PDA

View Full Version : virtumonde has got me



mchase
2007-11-02, 19:26
Hi I believe I am having problems with with virtumonde and maybe others.

I have tried Norton Symantic, and MS One care, virus scanners both have reported differing viruses which I removed.

I tried running Ad-Aware and Spybot. Both clean up various problems. However spybot reports, virtumonde keeps reappearing shortly after it is cleaned out. Also I start getting pop-ups on my computer.

As per the instructions I am currently running Kaspersky but it is taking a long time: so far 7:30 hours and only 22% complete. This rate it will take over a day to finish.
However currently it is reporting 37 infected objects and 15 virues found.

Should I continue the scan?

Also, it appears to have shut down my Norton auto protect during the scan. Is this ok?

Thanks
Mike

steamwiz
2007-11-02, 21:56
HI

Cancell the scan & do this ...

First post a hijackthis log ... run NOW, so that we can see what we are dealing with ...

Download ...

HiJackThis log - Trend Micro HijackThis 2.0.2
Click here (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe) to download HJTInstall.exe
Save HJTInstall.exe to your desktop.
Doubleclick on the HJTInstall.exe icon on your desktop.
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" and Paste (http://www.webmasternow.com/copyandpaste.html) the entire contents of the log (no attachments) into your next post.
DO NOT use the AnalyseThis button, its findings are dangerous if misinterpreted.
DO NOT have Hijackthis fix anything yet. Most of what HJT lists will be harmless or even required by your Operating System,

----------------
After posting the log continue with this ....

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
1. Double-click VundoFix.exe to run it.
2. When VundoFix re-opens, click the Scan for Vundo button.
3. Once it's done scanning, click the Remove Vundo button.
4. You will receive a prompt asking if you want to remove the files, click "YES".
5. Once you click yes, your desktop will go blank as it starts removing Vundo.
6. When completed, it will prompt that it will reboot your computer, click "OK".

7. Please post the contents of C:\vundofix.txt

If vundofix cannot delete a file, it will try to delete it during a reboot, after the reboot vundofix will open again, you must run vundofix again, from "Click the Scan for Vundo button" ... and you must keep running vundofix until it does delete the file... I've known a stubborn vundo file take 5 or 6 reboots before it is deleted...

Keep running vundofix untill it gives you the message "no infected files were found"


THEN ...

Download Superantispyware.

http://www.superantispyware.com/

Once downloaded and installed update the definitions
and then run a full system scan quarantine what it finds!

* Double-click SUPERAntiSypware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)

http://www.superantispyware.com/definitions.html

* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.

THEN ...

Please download Combofix: http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
and save to the desktop.

1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new hijackthis log.

Notes:
* Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
* Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

Please remember to post :-

An original hijackthis log ....

then ...

1. C:\vundofix.txt
2. SUPERAntiSpyware Scan Log
3. C:\ComboFix.txt
4. a new hijackthis log.( run after everything else)

steam

mchase
2007-11-02, 23:00
Ok here is the hijack this file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:49:04 PM, on 11/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\sistray.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
c:\ads2002c\licenses\bin\lmgrd.exe
c:\ads2002c\licenses\bin\agileesof.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\Program Files\Vidalia\vidalia.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\adobe\acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Privoxy\privoxy.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/?u
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {47FD1D75-E4C0-4049-A882-60B57314032A} - C:\WINDOWS\system32\qomkjjg.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\exjdrgmn.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O2 - BHO: (no name) - {E047EE0E-CAAD-4FF3-ABA9-C6162901DA4E} - C:\WINDOWS\system32\mllmn.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [0468a0bb] rundll32.exe "C:\WINDOWS\system32\xrrgtjid.dll",b
O4 - HKCU\..\Run: [DynDNS Updater] "C:\Program Files\DynDNS Updater\DynDNS.exe"
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\adobe\acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download All Files by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGet.htm
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\PROGRA~1\HIDOWN~1\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163788960109
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D276847-F6C8-4D44-8B7B-581941E66A7E}: NameServer = 68.94.156.1,68.94.157.1
O20 - Winlogon Notify: gjkbrjqb - gjkbrjqb.dll (file missing)
O20 - Winlogon Notify: qomkjjg - qomkjjg.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: FLEXlm License Manager - GLOBEtrotter Software Inc. - c:\ads2002c\licenses\bin\lmgrd.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: CYGWIN sshd (sshd) - Unknown owner - C:\cygwin\bin\cygrunsrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 13298 bytes

mchase
2007-11-03, 00:22
Ok I ran VundoFix

It did not generat a text file as far as I can tell bu it did list some files in its window:

C:/windows/system32/exdramn.dll
C:/windows/system32/qomkjjg.dll

I clicked remove, then rebooted, then ran VundoFix again. This time it reported the system was clean.

steamwiz
2007-11-03, 01:00
Hi

OK ... the vundofix log should be here :-

C:\vundofix.txt



It did not generat a text file as far as I can tell bu it did list some files in its window:

C:/windows/system32/exdramn.dll
C:/windows/system32/qomkjjg.dll


well hijackthis shows this was deleted ....

O2 - BHO: (no name) - {47FD1D75-E4C0-4049-A882-60B57314032A} - C:\WINDOWS\system32\qomkjjg.dll (file missing)

but says you still have this one ...

O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\exjdrgmn.dll

I presume you spelt it wrong

You also still have this (which is vundo related)

O2 - BHO: (no name) - {E047EE0E-CAAD-4FF3-ABA9-C6162901DA4E} - C:\WINDOWS\system32\mllmn.dll

+ other malware ...

So I need you to run the other programs I asked for & post the logs ...

THEN post a new hijackthis log ...

steam

mchase
2007-11-03, 03:45
Thanks for the location of the VundoFix.txt file. It contains the following:


VundoFix V6.5.11

Checking Java version...

Java version is 1.5.0.7
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 2:01:20 PM 11/2/2007

Listing files found while scanning....

C:\WINDOWS\system32\exjdrgmn.dll
C:\WINDOWS\system32\qomkjjg.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\exjdrgmn.dll
C:\WINDOWS\system32\exjdrgmn.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.11

Checking Java version...

Java version is 1.5.0.7
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 3:10:46 PM 11/2/2007

Listing files found while scanning....

No infected files were found.

Thanks
Mike

mchase
2007-11-03, 03:51
Ok SuperAntiSpyWare has finished. It says I still have 5 items of Vundo as well as some downloaders I will continue as per the instructions but here is the Scan log file:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/02/2007 at 05:49 PM

Application Version : 3.9.1008

Core Rules Database Version : 3336
Trace Rules Database Version: 1337

Scan type : Complete Scan
Total Scan Time : 02:13:59

Memory items scanned : 525
Memory threats detected : 0
Registry items scanned : 10766
Registry threats detected : 13
File items scanned : 73210
File threats detected : 98

Undefined Browser Helper Objects
HKLM\Software\Classes\CLSID\{523E1640-5EC3-11D2-BCC4-0020AFD4089D}
HKCR\CLSID\{523E1640-5EC3-11D2-BCC4-0020AFD4089D}
HKCR\CLSID\{523E1640-5EC3-11D2-BCC4-0020AFD4089D}
HKCR\CLSID\{523E1640-5EC3-11D2-BCC4-0020AFD4089D}\InprocServer32
HKCR\CLSID\{523E1640-5EC3-11D2-BCC4-0020AFD4089D}\InprocServer32#ThreadingModel
HKCR\CLSID\{523E1640-5EC3-11D2-BCC4-0020AFD4089D}\ProgID
HKCR\CLSID\{523E1640-5EC3-11D2-BCC4-0020AFD4089D}\VersionIndependentProgID
C:\PROGRAM FILES\HOTFAX MESSAGECENTER\SMFAXHELPER.DLL

Adware.Vundo Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E047EE0E-CAAD-4FF3-ABA9-C6162901DA4E}
HKCR\CLSID\{E047EE0E-CAAD-4FF3-ABA9-C6162901DA4E}
HKCR\CLSID\{E047EE0E-CAAD-4FF3-ABA9-C6162901DA4E}\InprocServer32
HKCR\CLSID\{E047EE0E-CAAD-4FF3-ABA9-C6162901DA4E}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\MLLMN.DLL

Unclassified.Unknown Origin
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{47FD1D75-E4C0-4049-A882-60B57314032A}
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{11A69AE4-FBED-4832-A2BF-45AF82825583}

Adware.Tracking Cookie
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@CA2C4MU2.txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@www.ontrack[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@windowsmedia[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@richmedia.yahoo[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@CAK3Z6NJ.txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@adcentriconline[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@adlegend[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@msnservices.112.2o7[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@epilot[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@mediamgr.ugo[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@ads.dbforums[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@medianewsgroup[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@ads.ezboard[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@296[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@ads.simtel[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@statse.webtrendslive[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@www.pornigraphic[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@html[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@ontrack[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@exitexchange[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@dir.videoclicks[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@msnportal.112.2o7[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@CAYLPQYX.txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@sales.liveperson[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@bestsellerantivirus[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@parentingteens.about[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@www.admedia365[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@www.pornigraphic[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@nextag[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@serviceswitching[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@ads.monstermoving[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@www.trafficswarm[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@rightmedia[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@atdmt[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@sales.liveperson[3].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@adinterax[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@specificpop[1].txt
C:\Documents and Settings\Grace\Cookies\grace@adinterax[1].txt
C:\Documents and Settings\Grace\Cookies\grace@atwola[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@2o7[10].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@2o7[11].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@2o7[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@2o7[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@2o7[3].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@2o7[4].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@2o7[5].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@2o7[6].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@2o7[7].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@2o7[8].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@2o7[9].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@ad.bannerpoint[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@ad.ir[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@ads.as4x.tmcs[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@adultfriendfinder[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@adv.webmd[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@atwola[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@CADXED2U.txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@CADXWPMV.txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@counter.bugs2k[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@ehg-kasperskylab.hitbox[10].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@ehg-kasperskylab.hitbox[11].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@ehg-kasperskylab.hitbox[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@ehg-kasperskylab.hitbox[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@ehg-kasperskylab.hitbox[3].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@ehg-kasperskylab.hitbox[4].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@ehg-kasperskylab.hitbox[5].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@ehg-kasperskylab.hitbox[6].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@ehg-kasperskylab.hitbox[7].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@ehg-kasperskylab.hitbox[8].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@ehg-kasperskylab.hitbox[9].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@hitbox[10].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@hitbox[11].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@hitbox[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@hitbox[3].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@hitbox[4].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@hitbox[5].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@hitbox[6].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@hitbox[7].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@hitbox[8].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@hitbox[9].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@microsoftwga.112.2o7[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@msnportal.112.2o7[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@msnservices.112.2o7[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@perf.overture[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@porn.smutshots[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@stats.klsoft[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@tacoda[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@webpower[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@www.admedia365[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@www.cracks[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@yadro[2].txt

Trojan.Downloader-Gen/TSITRA
C:\DOCUMENTS AND SETTINGS\MIA-KITTY\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\23A7Z9ZG\TSITRA[1].EXE
C:\DOCUMENTS AND SETTINGS\MIA-KITTY\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\NFJDKSO6\TSITRA[1].EXE

Trojan.Unknown Origin
C:\WINDOWS\MROFINU2000382.EXE
C:\WINDOWS\MROFINU880.EXE
C:\WINDOWS\Prefetch\MROFINU880.EXE-2C279AF3.pf

mchase
2007-11-03, 04:34
Ok I have rebooted after SuperAntiSpyware. The resulting scan log is:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/02/2007 at 05:49 PM

Application Version : 3.9.1008

Core Rules Database Version : 3336
Trace Rules Database Version: 1337

Scan type : Complete Scan
Total Scan Time : 02:13:59

Memory items scanned : 525
Memory threats detected : 0
Registry items scanned : 10766
Registry threats detected : 13
File items scanned : 73210
File threats detected : 98

Undefined Browser Helper Objects
HKLM\Software\Classes\CLSID\{523E1640-5EC3-11D2-BCC4-0020AFD4089D}
HKCR\CLSID\{523E1640-5EC3-11D2-BCC4-0020AFD4089D}
HKCR\CLSID\{523E1640-5EC3-11D2-BCC4-0020AFD4089D}
HKCR\CLSID\{523E1640-5EC3-11D2-BCC4-0020AFD4089D}\InprocServer32
HKCR\CLSID\{523E1640-5EC3-11D2-BCC4-0020AFD4089D}\InprocServer32#ThreadingModel
HKCR\CLSID\{523E1640-5EC3-11D2-BCC4-0020AFD4089D}\ProgID
HKCR\CLSID\{523E1640-5EC3-11D2-BCC4-0020AFD4089D}\VersionIndependentProgID
C:\PROGRAM FILES\HOTFAX MESSAGECENTER\SMFAXHELPER.DLL

Adware.Vundo Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E047EE0E-CAAD-4FF3-ABA9-C6162901DA4E}
HKCR\CLSID\{E047EE0E-CAAD-4FF3-ABA9-C6162901DA4E}
HKCR\CLSID\{E047EE0E-CAAD-4FF3-ABA9-C6162901DA4E}\InprocServer32
HKCR\CLSID\{E047EE0E-CAAD-4FF3-ABA9-C6162901DA4E}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\MLLMN.DLL

Unclassified.Unknown Origin
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{47FD1D75-E4C0-4049-A882-60B57314032A}
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{11A69AE4-FBED-4832-A2BF-45AF82825583}

Adware.Tracking Cookie
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@CA2C4MU2.txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@www.ontrack[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@windowsmedia[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@richmedia.yahoo[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@CAK3Z6NJ.txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@adcentriconline[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@adlegend[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@msnservices.112.2o7[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@epilot[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@mediamgr.ugo[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@ads.dbforums[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@medianewsgroup[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@ads.ezboard[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@296[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@ads.simtel[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@statse.webtrendslive[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@www.pornigraphic[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@html[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@ontrack[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@exitexchange[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@dir.videoclicks[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@msnportal.112.2o7[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@CAYLPQYX.txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@sales.liveperson[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@bestsellerantivirus[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@parentingteens.about[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@www.admedia365[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@www.pornigraphic[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@nextag[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@serviceswitching[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@ads.monstermoving[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@www.trafficswarm[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@rightmedia[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@atdmt[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@sales.liveperson[3].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@adinterax[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@specificpop[1].txt
C:\Documents and Settings\Grace\Cookies\grace@adinterax[1].txt
C:\Documents and Settings\Grace\Cookies\grace@atwola[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@2o7[10].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@2o7[11].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@2o7[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@2o7[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@2o7[3].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@2o7[4].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@2o7[5].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@2o7[6].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@2o7[7].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@2o7[8].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@2o7[9].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@ad.bannerpoint[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@ad.ir[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@ads.as4x.tmcs[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@adultfriendfinder[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@adv.webmd[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@atwola[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@CADXED2U.txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@CADXWPMV.txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@counter.bugs2k[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@ehg-kasperskylab.hitbox[10].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@ehg-kasperskylab.hitbox[11].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@ehg-kasperskylab.hitbox[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@ehg-kasperskylab.hitbox[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@ehg-kasperskylab.hitbox[3].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@ehg-kasperskylab.hitbox[4].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@ehg-kasperskylab.hitbox[5].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@ehg-kasperskylab.hitbox[6].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@ehg-kasperskylab.hitbox[7].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@ehg-kasperskylab.hitbox[8].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@ehg-kasperskylab.hitbox[9].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@hitbox[10].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@hitbox[11].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@hitbox[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@hitbox[3].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@hitbox[4].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@hitbox[5].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@hitbox[6].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@hitbox[7].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@hitbox[8].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@hitbox[9].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@microsoftwga.112.2o7[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@msnportal.112.2o7[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@msnservices.112.2o7[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@perf.overture[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@porn.smutshots[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@stats.klsoft[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@tacoda[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@webpower[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@www.admedia365[1].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@www.cracks[2].txt
C:\Documents and Settings\MIA-KITTY\Cookies\mia-kitty@yadro[2].txt

Trojan.Downloader-Gen/TSITRA
C:\DOCUMENTS AND SETTINGS\MIA-KITTY\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\23A7Z9ZG\TSITRA[1].EXE
C:\DOCUMENTS AND SETTINGS\MIA-KITTY\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\NFJDKSO6\TSITRA[1].EXE

Trojan.Unknown Origin
C:\WINDOWS\MROFINU2000382.EXE
C:\WINDOWS\MROFINU880.EXE
C:\WINDOWS\Prefetch\MROFINU880.EXE-2C279AF3.pf

mchase
2007-11-03, 06:14
Ok had a bit of a snag with this one. I forgot to disable script blocking in NAV. So on reboot while running ComboFix NAV sent me a warning and the system froze. I rebooted and got script blocking turned off. and re ran ComboFix. This time ComboFix did not ask for a reboot. The File below is the ComboFix Log (after NAV script blocking turned off) .
Nex post will be the new HJT log file



**********************************************
**********************************************

ComboFix Log:

ComboFix 07-11-02.3 - MIA-KITTY 2007-11-02 20:32:32.2 - NTFSx86
Running from: C:\Documents and Settings\MIA-KITTY\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\MIA-KITTY\Favorites\Online Security Guide.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\dijtgrrx.ini
C:\WINDOWS\system32\gjkbrjqb.dllbox
C:\WINDOWS\system32\nmllm.bak1
C:\WINDOWS\system32\nmllm.bak2
C:\WINDOWS\system32\nmllm.ini
C:\WINDOWS\system32\wlwbmwjx.ini
C:\WINDOWS\system32\xjwmbwlw.dll
C:\WINDOWS\system32\xrrgtjid.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\nm




((((((((((((((((((((((((( Files Created from 2007-10-03 to 2007-11-03 )))))))))))))))))))))))))))))))
.

2007-11-02 19:37 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-02 15:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-02 15:29 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-02 15:29 <DIR> d-------- C:\Documents and Settings\MIA-KITTY\Application Data\SUPERAntiSpyware.com
2007-11-02 14:01 <DIR> d-------- C:\VundoFix Backups
2007-11-02 00:47 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-02 00:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-02 00:15 <DIR> d-------- C:\{000030F4-0000-0000-3F72-D2B213869782}
2007-11-01 17:58 <DIR> d-------- C:\TEMPCRAP
2007-11-01 11:03 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-11-01 01:42 22 --a------ C:\WINDOWS\b149.exe.bin
2007-10-31 22:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-31 22:00 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-31 10:41 4,476 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-28 14:17 <DIR> d-------- C:\Program Files\Chami
2007-10-24 21:23 <DIR> d-------- C:\Program Files\Evrsoft First Page 2006
2007-10-24 21:17 <DIR> d-------- C:\Program Files\Alleycode
2007-10-24 21:12 <DIR> d-------- C:\Program Files\PageBreeze
2007-10-24 21:12 102,912 --a------ C:\WINDOWS\system32\Vb6stkit.dll
2007-10-24 21:12 84,992 --a------ C:\WINDOWS\system32\Ledit32.dll
2007-10-24 21:12 70,656 --a------ C:\WINDOWS\system32\vspell32.dll
2007-10-23 23:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\espionServerData
2007-10-23 23:31 109,568 --a------ C:\WINDOWS\system32\pxinsi64.exe
2007-10-23 23:31 108,544 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2007-10-23 22:57 <DIR> d-------- C:\Program Files\MagicISO
2007-10-23 20:30 <DIR> d-------- C:\Program Files\uTorrent
2007-10-23 20:30 <DIR> d-------- C:\Documents and Settings\MIA-KITTY\Application Data\uTorrent
2007-10-23 18:42 <DIR> d-------- C:\Documents and Settings\MIA-KITTY\Application Data\Shareaza
2007-10-17 07:46 <DIR> d-------- C:\Documents and Settings\MIA-KITTY\Application Data\Nero
2007-10-17 07:28 <DIR> d-------- C:\Program Files\Nero
2007-10-17 07:28 <DIR> d-------- C:\Program Files\Common Files\Nero
2007-10-17 07:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-10-14 16:35 <DIR> d-------- C:\WINDOWS\Intuit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-03 03:30 --------- d-----w C:\Program Files\Norton AntiVirus
2007-11-02 20:48 --------- d-----w C:\Program Files\Trend Micro
2007-11-02 07:04 --------- d-----w C:\Program Files\DynDNS Updater
2007-11-01 05:12 --------- d-----w C:\Program Files\Lavasoft
2007-11-01 05:12 --------- d-----w C:\Documents and Settings\MIA-KITTY\Application Data\Lavasoft
2007-10-31 18:56 --------- d-----w C:\Documents and Settings\MIA-KITTY\Application Data\Vidalia
2007-10-26 21:04 --------- d-----w C:\Documents and Settings\MIA-KITTY\Application Data\SSH
2007-10-24 06:38 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-24 01:42 --------- d-----w C:\Program Files\Shareaza
2007-10-23 18:49 --------- d-----w C:\Program Files\Kazaa Lite
2007-10-23 16:14 --------- d-----w C:\Program Files\Common Files\HP
2007-10-23 16:09 --------- d-----w C:\Program Files\NCH Swift Sound
2007-10-23 15:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-23 15:56 --------- d-----w C:\Program Files\Canon
2007-10-20 16:47 --------- d-----w C:\Program Files\HP
2007-10-20 14:59 --------- d-----w C:\Program Files\Common Files\LogiShrd
2007-10-20 14:58 --------- d-----w C:\Program Files\Logitech
2007-10-20 14:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logishrd
2007-10-17 14:34 106,592 ----a-w C:\Documents and Settings\MIA-KITTY\Application Data\GDIPFONTCACHEV1.DAT
2007-10-17 14:04 --------- d-----w C:\Program Files\Ahead
2007-10-15 00:02 --------- d-----w C:\Program Files\Intuit
2007-10-14 23:49 --------- d-----w C:\Program Files\Common Files\Intuit
2007-10-14 23:45 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2007-10-13 16:08 --------- d-----w C:\Program Files\Java
2007-09-04 00:06 --------- d-----w C:\Program Files\Print Workshop 2007 LE
2007-08-04 17:40 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-08-04 17:10 95,600 ----a-w C:\WINDOWS\system32\NeroCo.dll
2007-08-03 19:52 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
.

((((((((((((((((((((((((((((( snapshot@2007-11-02_20.15.33.23 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-03 03:10:56 231,701 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2007-11-03 03:27:12 231,705 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-04-26 18:17]
"LTSMMSG"="LTSMMSG.exe" [2002-07-20 09:22 C:\WINDOWS\LTSMMSG.exe]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-07-03 17:17]
"AGRSMMSG"="AGRSMMSG.exe" [2003-02-14 12:59 C:\WINDOWS\AGRSMMSG.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-12-21 13:54]
"NAV CfgWiz"="C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe" [2003-08-15 11:24]
"SiS Tray"="C:\WINDOWS\System32\sistray.EXE" [2003-06-26 11:35]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 05:00]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 16:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DynDNS Updater"="C:\Program Files\DynDNS Updater\DynDNS.exe" [2006-09-17 10:32]
"Vidalia"="C:\Program Files\Vidalia\vidalia.exe" [2006-07-07 12:58]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\adobe\acrobat 5.0\Distillr\AcroTray.exe [2003-01-21 01:35:28]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2002-11-22 05:55:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
Privoxy.lnk - C:\Program Files\Privoxy\privoxy.exe [2004-03-05 03:47:30]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gjkbrjqb]
gjkbrjqb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2002-02-15 10:51 24638 C:\WINDOWS\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomkjjg]
qomkjjg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk
backup=C:\WINDOWS\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
"C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
"C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Symantec NetDriver Monitor"=C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
"SiS KHooker"=C:\WINDOWS\System32\khooker.exe
"runner1"=C:\WINDOWS\mrofinu880.exe 61A847B5BBF7281A3A9B284503996897C881250221C8670836AC4FA7C8833201749139
"NvCplDaemon"=RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
"Advanced Tools Check"=C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

R2 FLEXlm License Manager;FLEXlm License Manager;c:\ads2002c\licenses\bin\lmgrd.exe
R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3;C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe
R3 NPDriver;Norton Unerase Protection Driver;\??\C:\WINDOWS\System32\Drivers\NPDRIVER.SYS
R3 pctvvbi;PCTVVBI;C:\WINDOWS\system32\DRIVERS\pctvvbi.sys
R3 WBMS;Winbond Memory Stick Storage (MS) Device Driver;C:\WINDOWS\system32\Drivers\WBMS.SYS
R3 WDM_YAMAHAAC97;YAMAHA AC-XG Audio Device;C:\WINDOWS\system32\drivers\yacxgc.sys
S2 BT848;FusionHDTV, WDM Video Capture;C:\WINDOWS\system32\drivers\ZuluVcap.sys
S2 BT878;FusionHDTV, BDA Receiver Component (ATSC-A);C:\WINDOWS\system32\drivers\ZuluTcap.sys
S2 sshd;CYGWIN sshd;C:\cygwin\bin\cygrunsrv.exe
S3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys
S3 soma;SOMA Service;C:\WINDOWS\system32\DRIVERS\soma.sys
S3 SONYWBMS;Sony Memory Stick controller(WB);C:\WINDOWS\system32\DRIVERS\SonyWBMS.SYS
S3 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80

.
Contents of the 'Scheduled Tasks' folder
"2003-07-08 07:57:25 C:\WINDOWS\Tasks\HotFax MessageCenter.job"
- C:\PROGRA~1\HOTFAX~1\HFMC.exe
"2007-10-31 17:45:15 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - MIA-KITTY.job"
"2007-11-03 03:04:07 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\Navw32.exe
.
**************************************************************************
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-02 20:49:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-02 20:52:30
.
--- E O F ---

mchase
2007-11-03, 06:15
Here is the new HJT log file. How am I doing?


***************************************

New HJT LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:59:19 PM, on 11/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\sistray.EXE
c:\ads2002c\licenses\bin\lmgrd.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\ads2002c\licenses\bin\agileesof.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Vidalia\vidalia.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\adobe\acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Privoxy\privoxy.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/?u
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKCU\..\Run: [DynDNS Updater] "C:\Program Files\DynDNS Updater\DynDNS.exe"
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\adobe\acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download All Files by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGet.htm
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\PROGRA~1\HIDOWN~1\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163788960109
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D276847-F6C8-4D44-8B7B-581941E66A7E}: NameServer = 68.94.156.1,68.94.157.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: gjkbrjqb - gjkbrjqb.dll (file missing)
O20 - Winlogon Notify: qomkjjg - qomkjjg.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: FLEXlm License Manager - GLOBEtrotter Software Inc. - c:\ads2002c\licenses\bin\lmgrd.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: CYGWIN sshd (sshd) - Unknown owner - C:\cygwin\bin\cygrunsrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 12749 bytes

mchase
2007-11-03, 07:19
What is the next step or have we finished?

Mike

mchase
2007-11-03, 21:13
Is there anyway to find out what changes all of this has done to my computer? It looks like I have to go back and re-setup some things.

I notice that all of my secure ssh is no longer working.
looks like it completely shut down my ssh process. What other processes did it shut down?

I notice that when I look at the properties of various connections in my network places several of the ports that had been open for various applications including ssh and IP phone is not working.

Also I want to get rid of the MS security shield in quick launch bar.

Looks like superantispyware has set up an icon in my quick launch bar. Should I be using this application now or should I be using Spybot, or ad-aware.

Thanks
Mike

mchase
2007-11-03, 21:18
looks like my VNC port has been closed as VNC does not appear to be working any more.

Mike

steamwiz
2007-11-04, 01:02
Hi



How am I doing?


very well ... nearly there ...

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)


File::
C:\WINDOWS\b149.exe.bin

Folder::
C:\{000030F4-0000-0000-3F72-D2B213869782}

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gjkbrjqb]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomkjjg]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"runner1"=-


Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

-
vundo is primarily an adware downloader (responsible for pop-ups on your computer) ... but malware has side effects on one computer which it doesn't on another ... it's impossible to know what changes may have been made ... but once you drop the script into Combofix, you will be clean as far as we can tell, I'm afraid you will have to reinstall/setup any programs which are now not working ...

When we are finished you can delete Combofix & vundofix, but I recommend you keep SUPERAntiSpyware, update & run it as an on-demand scanner, just as you would Adaware or spybot.

RE: Also I want to get rid of the MS security shield in quick launch bar.

You do mean "quick launch" & not the systray, don't you ?

Right click on it & select delete ... it's only a shortcut to the control center, it wont affect anything ...

steam

mchase
2007-11-04, 19:04
The comboFix file is very large 120,000 characters long. This posting program will only let me post upto 20,000 char how do I post? Or do I attach?

Mean while the HJT file is:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:42:49 AM, on 11/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
c:\ads2002c\licenses\bin\lmgrd.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
c:\ads2002c\licenses\bin\agileesof.exe
C:\WINDOWS\System32\sistray.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Vidalia\vidalia.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\adobe\acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Privoxy\privoxy.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\Evrsoft First Page 2006\1stpage.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/?u
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKCU\..\Run: [DynDNS Updater] "C:\Program Files\DynDNS Updater\DynDNS.exe"
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\adobe\acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download All Files by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGet.htm
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\PROGRA~1\HIDOWN~1\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194119582156
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D276847-F6C8-4D44-8B7B-581941E66A7E}: NameServer = 68.94.156.1,68.94.157.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: FLEXlm License Manager - GLOBEtrotter Software Inc. - c:\ads2002c\licenses\bin\lmgrd.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: CYGWIN sshd (sshd) - Unknown owner - C:\cygwin\bin\cygrunsrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 12978 bytes

steamwiz
2007-11-04, 23:22
Hi

Your hijackthis log is clean ...

RE: Combofix ... I suspect this is a problem with the "snapshot" in Combofix ...

Please open the log & scroll down to the snapshot section .... (this is what your last one looked like :-

((((((((((((((((((((((((((((( snapshot@2007-11-02_20.15.33.23 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-03 03:10:56 231,701 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2007-11-03 03:27:12 231,705 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin

If the problem is that this section is very large, then please delete the entire "snapshot section" & post the rest of the log ...

If this isn't the problem, let me know ...

steam

mchase
2007-11-05, 01:05
You were correct about the snapshot section:

here is the comboFix file with the section removed:

ComboFix 07-11-02.3 - MIA-KITTY 2007-11-04 8:17:12.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.590 [GMT -8:00]
Running from: C:\Documents and Settings\MIA-KITTY\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\MIA-KITTY\Desktop\CFScript.txt

FILE::
C:\WINDOWS\b149.exe.bin
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\{000030F4-0000-0000-3F72-D2B213869782}
C:\{000030F4-0000-0000-3F72-D2B213869782}\DATA.CAB
C:\{000030F4-0000-0000-3F72-D2B213869782}\Manifest.ini
C:\{000030F4-0000-0000-3F72-D2B213869782}\Manifest.qrm
C:\WINDOWS\b149.exe.bin

.
((((((((((((((((((((((((( Files Created from 2007-10-04 to 2007-11-04 )))))))))))))))))))))))))))))))
.

2007-11-03 17:55 <DIR> d-------- C:\Program Files\ToniArts
2007-11-03 17:53 <DIR> d-------- C:\Program Files\Virtual Mechanics
2007-11-03 17:53 <DIR> d-------- C:\Program Files\Common Files\Wintertree
2007-11-03 17:53 155,648 --a------ C:\WINDOWS\system32\SSCE5232.dll
2007-11-03 12:27 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-11-02 18:37 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-02 14:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-02 14:29 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-02 14:29 <DIR> d-------- C:\Documents and Settings\MIA-KITTY\Application Data\SUPERAntiSpyware.com
2007-11-02 13:01 <DIR> d-------- C:\VundoFix Backups
2007-11-01 23:47 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-01 23:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-01 16:58 <DIR> d-------- C:\TEMPCRAP
2007-11-01 10:03 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-10-31 21:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-31 21:00 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-31 09:41 4,476 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-28 13:17 <DIR> d-------- C:\Program Files\Chami
2007-10-24 20:23 <DIR> d-------- C:\Program Files\Evrsoft First Page 2006
2007-10-23 22:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\espionServerData
2007-10-23 22:31 109,568 --a------ C:\WINDOWS\system32\pxinsi64.exe
2007-10-23 22:31 108,544 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2007-10-23 21:57 <DIR> d-------- C:\Program Files\MagicISO
2007-10-23 19:30 <DIR> d-------- C:\Program Files\uTorrent
2007-10-23 19:30 <DIR> d-------- C:\Documents and Settings\MIA-KITTY\Application Data\uTorrent
2007-10-23 17:42 <DIR> d-------- C:\Documents and Settings\MIA-KITTY\Application Data\Shareaza
2007-10-19 12:16 2,109,976 --a------ C:\WINDOWS\system32\drivers\Lvckap.sys
2007-10-17 06:46 <DIR> d-------- C:\Documents and Settings\MIA-KITTY\Application Data\Nero
2007-10-17 06:28 <DIR> d-------- C:\Program Files\Nero
2007-10-17 06:28 <DIR> d-------- C:\Program Files\Common Files\Nero
2007-10-17 06:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-10-14 15:35 <DIR> d-------- C:\WINDOWS\Intuit
2007-10-12 00:57 195,096 --a------ C:\WINDOWS\system32\lvci1150.dll
2007-10-12 00:56 1,279,000 --a------ C:\WINDOWS\system32\drivers\LV302V32.SYS
2007-10-11 17:59 2,142,488 --a------ C:\WINDOWS\system32\drivers\LVMVdrv.sys
2007-10-11 17:59 25,624 --a------ C:\WINDOWS\system32\drivers\LVPr2Mon.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-04 08:23 --------- d-----w C:\Documents and Settings\MIA-KITTY\Application Data\SSH
2007-11-04 07:00 --------- d-----w C:\Program Files\DynDNS Updater
2007-11-04 01:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-03 21:55 --------- d-----w C:\Program Files\Logitech
2007-11-03 21:55 --------- d-----w C:\Program Files\Common Files\LogiShrd
2007-11-03 21:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logishrd
2007-11-03 20:00 --------- d-----w C:\Program Files\SecureCRT
2007-11-03 03:30 --------- d-----w C:\Program Files\Norton AntiVirus
2007-11-02 20:48 --------- d-----w C:\Program Files\Trend Micro
2007-11-01 05:12 --------- d-----w C:\Program Files\Lavasoft
2007-11-01 05:12 --------- d-----w C:\Documents and Settings\MIA-KITTY\Application Data\Lavasoft
2007-10-31 18:56 --------- d-----w C:\Documents and Settings\MIA-KITTY\Application Data\Vidalia
2007-10-24 06:38 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-24 01:42 --------- d-----w C:\Program Files\Shareaza
2007-10-23 18:49 --------- d-----w C:\Program Files\Kazaa Lite
2007-10-23 16:14 --------- d-----w C:\Program Files\Common Files\HP
2007-10-23 16:09 --------- d-----w C:\Program Files\NCH Swift Sound
2007-10-23 15:56 --------- d-----w C:\Program Files\Canon
2007-10-20 16:47 --------- d-----w C:\Program Files\HP
2007-10-17 14:34 106,592 ----a-w C:\Documents and Settings\MIA-KITTY\Application Data\GDIPFONTCACHEV1.DAT
2007-10-17 14:04 --------- d-----w C:\Program Files\Ahead
2007-10-15 00:02 --------- d-----w C:\Program Files\Intuit
2007-10-14 23:49 --------- d-----w C:\Program Files\Common Files\Intuit
2007-10-14 23:45 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2007-10-13 16:08 --------- d-----w C:\Program Files\Java
2007-10-12 09:00 490,008 ----a-w C:\WINDOWS\system32\LVUI2.dll
2007-10-12 09:00 465,432 ----a-w C:\WINDOWS\system32\LVUI2RC.dll
2007-10-12 09:00 41,752 ----a-w C:\WINDOWS\system32\drivers\LVUSBSta.sys
2007-10-12 08:57 416,280 ----a-w C:\WINDOWS\system32\lvcodec2.dll
2007-10-12 08:56 13,848 ----a-w C:\WINDOWS\system32\drivers\lv302af.sys
2007-10-12 08:18 21,138 ----a-w C:\WINDOWS\system32\Repository.reg
2007-09-04 00:06 --------- d-----w C:\Program Files\Print Workshop 2007 LE
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-04 17:40 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-08-04 17:10 95,600 ----a-w C:\WINDOWS\system32\NeroCo.dll
.

((((((((((((((((((((((((((((( snapshot@2007-11-02_20.15.33.23 )))))))))))))))))))))))))))))))))))))))))

-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-04-26 17:17]
"LTSMMSG"="LTSMMSG.exe" [2002-07-20 08:22 C:\WINDOWS\LTSMMSG.exe]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-07-03 16:17]
"AGRSMMSG"="AGRSMMSG.exe" [2003-02-14 11:59 C:\WINDOWS\AGRSMMSG.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-12-21 12:54]
"NAV CfgWiz"="C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe" [2003-08-15 10:24]
"SiS Tray"="C:\WINDOWS\System32\sistray.EXE" [2003-06-26 10:35]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 04:00]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 15:33]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 15:37]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DynDNS Updater"="C:\Program Files\DynDNS Updater\DynDNS.exe" [2006-09-17 09:32]
"Vidalia"="C:\Program Files\Vidalia\vidalia.exe" [2006-07-07 11:58]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 13:06]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\adobe\acrobat 5.0\Distillr\AcroTray.exe [2003-01-21 00:35:28]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2002-11-22 04:55:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
Privoxy.lnk - C:\Program Files\Privoxy\privoxy.exe [2004-03-05 02:47:30]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2002-02-15 09:51 24638 C:\WINDOWS\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk
backup=C:\WINDOWS\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
"C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
"C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Symantec NetDriver Monitor"=C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
"SiS KHooker"=C:\WINDOWS\System32\khooker.exe
"NvCplDaemon"=RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
"Advanced Tools Check"=C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

R2 FLEXlm License Manager;FLEXlm License Manager;c:\ads2002c\licenses\bin\lmgrd.exe
R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3;C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe
R3 NPDriver;Norton Unerase Protection Driver;\??\C:\WINDOWS\System32\Drivers\NPDRIVER.SYS
R3 pctvvbi;PCTVVBI;C:\WINDOWS\system32\DRIVERS\pctvvbi.sys
R3 WBMS;Winbond Memory Stick Storage (MS) Device Driver;C:\WINDOWS\system32\Drivers\WBMS.SYS
R3 WDM_YAMAHAAC97;YAMAHA AC-XG Audio Device;C:\WINDOWS\system32\drivers\yacxgc.sys
S2 BT848;FusionHDTV, WDM Video Capture;C:\WINDOWS\system32\drivers\ZuluVcap.sys
S2 BT878;FusionHDTV, BDA Receiver Component (ATSC-A);C:\WINDOWS\system32\drivers\ZuluTcap.sys
S2 sshd;CYGWIN sshd;C:\cygwin\bin\cygrunsrv.exe
S3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys
S3 soma;SOMA Service;C:\WINDOWS\system32\DRIVERS\soma.sys
S3 SONYWBMS;Sony Memory Stick controller(WB);C:\WINDOWS\system32\DRIVERS\SonyWBMS.SYS
S3 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80

.
Contents of the 'Scheduled Tasks' folder
"2003-07-08 07:57:25 C:\WINDOWS\Tasks\HotFax MessageCenter.job"
- C:\PROGRA~1\HOTFAX~1\HFMC.exe
"2007-10-31 17:45:15 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - MIA-KITTY.job"
"2007-11-03 03:04:07 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\Navw32.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-04 08:34:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-04 8:37:13
C:\ComboFix2.txt ... 2007-11-02 19:52
.
--- E O F ---

steamwiz
2007-11-05, 12:18
Hi

Your log looks fine now .. is your problem resolved (apart from having to reinstall some of your software)

steam

mchase
2007-11-05, 19:20
Yep, I think we are good. Some of the stuff was just closed ports and processes that needed to be restarted.

Thanks for the help. I owe you my first born.

Just for my education could you give me an idea as to what each of the steps we took did.

Thanks
Mike

steamwiz
2007-11-05, 21:54
Hi

OK ... A quick look through your thread shows ...

You originally complained about virtumonde (vundo)...

So we first ran hijackthis which confirmed the presence of vundo

Then we we ran a program which specifically targets and removes most variants of vundo ... vundofix

this removed some vundo files, but others were still present ...

SuperAntiSpyware also removes vundo files/registry keys ... which it did + other malware ...

but you still had vundo files ....

So Combofix found & removed a lot more ...

& files/reg keys which were not tagged as vundo were shown in the various sections of the log ... these we removed with a CFScript ...

So Combofix now shows no new malware has been downloaded in the last 30 days ... so I deem your computer as clean ... you may still have old malware files somewhere on your computer, & your registry no doubt has many orphan keys ... but if you have then they are inactive ...

One thing I did notice when looking back at your thread ...

You have the latest update to version jre1.5.0 of java (jre1.5.0.11)

Which is OK to run ... But jre1.6.0 is much faster...

You also have Java version jre1.5.0.7 & Java version jre1.5.0.9

these can be exploited by malware (vundo exploits them) so that could be how it got on your computer ...

I recommend you uninstall all 3 versions & update to jre1.6.0_3



Go to add/remove programs and uninstall any earlier versions ...

Then You can go here and install the latest version of Java.

http://java.sun.com/javase/downloads/index.jsp

Scroll down the page to 'Java Runtime Environment (JRE) 6 Update 3' and press the 'Download' button.


Running an out-of-date version of java is an infection risk.

steam