 17:45 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-12-12 17:45 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-12-10 18:56 --------- d-----w C:\Program Files\nbpro
2007-12-09 21:41 --------- d-----w C:\Documents and Settings\Niall\Application Data\MSN6
2007-12-05 20:50 502,272 ----a-w C:\WINDOWS\system32\winlogon.exe
2007-12-03 15:42 --------- d-----w C:\Program Files\Symantec
2007-12-03 15:42 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-03 15:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-28 19:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-28 16:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-26 18:00 --------- d-----w C:\Program Files\Common Files\Command Software
2007-11-22 18:05 --------- d-----w C:\Documents and Settings\John\Application Data\Vso
2007-11-21 17:36 --------- d-----w C:\Program Files\BitTorrent
2007-11-12 08:03 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2007-11-12 06:51 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-11-12 06:51 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-11-12 06:51 8,523,776 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-11-12 06:51 757,760 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-11-12 06:51 7,433,504 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-11-12 06:51 6,901,760 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-11-12 06:51 6,537,216 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-11-12 06:51 5,770,880 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-11-12 06:51 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-11-12 06:51 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-11-12 06:51 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-11-12 06:51 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-11-12 06:51 385,024 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-11-12 06:51 356,352 ----a-w C:\WINDOWS\system32\nvudisp.exe
2007-11-12 06:51 35,328 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-11-12 06:51 35,328 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-11-12 06:51 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-11-12 06:51 3,698,688 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-11-12 06:51 3,407,872 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-11-12 06:51 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-11-12 06:51 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-11-12 06:51 2,486,272 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-11-12 06:51 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-11-12 06:51 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-11-12 06:51 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-11-12 06:51 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-11-12 06:51 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-11-12 06:51 1,474,560 ----a-w C:\WINDOWS\system32\nview.dll
2007-11-12 06:51 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-11-12 06:51 1,212,416 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-11-12 06:51 1,089,536 ----a-w C:\WINDOWS\system32\nvcuda.dll
2007-11-12 06:51 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-11-08 20:35 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-11-07 20:02 22,328 ----a-w C:\Documents and Settings\John\Application Data\PnkBstrK.sys
2007-11-07 19:51 --------- d-----w C:\Program Files\activision
2007-11-04 21:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSN6
2007-10-29 19:06 --------- d-----w C:\Program Files\Common Files\snpstd3
2007-10-29 18:29 --------- d-----w C:\Documents and Settings\John\Application Data\InstallShield
2007-10-29 17:45 --------- d-----w C:\Program Files\Common Files\InterVideo
2007-10-21 18:12 --------- d-----w C:\Documents and Settings\John\Application Data\Symantec
2007-10-21 12:42 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2007-10-21 12:42 47,360 ----a-w C:\Documents and Settings\John\Application Data\pcouffin.sys
2007-10-15 18:06 --------- d-----w C:\Documents and Settings\John\Application Data\LEAPS
2007-10-15 18:04 --------- d-----w C:\Documents and Settings\John\Application Data\Pegasys Inc
2007-10-15 18:01 --------- d-----w C:\Program Files\Pegasys Inc
2007-10-15 18:00 56,976 ----a-w C:\WINDOWS\system32\GenSvcInst.exe
2007-10-15 18:00 33,408 ----a-w C:\WINDOWS\system32\drivers\CDRBSDRV.SYS
2007-10-15 18:00 122,512 ----a-w C:\WINDOWS\system32\bgsvcgen.exe
2006-08-07 19:49 267,909 --sh--w C:\WINDOWS\system32\jjjlm.bak1
2006-08-06 11:22 268,046 --sh--w C:\WINDOWS\system32\jjkmp.bak1
2007-02-09 21:52 12,208 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-06-19 20:09 6,530 --sh--w C:\WINDOWS\system32\pqstv.bak1
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Actfax]
@={52523A1C-0814-4FD9-A230-6B78971456C7}
[HKEY_CLASSES_ROOT\CLSID\{52523A1C-0814-4FD9-A230-6B78971456C7}]
C:\WINDOWS\system32\ipnet.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-31 16:40]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2007-09-07 23:01]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-12-03 15:42]
"nwiz"="nwiz.exe" [2007-11-12 06:51 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 00:56 C:\WINDOWS\system32\rundll32.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 00:56 C:\WINDOWS\system32\rundll32.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-08-15 03:59]
"Advanced Tools Check"="C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE" [2003-08-17 23:33]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Enable Wireless Keyboard Driver.lnk - C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe [2005-01-28 14:41:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"FixCamera"=C:\WINDOWS\FixCamera.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"tsnpstd3"=C:\WINDOWS\tsnpstd3.exe

R0 ElbyVCD;ElbyVCD;C:\WINDOWS\system32\DRIVERS\ElbyVCD.sys
R1 kbfilter;Keyboard Filter Driver;C:\WINDOWS\system32\drivers\kbfilter.sys
R2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys
R2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys
R3 NPDriver;Norton Unerase Protection Driver;\??\C:\WINDOWS\system32\Drivers\NPDRIVER.SYS
R3 Tetris;Tetris driver;C:\WINDOWS\system32\Drivers\Tetris.sys
S3 3f8ab4ch;3f8ab4ch;\??\C:\DOCUME~1\Niall\LOCALS~1\Temp\VgnCVX0
S3 IKUDG;IKUDG;C:\DOCUME~1\John\LOCALS~1\Temp\IKUDG.exe
S3 RSPHOOKANALYZER;RSPHOOKANALYZER;\??\C:\DOCUME~1\John\LOCALS~1\Temp\rspsc32.sys
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys
S3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ef56260-6415-11d9-b096-806d6172696f}]
\Shell\AutoRun\command - E:\pczone.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{23F8E329-C93D-498C-9C66-B2232605A303}]
winscore

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{DBC97B72-C637-C0AF-A380-A42F280ECA5E}]
C:\WINDOWS\system32\My_Server.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-07 20:00:09 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job" - C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
"2007-11-20 19:51:35 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job" - C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
"2007-12-14 16:38:15 C:\WINDOWS\Tasks\Symantec NetDetect.job" - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2007-12-14 17:00:01 C:\WINDOWS\Tasks\XoftSpySE 2.job" - C:\Program Files\XoftSpySE\XoftSpy.exe
"2007-12-13 18:18:37 C:\WINDOWS\Tasks\XoftSpySE.job" - C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-15 17:12:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-15 17:12:59
.
2007-10-13 11:42:35 --- E O F ---
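Editor's added example, not code from ComboFix or from anyone in this thread: a small triage script for the kind of log posted above. It walks the "Files Created" and "Reg Loading Points" sections and flags the persistence points a responder would want explained first: services and drivers loaded from a Temp directory, a drive AutoRun command under MountPoints2, Active Setup components (ComboFix already hides the default ones, so whatever is listed is non-standard), a shell icon overlay handler whose DLL lives outside Program Files, GUID-named .dat files in system32, and a keyboard filter driver. The heuristics are the editor's own choices, and SAMPLE_LOG is a constructed excerpt in the same shape as the posted log, not the full log.

```python
"""Triage a ComboFix log for persistence points worth a second look.

Added example; not ComboFix's own code. Heuristics are the author's choices and
SAMPLE_LOG is a constructed excerpt shaped like the log posted in the thread.
"""
import re
from typing import Dict, List

SAMPLE_LOG = r"""
2007-12-14 16:41 . 2007-12-15 17:10 8,693,760 --a------ C:\WINDOWS\system32\{800940E5-41DF-7FC5-1ABF-F67F7317FC7F}.dat
2007-12-09 18:37 . 2007-12-13 18:22 <DIR> d-------- C:\Program Files\XoftSpySE
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Actfax]
@={52523A1C-0814-4FD9-A230-6B78971456C7}
[HKEY_CLASSES_ROOT\CLSID\{52523A1C-0814-4FD9-A230-6B78971456C7}]
C:\WINDOWS\system32\ipnet.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-31 16:40]
R1 kbfilter;Keyboard Filter Driver;C:\WINDOWS\system32\drivers\kbfilter.sys
R3 Tetris;Tetris driver;C:\WINDOWS\system32\Drivers\Tetris.sys
S3 3f8ab4ch;3f8ab4ch;\??\C:\DOCUME~1\Niall\LOCALS~1\Temp\VgnCVX0
S3 IKUDG;IKUDG;C:\DOCUME~1\John\LOCALS~1\Temp\IKUDG.exe
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ef56260-6415-11d9-b096-806d6172696f}]
\Shell\AutoRun\command - E:\pczone.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{23F8E329-C93D-498C-9C66-B2232605A303}]
winscore
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{DBC97B72-C637-C0AF-A380-A42F280ECA5E}]
C:\WINDOWS\system32\My_Server.exe
"""

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# "Files Created" / "Find3M" style line: two timestamps, size or <DIR>, attributes, path
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?:[\d,]+|<DIR>)\s+\S+\s+(.+)$")
GUID_DAT_RE = re.compile(r"\\system32\\" + GUID + r"\.dat$", re.IGNORECASE)
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$", re.IGNORECASE)
SERVICE_RE = re.compile(r"^[RS][0-4]\s+([^;]+);([^;]*);(.+)$")   # R0..S4 name;display;path
VALUE_RE = re.compile(r'^"([^"]+)"=(.+?)(?:\s+\[\d{4}-\d{2}-\d{2}[^\]]*\])?$')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(.+)$", re.IGNORECASE)
TEMP_MARKERS = ("\\temp\\", "locals~1\\temp", "\\local settings\\temp")


def _is_temp_path(path: str) -> bool:
    p = path.lower()
    return any(m in p for m in TEMP_MARKERS)


def _leaf(key: str) -> str:
    return key.rsplit("\\", 1)[-1]


def triage(log_text: str) -> List[Dict[str, str]]:
    """Walk the log line by line, remembering which registry key a value belongs to."""
    findings: List[Dict[str, str]] = []
    current_key = ""
    overlay_clsids: Dict[str, str] = {}  # CLSID -> ShellIconOverlayIdentifiers entry name
    for raw in log_text.splitlines():
        ln = raw.strip()
        if not ln:
            continue
        m = FILE_RE.match(ln)
        if m:
            if GUID_DAT_RE.search(m.group(1)):
                findings.append({"kind": "guid_dat_in_system32", "key": "", "value": m.group(1)})
            continue
        m = KEY_RE.match(ln)
        if m:
            current_key = m.group(1)
            continue
        m = SERVICE_RE.match(ln)
        if m:
            name, display, path = m.groups()
            if _is_temp_path(path):
                findings.append({"kind": "service_from_temp", "key": name, "value": path})
            if "keyboard filter" in display.lower():
                # A keyboard filter driver is what a keylogger would install, but wireless
                # and multimedia keyboard packages ship them too: verify, do not assume.
                findings.append({"kind": "keyboard_filter_driver", "key": name, "value": path})
            continue
        ck = current_key.lower()
        if "shelliconoverlayidentifiers" in ck and ln.startswith("@={"):
            overlay_clsids[ln[2:].strip("{}").upper()] = _leaf(current_key)
        elif ck.startswith("hkey_classes_root\\clsid\\{"):
            clsid = _leaf(current_key).strip("{}").upper()
            if clsid in overlay_clsids and "\\program files\\" not in ln.lower():
                findings.append({"kind": "overlay_handler_outside_program_files",
                                 "key": overlay_clsids[clsid], "value": ln})
        elif "mountpoints2" in ck:
            m = AUTORUN_RE.match(ln)
            if m:
                findings.append({"kind": "drive_autorun_command", "key": _leaf(current_key), "value": m.group(1)})
        elif "active setup\\installed components" in ck:
            # ComboFix hides default Active Setup entries, so anything listed is non-standard.
            findings.append({"kind": "active_setup_component", "key": _leaf(current_key), "value": ln})
        elif ck.endswith("\\run"):
            m = VALUE_RE.match(ln)
            if m and _is_temp_path(m.group(2)):
                findings.append({"kind": "run_key_from_temp", "key": m.group(1), "value": m.group(2).strip('"')})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:<38} {f['key']:<14} {f['value']}")
```

Run it against a saved log with `triage(open("ComboFix.txt").read())`. Every hit is a question to answer, not a verdict: the Symantec and nVidia services in the posted log pass untouched, while the two S3 services under LOCALS~1\Temp, the AutoRun command on drive E:, and the Active Setup component pointing at system32\My_Server.exe are exactly the entries strider asked about two posts later.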
#19 Founder
Re: Red dot in taskbar ''your activity is recorded''
Any idea about these files:
C:\WINDOWS\system32\My_Server.exe
E:\pczone.exe
C:\WINDOWS\system32\PnkBstrA.exe
#20 Moderator
Re: Red dot in taskbar ''your activity is recorded''
Hmm... the last two look very dodgy, but I can't find anything referenced on the net. Maybe it's time to make a restore point and then remove those files and the registry entries.
NB strider, I wonder if the machine is being re-infected due to a modified hosts file!!
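Editor's added example, not code from anyone in this thread, following up the hosts-file suspicion in the post above. A hosts file cannot re-infect a machine by itself, but a tampered one can point anti-virus update servers and Windows Update at 127.0.0.1 so that every cleanup tool quietly fails to update, or send well-known sites to an address the attacker controls. The script parses a Windows hosts file (comments, tabs, several names per line, IPv6) and classifies each mapping. The vendor watch list and SAMPLE_HOSTS are constructed by the editor; the 192.0.2.x address is the RFC 5737 documentation range, standing in for an attacker's server.

```python
"""Audit a Windows hosts file for entries that hijack or sinkhole security-related hosts.

Added example; the watch list, sample file and classification labels are the author's.
"""
import ipaddress
from typing import Dict, List

# Names whose presence in a hosts file on a home PC almost always means tampering:
# AV / anti-spyware vendors and Windows Update. Constructed list; extend as needed.
WATCH_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "symantec.com", "eset.com",
    "kaspersky.com", "f-secure.com", "trendmicro.com", "pctools.com",
    "safer-networking.org", "gmer.net", "sysinternals.com",
)

# Constructed sample. The header and the localhost lines are the stock XP content;
# everything after them is the kind of tampering to look for.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1       liveupdate.symantec.com www.symantec.com   # updates sinkholed
127.0.0.1       update.microsoft.com windowsupdate.microsoft.com
192.0.2.44      www.eset.com            # redirected to an attacker-chosen address
192.0.2.44      www.google.com
127.0.0.1       ads.example.net         # ad-blocking style entry, informational only
"""


def _watched(host: str) -> bool:
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in WATCH_SUFFIXES)


def parse_hosts(text: str) -> List[Dict[str, str]]:
    """One record per (address, hostname) pair; comments and blank lines ignored."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        for host in parts[1:]:
            records.append({"line": str(lineno), "ip": parts[0], "host": host})
    return records


def audit_hosts(text: str) -> List[Dict[str, str]]:
    """Classify each mapping, most to least serious:
    redirected_watched  AV/update host sent to a non-loopback address
    sinkholed_watched   AV/update host pointed at loopback (updates silently fail)
    redirected_host     any other name sent to a non-loopback address
    blocked_host        any other name pointed at loopback
    invalid_address     first field is not a parseable IP address
    """
    findings = []
    for rec in parse_hosts(text):
        host = rec["host"]
        if host.lower() == "localhost":
            continue  # the one mapping every Windows hosts file legitimately carries
        try:
            loopback = ipaddress.ip_address(rec["ip"]).is_loopback
        except ValueError:
            findings.append(dict(rec, kind="invalid_address"))
            continue
        if _watched(host):
            kind = "sinkholed_watched" if loopback else "redirected_watched"
        else:
            kind = "blocked_host" if loopback else "redirected_host"
        findings.append(dict(rec, kind=kind))
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']:>2}  {f['kind']:<20} {f['ip']:<15} {f['host']}")
```

On the affected machine the file is C:\WINDOWS\system32\drivers\etc\hosts; feed it in with `audit_hosts(open(path).read())`. Any `sinkholed_watched` or `redirected_watched` hit explains why scanners "run clean" yet the infection persists, and a restored stock hosts file belongs in the cleanup alongside removing the flagged files and registry entries.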