Smithfraud-C CoreService Trojan



mystyflwr
2007-12-05, 00:53
Please help me. I can't seem to get rid of this infection. Your help is greatly appreciated.

HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:58, on 2007-12-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
c:\Program Files\Tektegrity\Client\Agent\AgentMon.exe
c:\Program Files\Tektegrity\Client\Agent\KasAVSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mmlweb.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Tektegrity\Client\Agent\KaUsrTsk.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mstsc.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: (no name) - {02e7ee48-9259-44e1-b2e6-2c7e230c7be2} - C:\WINDOWS\system32\fiysrtl.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: {d6c04a8a-3fd1-7e4a-9d44-a63975d74fa9} - {9af47d57-936a-44d9-a4e7-1df3a8a40c6d} - C:\WINDOWS\system32\suhkasmr.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {BA52D46B-0209-40DF-8E17-015B090BCBDC} - C:\WINDOWS\system32\ssqpp.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Kaseya Agent Service Helper] c:\Program Files\Tektegrity\Client\Agent\KaUsrTsk.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: LaunchU3.exe.lnk = ?
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195060347187
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://tsm.tektegrity.com/inc/kaxRemote.dll
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SurgCenter.local
O17 - HKLM\Software\..\Telephony: DomainName = SurgCenter.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD0C18CD-2069-47C8-86C5-827E4183EC34}: NameServer = 192.168.1.20,216.111.116.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SurgCenter.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SurgCenter.local
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: cbxvwvu - cbxvwvu.dll (file missing)
O20 - Winlogon Notify: coytxylu - coytxylu.dll (file missing)
O20 - Winlogon Notify: winrkq32 - winrkq32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: TekTegrity Agent (KaseyaAgent) - Kaseya - c:\Program Files\Tektegrity\Client\Agent\AgentMon.exe
O23 - Service: Kaseya Security Service (KaseyaAVService) - Unknown owner - c:\Program Files\Tektegrity\Client\Agent\KasAVSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 12106 bytes
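Added example (editor's code, not part of the thread and not anything HijackThis ships): a small Python triage pass over lines copied from the log above. It flags the three O2 BHO entries that point at DLLs marked (file missing) and carry no product name, the three O20 Winlogon Notify keys whose DLLs are likewise gone, and the non-empty AppInit_DLLs value, while leaving the Yahoo! BHO and the AVG notify package alone. The reversed-stem helper is there because the ComboFix output later in this thread lists ppqss.bak1 and ppqss.bak2 in system32, which is the stem of the missing ssqpp.dll spelled backwards; the helper only derives that search term and does not claim the files are related. The regexes, rule wording and the SAMPLE_LOG selection are my own assumptions about the HijackThis 2.0.2 text format.

```python
"""Triage of HijackThis O2/O20 lines for orphaned and unnamed load points.

Editor's added example; the regexes and rule names are assumptions about the
HijackThis 2.0.2 text format, not something HijackThis itself provides.
"""
import re

# Constructed sample: lines copied from the HijackThis log in the post above,
# with two benign entries (Yahoo! BHO, AVG notify package) kept for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: (no name) - {02e7ee48-9259-44e1-b2e6-2c7e230c7be2} - C:\WINDOWS\system32\fiysrtl.dll (file missing)
O2 - BHO: {d6c04a8a-3fd1-7e4a-9d44-a63975d74fa9} - {9af47d57-936a-44d9-a4e7-1df3a8a40c6d} - C:\WINDOWS\system32\suhkasmr.dll (file missing)
O2 - BHO: (no name) - {BA52D46B-0209-40DF-8E17-015B090BCBDC} - C:\WINDOWS\system32\ssqpp.dll (file missing)
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: cbxvwvu - cbxvwvu.dll (file missing)
O20 - Winlogon Notify: coytxylu - coytxylu.dll (file missing)
O20 - Winlogon Notify: winrkq32 - winrkq32.dll (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
"""

MISSING = "(file missing)"
HJT_LINE = re.compile(r"^(?P<section>[OR]\d+) - (?P<rest>.*)$")
GUID = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
BHO = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$")
NOTIFY = re.compile(r"^Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
APPINIT = re.compile(r"^AppInit_DLLs: *(?P<value>.*)$")


def basename(path):
    """Filename part of a HijackThis path, with the '(file missing)' tag stripped."""
    return path.replace(MISSING, "").strip().rsplit("\\", 1)[-1]


def reversed_stem(filename):
    """Search hint only: the file stem spelled backwards (ssqpp.dll -> 'ppqss')."""
    return filename.rsplit(".", 1)[0][::-1]


def triage_line(line):
    """Return a finding dict for one log line, or None if nothing stands out."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    section, rest = m.group("section"), m.group("rest")
    reasons, path = [], None
    if section == "O2" and (b := BHO.match(rest)):
        name, path = b.group("name"), b.group("path")
        if name == "(no name)" or GUID.match(name):
            reasons.append("BHO registered without a product name")
        if path.endswith(MISSING):
            reasons.append("BHO CLSID points at a DLL that is gone (orphaned load point)")
    elif section == "O20" and (n := NOTIFY.match(rest)):
        path = n.group("path")
        if path.endswith(MISSING):
            reasons.append("Winlogon Notify key whose DLL is gone; the registration "
                           "stays and winlogon loads the DLL again if the file reappears")
        if "\\" not in path:
            reasons.append("Notify DLL given by bare name, resolved through the DLL search order")
    elif section == "O20" and (a := APPINIT.match(rest)) and a.group("value").strip():
        reasons.append("AppInit_DLLs set: %s is mapped into every process that loads user32.dll"
                       % a.group("value").strip())
    if not reasons:
        return None
    return {"section": section, "line": line.strip(), "path": path, "reasons": reasons}


def triage(log_text):
    """Run triage_line over a whole log; benign lines drop out."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]


def orphaned_dlls(findings):
    """Basenames of every flagged entry whose file is missing, in log order."""
    return [basename(f["path"]) for f in findings if f["path"] and f["path"].endswith(MISSING)]


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f["section"], f["line"])
        for r in f["reasons"]:
            print("    -", r)
    print("missing DLLs:", ", ".join(orphaned_dlls(found)))
    print("reversed stems to grep for:", ", ".join(reversed_stem(n) for n in orphaned_dlls(found)))
```

Run it directly to print the findings, or call triage() on a full log read from disk. A "(file missing)" entry is not harmless just because the file is absent: the registry key is still a load point, so dropping the DLL again re-arms it with no further install step, which is why these keys get removed even when the DLL has already been cleaned.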

Shaba
2007-12-06, 11:19
Hi mystyflwr

1. Download combofix from one of these links and save it to Desktop:
Link1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link2 (http://subs.geekstogo.com/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Post:

- a fresh HijackThis log
- combofix report

mystyflwr
2007-12-06, 21:59
I tried to post the ComboFix log, but it says that the text you have entered is too long (71136 characters). How should I post it?

Shaba
2007-12-07, 10:08
Hi

Split it into multiple replies, please :)

mystyflwr
2007-12-12, 01:31
Here is a new HijackThis log. Sorry it took so long.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:27, on 2007-12-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
c:\Program Files\Tektegrity\Client\Agent\AgentMon.exe
c:\Program Files\Tektegrity\Client\Agent\KasAVSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mmlweb.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Tektegrity\Client\Agent\KaUsrTsk.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: (no name) - {02e7ee48-9259-44e1-b2e6-2c7e230c7be2} - C:\WINDOWS\system32\fiysrtl.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: {d6c04a8a-3fd1-7e4a-9d44-a63975d74fa9} - {9af47d57-936a-44d9-a4e7-1df3a8a40c6d} - C:\WINDOWS\system32\suhkasmr.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {BA52D46B-0209-40DF-8E17-015B090BCBDC} - C:\WINDOWS\system32\ssqpp.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Kaseya Agent Service Helper] c:\Program Files\Tektegrity\Client\Agent\KaUsrTsk.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: LaunchU3.exe.lnk = ?
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195060347187
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://tsm.tektegrity.com/inc/kaxRemote.dll
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SurgCenter.local
O17 - HKLM\Software\..\Telephony: DomainName = SurgCenter.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD0C18CD-2069-47C8-86C5-827E4183EC34}: NameServer = 192.168.1.20,216.111.116.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SurgCenter.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SurgCenter.local
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: cbxvwvu - cbxvwvu.dll (file missing)
O20 - Winlogon Notify: coytxylu - coytxylu.dll (file missing)
O20 - Winlogon Notify: winrkq32 - winrkq32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: TekTegrity Agent (KaseyaAgent) - Kaseya - c:\Program Files\Tektegrity\Client\Agent\AgentMon.exe
O23 - Service: Kaseya Security Service (KaseyaAVService) - Unknown owner - c:\Program Files\Tektegrity\Client\Agent\KasAVSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 11340 bytes

mystyflwr
2007-12-12, 01:33
ComboFix part 1



ComboFix 07-12-12.3 - ofoor 2007-12-11 15:04:01.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.122 [GMT -8:00]
Running from: C:\Documents and Settings\ofoor\Local Settings\Temporary Internet Files\Content.IE5\T6OC9S7R\ComboFix[1].exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-11-12 to 2007-12-12 )))))))))))))))))))))))))))))))
.

2007-12-07 23:03 . 2007-12-07 23:03 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-06 02:41 . 2007-08-20 02:04 6,058,496 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-12-06 02:41 . 2007-04-17 01:32 2,455,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dat
2007-12-06 02:41 . 2007-03-07 21:10 991,232 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll.mui
2007-12-06 02:41 . 2007-08-20 02:04 459,264 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-12-06 02:41 . 2007-08-20 02:04 383,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-12-06 02:41 . 2007-08-20 02:04 267,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-12-06 02:41 . 2007-08-20 02:04 63,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-12-06 02:41 . 2007-08-20 02:04 52,224 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-12-06 02:41 . 2007-08-17 02:20 13,824 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-12-06 02:28 . 2007-12-06 02:30 <DIR> d-------- C:\de4829dd77365fae207638b3625e35
2007-12-06 02:00 . 2007-12-06 02:00 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-06 01:59 . 2007-12-06 01:59 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-12-04 11:49 . 2007-12-04 11:49 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-12-04 11:49 . 2007-12-04 11:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-04 10:53 . 2007-12-04 10:53 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-20 13:31 . 2007-11-20 13:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-20 13:24 . 2007-11-20 13:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-19 10:54 . 2007-11-19 10:54 5,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\MS1000.sys
2007-11-19 10:53 . 2007-11-19 12:33 <DIR> d-------- C:\Program Files\The Cleaner Free
2007-11-15 10:14 . 2007-11-15 10:14 <DIR> d-------- C:\Documents and Settings\ofoor\Application Data\AVG7
2007-11-14 12:19 . 2007-11-14 13:55 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-14 12:19 . 2007-11-14 12:19 9,216 --a------ C:\WINDOWS\SYSTEM32\avgwlntf.dll
2007-11-14 12:18 . 2007-11-14 12:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-14 10:32 . 2007-11-14 10:32 <DIR> d-------- C:\tektegrity
2007-11-14 10:32 . 2007-11-14 10:32 <DIR> d-------- C:\Program Files\RealVNC
2007-11-14 10:32 . 2007-11-14 10:32 82,432 --a------ C:\WINDOWS\SYSTEM32\msxml4r.dll
2007-11-14 10:32 . 2007-11-14 10:32 44,544 --a------ C:\WINDOWS\SYSTEM32\msxml4a.dll
2007-11-14 10:23 . 2007-11-14 10:23 <DIR> d-------- C:\Program Files\Tektegrity
2007-11-14 10:23 . 2007-05-18 19:23 122,880 --a------ C:\WINDOWS\SYSTEM32\kaseyasp.dll
2007-11-14 10:23 . 2007-05-11 09:31 13,696 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\KaPFA.sys
2007-11-14 10:23 . 2006-12-28 09:57 6,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\KaseyaHA.sys
2007-11-14 08:59 . 2007-11-14 08:59 <DIR> d-------- C:\dd9b114365e7e356e3a9a7956efd
2007-11-13 08:28 . 2007-11-13 08:28 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-13 08:28 . 2007-11-13 08:28 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-12 23:15 3,452,960 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-12 23:12 41,492 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-06 11:17 --------- d-----w C:\Program Files\Yahoo!
2007-12-06 11:17 --------- d-----w C:\Program Files\Common Files\Scanner
2007-12-06 11:17 --------- d-----w C:\Documents and Settings\ofoor\Application Data\Yahoo!
2007-12-06 11:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-12-06 11:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-20 21:31 --------- d-----w C:\Program Files\Lavasoft
2007-11-20 21:27 --------- d-----w C:\Documents and Settings\ofoor\Application Data\Lavasoft
2007-11-16 18:27 --------- d-----w C:\Program Files\RogueRemover FREE
2007-11-14 21:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-11 02:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-11 01:47 --------- d-----w C:\Program Files\iolo
2007-11-08 14:36 426,242 --sha-w C:\WINDOWS\SYSTEM32\ppqss.bak2
2007-11-07 21:26 --------- d-----w C:\Documents and Settings\ofoor\Application Data\U3
2007-11-07 18:21 6,465 --sha-w C:\WINDOWS\SYSTEM32\ppqss.bak1
2007-11-07 18:10 117 ----a-w C:\Documents and Settings\ofoor\mit.bat
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2005-03-10 18:20 561,152 -c--a-w C:\Documents and Settings\ofoor\chatlnk.exe
.

((((((((((((((((((((((((((((( snapshot_2007-12-06_23.48.15.26 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-27 11:58:11 140,288 ----a-w C:\WINDOWS\catchme.exe
+ 2007-12-10 03:04:27 142,336 ----a-w C:\WINDOWS\catchme.exe
+ 2004-08-04 07:56:46 43,520 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wbemsvc.dll
+ 2006-12-04 22:37:58 1,317,648 ----a-w C:\WINDOWS\SYSTEM32\msxml6.dll
+ 2006-10-05 12:31:10 79,872 ----a-w C:\WINDOWS\SYSTEM32\msxml6r.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))

mystyflwr
2007-12-12, 01:34
ComboFix part 2


.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02e7ee48-9259-44e1-b2e6-2c7e230c7be2}]
C:\WINDOWS\system32\fiysrtl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9af47d57-936a-44d9-a4e7-1df3a8a40c6d}]
C:\WINDOWS\system32\suhkasmr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA52D46B-0209-40DF-8E17-015B090BCBDC}]
C:\WINDOWS\system32\ssqpp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 06:59]
"System Mechanic Popup Stopper"="C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe" [2004-10-26 15:39]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\SYSTEM32\rundll32.exe]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 17:12]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-12 22:01]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 10:35]
"ADUserMon"="C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 15:39]
"Iomega Drive Icons"="C:\Program Files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 13:30]
"Deskup"="C:\Program Files\Iomega\DriveIcons\deskup.exe" [2002-07-16 09:55]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2005-04-08 10:18]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 10:37]
"OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe" [2005-03-13 19:21]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-04-14 23:11]
"Kaseya Agent Service Helper"="c:\Program Files\Tektegrity\Client\Agent\KaUsrTsk.exe" [2007-06-04 20:04]

C:\Documents and Settings\jeff.BILLING_01\Start Menu\Programs\Startup\
Shortcut to MAP F.lnk - C:\MAP F.BAT [2004-04-30 15:55:03]

C:\Documents and Settings\ofoor\Start Menu\Programs\Startup\
LaunchU3.exe.lnk - C:\Documents and Settings\ofoor\Application Data\Microsoft\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2006-11-26 12:37:21]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - C:\WINDOWS\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2006-08-01 15:04:19]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2007-11-14 12:19 9216 C:\WINDOWS\SYSTEM32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxvwvu]
cbxvwvu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\coytxylu]
coytxylu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrkq32]
winrkq32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
RUNDLL32.exe C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll,cdaEngineMain

R2 KaseyaAgent;TekTegrity Agent;"c:\Program Files\Tektegrity\Client\Agent\AgentMon.exe" -s
R2 KaseyaAVService;Kaseya Security Service;"c:\Program Files\Tektegrity\Client\Agent\KasAVSrv.exe" -s
R3 KAPFA;KAPFA;\??\C:\WINDOWS\system32\drivers\KAPFA.SYS
S3 MS1000;MS1000;C:\WINDOWS\system32\DRIVERS\MS1000.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a432314-4ca7-11db-bf3f-000cf1e4889b}]
\Shell\AutoRun\command - E:\LaunchU3.exe

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-12 15:16:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-12 15:22:13 - machine was rebooted
.
2007-11-14 17:21:55 --- E O F ---

Shaba
2007-12-12, 11:21
Hi

The problem is that you are running ComboFix from the temp folder.

Save it to the desktop, run it from there and post back a fresh ComboFix log, please :)

mystyflwr
2007-12-13, 00:45
I'm so sorry. I'm a dork. Here it is saved to my desktop.

ComboFix 07-12-12.3 - ofoor 2007-12-12 14:31:08.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.135 [GMT -8:00]
Running from: C:\Documents and Settings\ofoor\Local Settings\Temporary Internet Files\Content.IE5\T6OC9S7R\ComboFix[1].exe
.

((((((((((((((((((((((((( Files Created from 2007-11-12 to 2007-12-12 )))))))))))))))))))))))))))))))
.

2007-12-07 23:03 . 2007-12-07 23:03 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-06 02:41 . 2007-08-20 02:04 6,058,496 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-12-06 02:41 . 2007-04-17 01:32 2,455,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dat
2007-12-06 02:41 . 2007-03-07 21:10 991,232 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll.mui
2007-12-06 02:41 . 2007-08-20 02:04 459,264 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-12-06 02:41 . 2007-08-20 02:04 383,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-12-06 02:41 . 2007-08-20 02:04 267,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-12-06 02:41 . 2007-08-20 02:04 63,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-12-06 02:41 . 2007-08-20 02:04 52,224 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-12-06 02:41 . 2007-08-17 02:20 13,824 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-12-06 02:28 . 2007-12-06 02:30 <DIR> d-------- C:\de4829dd77365fae207638b3625e35
2007-12-06 02:00 . 2007-12-06 02:00 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-06 01:59 . 2007-12-06 01:59 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-12-04 11:49 . 2007-12-04 11:49 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-12-04 11:49 . 2007-12-04 11:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-04 10:53 . 2007-12-04 10:53 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-20 13:31 . 2007-11-20 13:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-20 13:24 . 2007-11-20 13:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-19 10:54 . 2007-11-19 10:54 5,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\MS1000.sys
2007-11-19 10:53 . 2007-11-19 12:33 <DIR> d-------- C:\Program Files\The Cleaner Free
2007-11-15 10:14 . 2007-11-15 10:14 <DIR> d-------- C:\Documents and Settings\ofoor\Application Data\AVG7
2007-11-14 12:19 . 2007-11-14 13:55 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-14 12:19 . 2007-11-14 12:19 9,216 --a------ C:\WINDOWS\SYSTEM32\avgwlntf.dll
2007-11-14 12:18 . 2007-11-14 12:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-14 10:32 . 2007-11-14 10:32 <DIR> d-------- C:\tektegrity
2007-11-14 10:32 . 2007-11-14 10:32 <DIR> d-------- C:\Program Files\RealVNC
2007-11-14 10:32 . 2007-11-14 10:32 82,432 --a------ C:\WINDOWS\SYSTEM32\msxml4r.dll
2007-11-14 10:32 . 2007-11-14 10:32 44,544 --a------ C:\WINDOWS\SYSTEM32\msxml4a.dll
2007-11-14 10:23 . 2007-11-14 10:23 <DIR> d-------- C:\Program Files\Tektegrity
2007-11-14 10:23 . 2007-05-18 19:23 122,880 --a------ C:\WINDOWS\SYSTEM32\kaseyasp.dll
2007-11-14 10:23 . 2007-05-11 09:31 13,696 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\KaPFA.sys
2007-11-14 10:23 . 2006-12-28 09:57 6,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\KaseyaHA.sys
2007-11-14 08:59 . 2007-11-14 08:59 <DIR> d-------- C:\dd9b114365e7e356e3a9a7956efd
2007-11-13 08:28 . 2007-11-13 08:28 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-13 08:28 . 2007-11-13 08:28 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-13 14:45 1,368,052 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-12 23:37 41,684 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-12 22:37 3,522,592 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-06 11:17 --------- d-----w C:\Program Files\Yahoo!
2007-12-06 11:17 --------- d-----w C:\Program Files\Common Files\Scanner
2007-12-06 11:17 --------- d-----w C:\Documents and Settings\ofoor\Application Data\Yahoo!
2007-12-06 11:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-12-06 11:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-20 21:31 --------- d-----w C:\Program Files\Lavasoft
2007-11-20 21:27 --------- d-----w C:\Documents and Settings\ofoor\Application Data\Lavasoft
2007-11-16 18:27 --------- d-----w C:\Program Files\RogueRemover FREE
2007-11-14 21:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-11 02:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-11 01:47 --------- d-----w C:\Program Files\iolo
2007-11-08 14:36 426,242 --sha-w C:\WINDOWS\SYSTEM32\ppqss.bak2
2007-11-07 21:26 --------- d-----w C:\Documents and Settings\ofoor\Application Data\U3
2007-11-07 18:21 6,465 --sha-w C:\WINDOWS\SYSTEM32\ppqss.bak1
2007-11-07 18:10 117 ----a-w C:\Documents and Settings\ofoor\mit.bat
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2005-03-10 18:20 561,152 -c--a-w C:\Documents and Settings\ofoor\chatlnk.exe
.

((((((((((((((((((((((((((((( snapshot_2007-12-06_23.48.15.26 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-27 11:58:11 140,288 ----a-w C:\WINDOWS\catchme.exe
+ 2007-12-10 03:04:27 142,336 ----a-w C:\WINDOWS\catchme.exe
+ 2004-08-04 07:56:43 25,088 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mslbui.dll
+ 2004-08-04 07:56:46 43,520 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wbemsvc.dll
+ 2006-12-04 22:37:58 1,317,648 ----a-w C:\WINDOWS\SYSTEM32\msxml6.dll
+ 2006-10-05 12:31:10 79,872 ----a-w C:\WINDOWS\SYSTEM32\msxml6r.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02e7ee48-9259-44e1-b2e6-2c7e230c7be2}]
C:\WINDOWS\system32\fiysrtl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9af47d57-936a-44d9-a4e7-1df3a8a40c6d}]
C:\WINDOWS\system32\suhkasmr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA52D46B-0209-40DF-8E17-015B090BCBDC}]
C:\WINDOWS\system32\ssqpp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 06:59]
"System Mechanic Popup Stopper"="C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe" [2004-10-26 15:39]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\SYSTEM32\rundll32.exe]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 17:12]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-12 22:01]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 10:35]
"ADUserMon"="C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 15:39]
"Iomega Drive Icons"="C:\Program Files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 13:30]
"Deskup"="C:\Program Files\Iomega\DriveIcons\deskup.exe" [2002-07-16 09:55]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2005-04-08 10:18]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 10:37]
"OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe" [2005-03-13 19:21]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-04-14 23:11]
"Kaseya Agent Service Helper"="c:\Program Files\Tektegrity\Client\Agent\KaUsrTsk.exe" [2007-06-04 20:04]

C:\Documents and Settings\jeff.BILLING_01\Start Menu\Programs\Startup\
Shortcut to MAP F.lnk - C:\MAP F.BAT [2004-04-30 15:55:03]

C:\Documents and Settings\ofoor\Start Menu\Programs\Startup\
LaunchU3.exe.lnk - C:\Documents and Settings\ofoor\Application Data\Microsoft\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2006-11-26 12:37:21]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - C:\WINDOWS\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2006-08-01 15:04:19]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2007-11-14 12:19 9216 C:\WINDOWS\SYSTEM32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxvwvu]
cbxvwvu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\coytxylu]
coytxylu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrkq32]
winrkq32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
RUNDLL32.exe C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll,cdaEngineMain

R2 KaseyaAgent;TekTegrity Agent;"c:\Program Files\Tektegrity\Client\Agent\AgentMon.exe" -s
R2 KaseyaAVService;Kaseya Security Service;"c:\Program Files\Tektegrity\Client\Agent\KasAVSrv.exe" -s
S3 MS1000;MS1000;C:\WINDOWS\system32\DRIVERS\MS1000.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a432314-4ca7-11db-bf3f-000cf1e4889b}]
\Shell\AutoRun\command - E:\LaunchU3.exe

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-12 14:37:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-12 14:41:12
C:\ComboFix2.txt ... 2007-12-12 15:22
.
2007-11-14 17:21:55 --- E O F ---

Shaba
2007-12-13, 11:08
Hi

No, unfortunately it's not; it's still running from the IE temp folder:

Running from: C:\Documents and Settings\ofoor\Local Settings\Temporary Internet Files\Content.IE5\T6OC9S7R\ComboFix[1].exe

1. Right-click this link (http://download.bleepingcomputer.com/sUBs/ComboFix.exe).
2. Choose "Save as" or "Save target as" (depends on your browser).
3. Save it to your desktop.
4. Run ComboFix.
5. Post a fresh ComboFix log.

mystyflwr
2007-12-14, 00:42
ComboFix 07-12-12.3 - ofoor 2007-12-13 14:28:43.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.64 [GMT -8:00]
Running from: C:\Documents and Settings\ofoor\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-13 to 2007-12-13 )))))))))))))))))))))))))))))))
.

2007-12-07 23:03 . 2007-12-07 23:03 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-06 02:41 . 2007-08-20 02:04 6,058,496 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-12-06 02:41 . 2007-04-17 01:32 2,455,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dat
2007-12-06 02:41 . 2007-03-07 21:10 991,232 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll.mui
2007-12-06 02:41 . 2007-08-20 02:04 459,264 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-12-06 02:41 . 2007-08-20 02:04 383,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-12-06 02:41 . 2007-08-20 02:04 267,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-12-06 02:41 . 2007-08-20 02:04 63,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-12-06 02:41 . 2007-08-20 02:04 52,224 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-12-06 02:41 . 2007-08-17 02:20 13,824 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-12-06 02:28 . 2007-12-06 02:30 <DIR> d-------- C:\de4829dd77365fae207638b3625e35
2007-12-06 02:00 . 2007-12-06 02:00 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-06 01:59 . 2007-12-06 01:59 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-12-04 11:49 . 2007-12-04 11:49 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-12-04 11:49 . 2007-12-04 11:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-04 10:53 . 2007-12-04 10:53 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-20 13:31 . 2007-11-20 13:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-20 13:24 . 2007-11-20 13:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-19 10:54 . 2007-11-19 10:54 5,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\MS1000.sys
2007-11-19 10:53 . 2007-11-19 12:33 <DIR> d-------- C:\Program Files\The Cleaner Free
2007-11-15 10:14 . 2007-11-15 10:14 <DIR> d-------- C:\Documents and Settings\ofoor\Application Data\AVG7
2007-11-14 12:19 . 2007-11-14 13:55 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-14 12:19 . 2007-11-14 12:19 9,216 --a------ C:\WINDOWS\SYSTEM32\avgwlntf.dll
2007-11-14 12:18 . 2007-11-14 12:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-14 10:32 . 2007-11-14 10:32 <DIR> d-------- C:\tektegrity
2007-11-14 10:32 . 2007-11-14 10:32 <DIR> d-------- C:\Program Files\RealVNC
2007-11-14 10:32 . 2007-11-14 10:32 82,432 --a------ C:\WINDOWS\SYSTEM32\msxml4r.dll
2007-11-14 10:32 . 2007-11-14 10:32 44,544 --a------ C:\WINDOWS\SYSTEM32\msxml4a.dll
2007-11-14 10:23 . 2007-11-14 10:23 <DIR> d-------- C:\Program Files\Tektegrity
2007-11-14 10:23 . 2007-05-18 19:23 122,880 --a------ C:\WINDOWS\SYSTEM32\kaseyasp.dll
2007-11-14 10:23 . 2007-05-11 09:31 13,696 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\KaPFA.sys
2007-11-14 10:23 . 2006-12-28 09:57 6,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\KaseyaHA.sys
2007-11-14 08:59 . 2007-11-14 08:59 <DIR> d-------- C:\dd9b114365e7e356e3a9a7956efd
2007-11-13 08:28 . 2007-11-13 08:28 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-13 08:28 . 2007-11-13 08:28 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-13 22:34 3,641,376 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-13 14:45 1,368,052 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-12 23:31 42,452 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-06 11:17 --------- d-----w C:\Program Files\Yahoo!
2007-12-06 11:17 --------- d-----w C:\Program Files\Common Files\Scanner
2007-12-06 11:17 --------- d-----w C:\Documents and Settings\ofoor\Application Data\Yahoo!
2007-12-06 11:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-12-06 11:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-20 21:31 --------- d-----w C:\Program Files\Lavasoft
2007-11-20 21:27 --------- d-----w C:\Documents and Settings\ofoor\Application Data\Lavasoft
2007-11-16 18:27 --------- d-----w C:\Program Files\RogueRemover FREE
2007-11-14 21:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-11 02:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-11 01:47 --------- d-----w C:\Program Files\iolo
2007-11-08 14:36 426,242 --sha-w C:\WINDOWS\SYSTEM32\ppqss.bak2
2007-11-07 21:26 --------- d-----w C:\Documents and Settings\ofoor\Application Data\U3
2007-11-07 18:21 6,465 --sha-w C:\WINDOWS\SYSTEM32\ppqss.bak1
2007-11-07 18:10 117 ----a-w C:\Documents and Settings\ofoor\mit.bat
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2005-03-10 18:20 561,152 -c--a-w C:\Documents and Settings\ofoor\chatlnk.exe
.

((((((((((((((((((((((((((((( snapshot_2007-12-06_23.48.15.26 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-27 11:58:11 140,288 ----a-w C:\WINDOWS\catchme.exe
+ 2007-12-10 03:04:27 142,336 ----a-w C:\WINDOWS\catchme.exe
+ 2004-08-04 07:56:43 25,088 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mslbui.dll
+ 2004-08-04 07:56:46 43,520 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wbemsvc.dll
+ 2006-12-04 22:37:58 1,317,648 ----a-w C:\WINDOWS\SYSTEM32\msxml6.dll
+ 2006-10-05 12:31:10 79,872 ----a-w C:\WINDOWS\SYSTEM32\msxml6r.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02e7ee48-9259-44e1-b2e6-2c7e230c7be2}]
C:\WINDOWS\system32\fiysrtl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9af47d57-936a-44d9-a4e7-1df3a8a40c6d}]
C:\WINDOWS\system32\suhkasmr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA52D46B-0209-40DF-8E17-015B090BCBDC}]
C:\WINDOWS\system32\ssqpp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 06:59]
"System Mechanic Popup Stopper"="C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe" [2004-10-26 15:39]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\SYSTEM32\rundll32.exe]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 17:12]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-12 22:01]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 10:35]
"ADUserMon"="C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 15:39]
"Iomega Drive Icons"="C:\Program Files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 13:30]
"Deskup"="C:\Program Files\Iomega\DriveIcons\deskup.exe" [2002-07-16 09:55]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2005-04-08 10:18]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 10:37]
"OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe" [2005-03-13 19:21]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-04-14 23:11]
"Kaseya Agent Service Helper"="c:\Program Files\Tektegrity\Client\Agent\KaUsrTsk.exe" [2007-06-04 20:04]

C:\Documents and Settings\jeff.BILLING_01\Start Menu\Programs\Startup\
Shortcut to MAP F.lnk - C:\MAP F.BAT [2004-04-30 15:55:03]

C:\Documents and Settings\ofoor\Start Menu\Programs\Startup\
LaunchU3.exe.lnk - C:\Documents and Settings\ofoor\Application Data\Microsoft\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2006-11-26 12:37:21]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - C:\WINDOWS\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2006-08-01 15:04:19]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2007-11-14 12:19 9216 C:\WINDOWS\SYSTEM32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxvwvu]
cbxvwvu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\coytxylu]
coytxylu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrkq32]
winrkq32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
RUNDLL32.exe C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll,cdaEngineMain

R2 KaseyaAgent;TekTegrity Agent;"c:\Program Files\Tektegrity\Client\Agent\AgentMon.exe" -s
R2 KaseyaAVService;Kaseya Security Service;"c:\Program Files\Tektegrity\Client\Agent\KasAVSrv.exe" -s
R3 KAPFA;KAPFA;\??\C:\WINDOWS\system32\drivers\KAPFA.SYS
S3 MS1000;MS1000;C:\WINDOWS\system32\DRIVERS\MS1000.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a432314-4ca7-11db-bf3f-000cf1e4889b}]
\Shell\AutoRun\command - E:\LaunchU3.exe

*Newly Created Service* - KAPFA
*Newly Created Service* - KASEYAAVSERVICE
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-13 14:35:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-13 14:38:30
C:\ComboFix2.txt ... 2007-12-12 14:41
C:\ComboFix3.txt ... 2007-12-12 15:22
.
2007-11-14 17:21:55 --- E O F ---

Shaba
2007-12-14, 10:52
Hi

Good, now it's in a permanent place :)

Open Notepad and copy/paste the text in the quotebox below into it:


File::
C:\WINDOWS\SYSTEM32\ppqss.bak2
C:\WINDOWS\SYSTEM32\ppqss.bak1

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02e7ee48-9259-44e1-b2e6-2c7e230c7be2}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9af47d57-936a-44d9-a4e7-1df3a8a40c6d}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA52D46B-0209-40DF-8E17-015B090BCBDC}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxvwvu]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\coytxylu]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrkq32]


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any findstr, find, sed or swreg processes; ComboFix should then continue.
If that happens we want to know, and also which process you had to end.
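
Added example, not part of this thread or of ComboFix: a Python triage helper that applies the checks Shaba made above to a ComboFix log. It confirms the "Running from:" path is the Desktop rather than the IE cache, pulls out Winlogon Notify entries that show only a bare DLL name and Find3M files carrying the System+Hidden attributes, and renders them in the File::/Registry:: CFScript layout just posted. The sample log is constructed from entries in this thread, the function names are mine, and BHO entries are only listed for review because the log gives no file details to decide on.

```python
"""Triage helper for ComboFix logs like the ones posted in this thread."""
import re
from typing import Dict, List, Tuple

# Constructed sample: entries copied from the logs above, in ComboFix's own layout.
SAMPLE_LOG = r"""Running from: C:\Documents and Settings\ofoor\Local Settings\Temporary Internet Files\Content.IE5\T6OC9S7R\ComboFix[1].exe
.
(((((((((((( Find3M Report ))))))))))))
.
2007-12-13 14:45 1,368,052 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-06 11:17 --------- d-----w C:\Program Files\Yahoo!
2007-11-08 14:36 426,242 --sha-w C:\WINDOWS\SYSTEM32\ppqss.bak2
2007-11-07 18:21 6,465 --sha-w C:\WINDOWS\SYSTEM32\ppqss.bak1
.
(((((((((((( Reg Loading Points ))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02e7ee48-9259-44e1-b2e6-2c7e230c7be2}]
C:\WINDOWS\system32\fiysrtl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2007-11-14 12:19 9216 C:\WINDOWS\SYSTEM32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxvwvu]
cbxvwvu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\coytxylu]
coytxylu.dll
"""

# Find3M line: date, time, size (dashes for a directory), 7-char attribute column, path.
FIND3M_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (\S+) ([-a-z]{7}) (.+)$")

def runs_from_desktop(log: str) -> bool:
    """Shaba's first check: ComboFix must be started from the Desktop, not the IE cache."""
    m = re.search(r"^Running from: (.+)$", log, re.M)
    path = m.group(1).strip().lower() if m else ""
    return "\\desktop\\" in path and "temporary internet files" not in path

def hidden_system_files(log: str) -> List[str]:
    """Find3M files whose attribute column has both s (System) and h (Hidden) set,
    e.g. '--sha-w' on the two ppqss.bak files Shaba listed under File::."""
    found = []
    for line in log.splitlines():
        m = FIND3M_LINE.match(line.strip())
        if m:
            _, attrs, path = m.groups()
            if attrs[0] != "d" and attrs[2] == "s" and attrs[3] == "h":
                found.append(path)
    return found

def reg_sections(log: str) -> Dict[str, List[str]]:
    """Map every [KEY] header in the Reg Loading Points block to its value lines."""
    sections: Dict[str, List[str]] = {}
    key = None
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            sections[key] = []
        elif not line:
            key = None  # a blank line closes the current key
        elif key is not None:
            sections[key].append(line)
    return sections

def unresolved_notify_dlls(sections: Dict[str, List[str]]) -> List[str]:
    """Winlogon Notify keys whose value is a bare DLL name. The legitimate AVG entry
    above carries date, size and full path; the three Shaba removed carry only the
    name, i.e. ComboFix could not match the registered DLL to a file on disk."""
    return [k for k, v in sections.items()
            if "\\winlogon\\notify\\" in k.lower()
            and len(v) == 1 and re.fullmatch(r"[\w-]+\.dll", v[0], re.I)]

def bho_entries(sections: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """BHO keys with the DLL each loads; ComboFix gives no file details for these,
    so they go to the analyst for review rather than straight into the script."""
    return [(k, v[0]) for k, v in sections.items()
            if "browser helper objects" in k.lower() and v]

def build_cfscript(files: List[str], keys: List[str]) -> str:
    """Render a CFScript in the layout Shaba posted: File:: paths, then Registry::
    entries written as [-KEY], where the leading minus means 'delete this key'."""
    lines = ["File::", *files, "", "Registry::"]
    for k in keys:
        lines += [f"[-{k}]", ""]
    return "\n".join(lines).rstrip("\n") + "\n"

def triage(log: str) -> dict:
    """Run every check on one log and assemble the script for the automatic findings."""
    sections = reg_sections(log)
    files, keys = hidden_system_files(log), unresolved_notify_dlls(sections)
    return {"from_desktop": runs_from_desktop(log), "files": files, "keys": keys,
            "review": bho_entries(sections), "cfscript": build_cfscript(files, keys)}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG)["cfscript"])
```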

mystyflwr
2007-12-15, 01:19
Hope I did this right.

ComboFix 07-12-12.3 - ofoor 2007-12-14 15:04:17.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.135 [GMT -8:00]
Running from: C:\Documents and Settings\ofoor\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ofoor\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-11-14 to 2007-12-14 )))))))))))))))))))))))))))))))
.

2007-12-07 23:03 . 2007-12-07 23:03 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-06 02:41 . 2007-08-20 02:04 6,058,496 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-12-06 02:41 . 2007-04-17 01:32 2,455,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dat
2007-12-06 02:41 . 2007-03-07 21:10 991,232 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll.mui
2007-12-06 02:41 . 2007-08-20 02:04 459,264 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-12-06 02:41 . 2007-08-20 02:04 383,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-12-06 02:41 . 2007-08-20 02:04 267,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-12-06 02:41 . 2007-08-20 02:04 63,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-12-06 02:41 . 2007-08-20 02:04 52,224 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-12-06 02:41 . 2007-08-17 02:20 13,824 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-12-06 02:28 . 2007-12-06 02:30 <DIR> d-------- C:\de4829dd77365fae207638b3625e35
2007-12-06 02:00 . 2007-12-06 02:00 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-06 01:59 . 2007-12-06 01:59 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-12-04 11:49 . 2007-12-04 11:49 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-12-04 11:49 . 2007-12-04 11:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-04 10:53 . 2007-12-04 10:53 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-20 13:31 . 2007-11-20 13:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-20 13:24 . 2007-11-20 13:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-19 10:54 . 2007-11-19 10:54 5,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\MS1000.sys
2007-11-19 10:53 . 2007-11-19 12:33 <DIR> d-------- C:\Program Files\The Cleaner Free
2007-11-15 10:14 . 2007-11-15 10:14 <DIR> d-------- C:\Documents and Settings\ofoor\Application Data\AVG7
2007-11-14 12:19 . 2007-11-14 13:55 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-14 12:19 . 2007-11-14 12:19 9,216 --a------ C:\WINDOWS\SYSTEM32\avgwlntf.dll
2007-11-14 12:18 . 2007-11-14 12:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-14 10:32 . 2007-11-14 10:32 <DIR> d-------- C:\tektegrity
2007-11-14 10:32 . 2007-11-14 10:32 <DIR> d-------- C:\Program Files\RealVNC
2007-11-14 10:32 . 2007-11-14 10:32 82,432 --a------ C:\WINDOWS\SYSTEM32\msxml4r.dll
2007-11-14 10:32 . 2007-11-14 10:32 44,544 --a------ C:\WINDOWS\SYSTEM32\msxml4a.dll
2007-11-14 10:23 . 2007-11-14 10:23 <DIR> d-------- C:\Program Files\Tektegrity
2007-11-14 10:23 . 2007-05-18 19:23 122,880 --a------ C:\WINDOWS\SYSTEM32\kaseyasp.dll
2007-11-14 10:23 . 2007-05-11 09:31 13,696 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\KaPFA.sys
2007-11-14 10:23 . 2006-12-28 09:57 6,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\KaseyaHA.sys
2007-11-14 08:59 . 2007-11-14 08:59 <DIR> d-------- C:\dd9b114365e7e356e3a9a7956efd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-14 23:09 3,713,056 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-13 23:31 43,868 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-13 14:45 1,368,052 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-06 11:17 --------- d-----w C:\Program Files\Yahoo!
2007-12-06 11:17 --------- d-----w C:\Program Files\Common Files\Scanner
2007-12-06 11:17 --------- d-----w C:\Documents and Settings\ofoor\Application Data\Yahoo!
2007-12-06 11:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-12-06 11:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-20 21:31 --------- d-----w C:\Program Files\Lavasoft
2007-11-20 21:27 --------- d-----w C:\Documents and Settings\ofoor\Application Data\Lavasoft
2007-11-16 18:27 --------- d-----w C:\Program Files\RogueRemover FREE
2007-11-14 21:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-11 02:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-11 01:47 --------- d-----w C:\Program Files\iolo
2007-11-08 14:36 426,242 --sha-w C:\WINDOWS\SYSTEM32\ppqss.bak2
2007-11-07 21:26 --------- d-----w C:\Documents and Settings\ofoor\Application Data\U3
2007-11-07 18:21 6,465 --sha-w C:\WINDOWS\SYSTEM32\ppqss.bak1
2007-11-07 18:10 117 ----a-w C:\Documents and Settings\ofoor\mit.bat
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2005-03-10 18:20 561,152 -c--a-w C:\Documents and Settings\ofoor\chatlnk.exe
.

((((((((((((((((((((((((((((( snapshot_2007-12-06_23.48.15.26 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-27 11:58:11 140,288 ----a-w C:\WINDOWS\catchme.exe
+ 2007-12-10 03:04:27 142,336 ----a-w C:\WINDOWS\catchme.exe
+ 2004-08-04 07:56:43 25,088 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mslbui.dll
+ 2004-08-04 07:56:46 43,520 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wbemsvc.dll
+ 2006-12-04 22:37:58 1,317,648 ----a-w C:\WINDOWS\SYSTEM32\msxml6.dll
+ 2006-10-05 12:31:10 79,872 ----a-w C:\WINDOWS\SYSTEM32\msxml6r.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02e7ee48-9259-44e1-b2e6-2c7e230c7be2}]
C:\WINDOWS\system32\fiysrtl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9af47d57-936a-44d9-a4e7-1df3a8a40c6d}]
C:\WINDOWS\system32\suhkasmr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA52D46B-0209-40DF-8E17-015B090BCBDC}]
C:\WINDOWS\system32\ssqpp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 06:59]
"System Mechanic Popup Stopper"="C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe" [2004-10-26 15:39]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\SYSTEM32\rundll32.exe]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 17:12]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-12 22:01]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 10:35]
"ADUserMon"="C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 15:39]
"Iomega Drive Icons"="C:\Program Files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 13:30]
"Deskup"="C:\Program Files\Iomega\DriveIcons\deskup.exe" [2002-07-16 09:55]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2005-04-08 10:18]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 10:37]
"OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe" [2005-03-13 19:21]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-04-14 23:11]
"Kaseya Agent Service Helper"="c:\Program Files\Tektegrity\Client\Agent\KaUsrTsk.exe" [2007-06-04 20:04]

C:\Documents and Settings\jeff.BILLING_01\Start Menu\Programs\Startup\
Shortcut to MAP F.lnk - C:\MAP F.BAT [2004-04-30 15:55:03]

C:\Documents and Settings\ofoor\Start Menu\Programs\Startup\
LaunchU3.exe.lnk - C:\Documents and Settings\ofoor\Application Data\Microsoft\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2006-11-26 12:37:21]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - C:\WINDOWS\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2006-08-01 15:04:19]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2007-11-14 12:19 9216 C:\WINDOWS\SYSTEM32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxvwvu]
cbxvwvu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\coytxylu]
coytxylu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrkq32]
winrkq32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
RUNDLL32.exe C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll,cdaEngineMain

R2 KaseyaAgent;TekTegrity Agent;"c:\Program Files\Tektegrity\Client\Agent\AgentMon.exe" -s
R2 KaseyaAVService;Kaseya Security Service;"c:\Program Files\Tektegrity\Client\Agent\KasAVSrv.exe" -s
R3 KAPFA;KAPFA;\??\C:\WINDOWS\system32\drivers\KAPFA.SYS
S3 MS1000;MS1000;C:\WINDOWS\system32\DRIVERS\MS1000.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a432314-4ca7-11db-bf3f-000cf1e4889b}]
\Shell\AutoRun\command - E:\LaunchU3.exe

*Newly Created Service* - KASEYAAVSERVICE
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-14 15:10:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-14 15:13:45
C:\ComboFix2.txt ... 2007-12-13 14:38
C:\ComboFix3.txt ... 2007-12-12 14:41
.
2007-11-14 17:21:55 --- E O F ---

mystyflwr
2007-12-15, 01:21
HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:19, on 2007-12-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
c:\Program Files\Tektegrity\Client\Agent\AgentMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\mmlweb.exe
c:\Program Files\Tektegrity\Client\Agent\KasAVSrv.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Tektegrity\Client\Agent\KaUsrTsk.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: (no name) - {02e7ee48-9259-44e1-b2e6-2c7e230c7be2} - C:\WINDOWS\system32\fiysrtl.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: {d6c04a8a-3fd1-7e4a-9d44-a63975d74fa9} - {9af47d57-936a-44d9-a4e7-1df3a8a40c6d} - C:\WINDOWS\system32\suhkasmr.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {BA52D46B-0209-40DF-8E17-015B090BCBDC} - C:\WINDOWS\system32\ssqpp.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Kaseya Agent Service Helper] c:\Program Files\Tektegrity\Client\Agent\KaUsrTsk.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: LaunchU3.exe.lnk = ?
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195060347187
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://tsm.tektegrity.com/inc/kaxRemote.dll
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SurgCenter.local
O17 - HKLM\Software\..\Telephony: DomainName = SurgCenter.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD0C18CD-2069-47C8-86C5-827E4183EC34}: NameServer = 192.168.1.20,216.111.116.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SurgCenter.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SurgCenter.local
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: cbxvwvu - cbxvwvu.dll (file missing)
O20 - Winlogon Notify: coytxylu - coytxylu.dll (file missing)
O20 - Winlogon Notify: winrkq32 - winrkq32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: TekTegrity Agent (KaseyaAgent) - Kaseya - c:\Program Files\Tektegrity\Client\Agent\AgentMon.exe
O23 - Service: Kaseya Security Service (KaseyaAVService) - Unknown owner - c:\Program Files\Tektegrity\Client\Agent\KasAVSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 11394 bytes

Shaba
2007-12-15, 11:58
Hi

Did you copy/paste everything in the quote box to CFScript.txt?

mystyflwr
2007-12-18, 00:37
I guess I didn't. I will try again. Please understand, I'm a novice to this stuff. :oops:

mystyflwr
2007-12-18, 00:45
Is this what it is supposed to look like?

C:\WINDOWS\SYSTEM32\ppqss.bak2
C:\WINDOWS\SYSTEM32\ppqss.bak1
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02e7ee48-9259-44e1-b2e6-2c7e230c7be2}]
C:\WINDOWS\system32\fiysrtl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9af47d57-936a-44d9-a4e7-1df3a8a40c6d}]
C:\WINDOWS\system32\suhkasmr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA52D46B-0209-40DF-8E17-015B090BCBDC}]
C:\WINDOWS\system32\ssqpp.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxvwvu]
cbxvwvu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\coytxylu]
coytxylu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrkq32]
winrkq32.dll

Shaba
2007-12-18, 14:29
Hi

1. Open Notepad.

2. Copy/paste all text below into Notepad:

File::
C:\WINDOWS\SYSTEM32\ppqss.bak2
C:\WINDOWS\SYSTEM32\ppqss.bak1

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02e7ee48-9259-44e1-b2e6-2c7e230c7be2}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9af47d57-936a-44d9-a4e7-1df3a8a40c6d}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA52D46B-0209-40DF-8E17-015B090BCBDC}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxvwvu]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\coytxylu]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrkq32]

3. Save file as CFScript to Desktop.

4. Drag and drop CFScript to Combofix as in picture above.

If there are still problems, please ask :)
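The CFScript in the post above was assembled by hand from the ComboFix and HijackThis logs: every O2 (BHO) and O20 (Winlogon Notify) entry whose DLL HijackThis reports as "(file missing)" is a load point left in the registry after the file itself was removed, and each one becomes a `[-key]` deletion. The Python below is an added example that automates that triage step; it is not code from the thread, from ComboFix or from HijackThis. The sample log lines are constructed from entries seen in this thread, the key prefixes are copied verbatim from the posted CFScript (including ComboFix's own `~` abbreviation of the BHO key), and the only thing assumed about the CFScript format is the layout shown in the post: an optional `File::` list followed by `Registry::` with `[-key]` lines.

```python
import re
from dataclasses import dataclass

# Constructed sample: HijackThis lines modelled on the ones posted in this thread.
# Two legitimate entries (Adobe BHO, AVG Winlogon Notify) sit beside three orphaned
# load points whose DLL HijackThis reports missing, plus an unrelated O4 line.
SAMPLE_HJT = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {02e7ee48-9259-44e1-b2e6-2c7e230c7be2} - C:\\WINDOWS\\system32\\fiysrtl.dll (file missing)
O2 - BHO: (no name) - {BA52D46B-0209-40DF-8E17-015B090BCBDC} - C:\\WINDOWS\\system32\\ssqpp.dll (file missing)
O20 - Winlogon Notify: avgwlntf - C:\\WINDOWS\\SYSTEM32\\avgwlntf.dll
O20 - Winlogon Notify: cbxvwvu - cbxvwvu.dll (file missing)
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""

# HijackThis line shapes for BHOs (O2) and Winlogon Notify packages (O20).
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
NOTIFY_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)

# Key prefixes exactly as written in the CFScript posted in this thread. The "~" is
# ComboFix's own abbreviation of the Explorer BHO key and is deliberately left as-is.
BHO_KEY = "HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\"
NOTIFY_KEY = "HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\"


@dataclass
class Orphan:
    kind: str   # "BHO" or "WinlogonNotify"
    key: str    # registry key that still references the missing DLL
    path: str   # DLL path HijackThis printed for the entry


def find_orphaned_loaders(hjt_text):
    """Return BHO / Winlogon Notify load points whose DLL is reported '(file missing)'."""
    found = []
    for line in hjt_text.splitlines():
        m = BHO_RE.match(line)
        if m and m.group("missing"):
            found.append(Orphan("BHO", BHO_KEY + m.group("clsid"), m.group("path")))
            continue
        m = NOTIFY_RE.match(line)
        if m and m.group("missing"):
            found.append(Orphan("WinlogonNotify", NOTIFY_KEY + m.group("name"), m.group("path")))
    return found


def build_cfscript(orphans, files=()):
    """Render the layout used in the thread: optional File:: list, then Registry:: deletions."""
    lines = []
    if files:
        lines.append("File::")
        lines.extend(files)
        lines.append("")
    lines.append("Registry::")
    for orphan in orphans:
        lines.append("[-" + orphan.key + "]")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    orphans = find_orphaned_loaders(SAMPLE_HJT)
    for o in orphans:
        print(f"{o.kind:15} {o.path}  ->  {o.key}")
    print()
    # File:: entries are passed in by the analyst; these two are taken from the thread.
    print(build_cfscript(orphans, files=["C:\\WINDOWS\\SYSTEM32\\ppqss.bak2",
                                         "C:\\WINDOWS\\SYSTEM32\\ppqss.bak1"]))
```

A "(file missing)" entry is a candidate for cleanup, not a verdict: a legitimately uninstalled program can leave the same kind of stale key behind, so the generated script is a starting point to review against the rest of the log, exactly as the helper does in this thread before posting the CFScript.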

mystyflwr
2007-12-22, 01:01
Copied and pasted

ComboFix 07-12-12.3 - ofoor 2007-12-21 14:35:03.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.132 [GMT -8:00]
Running from: C:\Documents and Settings\ofoor\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ofoor\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-11-21 to 2007-12-21 )))))))))))))))))))))))))))))))
.

2007-12-07 23:03 . 2007-12-07 23:03 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-06 02:41 . 2007-08-20 02:04 6,058,496 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-12-06 02:41 . 2007-04-17 01:32 2,455,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dat
2007-12-06 02:41 . 2007-03-07 21:10 991,232 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll.mui
2007-12-06 02:41 . 2007-08-20 02:04 459,264 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-12-06 02:41 . 2007-08-20 02:04 383,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-12-06 02:41 . 2007-08-20 02:04 267,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-12-06 02:41 . 2007-08-20 02:04 63,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-12-06 02:41 . 2007-08-20 02:04 52,224 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-12-06 02:41 . 2007-08-17 02:20 13,824 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-12-06 02:28 . 2007-12-06 02:30 <DIR> d-------- C:\de4829dd77365fae207638b3625e35
2007-12-06 02:00 . 2007-12-06 02:00 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-06 01:59 . 2007-12-06 01:59 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-12-04 11:49 . 2007-12-04 11:49 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-12-04 11:49 . 2007-12-04 11:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-04 10:53 . 2007-12-04 10:53 <DIR> d-------- C:\Program Files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-21 22:40 4,124,704 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-20 23:32 48,020 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-13 14:45 1,368,052 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-06 11:17 --------- d-----w C:\Program Files\Yahoo!
2007-12-06 11:17 --------- d-----w C:\Program Files\Common Files\Scanner
2007-12-06 11:17 --------- d-----w C:\Documents and Settings\ofoor\Application Data\Yahoo!
2007-12-06 11:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-12-06 11:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-20 21:31 --------- d-----w C:\Program Files\Lavasoft
2007-11-20 21:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-20 21:27 --------- d-----w C:\Documents and Settings\ofoor\Application Data\Lavasoft
2007-11-20 21:24 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-19 20:33 --------- d-----w C:\Program Files\The Cleaner Free
2007-11-19 18:54 5,376 ----a-w C:\WINDOWS\system32\drivers\MS1000.sys
2007-11-16 18:27 --------- d-----w C:\Program Files\RogueRemover FREE
2007-11-15 18:14 --------- d-----w C:\Documents and Settings\ofoor\Application Data\AVG7
2007-11-14 21:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-14 21:55 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-14 20:19 9,216 ----a-w C:\WINDOWS\SYSTEM32\avgwlntf.dll
2007-11-14 20:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-14 18:32 82,432 ----a-w C:\WINDOWS\SYSTEM32\msxml4r.dll
2007-11-14 18:32 44,544 ----a-w C:\WINDOWS\SYSTEM32\msxml4a.dll
2007-11-14 18:32 --------- d-----w C:\Program Files\RealVNC
2007-11-14 18:23 --------- d-----w C:\Program Files\Tektegrity
2007-11-11 02:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-11 01:47 --------- d-----w C:\Program Files\iolo
2007-11-08 14:36 426,242 --sha-w C:\WINDOWS\SYSTEM32\ppqss.bak2
2007-11-07 21:26 --------- d-----w C:\Documents and Settings\ofoor\Application Data\U3
2007-11-07 18:21 6,465 --sha-w C:\WINDOWS\SYSTEM32\ppqss.bak1
2007-11-07 18:10 117 ----a-w C:\Documents and Settings\ofoor\mit.bat
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2005-03-10 18:20 561,152 -c--a-w C:\Documents and Settings\ofoor\chatlnk.exe
.

((((((((((((((((((((((((((((( snapshot_2007-12-06_23.48.15.26 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-27 11:58:11 140,288 ----a-w C:\WINDOWS\catchme.exe
+ 2007-12-10 03:04:27 142,336 ----a-w C:\WINDOWS\catchme.exe
+ 2004-08-04 07:56:43 25,088 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mslbui.dll
+ 2004-08-04 07:56:46 43,520 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wbemsvc.dll
- 2007-11-14 20:19:29 3,968 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgclean.sys
+ 2007-12-20 15:02:14 10,760 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgclean.sys
- 2007-11-14 20:38:19 19,904 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgmfx86.sys
+ 2007-12-20 15:01:54 26,952 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgmfx86.sys
+ 2006-12-04 22:37:58 1,317,648 ----a-w C:\WINDOWS\SYSTEM32\msxml6.dll
+ 2006-10-05 12:31:10 79,872 ----a-w C:\WINDOWS\SYSTEM32\msxml6r.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02e7ee48-9259-44e1-b2e6-2c7e230c7be2}]
C:\WINDOWS\system32\fiysrtl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9af47d57-936a-44d9-a4e7-1df3a8a40c6d}]
C:\WINDOWS\system32\suhkasmr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA52D46B-0209-40DF-8E17-015B090BCBDC}]
C:\WINDOWS\system32\ssqpp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 06:59]
"System Mechanic Popup Stopper"="C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe" [2004-10-26 15:39]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\SYSTEM32\rundll32.exe]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 17:12]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-12 22:01]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 10:35]
"ADUserMon"="C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 15:39]
"Iomega Drive Icons"="C:\Program Files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 13:30]
"Deskup"="C:\Program Files\Iomega\DriveIcons\deskup.exe" [2002-07-16 09:55]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2005-04-08 10:18]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 10:37]
"OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe" [2005-03-13 19:21]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-04-14 23:11]
"Kaseya Agent Service Helper"="c:\Program Files\Tektegrity\Client\Agent\KaUsrTsk.exe" [2007-06-04 20:04]

C:\Documents and Settings\jeff.BILLING_01\Start Menu\Programs\Startup\
Shortcut to MAP F.lnk - C:\MAP F.BAT [2004-04-30 15:55:03]

C:\Documents and Settings\ofoor\Start Menu\Programs\Startup\
LaunchU3.exe.lnk - C:\Documents and Settings\ofoor\Application Data\Microsoft\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2006-11-26 12:37:21]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - C:\WINDOWS\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2006-08-01 15:04:19]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2007-11-14 12:19 9216 C:\WINDOWS\SYSTEM32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxvwvu]
cbxvwvu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\coytxylu]
coytxylu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrkq32]
winrkq32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
RUNDLL32.exe C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll,cdaEngineMain

R2 KaseyaAgent;TekTegrity Agent;"c:\Program Files\Tektegrity\Client\Agent\AgentMon.exe" -s
R2 KaseyaAVService;Kaseya Security Service;"c:\Program Files\Tektegrity\Client\Agent\KasAVSrv.exe" -s
S3 MS1000;MS1000;C:\WINDOWS\system32\DRIVERS\MS1000.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a432314-4ca7-11db-bf3f-000cf1e4889b}]
\Shell\AutoRun\command - E:\LaunchU3.exe

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-21 14:40:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-21 14:42:34
C:\ComboFix2.txt ... 2007-12-14 15:13
C:\ComboFix3.txt ... 2007-12-13 14:38
.
2007-11-14 17:21:55 --- E O F ---

mystyflwr
2007-12-22, 01:07
Here is a new HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:06, on 2007-12-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
c:\Program Files\Tektegrity\Client\Agent\AgentMon.exe
c:\Program Files\Tektegrity\Client\Agent\KasAVSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\mmlweb.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Tektegrity\Client\Agent\KaUsrTsk.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: (no name) - {02e7ee48-9259-44e1-b2e6-2c7e230c7be2} - C:\WINDOWS\system32\fiysrtl.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: {d6c04a8a-3fd1-7e4a-9d44-a63975d74fa9} - {9af47d57-936a-44d9-a4e7-1df3a8a40c6d} - C:\WINDOWS\system32\suhkasmr.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {BA52D46B-0209-40DF-8E17-015B090BCBDC} - C:\WINDOWS\system32\ssqpp.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Kaseya Agent Service Helper] c:\Program Files\Tektegrity\Client\Agent\KaUsrTsk.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1336872296-958668538-1425031988-1008\..\Run: [Sonic RecordNow!] (User '?')
O4 - HKUS\S-1-5-21-1336872296-958668538-1425031988-1008\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1336872296-958668538-1425031988-1008\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet (User '?')
O4 - HKUS\S-1-5-21-790525478-688789844-839522115-1129\..\Run: [Sonic RecordNow!] (User '?')
O4 - HKUS\S-1-5-21-790525478-688789844-839522115-1607\..\Run: [Sonic RecordNow!] (User '?')
O4 - S-1-5-21-1336872296-958668538-1425031988-1008 Startup: Shortcut to MAP F.lnk = C:\MAP F.BAT (User '?')
O4 - S-1-5-21-790525478-688789844-839522115-1129 Startup: CPWin.lnk = cpwin\CPWin.exe (User '?')
O4 - S-1-5-21-790525478-688789844-839522115-1129 Startup: PowerReg Scheduler V3.exe (User '?')
O4 - Startup: LaunchU3.exe.lnk = ?
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195060347187
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://tsm.tektegrity.com/inc/kaxRemote.dll
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SurgCenter.local
O17 - HKLM\Software\..\Telephony: DomainName = SurgCenter.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD0C18CD-2069-47C8-86C5-827E4183EC34}: NameServer = 192.168.1.20,216.111.116.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SurgCenter.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SurgCenter.local
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: cbxvwvu - cbxvwvu.dll (file missing)
O20 - Winlogon Notify: coytxylu - coytxylu.dll (file missing)
O20 - Winlogon Notify: winrkq32 - winrkq32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: TekTegrity Agent (KaseyaAgent) - Kaseya - c:\Program Files\Tektegrity\Client\Agent\AgentMon.exe
O23 - Service: Kaseya Security Service (KaseyaAVService) - Unknown owner - c:\Program Files\Tektegrity\Client\Agent\KasAVSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 12166 bytes
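
An added triage script for logs like the one above (not code from the thread or from HijackThis; the sample lines are copied from that log). Rather than reading every line by eye, it flags the two entry types that carry the infection here: O2 BHOs and O20 Winlogon Notify handlers whose DLL is reported missing, has no display name, or has a random-looking name, plus any O17 NameServer that is not a private address. The indicators are heuristics: the "random-looking name" test alone also trips on AVG's legitimate avgwlntf.dll, which is why an entry needs at least two indicators to be reported, and a public DNS server is something to verify against what the ISP or domain actually uses, not a verdict.

```python
"""Flag suspicious load points in a HijackThis log (added example)."""
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample: lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {02e7ee48-9259-44e1-b2e6-2c7e230c7be2} - C:\WINDOWS\system32\fiysrtl.dll (file missing)
O2 - BHO: {d6c04a8a-3fd1-7e4a-9d44-a63975d74fa9} - {9af47d57-936a-44d9-a4e7-1df3a8a40c6d} - C:\WINDOWS\system32\suhkasmr.dll (file missing)
O2 - BHO: (no name) - {BA52D46B-0209-40DF-8E17-015B090BCBDC} - C:\WINDOWS\system32\ssqpp.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD0C18CD-2069-47C8-86C5-827E4183EC34}: NameServer = 192.168.1.20,216.111.116.1
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: cbxvwvu - cbxvwvu.dll (file missing)
O20 - Winlogon Notify: coytxylu - coytxylu.dll (file missing)
O20 - Winlogon Notify: winrkq32 - winrkq32.dll (file missing)
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
DNS_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.*)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
MISSING = "(file missing)"


@dataclass
class Finding:
    kind: str          # "O2", "O20" or "O17"
    name: str          # BHO display name, Notify subkey, or the DNS server
    path: str
    indicators: tuple  # why the entry was reported


def longest_consonant_run(stem: str) -> int:
    """Longest run of consonant letters; digits and punctuation break a run.
    A crude 'looks randomly generated' signal, never used on its own."""
    best = run = 0
    for ch in stem.lower():
        if ch.isalpha() and ch not in "aeiou":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def basename_stem(path: str) -> str:
    """'C:\\WINDOWS\\system32\\ssqpp.dll (file missing)' -> 'ssqpp'."""
    name = path.replace(MISSING, "").strip().rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0]


def score_load_point(kind: str, name: str, path: str) -> tuple:
    indicators = []
    if MISSING in path:
        indicators.append("file missing")
    if kind == "O2" and (name == "(no name)" or GUID_RE.match(name)):
        indicators.append("anonymous BHO")
    if kind == "O20" and "\\" not in path.replace(MISSING, "").strip():
        indicators.append("bare filename")   # registry holds only a DLL name
    if longest_consonant_run(basename_stem(path)) >= 5:
        indicators.append("random-looking name")
    return tuple(indicators)


def triage(log_text: str, threshold: int = 2) -> list:
    """Return load points with at least `threshold` indicators, plus any
    NameServer entry that is not a private (RFC 1918) address."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = BHO_RE.match(line) or NOTIFY_RE.match(line)
        if m:
            kind = line.split(" - ", 1)[0]
            indicators = score_load_point(kind, m["name"], m["path"])
            if len(indicators) >= threshold:
                findings.append(Finding(kind, m["name"], m["path"], indicators))
            continue
        m = DNS_RE.match(line)
        if m:
            for server in (s.strip() for s in m["servers"].split(",")):
                try:
                    public = not ip_address(server).is_private
                except ValueError:
                    continue
                if public:
                    findings.append(Finding("O17", server, line, ("public DNS server",)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:4} {basename_stem(f.path) if f.kind != 'O17' else f.name:12} {', '.join(f.indicators)}")
```

A load point whose file is reported missing is either a leftover from an earlier partial cleanup or points at a file the tool could not see; in both cases the entry itself should go, which is what the fix scripts in this thread do.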

mystyflwr
2007-12-22, 01:25
UPDATE
I think this is what you wanted.

ComboFix 07-12-12.3 - ofoor 2007-12-21 15:13:24.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.101 [GMT -8:00]
Running from: C:\Documents and Settings\ofoor\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ofoor\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\SYSTEM32\ppqss.bak1
C:\WINDOWS\SYSTEM32\ppqss.bak2
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\ppqss.bak1
C:\WINDOWS\SYSTEM32\ppqss.bak2

.
((((((((((((((((((((((((( Files Created from 2007-11-21 to 2007-12-21 )))))))))))))))))))))))))))))))
.

2007-12-07 23:03 . 2007-12-07 23:03 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-06 02:41 . 2007-08-20 02:04 6,058,496 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-12-06 02:41 . 2007-04-17 01:32 2,455,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dat
2007-12-06 02:41 . 2007-03-07 21:10 991,232 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll.mui
2007-12-06 02:41 . 2007-08-20 02:04 459,264 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-12-06 02:41 . 2007-08-20 02:04 383,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-12-06 02:41 . 2007-08-20 02:04 267,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-12-06 02:41 . 2007-08-20 02:04 63,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-12-06 02:41 . 2007-08-20 02:04 52,224 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-12-06 02:41 . 2007-08-17 02:20 13,824 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-12-06 02:28 . 2007-12-06 02:30 <DIR> d-------- C:\de4829dd77365fae207638b3625e35
2007-12-06 02:00 . 2007-12-06 02:00 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-06 01:59 . 2007-12-06 01:59 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-12-04 11:49 . 2007-12-04 11:49 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-12-04 11:49 . 2007-12-04 11:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-04 10:53 . 2007-12-04 10:53 <DIR> d-------- C:\Program Files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-21 23:18 4,147,232 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-20 23:32 48,020 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-13 14:45 1,368,052 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-06 11:17 --------- d-----w C:\Program Files\Yahoo!
2007-12-06 11:17 --------- d-----w C:\Program Files\Common Files\Scanner
2007-12-06 11:17 --------- d-----w C:\Documents and Settings\ofoor\Application Data\Yahoo!
2007-12-06 11:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-12-06 11:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-20 21:31 --------- d-----w C:\Program Files\Lavasoft
2007-11-20 21:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-20 21:27 --------- d-----w C:\Documents and Settings\ofoor\Application Data\Lavasoft
2007-11-20 21:24 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-19 20:33 --------- d-----w C:\Program Files\The Cleaner Free
2007-11-19 18:54 5,376 ----a-w C:\WINDOWS\system32\drivers\MS1000.sys
2007-11-16 18:27 --------- d-----w C:\Program Files\RogueRemover FREE
2007-11-15 18:14 --------- d-----w C:\Documents and Settings\ofoor\Application Data\AVG7
2007-11-14 21:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-14 21:55 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-14 20:19 9,216 ----a-w C:\WINDOWS\SYSTEM32\avgwlntf.dll
2007-11-14 20:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-14 18:32 82,432 ----a-w C:\WINDOWS\SYSTEM32\msxml4r.dll
2007-11-14 18:32 44,544 ----a-w C:\WINDOWS\SYSTEM32\msxml4a.dll
2007-11-14 18:32 --------- d-----w C:\Program Files\RealVNC
2007-11-14 18:23 --------- d-----w C:\Program Files\Tektegrity
2007-11-11 02:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-11 01:47 --------- d-----w C:\Program Files\iolo
2007-11-07 21:26 --------- d-----w C:\Documents and Settings\ofoor\Application Data\U3
2007-11-07 18:10 117 ----a-w C:\Documents and Settings\ofoor\mit.bat
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2005-03-10 18:20 561,152 -c--a-w C:\Documents and Settings\ofoor\chatlnk.exe
.

((((((((((((((((((((((((((((( snapshot_2007-12-06_23.48.15.26 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-27 11:58:11 140,288 ----a-w C:\WINDOWS\catchme.exe
+ 2007-12-10 03:04:27 142,336 ----a-w C:\WINDOWS\catchme.exe
+ 2004-08-04 07:56:43 25,088 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mslbui.dll
+ 2004-08-04 07:56:46 43,520 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wbemsvc.dll
- 2007-11-14 20:19:29 3,968 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgclean.sys
+ 2007-12-20 15:02:14 10,760 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgclean.sys
- 2007-11-14 20:38:19 19,904 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgmfx86.sys
+ 2007-12-20 15:01:54 26,952 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgmfx86.sys
+ 2006-12-04 22:37:58 1,317,648 ----a-w C:\WINDOWS\SYSTEM32\msxml6.dll
+ 2006-10-05 12:31:10 79,872 ----a-w C:\WINDOWS\SYSTEM32\msxml6r.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 06:59]
"System Mechanic Popup Stopper"="C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe" [2004-10-26 15:39]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\SYSTEM32\rundll32.exe]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 17:12]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-12 22:01]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 10:35]
"ADUserMon"="C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 15:39]
"Iomega Drive Icons"="C:\Program Files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 13:30]
"Deskup"="C:\Program Files\Iomega\DriveIcons\deskup.exe" [2002-07-16 09:55]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2005-04-08 10:18]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 10:37]
"OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe" [2005-03-13 19:21]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-04-14 23:11]
"Kaseya Agent Service Helper"="c:\Program Files\Tektegrity\Client\Agent\KaUsrTsk.exe" [2007-06-04 20:04]

C:\Documents and Settings\jeff.BILLING_01\Start Menu\Programs\Startup\
Shortcut to MAP F.lnk - C:\MAP F.BAT [2004-04-30 15:55:03]

C:\Documents and Settings\ofoor\Start Menu\Programs\Startup\
LaunchU3.exe.lnk - C:\Documents and Settings\ofoor\Application Data\Microsoft\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2006-11-26 12:37:21]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - C:\WINDOWS\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2006-08-01 15:04:19]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2007-11-14 12:19 9216 C:\WINDOWS\SYSTEM32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
RUNDLL32.exe C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll,cdaEngineMain

R2 KaseyaAgent;TekTegrity Agent;"c:\Program Files\Tektegrity\Client\Agent\AgentMon.exe" -s
R2 KaseyaAVService;Kaseya Security Service;"c:\Program Files\Tektegrity\Client\Agent\KasAVSrv.exe" -s
S3 MS1000;MS1000;C:\WINDOWS\system32\DRIVERS\MS1000.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a432314-4ca7-11db-bf3f-000cf1e4889b}]
\Shell\AutoRun\command - E:\LaunchU3.exe

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-21 15:18:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\NavLogon.dll
.
Completion time: 2007-12-21 15:20:28
C:\ComboFix2.txt ... 2007-12-21 14:42
C:\ComboFix3.txt ... 2007-12-14 15:13
.
2007-11-14 17:21:55 --- E O F ---

Shaba
2007-12-22, 11:57
Hi

Yes, the latter is correct :)

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky; click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases

Click OK
Now, under Select a target to scan, select My Computer
The scan will take a while, so be patient and let it run. Once the scan is complete it will display whether your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

Note: This scanner will work with Internet Explorer Only!

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.

Post:

- a fresh HijackThis log
- kaspersky report

mystyflwr
2007-12-27, 02:11
Kaspersky Report

------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
December 26, 2007 4:08:05 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 26/12/2007
Kaspersky Anti-Virus database records: 494953
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
F:\
R:\
T:\

Scan Statistics:
Total number of scanned objects: 67158
Number of viruses found: 3
Number of infected objects: 8
Number of suspicious objects: 0
Duration of the scan process: 01:25:46

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0EF40000.VBN/core.sys Infected: Rootkit.Win32.Agent.mb skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0EF40000.VBN ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0EF40000.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0EF40001.VBN/core.sys Infected: Rootkit.Win32.Agent.mb skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0EF40001.VBN ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0EF40001.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\ofoor\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\ofoor\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\ofoor\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\ofoor\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\ofoor\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ofoor\Local Settings\History\History.IE5\MSHist012007122620071227\index.dat Object is locked skipped
C:\Documents and Settings\ofoor\Local Settings\Temp\jar_cache8657.tmp Object is locked skipped
C:\Documents and Settings\ofoor\Local Settings\Temp\jar_cache8658.tmp Object is locked skipped
C:\Documents and Settings\ofoor\Local Settings\Temp\jar_cache8659.tmp Object is locked skipped
C:\Documents and Settings\ofoor\Local Settings\Temp\jar_cache8660.tmp Object is locked skipped
C:\Documents and Settings\ofoor\Local Settings\Temp\jar_cache8661.tmp Object is locked skipped
C:\Documents and Settings\ofoor\Local Settings\Temp\jar_cache8662.tmp Object is locked skipped
C:\Documents and Settings\ofoor\Local Settings\Temp\jar_cache8663.tmp Object is locked skipped
C:\Documents and Settings\ofoor\Local Settings\Temp\jar_cache8664.tmp Object is locked skipped
C:\Documents and Settings\ofoor\Local Settings\Temp\jar_cache8665.tmp Object is locked skipped
C:\Documents and Settings\ofoor\Local Settings\Temp\jar_cache8667.tmp Object is locked skipped
C:\Documents and Settings\ofoor\Local Settings\Temp\jar_cache8668.tmp Object is locked skipped
C:\Documents and Settings\ofoor\Local Settings\Temp\jar_cache8669.tmp Object is locked skipped
C:\Documents and Settings\ofoor\Local Settings\Temp\jar_cache8670.tmp Object is locked skipped
C:\Documents and Settings\ofoor\Local Settings\Temp\jar_cache8671.tmp Object is locked skipped
C:\Documents and Settings\ofoor\Local Settings\Temp\jar_cache8672.tmp Object is locked skipped
C:\Documents and Settings\ofoor\Local Settings\Temp\jar_cache8673.tmp Object is locked skipped
C:\Documents and Settings\ofoor\Local Settings\Temp\Perflib_Perfdata_a98.dat Object is locked skipped
C:\Documents and Settings\ofoor\Local Settings\Temp\toolbox_healer8666.log Object is locked skipped
C:\Documents and Settings\ofoor\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\ofoor\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ofoor\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\ofoor\ntuser.dat.LOG Object is locked skipped
C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\Yahoo!\Messenger\logs\billing_ofoor.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\client_ofoor.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\GIPS.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\network_ofoor.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\p2pce.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\voice.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\YSDP.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\YSIP.log Object is locked skipped
C:\qoobox\Quarantine\C\Program Files\Online Services\profsyxymi.html.vir Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\PPPATC~1\nοtepad.exe.vir Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP22\A0007872.exe Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP42\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB833407$\bssym7.ttf Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\cmdevtgprov.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\xpsp2res.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\dao360.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\expsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msexch40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msexcl40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjet40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjetoledb40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjint40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjter40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjtes40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msltus40.dll Object is locked skipped

Scan process completed.

mystyflwr
2007-12-27, 02:12
HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:11:07 PM, on 12/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
c:\Program Files\Tektegrity\Client\Agent\AgentMon.exe
c:\Program Files\Tektegrity\Client\Agent\KasAVSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mmlweb.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Tektegrity\Client\Agent\KaUsrTsk.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Kaseya Agent Service Helper] c:\Program Files\Tektegrity\Client\Agent\KaUsrTsk.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: LaunchU3.exe.lnk = ?
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195060347187
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://tsm.tektegrity.com/inc/kaxRemote.dll
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SurgCenter.local
O17 - HKLM\Software\..\Telephony: DomainName = SurgCenter.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD0C18CD-2069-47C8-86C5-827E4183EC34}: NameServer = 192.168.1.20,216.111.116.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SurgCenter.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SurgCenter.local
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: TekTegrity Agent (KaseyaAgent) - Kaseya - c:\Program Files\Tektegrity\Client\Agent\AgentMon.exe
O23 - Service: Kaseya Security Service (KaseyaAVService) - Unknown owner - c:\Program Files\Tektegrity\Client\Agent\KasAVSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 10813 bytes
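
As an added example that is not part of this thread, a small Python parser for HijackThis log entries in the format shown above. It flags the entries a helper triages first: "(file missing)", "Unknown owner", "(no name)" and startup shortcuts whose target HijackThis could not resolve ("= ?"). The sample log is constructed to mirror the layout of the log above.

```python
import re

# Constructed sample in HijackThis v2 layout (not copied from any real scan).
SAMPLE_LOG = r"""O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Startup: LaunchU3.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
"""

# Every HijackThis entry starts with a section code (R0-R3, F0-F3, O1-O24).
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.*)$")


def parse_hjt(text):
    """Parse log text into dicts: section, body, and triage flags."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header lines, process list, blank lines
        section, body = m.group("section"), m.group("body")
        flags = []
        if "(file missing)" in body:
            flags.append("file missing")      # registry points at a deleted file
        if "Unknown owner" in body:
            flags.append("unknown owner")     # service binary without a vendor string
        if "(no name)" in body:
            flags.append("no name")           # BHO/button registered without a name
        if section == "O4" and body.rstrip().endswith("= ?"):
            flags.append("unresolved startup target")  # .lnk target not resolvable
        entries.append({"section": section, "body": body, "flags": flags})
    return entries


def review_candidates(entries):
    """Entries worth a second look: anything carrying at least one flag."""
    return [e for e in entries if e["flags"]]


if __name__ == "__main__":
    for e in review_candidates(parse_hjt(SAMPLE_LOG)):
        print(e["section"], "|", ", ".join(e["flags"]), "|", e["body"])
```

A flag is a prompt to check the entry, not a verdict: the O23 "Unknown owner" line above is the stock ASP.NET state service, which is why helpers read the path and vendor together.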

Shaba
2007-12-27, 15:38
Hi

Empty these folders:

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\
C:\qoobox\Quarantine

Empty Recycle Bin.

Still problems?

Shaba
2008-01-03, 11:43
Due to the lack of feedback, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

If it has been 10 days or more since your last post, and especially if the helper assisting you posted a response to that post to which you did not reply, the topic will not be reopened.

In that situation, if you still require help, it would be best to start a new topic and include a fresh HijackThis log with a link to your original thread.

Everyone else please begin a New Topic.