Virtumonde and Virtumonde.generic Help Needed



WaltL
2007-11-18, 02:45
Keeps reinstalling. I have run SpyBot, VundoFix, ComboFix and Kaspersky Online. Following are the latest Kaspersky and HijackThis logs. Any help is appreciated.

KASPERSKY ONLINE SCANNER REPORT
Saturday, November 17, 2007 6:14:24 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 18/11/2007
Kaspersky Anti-Virus database records: 461015


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target Critical Areas
C:\WINNT
C:\DOCUME~1\Owner\LOCALS~1\Temp\

Scan Statistics
Total number of scanned objects 20228
Number of viruses found 3
Number of infected objects 7
Number of suspicious objects 0
Duration of the scan process 00:25:27

Infected Object Name Virus Name Last Action
C:\WINNT\$NtServicePackUninstall$\wmplayer.exe.000/data0002 Infected: Trojan.Win32.Scapur.b skipped

C:\WINNT\$NtServicePackUninstall$\wmplayer.exe.000/data0003 Infected: Trojan.Win32.Scapur.b skipped

C:\WINNT\$NtServicePackUninstall$\wmplayer.exe.000 NSIS: infected - 2 skipped

C:\WINNT\Debug\PASSWD.LOG Object is locked skipped

C:\WINNT\SchedLgU.Txt Object is locked skipped

C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINNT\system32\CatRoot2\edb.log Object is locked skipped

C:\WINNT\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped

C:\WINNT\system32\config\DEFAULT Object is locked skipped

C:\WINNT\system32\config\default.LOG Object is locked skipped

C:\WINNT\system32\config\Internet.evt Object is locked skipped

C:\WINNT\system32\config\SAM Object is locked skipped

C:\WINNT\system32\config\SAM.LOG Object is locked skipped

C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped

C:\WINNT\system32\config\SECURITY Object is locked skipped

C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped

C:\WINNT\system32\config\SOFTWARE Object is locked skipped

C:\WINNT\system32\config\software.LOG Object is locked skipped

C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped

C:\WINNT\system32\config\SYSTEM Object is locked skipped

C:\WINNT\system32\config\system.LOG Object is locked skipped

C:\WINNT\system32\h323log.txt Object is locked skipped

C:\WINNT\system32\haoxqphx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped

C:\WINNT\system32\jsvxyisy.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped

C:\WINNT\system32\leqvhpgt.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped

C:\WINNT\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINNT\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINNT\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINNT\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINNT\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINNT\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINNT\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINNT\system32\xwxoisyx.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped

C:\WINNT\Temp\mcafee_HNajVjZdrQkpCb0 Object is locked skipped

C:\WINNT\Temp\mcmsc_qQdxSyxnNr5Csux Object is locked skipped

C:\WINNT\Temp\mcmsc_smfElmbvej8Xfxa Object is locked skipped

C:\WINNT\Temp\mcmsc_uW9lIvAHIfWf2eX Object is locked skipped

C:\WINNT\Temp\mcmsc_xZi878X266je8WG Object is locked skipped

C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:22:04 PM, on 11/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {344BCACA-5079-5DD2-7EB4-7395C9F2DD9A} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: {229b8afb-3958-992b-31f4-d8134dfaf059} - {950fafd4-318d-4f13-b299-8593bfa8b922} - (no file)
O2 - BHO: (no name) - {C805E94A-DF95-4588-A1F5-00B6F880DC76} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [drmclien] C:\WINNT\System32\drmclien.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by111fd.bay111.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101515601940
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185853778328
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.24.10/ttinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {FC01E8B2-B5A6-4660-BD9A-C01B59330DD9} (ViPlayerHtml Control) - http://www.vdrv.com/demo/vidrev.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O24 - Desktop Component 0: (no name) - http://us.i1.yimg.com/us.yimg.com/i/us/plus/csp/el/bg_sm_bt_dna.gif

--
End of file - 10058 bytes

steamwiz
2007-11-18, 19:47
Hi

Please post the newest VundoFix & ComboFix logs as well ...
You'll find them here :-

C:\vundofix.txt
C:\ComboFix.txt

You say Virtumonde keeps reinstalling ... please post the logs which are telling you this, or tell me how you came to this conclusion?

Something may be just finding a leftover, like a BHO CLSID of which you have a couple ...

steam
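
As an added example, not part of steamwiz's reply nor of the HijackThis tool, here is a small Python parser for the O2 (BHO) and O4 (Run key) lines of a HijackThis log like the one posted above. It flags the leftover case steamwiz refers to: a BHO CLSID still registered but pointing at "(no file)", which is exactly the kind of stale entry that keeps a scanner reporting an infection that no longer loads. It also flags Run entries whose command points into a Temp folder, a generalization taken from the startupreg entries in the ComboFix log later in this thread. The sample lines are constructed from this thread's log (the Temp-folder O4 line is made up for the demonstration), and the function names and the Temp-folder heuristic are this example's own.

```python
import re
import sys

# Constructed sample: HijackThis-style O2/O4 lines modelled on the log posted
# in this thread (a subset; the Temp-folder O4 line is made up for the demo).
SAMPLE_HJT_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {344BCACA-5079-5DD2-7EB4-7395C9F2DD9A} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: {229b8afb-3958-992b-31f4-d8134dfaf059} - {950fafd4-318d-4f13-b299-8593bfa8b922} - (no file)
O2 - BHO: (no name) - {C805E94A-DF95-4588-A1F5-00B6F880DC76} - (no file)
O4 - HKLM\\..\\Run: [iTunesHelper] "C:\\Program Files\\iTunes\\iTunesHelper.exe"
O4 - HKCU\\..\\Run: [drmclien] C:\\WINNT\\System32\\drmclien.exe
O4 - HKCU\\..\\Run: [QCvS1A] C:\\documents and settings\\owner\\local settings\\temp\\QCvS1A.exe
"""

# O2 lines: "O2 - BHO: <name> - {CLSID} - <dll path or (no file)>"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$"
)
# O4 lines: "O4 - HKLM\..\Run: [<value name>] <command>"
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.*)$"
)
# Heuristic of this example: autostarts whose command lives under a Temp directory.
TEMP_RE = re.compile(r"\\(local settings\\)?temp\\", re.IGNORECASE)


def parse_hjt(text):
    """Return a list of dicts for the O2 and O4 lines; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = BHO_RE.match(line)
        if m:
            entries.append({"kind": "BHO", **m.groupdict()})
            continue
        m = RUN_RE.match(line)
        if m:
            entries.append({"kind": "Run", **m.groupdict()})
    return entries


def orphan_bhos(entries):
    """CLSIDs still registered as BHOs whose DLL is gone ("(no file)").

    These are leftovers of a removed component: nothing loads any more, but a
    scanner that reports on the registry entry will keep flagging them, which
    can look like a reinfection."""
    return [
        e["clsid"]
        for e in entries
        if e["kind"] == "BHO" and e["target"].strip().lower() == "(no file)"
    ]


def temp_autostarts(entries):
    """Run-key value names whose command points into a Temp folder."""
    return [e["name"] for e in entries if e["kind"] == "Run" and TEMP_RE.search(e["target"])]


if __name__ == "__main__":
    # Pass a saved HijackThis log as the first argument, or run on the sample.
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_HJT_LOG
    found = parse_hjt(text)
    print("orphan BHO CLSIDs:", orphan_bhos(found))
    print("autostarts in Temp:", temp_autostarts(found))
```

On the sample the three "(no file)" CLSIDs come out as orphans, which matches the three BHO keys the later CFScript in this thread removes; a CLSID with a real DLL path behind it is left alone, since that is a live component and needs a judgement call rather than a pattern match.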

WaltL
2007-11-18, 20:19
I thought I had everything cleaned once or twice and then when browsing the popups restarted. I then ran SpyBot and it found 9 instances. That's when I ran VundoFix, ComboFix and Kaspersky. Here are the logs from Spybot and VundoFix. Walt


VundoFix V6.6.2

Checking Java version...

Scan started at 3:00:23 PM 11/17/2007

Listing files found while scanning....

C:\WINNT\system32\byxwvsp.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\byxwvsp.dll
C:\WINNT\system32\byxwvsp.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINNT\system32\byxwvsp.dll
C:\WINNT\system32\byxwvsp.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.6.2

Checking Java version...

Scan started at 3:08:14 PM 11/17/2007

Listing files found while scanning....

No infected files were found.


ComboFix 07-11-08.3 - Owner 2007-11-17 15:17:14.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.206 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Owner\Application Data\SKS~1
C:\Documents and Settings\Owner\Application Data\YMANTE~1
C:\Documents and Settings\Owner\Favorites\Online Security Guide.lnk
C:\Program Files\Common Files\racle~1
C:\Program Files\ymbols~1
C:\WINNT\cookies.ini
C:\WINNT\hosts
C:\WINNT\invupd.exe
C:\WINNT\racle~1
C:\WINNT\stem~1
C:\WINNT\stem~1\??stem\
C:\WINNT\system32\awtqn.dll
C:\WINNT\system32\crosof~1.net
C:\WINNT\system32\icroso~1.net
C:\WINNT\system32\lnnmp.bak1
C:\WINNT\system32\nqtwa.ini
C:\WINNT\system32\nqtwa.ini2
C:\WINNT\system32\pac.txt
C:\WINNT\system32\wnsapisv.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-10-17 to 2007-11-17 )))))))))))))))))))))))))))))))
.

2007-11-17 15:14 51,200 --a------ C:\WINNT\NirCmd.exe
2007-11-17 15:00 <DIR> d-------- C:\VundoFix Backups
2007-11-17 12:45 145,984 --a------ C:\WINNT\system32\xwxoisyx.dll
2007-11-16 18:09 85,056 --a------ C:\WINNT\system32\jsvxyisy.dll
2007-11-16 17:44 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-15 17:54 <DIR> d-------- C:\Program Files\Windows Defender
2007-11-15 16:06 85,056 --a------ C:\WINNT\system32\haoxqphx.dll
2007-11-15 14:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-11-15 12:40 <DIR> d--h----- C:\WINNT\PIF
2007-10-26 12:59 <DIR> d-------- C:\WINNT\system32\logs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-14 18:29 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\PIE Service
2007-12-14 18:06 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdwareAlert
2007-12-14 18:06 --------- d-----w C:\Documents and Settings\LocalService\Application Data\PIE Service
2007-12-12 03:46 56,234 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2007-12-08 13:23 --------- d-----w C:\Documents and Settings\Owner\Application Data\Yahoo!
2007-12-08 13:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-12-08 13:22 --------- d-----w C:\Program Files\Yahoo!
2007-12-08 00:29 --------- d-----w C:\Program Files\McAfee
2007-12-08 00:24 --------- d-----w C:\Program Files\Common Files\McAfee
2007-12-06 13:40 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-11-17 04:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-17 00:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-11-16 17:35 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
2007-11-15 23:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2007-11-15 21:35 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-11-15 19:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\SiteAdvisor
2007-10-25 03:01 --------- d-----w C:\Program Files\SBC Yahoo!
2007-10-22 02:41 --------- d-----w C:\Documents and Settings\Owner\Application Data\yoclient
2007-07-23 14:57 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2006-06-26 21:35 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2004-12-06 01:12 57,256 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2004-11-27 02:32 153,412,551 --sh--w C:\WINNT\Fonts\litumoc.bak2
2004-11-17 01:16 558,331 --sha-w C:\WINNT\Fonts\litumoc.bak1
2004-10-30 22:28 15,752,040 --sh--w C:\WINNT\Fonts\itnacvs.bak2
2004-10-25 19:56 144,948,008 --sh--w C:\WINNT\Fonts\ptflld.bak2
2004-10-25 07:54 20,699,755 --sha-w C:\WINNT\Fonts\ptflld.bak1
2004-06-14 00:19 449 ----a-w C:\Documents and Settings\Owner\UpdateReg.reg
2004-11-23 16:01:57 983,335 --sha-w C:\WINNT\addins\bvlru.bak1
2004-11-24 04:02:05 972,850 --sh--w C:\WINNT\addins\bvlru.bak2
2004-11-29 20:06:58 62,047,607 --sha-w C:\WINNT\Driver Cache\csm.bak1
2004-11-29 20:08:08 62,130,253 --sh--w C:\WINNT\Driver Cache\csm.bak2
2004-10-30 22:28:57 15,752,040 --sh--w C:\WINNT\Fonts\itnacvs.bak2
2004-11-17 01:16:26 558,331 --sha-w C:\WINNT\Fonts\litumoc.bak1
2004-11-27 02:32:53 153,412,551 --sh--w C:\WINNT\Fonts\litumoc.bak2
2004-10-25 07:54:48 20,699,755 --sha-w C:\WINNT\Fonts\ptflld.bak1
2004-10-25 19:56:55 144,948,008 --sh--w C:\WINNT\Fonts\ptflld.bak2
2004-10-12 19:47:36 1,685,575 --sh--w C:\WINNT\Help\SBSI\bacyalp.bak2
2004-11-16 01:15:38 558,062 --sh--w C:\WINNT\java\classes\cfmpi.bak2
2004-10-20 19:50:58 20,670,009 --sh--w C:\WINNT\repair\tenibil.bak2
2004-10-22 19:52:45 20,699,819 --sh--w C:\WINNT\security\Database\ipatalue.bak2
2004-11-06 12:08:26 602,495 --sh--w C:\WINNT\system\itnada.bak2
2004-11-17 03:27:58 15,649,916 --sh--w C:\WINNT\system\sabger.bak2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{344BCACA-5079-5DD2-7EB4-7395C9F2DD9A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{950fafd4-318d-4f13-b299-8593bfa8b922}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C805E94A-DF95-4588-A1F5-00B6F880DC76}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [2001-07-09 04:50]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 09:14]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-03-30 09:42]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33]
"ViewMgr"="C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" []
"IPInSightMonitor 01"="C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" []
"HPHUPD05"="C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-22 07:03]
"HPDJ Taskbar Utility"="C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-05-06 23:56]
"Gateway Ink Monitor"="C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe" [2003-11-05 12:23]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" []
"2wSysTray"="C:\Program Files\2Wire\2PortalMon.exe" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2006-12-13 09:16]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 01:56]
"drmclien"="C:\WINNT\System32\drmclien.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [2004-06-09 14:27:34]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINNT\system32\awtqn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINNT\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINNT\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINNT\System32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRISMSVR.EXE]
"C:\WINNT\System32\PRISMSVR.EXE" /APPLY

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QCvS1A]
C:\documents and settings\owner\local settings\temp\QCvS1A.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
"C:\Program Files\Spyware Doctor\spydoctor.exe" /Q

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vGb0B]
C:\documents and settings\owner\local settings\temp\vGb0B.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPatrol]
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
C:\Program Files\Yahoo!\browser\ybrwicon.exe

S3 2WIREPCP;2Wire USB;C:\WINNT\system32\DRIVERS\2WirePCP.sys
S3 FVNETusb;Linksys Wireless-B USB Network Adapter v2.8 Driver;C:\WINNT\system32\DRIVERS\vnet558x.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-12-14 18:29:34 C:\WINNT\Tasks\AdwareAlert Scheduled Scan.job"
"2007-10-31 19:54:04 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
"2007-10-25 23:20:12 C:\WINNT\Tasks\HP DArC Task #Hewlett-Packard#7900#CN38G220D3EI.job"
"2008-01-15 07:18:41 C:\WINNT\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2007-11-17 21:08:53 C:\WINNT\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-17 15:30:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-17 15:32:07 - machine was rebooted
.
--- E O F ---

steamwiz
2007-11-18, 21:05
Hi

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)


File::
C:\WINNT\system32\xwxoisyx.dll
C:\WINNT\system32\jsvxyisy.dll
C:\WINNT\system32\haoxqphx.dll
C:\WINNT\Fonts\litumoc.bak2
C:\WINNT\Fonts\litumoc.bak1
C:\WINNT\Fonts\itnacvs.bak2
C:\WINNT\Fonts\ptflld.bak2
C:\WINNT\Fonts\ptflld.bak1
C:\WINNT\addins\bvlru.bak1
C:\WINNT\addins\bvlru.bak2
C:\WINNT\Driver Cache\csm.bak1
C:\WINNT\Driver Cache\csm.bak2
C:\WINNT\Fonts\itnacvs.bak2
C:\WINNT\Fonts\litumoc.bak1
C:\WINNT\Fonts\litumoc.bak2
C:\WINNT\Fonts\ptflld.bak1
C:\WINNT\Fonts\ptflld.bak2
C:\WINNT\Help\SBSI\bacyalp.bak2
C:\WINNT\java\classes\cfmpi.bak2
C:\WINNT\repair\tenibil.bak2
C:\WINNT\security\Database\ipatalue.bak2
C:\WINNT\system\itnada.bak2
C:\WINNT\system\sabger.bak2

Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{344BCACA-5079-5DD2-7EB4-7395C9F2DD9A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{950fafd4-318d-4f13-b299-8593bfa8b922}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C805E94A-DF95-4588-A1F5-00B6F880DC76}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QCvS1A]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vGb0B]




Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

steam
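
As an added example, not part of steamwiz's post and not ComboFix's own code, here is the check a practitioner would want before importing a Registry:: fix like the one above: decode the hex(7) (REG_MULTI_SZ) value to confirm it sets "Authentication Packages" back to exactly msv1_0, and compare that with what the earlier ComboFix log reported for the same value (msv1_0 followed by the foreign awtqn.dll, i.e. a DLL injected as an LSA authentication package so that it loads at logon regardless of Run keys). The CFScript uses the REGEDIT4-style one-byte-per-character encoding; the UTF-16LE branch for "Windows Registry Editor Version 5.00" files, the detection heuristic for it, and all function names are this example's assumptions.

```python
# Added example: decode/encode the REG_MULTI_SZ ("hex(7)") values used in a
# ComboFix CFScript Registry:: section and compare them with what the log
# reported for the LSA "Authentication Packages" value.

KNOWN_GOOD_AUTH_PACKAGES = {"msv1_0"}  # the stock XP LSA authentication package


def decode_reg_hex7(value):
    """Turn 'hex(7):6d,73,...' into the list of strings it encodes.

    REG_MULTI_SZ is a run of NUL-terminated strings ended by an extra NUL.
    REGEDIT4-style (ANSI) data, as in the CFScript above, is one byte per
    character; 'Windows Registry Editor Version 5.00' files store UTF-16LE.
    Treating 'every odd byte is zero' as UTF-16LE is this example's heuristic.
    """
    if not value.lower().startswith("hex(7):"):
        raise ValueError("not a hex(7) value: %r" % value)
    # .reg files may continue long hex runs across lines with a trailing backslash.
    payload = value[len("hex(7):"):].replace("\\", "").replace("\n", "")
    raw = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    if len(raw) >= 2 and len(raw) % 2 == 0 and not any(raw[1::2]):
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("latin-1")
    return [s for s in text.split("\x00") if s]


def encode_reg_hex7(strings):
    """Inverse of decode_reg_hex7, in the ANSI (REGEDIT4) form the CFScript uses."""
    raw = b"".join(s.encode("latin-1") + b"\x00" for s in strings) + b"\x00"
    return "hex(7):" + ",".join("%02x" % b for b in raw)


def parse_combofix_multisz(line):
    """Parse a ComboFix 'Reg Loading Points' line such as
    '"Authentication Packages"= msv1_0 C:\\WINNT\\system32\\awtqn.dll'.

    ComboFix prints the strings space-separated, so a path containing a
    space would split in two; that limitation comes from the log format."""
    _, _, rhs = line.partition("=")
    return rhs.split()


def foreign_auth_packages(packages):
    """Entries in Authentication Packages that are not the stock msv1_0.

    Anything else here is a DLL LSASS will load at logon, so it deserves a look."""
    return [p for p in packages if p.lower() not in KNOWN_GOOD_AUTH_PACKAGES]


def cfscript_registry_fix(packages):
    """Build the Registry:: stanza that keeps only the known-good entries."""
    keep = [p for p in packages if p.lower() in KNOWN_GOOD_AUTH_PACKAGES]
    if not keep:
        keep = sorted(KNOWN_GOOD_AUTH_PACKAGES)
    return (
        "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]\n"
        '"Authentication Packages"=' + encode_reg_hex7(keep)
    )


if __name__ == "__main__":
    # The value from the CFScript above and the line from the first ComboFix log.
    script_value = "hex(7):6d,73,76,31,5f,30,00,00"
    reported = parse_combofix_multisz(
        '"Authentication Packages"= msv1_0 C:\\WINNT\\system32\\awtqn.dll'
    )
    print("script sets value to :", decode_reg_hex7(script_value))
    print("log reported         :", reported)
    print("foreign packages     :", foreign_auth_packages(reported))
    print(cfscript_registry_fix(reported))
```

Decoding the script's value gives ["msv1_0"] only, so importing it drops awtqn.dll from the list of packages LSASS loads at logon, which is why the File:: deletion of the DLL and this Registry:: line belong in the same fix: removing only the file would leave a dangling reference, and removing only the registry entry would leave the DLL on disk for something else to re-register.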

WaltL
2007-11-18, 21:36
Here are the two logs after running CFScript. Walt

ComboFix 07-11-08.3 - Owner 2007-11-18 13:14:24.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.184 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINNT\addins\bvlru.bak1
C:\WINNT\addins\bvlru.bak2
C:\WINNT\Driver Cache\csm.bak1
C:\WINNT\Driver Cache\csm.bak2
C:\WINNT\Fonts\itnacvs.bak2
C:\WINNT\Fonts\litumoc.bak1
C:\WINNT\Fonts\litumoc.bak2
C:\WINNT\Fonts\ptflld.bak1
C:\WINNT\Fonts\ptflld.bak2
C:\WINNT\Help\SBSI\bacyalp.bak2
C:\WINNT\java\classes\cfmpi.bak2
C:\WINNT\repair\tenibil.bak2
C:\WINNT\security\Database\ipatalue.bak2
C:\WINNT\system\itnada.bak2
C:\WINNT\system\sabger.bak2
C:\WINNT\system32\haoxqphx.dll
C:\WINNT\system32\jsvxyisy.dll
C:\WINNT\system32\xwxoisyx.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\WINNT\addins\bvlru.bak1
C:\WINNT\addins\bvlru.bak2
C:\WINNT\Driver Cache\csm.bak1
C:\WINNT\Driver Cache\csm.bak2
C:\WINNT\Fonts\itnacvs.bak2
C:\WINNT\Fonts\litumoc.bak1
C:\WINNT\Fonts\litumoc.bak2
C:\WINNT\Fonts\ptflld.bak1
C:\WINNT\Fonts\ptflld.bak2
C:\WINNT\Help\SBSI\bacyalp.bak2
C:\WINNT\java\classes\cfmpi.bak2
C:\WINNT\repair\tenibil.bak2
C:\WINNT\security\Database\ipatalue.bak2
C:\WINNT\system\itnada.bak2
C:\WINNT\system\sabger.bak2
C:\WINNT\system32\haoxqphx.dll
C:\WINNT\system32\jsvxyisy.dll
C:\WINNT\system32\xwxoisyx.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-18 to 2007-11-18 )))))))))))))))))))))))))))))))
.

2007-11-17 16:41 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2007-11-17 16:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-17 15:14 51,200 --a------ C:\WINNT\NirCmd.exe
2007-11-16 17:44 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-15 17:54 <DIR> d-------- C:\Program Files\Windows Defender
2007-11-15 14:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-11-15 12:40 <DIR> d--h----- C:\WINNT\PIF
2007-10-26 12:59 <DIR> d-------- C:\WINNT\system32\logs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-14 18:29 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\PIE Service
2007-12-14 18:06 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdwareAlert
2007-12-14 18:06 --------- d-----w C:\Documents and Settings\LocalService\Application Data\PIE Service
2007-12-12 03:46 56,234 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2007-12-08 13:23 --------- d-----w C:\Documents and Settings\Owner\Application Data\Yahoo!
2007-12-08 13:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-12-08 13:22 --------- d-----w C:\Program Files\Yahoo!
2007-12-08 00:29 --------- d-----w C:\Program Files\McAfee
2007-12-08 00:24 --------- d-----w C:\Program Files\Common Files\McAfee
2007-12-06 13:40 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-11-17 04:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-17 00:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-11-16 17:35 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
2007-11-15 23:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2007-11-15 21:35 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-11-15 19:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\SiteAdvisor
2007-10-25 03:01 --------- d-----w C:\Program Files\SBC Yahoo!
2007-10-22 02:41 --------- d-----w C:\Documents and Settings\Owner\Application Data\yoclient
2007-07-23 14:57 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2006-06-26 21:35 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2004-12-06 01:12 57,256 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2004-06-14 00:19 449 ----a-w C:\Documents and Settings\Owner\UpdateReg.reg
.

((((((((((((((((((((((((((((( snapshot@2007-11-17_15.30.50.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-17 17:27:26 32,768 ----a-w C:\WINNT\system32\config\systemprofile\Cookies\index.dat
+ 2007-11-18 16:44:45 32,768 ----a-w C:\WINNT\system32\config\systemprofile\Cookies\index.dat
- 2007-11-17 17:27:26 32,768 ----a-w C:\WINNT\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-11-18 16:44:45 32,768 ----a-w C:\WINNT\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-11-18 16:44:45 32,768 --sha-w C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-05-24 18:27:16 213,048 ----a-w C:\WINNT\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 21:47:20 94,208 ----a-w C:\WINNT\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 21:49:54 950,272 ----a-w C:\WINNT\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [2001-07-09 04:50]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 09:14]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-03-30 09:42]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33]
"ViewMgr"="C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" []
"IPInSightMonitor 01"="C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" []
"HPHUPD05"="C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-22 07:03]
"HPDJ Taskbar Utility"="C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-05-06 23:56]
"Gateway Ink Monitor"="C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe" [2003-11-05 12:23]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" []
"2wSysTray"="C:\Program Files\2Wire\2PortalMon.exe" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2006-12-13 09:16]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 01:56]
"drmclien"="C:\WINNT\System32\drmclien.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [2004-06-09 14:27:34]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINNT\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINNT\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINNT\System32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRISMSVR.EXE]
"C:\WINNT\System32\PRISMSVR.EXE" /APPLY

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
"C:\Program Files\Spyware Doctor\spydoctor.exe" /Q

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPatrol]
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
C:\Program Files\Yahoo!\browser\ybrwicon.exe

S3 2WIREPCP;2Wire USB;C:\WINNT\system32\DRIVERS\2WirePCP.sys
S3 FVNETusb;Linksys Wireless-B USB Network Adapter v2.8 Driver;C:\WINNT\system32\DRIVERS\vnet558x.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-12-14 18:29:34 C:\WINNT\Tasks\AdwareAlert Scheduled Scan.job"
"2007-10-31 19:54:04 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
"2007-10-25 23:20:12 C:\WINNT\Tasks\HP DArC Task #Hewlett-Packard#7900#CN38G220D3EI.job"
"2008-01-15 07:18:41 C:\WINNT\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2007-11-18 08:28:07 C:\WINNT\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-18 13:21:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-18 13:23:58 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-17 15:32
.
--- E O F ---

WaltL
2007-11-18, 21:36
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:27:05 PM, on 11/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [drmclien] C:\WINNT\System32\drmclien.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by111fd.bay111.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101515601940
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185853778328
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.24.10/ttinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {FC01E8B2-B5A6-4660-BD9A-C01B59330DD9} (ViPlayerHtml Control) - http://www.vdrv.com/demo/vidrev.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O24 - Desktop Component 0: (no name) - http://us.i1.yimg.com/us.yimg.com/i/us/plus/csp/el/bg_sm_bt_dna.gif

--
End of file - 9758 bytes

steamwiz
2007-11-18, 23:55
Hi

Looks good

The logs are clean now... but just one file to delete :-

C:\WINNT\system32\leqvhpgt.dll

Are your problems resolved?

steam

WaltL
2007-11-19, 01:45
Removed the final dll. All seems to be well so far. I ran Spybot and got the all clear. I rebooted several times and no sign of the problems.

Thanks very, very much for your assistance. Walt

steamwiz
2007-11-19, 02:04
You're very welcome :)

Happy surfing

steam