Need help on virtumode,winantiviruspro200 and winsoftware.

S

soulfly626

New member
This came from nowhere while at lunch, I would greatly appreciate and help.

I did read the read before disclaimer :bigthumb:

Thanks.
 
Hi

Download and install TrendMicro HijackThis
* Once installed open HijackThis by clicking Start > Programs > HijackThis and click the button labeled
Do a system scan only

* Click the scan button in the lower left hand corner of the interface and HijackThis will quickly scan your system.
* Once the scan is complete the scan button will now read save log. Click this button to save the log file to your PC. Once you select where you would like to save the file it will open in your systems default text editor. Typically this application is Notepad. Post the log here.
 
I make sure everything is check off, I ran the scan and after it's done, when I hit the save log button it doesn't promt me to save the log in a folder or place.
 
here is my vundo log....I couldn't bet hijack to get me a log or I don't know where to find it.....the the file name? maybe I could do a file search....anyways...thanks for the help.


VundoFix V6.5.6

Checking Java version...

Scan started at 2:37:27 PM 7/30/2007

Listing files found while scanning....

C:\WINDOWS\system32\ttutv.bak1
C:\WINDOWS\system32\ttutv.bak2
C:\WINDOWS\system32\ttutv.ini
C:\WINDOWS\system32\ttutv.ini2
C:\WINDOWS\system32\ttutv.tmp
C:\WINDOWS\system32\vtutt.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ttutv.bak1
C:\WINDOWS\system32\ttutv.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ttutv.bak2
C:\WINDOWS\system32\ttutv.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ttutv.ini
C:\WINDOWS\system32\ttutv.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ttutv.ini2
C:\WINDOWS\system32\ttutv.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ttutv.tmp
C:\WINDOWS\system32\ttutv.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtutt.dll
C:\WINDOWS\system32\vtutt.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.6

Checking Java version...

Scan started at 3:11:59 PM 7/30/2007

Listing files found while scanning....
 
ComboFix 07-07-31 - "cem" 2007-07-30 17:02:34.1 [GMT -7:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True
* Created a new restore point


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\awtsq.dll
C:\WINDOWS\system32\ifxtegjd.dll
C:\WINDOWS\system32\iifffed.dll
C:\WINDOWS\system32\nnnmjih.dll
C:\WINDOWS\system32\ueailwep.dll
C:\WINDOWS\SYSTEM32\qstwa.bak1
C:\WINDOWS\SYSTEM32\qstwa.ini
C:\WINDOWS\system32\opnnlkh.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\temp\tn3
C:\WINDOWS\system32\b02FdUe
C:\WINDOWS\system32\G1
C:\WINDOWS\system32\G11
C:\WINDOWS\system32\G3
C:\WINDOWS\system32\G5
C:\WINDOWS\system32\G7
C:\WINDOWS\system32\win
C:\WINDOWS\wr.txt


((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-31 )))))))))))))))))))))))))))))))


2007-07-30 16:59 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-30 16:04 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-07-30 16:04 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2007-07-30 16:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-07-30 14:37 <DIR> d-------- C:\VundoFix Backups
2007-07-30 14:11 396,288 --a------ C:\Program Files\HijackThis.exe
2007-07-30 13:05 125,504 --a------ C:\WINDOWS\SYSTEM32\rtlsawgb.dll
2007-07-30 12:42 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-26 18:14 <DIR> d-------- C:\Program Files\Norton Internet Security
2007-07-26 17:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Symantec Temporary Files
2007-07-26 15:21 <DIR> d-------- C:\DOCUME~1\cem\.housecall6.6
2007-07-26 14:56 113,152 --a------ C:\WINDOWS\SYSTEM32\ncdmfcx.dll
2007-07-26 12:11 89,088 --a------ C:\WINDOWS\SYSTEM32\atl71.dll
2007-07-26 12:04 <DIR> d-------- C:\Temp\brr
2007-07-26 12:04 <DIR> d-------- C:\Temp\0c2
2007-07-26 12:04 <DIR> d-------- C:\Temp
2007-07-11 09:27 <DIR> d-------- C:\WINDOWS\SYSTEM32\appmgmt


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-30 16:36 --------- d-------- C:\Program Files\Viewpoint
2007-07-30 13:38 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-07-26 18:20 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-07-26 18:20 8014 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-07-26 18:20 48776 --a--c--- C:\WINDOWS\system32\S32EVNT1.DLL
2007-07-26 18:20 115000 --a--c--- C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-07-26 18:20 --------- d-------- C:\Program Files\Symantec
2007-07-26 17:46 --------- d-------- C:\Program Files\Norton AntiVirus
2007-05-16 08:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D10E906-E391-485F-96C6-739A9ED9A01C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7D3A3599-9FB5-4520-99CE-8293386E8314}]
C:\WINDOWS\system32\sstqo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8346856F-6EB0-472C-8A9C-70941CB63ACD}]
C:\WINDOWS\system32\vtutt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-12-18 01:20]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2006-01-17 14:03]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-06-04 19:05]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-06-25 22:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\cem\Start Menu\Programs\Startup\
DESKTOP.INI [2004-03-20 10:58:38]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cenlpdstatus.exe [2004-03-01 13:24:00]
DESKTOP.INI [2004-03-20 10:58:38]

R1 SRTSP;SRTSP;C:\WINDOWS\system32\Drivers\SRTSP.SYS
R1 SRTSPX;SRTSPX;C:\WINDOWS\system32\Drivers\SRTSPX.SYS
R2 CenLPD;CenLPD;C:\Program Files\Century\TinyTERM\NetUtils\Cenlpd.exe
R2 dsunidrv;DellSupport UniDriver;C:\WINDOWS\system32\DRIVERS\dsunidrv.sys
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver;C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
S3 DSproct;DSproct;\??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
S3 SRTSPL;SRTSPL;C:\WINDOWS\system32\Drivers\SRTSPL.SYS
S4 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys

*Newly Created Service* - COMHOST

Contents of the 'Scheduled Tasks' folder
2007-07-27 03:40:21 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-07-27 01:32:56 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - cem.job - C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-30 17:13:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\FE2DACC32FFC736428AAAAFB7320283D\Usage]
"Complete"=dword:36fe009a

scanning hidden files ...

**************************************************************************

Completion time: 2007-07-30 17:23:23 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-30 17:20
 
once again the reason I can't post hijack log is because I dont get this options "Once you select where you would like to save the file it will open in your systems default text editor. Typically this application is Notepad. Post the log here."
 
Hi

Well.. if you can't post hjt log then we need to use other way.

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post. in your reply
 
thanks for the help blade......I'll try to use that scanner and see what happens.

I did use the avg-anti adware and it help greatly. Here is the report.

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:44:44 AM 7/31/2007

+ Scan result:



C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP720\A0127670.exe -> Adware.SystemDoctor : Ignored.
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP720\A0127796.exe -> Adware.TTC : Ignored.
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP723\A0130146.dll -> Adware.TTC : Ignored.
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP723\A0130148.exe -> Downloader.VB.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP719\A0127476.exe -> Not-A-Virus.Downloader.Win32.WinFixer.x : Ignored.
C:\Documents and Settings\cem\Cookies\cem@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Documents and Settings\cem\Cookies\cem@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\cem\Cookies\cem@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\cem\Cookies\cem@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\cem\Cookies\cem@atdmt[3].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\cem\Cookies\cem@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\cem\Cookies\cem@doubleclick[3].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\cem\Cookies\cem@ehg-kasperskylab.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\cem\Cookies\cem@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\cem\Cookies\cem@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP719\A0127474.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP719\A0127475.exe -> Trojan.Small : Cleaned with backup (quarantined).


::Report end

I greatly appreciate everyone in here helping.

Thanks,
Soulfly.
 
here you go Blade,

Deckard's System Scanner v20070729.57
Run by cem on 2007-07-31 at 17:31:44
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
56: 2007-08-01 00:31:58 UTC - RP726 - Deckard's System Scanner Restore Point
55: 2007-07-31 00:02:08 UTC - RP725 - ComboFix created restore point
54: 2007-07-30 15:58:31 UTC - RP724 - System Checkpoint
53: 2007-07-27 01:34:27 UTC - RP723 - Norton Internet Security post configuration restore point
52: 2007-07-27 01:01:21 UTC - RP722 - Removed Norton WMI Update


-- First Restore Point --
1: 2007-05-01 19:25:25 UTC - RP671 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as cem.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:33:35 PM, on 7/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Century\TinyTERM\NetUtils\Cenlpd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\cem\Desktop\dss.exe
C:\PROGRA~1\cem.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0D10E906-E391-485F-96C6-739A9ED9A01C} - \
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {7D3A3599-9FB5-4520-99CE-8293386E8314} - C:\WINDOWS\system32\sstqo.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8346856F-6EB0-472C-8A9C-70941CB63ACD} - C:\WINDOWS\system32\vtutt.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Cenlpdstatus.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7BF1D39C-E6B6-4616-AB7E-E5656C118D54}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{7BF1D39C-E6B6-4616-AB7E-E5656C118D54}: NameServer = 192.168.1.1
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CenLPD - Unknown owner - C:\Program Files\Century\TinyTERM\NetUtils\Cenlpd.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 7007 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>

S3 catchme - c:\docume~1\cem\locals~1\temp\catchme.sys (file missing)
S3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CenLPD - c:\program files\century\tinyterm\netutils\cenlpd.exe <Not Verified; ; CenLPD Module>


-- Scheduled Tasks -------------------------------------------------------------

2007-07-26 20:40:21 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-07-26 18:32:56 618 --a------ C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - cem.job


-- Files created between 2007-06-30 and 2007-07-31 -----------------------------

2007-07-31 17:33:16 396288 --a------ C:\Program Files\cem.exe <Not Verified; Trend Micro Inc.; HijackThis>
2007-07-31 08:26:37 0 d-------- C:\Documents and Settings\cem\Application Data\Grisoft
2007-07-31 08:26:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-07-30 16:04:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-07-30 16:04:23 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-07-30 14:37:26 0 d-------- C:\VundoFix Backups
2007-07-30 14:11:28 396288 --a------ C:\Program Files\HijackThis.exe <Not Verified; Trend Micro Inc.; HijackThis>
2007-07-30 13:05:16 125504 --a------ C:\WINDOWS\system32\rtlsawgb.dll
2007-07-30 12:42:07 0 d-------- C:\Program Files\Trend Micro
2007-07-26 18:14:55 0 d-------- C:\Program Files\Norton Internet Security
2007-07-26 17:26:58 0 d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
2007-07-26 15:21:35 0 d-------- C:\Documents and Settings\cem\.housecall6.6
2007-07-26 14:56:36 113152 --a------ C:\WINDOWS\system32\ncdmfcx.dll <Not Verified; Century Software Inc. www.censoft.com; TinyTERM Series>
2007-07-26 12:04:16 0 d-------- C:\Temp
2007-07-11 09:27:41 0 d-------- C:\WINDOWS\system32\appmgmt


-- Find3M Report ---------------------------------------------------------------

2007-07-31 17:33:49 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-07-31 17:33:35 7008 --a------ C:\Program Files\hijackthis.log
2007-07-30 16:36:21 0 d-------- C:\Program Files\Viewpoint
2007-07-27 10:37:09 0 d-------- C:\Program Files\Common Files
2007-07-26 18:20:42 0 d-------- C:\Program Files\Symantec
2007-07-26 17:46:48 0 d-------- C:\Program Files\Norton AntiVirus
2007-07-26 13:50:20 0 d-------- C:\Program Files\Common Files\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D10E906-E391-485F-96C6-739A9ED9A01C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7D3A3599-9FB5-4520-99CE-8293386E8314}]
C:\WINDOWS\system32\sstqo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8346856F-6EB0-472C-8A9C-70941CB63ACD}]
C:\WINDOWS\system32\vtutt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [12/18/2004 01:20 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/27/2007 09:41 AM]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [01/17/2006 02:03 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [06/04/2007 07:05 PM]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [06/25/2007 10:00 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 02:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [01/19/2007 12:54 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\cem\Start Menu\Programs\Startup\
DESKTOP.INI [3/20/2004 10:58:38 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cenlpdstatus.exe [3/1/2004 1:24:00 PM]
DESKTOP.INI [3/20/2004 10:58:38 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

*Newly Created Service* - AVGASCLN
*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2007-07-31 at 17:34:38 ---------
 
Deckard's System Scanner v20070729.57
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 2.66GHz
Percentage of Memory in Use: 75%
Physical Memory (total/avail): 254 MiB / 61.66 MiB
Pagefile Memory (total/avail): 625 MiB / 323.5 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1969.04 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.21 GiB total, 21.49 GiB free.
D: is CDROM (No Media)


-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FW: Norton Internet Security v2007 (Symantec Corporation)
AV: Norton Internet Security v2007 (Symantec Corporation)

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\cem\Application Data
CLASSPATH=.;C:\Program Files\Java\j2re1.4.2\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DF1BLY41
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\cem
LOGONSERVER=\\DF1BLY41
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\j2re1.4.2\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\cem\LOCALS~1\Temp
TMP=C:\DOCUME~1\cem\LOCALS~1\Temp
USERDOMAIN=DF1BLY41
USERNAME=cem
USERPROFILE=C:\Documents and Settings\cem
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

cem (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Photoshop Album 2.0 Starter Edition --> MsiExec.exe /I{11B569C2-4BF6-4ED0-9D17-A4273943CB24}
Adobe Reader 6.0.2 CE --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-CEA000000001}
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
Apple Software Update --> MsiExec.exe /I{A260B422-70E1-41E2-957D-F76FA21266D5}
Art Explosion Label Factory Deluxe --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2CC982C0-7EAE-11D4-ACC3-0050568AD318}\setup.exe" -uninst
AV --> MsiExec.exe /I{F4DB525F-A986-4249-B98B-42A8066251CA}
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
ccCommon --> MsiExec.exe /I{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}
Dell Digital Jukebox Driver --> C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s
Dell Solution Center --> MsiExec.exe /X{11F1920A-56A2-4642-B6E0-3B31A12C9288}
DellSupport --> MsiExec.exe /X{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}
HijackThis 2.0.2 --> "C:\Program Files\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
hp LaserJet 4200 Uninstaller --> C:\Program Files\Hewlett-Packard\LJ4200\Uninstall\unhp.exe ciuninst.ini
HP LaserJet 8150 Uninstaller --> C:\Program Files\Hewlett-Packard\LaserJet 8150\Uninstall\setup.exe ciuninst.ini
IGN Download Manager 2.2.0 --> C:\Program Files\IGN\Download Manager\uninst.exe
Intel(R) Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
Internet Explorer Default Page --> MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}
iTunes --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{3CB41017-F5CA-4C56-934C-ED02156251E6}
Jasc Paint Shop Photo Album --> MsiExec.exe /I{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}
Jasc Paint Shop Pro 8 Dell Edition --> MsiExec.exe /I{81A34902-9D0B-4920-A25C-4CDC5D14B328}
Java 2 Runtime Environment, SE v1.4.2 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142000}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
LiveUpdate 3.2 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Encarta Encyclopedia Standard 2004 --> MsiExec.exe /I{04410044-9149-45C6-A806-F2BF9CFCE762}
Microsoft Money 2004 --> MsiExec.exe /I{1D643CD7-4DD6-11D7-A4E0-000874180BB3}
Microsoft Money 2004 System Pack --> MsiExec.exe /I{8C64E145-54BA-11D6-91B1-00500462BE80}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
MSRedist --> MsiExec.exe /I{B7C61755-DB48-4003-948F-3D34DB8EAF69}
Musicmatch® Jukebox --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8EF1122E-E90C-4EE9-AB0C-7FDE2BA42C26}\setup.exe" -l0x9 -uninst
NetUtils --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Century\TinyTERM\NetUtils\DeIsNetU.isu"
Norton AntiVirus --> MsiExec.exe /X{830D8CBD-C668-49E2-A969-C2C2106332E0}
Norton Confidential Browser Component --> MsiExec.exe /I{4843B611-8FCB-4428-8C23-31D0A5EAE164}
Norton Confidential Web Protection Component --> MsiExec.exe /I{D353CC51-430D-4C6F-9B7E-52003DA1E05A}
Norton Internet Security --> MsiExec.exe /I{48185814-A224-447A-81DA-71BD20580E1B}
Norton Internet Security --> MsiExec.exe /I{5AA2CD16-706F-41F3-87C5-2B5A031F2B3B}
Norton Internet Security --> MsiExec.exe /I{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}
Norton Internet Security --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton Internet Security (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{5AA2CD16-706F-41F3-87C5-2B5A031F2B3B}_10_4_0_13\{5AA2CD16-706F-41F3-87C5-2B5A031F2B3B}.exe" /X
Norton Protection Center --> MsiExec.exe /I{9A129ABC-A53A-4209-A21E-D5DEDFB7CCA8}
QuickTime --> MsiExec.exe /I{08094E03-AFE4-4853-9D31-6D0743DF5328}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Shockwave --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\Install.log
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Symantec Real Time Storage Protection Component --> MsiExec.exe /I{D6E6FA4A-5445-4850-8365-CF216C1CBB7A}
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
TinyTERM --> C:\Program Files\Century\TinyTERM\rem.exe P42 C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Century\TinyTERM\DeIsWpl.isu"
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WordPerfect Office 11 --> MsiExec.exe /I{54F90B55-BEB3-4F0D-8802-228822FA5921}


-- End of Deckard's System Scanner: finished at 2007-07-31 at 17:34:38 ---------
 
Hi


Open notepad and copy/paste the text in the quotebox below into it:

Code: 
File::
C:\WINDOWS\SYSTEM32\rtlsawgb.dll

Folder::
C:\VundoFix Backups
C:\Temp
C:\WINDOWS\SYSTEM32\appmgmt

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D10E906-E391-485F-96C6-739A9ED9A01C}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7D3A3599-9FB5-4520-99CE-8293386E8314}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8346856F-6EB0-472C-8A9C-70941CB63ACD}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]


Save this as
CFScript (overwrite previous one)


CFScript.gif


Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log. Run Deckard's System Scanner again and this time post contents of main.txt
 
ComboFix 07-07-31 - "cem" 2007-08-01 10:14:55.2 [GMT -7:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True
Command switches used :: C:\Documents and Settings\cem\Desktop\Report-Scan-20070731-094444.txt


((((((((((((((((((((((((( Files Created from 2007-07-01 to 2007-08-01 )))))))))))))))))))))))))))))))


2007-07-31 17:33 396,288 --a------ C:\Program Files\cem.exe
2007-07-31 17:31 <DIR> d-------- C:\Deckard
2007-07-31 08:26 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-07-30 17:37 22,112 -ra------ C:\WINDOWS\SYSTEM32\DRIVERS\COH_Mon.sys
2007-07-30 16:59 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-30 16:04 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-07-30 16:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-07-30 14:37 <DIR> d-------- C:\VundoFix Backups
2007-07-30 14:11 396,288 --a------ C:\Program Files\HijackThis.exe
2007-07-30 13:05 125,504 --a------ C:\WINDOWS\SYSTEM32\rtlsawgb.dll
2007-07-30 12:42 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-26 18:14 <DIR> d-------- C:\Program Files\Norton Internet Security
2007-07-26 17:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Symantec Temporary Files
2007-07-26 15:21 <DIR> d-------- C:\DOCUME~1\cem\.housecall6.6
2007-07-26 14:56 113,152 --a------ C:\WINDOWS\SYSTEM32\ncdmfcx.dll
2007-07-26 12:11 89,088 --a------ C:\WINDOWS\SYSTEM32\atl71.dll
2007-07-26 12:04 <DIR> d-------- C:\Temp\brr
2007-07-26 12:04 <DIR> d-------- C:\Temp\0c2
2007-07-26 12:04 <DIR> d-------- C:\Temp
2007-07-11 09:27 <DIR> d-------- C:\WINDOWS\SYSTEM32\appmgmt


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-31 17:33 7008 --a------ C:\Program Files\hijackthis.log
2007-07-31 17:33 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-07-30 16:36 --------- d-------- C:\Program Files\Viewpoint
2007-07-26 18:20 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-07-26 18:20 8014 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-07-26 18:20 48776 --a--c--- C:\WINDOWS\system32\S32EVNT1.DLL
2007-07-26 18:20 115000 --a--c--- C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-07-26 18:20 --------- d-------- C:\Program Files\Symantec
2007-07-26 17:46 --------- d-------- C:\Program Files\Norton AntiVirus
2007-05-16 08:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D10E906-E391-485F-96C6-739A9ED9A01C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7D3A3599-9FB5-4520-99CE-8293386E8314}]
C:\WINDOWS\system32\sstqo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8346856F-6EB0-472C-8A9C-70941CB63ACD}]
C:\WINDOWS\system32\vtutt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-12-18 01:20]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2006-01-17 14:03]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-06-04 19:05]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-06-25 22:00]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\cem\Start Menu\Programs\Startup\
DESKTOP.INI [2004-03-20 10:58:38]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cenlpdstatus.exe [2004-03-01 13:24:00]
DESKTOP.INI [2004-03-20 10:58:38]

R1 SRTSP;SRTSP;C:\WINDOWS\system32\Drivers\SRTSP.SYS
R1 SRTSPX;SRTSPX;C:\WINDOWS\system32\Drivers\SRTSPX.SYS
R2 CenLPD;CenLPD;C:\Program Files\Century\TinyTERM\NetUtils\Cenlpd.exe
R2 dsunidrv;DellSupport UniDriver;C:\WINDOWS\system32\DRIVERS\dsunidrv.sys
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver;C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
S3 DSproct;DSproct;\??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
S3 SRTSPL;SRTSPL;C:\WINDOWS\system32\Drivers\SRTSPL.SYS
S4 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys

*Newly Created Service* - COMHOST

Contents of the 'Scheduled Tasks' folder
2007-07-27 03:40:21 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-07-27 01:32:56 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - cem.job - C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-01 10:19:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-01 10:22:16
C:\ComboFix-quarantined-files.txt ... 2007-08-01 10:21
C:\ComboFix2.txt ... 2007-07-30 17:23

--- E O F ---
 
Deckard's System Scanner v20070729.57
Run by cem on 2007-08-01 at 10:28:14
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as cem.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:33:35 PM, on 7/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Century\TinyTERM\NetUtils\Cenlpd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\cem\Desktop\dss.exe
C:\PROGRA~1\cem.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0D10E906-E391-485F-96C6-739A9ED9A01C} - \
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {7D3A3599-9FB5-4520-99CE-8293386E8314} - C:\WINDOWS\system32\sstqo.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8346856F-6EB0-472C-8A9C-70941CB63ACD} - C:\WINDOWS\system32\vtutt.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Cenlpdstatus.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7BF1D39C-E6B6-4616-AB7E-E5656C118D54}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{7BF1D39C-E6B6-4616-AB7E-E5656C118D54}: NameServer = 192.168.1.1
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CenLPD - Unknown owner - C:\Program Files\Century\TinyTERM\NetUtils\Cenlpd.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 7007 bytes

-- Files created between 2007-07-01 and 2007-08-01 -----------------------------

2007-07-31 17:33:16 396288 --a------ C:\Program Files\cem.exe <Not Verified; Trend Micro Inc.; HijackThis>
2007-07-31 08:26:37 0 d-------- C:\Documents and Settings\cem\Application Data\Grisoft
2007-07-31 08:26:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-07-30 16:04:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-07-30 16:04:23 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-07-30 14:37:26 0 d-------- C:\VundoFix Backups
2007-07-30 14:11:28 396288 --a------ C:\Program Files\HijackThis.exe <Not Verified; Trend Micro Inc.; HijackThis>
2007-07-30 13:05:16 125504 --a------ C:\WINDOWS\system32\rtlsawgb.dll
2007-07-30 12:42:07 0 d-------- C:\Program Files\Trend Micro
2007-07-26 18:14:55 0 d-------- C:\Program Files\Norton Internet Security
2007-07-26 17:26:58 0 d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
2007-07-26 15:21:35 0 d-------- C:\Documents and Settings\cem\.housecall6.6
2007-07-26 14:56:36 113152 --a------ C:\WINDOWS\system32\ncdmfcx.dll <Not Verified; Century Software Inc. www.censoft.com; TinyTERM Series>
2007-07-26 12:04:16 0 d-------- C:\Temp
2007-07-11 09:27:41 0 d-------- C:\WINDOWS\system32\appmgmt


-- Find3M Report ---------------------------------------------------------------

2007-07-31 17:33:49 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-07-31 17:33:35 7008 --a------ C:\Program Files\hijackthis.log
2007-07-30 16:36:21 0 d-------- C:\Program Files\Viewpoint
2007-07-27 10:37:09 0 d-------- C:\Program Files\Common Files
2007-07-26 18:20:42 0 d-------- C:\Program Files\Symantec
2007-07-26 17:46:48 0 d-------- C:\Program Files\Norton AntiVirus
2007-07-26 13:50:20 0 d-------- C:\Program Files\Common Files\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D10E906-E391-485F-96C6-739A9ED9A01C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7D3A3599-9FB5-4520-99CE-8293386E8314}]
C:\WINDOWS\system32\sstqo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8346856F-6EB0-472C-8A9C-70941CB63ACD}]
C:\WINDOWS\system32\vtutt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [12/18/2004 01:20 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/27/2007 09:41 AM]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [01/17/2006 02:03 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [06/04/2007 07:05 PM]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [06/25/2007 10:00 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 02:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [01/19/2007 12:54 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\cem\Start Menu\Programs\Startup\
DESKTOP.INI [3/20/2004 10:58:38 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cenlpdstatus.exe [3/1/2004 1:24:00 PM]
DESKTOP.INI [3/20/2004 10:58:38 AM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2007-08-01 at 10:29:05 ---------
 
Command switches used :: C:\Documents and Settings\cem\Desktop\Report-Scan-20070731-094444.txt
Click to expand...
Hi

It looks like you didn't drag and drop right txt file to ComboFix. Could you please try again? Those instructions should be clear enough. Tell me if some part needs more explaining :)
 
You must log in or register to reply here.
Back
Top