April 16th, 2008 03:00

Cannot remove all trojan.vundo

I was recently infected with trojan.vundo, yet Norton did not remove all of the problem. I'm still getting the nasty popup pages when I search the web.

After reading several support forums I found that XoftSpySe and Spyhunter3 were good programs to continue removing this nasty problem. XoftSpySe does not appear to find any problem other than some adware. Support has sent me a couple of registry fixes, yet nothing has actually been done. Spyhunter3 detects several files marked as infected with trojan.vundo, yet does not remove them. It tells me it could not remove them until after a reboot, yet after the reboot nothing happens. Support has also sent a couple of fixes, yet no resolution so far. So here I am with HijackThis to see if we can get a little further along with this problem.

 

Here are some of the problems Spyhunter finds but does not remove:

mlJCVlJy.dll - Trojan.vundo - Memory

{8E1BFC0E-8AD2-424D-AC8A-06038481516E} - Trojan.vundo - registry key

{8E1BFC0E-8AD2-424D-AC8A-06038481516E} - Trojan.vundo - registry value

{8E1BFC0E-8AD2-424D-AC8A-06038481516E} - Trojan.vundo - registry key again

InprocServer32 - Trojan.vundo - registry value

Below is my hijackthis log:

 

Logfile of HijackThis v1.99.1
Scan saved at 10:43:23 PM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Documents and Settings\Owner\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.instafinder.com/addsearch.asp?err=ADD&url=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://37.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://37.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://37.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Instafinder] C:\Program Files\Instafinder\instafinder.exe
O4 - HKLM\..\Run: [e435bda0] rundll32.exe "C:\WINDOWS\system32\lgterdcl.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/activedata/nprdtinf.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://www.kungfuchess.com/activex/web665.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177987668671
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177991148140
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

 

Any help would be greatly appreciated. 
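Reading a HijackThis log by hand is what the helpers on this board do; as an added example (mine, not HijackThis's or any poster's code) the script below applies the same Vundo tells mechanically: a Run value with a random name that uses rundll32 to load a random-named DLL from system32 through a one-letter export, a Winlogon Notify package with a random name, an orphaned text/html filter, and start/search pages pointing at unexpected hosts. The sample lines are copied from the log posted above, except the O20 line, which I constructed from the winlogon\notify\mlJCVlJy entry that ComboFix reports later in the thread; the EXPECTED_HOSTS set is an assumption.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: lines copied from the HijackThis log posted above, plus one
# O20 line (constructed) for the winlogon\notify\mlJCVlJy entry that ComboFix found.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.instafinder.com/addsearch.asp?err=ADD&url=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://37.com
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [e435bda0] rundll32.exe "C:\WINDOWS\system32\lgterdcl.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O20 - Winlogon Notify: mlJCVlJy - C:\WINDOWS\system32\mlJCVlJy.dll
"""

# Assumption: the hosts this user actually expects as home page / search page.
EXPECTED_HOSTS = {"www.msn.com", "www.google.com"}

RANDOM_HEX = re.compile(r"^[0-9a-f]{8}$")      # Run value names like e435bda0
RANDOM_ALPHA = re.compile(r"^[A-Za-z]{8}$")    # DLL base names like lgterdcl, mlJCVlJy
O4_RE = re.compile(r"^O4 - .*?\[(?P<name>[^\]]+)\]\s+(?P<cmd>.*)$")
# rundll32 "<...>\system32\<base>.dll",<export>  -- the classic Vundo loader line
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?[^",]*\\system32\\(?P<base>[^\\",]+)\.dll"?,(?P<export>\S+)',
    re.I)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - ")
R_RE = re.compile(r"^(?P<sec>R[01]) - .*,(?:Start Page|Search Bar|Search Page) = (?P<url>\S+)$")


def hjt_findings(log_text):
    """Return (section, reason, line) for every line matching a Vundo-style pattern."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        if not line:
            continue
        if (m := O4_RE.match(line)):
            r = RUNDLL_RE.search(m.group("cmd"))
            if r and RANDOM_ALPHA.match(r.group("base")) and len(r.group("export")) == 1:
                findings.append(("O4", "rundll32 loads a random-named system32 DLL via a one-letter export", line))
            elif RANDOM_HEX.match(m.group("name")):
                findings.append(("O4", "Run value name is eight random hex characters", line))
        elif (m := O20_RE.match(line)):
            if RANDOM_ALPHA.match(m.group("name")):
                findings.append(("O20", "Winlogon Notify package with a random eight-letter name", line))
        elif line.startswith("O18") and line.endswith("(no file)"):
            findings.append(("O18", "MIME filter registered but its DLL is missing (orphaned hijack)", line))
        elif (m := R_RE.match(line)):
            host = urlsplit(m.group("url")).hostname or ""
            if host not in EXPECTED_HOSTS:
                findings.append((m.group("sec"), f"IE start/search page points at unexpected host {host}", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in hjt_findings(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

The rules are heuristics: on a full log, check each hit against the software the poster actually has installed before treating it as a removal target.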

 

 

 

 

10.4K Posts

April 16th, 2008 12:00

Agitated

I disagree with your assessment of XoftSpySe.

Please download Combofix and save to your desktop:
  • Note: It is important that it is saved directly to your desktop.
  • Close any open browsers.
  • Double click on combofix.exe and follow the prompts.
  • When it's finished it will produce a log.
  • Post the contents of the C:\ComboFix.txt into your next reply.
  • Note: Do not mouseclick combofix's window whilst it's running. That may cause the program to freeze/hang.

Microsoft MVP Consumer-Security
"The world is what you make of it"

10 Posts

April 16th, 2008 15:00

I would suggest running Combofix from Safe Mode. It's usually more effective. Also, if there are certain files you are having trouble removing, you can create a script file to point Combofix at any other file that it may not pick up on its own. This is especially useful when dealing with infections that generate random file names. Also, clear your temp files with a tool such as ATF Cleaner or CCleaner beforehand, or your Combofix scan could take extremely long. It should only be 10-15 minutes.

20.5K Posts

April 16th, 2008 15:00

Sylwyn, we appreciate your wanting to help, but bamajim knows exactly what he is doing. Combofix should not be used unless you have been instructed to do so by a Malware Removal Expert such as bamajim. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use.

10 Posts

April 16th, 2008 16:00

Bugbatter, I appreciate the fact that both you and bamajim have fancy signatures, thousands of posts, and lots of experience dealing with malware; however, I do not appreciate being talked down to based on the fact that I am missing the first two elements in the equation. I myself am a Malware Removal Expert; however, I have only reached out to dellcommunity.com today, thus resulting in my post count. I much prefer real-time "expert supervision" such as over the phone, remote desktops, or working on the system in person. Either way, I'm not here to gripe, simply to share my insight and experience. Also, even if you don't accept my "status" as an "expert", I never gave instructions or specific direction on what programs to use, how to use them, and what to do afterwards. I simply suggested running from Safe Mode and clearing temp files as quick steps to set the scan up for success.

11 Posts

April 16th, 2008 18:00

Sorry, I'm having DNS issues resolving dellcommunity.com/ at the moment from my home ISP.

Tracing route to dellcommunity.com [208.74.204.75]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  172.25.185.1
  2    25 ms    25 ms    25 ms  172.25.187.102
  3    83 ms    82 ms    83 ms  172.23.10.1
  4    82 ms    82 ms    85 ms  172.16.110.1
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.

 


Pinging dellcommunity.com [208.74.204.75] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.

As soon as I can access the site again I will download and run the file.

Thank you again for your help!

10.4K Posts

April 16th, 2008 18:00

@Sylwyn

"I myself am a Malware Removal Expert,"

Then you should know that it is not a good idea for more than one person to work with one poster at a time. Getting a number of people trying to fix the same infection is confusing.

"I would suggest running Combofix from Safe Mode. It's usually more effective."

Not so. It may be quicker at times, depending on the infection, but has nothing to do with the effectiveness of the tool.

Having addressed these 2 items, and choosing to ignore the rest, suffice it to say I would appreciate it if you would not interfere in the threads that I have posted the first answer to. The Hijackthis board is not a discussion forum, nor a free-for-all.

Thanks

@Agitated

Please continue with the instructions I have provided.

20.5K Posts

April 16th, 2008 18:00

Sylwyn, we can always use trained, experienced helpers and would love to have you join us on this board. This is not a discussion thread, so please check your PM's for more information. Thanks. :)

11 Posts

April 16th, 2008 23:00

ComboFix 08-04-15.8 - Owner 2008-04-16 17:36:36.1 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Desktopvirii
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\Downloaded Program Files\temp
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\afaypnsu.dll
C:\WINDOWS\system32\eNoWDJjl.ini
C:\WINDOWS\system32\eNoWDJjl.ini2
C:\WINDOWS\system32\geBTjKDw.dll
C:\WINDOWS\system32\ljJDWoNe.dll
C:\WINDOWS\system32\mlJCVlJy.dll
C:\WINDOWS\system32\pbinlukl.dll
C:\WINDOWS\system32\phqfxwfa.dll
C:\WINDOWS\system32\rwfcnnqa.dll
C:\WINDOWS\system32\scdafodt.dll
C:\WINDOWS\system32\tdofadcs.ini
C:\WINDOWS\system32\wDKjTBeg.ini
C:\WINDOWS\system32\wDKjTBeg.ini2
C:\WINDOWS\system32\Xcite.dll
C:\WINDOWS\system32akttzn.exe
C:\WINDOWS\system32anticipator.dll
C:\WINDOWS\system32awtoolb.dll
C:\WINDOWS\system32bdn.com
C:\WINDOWS\system32bsva-egihsg52.exe
C:\WINDOWS\system32dpcproxy.exe
C:\WINDOWS\system32emesx.dll
C:\WINDOWS\system32h@tkeysh@@k.dll
C:\WINDOWS\system32hoproxy.dll
C:\WINDOWS\system32hxiwlgpm.dat
C:\WINDOWS\system32hxiwlgpm.exe
C:\WINDOWS\system32medup012.dll
C:\WINDOWS\system32medup020.dll
C:\WINDOWS\system32msgp.exe
C:\WINDOWS\system32msnbho.dll
C:\WINDOWS\system32mssecu.exe
C:\WINDOWS\system32msvchost.exe
C:\WINDOWS\system32mtr2.exe
C:\WINDOWS\system32mwin32.exe
C:\WINDOWS\system32netode.exe
C:\WINDOWS\system32newsd32.exe
C:\WINDOWS\system32ps1.exe
C:\WINDOWS\system32psof1.exe
C:\WINDOWS\system32psoft1.exe
C:\WINDOWS\system32regc64.dll
C:\WINDOWS\system32regm64.dll
C:\WINDOWS\system32Rundl1.exe
C:\WINDOWS\system32smp
C:\WINDOWS\system32smp\msrc.exe
C:\WINDOWS\system32sncntr.exe
C:\WINDOWS\system32ssurf022.dll
C:\WINDOWS\system32ssvchost.com
C:\WINDOWS\system32ssvchost.exe
C:\WINDOWS\system32sysreq.exe
C:\WINDOWS\system32taack.dat
C:\WINDOWS\system32taack.exe
C:\WINDOWS\system32temp#01.exe
C:\WINDOWS\system32thun.dll
C:\WINDOWS\system32thun32.dll
C:\WINDOWS\system32VBIEWER.OCX
C:\WINDOWS\system32vbsys2.dll
C:\WINDOWS\system32vcatchpi.dll
C:\WINDOWS\system32winlogonpc.exe
C:\WINDOWS\system32winsystem.exe
C:\WINDOWS\system32WINWGPX.EXE
C:\WINDOWS\Web\def.htm

.
(((((((((((((((((((((((((   Files Created from 2008-03-16 to 2008-04-16  )))))))))))))))))))))))))))))))
.

2008-04-16 17:37 . 2008-04-16 17:37 6,736 --a------ C:\WINDOWS\system32\drivers\PROCEXP90.SYS
2008-04-16 06:20 . 2008-04-16 12:46 1,118 ---hs---- C:\WINDOWS\system32\wympeecd.ini
2008-04-16 06:17 . 2008-04-16 17:30 101,188 --a------ C:\WINDOWS\BMe7068e3c.xml
2008-04-15 22:10 . 2002-07-26 23:24   d-------- C:\Documents and Settings\Administrator.YOUR-US67PI6LUV\WINDOWS
2008-04-15 22:10 . 2002-07-26 23:23   d-------- C:\Documents and Settings\Administrator.YOUR-US67PI6LUV\Application Data\VERITAS
2008-04-15 22:10 . 2002-07-26 23:23   d-------- C:\Documents and Settings\Administrator.YOUR-US67PI6LUV\Application Data\Symantec
2008-04-15 22:10 . 2002-07-26 23:23   d-------- C:\Documents and Settings\Administrator.YOUR-US67PI6LUV\Application Data\Share-to-Web Upload Folder
2008-04-15 22:10 . 2002-07-26 23:23   d-------- C:\Documents and Settings\Administrator.YOUR-US67PI6LUV\Application Data\InterTrust
2008-04-15 22:10 . 2008-04-15 22:10   d-------- C:\Documents and Settings\Administrator.YOUR-US67PI6LUV
2008-04-15 06:20 . 2008-04-16 00:22 826 --ahs---- C:\WINDOWS\system32\lcdretgl.ini
2008-04-14 06:17 . 2008-04-14 06:18 2,002 --ahs---- C:\WINDOWS\system32\itlprbxh.ini
2008-04-13 01:00 . 2008-04-14 06:17 1,942 --ahs---- C:\WINDOWS\system32\bxhdbrpq.ini
2008-04-12 23:43 . 2008-04-13 00:51 766 ---hs---- C:\WINDOWS\system32\weavoqbx.ini
2008-04-12 23:38 . 2008-04-12 23:38 586 ---hs---- C:\WINDOWS\system32\quqrkhql.ini
2008-04-12 22:56 . 2008-04-12 23:24 526 ---hs---- C:\WINDOWS\system32\wceswpfe.ini
2008-04-12 00:19 . 2008-04-12 22:20 998 --ahs---- C:\WINDOWS\system32\jiddpnwm.ini
2008-04-11 00:16 . 2008-04-12 00:16 766 ---hs---- C:\WINDOWS\system32\orpyanqe.ini
2008-04-10 12:15 . 2008-04-10 12:45   d-------- C:\Program Files\XoftSpySE
2008-04-10 00:19 . 2008-04-10 17:55 414 --ahs---- C:\WINDOWS\system32\ibxdcvjj.ini
2008-04-09 00:44 . 2008-04-09 00:44   d-------- C:\HJT
2008-04-08 21:20 . 2008-04-08 21:20 294 ---hs---- C:\WINDOWS\system32\xljglqxf.ini
2008-04-07 21:47 . 2008-04-07 21:47   d-------- C:\VundoFix Backups
2008-04-07 06:17 . 2008-04-07 17:29 474 ---hs---- C:\WINDOWS\system32\rqrxjpxo.ini
2008-04-06 20:08 . 2008-04-06 20:08 4,096 --a------ C:\Documents and Settings\Owner\DesktopTrojan.Win32.BlackBird.exe
2008-04-06 20:08 . 2008-04-06 20:08 4,096 --a------ C:\Documents and Settings\Owner\DesktopFWebdEditor.exe
2008-04-06 20:08 . 2008-04-06 20:08 4,096 --a------ C:\Documents and Settings\Owner\Desktopfwebd.exe
2008-04-06 20:08 . 2008-04-06 20:08 4,096 --a------ C:\Documents and Settings\Owner\Desktopfkwp2.0.exe
2008-04-06 20:08 . 2008-04-06 20:08 4,096 --a------ C:\Documents and Settings\Owner\Desktopfkwp1.5.exe
2008-04-06 20:08 . 2008-04-06 20:08 4,096 --a------ C:\Documents and Settings\Owner\Desktopfilemanagerclient.exe
2008-04-06 20:08 . 2008-04-06 20:08 4,096 --a------ C:\Documents and Settings\Owner\DesktopEditorFKWP2.0.exe
2008-04-06 20:08 . 2008-04-06 20:08 4,096 --a------ C:\Documents and Settings\Owner\DesktopEditorFKWP1.5.exe
2008-04-06 18:08 . 2008-04-07 12:17   d-------- C:\Documents and Settings\All Users\Application Data\atmhsfoz

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 22:54 --------- d-----w C:\Program Files\Three Rings Design
2008-04-13 20:11 --------- d-----w C:\Program Files\Eusing Free Registry Cleaner
2008-04-13 06:04 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-13 06:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-13 05:05 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-10 18:02 --------- d-----w C:\Program Files\RegCure
2008-04-10 17:33 --------- d-----w C:\Program Files\Lycos
2008-03-25 02:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-07 02:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-07 02:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-07 02:32 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-03-07 00:16 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-03-06 19:25 --------- d-----w C:\Program Files\MSBuild
2008-03-06 19:13 --------- d-----w C:\Program Files\Reference Assemblies
2008-03-06 19:09 --------- d-----w C:\Program Files\MSXML 6.0
2008-03-02 17:09 1,728 ----a-w C:\WINDOWS\system32\tmp.reg
2008-03-02 16:40 --------- d-----w C:\Program Files\Enigma Software Group
2008-03-02 16:37 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-03-02 16:04 --------- d-----w C:\Program Files\ZooVet_at
2008-03-02 05:12 86,016 ----a-w C:\WINDOWS\system32\VACFix.exe
2008-03-01 05:48 82,432 ----a-w C:\WINDOWS\system32\IEDFix.exe
2008-02-19 20:23 579,464 ----a-w C:\WINDOWS\system32\SymNeti.dll
2008-02-19 20:23 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2008-02-19 19:44 96,432 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2008-02-19 19:44 41,008 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2008-02-19 19:44 38,576 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2008-02-19 19:44 37,424 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2008-02-19 19:44 31,408 ----a-w C:\WINDOWS\system32\drivers\SymIM.sys
2008-02-19 19:44 22,320 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2008-02-19 19:44 188,464 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2008-02-19 19:44 13,616 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2008-02-19 19:44 13,021 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2008-02-19 19:44 1,612 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2008-02-12 01:49 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2006-05-13 21:01 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
2005-10-04 02:16 32 -c--a-r C:\Documents and Settings\All Users\hash.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-02-11 20:52 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"NvCplDaemon"="NvQTwk" []
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2002-07-16 10:03 106549]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-12-19 01:39 212992]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-05-15 05:20 114688]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-06-14 18:39 81920]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 14:15 51048]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-08-24 23:53 714608]
"LTMSG"="LTMSG.exe" [2003-07-14 11:52 40960 C:\WINDOWS\ltmsg.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJCVlJy]
mlJCVlJy.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center.lnk]
backup=C:\WINDOWS\pss\hp center.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
--a--c--- 2002-06-18 01:11 69632 c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-05-08 16:24 54840 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2002-05-15 05:29 155648 C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2002-05-03 19:06 364544 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Repair Registry Pro]
--a--c--- 2005-05-14 16:14 1802240 C:\Program Files\Repair Registry Pro\RepairRegistryPro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
--a--c--- 2002-05-09 10:01 155648 C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 02:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"=
"C:\\Program Files\\WS_FTP\\WS_FTP95.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R3 genmcmnUSB;USB Scroll Mouse Driver;C:\WINDOWS\system32\DRIVERS\gflmouhid.sys [2004-04-19 16:01]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-13 21:09:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-16 21:22:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-04-16 06:57:02 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-04-16 10:39:57 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job"
- C:\Program Files\Norton AntiVirus\Navw32.exe
"2008-04-16 08:30:01 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job"
- C:\Program Files\RegClean\RegClean.ex
- C:\Program Files\RegClean
"2008-04-16 22:58:50 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-04-10 08:00:01 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-04-16 23:06:49 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-04-16 10:39:27 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-16 17:59:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Sygate\SPF\Smc.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SoftwareDistribution\Download\d61766d223927760d60364c3824ce500\update\update.exe
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
.
**************************************************************************
.
Completion time: 2008-04-16 18:22:46 - machine was rebooted
ComboFix-quarantined-files.txt  2008-04-16 23:22:00

Pre-Run: 34,214,789,120 bytes free
Post-Run: 34,257,448,960 bytes free
.
2008-02-13 01:47:10 --- E O F --- 

10.4K Posts

April 17th, 2008 00:00

Agitated

1. Open NotePad (not wordpad). Copy and paste the following into Notepad

File::
C:\WINDOWS\system32\wympeecd.ini
C:\WINDOWS\BMe7068e3c.xml
C:\WINDOWS\system32\lcdretgl.ini
C:\WINDOWS\system32\itlprbxh.ini
C:\WINDOWS\system32\bxhdbrpq.ini
C:\WINDOWS\system32\weavoqbx.ini
C:\WINDOWS\system32\quqrkhql.ini
C:\WINDOWS\system32\wceswpfe.ini
C:\WINDOWS\system32\jiddpnwm.ini
C:\WINDOWS\system32\orpyanqe.ini
C:\WINDOWS\system32\ibxdcvjj.ini
C:\WINDOWS\system32\xljglqxf.ini
C:\WINDOWS\system32\rqrxjpxo.ini
C:\Documents and Settings\Owner\DesktopTrojan.Win32.BlackBird.exe
C:\Documents and Settings\Owner\DesktopFWebdEditor.exe
C:\Documents and Settings\Owner\Desktopfwebd.exe
C:\Documents and Settings\Owner\Desktopfkwp2.0.exe
C:\Documents and Settings\Owner\Desktopfkwp1.5.exe
C:\Documents and Settings\Owner\Desktopfilemanagerclient.exe
C:\Documents and Settings\Owner\DesktopEditorFKWP2.0.exe
C:\Documents and Settings\Owner\DesktopEditorFKWP1.5.exe

Folder::
C:\Documents and Settings\All Users\Application Data\atmhsfoz

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJCVlJy]

Save the file as CFScript (exactly as shown, no spaces) ->> Save it to your Desktop

Using the Image as a reference, drag CFScript into ComboFix.exe

  • You will be prompted to run Combofix again. Do so, following the same rules as indicated in my first post.
  • Then post the contents of the C:\ComboFix.txt log in your reply.

2. Rerun Hijackthis and post a fresh Hijackthis log as well.

11 Posts

April 17th, 2008 01:00

Results posted in two posts.

ComboFix 08-04-15.8 - Owner 2008-04-16 20:38:57.2 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Owner\DesktopEditorFKWP1.5.exe
C:\Documents and Settings\Owner\DesktopEditorFKWP2.0.exe
C:\Documents and Settings\Owner\Desktopfilemanagerclient.exe
C:\Documents and Settings\Owner\Desktopfkwp1.5.exe
C:\Documents and Settings\Owner\Desktopfkwp2.0.exe
C:\Documents and Settings\Owner\Desktopfwebd.exe
C:\Documents and Settings\Owner\DesktopFWebdEditor.exe
C:\Documents and Settings\Owner\DesktopTrojan.Win32.BlackBird.exe
C:\WINDOWS\BMe7068e3c.xml
C:\WINDOWS\system32\bxhdbrpq.ini
C:\WINDOWS\system32\ibxdcvjj.ini
C:\WINDOWS\system32\itlprbxh.ini
C:\WINDOWS\system32\jiddpnwm.ini
C:\WINDOWS\system32\lcdretgl.ini
C:\WINDOWS\system32\orpyanqe.ini
C:\WINDOWS\system32\quqrkhql.ini
C:\WINDOWS\system32\rqrxjpxo.ini
C:\WINDOWS\system32\wceswpfe.ini
C:\WINDOWS\system32\weavoqbx.ini
C:\WINDOWS\system32\wympeecd.ini
C:\WINDOWS\system32\xljglqxf.ini
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\atmhsfoz
C:\Documents and Settings\Owner\Desktopblackbird.jpg
C:\Documents and Settings\Owner\DesktopEditorFKWP1.5.exe
C:\Documents and Settings\Owner\DesktopEditorFKWP2.0.exe
C:\Documents and Settings\Owner\Desktopfilemanagerclient.exe
C:\Documents and Settings\Owner\Desktopfkwp1.5.exe
C:\Documents and Settings\Owner\Desktopfkwp2.0.exe
C:\Documents and Settings\Owner\Desktopfwebd.exe
C:\Documents and Settings\Owner\DesktopFWebdEditor.exe
C:\Documents and Settings\Owner\DesktopTrojan.Win32.BlackBird.exe
C:\WINDOWS\BMe7068e3c.xml
C:\WINDOWS\system32\bxhdbrpq.ini
C:\WINDOWS\system32\ibxdcvjj.ini
C:\WINDOWS\system32\itlprbxh.ini
C:\WINDOWS\system32\jiddpnwm.ini
C:\WINDOWS\system32\lcdretgl.ini
C:\WINDOWS\system32\orpyanqe.ini
C:\WINDOWS\system32\quqrkhql.ini
C:\WINDOWS\system32\rqrxjpxo.ini
C:\WINDOWS\system32\wceswpfe.ini
C:\WINDOWS\system32\weavoqbx.ini
C:\WINDOWS\system32\wympeecd.ini
C:\WINDOWS\system32\xljglqxf.ini

.
(((((((((((((((((((((((((   Files Created from 2008-03-17 to 2008-04-17  )))))))))))))))))))))))))))))))
.

2008-04-15 22:10 . 2002-07-26 23:24   d-------- C:\Documents and Settings\Administrator.YOUR-US67PI6LUV\WINDOWS
2008-04-15 22:10 . 2002-07-26 23:23   d-------- C:\Documents and Settings\Administrator.YOUR-US67PI6LUV\Application Data\VERITAS
2008-04-15 22:10 . 2002-07-26 23:23   d-------- C:\Documents and Settings\Administrator.YOUR-US67PI6LUV\Application Data\Symantec
2008-04-15 22:10 . 2002-07-26 23:23   d-------- C:\Documents and Settings\Administrator.YOUR-US67PI6LUV\Application Data\Share-to-Web Upload Folder
2008-04-15 22:10 . 2002-07-26 23:23   d-------- C:\Documents and Settings\Administrator.YOUR-US67PI6LUV\Application Data\InterTrust
2008-04-15 22:10 . 2008-04-15 22:10   d-------- C:\Documents and Settings\Administrator.YOUR-US67PI6LUV
2008-04-10 12:15 . 2008-04-10 12:45   d-------- C:\Program Files\XoftSpySE
2008-04-09 00:44 . 2008-04-09 00:44   d-------- C:\HJT
2008-04-07 21:47 . 2008-04-07 21:47   d-------- C:\VundoFix Backups

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 22:54 --------- d-----w C:\Program Files\Three Rings Design
2008-04-13 20:11 --------- d-----w C:\Program Files\Eusing Free Registry Cleaner
2008-04-13 06:04 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-13 06:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-13 05:05 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-10 18:02 --------- d-----w C:\Program Files\RegCure
2008-04-10 17:33 --------- d-----w C:\Program Files\Lycos
2008-03-25 02:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-07 02:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-07 02:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-07 02:32 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-03-07 00:16 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-03-06 19:25 --------- d-----w C:\Program Files\MSBuild
2008-03-06 19:13 --------- d-----w C:\Program Files\Reference Assemblies
2008-03-06 19:09 --------- d-----w C:\Program Files\MSXML 6.0
2008-03-02 16:40 --------- d-----w C:\Program Files\Enigma Software Group
2008-03-02 16:37 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-03-02 16:04 --------- d-----w C:\Program Files\ZooVet_at
2008-02-19 19:44 96,432 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2008-02-19 19:44 41,008 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2008-02-19 19:44 38,576 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2008-02-19 19:44 37,424 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2008-02-19 19:44 31,408 ----a-w C:\WINDOWS\system32\drivers\SymIM.sys
2008-02-19 19:44 22,320 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2008-02-19 19:44 188,464 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2008-02-19 19:44 13,616 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2008-02-19 19:44 13,021 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2008-02-19 19:44 1,612 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2006-05-13 21:01 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
2005-10-04 02:16 32 -c--a-r C:\Documents and Settings\All Users\hash.dat

11 Posts

April 17th, 2008 01:00

-- Snapshot reset to current date --
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-02-11 20:52 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2002-07-16 10:03 106549]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-12-19 01:39 212992]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-05-15 05:20 114688]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-06-14 18:39 81920]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 14:15 51048]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-08-24 23:53 714608]
"LTMSG"="LTMSG.exe" [2003-07-14 11:52 40960 C:\WINDOWS\ltmsg.exe]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center.lnk]
backup=C:\WINDOWS\pss\hp center.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
--a--c--- 2002-06-18 01:11 69632 c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-05-08 16:24 54840 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2002-05-15 05:29 155648 C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2002-05-03 19:06 364544 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Repair Registry Pro]
--a--c--- 2005-05-14 16:14 1802240 C:\Program Files\Repair Registry Pro\RepairRegistryPro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
--a--c--- 2002-05-09 10:01 155648 C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 02:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"=
"C:\\Program Files\\WS_FTP\\WS_FTP95.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R3 genmcmnUSB;USB Scroll Mouse Driver;C:\WINDOWS\system32\DRIVERS\gflmouhid.sys [2004-04-19 16:01]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-13 21:09:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-17 01:22:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-04-16 06:57:02 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-04-16 10:39:57 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
"2008-04-16 08:30:01 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job"
- C:\Program Files\RegClean\RegClean.ex
- C:\Program Files\RegClean
"2008-04-17 01:25:25 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-04-10 08:00:01 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-04-17 01:27:19 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-04-16 10:39:27 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-16 20:49:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
Completion time: 2008-04-16 21:03:51
ComboFix-quarantined-files.txt  2008-04-17 02:03:43
ComboFix2.txt  2008-04-16 23:22:53

Pre-Run: 34,106,097,664 bytes free
Post-Run: 34,094,080,000 bytes free
.
2008-04-17 00:27:23 --- E O F --- 

11 Posts

April 17th, 2008 01:00

Make that 3 posts, still too large :).


(((((((((((((((((((((((((((((   snapshot@2008-04-16_18.20.16.18   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-19 09:40:27 1,845,888 ----a-w C:\WINDOWS\$hf_mig$\KB941693\SP2QFE\win32k.sys
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB941693\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB941693\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB941693\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB941693\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB941693\update\updspapi.dll
+ 2008-02-20 05:19:35 147,968 ----a-w C:\WINDOWS\$hf_mig$\KB945553\SP2QFE\dnsapi.dll
+ 2008-02-20 18:49:36 45,568 ----a-w C:\WINDOWS\$hf_mig$\KB945553\SP2QFE\dnsrslvr.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB945553\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB945553\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB945553\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB945553\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB945553\update\updspapi.dll
+ 2008-02-20 06:52:43 282,624 ----a-w C:\WINDOWS\$hf_mig$\KB948590\SP2QFE\gdi32.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB948590\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB948590\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB948590\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB948590\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB948590\update\updspapi.dll
- 2008-04-16 22:58:00 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-17 01:24:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2007-12-07 02:21:45 124,928 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\advpack.dll
+ 2007-12-19 23:01:06 347,136 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\dxtmsft.dll
+ 2007-12-07 02:21:45 214,528 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\dxtrans.dll
+ 2007-12-07 02:21:45 133,120 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\extmgr.dll
+ 2007-12-07 02:21:45 63,488 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\icardie.dll
+ 2007-12-06 11:00:57 70,656 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ie4uinit.exe
+ 2007-12-07 02:21:45 153,088 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ieakeng.dll
+ 2007-12-07 02:21:45 230,400 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ieaksie.dll
+ 2007-12-06 04:59:51 161,792 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ieakui.dll
+ 2007-12-07 02:21:45 383,488 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ieapfltr.dll
+ 2007-12-07 02:21:45 384,512 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\iedkcs32.dll
+ 2007-12-07 02:21:46 6,066,176 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ieframe.dll
+ 2007-12-07 02:21:46 44,544 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\iernonce.dll
+ 2007-12-07 02:21:46 267,776 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\iertutil.dll
+ 2007-12-06 11:00:58 13,824 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ieudinit.exe
+ 2007-12-06 11:01:25 625,664 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\iexplore.exe
+ 2007-12-07 02:21:47 27,648 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\jsproxy.dll
+ 2007-12-07 02:21:47 459,264 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\msfeeds.dll
+ 2007-12-07 02:21:47 52,224 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\msfeedsbs.dll
+ 2007-12-08 05:21:48 3,592,192 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\mshtml.dll
+ 2007-12-07 02:21:47 478,208 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\mshtmled.dll
+ 2007-12-07 02:21:48 193,024 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\msrating.dll
+ 2007-12-07 02:21:48 671,232 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\mstime.dll
+ 2007-12-07 02:21:48 102,912 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\occache.dll
+ 2008-01-11 05:53:32 44,544 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\pngfilt.dll
+ 2007-03-06 01:22:39 213,216 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\updspapi.dll
+ 2007-12-07 02:21:48 105,984 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\url.dll
+ 2007-12-07 02:21:48 1,159,680 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\urlmon.dll
+ 2007-12-07 02:21:48 233,472 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\webcheck.dll
+ 2007-12-07 02:21:48 824,832 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\wininet.dll
- 2007-12-07 02:21:45 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2008-03-01 13:06:20 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
- 2007-12-07 02:21:45 124,928 -c--a-w C:\WINDOWS\system32\dllcache\advpack.dll
+ 2008-03-01 13:06:20 124,928 -c--a-w C:\WINDOWS\system32\dllcache\advpack.dll
- 2006-06-26 17:37:10 148,480 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
+ 2008-02-20 05:32:43 148,992 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
+ 2008-02-20 05:32:43 45,568 -c----w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
- 2007-12-19 23:01:06 347,136 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2008-03-01 13:06:21 347,136 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2007-12-07 02:21:45 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-03-01 13:06:21 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2007-12-07 02:21:45 133,120 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2008-03-01 13:06:21 133,120 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2007-06-19 13:31:19 282,112 -c--a-w C:\WINDOWS\system32\dllcache\gdi32.dll
+ 2008-02-20 06:51:05 282,624 -c--a-w C:\WINDOWS\system32\dllcache\gdi32.dll
- 2007-12-07 02:21:45 63,488 -c--a-w C:\WINDOWS\system32\dllcache\icardie.dll
+ 2008-03-01 13:06:21 63,488 -c--a-w C:\WINDOWS\system32\dllcache\icardie.dll
- 2007-12-06 11:00:57 70,656 -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
+ 2008-02-29 08:55:23 70,656 -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
- 2007-12-07 02:21:45 153,088 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2008-03-01 13:06:21 153,088 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
- 2007-12-07 02:21:45 230,400 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
+ 2008-03-01 13:06:21 230,400 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
- 2007-12-06 04:59:51 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
+ 2008-02-15 05:44:25 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
- 2007-12-07 02:21:45 383,488 -c--a-w C:\WINDOWS\system32\dllcache\ieapfltr.dll
+ 2008-03-01 13:06:22 383,488 -c--a-w C:\WINDOWS\system32\dllcache\ieapfltr.dll
- 2007-12-07 02:21:45 384,512 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
+ 2008-03-01 13:06:22 384,512 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
- 2007-12-07 02:21:46 6,066,176 -c--a-w C:\WINDOWS\system32\dllcache\ieframe.dll
+ 2008-03-01 13:06:24 6,066,176 -c--a-w C:\WINDOWS\system32\dllcache\ieframe.dll
- 2007-12-07 02:21:46 44,544 -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll
+ 2008-03-01 13:06:24 44,544 -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll
- 2007-12-07 02:21:46 267,776 -c--a-w C:\WINDOWS\system32\dllcache\iertutil.dll
+ 2008-03-01 13:06:25 267,776 -c--a-w C:\WINDOWS\system32\dllcache\iertutil.dll
- 2007-12-06 11:00:58 13,824 -c--a-w C:\WINDOWS\system32\dllcache\ieudinit.exe
+ 2008-02-22 10:00:51 13,824 -c--a-w C:\WINDOWS\system32\dllcache\ieudinit.exe
- 2007-12-06 11:01:25 625,664 -c--a-w C:\WINDOWS\system32\dllcache\iexplore.exe
+ 2008-02-29 08:55:46 625,664 -c--a-w C:\WINDOWS\system32\dllcache\iexplore.exe
- 2007-12-07 02:21:47 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-03-01 13:06:25 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2007-12-07 02:21:47 459,264 -c--a-w C:\WINDOWS\system32\dllcache\msfeeds.dll
+ 2008-03-01 13:06:26 459,264 -c--a-w C:\WINDOWS\system32\dllcache\msfeeds.dll
- 2007-12-07 02:21:47 52,224 -c--a-w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
+ 2008-03-01 13:06:26 52,224 -c--a-w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
- 2007-12-08 05:21:48 3,592,192 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2008-03-01 23:36:30 3,591,680 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2007-12-07 02:21:47 478,208 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2008-03-01 13:06:28 478,208 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2007-12-07 02:21:48 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2008-03-01 13:06:28 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2007-12-07 02:21:48 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2008-03-01 13:06:29 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2007-12-07 02:21:48 102,912 -c--a-w C:\WINDOWS\system32\dllcache\occache.dll
+ 2008-03-01 13:06:29 102,912 -c--a-w C:\WINDOWS\system32\dllcache\occache.dll
- 2008-01-11 05:53:32 44,544 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2008-03-01 13:06:29 44,544 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2007-12-07 02:21:48 105,984 -c--a-w C:\WINDOWS\system32\dllcache\url.dll
+ 2008-03-01 13:06:29 105,984 -c--a-w C:\WINDOWS\system32\dllcache\url.dll
- 2007-12-07 02:21:48 1,159,680 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-03-01 13:06:30 1,159,680 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2007-12-07 02:21:48 233,472 -c--a-w C:\WINDOWS\system32\dllcache\webcheck.dll
+ 2008-03-01 13:06:30 233,472 -c--a-w C:\WINDOWS\system32\dllcache\webcheck.dll
- 2007-03-08 13:47:48 1,843,584 -c--a-w C:\WINDOWS\system32\dllcache\win32k.sys
+ 2008-03-19 09:47:00 1,845,248 -c--a-w C:\WINDOWS\system32\dllcache\win32k.sys
- 2007-12-07 02:21:48 824,832 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-03-01 13:06:31 826,368 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
- 2006-06-26 17:37:10 148,480 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2008-02-20 05:32:43 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
- 2004-08-04 05:56:44 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
+ 2008-02-20 05:32:43 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
- 2007-12-19 23:01:06 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2008-03-01 13:06:21 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2007-12-07 02:21:45 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2008-03-01 13:06:21 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2007-12-07 02:21:45 133,120 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2008-03-01 13:06:21 133,120 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2008-03-07 00:00:01 156,360 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-04-16 23:37:22 156,360 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2007-06-19 13:31:19 282,112 ----a-w C:\WINDOWS\system32\gdi32.dll
+ 2008-02-20 06:51:05 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
- 2007-12-07 02:21:45 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
+ 2008-03-01 13:06:21 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
- 2007-12-06 11:00:57 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
+ 2008-02-29 08:55:23 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
- 2007-12-07 02:21:45 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
+ 2008-03-01 13:06:21 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
- 2007-12-07 02:21:45 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
+ 2008-03-01 13:06:21 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
- 2007-12-06 04:59:51 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
+ 2008-02-15 05:44:25 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
- 2007-12-07 02:21:45 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
+ 2008-03-01 13:06:22 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
- 2007-12-07 02:21:45 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
+ 2008-03-01 13:06:22 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
- 2007-12-07 02:21:46 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
+ 2008-03-01 13:06:24 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
- 2007-12-07 02:21:46 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
+ 2008-03-01 13:06:24 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
- 2007-12-07 02:21:46 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
+ 2008-03-01 13:06:25 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
- 2007-12-06 11:00:58 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
+ 2008-02-22 10:00:51 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
- 2007-12-07 02:21:47 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2008-03-01 13:06:25 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2008-04-06 03:56:22 19,836,024 ----a-w C:\WINDOWS\system32\MRT.exe
- 2007-12-07 02:21:47 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
+ 2008-03-01 13:06:26 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
- 2007-12-07 02:21:47 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
+ 2008-03-01 13:06:26 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
- 2007-12-08 05:21:48 3,592,192 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2008-03-01 23:36:30 3,591,680 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2007-12-07 02:21:47 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2008-03-01 13:06:28 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2007-12-07 02:21:48 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2008-03-01 13:06:28 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
- 2007-12-07 02:21:48 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2008-03-01 13:06:29 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
- 2007-12-07 02:21:48 102,912 ----a-w C:\WINDOWS\system32\occache.dll
+ 2008-03-01 13:06:29 102,912 ----a-w C:\WINDOWS\system32\occache.dll
- 2008-01-11 05:53:32 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2008-03-01 13:06:29 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2007-12-07 02:21:48 105,984 ----a-w C:\WINDOWS\system32\url.dll
+ 2008-03-01 13:06:29 105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2007-12-07 02:21:48 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2008-03-01 13:06:30 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2007-12-07 02:21:48 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2008-03-01 13:06:30 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
- 2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
+ 2008-03-19 09:47:00 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
- 2007-12-07 02:21:48 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2008-03-01 13:06:31 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
- 2008-04-16 22:58:51 16,384 --sha-w C:\WINDOWS\Temp\Cookies\index.dat
+ 2008-04-17 01:25:29 16,384 --sha-w C:\WINDOWS\Temp\Cookies\index.dat
- 2008-04-16 22:58:51 16,384 --sha-w C:\WINDOWS\Temp\History\History.IE5\index.dat
+ 2008-04-17 01:25:29 16,384 --sha-w C:\WINDOWS\Temp\History\History.IE5\index.dat
- 2008-04-16 22:58:51 32,768 --sha-w C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-17 01:25:29 32,768 --sha-w C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat
.

11 Posts

April 17th, 2008 01:00

Logfile of HijackThis v1.99.1
Scan saved at 9:28:51 PM, on 4/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://37.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://37.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/activedata/nprdtinf.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://www.kungfuchess.com/activex/web665.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177987668671
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177991148140
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe


10.4K Posts

April 17th, 2008 11:00

Nicely done.

1. *NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!

Download CCleaner from here to clean temp files from your computer.

  • Double click on the file to start the installation of the program.
  • Select your language and click OK, then Next.
  • Read the license agreement and click I Agree.
  • Click Next to use the default install location. Click Install, then Finish to complete the installation.
  • Double click the CCleaner shortcut on the desktop to start the program.
  • On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to re-enter your passwords at all sites where a cookie is used to recognize you when you visit.)
  • If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
  • Click on the "Options" icon at the left side of the window, then click on "Advanced" and deselect "Only delete files in Windows Temp folders older than 48 hours."
  • Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
  • Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry, as it has been known to find legitimate items.
  • After CCleaner has completed its process, click Exit.

2. Please perform an Ewido Online Malware Scan

  • When a dialog box appears asking you if you would like to download and install the ewido anti-spyware online scanner, please click Yes to allow the download.
  • Click on Start Scan.
  • After the scan completes it will produce a log for you; copy and paste the results of that scan as a reply to this thread.
  • If any infections are found (after you save the logfile), click on Remove Infections.

Microsoft MVP Consumer-Security

"The world is what you make of it"

11 Posts

April 17th, 2008 21:00

__________________________________________________
ewido anti-spyware online scanner
 http://www.ewido.net
__________________________________________________


Name: TrackingCookie.Netflame
Path: C:\Documents and Settings\Owner\Cookies\owner@ssl-hints.netflame[1].txt
Risk: Medium

Name: Adware.RXToolbar
Path: HKU\S-1-5-21-2771580065-1597234714-2502462651-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{59879FA4-4790-461C-A1CC-4EC4DE4CA483}
Risk: Medium

Name: Adware.Aws
Path: C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll
Risk: Medium

Name: Not-A-Virus.Adware.Virtumonde
Path: C:\QooBox\Quarantine\C\WINDOWS\system32\mlJCVlJy.dll.vir
Risk: Low

Name: Not-A-Virus.Adware.Virtumonde
Path: C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP13\A0011538.dll
Risk: Low

Name: Adware.TopSearch
Path: C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP8\A0000119.exe
Risk: Medium

Name: Adware.Altnet
Path: C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP8\A0000123.dll
Risk: Medium

Name: Adware.P2PNet
Path: C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP8\A0000132.DLL
Risk: Medium

Name: Adware.P2PNet
Path: C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP8\A0000133.cpl
Risk: Medium

Name: Adware.P2PNet
Path: C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP8\A0000134.exe
Risk: Medium

Name: Adware.RXBar
Path: C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP8\A0000153.dll
Risk: Medium

Name: Adware.RXToolbar
Path: C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP8\A0000154.dll
Risk: Medium

Name: Adware.Altnet
Path: C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP8\A0000168.dll
Risk: Medium

Name: Adware.Altnet
Path: C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP8\A0000169.exe
Risk: Medium

Name: Not-A-Virus.Adware.Virtumonde
Path: C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP8\A0000217.dll
Risk: Low

Name: Not-A-Virus.Downloader.Win32.PopCap.a
Path: C:\WINDOWS\Downloaded Program Files\CONFLICT.1\popcaploader.dll
Risk: Low

Name: Not-A-Virus.Downloader.Win32.PopCap.a
Path: C:\WINDOWS\Downloaded Program Files\popcaploader.dll
Risk: Low

Name: Adware.BargainBuddy
Path: C:\WINDOWS\system32\Lycos.dll
Risk: Medium


No Events found!
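Most of the Virtumonde hits in the report above are not live files: one is the DLL ComboFix already moved to its quarantine under C:\QooBox (renamed with a .vir extension), and the rest sit inside System Restore points under System Volume Information\_restore{...}, where they only come back if that restore point is applied. The entries that still matter are the registry key and the DLLs under C:\WINDOWS and Program Files. As an added example, not code from the thread or from ewido, this sorts a report of this shape by where each hit lives so the live items stand out; the sample entries are copied from the report above.

```python
"""Sort an ewido online-scan report by where each hit lives.

Added example, not part of the thread.  Sample entries are copied from the
report above; the location rules are this example's own classification.
"""
import re
from collections import Counter

SAMPLE_REPORT = r"""
Name: TrackingCookie.Netflame
Path: C:\Documents and Settings\Owner\Cookies\owner@ssl-hints.netflame[1].txt
Risk: Medium

Name: Adware.RXToolbar
Path: HKU\S-1-5-21-2771580065-1597234714-2502462651-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{59879FA4-4790-461C-A1CC-4EC4DE4CA483}
Risk: Medium

Name: Not-A-Virus.Adware.Virtumonde
Path: C:\QooBox\Quarantine\C\WINDOWS\system32\mlJCVlJy.dll.vir
Risk: Low

Name: Not-A-Virus.Adware.Virtumonde
Path: C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP13\A0011538.dll
Risk: Low

Name: Adware.BargainBuddy
Path: C:\WINDOWS\system32\Lycos.dll
Risk: Medium
"""

# One report entry is three consecutive lines: Name / Path / Risk.
ENTRY_RE = re.compile(r"Name: (?P<name>.+)\nPath: (?P<path>.+)\nRisk: (?P<risk>\w+)")


def classify_path(path):
    """Say where a reported path lives; only 'live' and 'registry' are active."""
    p = path.lower()
    if p.startswith(("hku\\", "hklm\\", "hkcu\\", "hkey_")):
        return "registry"
    if "\\system volume information\\_restore" in p:
        # Copy kept by System Restore; inert unless that restore point is applied.
        return "restore_point"
    if "\\qoobox\\quarantine\\" in p:
        # Already moved aside by ComboFix (renamed .vir), not loadable from there.
        return "quarantine"
    if "\\cookies\\" in p:
        return "cookie"
    return "live"


def parse(report):
    """Return [(name, path, risk, location)] for every entry in the report."""
    return [(m["name"], m["path"], m["risk"], classify_path(m["path"]))
            for m in ENTRY_RE.finditer(report)]


def summary(report):
    """Count entries per location bucket."""
    return dict(Counter(where for _, _, _, where in parse(report)))


def live_hits(report):
    """Entries that are still active on the system: files in place and registry keys."""
    return [(name, path) for name, path, _, where in parse(report)
            if where in ("live", "registry")]


if __name__ == "__main__":
    print(summary(SAMPLE_REPORT))
    for name, path in live_hits(SAMPLE_REPORT):
        print("LIVE", name, path)
```

The quarantine and restore-point copies are still worth removing (purging old restore points after a clean-up is the usual step), but they are not what is producing pop-ups today; the live list is where to look for that.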
