Virtumonde & Degraded Internet Speed - Help To Remove



bonds1972
2007-11-17, 19:08
Hi, need help to remove virtumonde trojan from my system. I've read through a couple of previous threads on this trojan and executed vundofix (scanned and removed), combofix, and hijackthis in that order. Below are the log files...


VUNDOFIX LOG =================


VundoFix V6.6.2

Checking Java version...

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Scan started at 11:15:41 PM 11/17/2007

Listing files found while scanning....

C:\windows\system32\dccdd.ini
C:\windows\system32\dccdd.ini2
C:\windows\system32\ddccd.dll

Beginning removal...

Attempting to delete C:\windows\system32\dccdd.ini
C:\windows\system32\dccdd.ini Has been deleted!

Attempting to delete C:\windows\system32\dccdd.ini2
C:\windows\system32\dccdd.ini2 Has been deleted!

Attempting to delete C:\windows\system32\ddccd.dll
C:\windows\system32\ddccd.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\dccdd.ini
C:\windows\system32\dccdd.ini Has been deleted!

Attempting to delete C:\windows\system32\dccdd.ini2
C:\windows\system32\dccdd.ini2 Has been deleted!

Attempting to delete C:\windows\system32\ddccd.dll
C:\windows\system32\ddccd.dll Has been deleted!

Performing Repairs to the registry.
Done!


COMBOFIX LOG =================

ComboFix 07-11-08.1 - mufti 2007-11-17 23:39:45.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1561 [GMT 7:00]
Running from: D:\Documents and Settings\mufti\Desktop\ComboFix.exe
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\kjkmp.ini
C:\WINDOWS\system32\kjkmp.ini2
C:\WINDOWS\system32\pmkjk.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-17 to 2007-11-17 )))))))))))))))))))))))))))))))
.

2007-11-17 23:15 <DIR> d-------- C:\VundoFix Backups
2007-11-17 23:05 52,072 --a------ C:\WINDOWS\system32\pmnlm.dll
2007-11-17 22:57 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-17 22:06 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-17 20:41 85,056 --a------ C:\WINDOWS\system32\uwrnukni.dll
2007-11-17 20:41 82,496 --a------ C:\WINDOWS\system32\fsrvoodx.dll
2007-11-17 20:38 71,232 --a------ C:\WINDOWS\system32\tsujtqos.exe
2007-11-17 12:02 <DIR> d-------- D:\Documents and Settings\mufti\Application Data\JPEGsnoop
2007-11-16 16:56 85,056 --a------ C:\WINDOWS\system32\tvwbvnut.dll
2007-11-16 16:53 81,984 --a------ C:\WINDOWS\system32\sklyhbbg.dll
2007-11-15 23:13 <DIR> d-------- C:\Program Files\DOSBox-0.63
2007-11-15 07:47 37,376 --a------ C:\WINDOWS\system32\yayxxxy.dll
2007-11-15 07:47 37,376 --a------ C:\WINDOWS\system32\efcayaw.dll
2007-11-15 07:26 <DIR> d-a------ D:\Documents and Settings\All Users\Application Data\TEMP
2007-11-15 07:25 <DIR> d-------- C:\Program Files\DAP
2007-11-15 05:59 <DIR> d-------- C:\Program Files\Second Sight Software
2007-10-30 01:06 413,760 --a------ C:\WINDOWS\system32\MPG4C32.DLL
2007-10-24 20:37 <DIR> d-------- C:\Program Files\Monte Cristo
2007-10-21 18:43 <DIR> d-------- D:\Documents and Settings\mufti\Application Data\Command & Conquer 3 Tiberium Wars
2007-10-21 18:17 <DIR> d-------- C:\Program Files\DAEMON Tools

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-17 04:59 --------- d-----w D:\Documents and Settings\mufti\Application Data\Printer Info Cache
2007-11-17 04:59 --------- d-----w D:\Documents and Settings\mufti\Application Data\Image Zone Express
2007-11-17 02:35 --------- d-----w D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-17 01:31 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-16 10:17 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-10-21 11:41 --------- d-----w C:\Program Files\Electronic Arts
2007-10-20 03:24 --------- d-----w C:\Program Files\HP
2007-10-12 17:40 --------- d-----w C:\Program Files\Google
2007-10-12 16:28 --------- d-----w D:\Documents and Settings\mufti\Application Data\Command & Conquer 3 Tiberium Wars Demo
2007-10-11 03:22 --------- d-----w C:\Program Files\Java
2007-10-10 12:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-10 11:39 --------- d-----w D:\Documents and Settings\All Users\Application Data\Firefly Studios
2007-10-10 11:35 --------- d-----w D:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-10-08 13:13 --------- d-----w C:\Program Files\Winamp
2007-10-08 05:33 --------- d-----w C:\Program Files\Yahoo!
2007-10-06 10:23 --------- d-----w C:\Program Files\CCP
2007-10-05 19:17 --------- d-----w C:\Program Files\Security Task Manager
2007-10-04 19:26 --------- d-----w C:\Program Files\Alcohol Soft
2007-10-04 19:12 --------- d--h--r D:\Documents and Settings\mufti\Application Data\SecuROM
2007-10-03 05:53 --------- d-----w D:\Documents and Settings\mufti\Application Data\Gamelab
2007-10-02 20:47 --------- d-----w D:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-02 20:46 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-09-30 04:34 --------- d-----w D:\Documents and Settings\mika\Application Data\HP
2007-09-29 03:06 --------- d-----w D:\Documents and Settings\dana\Application Data\HP
2007-09-28 15:46 --------- d-----w C:\Program Files\QuickPar
2007-09-27 09:01 --------- d-----w C:\Program Files\Common Files\HP
2007-09-27 08:45 --------- d-----w D:\Documents and Settings\mufti\Application Data\HP
2007-09-27 08:29 --------- d-----w D:\Documents and Settings\All Users\Application Data\HP
2007-09-27 08:25 --------- d-----w C:\Program Files\Hewlett-Packard
2007-09-27 08:25 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2007-09-26 03:44 --------- d-----w C:\Program Files\MatrixEngine 1.0
2007-09-24 04:45 --------- d-----w C:\Program Files\Camfrog
2007-09-22 12:17 --------- d-----w C:\Program Files\Astraware
2007-08-21 06:25 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761BCB47-850E-4893-BDA7-4952EF459F14}]
C:\WINDOWS\system32\pmnno.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89F3D70D-7643-4C33-90F0-991EA6024B26}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91A20DDB-5032-429E-95A1-37D824CAE14C}]
C:\WINDOWS\system32\geeby.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A923799F-552B-429D-8327-FECA1E0D65E0}]
C:\WINDOWS\system32\ddccd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E0B54BEC-9209-4B5D-94E5-A8906DE18FFB}]
2007-11-15 07:47 37376 --a------ C:\WINDOWS\system32\efcayaw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-14 13:00 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 17:04 C:\WINDOWS\SkyTel.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 17:32]
"DU Meter"="C:\Program Files\DU Meter\DUMeter.exe" [2002-06-23 21:19]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-04-08 02:56]
"Tweak UI"="TWEAKUI.CPL" [2000-06-18 14:03 C:\WINDOWS\system32\TWEAKUI.CPL]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-08 13:27]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 00:43]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 22:36]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-09-13 11:00]
"MtdAcqu"="C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" [2006-03-08 08:56]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 17:48]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E0B54BEC-9209-4B5D-94E5-A8906DE18FFB}"= C:\WINDOWS\system32\efcayaw.dll [2007-11-15 07:47 37376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcayaw]
efcayaw.dll 2007-11-15 07:47 37376 C:\WINDOWS\system32\efcayaw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmkjk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
"Phase One Media Reader"=C:\PROGRA~1\PHASEO~1\CAPTUR~1\DCIMImp.exe /noscan /CheckAutoStart
"WinampAgent"=C:\Program Files\Winamp\winampa.exe
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
"JMB36X Configure"=C:\WINDOWS\system32\JMRaidTool.exe boot
"nwiz"=nwiz.exe /install

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys
R2 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
R2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys
R2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-16 10:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
"2007-11-16 13:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Administrator.job"
- C:\PROGRA~1\NORTON~1\Navw32.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-17 23:51:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-17 23:56:40 - machine was rebooted
.
--- E O F ---

bonds1972
2007-11-17, 19:09
HIJACKTHIS LOG =================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:58:57 PM, on 11/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Creative\MediaSource5\MtdAcqu.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.defaulthomepage.info
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {761BCB47-850E-4893-BDA7-4952EF459F14} - C:\WINDOWS\system32\pmnno.dll (file missing)
O2 - BHO: (no name) - {89F3D70D-7643-4C33-90F0-991EA6024B26} - (no file)
O2 - BHO: (no name) - {91A20DDB-5032-429E-95A1-37D824CAE14C} - C:\WINDOWS\system32\geeby.dll (file missing)
O2 - BHO: (no name) - {A923799F-552B-429D-8327-FECA1E0D65E0} - C:\WINDOWS\system32\ddccd.dll (file missing)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E0B54BEC-9209-4B5D-94E5-A8906DE18FFB} - C:\WINDOWS\system32\efcayaw.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [MtdAcqu] "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" /s
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: efcayaw - C:\WINDOWS\SYSTEM32\efcayaw.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

--
End of file - 11303 bytes

steamwiz
2007-11-18, 02:03
Hi

Open Notepad and copy/paste the text in the code box below into it:
NOTE* Make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)


File::
C:\WINDOWS\system32\pmnlm.dll
C:\WINDOWS\system32\uwrnukni.dll
C:\WINDOWS\system32\fsrvoodx.dll
C:\WINDOWS\system32\tsujtqos.exe
C:\WINDOWS\system32\tvwbvnut.dll
C:\WINDOWS\system32\sklyhbbg.dll
C:\WINDOWS\system32\yayxxxy.dll
C:\WINDOWS\system32\efcayaw.dll

Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761BCB47-850E-4893-BDA7-4952EF459F14}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89F3D70D-7643-4C33-90F0-991EA6024B26}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91A20DDB-5032-429E-95A1-37D824CAE14C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A923799F-552B-429D-8327-FECA1E0D65E0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E0B54BEC-9209-4B5D-94E5-A8906DE18FFB}]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E0B54BEC-9209-4B5D-94E5-A8906DE18FFB}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcayaw]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00


Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

steam
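
A triage helper for the HijackThis O2/O20 entries and for the hex(7) LSA "Authentication Packages" value in the CFScript above, added here as an example and not part of the thread or of either tool. The sample lines are constructed from entries quoted in this thread, and the Winlogon Notify allowlist is an assumption (a partial Windows XP default set).

```python
"""Triage helpers for HijackThis / ComboFix log lines (added example, not tool code).

1. triage_hjt() flags HijackThis O2 (BHO) and O20 (Winlogon Notify) entries that
   match the Vundo pattern in the thread: an unnamed BHO, a DLL reported missing,
   or an unnamed BHO loaded straight out of %SystemRoot%\\system32.
2. decode_reg_hex7() decodes a .reg-style hex(7) (REG_MULTI_SZ) value such as the
   LSA "Authentication Packages" line in the CFScript, so what the script writes
   can be read before it is applied; check_auth_packages() reports anything
   beyond the XP default package msv1_0.
"""
import re
from typing import Dict, List

# Constructed sample, modelled on the HijackThis log posted in this thread.
SAMPLE_HJT_LINES = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)",
    r"O2 - BHO: (no name) - {761BCB47-850E-4893-BDA7-4952EF459F14} - C:\WINDOWS\system32\pmnno.dll (file missing)",
    r"O2 - BHO: (no name) - {E0B54BEC-9209-4B5D-94E5-A8906DE18FFB} - C:\WINDOWS\system32\efcayaw.dll",
    r"O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll",
    r"O20 - Winlogon Notify: efcayaw - C:\WINDOWS\SYSTEM32\efcayaw.dll",
    r"O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe",
]

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
# A bare 5-8 letter DLL name directly under system32 (efcayaw.dll, ddccd.dll, ...).
SYSTEM32_DLL_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\SYSTEM32\\[a-z]{5,8}\.dll$", re.IGNORECASE)

# Assumption: partial list of Winlogon Notify subkeys present on a stock XP SP2 box.
XP_DEFAULT_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                     "sclgntfy", "senslogn", "termsrv", "wlballoon"}


def triage_hjt(lines: List[str]) -> List[Dict[str, object]]:
    """Return the O2/O20 entries worth a second look, each with its reasons."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        m = BHO_RE.match(line.strip())
        if m:
            name, path = m.group("name"), m.group("path")
            reasons = []
            if name == "(no name)":
                reasons.append("BHO registered without a display name")
            if path == "(no file)" or path.endswith("(file missing)"):
                reasons.append("CLSID points at a DLL that is not on disk (orphaned entry)")
            elif name == "(no name)" and SYSTEM32_DLL_RE.match(path):
                reasons.append("unnamed BHO loaded straight from system32")
            if reasons:
                findings.append({"type": "O2", "id": m.group("clsid"), "path": path, "reasons": reasons})
            continue
        m = NOTIFY_RE.match(line.strip())
        if m and m.group("key").lower() not in XP_DEFAULT_NOTIFY:
            findings.append({"type": "O20", "id": m.group("key"), "path": m.group("path"),
                             "reasons": ["non-default Winlogon Notify package (loaded by winlogon.exe as SYSTEM)"]})
    return findings


def decode_reg_hex7(value: str) -> List[str]:
    """Decode a .reg 'hex(7):' byte list into its REG_MULTI_SZ strings.

    Handles both the one-byte-per-character form used in the CFScript above and
    the UTF-16LE form regedit exports; the list is NUL-separated and ends in an
    extra NUL, so empty pieces are dropped.
    """
    value = value.strip()
    if value.lower().startswith("hex(7):"):
        value = value[len("hex(7):"):]
    raw = bytes(int(b, 16) for b in value.replace("\\", "").replace("\n", "").split(",") if b.strip())
    if len(raw) % 2 == 0 and all(raw[i] == 0 for i in range(1, len(raw), 2)):
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("latin-1")
    return [s for s in text.split("\x00") if s]


def check_auth_packages(packages: List[str]) -> List[str]:
    """Return every LSA authentication package other than the XP default msv1_0."""
    return [p for p in packages if p.lower() != "msv1_0"]


def parse_combofix_auth_packages(line: str) -> List[str]:
    """Split the ComboFix '"Authentication Packages"= msv1_0 <dll>' line into packages."""
    return line.split("=", 1)[1].split()


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LINES):
        print(f["type"], f["id"], f["path"], "; ".join(f["reasons"]))
    # Constructed copy of the ComboFix LSA line from the first log in this thread.
    before = parse_combofix_auth_packages(r'"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmkjk.dll')
    after = decode_reg_hex7("hex(7):6d,73,76,31,5f,30,00,00")
    print("extra packages before fix:", check_auth_packages(before))
    print("packages written by CFScript:", after)
```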

bonds1972
2007-11-18, 04:36
Hi steamwiz, thanks for the reply. I've executed ComboFix as per your advice. Initially it gave me an error saying that ComboFix was outdated and it uninstalled itself. I've downloaded a new copy and below is the log.



ComboFix 07-11-08.3 - mufti 2007-11-18 9:24:11.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1559 [GMT 7:00]
Running from: D:\Documents and Settings\mufti\Desktop\ComboFix.exe
Command switches used :: D:\Documents and Settings\mufti\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\efcayaw.dll
C:\WINDOWS\system32\fsrvoodx.dll
C:\WINDOWS\system32\pmnlm.dll
C:\WINDOWS\system32\sklyhbbg.dll
C:\WINDOWS\system32\tsujtqos.exe
C:\WINDOWS\system32\tvwbvnut.dll
C:\WINDOWS\system32\uwrnukni.dll
C:\WINDOWS\system32\yayxxxy.dll
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\efcayaw.dll
C:\WINDOWS\system32\fsrvoodx.dll
C:\WINDOWS\system32\pmnlm.dll
C:\WINDOWS\system32\prqss.ini
C:\WINDOWS\system32\prqss.ini2
C:\WINDOWS\system32\sklyhbbg.dll
C:\WINDOWS\system32\ssqrp.dll
C:\WINDOWS\system32\tsujtqos.exe
C:\WINDOWS\system32\tvwbvnut.dll
C:\WINDOWS\system32\uwrnukni.dll
C:\WINDOWS\system32\yayxxxy.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-18 to 2007-11-18 )))))))))))))))))))))))))))))))
.

2007-11-18 00:17 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-18 00:17 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-17 22:57 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-17 22:06 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-17 12:02 <DIR> d-------- D:\Documents and Settings\mufti\Application Data\JPEGsnoop
2007-11-15 23:13 <DIR> d-------- C:\Program Files\DOSBox-0.63
2007-11-15 07:26 <DIR> d-a------ D:\Documents and Settings\All Users\Application Data\TEMP
2007-11-15 07:25 <DIR> d-------- C:\Program Files\DAP
2007-11-15 05:59 <DIR> d-------- C:\Program Files\Second Sight Software
2007-10-30 01:06 413,760 --a------ C:\WINDOWS\system32\MPG4C32.DLL
2007-10-24 20:37 <DIR> d-------- C:\Program Files\Monte Cristo
2007-10-21 18:43 <DIR> d-------- D:\Documents and Settings\mufti\Application Data\Command & Conquer 3 Tiberium Wars
2007-10-21 18:17 <DIR> d-------- C:\Program Files\DAEMON Tools

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-18 02:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-18 02:07 --------- d-----w C:\Program Files\Symantec
2007-11-18 02:05 --------- d-----w D:\Documents and Settings\All Users\Application Data\Symantec
2007-11-17 04:59 --------- d-----w D:\Documents and Settings\mufti\Application Data\Printer Info Cache
2007-11-17 04:59 --------- d-----w D:\Documents and Settings\mufti\Application Data\Image Zone Express
2007-11-17 02:35 --------- d-----w D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-16 10:17 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-10-21 11:41 --------- d-----w C:\Program Files\Electronic Arts
2007-10-20 03:24 --------- d-----w C:\Program Files\HP
2007-10-12 17:40 --------- d-----w C:\Program Files\Google
2007-10-12 16:28 --------- d-----w D:\Documents and Settings\mufti\Application Data\Command & Conquer 3 Tiberium Wars Demo
2007-10-11 03:22 --------- d-----w C:\Program Files\Java
2007-10-10 12:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-10 11:39 --------- d-----w D:\Documents and Settings\All Users\Application Data\Firefly Studios
2007-10-10 11:35 --------- d-----w D:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-10-08 13:13 --------- d-----w C:\Program Files\Winamp
2007-10-08 05:33 --------- d-----w C:\Program Files\Yahoo!
2007-10-06 10:23 --------- d-----w C:\Program Files\CCP
2007-10-05 19:17 --------- d-----w C:\Program Files\Security Task Manager
2007-10-04 19:26 --------- d-----w C:\Program Files\Alcohol Soft
2007-10-04 19:12 --------- d--h--r D:\Documents and Settings\mufti\Application Data\SecuROM
2007-10-03 05:53 --------- d-----w D:\Documents and Settings\mufti\Application Data\Gamelab
2007-10-02 20:47 --------- d-----w D:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-02 20:46 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-09-30 04:34 --------- d-----w D:\Documents and Settings\mika\Application Data\HP
2007-09-29 03:06 --------- d-----w D:\Documents and Settings\dana\Application Data\HP
2007-09-28 15:46 --------- d-----w C:\Program Files\QuickPar
2007-09-27 09:01 --------- d-----w C:\Program Files\Common Files\HP
2007-09-27 08:45 --------- d-----w D:\Documents and Settings\mufti\Application Data\HP
2007-09-27 08:29 --------- d-----w D:\Documents and Settings\All Users\Application Data\HP
2007-09-27 08:25 --------- d-----w C:\Program Files\Hewlett-Packard
2007-09-27 08:25 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2007-09-26 03:44 --------- d-----w C:\Program Files\MatrixEngine 1.0
2007-09-24 04:45 --------- d-----w C:\Program Files\Camfrog
2007-09-22 12:17 --------- d-----w C:\Program Files\Astraware
2007-08-21 06:25 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-14 13:00 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 17:04 C:\WINDOWS\SkyTel.exe]
"DU Meter"="C:\Program Files\DU Meter\DUMeter.exe" [2002-06-23 21:19]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-04-08 02:56]
"Tweak UI"="TWEAKUI.CPL" [2000-06-18 14:03 C:\WINDOWS\system32\TWEAKUI.CPL]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-08 13:27]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 00:43]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 22:36]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-09-13 11:00]
"MtdAcqu"="C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" [2006-03-08 08:56]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 17:48]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
"Phase One Media Reader"=C:\PROGRA~1\PHASEO~1\CAPTUR~1\DCIMImp.exe /noscan /CheckAutoStart
"WinampAgent"=C:\Program Files\Winamp\winampa.exe
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
"JMB36X Configure"=C:\WINDOWS\system32\JMRaidTool.exe boot
"nwiz"=nwiz.exe /install

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys
R2 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
R2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys
R2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-16 10:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-18 09:31:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-18 9:33:36 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-17 23:56
.
--- E O F ---

bonds1972
2007-11-18, 04:37
Below is the new log file for HijackThis...



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:36:33 AM, on 11/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Creative\MediaSource5\MtdAcqu.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\msiexec.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.defaulthomepage.info
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [MtdAcqu] "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" /s
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

--
End of file - 8414 bytes

bonds1972
2007-11-18, 05:08
Hi steamwiz, an additional info.
I removed Norton AV prior to the steps above because it gave a lot of problems during the previous ComboFix run and refused to disable 'script protection'. Hope that is okay.

I may install AVG (instead of NAV) later when we've fixed the current problem.

steamwiz
2007-11-18, 18:27
Hi

AVG is a good alternative; I don't like Norton for various reasons, & in fact I use AVG myself.

Disconnect from the internet, close ALL browser windows (including this one), run HijackThis and tick to fix (check the box next to) the items in the list below. When all are ticked (checked), click the Fix Checked button at the bottom :-

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.defaulthomepage.info

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: (no name) - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)


Reboot, then please do the following :-

Please Download CCleaner from :-

http://www.filehippo.com/download_ccleaner/ (click the download tab)

During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.

Double-click the ccsetup.exe file and install the program...

After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

Make sure the "windows" tab is selected

Under "internet explorer" tick...

Temporary internet files
Cookies* > see Note below
History
Recently typed URLs (leave this unticked if you DON'T want to clear the drop-down list in the address window of IE)
Delete index.dat files
Last download location
Autocomplete form history


under "Windows explorer" these are optional, but you can safely tick them all if you wish, they are only "most recently used lists"

Other explorer MRUs (leave this unticked if you DON'T want to clear lists such as the start\run list)

under "System"

Tick ALL these ...


under "Advanced"

no need to tick any of these (but you can if you want, and realise what they do)


Applications tab...

These will mostly clean out old log files for these applications...

Clean:- (if you use them)

Firefox/Mozilla (optional - leave the cookies - see note)
Opera
Sun Java
ZoneAlarm
...
Personally I clean everything in the applications tab... but you tick what you want...

Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.

click "analyse" if you want to see a list of what is going to be removed, before it is removed.

Or

click "run cleaner" to let it get on with its work... clicking this will result in the following pop-up

"This process will permanently delete files from your system. Are you sure you wish to proceed?"

click OK.

-
THEN...

Download Superantispyware.

http://www.superantispyware.com/

Once downloaded and installed update the definitions
and then run a full system scan quarantine what it finds!

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)

http://www.superantispyware.com/definitions.html

* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.

-
I also see you have run a kaspersky on-line scan ... Please post the log from that as well (or attach it if it's too big to copy & paste)

-
So please post :-

1. kaspersky log
2. SUPERAntiSpyware Scan Log
3. a new hijackthis log (run after the others)

Also let me know if your problem is resolved.

steam
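As an added example (not part of this thread, of HijackThis, or of the helper's instructions), the reasoning behind the fix list above and behind reading the log posted earlier, turned into a small triage script: it parses HijackThis 2.x entries, flags any hook whose target is '(no file)' as an orphaned registry entry, and flags R0/R1 Internet Explorer start/search URLs that don't point at a Microsoft default. The allowlist of default hosts is an assumption to adjust for your own environment; the sample lines are taken from the log posted in this thread.

```python
"""Triage helper for HijackThis 2.x log lines (added example, not HijackThis code)."""
import re
from urllib.parse import urlsplit

# Assumption: a small allowlist of hosts Microsoft ships as IE defaults.
# Any other host in an R0/R1 start/search setting is worth a look, the way
# the www.defaulthomepage.info entry in the thread was.
KNOWN_DEFAULT_HOSTS = {"go.microsoft.com", "www.microsoft.com", "www.msn.com"}

# "R1 - HKLM\...\Main,Default_Page_URL = http://..." -> section "R1", body rest
SECTION_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# body of an R0/R1 entry: "<hive>\<key>,<value name> = <value>"
IE_SETTING_RE = re.compile(r"^(?P<key>HK\w+\\[^=]*?) = (?P<value>.*)$")

# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.defaulthomepage.info
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
"""


def parse_line(line):
    """Split one HijackThis entry into (section, body); None for non-entries."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    return m.group("section"), m.group("body")


def check_ie_setting(body):
    """Return a reason if an R0/R1 start/search URL is not a known default, else None."""
    m = IE_SETTING_RE.match(body)
    if not m:
        return None
    value = m.group("value").strip()
    if value == "about:blank":          # blank start page is a legitimate choice
        return None
    host = urlsplit(value).hostname
    if host is None or host.lower() not in KNOWN_DEFAULT_HOSTS:
        return f"non-default IE start/search URL ({host or value})"
    return None


def triage(log_text):
    """Run both checks over a log and return findings as (section, reason, line).

    Rule 1: a target of '(no file)' means the registry hook survived but its
            DLL is gone; an orphan that is safe to remove with HijackThis.
    Rule 2: R0/R1 IE settings pointing outside the default hosts are hijack
            candidates and deserve a manual look before fixing.
    """
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        if body.endswith("- (no file)"):
            findings.append((section, "orphaned entry: target file missing", raw))
            continue
        if section in ("R0", "R1"):
            reason = check_ie_setting(body)
            if reason:
                findings.append((section, reason, raw))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```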

bonds1972
2007-11-18, 22:34
Hi Steamwiz,

Please find attached the required logs. I'm not sure, when you mentioned the Kaspersky log, whether you meant the log I already have or a log from after I followed your latest steps.

Anyway, I am attaching the one I already have here (I had to zip it because it exceeds the limit defined for txt upload), together with the SUPERAntiSpyware and HijackThis logs. I am running the Kaspersky scan again now though, just in case you wanted the updated log.

My PC looks better now, but the internet connection is still a bit slow. Not sure whether this is a separate issue.

BTW, I installed AVG before I received your post, so the SUPERAntiSpyware and HijackThis logs were generated with AVG running. Hope that's okay. I just felt naked connecting to the net without any protection at all.


Thanks.

steamwiz
2007-11-19, 00:42
Hi

Please delete this folder :-

C:\qoobox

Then take a very close look at the KASPERSKY ONLINE SCANNER REPORT ...

You have a lot of infected e-mails dating back to the year 2000, infected with a very nasty virus, Worm.VBS.KakWorm.b

example ...

D:\Documents and Settings\mufti\My Documents\My Mail\mufti_business_archive.pst/Archive Folders/Sent Items/Internal/08 May 2001 02:10 to El Fatah Karim; Michael Sugiharto:FW: Busin.rtf Infected: Email-Worm.VBS.KakWorm.b

D:\Documents and Settings\mufti\My Documents\My Mail\mufti_mailbox.pst/Personal Folders/Inbox/Personal/08 Mar 2004 06:53 from gnarasoma@yahoo.com:read it immediately/me.zip/me.htm.exe Infected: Email-Worm.Win32.NetSky.b

D:\Documents and Settings\mufti\My Documents\My Mail\mufti_personal.pst/Mufti Personal Folders/Inbox/Surveyor/19 Mar 2002 07:11 from Setia Nuryani:Fw: .rtf Infected: Email-Worm.VBS.KakWorm.b

ALL those e-mails have attachments with viruses in them; do not be tempted to open any of the attachments ... delete all those e-mails now ...

-
Then you have a lot of infected restore points...

This will clear all your infected restore points...

Turn off (Disable) System Restore in XP :-

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.

Then...

Turn on (enable) System Restore :-

Follow the same procedure, but this time uncheck Turn off System Restore

if you have any problem with this... here's a link to instructions :-


Disabling or enabling Windows XP System Restore >

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam

-
When you have done all that .... run a new KASPERSKY ONLINE SCAN ...

I'm sorry but the one you are running now will still have all the original infected files in it.

steam

bonds1972
2007-11-19, 10:36
Hi Steamwiz,

I've done the steps you recommended and re-run the Kaspersky online scan.
1. Deleted all backup *.pst files (don't need them anyway)
2. Disabled restore points, rebooted, re-enabled restore points.
3. Ran the Kaspersky scan.

The volume restore points still persist. Not sure whether I did it correctly. I will do it again after this post.

Is there a way to check whether Windows actually cleared out the restore points? Running Kaspersky is exhaustive. Is there a way I can make sure that the restore points were actually wiped out before I try to run Kaspersky again?

Attached is the log file from the updated kaspersky scan.


Thanks

bonds1972
2007-11-19, 21:12
Hi Steamwiz,

I've tried to wipe the restore point by doing:
1. disable restore point
2. reboot
3. enable restore point
4. reboot

Then I ran the Kaspersky online scan again, but the previously infected restore points are still there. Not sure why I can't wipe the restore points.

Attached is the log from the updated kaspersky scan.

steamwiz
2007-11-19, 22:27
Hi

I see you've removed the restore points from the C: drive

The ones remaining are on the D: & F: drives

Did you place a checkmark in the box "Turn off System Restore on all drives" and then reboot?

I'm not sure how you've managed to purge one drive & not the others ... unless

1. Right-click My Computer,
2. click Properties
3. Click System Restore tab

4. In the box which says Available drives:
5. Click to select your D: drive
6. click settings
7. Put a checkmark in the box "turn off system restore on this drive" then click OK
8. Do the same for your F: drive

now reboot, then go back & remove the checkmarks ...

I'm afraid the only way we'll know if it worked is to run another K scan ...

steam

bonds1972
2007-11-20, 15:05
Hi Steamwiz,

These are the steps that I redid:
1. Disable restore point for all drives.
2. Reboot my machine.
3. Enable restore point for all drives, change allocation to 5% each.
4. Reboot my machine.

When I ran the Kaspersky scan, only the drive D restore point still existed. So I went ahead and redid the following steps:
1. Disable restore point for drive D only.
2. Reboot my machine.
3. Enable restore point for drive D.
4. Reboot my machine.

After I re-run the kaspersky scan, the restore point for drive D is still there. Amazing, I don't understand where my mistake is...

Pls find attached the latest kaspersky scan for my machine.

bonds1972
2007-11-21, 08:09
Hi Steamwiz,

I went and installed Kaspersky Anti-Virus (trial version) on my PC and did a scan. It successfully removed the virus found in the restore point.

I did an online kaspersky scanning again and attached is the log file. I looked through the log and I think everything should be ok. Do you have any further recommendation? My PC seems to be working nicely now.

Still not sure why I can't delete the restore point for drive D though.

Tx,

LMR

bonds1972
2007-11-21, 08:15
Below is the fresh log from HijackThis
--------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:13:45 PM, on 11/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Creative\MediaSource5\MtdAcqu.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [MtdAcqu] "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" /s
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

--
End of file - 8843 bytes

steamwiz
2007-11-22, 00:36
Hi

I've no idea why they won't delete either ...

The logs are clean, I don't believe those restore points are anything to worry about...

Happy surfing

steam

bonds1972
2007-11-22, 08:23
Thanks Steamwiz, appreciate you taking the time to help me out.


Tx,

LMR

steamwiz
2007-11-22, 23:32
You're very welcome :)

Happy surfing

steam