Need help with Virtumonde removal

[hobbes]

One of my PCs appears to be infected with Virtumonde and other viruses. I did what was stated in the top post in this forum. Below are my logs from the Kaspersky and HJT scans. When I was in safe mode running Spybot S&D it would find Virtumonde and I would fix selected problems but the next time I would run S&D it would find it again. I did this 3 times.

Thanks in advance for help with this.

tom.


Note: The Kaspersky log would not fit in 2 posts (It was over 61000 characters large) so I will only paste the beginning of the log. Let me know how I can get the entire log to you.
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, October 24, 2007 6:46:19 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 24/10/2007
Kaspersky Anti-Virus database records: 443579
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 97156
Number of viruses found: 66
Number of infected objects: 368
Number of suspicious objects: 0
Duration of the scan process: 01:17:00

Infected Object Name / Virus Name / Last Action
C:\check_LSA7.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Long slow road itch\Four Ford.exe Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\Juliana\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Juliana\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Juliana\History\History.IE5\MSHist012007102420071025\index.dat Object is locked skipped
C:\Documents and Settings\Juliana\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Juliana\Local Settings\Application Data\AOL OCP\AIM\Storage\data\smallfry2348\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Juliana\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.3204510e.ini.inuse Object is locked skipped
C:\Documents and Settings\Juliana\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\Juliana\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Juliana\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Juliana\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\Juliana\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\Juliana\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\Juliana\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\Juliana\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\Juliana\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\Juliana\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\Juliana\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\Juliana\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Juliana\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Juliana\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\Juliana\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\Juliana\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\Juliana\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\Juliana\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\Juliana\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.cdx Object is locked skipped
C:\Documents and Settings\Juliana\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.dbf Object is locked skipped
C:\Documents and Settings\Juliana\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Juliana\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Juliana\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\Juliana\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\Juliana\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Juliana\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Juliana\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Juliana\Local Settings\Temp\ICD2.tmp\f3Setup1.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.aw skipped
C:\Documents and Settings\Juliana\Local Settings\Temp\lgprlgtu.exe Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\Juliana\Local Settings\Temp\phewmrnv.exe Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\Juliana\Local Settings\Temp\Temporary Directory 1 for diner dash flo on the go LimeWire Download Accelerator_all.zip\LimeWire Download Accelerator.exe/data0006 Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\Juliana\Local Settings\Temp\Temporary Directory 1 for diner dash flo on the go LimeWire Download Accelerator_all.zip\LimeWire Download Accelerator.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Juliana\Local Settings\Temp\Temporary Directory 2 for diner dash flo on the go LimeWire Download Accelerator_all.zip\LimeWire Download Accelerator.exe/data0006 Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\Juliana\Local Settings\Temp\Temporary Directory 2 for diner dash flo on the go LimeWire Download Accelerator_all.zip\LimeWire Download Accelerator.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Juliana\Local Settings\Temp\~DF2C42.tmp Object is locked skipped
C:\Documents and Settings\Juliana\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Juliana\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Juliana\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Juliana\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\WinTouch\WTUninstaller.exe Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\01234567\acdt-pid70[1].exe/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\01234567\acdt-pid70[1].exe NSIS: infected - 1 skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\01234567\wr-1-2000201[1].exe Infected: Trojan-Downloader.Win32.Small.fxy skipped


The rest of the Kaspersky log has been left out because of its size.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:35:36 AM, on 10/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\aol\aim toolbar 5.0\AolTbServer.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\hmmtwyhi.dll",sitypnow
O4 - HKLM\..\Run: [ROAD ITCH AMOK PING] C:\Documents and Settings\All Users\Application Data\Long slow road itch\Four Ford.exe
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [My Web Search Community Tools] "C:\Program Files\MyWebSearch\bar\1.bin\m3IMPipe.exe"
O4 - HKCU\..\Run: [deleteone] C:\DOCUME~1\Juliana\APPLIC~1\VGADUM~1\16 Mail Real.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\Run: [Noodmvts] C:\WINDOWS\system32\??crosoft\n?tdde.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Noodmvts] C:\WINDOWS\system32\??crosoft\n?tdde.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Pavilion Webcam Tray Icon.lnk = C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - ?p=ZSzim029YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.shockwave.com/content/din...2.1.0.0.67.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/sof...iveXPlugin.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://www.shockwave.com/content/din...g.1.0.0.33.cab
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Catalyst Installer (wcimsvc) - Unknown owner - C:\WINDOWS\system\wcisvc.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\InstallShield Installation Information\divoqynol.html

--
End of file - 10883 bytes

[Shaba]

Hi hobbes

Rename HijackThis.exe to hobbes.exe and post back a fresh HijackThis log, please

[hobbes]

Thanks for the quick reply. I renamed HijackThis.exe to hobbes.exe. This is the new log.

tom.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:14:07 PM, on 10/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Trend Micro\HijackThis\hobbes.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {232D28C5-80AA-4521-806B-2DD7D20DE890} - C:\WINDOWS\system32\ddaby.dll
O2 - BHO: (no name) - {29CAB3E1-7D84-49CC-8A2F-A970472A1B6E} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {837B45D6-BF85-457D-AABF-6D2E7815F791} - (no file)
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\ikmdcwph.dll
O2 - BHO: BndDrive2 BHO Class - {8FB5B012-E8CB-46cd-B6D2-ED428FAE9043} - C:\Program Files\ISM\BndDrive5.dll
O2 - BHO: (no name) - {CEF54497-1F79-49ED-8B59-97E68E9CE83F} - (no file)
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\hmmtwyhi.dll",sitypnow
O4 - HKLM\..\Run: [ROAD ITCH AMOK PING] C:\Documents and Settings\All Users\Application Data\Long slow road itch\Four Ford.exe
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [My Web Search Community Tools] "C:\Program Files\MyWebSearch\bar\1.bin\m3IMPipe.exe"
O4 - HKCU\..\Run: [deleteone] C:\DOCUME~1\Juliana\APPLIC~1\VGADUM~1\16 Mail Real.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\Run: [Noodmvts] C:\WINDOWS\system32\??crosoft\n?tdde.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Noodmvts] C:\WINDOWS\system32\??crosoft\n?tdde.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Pavilion Webcam Tray Icon.lnk = C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - ?p=ZSzim029YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.shockwave.com/content/din...2.1.0.0.67.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/sof...iveXPlugin.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://www.shockwave.com/content/din...g.1.0.0.33.cab
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Catalyst Installer (wcimsvc) - Unknown owner - C:\WINDOWS\system\wcisvc.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\InstallShield Installation Information\divoqynol.html

--
End of file - 11801 bytes

[Shaba]

Hi

We need to temporarily disable TeaTimer that it doesn't intefere with fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

After that:

1. Download combofix from one of these links:
Link1
Link2
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Please Download NoLop to your desktop from one of the links below...
Link 1
Link 2
Link 3

• First close any other programs you have running as this will require a reboot
• Double click NoLop.exe to run it.
• Now click the button labelled "Search and Destroy"
  <<your computer will now be scanned for infected files>>
• When scanning is finished you will be prompted to reboot only if infected, Click OK
• Now click the "REBOOT" Button.
• A Message should popup from NoLop. If not, double click the program again and it will finish Please Post the contents of C:\NoLop.log along with a fresh HijackThis log

--If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program.--

Post:

- a fresh HijackThis log
- combofix report
- nolop.log

[hobbes]

Shaba,

I ran ComboFix per the instructions and it scanned the computer and then automatically rebooted. During the reboot I saw the ComboFix window that stated that the log file was being created and then the computer froze. I waited 15 minutes with no harddrive activity and then manually rebooted the PC. I ran ComboFix again after the reboot but first saved the partial log from the first run. I pasted both the first partial log and the second complete log below.

tom.


First ComboFix log (partial)

ComboFix 07-10-23.1 - Juliana 2007-10-25 6:37:49.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.553 [GMT -4:00]
Running from: C:\Documents and Settings\Juliana\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\Documents and Settings\LocalService\Application Data\WinTouch
C:\Documents and Settings\LocalService\Application Data\WinTouch\config.cfg.c3d8d9a8e54600782eb6b29b5810715f
C:\Documents and Settings\LocalService\Application Data\WinTouch\wintouch.cfg
C:\Documents and Settings\LocalService\Application Data\WinTouch\WTUninstaller.exe
C:\Documents and Settings\LocalService\Start Menu\Programs\Outerinfo
C:\Documents and Settings\LocalService\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\LocalService\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\Insider
C:\Program Files\InstallShield Installation Information\divoqynol.html
C:\Program Files\ISM
C:\Program Files\ISM\BndDrive5.dll
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\ISM2
C:\Program Files\ISM2\dictionary.gz
C:\Program Files\ISM2\targets.gz
C:\Program Files\Words
C:\Program Files\Words\list.txt
C:\WINDOWS\b104.exe
C:\WINDOWS\b111.exe
C:\WINDOWS\b148.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\afigttwq.exe
C:\WINDOWS\system32\bfvugvxt.dll
C:\WINDOWS\system32\bsxykuen.ini
C:\WINDOWS\system32\cbtinxms.ini
C:\WINDOWS\system32\crosof~1
C:\WINDOWS\system32\crosof~1\n?tdde.exe
C:\WINDOWS\system32\cubyknjc.exe
C:\WINDOWS\system32\cwkxssoc.exe
C:\WINDOWS\system32\ddaby.dll
C:\WINDOWS\system32\dobe~1
C:\WINDOWS\system32\dobe~1\?dobe\
C:\WINDOWS\system32\emxpbqho.exe
C:\WINDOWS\system32\goemawtw.dll
C:\WINDOWS\system32\gxxcvoyq.exe
C:\WINDOWS\system32\hmuklrta.exe
C:\WINDOWS\system32\ifflfokx.exe
C:\WINDOWS\system32\ikmdcwph.dll
C:\WINDOWS\system32\ikwwxerb.exe
C:\WINDOWS\system32\iuquvrxu.exe
C:\WINDOWS\system32\iwbpcwfx.exe
C:\WINDOWS\system32\jdpuaupu.exe
C:\WINDOWS\system32\kxnsoisj.exe
C:\WINDOWS\system32\mclppxdc.exe
C:\WINDOWS\system32\msquyktt.dll
C:\WINDOWS\system32\mtowslgu.ini
C:\WINDOWS\system32\neukyxsb.dll
C:\WINDOWS\system32\nfxromik.exe
C:\WINDOWS\system32\nnnkkii.dll
C:\WINDOWS\system32\nxxjytvv.exe
C:\WINDOWS\system32\otblymog.exe
C:\WINDOWS\system32\rdmchhbv.dll
C:\WINDOWS\system32\rqrrpnk.dll
C:\WINDOWS\system32\rryfbmbe.exe
C:\WINDOWS\system32\rsbkchya.exe
C:\WINDOWS\system32\smxnitbc.dll
C:\WINDOWS\system32\ttkyuqsm.ini
C:\WINDOWS\system32\txvguvfb.ini
C:\WINDOWS\system32\uglswotm.dll
C:\WINDOWS\system32\vbhhcmdr.ini
C:\WINDOWS\system32\wfmqkqoc.exe
C:\WINDOWS\system32\wjrcrfpq.exe
C:\WINDOWS\system32\wnsintit.exe
C:\WINDOWS\system32\wtwameog.ini
C:\WINDOWS\system32\wvurolm.dll
C:\WINDOWS\system32\xoslffdv.exe
C:\WINDOWS\system32\xotallsx.dll
C:\WINDOWS\system32\xsllatox.ini
C:\WINDOWS\system32\xtgwoace.exe
C:\WINDOWS\system32\ybadd.ini
C:\WINDOWS\system32\ybadd.ini2
C:\WINDOWS\system32\yinyncdv.exe
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2007-09-25 to 2007-10-25 )))))))))))))))))))))))))))))))
.

Second ComboFix log

ComboFix 07-10-23.1 - Juliana 2007-10-25 7:02:57.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.563 [GMT -4:00]
Running from: C:\Documents and Settings\Juliana\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\check_LSA7.txt
C:\Documents and Settings\LocalService\Application Data\WinTouch
C:\Documents and Settings\LocalService\Application Data\WinTouch\config.cfg.c3d8d9a8e54600782eb6b29b5810715f
C:\Documents and Settings\LocalService\Application Data\WinTouch\wintouch.cfg
C:\Documents and Settings\LocalService\Application Data\WinTouch\WTUninstaller.exe
C:\Documents and Settings\LocalService\Start Menu\Programs\Outerinfo
C:\Documents and Settings\LocalService\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\LocalService\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\Insider
C:\Program Files\InstallShield Installation Information\divoqynol.html
C:\Program Files\ISM
C:\Program Files\ISM\BndDrive5.dll
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\ISM2
C:\Program Files\ISM2\dictionary.gz
C:\Program Files\ISM2\targets.gz
C:\Program Files\Words
C:\Program Files\Words\list.txt
C:\WINDOWS\b104.exe
C:\WINDOWS\b111.exe
C:\WINDOWS\b148.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\afigttwq.exe
C:\WINDOWS\system32\bfvugvxt.dll
C:\WINDOWS\system32\bsxykuen.ini
C:\WINDOWS\system32\cbtinxms.ini
C:\WINDOWS\system32\crosof~1
C:\WINDOWS\system32\crosof~1\n?tdde.exe
C:\WINDOWS\system32\cubyknjc.exe
C:\WINDOWS\system32\cwkxssoc.exe
C:\WINDOWS\system32\ddaby.dll
C:\WINDOWS\system32\dobe~1
C:\WINDOWS\system32\dobe~1\?dobe\
C:\WINDOWS\system32\emxpbqho.exe
C:\WINDOWS\system32\goemawtw.dll
C:\WINDOWS\system32\gxxcvoyq.exe
C:\WINDOWS\system32\hmuklrta.exe
C:\WINDOWS\system32\ifflfokx.exe
C:\WINDOWS\system32\ikmdcwph.dll
C:\WINDOWS\system32\ikwwxerb.exe
C:\WINDOWS\system32\iuquvrxu.exe
C:\WINDOWS\system32\iwbpcwfx.exe
C:\WINDOWS\system32\jdpuaupu.exe
C:\WINDOWS\system32\kxnsoisj.exe
C:\WINDOWS\system32\mclppxdc.exe
C:\WINDOWS\system32\msquyktt.dll
C:\WINDOWS\system32\mtowslgu.ini
C:\WINDOWS\system32\neukyxsb.dll
C:\WINDOWS\system32\nfxromik.exe
C:\WINDOWS\system32\nnnkkii.dll
C:\WINDOWS\system32\nxxjytvv.exe
C:\WINDOWS\system32\otblymog.exe
C:\WINDOWS\system32\rdmchhbv.dll
C:\WINDOWS\system32\rqrrpnk.dll
C:\WINDOWS\system32\rryfbmbe.exe
C:\WINDOWS\system32\rsbkchya.exe
C:\WINDOWS\system32\smxnitbc.dll
C:\WINDOWS\system32\ttkyuqsm.ini
C:\WINDOWS\system32\txvguvfb.ini
C:\WINDOWS\system32\uglswotm.dll
C:\WINDOWS\system32\vbhhcmdr.ini
C:\WINDOWS\system32\wfmqkqoc.exe
C:\WINDOWS\system32\wjrcrfpq.exe
C:\WINDOWS\system32\wnsintit.exe
C:\WINDOWS\system32\wtwameog.ini
C:\WINDOWS\system32\wvurolm.dll
C:\WINDOWS\system32\xoslffdv.exe
C:\WINDOWS\system32\xotallsx.dll
C:\WINDOWS\system32\xsllatox.ini
C:\WINDOWS\system32\xtgwoace.exe
C:\WINDOWS\system32\ybadd.ini
C:\WINDOWS\system32\ybadd.ini2
C:\WINDOWS\system32\yinyncdv.exe
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR




((((((((((((((((((((((((( Files Created from 2007-09-25 to 2007-10-25 )))))))))))))))))))))))))))))))
.

2007-10-25 06:36 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-24 07:35 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-23 23:51 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-23 20:05 <DIR> d-------- C:\WINDOWS\CAVTemp
2007-10-23 07:02 26,787 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2007-10-23 06:54 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-10-23 06:54 <DIR> d-------- C:\Program Files\CA
2007-10-22 16:57 <DIR> d-------- C:\WINDOWS\pss
2007-10-22 00:13 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-10-11 03:04 <DIR> d-------- C:\WINDOWS\uzuf
2007-10-11 03:04 <DIR> d-------- C:\Program Files\Common Files\uzuf
2007-10-10 22:28 34,816 --a------ C:\WINDOWS\system32\ljjhfdd.dll
2007-10-10 20:51 34,816 --a------ C:\WINDOWS\system32\ddcbxxx.dll
2007-10-09 23:01 34,816 --a------ C:\WINDOWS\system32\cbxwxvs.dll
2007-10-09 20:54 34,816 --a------ C:\WINDOWS\system32\ljjhhfd.dll
2007-10-09 20:45 34,816 --a------ C:\WINDOWS\system32\xxyaaaw.dll
2007-10-09 16:37 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-08 17:58 34,816 --a------ C:\WINDOWS\system32\pmnoppp.dll
2007-10-08 02:46 <DIR> d-------- C:\Program Files\vga dumb license
2007-10-05 20:22 34,816 --a------ C:\WINDOWS\system32\opnmkkk.dll
2007-10-04 20:22 34,816 --a------ C:\WINDOWS\system32\ljjiijh.dll
2007-10-04 20:18 34,816 --a------ C:\WINDOWS\system32\iifgfgd.dll
2007-10-04 20:07 <DIR> d--hs---- C:\Documents and Settings\NetworkService\Temporary Internet Files
2007-10-04 20:07 <DIR> d--hs---- C:\Documents and Settings\NetworkService\History
2007-10-03 23:14 34,304 --a------ C:\WINDOWS\system32\xxyvusq.dll
2007-10-03 20:18 34,304 --a------ C:\WINDOWS\system32\ljjgdbb.dll
2007-10-02 23:27 34,304 --a------ C:\WINDOWS\system32\gebbxyx.dll
2007-10-02 20:25 34,304 --a------ C:\WINDOWS\system32\fccaxuu.dll
2007-10-02 20:18 34,304 --a------ C:\WINDOWS\system32\byxwxvv.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-25 10:57 --------- d-----w C:\Program Files\SP2 Connection Patcher
2007-10-25 10:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-23 11:02 879,832 ----a-w C:\WINDOWS\system32\drivers\VetEFile.sys
2007-10-23 11:02 108,360 ----a-w C:\WINDOWS\system32\drivers\VetEBoot.sys
2007-10-23 10:55 74,864 ----a-w C:\WINDOWS\system32\VetRedir.dll
2007-10-23 10:55 21,031 ----a-w C:\WINDOWS\system32\drivers\Vet-Filt.sys
2007-10-23 10:55 15,735 ----a-w C:\WINDOWS\system32\drivers\VetFDDNT.sys
2007-10-23 10:55 15,478 ----a-w C:\WINDOWS\system32\drivers\Vet-Rec.sys
2007-10-23 10:55 115,824 ----a-w C:\WINDOWS\UnVet32.exe
2007-10-23 10:55 111,728 ----a-w C:\WINDOWS\AVShlExt.dll
2007-10-23 10:51 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-23 10:06 --------- d-----w C:\Program Files\Google
2007-10-23 02:37 --------- d-----w C:\Program Files\Yahoo!
2007-10-23 00:23 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-23 00:23 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-23 00:22 --------- d-----w C:\Program Files\HP
2007-10-17 00:23 --------- d-----w C:\Documents and Settings\Juliana\Application Data\LimeWire
2007-10-07 22:32 --------- d-----w C:\Program Files\AIM6
2007-10-07 22:25 --------- d-----w C:\Program Files\Viewpoint
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-20 10:04 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-08-17 07:34 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2007-07-27 04:30 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-06-28 20:24 272 ----a-w C:\Documents and Settings\Juliana\Application Data\wklnhst.dat
2005-09-24 15:49 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{29CAB3E1-7D84-49CC-8A2F-A970472A1B6E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CEF54497-1F79-49ED-8B59-97E68E9CE83F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QOELOADER"="C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe" [2007-10-23 06:55]
"CaAvTray"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe" [2007-10-23 06:55]
"CAVRID"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [2007-10-23 06:55]
"Zone Labs Client"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe" [2005-01-26 03:43]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 01:22]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07]
"ROAD ITCH AMOK PING"="C:\Documents and Settings\All Users\Application Data\Long slow road itch\Four Ford.exe" [2007-10-23 23:17]
"Reminder"="C:\Windows\CREATOR\Remind_XP.exe" [2006-02-09 12:52]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 13:23]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-01-30 22:01]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-07-19 18:14]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 14:33]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 19:30]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 19:30]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-22 16:17]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-22 16:17]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-22 16:13]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 01:58]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 02:11]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 11:02 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" []
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 00:56]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 13:50]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" []
"SP2 Connection Patcher"="C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" [2005-07-11 07:51]
"deleteone"="C:\DOCUME~1\Juliana\APPLIC~1\VGADUM~1\16 Mail Real.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-16 00:00]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-09-29 16:22]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Noodmvts"=C:\WINDOWS\system32\??crosoft\n?tdde.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate"=3 (0x3)
"gusvc"=2 (0x2)
"GoogleDesktopManager"=3 (0x3)
"comHost"=3 (0x3)
"ccISPwdSvc"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)

R3 SNP2UVC;USB2.0 PC Camera (SNP2UVC);C:\WINDOWS\system32\DRIVERS\snp2uvc.sys
S2 wcimsvc;Windows Catalyst Installer;"C:\WINDOWS\system\wcisvc.exe"
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;C:\WINDOWS\system32\Drivers\5U870CAP.sys

.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-25 07:05:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ????^??????`?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-25 7:07:09
.
--- E O F ---




NoLop and HijackThis logs will be in the next post...

[hobbes]

Continuation of previous post...



NoLop! Log by Skate_Punk_21

Fix running from: C:\Documents and Settings\Juliana\Desktop
[10/25/2007]
[7:11:30 AM]

---Infection Files Found/Removed---
NO INFECTION FILES FOUND - Cleaning Aborted.

---Listing AppData sub directories---

C:\Documents and Settings\Administrator\Application Data\Identities
C:\Documents and Settings\Administrator\Application Data\Intuit
C:\Documents and Settings\Administrator\Application Data\Macromedia
C:\Documents and Settings\Administrator\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\16 New Ping Long -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Aol
C:\Documents and Settings\All Users\Application Data\Aol Downloads
C:\Documents and Settings\All Users\Application Data\Aol Ocp
C:\Documents and Settings\All Users\Application Data\Ca
C:\Documents and Settings\All Users\Application Data\Cyberlink
C:\Documents and Settings\All Users\Application Data\Digstream
C:\Documents and Settings\All Users\Application Data\Google
C:\Documents and Settings\All Users\Application Data\Hp
C:\Documents and Settings\All Users\Application Data\Installshield
C:\Documents and Settings\All Users\Application Data\Intuit
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
C:\Documents and Settings\All Users\Application Data\Long Slow Road Itch
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Playfirst
C:\Documents and Settings\All Users\Application Data\Sbsi
C:\Documents and Settings\All Users\Application Data\Sonic
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users\Application Data\Trymedia
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\All Users\Application Data\Wildtangent
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\Default User\Application Data\Identities
C:\Documents and Settings\Default User\Application Data\Intuit
C:\Documents and Settings\Default User\Application Data\Macromedia
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Juliana\Application Data\Acccore
C:\Documents and Settings\Juliana\Application Data\Adobe
C:\Documents and Settings\Juliana\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\Juliana\Application Data\Cyberlink
C:\Documents and Settings\Juliana\Application Data\Google
C:\Documents and Settings\Juliana\Application Data\Hp
C:\Documents and Settings\Juliana\Application Data\Identities
C:\Documents and Settings\Juliana\Application Data\Intuit
C:\Documents and Settings\Juliana\Application Data\Leadertech
C:\Documents and Settings\Juliana\Application Data\Limewire
C:\Documents and Settings\Juliana\Application Data\Macromedia
C:\Documents and Settings\Juliana\Application Data\Microsoft
C:\Documents and Settings\Juliana\Application Data\Mozilla
C:\Documents and Settings\Juliana\Application Data\Netscape
C:\Documents and Settings\Juliana\Application Data\Playfirst
C:\Documents and Settings\Juliana\Application Data\Real
C:\Documents and Settings\Juliana\Application Data\Sonic
C:\Documents and Settings\Juliana\Application Data\Sun
C:\Documents and Settings\Juliana\Application Data\Talkback
C:\Documents and Settings\Juliana\Application Data\Template
C:\Documents and Settings\Juliana\Application Data\Viewpoint
C:\Documents and Settings\Juliana\Application Data\Wildtangent
C:\Documents and Settings\Localservice\Application Data\Google -- EMPTY Directory
C:\Documents and Settings\Localservice\Application Data\Macromedia
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Microsoft






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:17:18 AM, on 10/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\hobbes.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {29CAB3E1-7D84-49CC-8A2F-A970472A1B6E} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {CEF54497-1F79-49ED-8B59-97E68E9CE83F} - (no file)
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [ROAD ITCH AMOK PING] C:\Documents and Settings\All Users\Application Data\Long slow road itch\Four Ford.exe
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [deleteone] C:\DOCUME~1\Juliana\APPLIC~1\VGADUM~1\16 Mail Real.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\Run: [Noodmvts] C:\WINDOWS\system32\??crosoft\n?tdde.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Noodmvts] C:\WINDOWS\system32\??crosoft\n?tdde.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Pavilion Webcam Tray Icon.lnk = C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - ?p=ZSzim029YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.shockwave.com/content/din...2.1.0.0.67.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/sof...iveXPlugin.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://www.shockwave.com/content/din...g.1.0.0.33.cab
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Catalyst Installer (wcimsvc) - Unknown owner - C:\WINDOWS\system\wcisvc.exe (file missing)

--
End of file - 10967 bytes

[Shaba]

Hi

Much better

Open HijackThis, click do a system scan only and checkmark these:

O23 - Service: Windows Catalyst Installer (wcimsvc) - Unknown owner - C:\WINDOWS\system\wcisvc.exe (file missing)

Close all windows including browser and press fix checked.

Reboot.

Open notepad and copy/paste the text in the quotebox below into it:

Code:

File::
C:\WINDOWS\system32\ljjhfdd.dll
C:\WINDOWS\system32\ddcbxxx.dll
C:\WINDOWS\system32\cbxwxvs.dll
C:\WINDOWS\system32\ljjhhfd.dll
C:\WINDOWS\system32\xxyaaaw.dll
C:\WINDOWS\system32\pmnoppp.dll
C:\WINDOWS\system32\opnmkkk.dll
C:\WINDOWS\system32\ljjiijh.dll
C:\WINDOWS\system32\iifgfgd.dll
C:\WINDOWS\system32\xxyvusq.dll
C:\WINDOWS\system32\ljjgdbb.dll
C:\WINDOWS\system32\gebbxyx.dll
C:\WINDOWS\system32\fccaxuu.dll
C:\WINDOWS\system32\byxwxvv.dll

Folder::
C:\Documents and Settings\All Users\Application Data\16 New Ping Long
C:\Documents and Settings\All Users\Application Data\Long Slow Road Itch
C:\WINDOWS\uzuf
C:\Program Files\Common Files\uzuf
C:\Program Files\vga dumb license

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{29CAB3E1-7D84-49CC-8A2F-A970472A1B6E}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CEF54497-1F79-49ED-8B59-97E68E9CE83F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ROAD ITCH AMOK PING"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"deleteone"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Noodmvts"=-

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

[hobbes]

Shaba,

Thanks again for working on this for me. Below are the ComboFix and HijackThis logs.


ComboFix 07-10-23.1 - Juliana 2007-10-25 17:07:23.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.566 [GMT -4:00]
Running from: C:\Documents and Settings\Juliana\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Juliana\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\byxwxvv.dll
C:\WINDOWS\system32\cbxwxvs.dll
C:\WINDOWS\system32\ddcbxxx.dll
C:\WINDOWS\system32\fccaxuu.dll
C:\WINDOWS\system32\gebbxyx.dll
C:\WINDOWS\system32\iifgfgd.dll
C:\WINDOWS\system32\ljjgdbb.dll
C:\WINDOWS\system32\ljjhfdd.dll
C:\WINDOWS\system32\ljjhhfd.dll
C:\WINDOWS\system32\ljjiijh.dll
C:\WINDOWS\system32\opnmkkk.dll
C:\WINDOWS\system32\pmnoppp.dll
C:\WINDOWS\system32\xxyaaaw.dll
C:\WINDOWS\system32\xxyvusq.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\16 New Ping Long
C:\Documents and Settings\All Users\Application Data\Long Slow Road Itch
C:\Documents and Settings\All Users\Application Data\Long Slow Road Itch\Four Ford.exe
C:\Program Files\Common Files\uzuf
C:\Program Files\Common Files\uzuf\uzufa.lck
C:\Program Files\Common Files\uzuf\uzufd\class-barrel
C:\Program Files\Common Files\uzuf\uzufd\vocabulary
C:\Program Files\Common Files\uzuf\uzufl.lck
C:\Program Files\Common Files\uzuf\uzufm.lck
C:\Program Files\vga dumb license
C:\WINDOWS\system32\byxwxvv.dll
C:\WINDOWS\system32\cbxwxvs.dll
C:\WINDOWS\system32\ddcbxxx.dll
C:\WINDOWS\system32\fccaxuu.dll
C:\WINDOWS\system32\gebbxyx.dll
C:\WINDOWS\system32\iifgfgd.dll
C:\WINDOWS\system32\ljjgdbb.dll
C:\WINDOWS\system32\ljjhfdd.dll
C:\WINDOWS\system32\ljjhhfd.dll
C:\WINDOWS\system32\ljjiijh.dll
C:\WINDOWS\system32\opnmkkk.dll
C:\WINDOWS\system32\pmnoppp.dll
C:\WINDOWS\system32\xxyaaaw.dll
C:\WINDOWS\system32\xxyvusq.dll
C:\WINDOWS\uzuf
C:\WINDOWS\uzuf\uzuf.dat
C:\WINDOWS\uzuf\wu

.
((((((((((((((((((((((((( Files Created from 2007-09-25 to 2007-10-25 )))))))))))))))))))))))))))))))
.

2007-10-25 07:11 212 --a------ C:\delete.bat
2007-10-25 06:36 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-24 07:35 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-23 23:51 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-23 20:05 <DIR> d-------- C:\WINDOWS\CAVTemp
2007-10-23 07:02 26,787 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2007-10-23 06:54 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-10-23 06:54 <DIR> d-------- C:\Program Files\CA
2007-10-22 16:57 <DIR> d-------- C:\WINDOWS\pss
2007-10-22 00:13 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-10-09 16:37 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-04 20:07 <DIR> d--hs---- C:\Documents and Settings\NetworkService\Temporary Internet Files
2007-10-04 20:07 <DIR> d--hs---- C:\Documents and Settings\NetworkService\History

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-25 21:12 --------- d-----w C:\Program Files\SP2 Connection Patcher
2007-10-25 10:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-23 11:02 879,832 ----a-w C:\WINDOWS\system32\drivers\VetEFile.sys
2007-10-23 11:02 108,360 ----a-w C:\WINDOWS\system32\drivers\VetEBoot.sys
2007-10-23 10:55 74,864 ----a-w C:\WINDOWS\system32\VetRedir.dll
2007-10-23 10:55 21,031 ----a-w C:\WINDOWS\system32\drivers\Vet-Filt.sys
2007-10-23 10:55 15,735 ----a-w C:\WINDOWS\system32\drivers\VetFDDNT.sys
2007-10-23 10:55 15,478 ----a-w C:\WINDOWS\system32\drivers\Vet-Rec.sys
2007-10-23 10:55 115,824 ----a-w C:\WINDOWS\UnVet32.exe
2007-10-23 10:55 111,728 ----a-w C:\WINDOWS\AVShlExt.dll
2007-10-23 10:51 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-23 10:06 --------- d-----w C:\Program Files\Google
2007-10-23 02:37 --------- d-----w C:\Program Files\Yahoo!
2007-10-23 00:23 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-23 00:23 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-23 00:22 --------- d-----w C:\Program Files\HP
2007-10-17 00:23 --------- d-----w C:\Documents and Settings\Juliana\Application Data\LimeWire
2007-10-07 22:32 --------- d-----w C:\Program Files\AIM6
2007-10-07 22:25 --------- d-----w C:\Program Files\Viewpoint
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-20 10:04 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-08-17 07:34 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2007-07-27 04:30 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-06-28 20:24 272 ----a-w C:\Documents and Settings\Juliana\Application Data\wklnhst.dat
2005-09-24 15:49 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QOELOADER"="C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe" [2007-10-23 06:55]
"CaAvTray"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe" [2007-10-23 06:55]
"CAVRID"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [2007-10-23 06:55]
"Zone Labs Client"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe" [2005-01-26 03:43]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 01:22]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07]
"Reminder"="C:\Windows\CREATOR\Remind_XP.exe" [2006-02-09 12:52]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 13:23]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-01-30 22:01]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-07-19 18:14]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 14:33]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 19:30]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 19:30]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-22 16:17]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-22 16:17]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-22 16:13]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 01:58]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 02:11]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 11:02 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" []
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 00:56]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 13:50]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" []
"SP2 Connection Patcher"="C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" [2005-07-11 07:51]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-16 00:00]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-09-29 16:22]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate"=3 (0x3)
"gusvc"=2 (0x2)
"GoogleDesktopManager"=3 (0x3)
"comHost"=3 (0x3)
"ccISPwdSvc"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)

R3 SNP2UVC;USB2.0 PC Camera (SNP2UVC);C:\WINDOWS\system32\DRIVERS\snp2uvc.sys
S2 wcimsvc;Windows Catalyst Installer;"C:\WINDOWS\system\wcisvc.exe"
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;C:\WINDOWS\system32\Drivers\5U870CAP.sys

.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-25 17:12:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ????^??????`?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-25 17:15:15 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-25 07:07
.
--- E O F ---



The HijackThis log will be in the next post...

[hobbes]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:17:14 PM, on 10/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Trend Micro\HijackThis\hobbes.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Pavilion Webcam Tray Icon.lnk = C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - ?p=ZSzim029YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.shockwave.com/content/din...2.1.0.0.67.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/sof...iveXPlugin.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://www.shockwave.com/content/din...g.1.0.0.33.cab
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Catalyst Installer (wcimsvc) - Unknown owner - C:\WINDOWS\system\wcisvc.exe (file missing)

--
End of file - 10447 bytes

[Shaba]

Hi

Re-scan with kaspersky

post:

- a fresh HijackThis log
- kaspersky report