‎Vundo variant | DELL Technologies

Responses(49)
Solutions(0)

1972vet

3.3K Posts

0

December 24th, 2007 06:00

Message Edited by 1972vet on 02-27-2008 12:38 PM

hawk8060

72 Posts

0

December 25th, 2007 15:00

1972vet, thank you for your response and assistance,

I located the application named hijackthis.exe & renamed it Analyze.exe

here is the logfile:

Logfile of HijackThis v1.99.1
Scan saved at 11:48:58 AM, on 12/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hijackthis\Analyze.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F3 - REG:win.ini: load=C:\WINDOWS\system32\geedc.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {907614DE-975F-4316-987A-E9D5249C4ED1} - C:\WINDOWS\system32\geedc.dll
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\ddcbbxy.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Cris Hawkins\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15-3.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O20 - Winlogon Notify: ddcbbxy - C:\WINDOWS\SYSTEM32\ddcbbxy.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

1972vet

3.3K Posts

0

December 25th, 2007 23:00

Message Edited by 1972vet on 02-27-2008 12:38 PM

hawk8060

72 Posts

0

December 26th, 2007 18:00

1972vet,

thanks for the direction and all of your help to date,

looks like it may have worked, it took 3 passes to get the files deleted....

there is one file "C:\WINDOWS\system32\ddcbbxy.dll that could not be deleted.

below are the logfiles for VundoFix & HJT

do you have any idea what the last line entry is on the HJT logfile?, I have no clue what this is

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

here is the VundoFix logfile:
VundoFix V6.7.7

Checking Java version...

Sun Java not detected
Scan started at 12:33:10 PM 12/26/2007

Listing files found while scanning....

C:\windows\system32\awvtt.dll
C:\WINDOWS\system32\awvtt.exe
C:\WINDOWS\system32\cdeeg.ini
C:\WINDOWS\system32\cdeeg.ini2
C:\WINDOWS\system32\ddcbbxy.dll
C:\WINDOWS\system32\geedc.dll
C:\WINDOWS\system32\geedc.exe
C:\windows\system32\ttvwa.ini
C:\WINDOWS\system32\ttvwa.ini2

Beginning removal...

Attempting to delete C:\windows\system32\awvtt.dll
C:\windows\system32\awvtt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\awvtt.exe
C:\WINDOWS\system32\awvtt.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\cdeeg.ini
C:\WINDOWS\system32\cdeeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\cdeeg.ini2
C:\WINDOWS\system32\cdeeg.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddcbbxy.dll
C:\WINDOWS\system32\ddcbbxy.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\geedc.dll
C:\WINDOWS\system32\geedc.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\geedc.exe
C:\WINDOWS\system32\geedc.exe Has been deleted!

Attempting to delete C:\windows\system32\ttvwa.ini
C:\windows\system32\ttvwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ttvwa.ini2
C:\WINDOWS\system32\ttvwa.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.7.7

Checking Java version...

Sun Java not detected
Scan started at 1:28:22 PM 12/26/2007

Listing files found while scanning....

C:\WINDOWS\system32\cdeeg.ini
C:\WINDOWS\system32\cdeeg.ini2
C:\WINDOWS\system32\ddcbbxy.dll
C:\WINDOWS\system32\geedc.dll
C:\WINDOWS\system32\geedc.exe

Beginning removal...

Attempting to delete C:\WINDOWS\system32\cdeeg.ini
C:\WINDOWS\system32\cdeeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\cdeeg.ini2
C:\WINDOWS\system32\cdeeg.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddcbbxy.dll
C:\WINDOWS\system32\ddcbbxy.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\geedc.dll
C:\WINDOWS\system32\geedc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\geedc.exe
C:\WINDOWS\system32\geedc.exe Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddcbbxy.dll
C:\WINDOWS\system32\ddcbbxy.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

______________________________________________________________________________

here is the latest hijackthis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 2:19:52 PM, on 12/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hijackthis\Analyze.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F3 - REG:win.ini: load=C:\WINDOWS\system32\geedc.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {8163C9F4-0ECD-48DD-BF43-1400F1F99B0E} - C:\WINDOWS\system32\geedc.dll
O2 - BHO: (no name) - {C8BFC464-E776-4F17-9D4E-3EBC3607E7C4} - C:\WINDOWS\system32\geedc.dll
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\ddcbbxy.dll
O2 - BHO: (no name) - {D9B10C88-70B4-40E1-BD06-C04879DA25EC} - C:\WINDOWS\system32\awvtt.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Cris Hawkins\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15-3.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

1972vet

3.3K Posts

0

December 26th, 2007 20:00

Message Edited by 1972vet on 02-27-2008 12:38 PM

hawk8060

72 Posts

0

December 26th, 2007 22:00

1972vet,

please forgive me if this response is a duplicate, the earlier post didn't seem to hit the board.

I ran ComboFix as instructed, it hung up while creating the logfile, I had to reboot

I am now getting prompted to install malware s/w - this is something new

from this url

http://scanner2.malware-scan.com/10_swp/?ax=1&ed=2&tmn=null&aid=nm_ff_ma_kw1_ma10&lid=msn.com&affid=nm_151076_8fd704b2b0ee11dca55a151076dcffff_8f8066ccc6f543c5bad58c2688c6a216&ax=1&ed=2&mt_info=4586_0_10992

here is the logfile from ComboFix

I had to edit the word "cr(a)p" below - message board didn't like it being used

ComboFix 07-12-21.4 - Billy Hawkins 2007-12-26 16:56:20.1 - NTFSx86
Running from: C:\Documents and Settings\Billy Hawkins\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\asembl~1
C:\Program Files\Common Files\asembl~1\a?sembly\
C:\Program Files\Common Files\asembl~1\dllhost .exe
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\Program Files\montorgueil
C:\Program Files\montorgueil\14.03579
C:\Program Files\montorgueil\Film-Pamela-Anderson\Film-Pamela-Anderson.ico
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\cr(a)p.1193191137.old
C:\Program Files\WinBudget\bin\matrix.dat
C:\WINDOWS\system32\cdeeg.ini
C:\WINDOWS\system32\cdeeg.ini2
C:\WINDOWS\system32\ddcbbxy.dll
C:\WINDOWS\system32\geedc.dll
C:\WINDOWS\system32\pcs
C:\WINDOWS\system32\pcs\License.txt
C:\WINDOWS\system32\stlbdist.XML

.
((((((((((((((((((((((((( Files Created from 2007-11-26 to 2007-12-26 )))))))))))))))))))))))))))))))
.

2007-12-26 17:16 . 2007-12-26 17:16 319 --ahs---- C:\WINDOWS\system32\cdeeg.ini2
2007-12-26 17:16 . 2007-12-26 17:16 319 --ahs---- C:\WINDOWS\system32\cdeeg.ini
2007-12-26 14:14 . 2007-12-26 17:16 338,432 --a------ C:\WINDOWS\system32\geedc.exe
2007-12-26 14:06 . 2007-12-26 14:06 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-12-26 12:33 . 2007-12-26 14:09 d-------- C:\VundoFix Backups
2007-12-23 16:48 . 2007-12-23 16:48 344,064 --a------ C:\WINDOWS\system32\RCX107.tmp
2007-12-22 19:19 . 2007-12-25 11:37 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-22 19:06 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2007-12-22 18:47 . 2007-12-22 18:47 344,064 --a------ C:\WINDOWS\system32\RCX23.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-26 23:16 20,480 ----a-w C:\WINDOWS\system32\ctfmon.exe
2007-12-26 22:50 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-12-25 21:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-25 21:20 --------- d-----w C:\Program Files\AIM6
2007-12-23 01:30 3,140 ----a-w C:\WINDOWS\system32\tmp.reg
2007-12-07 02:14 --------- d-----w C:\Documents and Settings\Patti Hawkins\Application Data\U3
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-13 03:25 --------- d-----w C:\Documents and Settings\Lindsey Hawkins\Application Data\acccore
2007-11-04 20:43 --------- d-----w C:\Program Files\Google
2007-10-31 19:03 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:39 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-26 20:40 --------- d-----w C:\Program Files\Enigma Software Group
2007-10-26 01:27 --------- d-----w C:\Program Files\Windows Defender
2007-10-04 05:36 25,600 ----a-w C:\WINDOWS\system32\WS2Fix.exe
2007-08-26 23:23 66,120 ----a-w C:\Documents and Settings\Lindsey Hawkins\Application Data\GDIPFONTCACHEV1.DAT
2007-05-20 19:15 66,120 ----a-w C:\Documents and Settings\Billy Hawkins\Application Data\GDIPFONTCACHEV1.DAT
2006-03-28 22:27 63,184 ----a-w C:\Documents and Settings\Patti Hawkins\Application Data\GDIPFONTCACHEV1.DAT
2005-10-17 01:36 3,932 ----a-w C:\Documents and Settings\Billy Hawkins\Application Data\LMLayout.dat
2005-10-17 01:36 268 ----a-w C:\Documents and Settings\Billy Hawkins\Application Data\LMCPaper.dat
2005-07-06 14:44 3,932 ----a-w C:\Documents and Settings\Patti Hawkins\Application Data\LMLayout.dat
2005-07-06 14:44 268 ----a-w C:\Documents and Settings\Patti Hawkins\Application Data\LMCPaper.dat
2004-01-27 19:23 3,149 ----a-w C:\Program Files\Common Files\remove_tools.html
2002-01-18 12:52 3,932 ------w C:\Documents and Settings\LocalService\Application Data\LMLayout.dat
2002-01-18 12:52 3,932 ------w C:\Documents and Settings\Lindsey Hawkins\Application Data\LMLayout.dat
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

1972vet

3.3K Posts

0

December 27th, 2007 21:00

Message Edited by 1972vet on 02-27-2008 12:39 PM

1972vet

3.3K Posts

0

December 28th, 2007 01:00

Message Edited by 1972vet on 02-27-2008 12:39 PM

hawk8060

72 Posts

0

December 28th, 2007 18:00

1972vet,

Followed your instructions, here is the latest logfiles for ComboFix & HJT:

had to edit the word cr(a)p in:

C:\Program Files\WinBudget\bin\cr(a)p.1193191137.old

ComboFix 07-12-21.4 - Billy Hawkins 2007-12-28 13:30:50.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.58 [GMT -6:00]Running from: C:\Documents and Settings\Billy Hawkins\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Billy Hawkins\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\awvtt.dll
C:\WINDOWS\system32\geedc.dll
C:\WINDOWS\system32\ttvwa.ini
C:\WINDOWS\system32\ttvwa.ini2
.
---- Previous Run -------
.
C:\Program Files\Common Files\asembl~1
C:\Program Files\Common Files\asembl~1\a?sembly\
C:\Program Files\Common Files\asembl~1\dllhost .exe
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\Program Files\montorgueil
C:\Program Files\montorgueil\14.03579
C:\Program Files\montorgueil\Film-Pamela-Anderson\Film-Pamela-Anderson.ico
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\cr(a)p.1193191137.old
C:\Program Files\WinBudget\bin\matrix.dat
C:\WINDOWS\system32\cdeeg.ini
C:\WINDOWS\system32\cdeeg.ini2
C:\WINDOWS\system32\ddcbbxy.dll
C:\WINDOWS\system32\geedc.dll
C:\WINDOWS\system32\pcs
C:\WINDOWS\system32\pcs\License.txt
C:\WINDOWS\system32\stlbdist.XML

.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-28 )))))))))))))))))))))))))))))))
.

2007-12-28 04:29 . 2007-12-28 13:31 344,064 --a------ C:\WINDOWS\system32\awvtt.exe
2007-12-27 12:23 . 2007-12-27 12:23 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-26 19:46 . 2007-12-28 04:28 d-------- C:\Program Files\AIM6
2007-12-26 14:14 . 2007-12-28 04:29 338,432 --a------ C:\WINDOWS\system32\geedc.exe
2007-12-26 14:06 . 2007-12-26 14:06 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-12-26 12:33 . 2007-12-26 14:09 d-------- C:\VundoFix Backups
2007-12-23 16:48 . 2007-12-23 16:48 344,064 --a------ C:\WINDOWS\system32\RCX107.tmp
2007-12-22 19:19 . 2007-12-25 11:37 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-22 19:06 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2007-12-22 18:47 . 2007-12-22 18:47 344,064 --a------ C:\WINDOWS\system32\RCX23.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-28 10:29 --------- d-----w C:\Program Files\Windows Defender
2007-12-28 10:29 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-12-28 10:29 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-27 01:47 --------- d-----w C:\Program Files\Viewpoint
2007-12-27 01:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-27 01:46 --------- d-----w C:\Program Files\Common Files\AOL
2007-12-27 01:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-27 01:18 --------- d-----w C:\Program Files\The Weather Channel FW
2007-12-07 02:14 --------- d-----w C:\Documents and Settings\Patti Hawkins\Application Data\U3
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-13 03:25 --------- d-----w C:\Documents and Settings\Lindsey Hawkins\Application Data\acccore
2007-11-04 20:43 --------- d-----w C:\Program Files\Google
2007-08-26 23:23 66,120 ----a-w C:\Documents and Settings\Lindsey Hawkins\Application Data\GDIPFONTCACHEV1.DAT
2007-05-20 19:15 66,120 ----a-w C:\Documents and Settings\Billy Hawkins\Application Data\GDIPFONTCACHEV1.DAT
2006-03-28 22:27 63,184 ----a-w C:\Documents and Settings\Patti Hawkins\Application Data\GDIPFONTCACHEV1.DAT
2005-10-17 01:36 3,932 ----a-w C:\Documents and Settings\Billy Hawkins\Application Data\LMLayout.dat
2005-10-17 01:36 268 ----a-w C:\Documents and Settings\Billy Hawkins\Application Data\LMCPaper.dat
2005-07-06 14:44 3,932 ----a-w C:\Documents and Settings\Patti Hawkins\Application Data\LMLayout.dat
2005-07-06 14:44 268 ----a-w C:\Documents and Settings\Patti Hawkins\Application Data\LMCPaper.dat
2004-01-27 19:23 3,149 ----a-w C:\Program Files\Common Files\remove_tools.html
2002-01-18 12:52 3,932 ------w C:\Documents and Settings\LocalService\Application Data\LMLayout.dat
2002-01-18 12:52 3,932 ------w C:\Documents and Settings\Lindsey Hawkins\Application Data\LMLayout.dat
.

(((((((((((((((((((((((((((((   snapshot@2007-12-26_17.21.33.93   )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-25 07:05:22 38,428 ----a-w C:\WINDOWS\Downloaded Program Files\unagiuninst.exe
+ 2007-12-27 01:47:16 38,428 ----a-w C:\WINDOWS\Downloaded Program Files\unagiuninst.exe
- 2007-12-26 23:16:37 20,480 ----a-w C:\WINDOWS\system32\ctfmon.exe
+ 2004-08-04 07:56:48 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
+ 2004-08-04 07:56:48 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe1191455425
- 2006-12-12 16:45:04 1,474,864 ----a-w C:\WINDOWS\system32\LegitCheckControl.DLL
+ 2007-10-11 20:12:48 1,468,968 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll
- 2007-03-06 01:22:33 14,048 ------w C:\WINDOWS\system32\spmsg.dll
+ 2007-10-08 20:46:18 14,640 ------w C:\WINDOWS\system32\spmsg.dll
.
(((((((((((((((((((((((((((((((((((((((((((((   AWF   ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w            67,160 2005-08-05 20:08:26 C:\Program Files\AIM\bak\aim.exe

----a-w 180,269 2005-12-11 02:59:22 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 67,184 2004-12-10 23:02:26 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 417,280 2007-12-28 10:29:07 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

----a-w 172,122 2001-08-30 06:00:00 C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\bak\DIAGENT.EXE

----a-w 102,400 2001-03-28 01:00:00 C:\Program Files\Creative\SBLive\Program\bak\AHQInit.exe

----a-w 229,952 2006-09-12 06:58:54 C:\Program Files\iTunes\bak\iTunesHelper.exe

----a-w 241,714 2001-07-25 15:00:00 C:\Program Files\Microsoft Money\System\bak\Activation.exe

----a-w 282,624 2006-09-01 20:57:48 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 120,640 2004-12-30 19:19:40 C:\Program Files\Symantec AntiVirus\bak\VPTray.exe
----a-w 471,040 2007-12-28 10:29:09 C:\Program Files\Symantec AntiVirus\VPTray.exe

----a-w 866,584 2006-11-04 00:20:12 C:\Program Files\Windows Defender\bak\MSASCui.exe
----a-w 1,231,872 2007-12-28 10:29:12 C:\Program Files\Windows Defender\MSASCui.exe

----a-w 2,502,656 2004-08-06 20:33:46 C:\Program Files\Yahoo!\Messenger\bak\ypager.exe

----a-w 90,112 2000-05-11 06:00:00 C:\WINDOWS\bak\Updreg.exe

----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\system32\ctfmon.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2007-12-28 04:28]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~4.exe" []
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 01:56 C:\WINDOWS\system32\rundll32.exe]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 01:56 C:\WINDOWS\system32\rundll32.exe]
"DIAGENT"="C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.exe" []
"UpdReg"="C:\WINDOWS\Updreg.exe" []
"AHQInit"="C:\Program Files\Creative\SBLive\Program\AHQInit.exe" []
"MoneyStartUp10.0"="C:\Program Files\Microsoft Money\System\Activation.exe" []
"nwiz"="nwiz.exe" [2003-10-06 13:16 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 01:56 C:\WINDOWS\system32\rundll32.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-12-28 04:29]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-12-28 04:29]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" []
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-12-28 04:29]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-12-28 04:29]

C:\Documents and Settings\Patti Hawkins\Start Menu\Programs\Startup\
Event Reminder.lnk - C:\pmw\PMREMIND.EXE [1997-10-24 10:01:33]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 00:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-28 19:50:08 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-28 13:48:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-28 13:56:14 - machine was rebooted [Billy Hawkins]
.
2007-12-28 00:12:02 --- E O F ---

________________________________________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 2:00:41 PM, on 12/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\Analyze.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~4.EXE" -quiet
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Cris Hawkins\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15-3.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

1972vet

3.3K Posts

0

December 29th, 2007 00:00

Message Edited by 1972vet on 02-27-2008 12:40 PM

hawk8060

72 Posts

0

December 29th, 2007 12:00

1972vet,

here is the logfile:


Ran on Sat 12/29/2007 -  8:26:18.39

----a-w           307,200 2007-12-27 00:17:10 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
----a-w            63,712 2007-12-29 04:35:54 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
----a-w            50,528 2007-12-29 04:36:06 C:\Program Files\AIM6\aim6 .exe
----a-w            67,184 2007-12-29 04:35:45 C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w         1,694,208 2007-12-29 04:36:18 C:\Program Files\Messenger\msmsgs .exe
----a-w           120,640 2007-12-29 04:35:50 C:\Program Files\Symantec AntiVirus\VPTray .exe
----a-w           866,584 2007-12-29 04:36:10 C:\Program Files\Windows Defender\MSASCui .exe
----a-w         4,670,704 2007-12-25 17:37:28 C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
----a-w         4,670,704 2007-12-27 01:49:04 C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
----a-w         1,266,936 2007-12-29 04:36:36 C:\Valve\Steam\Steam .exe
----a-w            15,360 2007-12-29 04:36:09 C:\WINDOWS\system32\ctfmon .exe

Entries:               11 (11)
Directories:            0 Files:            11
Bytes:         13,793,760 Blocks:       26,945

1972vet

3.3K Posts

0

December 29th, 2007 15:00

Message Edited by 1972vet on 02-27-2008 12:41 PM

hawk8060

72 Posts

0

December 29th, 2007 16:00

1972vet,

list is shorter but still contains 5 files:


Ran on Sat 12/29/2007 - 12:03:58.43

------w            50,528 2007-12-29 04:36:06 C:\Program Files\AIM6\aim6 .exe
------w           120,640 2007-12-29 04:35:50 C:\Program Files\Symantec AntiVirus\VPTray .exe
------w           866,584 2007-12-29 04:36:10 C:\Program Files\Windows Defender\MSASCui .exe
------w         4,670,704 2007-12-25 17:37:28 C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
------w            15,360 2007-12-29 04:36:09 C:\WINDOWS\system32\ctfmon .exe

Entries:                5 (5)
Directories:            0 Files:             5
Bytes:          5,723,816 Blocks:       11,181

1972vet

3.3K Posts

0

December 29th, 2007 17:00

Message Edited by 1972vet on 02-27-2008 12:41 PM

hawk8060

72 Posts

0

December 29th, 2007 19:00

here are the logfiles:

Logfile of HijackThis v1.99.1
Scan saved at 3:20:44 PM, on 12/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hijackthis\Analyze.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~4.EXE" -quiet
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Cris Hawkins\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15-3.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

________________________________________________________________________________


Ran on Sat 12/29/2007 - 15:17:00.64

------w            50,528 2007-12-29 04:36:06 C:\Program Files\AIM6\aim6 .exe
------w           120,640 2007-12-29 04:35:50 C:\Program Files\Symantec AntiVirus\VPTray .exe
------w           866,584 2007-12-29 04:36:10 C:\Program Files\Windows Defender\MSASCui .exe
------w         4,670,704 2007-12-25 17:37:28 C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
------w            15,360 2007-12-29 04:36:09 C:\WINDOWS\system32\ctfmon .exe

Entries:                5 (5)
Directories:            0 Files:             5
Bytes:          5,723,816 Blocks:       11,181

________________________________________________________________________________

ComboFix 07-12-21.4 - Billy Hawkins 2007-12-29 14:50:08.3 - NTFSx86
Running from: C:\Documents and Settings\Billy Hawkins\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Billy Hawkins\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\awvtt.dll
C:\WINDOWS\system32\geedc.dll
C:\WINDOWS\system32\ttvwa.ini
C:\WINDOWS\system32\ttvwa.ini2

.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-29 )))))))))))))))))))))))))))))))
.

2007-12-28 22:36 . 2007-12-28 22:37 0 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-12-27 12:23 . 2007-12-27 12:23 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-26 19:46 . 2007-12-29 12:16 d-------- C:\Program Files\AIM6
2007-12-26 14:06 . 2007-12-26 14:06 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-12-26 12:33 . 2007-12-26 14:09 d-------- C:\VundoFix Backups
2007-12-23 16:48 . 2007-12-23 16:48 344,064 --a------ C:\WINDOWS\system32\RCX107.tmp
2007-12-22 19:19 . 2007-12-28 22:36 15,360 --------- C:\WINDOWS\system32\ctfmon .exe
2007-12-22 19:06 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2007-12-22 18:47 . 2007-12-22 18:47 344,064 --a------ C:\WINDOWS\system32\RCX23.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-29 21:11 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-12-29 20:53 --------- d-----w C:\Program Files\Windows Defender
2007-12-29 18:15 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-29 04:36 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
2007-12-27 01:47 --------- d-----w C:\Program Files\Viewpoint
2007-12-27 01:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-27 01:46 --------- d-----w C:\Program Files\Common Files\AOL
2007-12-27 01:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-27 01:18 --------- d-----w C:\Program Files\The Weather Channel FW
2007-12-27 00:23 3,140 ----a-w C:\WINDOWS\system32\tmp.reg
2007-12-07 02:14 --------- d-----w C:\Documents and Settings\Patti Hawkins\Application Data\U3
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-13 03:25 --------- d-----w C:\Documents and Settings\Lindsey Hawkins\Application Data\acccore
2007-11-04 20:43 --------- d-----w C:\Program Files\Google
2007-10-31 19:03 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:39 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-04 05:36 25,600 ----a-w C:\WINDOWS\system32\WS2Fix.exe
2007-08-26 23:23 66,120 ----a-w C:\Documents and Settings\Lindsey Hawkins\Application Data\GDIPFONTCACHEV1.DAT
2007-05-20 19:15 66,120 ----a-w C:\Documents and Settings\Billy Hawkins\Application Data\GDIPFONTCACHEV1.DAT
2006-03-28 22:27 63,184 ----a-w C:\Documents and Settings\Patti Hawkins\Application Data\GDIPFONTCACHEV1.DAT
2005-10-17 01:36 3,932 ----a-w C:\Documents and Settings\Billy Hawkins\Application Data\LMLayout.dat
2005-10-17 01:36 268 ----a-w C:\Documents and Settings\Billy Hawkins\Application Data\LMCPaper.dat
2005-07-06 14:44 3,932 ----a-w C:\Documents and Settings\Patti Hawkins\Application Data\LMLayout.dat
2005-07-06 14:44 268 ----a-w C:\Documents and Settings\Patti Hawkins\Application Data\LMCPaper.dat
2004-01-27 19:23 3,149 ----a-w C:\Program Files\Common Files\remove_tools.html
2002-01-18 12:52 3,932 ------w C:\Documents and Settings\LocalService\Application Data\LMLayout.dat
2002-01-18 12:52 3,932 ------w C:\Documents and Settings\Lindsey Hawkins\Application Data\LMLayout.dat
.

(((((((((((((((((((((((((((((   snapshot@2007-12-26_17.21.33.93   )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-25 07:05:22 38,428 ----a-w C:\WINDOWS\Downloaded Program Files\unagiuninst.exe
+ 2007-12-27 01:47:16 38,428 ----a-w C:\WINDOWS\Downloaded Program Files\unagiuninst.exe
- 2004-08-04 07:56:48 15,360 -c--a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
+ 2007-12-29 04:36:09 15,360 -c--a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
- 2006-12-12 16:45:04 1,474,864 ----a-w C:\WINDOWS\system32\LegitCheckControl.DLL
+ 2007-10-11 20:12:48 1,468,968 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll
- 2007-03-06 01:22:33 14,048 ------w C:\WINDOWS\system32\spmsg.dll
+ 2007-10-08 20:46:18 14,640 ------w C:\WINDOWS\system32\spmsg.dll
.
(((((((((((((((((((((((((((((((((((((((((((((   AWF   ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" []
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~4.exe" [2007-08-30 17:43]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 01:56 C:\WINDOWS\system32\rundll32.exe]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-12-28 22:36]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 01:56 C:\WINDOWS\system32\rundll32.exe]
"DIAGENT"="C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.exe" []
"UpdReg"="C:\WINDOWS\Updreg.exe" []
"AHQInit"="C:\Program Files\Creative\SBLive\Program\AHQInit.exe" []
"MoneyStartUp10.0"="C:\Program Files\Microsoft Money\System\Activation.exe" []
"nwiz"="nwiz.exe" [2003-10-06 13:16 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 01:56 C:\WINDOWS\system32\rundll32.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" []
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" []

C:\Documents and Settings\Patti Hawkins\Start Menu\Programs\Startup\
Event Reminder.lnk - C:\pmw\PMREMIND.EXE [1997-10-24 10:01:33]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 00:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-29 21:12:28 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-29 15:12:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-29 15:15:09 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-28 13:56
.
2007-12-28 00:12:02 --- E O F ---

1
2
3
4

View All

No Events found!

Virus & Spyware

Was this post helpful?