Can't get rid of Virtumonde



nickerbocker
2007-08-25, 14:32
Hi and thanks in advance to anyone who can help! I've been going crazy for the past few days running Spybot to get rid of spyware, but Virtumonde's still with me, so I could really use some help.

I downloaded HijackThis and here are the results:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:11:23 AM, on 8/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ping.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://h2/
F2 - REG:system.ini: Shell=Explorer.exe svcroot.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ntsvc32.dll,
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [UIUCU] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [] mstdmc.exe
O4 - HKLM\..\Run: [svcroot] C:\WINDOWS\system32\svcroot.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA2285] command /c del "C:\WINDOWS\system32\ldcore.dll_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1633] cmd /c del "C:\WINDOWS\system32\ldcore.dll_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6601] command /c del "C:\WINDOWS\system32\ddabb.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2797] cmd /c del "C:\WINDOWS\system32\ddabb.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [svcroot] C:\WINDOWS\system32\svcroot.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB1885] command /c del "C:\WINDOWS\system32\ldcore.dll_tobedeleted_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD94] cmd /c del "C:\WINDOWS\system32\ldcore.dll_tobedeleted_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9511] command /c del "C:\WINDOWS\system32\ddabb.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD126] cmd /c del "C:\WINDOWS\system32\ddabb.dll_tobedeleted"
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsrngt.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - .DEFAULT Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsrngt.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsrngt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\omtsreco.exe
O23 - Service: OracleServiceXE - Oracle Corporation - c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
O23 - Service: OracleXEClrAgent - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\bin\OraClrAgnt.exe
O23 - Service: OracleXETNSListener - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8994 bytes

shelf life
2007-08-26, 04:43
hi nickerbocker,

looks like spybot was set to run at reboot, but didn't.
looks like you have a key logger on your computer. don't do anything that requires a password or anything financial or sensitive on websites or email -- it captures keystrokes and can email the results.

first we will use hjt, then boot into safe mode:

first hjt:
scan with HJT, put a checkmark beside the items below, close all windows and click fix checked.

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://h2/

F2 - REG:system.ini: Shell=Explorer.exe svcroot.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ntsvc32.dll,

O4 - HKLM\..\Run: [] mstdmc.exe

O4 - HKLM\..\Run: [svcroot] C:\WINDOWS\system32\svcroot.exe

O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
-----------------------------
do the next step in safe mode; you might want to copy/paste what follows into notepad and save it somewhere so you can read it in safe mode:

to reach safe mode you would tap the f8 key during a computer restart. choose the first option from the list, safe mode. once in safe mode navigate to the system32 dir and see if you can find and delete:
svcroot.exe

still in safe mode run spybot and your antivirus.
------------------------------
reboot computer normally, first stop is here:

F-secure scan:
http://support.f-secure.com/enu/home/ols.shtml

click on the "start scanning button" near bottom of page.
click to accept/install the ActiveX applet, click Full System Scan.
Once the download completes (may take a while), the scan will begin automatically.
The scan may take some time to finish.
When the scan completes, click the Automatic cleaning (recommended) button.

Click the Show Report button and Copy&Paste the entire report in your next reply.
---------------------
next stop is here:

Download SmitfraudFix (by S!Ri) to your Desktop:

http://siri.urz.free.fr/Fix/SmitfraudFix.zip


Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter

This program will scan large amounts of files on your computer for known patterns so please be patient while it works. It will create a file named: c:\rapport.txt

stop at this point and post the contents of the c:\rapport.txt.
-------------------------------
last stop:
please download, install, update and scan with super antispyware, follow the install wizard:
http://www.superantispyware.com/

after the above:
post the f-secure log, the log from smitfraud and a new hjt log

shelf life

nickerbocker
2007-08-29, 17:40
hi shelf life,
thanks for the quick response
i've been trying to follow the steps you gave me, but came across a couple of problems.
first, when i tried booting into safe mode the computer screen was just black, i couldn't access any files. so i booted into 'safe mode with networking' for that step instead. i hope that wouldn't have made an impact on the rest of the steps.
the second problem is that when i try to run the F-secure scan in normal mode, i keep getting an error while it's scanning. i've tried it repeatedly over the past couple of days and it never gets through the scan.
could i run the scan in safe mode with networking and achieve the same results as if it was in normal mode? if not, how should i proceed?

shelf life
2007-08-30, 02:06
hi nickerbocker,

when you boot into safe mode are you giving it enough time to get to the desktop? a couple of minutes maybe -- if so, then go ahead and boot into safe mode with networking but unplug your ethernet cable or unplug your modem after you are in safe mode.

we don't want an internet connection; in fact i would use your computer as little as possible until it's clean and keep the modem off when it's not in use.
-----------------------------------
you might want to copy/paste the rest of this into notepad and save it so you can read it in safe mode. it's a little different than last time

boot into safe mode with networking, then pull the plug on your modem or cable.
-----------------

ok now we are in safe mode:

1) if you haven't used hjt yet do this; or you can use it again and check for any of these below:

scan with HJT, put a checkmark beside the items below, close all windows and click fix checked.

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://h2/

F2 - REG:system.ini: Shell=Explorer.exe svcroot.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ntsvc32.dll,

O4 - HKLM\..\Run: [] mstdmc.exe

O4 - HKLM\..\Run: [svcroot] C:\WINDOWS\system32\svcroot.exe

O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll

2) to show all files do this:

For XP: on the desktop double click my computer, go to tools>folder options>view, then select "show hidden files and folders", then UNcheck "hide protected operating system files", also UNcheck "hide extensions for known file types", click apply to all folders, apply, then ok

3) using explorer (right click on start>explore) navigate to the system32 dir and delete the following:

in the system32 dir-- look for and see if you can delete:
svcroot.exe
ldcore.dll

4) while still in safe mode run your antivirus and spybot once.

5) plug the ethernet cable or modem back in and reboot the computer normally.

first stop:

download, install, update and scan with super antispyware:
http://www.superantispyware.com/

after the reboot, rescan and post a new hjt log.

shelf life

PS i hope you aren't using passwords or doing any financial transactions or anything sensitive on your computer. your keystrokes can be captured and emailed to somebody.
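
The HijackThis items shelf life lists for "fix checked" in the two posts above share one reasoning, which the posts do not spell out: on Windows XP the Winlogon Shell value should contain only explorer.exe and the UserInit value only userinit.exe, AppInit_DLLs should be empty, and a Run-key entry is worth a second look when it has a blank name, starts a program from a Temp directory, or points at the same file that has been added to those Winlogon values. The script below is an added example, not part of the thread and not code from HijackThis; it applies exactly those checks to a constructed subset of the log lines posted in this thread. The default values, the regular expressions and the function names (`split_entry`, `f2_extras`, `executable_of`, `triage`) are the example's own assumptions.

```python
import re

# Windows XP defaults for the two Winlogon values HijackThis reports as F2 lines.
# (Example assumptions; on other builds compare against a known-good machine.)
DEFAULT_SHELL = "explorer.exe"
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://h2/
F2 - REG:system.ini: Shell=Explorer.exe svcroot.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ntsvc32.dll,
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UIUCU] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S
O4 - HKLM\..\Run: [] mstdmc.exe
O4 - HKLM\..\Run: [svcroot] C:\WINDOWS\system32\svcroot.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsrngt.exe
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
RUN_RE = re.compile(r"^(.*?): \[(.*?)\] (.*)$")


def split_entry(line):
    """Return (code, body) for a HijackThis entry line such as 'O4 - ...', else None."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def f2_extras(body):
    """Winlogon Shell/UserInit line -> (which, [tokens beyond the known default])."""
    key, _, value = body.partition("=")
    which = key.split(":")[-1].strip().lower()          # 'REG:system.ini: Shell' -> 'shell'
    default = {"shell": DEFAULT_SHELL, "userinit": DEFAULT_USERINIT}.get(which)
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    return which, [t for t in tokens if t.lower() != default]


def executable_of(command):
    """Lower-cased file name of the program a Run-key command starts (handles quoted paths)."""
    if command.startswith('"'):
        exe = command[1:].split('"', 1)[0]
    else:
        parts = command.split()
        exe = parts[0] if parts else ""
    return exe.rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return [(code, finding)] for the entries a reviewer should look at first."""
    entries = [e for e in map(split_entry, log_text.splitlines()) if e]
    findings = []
    winlogon_extras = set()   # file names hooked into Shell/UserInit, for cross-referencing

    # Pass 1: loader points that should match a known default.
    for code, body in entries:
        if code == "F2":
            which, extras = f2_extras(body)
            for extra in extras:
                winlogon_extras.add(extra.rsplit("\\", 1)[-1].lower())
                findings.append((code, f"Winlogon {which} carries an extra loader: {extra}"))
        elif code == "O20":
            # AppInit_DLLs is empty on a clean install; anything listed is mapped into
            # every process that loads user32.dll, which is also why such a DLL is hard
            # to delete while Windows is running normally.
            dlls = [d for d in re.split(r"[,\s]+", body.partition(":")[2]) if d]
            if dlls:
                findings.append((code, "AppInit_DLLs is set: " + ", ".join(dlls)))

    # Pass 2: Run-key entries, judged on their own and against the pass-1 results.
    for code, body in entries:
        if code != "O4":
            continue
        m = RUN_RE.match(body)
        if not m:                      # Startup-folder lines use a different layout
            continue
        _, name, command = m.groups()
        reasons = []
        if not name:
            reasons.append("blank value name")
        if re.search(r"\\temp\\", command, re.IGNORECASE):
            reasons.append("starts a program from a Temp directory")
        if executable_of(command) in winlogon_extras:
            reasons.append("same file is also hooked into Winlogon")
        if reasons:
            findings.append((code, f"[{name}] {command}: " + "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for code, finding in triage(SAMPLE_LOG):
        print(code, finding)
```

On the sample the script reports six entries: the two Winlogon extras, the AppInit_DLLs value, the Temp-directory entry, the blank-named entry and the svcroot Run entry, while the NVIDIA, Startup-folder and service lines pass. The cross-reference in pass 2 is the useful part: a Run entry with a full path and a plausible name looks ordinary on its own, and only stands out because the same file name is also wired into the Shell value.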

nickerbocker
2007-08-31, 16:11
hey,
i got rid of the svcroot file, but i couldn't delete the ldcore.dll one. i got a message saying that access was denied and to make sure the disk is not full or in use.
should i continue with the steps anyway?

shelf life
2007-08-31, 17:03
hi,

ok good, yes continue with getting super antispyware. after the scan you can save and post the report it generates like this:

After a scan and a reboot, double-click the SUPERAntispyware icon on your desktop.
* Click Preferences. Click the Statistics/Logs tab.
* Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
* It will open in your default text editor (Notepad).
* Please highlight everything, then right-click and choose copy.
* Click close and close again to exit the program.

Now please paste the removal information along with a new HijackThis log in your reply.
--------------------------

i couldn't delete the ldcore.dll one.
were you in safe mode when you tried to delete it?
shelf life

nickerbocker
2007-09-01, 15:21
hey, the message gets to be too long if i put the logs together, so here is the superantispyware one:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/01/2007 at 01:41 AM

Application Version : 3.9.1008

Core Rules Database Version : 3298
Trace Rules Database Version: 1306

Scan type : Complete Scan
Total Scan Time : 02:08:53

Memory items scanned : 534
Memory threats detected : 9
Registry items scanned : 5015
Registry threats detected : 35
File items scanned : 28900
File threats detected : 146

Trojan.Downloader-LDCORE
C:\WINDOWS\SYSTEM32\LDCORE.DLL
C:\WINDOWS\SYSTEM32\LDCORE.DLL
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\EXPLORER4.EXE

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\DDABB.DLL
C:\WINDOWS\SYSTEM32\DDABB.DLL
HKLM\Software\Classes\CLSID\{488F5416-0E29-4ABB-8E1E-CD763DBFAF58}
HKCR\CLSID\{488F5416-0E29-4ABB-8E1E-CD763DBFAF58}
HKCR\CLSID\{488F5416-0E29-4ABB-8E1E-CD763DBFAF58}\InprocServer32
HKCR\CLSID\{488F5416-0E29-4ABB-8E1E-CD763DBFAF58}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{CC358019-D328-40B4-8E2D-818CE142616C}
HKCR\CLSID\{CC358019-D328-40B4-8E2D-818CE142616C}
HKCR\CLSID\{CC358019-D328-40B4-8E2D-818CE142616C}\InprocServer32
HKCR\CLSID\{CC358019-D328-40B4-8E2D-818CE142616C}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{488F5416-0E29-4ABB-8E1E-CD763DBFAF58}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CC358019-D328-40B4-8E2D-818CE142616C}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{CC358019-D328-40B4-8E2D-818CE142616C}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\ddabb
HKCR\CLSID\{CC358019-D328-40B4-8E2D-818CE142616C}

Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\NNNNOON.DLL
C:\WINDOWS\SYSTEM32\NNNNOON.DLL

Adware.DeluxeCommunications
C:\DOCUME~1\NETWOR~1\LOCALS~1\TEMP\I5.TMP
C:\DOCUME~1\NETWOR~1\LOCALS~1\TEMP\I5.TMP
C:\DOCUME~1\LOCALS~1\LOCALS~1\TEMP\I6.TMP
C:\DOCUME~1\LOCALS~1\LOCALS~1\TEMP\I6.TMP
C:\DOCUME~1\NETWOR~1\LOCALS~1\TEMP\DXCUPDATER3.EXE
C:\DOCUME~1\NETWOR~1\LOCALS~1\TEMP\DXCUPDATER3.EXE
C:\DOCUME~1\LOCALS~1\LOCALS~1\TEMP\DXCUPDATER3.EXE
C:\DOCUME~1\LOCALS~1\LOCALS~1\TEMP\DXCUPDATER3.EXE
HKU\S-1-5-19\Software\DeluxeCommunications
HKU\S-1-5-20\Software\DeluxeCommunications
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\TEMP\DXCUPDATER3.EXE
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\TEMP\I6.TMP
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\TEMP\STDRUN2.EXE
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\TEMP\DXCUPDATER3.EXE
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\TEMP\I5.TMP
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\TEMP\STDRUN2.EXE

Trojan.Downloader-NewJuan/VM
C:\WINDOWS\SYSTEM32\TICSFDCR.DLL
C:\WINDOWS\SYSTEM32\TICSFDCR.DLL

Trojan.Downloader-Gen/AClient
C:\WINDOWS\SYSTEM32\ACLIENT.DLL
C:\WINDOWS\SYSTEM32\ACLIENT.DLL
HKLM\Software\Classes\CLSID\{98B822AD-6BE7-49BC-B773-97240B774080}
HKCR\CLSID\{98B822AD-6BE7-49BC-B773-97240B774080}
HKCR\CLSID\{98B822AD-6BE7-49BC-B773-97240B774080}
HKCR\CLSID\{98B822AD-6BE7-49BC-B773-97240B774080}\InprocServer32
HKCR\CLSID\{98B822AD-6BE7-49BC-B773-97240B774080}\InprocServer32#ThreadingModel
HKCR\CLSID\{98B822AD-6BE7-49BC-B773-97240B774080}\ProgID
HKCR\CLSID\{98B822AD-6BE7-49BC-B773-97240B774080}\VersionIndependentProgID
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{98B822AD-6BE7-49BC-B773-97240B774080}

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{44218730-94E0-4b24-BBF0-C3D8B2BCE2C3}
HKCR\CLSID\{44218730-94E0-4B24-BBF0-C3D8B2BCE2C3}
HKCR\CLSID\{44218730-94E0-4B24-BBF0-C3D8B2BCE2C3}\InprocServer32
HKCR\CLSID\{44218730-94E0-4B24-BBF0-C3D8B2BCE2C3}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{44218730-94E0-4b24-BBF0-C3D8B2BCE2C3}
HKCR\CLSID\{44218730-94E0-4B24-BBF0-C3D8B2BCE2C3}

Trojan.IP6FW/Rootkit
HKLM\System\ControlSet001\Services\Ip6Fw
C:\WINDOWS\SYSTEM32\DRIVERS\IP6FW.SYS
HKLM\System\ControlSet002\Services\Ip6Fw
HKLM\System\CurrentControlSet\Services\Ip6Fw

Trojan.Downloader-Gen/HitItQuitIt
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\nnnnoon

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@partypoker[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@msnportal.112.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@cgi-bin[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@eb.adbureau[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@4.adbrite[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@cgi-bin[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@track.searchignite[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@bs.serving-sys[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@serving-sys[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@adecn[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@ads.adbrite[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@sales.liveperson[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@partygaming.122.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@ad.adnetinteractive[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@adbrite[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@ad.abum[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@1070299046[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@realmedia[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@a[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@atwola[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@cnn.122.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@toplist[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@www.poweradvertising[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@59754885[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@ad.scanmedios[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@livenation.122.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@qnsr[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@atdmt[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@ads.addynamix[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@revenue[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@www.burstbeacon[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@revsci[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@track.bestbuy[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@xiti[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@247realmedia[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@clickbank[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@tacoda[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@valueclick[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@adtech[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@stats1.reliablestats[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@e-2dj6wgmyclc5adp.stats.esomniture[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@ads.pointroll[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@indextools[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@clickaider[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@torstardigital.122.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@microsoftconsumermarketing.112.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@ad1.clickhype[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@ads.ak.facebook[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@usenext[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@roiservice[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@questionmarket[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@tribalfusion[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@gomyron[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@specificclick[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@1068064317[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@web-stat[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@cooking.adbureau[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@ad.thewheelof[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@partner2profit[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@adcentriconline[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@stat.dealtime[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@a.websponsors[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@3.adbrite[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@usatoday1.112.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@anad.tacoda[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@ad.greenmarquee[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@digitalmedianet[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@media.the-leaky-cauldron[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@omniturechannel.112.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@70062990[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@ads.as4x.tmcs.ticketmaster[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@adserver.adreactor[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@2696[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@divx.112.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@1069218548[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@ads.digitalmedianet[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@www.managebanner[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@homedepotca.122.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@reduxads.valuead[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@adlegend[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@data.neuroxmedia[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@tremor.adbureau[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@overture[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@cpvfeed[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@enhance[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@1072725627[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@ad.iconadserver[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@112.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@stats.channel4[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@bizrate[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@laptopmag.122.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@server.iad.liveperson[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@brightcove.112.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@perf.overture[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@1067413066[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@harpo.122.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@digitalmediaonline.us.intellitxt[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@ads.labpixies[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@ads.guardian.co[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@ad[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@creativemac.digitalmedianet[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@bellglobemediapublishing.122.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@drivecleaner[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@adserver.pollstar[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@metacafe.122.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@wTracker[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\nicola rodriguez@doubleclick[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\nicola rodriguez@msnportal.112.2o7[1].txt

Rootkit.RunTime2
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\runtime2.sys
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\runtime2.sys
C:\WINDOWS\SYSTEM32\DRIVERS\RUNTIME2.SYS

Trojan.Downloader-Gen/Micky
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\2.DLLB

Trojan.Downloader-StdRun/Gen
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\TEMP\STDRUN1.EXE
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\TEMP\STDRUN1.EXE

Trojan.Downloader-UDL2
C:\OFKVWFIF.EXE

Dialer.Dial/Gen Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A02663E2-6190-4411-AFD2-5BFD28350B76}\RP161\A0022931.EXE

Trojan.VXGame/32
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A02663E2-6190-4411-AFD2-5BFD28350B76}\RP161\A0022933.EXE

Trojan.VXGame-Gen
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A02663E2-6190-4411-AFD2-5BFD28350B76}\RP161\A0022936.EXE
C:\WINDOWS\SYSTEM32\VEDXG3AM1ET3.EXE

Trojan.Downloader-Gen/WinPop
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A02663E2-6190-4411-AFD2-5BFD28350B76}\RP161\A0022947.EXE

Trojan.Downloader-Gen/Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A02663E2-6190-4411-AFD2-5BFD28350B76}\RP161\A0022950.EXE

Trojan.Downloader-Gen/Win
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A02663E2-6190-4411-AFD2-5BFD28350B76}\RP161\A0022954.EXE

Adware.ZenoSearch
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A02663E2-6190-4411-AFD2-5BFD28350B76}\RP161\A0022957.EXE

Adware.ZenoSearch-NVON
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A02663E2-6190-4411-AFD2-5BFD28350B76}\RP161\A0022958.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A02663E2-6190-4411-AFD2-5BFD28350B76}\RP161\A0022959.EXE

Trojan.BraveSentry
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A02663E2-6190-4411-AFD2-5BFD28350B76}\RP162\A0027001.EXE

Malware.MalwareStopper
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A02663E2-6190-4411-AFD2-5BFD28350B76}\RP162\A0027003.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A02663E2-6190-4411-AFD2-5BFD28350B76}\RP162\A0027004.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A02663E2-6190-4411-AFD2-5BFD28350B76}\RP162\A0027005.DLL

Trojan.Downloader-CSRSS/Fake
C:\WINDOWS\CSRSS.EXE
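
The scan log above mixes items of very different weight: copies sitting in System Restore points and tracking cookies are inert, while registry keys under SafeBoot, Winlogon\Notify and Browser Helper Objects are the places that get a file loaded again at the next boot, logon or browser start (the SafeBoot entries are what let a driver load even in safe mode). The parser below is an added example, not part of the thread and not SUPERAntiSpyware's own code; it reads the log's layout (blank-line separated blocks, a detection name followed by the items found), drops the statistics header, de-duplicates the repeated file hits, and ranks each detection by whether it still has a live loader point. The sample is constructed from paths in the posted log with the cookie file name replaced by a placeholder; the class labels, priorities and function names (`classify`, `parse_sas_log`, `summarize`) are the example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the SUPERAntiSpyware log above: blank-line
# separated blocks, a detection name on the first line, then the items found.
# Paths are taken from the posted log; the cookie file name is a placeholder.
SAMPLE_SAS_LOG = r"""
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Memory items scanned : 534
Memory threats detected : 9

Trojan.Downloader-LDCORE
C:\WINDOWS\SYSTEM32\LDCORE.DLL
C:\WINDOWS\SYSTEM32\LDCORE.DLL
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\EXPLORER4.EXE

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\DDABB.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{488F5416-0E29-4ABB-8E1E-CD763DBFAF58}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\ddabb

Rootkit.RunTime2
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\runtime2.sys
C:\WINDOWS\SYSTEM32\DRIVERS\RUNTIME2.SYS

Trojan.VXGame-Gen
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A02663E2-6190-4411-AFD2-5BFD28350B76}\RP161\A0022936.EXE
C:\WINDOWS\SYSTEM32\VEDXG3AM1ET3.EXE

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\user@doubleclick[1].txt
"""

ITEM_RE = re.compile(r"^([A-Za-z]:\\|HK[A-Z]*\\|Software\\)")
REGISTRY_RE = re.compile(r"^(HK[A-Z]*\\|Software\\)")


def classify(item):
    """Label one detected item by where it lives; the loader kinds are checked first."""
    u = item.upper()
    if "\\SYSTEM VOLUME INFORMATION\\_RESTORE" in u:
        return "restore-point copy"          # inert unless System Restore is used
    if "\\COOKIES\\" in u:
        return "tracking cookie"
    if "\\SAFEBOOT\\" in u:
        return "loader: SafeBoot"            # driver allowed to load in safe mode too
    if "\\WINLOGON\\NOTIFY\\" in u:
        return "loader: Winlogon Notify"     # DLL loaded by winlogon at logon
    if "BROWSER HELPER OBJECTS" in u:
        return "loader: BHO"                 # DLL loaded by Internet Explorer
    if REGISTRY_RE.match(item):
        return "registry key"
    if "\\TEMP\\" in u:
        return "file in Temp"
    return "file"


def parse_sas_log(text):
    """{detection name: [unique items]} from a SUPERAntiSpyware log; header blocks are dropped."""
    groups = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) < 2 or not all(ITEM_RE.match(ln) for ln in lines[1:]):
            continue                         # statistics/header block, not a detection
        items = groups.setdefault(lines[0], [])
        for ln in lines[1:]:
            if ln not in items:              # the log repeats file hits
                items.append(ln)
    return groups


def summarize(groups):
    """Per detection: item-class counts and a cleanup priority based on live loader points."""
    summary = {}
    for name, items in groups.items():
        counts = defaultdict(int)
        for item in items:
            counts[classify(item)] += 1
        if any(k.startswith("loader:") for k in counts):
            priority = "high"                # something still gets it loaded at boot/logon
        elif set(counts) <= {"restore-point copy", "tracking cookie"}:
            priority = "low"
        else:
            priority = "medium"
        summary[name] = {"priority": priority, "counts": dict(counts)}
    return summary


if __name__ == "__main__":
    for name, info in summarize(parse_sas_log(SAMPLE_SAS_LOG)).items():
        print(f"{info['priority']:6} {name}: {info['counts']}")
```

On the sample the Vundo and RunTime2 detections come out as high priority because of their BHO, Winlogon Notify and SafeBoot keys, the LDCORE and VXGame ones as medium (files on disk, one of them only a restore-point copy), and the cookies as low. Restore-point copies are listed separately on purpose: they do not run, but they come back if System Restore is used, which is why cleanup guides usually finish by flushing the restore points once the machine is clean.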

nickerbocker
2007-09-01, 15:24
and here is the hjt:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:07:53 AM, on 9/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [UIUCU] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
O4 - HKLM\..\Run: [MSOffice] rundll32.exe "C:\WINDOWS\system32\syhtncxw.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [svcroot] C:\WINDOWS\system32\svcroot.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsrngt.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - .DEFAULT Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsrngt.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsrngt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: winjyp32 - winjyp32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\omtsreco.exe
O23 - Service: OracleServiceXE - Oracle Corporation - c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
O23 - Service: OracleXEClrAgent - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\bin\OraClrAgnt.exe
O23 - Service: OracleXETNSListener - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10317 bytes

I checked for the svcroot.exe and ldcore.dll file in the system32 folder and they were both gone... my computer seems to be running like before. Dare I ask if it's fixed?!

shelf life
2007-09-01, 17:30
hi nickerbocker,

in "normal mode" use hjt to fix the items below, then do a full system scan with superantispyware:

scan with HJT, put a checkmark beside the items below, close all windows and click fix checked.

O4 - HKCU\..\Run: [svcroot] C:\WINDOWS\system32\svcroot.exe
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
--------------------------------
first stop after the above:

Please download ComboFix (by sUBs) from one of the following links:

http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Save it to the Desktop.
Double-click combofix.exe and follow the prompts.

CAUTION: Do not mouse-click ComboFix's window while it is running.
It may cause it to stall.

When finished, it produces a log.

Please provide the contents of the ComboFix log in your reply.
------------------------------------------
post the combofix log and a new hjt log.

shelf life

nickerbocker
2007-09-01, 20:27
hi shelf life,

combofix log:

ComboFix 07-08-30.3 - "Nicola Rodriguez" 2007-09-01 13:08:43.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.169 [GMT -4:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ADMINI~1\APPLIC~1\install.dat
C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup.\TA_Start.lnk
C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\ta_start.lnk
C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\3_exception.nls
C:\WINDOWS\system32\dllh8jkd1q8.exe
C:\WINDOWS\system32\drivers\alert_icon.gif
C:\WINDOWS\system32\drivers\asc3550u.sys
C:\WINDOWS\system32\drivers\close_icon.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\header_bg.gif
C:\WINDOWS\system32\drivers\icon_warning.gif
C:\WINDOWS\system32\drivers\remove_spyware_button.gif
C:\WINDOWS\system32\drivers\sfsync02.sys
C:\WINDOWS\system32\f06WtR
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\msbind32.exe
C:\WINDOWS\system32\xpdx.sys


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_ASC3550U
-------\LEGACY_NTMLSVC
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\LEGACY_SFSYNC02
-------\NtmlSvc
-------\runtime
-------\sfsync02
-------\xpdx


((((((((((((((((((((((((( Files Created from 2007-08-01 to 2007-09-01 )))))))))))))))))))))))))))))))


2007-09-01 13:07 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-01 01:06 603,723 ---hs---- C:\WINDOWS\system32\bbadd.ini2
2007-08-31 23:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-31 23:07 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-08-31 23:07 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-31 23:01 87,616 --a------ C:\WINDOWS\system32\syhtncxw.dll
2007-08-31 22:58 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-31 18:28 87,616 --------- C:\WINDOWS\system32\srrxwddc.dll
2007-08-31 17:26 87,616 --a------ C:\WINDOWS\system32\wociddij.dll
2007-08-28 23:07 87,616 --a------ C:\WINDOWS\system32\vwmlwcjc.dll
2007-08-28 17:45 87,616 --a------ C:\WINDOWS\system32\ffvslrsh.dll
2007-08-27 21:53 87,616 --a------ C:\WINDOWS\system32\qbptqkui.dll
2007-08-27 19:48 94,208 --a------ C:\WINDOWS\system32\MailSpectre.exe
2007-08-27 19:48 18,176 --a------ C:\WINDOWS\system32\drivers\smtpdrv.sys
2007-08-26 20:15 87,616 --a------ C:\WINDOWS\system32\atijpabd.dll
2007-08-26 13:57 87,616 --a------ C:\WINDOWS\system32\derfffei.dll
2007-08-25 20:02 87,616 --a------ C:\WINDOWS\system32\gcalbgox.dll
2007-08-25 14:34 87,616 --a------ C:\WINDOWS\system32\osqlfpmb.dll
2007-08-25 02:45 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-08-25 02:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-25 02:10 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-24 21:09 87,616 --a------ C:\WINDOWS\system32\ryxjactc.dll
2007-08-24 20:15 87,616 --------- C:\WINDOWS\system32\blfcjgly.dll
2007-08-24 18:44 87,616 --a------ C:\WINDOWS\system32\tkxgnudj.dll
2007-08-23 23:34 87,616 --a------ C:\WINDOWS\system32\gatllruf.dll
2007-08-23 21:18 278 --a------ C:\WINDOWS\system32\is68193.exe
2007-08-23 19:39 87,616 --a------ C:\WINDOWS\system32\jwqonxwg.dll
2007-08-23 16:52 87,616 --a------ C:\WINDOWS\system32\ikylgcym.dll
2007-08-22 21:27 87,616 --a------ C:\WINDOWS\system32\wecyktcr.dll
2007-08-21 23:01 87,616 --a------ C:\WINDOWS\system32\hagllpdc.dll
2007-08-20 23:17 17,408 --a------ C:\WINDOWS\system32\ntsvc32.dll
2007-08-20 22:46 603,751 ---hs---- C:\WINDOWS\system32\bbadd.bak2
2007-08-20 21:37 4,096 --a------ C:\WINDOWS\system32\lwinqmdt.exe
2007-08-20 21:35 <DIR> d-------- C:\Temp
2007-08-20 21:34 59,392 --a------ C:\lisy.exe
2007-08-20 21:34 21,504 --a------ C:\WINDOWS\system32\mstdmc.exe
2007-08-18 09:24 <DIR> d-------- C:\Program Files\Quest Software
2007-08-17 20:24 <DIR> d-------- C:\Program Files\Microsoft Visual Studio .NET
2007-08-17 20:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2007-08-17 20:20 <DIR> d-------- C:\oraclexe
2007-08-04 23:00 <DIR> d-------- C:\Program Files\iPod


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-01 12:50 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-24 18:43 111 --a------ C:\WINDOWS\system32\drivers\fee
2007-08-24 18:37 --------- d-------- C:\Program Files\Norton AntiVirus
2007-08-20 21:34 --------- d-------- C:\Program Files\BitTorrent
2007-08-20 07:46 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\BitTorrent
2007-08-17 20:42 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-12 14:08 --------- d-------- C:\Program Files\DivX
2007-08-04 23:01 --------- d-------- C:\Program Files\iTunes
2007-07-31 22:03 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Apple Computer
2007-07-31 22:02 --------- d-------- C:\Program Files\QuickTime
2007-07-31 22:02 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-07-31 22:00 --------- d-------- C:\Program Files\Common Files\Apple
2007-07-31 22:00 --------- d-------- C:\Program Files\Apple Software Update
2007-07-31 22:00 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-26 19:06 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-26 19:06 43528 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-07-26 19:06 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-26 19:06 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-26 19:06 144704 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-07-26 19:06 129784 --------- C:\WINDOWS\system32\pxafs.dll
2007-07-26 19:06 120056 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-07-26 19:06 118520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-07-26 19:06 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-26 19:03 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-26 19:03 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-26 19:03 81920 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-26 19:03 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-26 19:03 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-26 19:03 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-26 19:03 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-26 19:03 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-07-26 19:03 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-26 19:03 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-26 19:03 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-07-26 19:03 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-26 19:03 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-10-26 12:01]
"nwiz"="nwiz.exe" [2004-10-26 12:01 C:\WINDOWS\system32\nwiz.exe]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 C:\WINDOWS\BCMSMMSG.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 22:19]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 17:48]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 23:57]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 12:29]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-10 01:04]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 18:44]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-26 19:38]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjyp32]
winjyp32.dll

R1 smtpdrv;smtpdrv;C:\WINDOWS\system32\DRIVERS\smtpdrv.sys
R2 OracleServiceXE;OracleServiceXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE
R3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\system32\DRIVERS\BCMSM.sys
S2 OracleXETNSListener;OracleXETNSListener;C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
S4 OracleJobSchedulerXE;OracleJobSchedulerXE;c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE


Contents of the 'Scheduled Tasks' folder
2007-08-05 02:53:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-25 00:01:40 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Nicola Rodriguez.job - C:\PROGRA~1\NORTON~1\Navw32.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-01 13:14:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-01 13:20:12 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-01 13:19

--- E O F ---
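
A triage script for the kind of log lines exchanged above, added here as an example and not a tool from this thread or from the HijackThis/ComboFix authors: it flags the O4/O20 entries shelf life pointed at (svcroot.exe, ldcore.dll, the rundll32 item loading syhtncxw.dll) and the cluster of same-size, randomly named DLLs visible in the ComboFix "Files Created" section. The sample lines are constructed from entries in this thread; the rule thresholds and the ctfmon.exe allowlist are assumptions.

```python
"""Heuristic triage of HijackThis and ComboFix log lines (added example)."""
import re
from collections import defaultdict
from ntpath import basename, dirname

# Constructed sample: O4 Run items and O20 hooks copied from the HJT logs in this thread.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
O4 - HKLM\..\Run: [MSOffice] rundll32.exe "C:\WINDOWS\system32\syhtncxw.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [svcroot] C:\WINDOWS\system32\svcroot.exe
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: winjyp32 - winjyp32.dll (file missing)
"""

# Constructed sample: lines from the ComboFix "Files Created" section above.
COMBOFIX_SAMPLE = r"""
2007-09-01 01:06 603,723 ---hs---- C:\WINDOWS\system32\bbadd.ini2
2007-08-31 23:07 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-08-31 23:01 87,616 --a------ C:\WINDOWS\system32\syhtncxw.dll
2007-08-31 18:28 87,616 --------- C:\WINDOWS\system32\srrxwddc.dll
2007-08-31 17:26 87,616 --a------ C:\WINDOWS\system32\wociddij.dll
2007-08-27 19:48 94,208 --a------ C:\WINDOWS\system32\MailSpectre.exe
2007-08-20 23:17 17,408 --a------ C:\WINDOWS\system32\ntsvc32.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
"""

# Eight lowercase letters and nothing else: the naming style of the rotating Vundo DLLs above.
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(dll|exe)$")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
PATH_RE = re.compile(r'"([^"]+)"|([A-Za-z]:\\[^",]+)')
CF_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S+)\s+(.*)$")
LOOSE_SYS32_EXE = re.compile(r"^c:\\windows\\system32\\[^\\]+\.exe$")
# Assumed allowlist: the one startup exe that normally lives loose in system32.
KNOWN_SYS32_STARTUP = {"ctfmon.exe"}


def paths_in(cmd):
    """Windows paths in a Run command, quoted or bare, in order of appearance."""
    return [quoted or bare for quoted, bare in PATH_RE.findall(cmd)]


def triage_hjt(text):
    """Return (reason, line) pairs for HijackThis O4/O20 lines worth a second look."""
    hits = []
    for line in text.strip().splitlines():
        low = line.lower()
        m = O4_RE.match(line)
        if m:
            paths = paths_in(m.group(3))
            target = paths[0].lower() if paths else ""
            if "\\temp\\" in target:
                hits.append(("run item launched from a Temp directory", line))
            if "rundll32" in low:
                dll = next((p for p in paths if p.lower().endswith(".dll")), "")
                if RANDOM_NAME.match(basename(dll).lower()):
                    hits.append(("rundll32 loading a randomly named DLL", line))
            if LOOSE_SYS32_EXE.match(target) and basename(target) not in KNOWN_SYS32_STARTUP:
                hits.append(("startup exe loose in system32, verify its publisher", line))
        elif low.startswith("o20 - appinit_dlls:"):
            # AppInit_DLLs is loaded into every process that maps user32.dll; legitimate use is rare.
            hits.append(("AppInit_DLLs entry", line))
        elif low.startswith("o20 - winlogon notify:") and "(file missing)" in low:
            hits.append(("orphaned Winlogon Notify entry", line))
    return hits


def triage_combofix(text, min_cluster=3):
    """Return (reason, line) pairs for ComboFix 'Files Created' lines worth a second look."""
    hits = []
    by_size = defaultdict(list)  # size in bytes -> random-named system32 files of that size
    for line in text.strip().splitlines():
        m = CF_RE.match(line)
        if not m:
            continue
        _, size, attrs, path = m.groups()
        name = basename(path).lower()
        in_sys32 = dirname(path).lower().endswith("\\system32")
        if size != "<DIR>" and in_sys32 and RANDOM_NAME.match(name):
            by_size[int(size.replace(",", ""))].append(line)
        # Hidden+system attributes on a data file with an odd extension under system32.
        if "h" in attrs and "s" in attrs and in_sys32 and not name.endswith((".dll", ".exe", ".sys")):
            hits.append(("hidden+system data file in system32", line))
    # Several same-size, random-named files is the payload-rotation pattern, not a coincidence.
    for size, lines in sorted(by_size.items()):
        if len(lines) >= min_cluster:
            for line in lines:
                hits.append((f"one of {len(lines)} random-named files of {size} bytes in system32", line))
    return hits


if __name__ == "__main__":
    for reason, line in triage_hjt(HJT_SAMPLE) + triage_combofix(COMBOFIX_SAMPLE):
        print(f"[{reason}] {line}")
```

Run it against a full log by reading the file into the two `triage_*` functions; a hit is a prompt to check the file's publisher and date, not a verdict.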

nickerbocker
2007-09-01, 20:28
HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:23:33 PM, on 9/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: winjyp32 - winjyp32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\omtsreco.exe
O23 - Service: OracleServiceXE - Oracle Corporation - c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
O23 - Service: OracleXEClrAgent - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\bin\OraClrAgnt.exe
O23 - Service: OracleXETNSListener - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9691 bytes
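A small added helper, not part of this thread or any of the tools mentioned, that reads HijackThis O23 lines like the ones in the log above and flags the entries a reviewer would look at first: services whose binary is missing, services with no recorded publisher, and services running from a temp or profile directory. The sample input copies three lines from the log above and adds one constructed entry to exercise the directory check.

```python
from dataclasses import dataclass, field

# Three O23 lines copied from the HijackThis log above plus one constructed
# entry (a service binary in a Temp directory) to exercise the path check.
SAMPLE_O23 = """\
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
O23 - Service: OracleXETNSListener - Unknown owner - C:\\oraclexe\\app\\oracle\\product\\10.2.0\\server\\BIN\\tnslsnr.exe (file missing)
O23 - Service: SPBBCSvc - Symantec Corporation - C:\\Program Files\\Common Files\\Symantec Shared\\SPBBC\\SPBBCSvc.exe
O23 - Service: Windows Helper (winhlp) - Unknown owner - C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\svchost.exe
"""

@dataclass
class ServiceEntry:
    name: str
    owner: str
    path: str
    file_missing: bool
    flags: list = field(default_factory=list)

PREFIX = "O23 - Service: "
MISSING = " (file missing)"
# Directories a legitimate Windows service binary would not normally run from.
SUSPECT_DIRS = ("\\temp\\", "\\documents and settings\\", "\\local settings\\")

def parse_o23(line: str):
    """Split one O23 line into name, owner, path and the file-missing marker; None if not O23."""
    line = line.rstrip()
    if not line.startswith(PREFIX):
        return None
    body = line[len(PREFIX):]
    file_missing = body.endswith(MISSING)
    if file_missing:
        body = body[:-len(MISSING)]
    parts = body.split(" - ", 2)        # HijackThis separates the three fields with " - "
    if len(parts) != 3:
        return None
    name, owner, path = parts
    return ServiceEntry(name, owner, path, file_missing)

def review_o23(log_text: str):
    """Return the parsed O23 entries that carry at least one review flag."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_o23(line)
        if entry is None:
            continue
        if entry.file_missing:
            entry.flags.append("file missing: orphaned service entry, clean up the registry key")
        if entry.owner == "Unknown owner":
            entry.flags.append("no publisher recorded: verify the binary's signature and origin")
        if any(d in entry.path.lower() for d in SUSPECT_DIRS):
            entry.flags.append("binary runs from a temp/profile directory: unusual for a service")
        if entry.flags:
            flagged.append(entry)
    return flagged
```

Running `review_o23(SAMPLE_O23)` flags the orphaned Oracle listener and the constructed Temp-directory service, and leaves the NVIDIA and Symantec entries alone.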

shelf life
2007-09-02, 02:53
hi nickerbocker,

ok good. thanks for the info. one more download to get:


download and run vundofix.exe:

http://www.atribune.org/ccount/click.php?id=4

* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

shelf life

nickerbocker
2007-09-02, 22:31
hey shelf life,

when i run the vundofix scan it says there were no infected files found

shelf life
2007-09-03, 00:27
hi nickerbocker,


vundofix scan it says there were no infected files found
ok good. how's it looking on that end now? did you do the rescan with superantispyware?

shelf life

nickerbocker
2007-09-03, 04:38
here's the latest log from superantispyware:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/02/2007 at 07:44 PM

Application Version : 3.9.1008

Core Rules Database Version : 3298
Trace Rules Database Version: 1306

Scan type : Complete Scan
Total Scan Time : 00:42:14

Memory items scanned : 451
Memory threats detected : 0
Registry items scanned : 4988
Registry threats detected : 0
File items scanned : 27552
File threats detected : 11

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@msnportal.112.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@overture[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@casalemedia[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@atdmt[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@doubleclick[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@tacoda[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@ad.yieldmanager[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@advertising[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@tribalfusion[2].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\nicola rodriguez@mediaplex[2].txt


What's the verdict?

shelf life
2007-09-03, 05:14
hi nickerbocker.


What's the verdict?
looks good to me. cookies are not much to worry about. we can make new restore points:

You must be logged in as an Administrator to do this. If you are not logged in as an Administrator, the System Restore tab will not be displayed.
Turning off System Restore will clear out all previous restore points.
To turn off Windows XP System Restore:

NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot computer (will delete possibly infected restore points)

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

4. Reboot computer (new clean restore point)

shelf life

nickerbocker
2007-09-03, 19:46
thanks so much shelf life!
i just ran spybot as well and only a couple of cookies came up... virtumonde is gone!

thanks again!

shelf life
2007-09-04, 04:18
hi nickerbocker,

ok good. happy safe surfing.