As you may or may not know, I am currently at Geeks to Go training in malware removal, and I have reached the stage where I have access to a lot of information and highly experienced people. Basically, the EXE association is being reset and the Lineage infection is being removed with a tool designed to remove it. In fact, if you download the tool and just run it from the desktop with no run switches, this is the report you get. Obviously mine is clean, so there will be no deletions.
Martin - 06-11-03 23:20:56.78 Service Pack 2
ComboFix 06.10.19 - Running from: "D:\Downloads"
((((((((((((((((((((((((((((((( Files Created from 2006-10-03 to 2006-11-03 ))))))))))))))))))))))))))))))))))
2006-11-02 09:48 8,704 --a------ C:\WINDOWS\system32\CNMVS7K.DLL
2006-11-02 09:48 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2006-11-02 09:48 140,288 --a------ C:\WINDOWS\system32\CNMLM7K.DLL
2006-11-02 09:47 69,632 --a------ C:\WINDOWS\system32\CNCI150.DLL
2006-11-02 09:47 49,152 --a------ C:\WINDOWS\system32\cncisco.dll
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-11-03 23:06 -------- d-------- C:\Program Files\Big Kahuna Reef
2006-11-02 17:45 -------- d-------- C:\Program Files\Charm Solitaire
2006-08-11 20:42 155715 --a------ C:\WINDOWS\system32\nvsvc32.exe
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
Note empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe”
“ccleaner”=“"C:\Program Files\CCleaner\ccleaner.exe" /AUTO”
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe”
“Zone Labs Client”=“"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"”
“SoundMan”=“SOUNDMAN.EXE”
“SpeedTouch USB Diagnostics”=“"C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon”
“NvCplDaemon”=“RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup”
“Windows Defender”=“"C:\Program Files\Windows Defender\MSASCui.exe" -hide”
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
“DeskHtmlVersion”=dword:00000110
“DeskHtmlMinorVersion”=dword:00000005
“Settings”=dword:00000001
“GeneralFlags”=dword:00000005
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
“Source”=“About:Home”
“SubscribedURL”=“About:Home”
“FriendlyName”=“My Current Home Page”
“Flags”=dword:00000002
“Position”=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,df,02,00,00,00,
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
“CurrentState”=hex:04,00,00,40
“OriginalStateInfo”=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,df,02,
00,00,04,00,00,40
“RestoredStateInfo”=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,df,02,
00,00,01,00,00,00
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
“CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE”
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
“CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE”
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
“{438755C2-A8BA-11D1-B96B-00A0C90312E1}”=“Browseui preloader”
“{8C7461EF-2B13-11d2-BE35-3078302C2030}”=“Component Categories cache daemon”
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
“{AEB6717E-7E19-11d0-97EE-00C04FD91972}”=“”
“{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}”=“Microsoft AntiMalware ShellExecuteHook”
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
“NoDriveTypeAutoRun”=dword:00000091
“NoLogoff”=hex:01,00,00,00
“NoRecentDocsMenu”=hex:01,00,00,00
“NoRecentDocsHistory”=hex:01,00,00,00
“NoRecentDocsNetHood”=hex:01,00,00,00
“NoComputersNearMe”=hex:01,00,00,00
“NoSMMyDocs”=hex:01,00,00,00
“NoSMMyPictures”=hex:01,00,00,00
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
“dontdisplaylastusername”=dword:00000000
“legalnoticecaption”=“”
“legalnoticetext”=“”
“shutdownwithoutlogon”=dword:00000001
“undockwithoutlogon”=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
“NoDriveTypeAutoRun”=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
“NoDriveTypeAutoRun”=dword:00000091
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
“PostBootReminder”=“{7849596a-48ea-486e-8937-a2a3009f31a9}”
“CDBurn”=“{fbeb8a05-beee-4442-804e-409d6c4515e9}”
“WebCheck”=“{E6FB5E20-DE35-11CF-9C87-00AA005127ED}”
“SysTray”=“{35CEC8A3-2BE6-11D2-8773-92E220524153}”
“WPDShServiceObj”=“{AAA288BA-9A4C-45B0-95D7-94D524869DB5}”
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
“NvMediaCenter”=“RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit”
“nwiz”=“nwiz.exe /install”
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
“SecurityProviders”=“msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll”
~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
backup-20061008-172253-527
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
backup-20061008-172204-605
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
backup-20061008-172203-925
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
backup-20061005-163948-607
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
backup-20061005-163948-690
R3 - Default URLSearchHook is missing
backup-20060929-184442-810
O4 - HKCU..\Run: [SandboxieControl] C:\Program Files\Sandboxie\Control.exe
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
Completion time: 06-11-03 23:21:52.20
C:\ComboFix.txt ... 06-11-03 23:21