View Full Version : My first Virtumonde threat :(



Holo_Emiter
2007-12-22, 22:51
Ok, so somehow I got the Virtumonde. Spybot detected and deleted everything but virtumonde.dll.
Here's the info:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:27:42 PM, on 12/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\miwedebr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [kjatenmv] rundll32.exe "C:\Program Files\ferkjgpc\rurelgpg.dll",Init
O4 - HKLM\..\Run: [lknajgle] regsvr32 /u "C:\Documents and Settings\All Users.WINDOWS\Application Data\lknajgle.dll"
O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
O4 - HKLM\..\Run: [lufgtkjo] regsvr32 /u "C:\Documents and Settings\All Users.WINDOWS\Application Data\lufgtkjo.dll"
O4 - HKLM\..\Run: [ecc165e3] rundll32.exe "C:\WINDOWS\system32\itueclvq.dll",b
O4 - HKLM\..\RunOnce: [SpybotDeletingA5889] command /c del "C:\WINDOWS\system32\awvvt.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9181] cmd /c del "C:\WINDOWS\system32\awvvt.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6903] command /c del "C:\WINDOWS\system32\awvvt.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4943] cmd /c del "C:\WINDOWS\system32\awvvt.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9460] command /c del "C:\WINDOWS\system32\awvvt.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6890] cmd /c del "C:\WINDOWS\system32\awvvt.dll_tobedeleted"
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [DDC] C:\WINDOWS\system32\miwedebr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - .DEFAULT User Startup: CamTrack.lnk = C:\Program Files\DigitalPeers\CamTrack\camtrack.exe (User 'Default user')
O4 - Startup: CamTrack.lnk = C:\Program Files\DigitalPeers\CamTrack\camtrack.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191360247342
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191360238436
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\miwedebr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 9619 bytes

The Kaspersky Online Scanner report is WAY too long to post... way. If you need it please let me know.

Thank you to anyone who decides to help me. It will be greatly appreciated. I'll be patient and cooperative. Thanks again.

-H_E
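
Added here as a worked example, not code from the thread or from HijackThis itself: a small Python triage pass over the O4 (autostart) and O23 (service) lines quoted above, producing the shortlist a helper would look at first. The heuristics and reason strings are the editor's, and the sample lines are copied from the log in this post.

```python
import re

# Constructed sample: O4 (autostart) and O23 (service) lines taken from the
# HijackThis log quoted in the post above, mixed with benign entries for contrast.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [kjatenmv] rundll32.exe "C:\Program Files\ferkjgpc\rurelgpg.dll",Init
O4 - HKLM\..\Run: [lknajgle] regsvr32 /u "C:\Documents and Settings\All Users.WINDOWS\Application Data\lknajgle.dll"
O4 - HKLM\..\Run: [ecc165e3] rundll32.exe "C:\WINDOWS\system32\itueclvq.dll",b
O4 - HKCU\..\Run: [DDC] C:\WINDOWS\system32\miwedebr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\miwedebr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

# O4 registry Run entries: "O4 - <hive>\..\<key>: [<name>] <command>"
O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O23 services: "O23 - Service: <display name> - <vendor> - <path>". An empty
# vendor renders as " - - " in the log, hence the optional whitespace; a display
# name that itself contains " - " would need a smarter split.
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<vendor>.*?)\s?- (?P<path>.+)$')

# Heuristics (an analyst's, not HijackThis's own): the Run entries in this log
# that Spybot left behind used 8-letter lowercase names, were loaded through a
# host process, or pointed into a user-writable profile directory.
LOADERS = ("rundll32", "regsvr32")
RANDOM_NAME_RE = re.compile(r'^[a-z]{8}$')
USER_WRITABLE = ("\\application data\\", "\\documents and settings\\")


def extract_target(cmd):
    """Split a Run command into (loader, file): the DLL handed to rundll32/regsvr32,
    or the executable itself when no loader is involved."""
    work = cmd.strip()
    loader = None
    first = work.split(None, 1)[0].lower() if work else ""
    for candidate in LOADERS:
        if first.startswith(candidate):
            loader = candidate
            work = work.split(None, 1)[1] if " " in work else ""
            break
    quoted = re.search(r'"([^"]+)"', work)
    if quoted:
        return loader, quoted.group(1)
    bare = re.search(r'(\S+\.(?:exe|dll|sys))', work, re.IGNORECASE)
    return loader, (bare.group(1) if bare else work)


def common_checks(name, target):
    """Checks shared by Run entries and services; returns human-readable reasons."""
    reasons = []
    stem = target.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if RANDOM_NAME_RE.match(name):
        reasons.append(f"entry name {name!r} is an 8-letter lowercase string")
    if RANDOM_NAME_RE.match(stem):
        reasons.append(f"file name {stem!r} is an 8-letter lowercase string")
    if any(part in target.lower() for part in USER_WRITABLE):
        reasons.append("target lives under a user-writable profile directory")
    return reasons


def triage(log_text):
    """Return the O4/O23 lines that trip at least one heuristic, with the reasons.
    The output is a shortlist for a human to review, not a verdict."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            loader, target = extract_target(m.group("cmd"))
            reasons = [f"DLL loaded through {loader} host process"] if loader else []
            reasons += common_checks(m.group("name"), target)
            if reasons:
                findings.append({"kind": "O4", "name": m.group("name"),
                                 "target": target, "reasons": reasons})
            continue
        m = O23_RE.match(line)
        if m:
            reasons = [] if m.group("vendor").strip() else ["service has no vendor string"]
            reasons += common_checks(m.group("name"), m.group("path"))
            if reasons:
                findings.append({"kind": "O23", "name": m.group("name"),
                                 "target": m.group("path"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f['kind']} [{f['name']}] -> {f['target']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

The benign Symantec and ctfmon.exe entries pass through silently, while the five entries a helper would query in this log are flagged with the reason each one tripped.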

Simon V.
2007-12-23, 18:13
Hello, and welcome to the forum.

My name is Simon V., and I'll be glad to help you with your computer problems.

In the future, please run HijackThis in Normal Mode.

Step 1

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1). Double-click on ATF-Cleaner.exe to start the program.

Under the Main tab, put a check next to Select All.
Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)

If you use the Firefox browser:
Click on Firefox at the top and put a check next to Select All.
If you would like to keep your saved passwords, click No at the prompt.
Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)

If you use the Opera browser:
Click on Opera at the top and put a check next to Select All.
If you would like to keep your saved passwords, click No at the prompt.
Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)

Step 2

Please download Combofix:

From BleepingComputer (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
From InfoSpyware (http://www.forospyware.com/sUBs/ComboFix.exe)
From GeeksToGo (http://subs.geekstogo.com/ComboFix.exe)

Double-click on combofix.exe and follow the prompts.
When finished, it will produce a log for you. Save it to a convenient location.

Note: Do not mouse-click Combofix's window whilst it's running. That may cause it to stall.

Step 3

Please download and install CCleaner (http://www.ccleaner.com/download/builds/downloading-slim).

Open CCleaner. In the Left Pane, click Tools.
Verify that Uninstall is highlighted in color, or click on it.
In the lower right, click Save to Text File.
Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
You can leave the filename as install.txt.
Click Save.
Exit CCleaner by clicking on the X button in the upper right of the CCleaner window.

Step 4

In your next reply, please post:

the Combofix log (C:\Combofix.txt)
the CCleaner Uninstall List (install.txt)
a new HijackThis log

Holo_Emiter
2007-12-24, 07:20
ComboFix 07-12-21.4 - Brandon Ford 2007-12-23 22:12:05.1 - NTFSx86
Running from: C:\Documents and Settings\Brandon Ford\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.WINDOWS\Application Data.\hululyfq.dll
C:\Documents and Settings\Brandon Ford\Application Data\inst.exe
C:\Documents and Settings\Sir Brando\Application Data\FNTS~1
C:\Documents and Settings\Sir Brando\Application Data\inst.exe
C:\Documents and Settings\Sir Brando\Application Data\install.dat
C:\Documents and Settings\Sir Brando\Application Data\macromedia\Flash Player\#SharedObjects\RV9ABY42\www.broadcaster.com
C:\Documents and Settings\Sir Brando\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Sir Brando\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\Sir Brando\Desktop\Error Cleaner.url
C:\Documents and Settings\Sir Brando\Desktop\Privacy Protector.url
C:\Documents and Settings\Sir Brando\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\Sir Brando\Favorites\Error Cleaner.url
C:\Documents and Settings\Sir Brando\Favorites\Privacy Protector.url
C:\Documents and Settings\Sir Brando\Favorites\Spyware&Malware Protection.url
C:\Program Files\Common Files\crosof~1
C:\Program Files\Common Files\stem32~1
C:\Program Files\dobe~1
C:\Program Files\ferkjgpc
C:\Program Files\ferkjgpc\rurelgpg.dll
C:\Program Files\Gxgyikpb
C:\Program Files\Gxgyikpb\wxegbcku.dll
C:\Program Files\Nqwmibix
C:\Program Files\Nqwmibix\bcbhmfsf.dll
C:\Program Files\Puzvbnbq
C:\Program Files\Puzvbnbq\xnotfsnr.dll
C:\Program Files\screensavers.com
C:\Program Files\screensavers.com\Wallpaper\swpstart.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\adlnjktp.ini
C:\WINDOWS\system32\aghhlgtk.dll
C:\WINDOWS\system32\awvvt.dll
C:\WINDOWS\system32\gmpgrqhj.dll
C:\WINDOWS\system32\irwatwgh.dll
C:\WINDOWS\system32\itueclvq.dll
C:\WINDOWS\system32\iupqhwwr.dll
C:\WINDOWS\system32\njprckha
C:\WINDOWS\system32\njprckha\bg1.gif
C:\WINDOWS\system32\njprckha\bgtop.gif
C:\WINDOWS\system32\njprckha\bottom1.gif
C:\WINDOWS\system32\njprckha\essentials.gif
C:\WINDOWS\system32\njprckha\icon1.ico
C:\WINDOWS\system32\njprckha\install1.gif
C:\WINDOWS\system32\njprckha\left1.gif
C:\WINDOWS\system32\njprckha\li.gif
C:\WINDOWS\system32\njprckha\logo.gif
C:\WINDOWS\system32\njprckha\main.htm
C:\WINDOWS\system32\njprckha\mainframe.htm
C:\WINDOWS\system32\njprckha\njprckha1.exe
C:\WINDOWS\system32\njprckha\njprckha3.exe
C:\WINDOWS\system32\njprckha\reinstall1.gif
C:\WINDOWS\system32\njprckha\right1.gif
C:\WINDOWS\system32\njprckha\s1.htm
C:\WINDOWS\system32\njprckha\s2.htm
C:\WINDOWS\system32\njprckha\s3.htm
C:\WINDOWS\system32\njprckha\SMTop1.gif
C:\WINDOWS\system32\njprckha\SMTop2.gif
C:\WINDOWS\system32\njprckha\SMTop3.gif
C:\WINDOWS\system32\njprckha\SMTop4.gif
C:\WINDOWS\system32\njprckha\soft1_off.gif
C:\WINDOWS\system32\njprckha\soft1_off_ext.gif
C:\WINDOWS\system32\njprckha\soft1_on.gif
C:\WINDOWS\system32\njprckha\soft1_on_ext.gif
C:\WINDOWS\system32\njprckha\soft2_off.gif
C:\WINDOWS\system32\njprckha\soft2_off_ext.gif
C:\WINDOWS\system32\njprckha\soft2_on.gif
C:\WINDOWS\system32\njprckha\soft2_on_ext.gif
C:\WINDOWS\system32\njprckha\soft3_off.gif
C:\WINDOWS\system32\njprckha\soft3_off_ext.gif
C:\WINDOWS\system32\njprckha\soft3_on.gif
C:\WINDOWS\system32\njprckha\soft3_on_ext.gif
C:\WINDOWS\system32\njprckha\softbottom_off.gif
C:\WINDOWS\system32\njprckha\softbottom_on.gif
C:\WINDOWS\system32\njprckha\softleft_off.gif
C:\WINDOWS\system32\njprckha\softleft_on.gif
C:\WINDOWS\system32\njprckha\top1.gif
C:\WINDOWS\system32\njprckha\top2.gif
C:\WINDOWS\system32\njprckha\turnoff1.gif
C:\WINDOWS\system32\njprckha\turnon1.gif
C:\WINDOWS\system32\pirekydb.dll
C:\WINDOWS\system32\pkxiduxy.dll
C:\WINDOWS\system32\ptkjnlda.dll
C:\WINDOWS\system32\qvlceuti.ini
C:\WINDOWS\system32\tvvwa.bak1
C:\WINDOWS\system32\tvvwa.bak2
C:\WINDOWS\system32\tvvwa.ini
C:\WINDOWS\system32\tvvwa.ini2
C:\WINDOWS\system32\tvvwa.tmp
C:\WINDOWS\system32\xhheczxt.dllbox
C:\WINDOWS\system32\yxqjpacm.dll
C:\WINDOWS\system32\yxudixkp.ini

.
((((((((((((((((((((((((( Files Created from 2007-11-24 to 2007-12-24 )))))))))))))))))))))))))))))))
.

2007-12-23 22:46 . 2007-12-23 22:52 18,996 ---hsc--- C:\WINDOWS\system32\xhheczxt.dllbox
2007-12-23 22:00 . 2007-12-23 22:01 14,033 --a--c--- C:\pos1EEC.tmp
2007-12-23 21:32 . 2007-12-23 21:53 7,168 --a--c--- C:\WINDOWS\system32\windows
2007-12-23 21:14 . 2007-12-23 21:15 14,033 --a--c--- C:\pos1C60.tmp
2007-12-23 20:51 . 2007-12-23 20:51 14,033 --a--c--- C:\pos1B81.tmp
2007-12-23 14:39 . 2007-12-23 14:39 14,033 --a--c--- C:\pos1994.tmp
2007-12-23 14:38 . 2007-12-23 14:38 14,033 --a--c--- C:\pos196A.tmp
2007-12-23 14:37 . 2007-12-23 14:37 14,033 --a--c--- C:\pos1861.tmp
2007-12-22 21:50 . 2007-12-23 21:16 990,750 ---hsc--- C:\WINDOWS\system32\vgdeablf.ini
2007-12-22 21:44 . 2007-12-22 21:44 14,033 --a--c--- C:\pos1644.tmp
2007-12-22 02:39 . 2007-12-22 02:39 14,033 --a--c--- C:\pos159F.tmp
2007-12-22 02:38 . 2007-12-22 02:38 14,033 --a--c--- C:\pos1469.tmp
2007-12-21 22:57 . 2007-12-21 22:57 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-21 22:54 . 2007-12-21 22:54 <DIR> d----c--- C:\WINDOWS\system32\Kaspersky Lab
2007-12-21 22:54 . 2007-12-21 22:54 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2007-12-21 22:32 . 2007-12-22 02:32 991,571 ---hsc--- C:\WINDOWS\system32\whaomvbo.ini
2007-12-21 22:26 . 2007-12-21 22:26 14,033 --a--c--- C:\pos121D.tmp
2007-12-20 17:50 . 2007-12-20 17:50 14,033 --a--c--- C:\pos11BD.tmp
2007-12-20 17:49 . 2007-12-20 17:49 14,033 --a--c--- C:\posFF2.tmp
2007-12-20 16:48 . 2007-12-20 16:48 14,033 --a--c--- C:\posF92.tmp
2007-12-20 16:47 . 2007-12-20 16:48 14,033 --a--c--- C:\posDDE.tmp
2007-12-20 15:45 . 2007-12-20 15:45 14,033 --a--c--- C:\posDAB.tmp
2007-12-20 15:41 . 2007-12-22 03:14 628 --a--c--- C:\WINDOWS\wininit.ini
2007-12-20 14:45 . 2007-12-20 15:42 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2007-12-20 14:29 . 2007-12-20 14:29 14,033 --a--c--- C:\posADE.tmp
2007-12-20 14:28 . 2007-12-20 14:29 14,033 --a--c--- C:\pos932.tmp
2007-12-19 23:44 . 2007-12-19 23:44 12,033 --a--c--- C:\pos8E8.tmp
2007-12-19 23:44 . 2007-12-19 23:44 5,033 --a--c--- C:\pos8E7.tmp
2007-12-19 23:42 . 2007-12-19 23:42 14,033 --a--c--- C:\pos784.tmp
2007-12-19 22:28 . 2007-12-19 22:28 14,033 --a--c--- C:\pos6DD.tmp
2007-12-19 22:27 . 2007-12-19 22:27 14,033 --a--c--- C:\pos61E.tmp
2007-12-19 22:26 . 2007-12-19 22:27 14,033 --a--c--- C:\pos50C.tmp
2007-12-19 19:07 . 2007-12-19 19:07 14,033 --a--c--- C:\pos4EB.tmp
2007-12-19 19:06 . 2007-12-19 19:07 14,033 --a--c--- C:\pos415.tmp
2007-12-19 18:15 . 2007-12-19 18:15 14,033 --a--c--- C:\pos307.tmp
2007-12-19 18:14 . 2007-12-19 18:15 14,033 --a--c--- C:\pos240.tmp
2007-12-19 17:06 . 2007-12-19 17:06 14,033 --a--c--- C:\pos1155.tmp
2007-12-19 17:05 . 2007-12-19 17:05 143 --a--c--- C:\WINDOWS\system32\mcrh.tmp
2007-12-19 17:04 . 2007-12-19 17:04 165,472 --a--c--- C:\WINDOWS\system32\xhheczxt.dll
2007-12-19 17:04 . 2007-12-19 17:04 165,472 --a------ C:\WINDOWS\system32\ayjmynrl.dll
2007-12-19 04:15 . 2007-12-19 04:50 685,816 --a--c--- C:\WINDOWS\system32\drivers\sptd.sys
2007-12-19 03:42 . 2007-12-19 03:42 39,936 --a--c--- C:\WINDOWS\system32\jkkkllj.dll
2007-12-19 03:41 . 2007-12-19 03:41 39,936 --a--c--- C:\WINDOWS\system32\khfddba.dll
2007-12-19 03:40 . 2007-12-19 03:40 39,936 --a--c--- C:\WINDOWS\system32\pmnmmno.dll
2007-12-19 03:40 . 2007-12-19 03:40 24,576 --a--c--- C:\WINDOWS\system32\winzoa32.dll
2007-12-10 15:43 . 2007-12-10 15:43 <DIR> d--h-c--- C:\WINDOWS\PIF
2007-12-07 00:29 . 2007-12-07 00:29 54,156 --ah-c--- C:\WINDOWS\QTFont.qfn
2007-12-07 00:29 . 2007-12-07 00:29 1,409 --a--c--- C:\WINDOWS\QTFont.for
2007-12-06 14:43 . 2007-12-06 14:42 127,034 -r---c--- C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
2007-12-02 23:09 . 2007-12-02 23:10 <DIR> d-------- C:\Documents and Settings\Doug Hafenstine\Application Data\CamTrack
2007-12-02 00:35 . 2007-12-02 00:42 <DIR> d----c--- C:\WINDOWS\system32\URTTemp
2007-12-02 00:26 . 2007-12-02 00:26 <DIR> d-------- C:\Program Files\Vidiac
2007-12-01 23:16 . 2007-12-01 23:16 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\PY_Software
2007-12-01 23:15 . 2007-12-01 23:21 <DIR> d-------- C:\Program Files\Active WebCam
2007-12-01 22:41 . 2007-12-01 22:41 <DIR> d----c--- C:\WINDOWS\system32\windows media
2007-12-01 22:40 . 2007-12-01 22:41 <DIR> d--h-c--- C:\WINDOWS\msdownld.tmp
2007-12-01 22:40 . 2007-12-01 22:40 <DIR> d-------- C:\Program Files\Windows Media Components
2007-12-01 21:47 . 2007-12-01 21:47 13 --a--c--- C:\WINDOWS\system32\WinVid.crc
2007-12-01 21:25 . 2007-12-01 21:25 <DIR> d-------- C:\Documents and Settings\Brandon Ford\Application Data\EarthCam
2007-12-01 12:01 . 2007-12-01 20:38 <DIR> d-------- C:\Documents and Settings\Christy Hafenstine\Application Data\CamTrack
2007-12-01 03:15 . 2007-12-01 03:15 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-11-30 23:16 . 2007-12-02 01:08 <DIR> d-------- C:\Documents and Settings\Brandon Ford\awc_SirBrando
2007-11-30 23:11 . 2007-12-07 00:05 <DIR> d-------- C:\Program Files\anywebcam
2007-11-29 22:28 . 2007-12-02 21:07 <DIR> d-------- C:\Documents and Settings\Brandon Ford\Application Data\CamTrack
2007-11-29 22:25 . 2007-02-28 13:00 108,752 --a--c--- C:\WINDOWS\system32\drivers\dptrackerd.sys
2007-11-29 22:24 . 2007-11-29 22:24 <DIR> d-------- C:\Program Files\DigitalPeers
2007-11-29 21:38 . 2007-11-29 21:38 118,784 -r---c--- C:\WINDOWS\bwUnin-7.2.0.157-8876480SL.exe
2007-11-29 21:36 . 2007-11-29 21:36 <DIR> d-------- C:\Program Files\Common Files\Logitech
2007-11-29 21:34 . 2007-11-29 21:38 <DIR> d-------- C:\Program Files\Logitech
2007-11-29 21:34 . 2007-11-29 21:44 <DIR> d-------- C:\Program Files\Common Files\LogiShrd
2007-11-29 21:34 . 2007-11-29 21:34 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Logitech
2007-11-29 21:26 . 2004-08-04 01:07 59,264 --a--c--- C:\WINDOWS\system32\drivers\USBAUDIO.sys
2007-11-29 21:26 . 2004-08-04 01:07 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2007-11-27 00:26 . 2007-11-27 00:26 <DIR> d-------- C:\Documents and Settings\Brandon Ford\Application Data\Hewlett-Packard
2007-11-26 15:35 . 2007-12-23 22:38 30,096 --a--c--- C:\WINDOWS\system32\BMXStateBkp-{00000002-00000000-00000002-00001102-00000004-00581102}.rfx
2007-11-26 15:35 . 2007-12-23 22:38 30,096 --a--c---

Holo_Emiter
2007-12-24, 07:22
C:\WINDOWS\system32\BMXState-{00000002-00000000-00000002-00001102-00000004-00581102}.rfx
2007-11-26 15:35 . 2007-12-23 22:38 27,240 --a--c--- C:\WINDOWS\system32\BMXCtrlState-{00000002-00000000-00000002-00001102-00000004-00581102}.rfx
2007-11-26 15:35 . 2007-12-23 22:38 27,240 --a--c--- C:\WINDOWS\system32\BMXBkpCtrlState-{00000002-00000000-00000002-00001102-00000004-00581102}.rfx
2007-11-26 15:35 . 2007-12-23 22:38 11,564 --a--c--- C:\WINDOWS\system32\DVCState-{00000002-00000000-00000002-00001102-00000004-00581102}.rfx
2007-11-26 15:35 . 2007-12-23 22:38 1,080 --a--c--- C:\WINDOWS\system32\settingsbkup.sfm
2007-11-26 15:35 . 2007-12-23 22:38 1,080 --a--c--- C:\WINDOWS\system32\settings.sfm
2007-11-26 15:34 . 2007-12-23 22:37 3,162,278 --a--c--- C:\WINDOWS\{00000002-00000000-00000002-00001102-00000004-00581102}.BAK
2007-11-26 15:29 . 2007-12-23 22:37 3,162,278 --a--c--- C:\WINDOWS\{00000002-00000000-00000002-00001102-00000004-00581102}.CDF
2007-11-26 15:26 . 2006-08-11 15:14 86,446 --a--c--- C:\WINDOWS\system32\instwdm.ini
2007-11-26 15:26 . 2006-08-11 14:55 10,240 --a--c--- C:\WINDOWS\CTDCRES.DLL
2007-11-26 15:04 . 2007-11-26 15:09 <DIR> d----c--- C:\WINDOWS\SHELLNEW
2007-11-26 14:57 . 2007-11-28 02:08 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft Help
2007-11-26 14:43 . 2007-11-26 14:43 <DIR> d----c--- C:\spoolerlogs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-24 03:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-22 05:18 --------- d-----w C:\Documents and Settings\Brandon Ford\Application Data\Azureus
2007-12-22 05:11 --------- d-----w C:\Program Files\Azureus
2007-12-10 23:40 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec
2007-12-10 05:09 --------- d-----w C:\Program Files\Multi Theft Auto
2007-12-09 15:29 --------- d-----w C:\Documents and Settings\Brandon Ford\Application Data\Vso
2007-12-02 08:43 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-30 03:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-26 21:28 86,016 -c--a-w C:\WINDOWS\system32\OpenAL32.dll
2007-11-26 21:28 409,600 -c--a-w C:\WINDOWS\system32\wrap_oal.dll
2007-11-26 21:28 --------- d-----w C:\Documents and Settings\Brandon Ford\Application Data\Creative
2007-11-21 01:10 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Adobe Systems
2007-11-17 05:24 --------- d-----w C:\Program Files\QuickTime
2007-11-17 05:22 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2007-11-17 05:20 --------- d-----w C:\Program Files\Apple Software Update
2007-11-17 05:20 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple
2007-11-16 04:18 --------- d-----w C:\Program Files\Project64 1.6
2007-11-14 00:09 --------- d-----w C:\Documents and Settings\Kim Ford\Application Data\MySpace
2007-11-13 10:25 20,480 -c--a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-10 03:36 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Creative
2007-11-10 03:02 --------- d-----w C:\Program Files\M-Audio USB Midisport Uno
2007-11-10 03:01 82,944 -c--a-w C:\WINDOWS\system32\usbmn1x1.dll
2007-11-10 03:01 724,992 -c--a-w C:\WINDOWS\iun6002.exe
2007-11-10 03:01 22,272 -c--a-w C:\WINDOWS\system32\drivers\usbmn1x1.sys
2007-11-10 03:01 13,504 -c--a-w C:\WINDOWS\system32\drivers\usb11ldr.sys
2007-11-09 23:54 --------- d-----w C:\Documents and Settings\Doug Hafenstine\Application Data\MySpace
2007-11-07 19:54 47,360 -c--a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2007-11-07 19:54 47,360 ----a-w C:\Documents and Settings\Brandon Ford\Application Data\pcouffin.sys
2007-11-05 03:41 --------- d-----w C:\Documents and Settings\Christy Hafenstine\Application Data\MySpace
2007-11-04 02:09 --------- d-----w C:\Documents and Settings\Brandon Ford\Application Data\MySpace
2007-11-02 03:50 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\vsosdk
2007-10-31 19:03 245,408 -c--a-w C:\WINDOWS\system32\unicows.dll
2007-10-31 02:07 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Messenger Plus!
2007-10-30 05:54 --------- d-----w C:\Program Files\Windows Live
2007-10-30 05:54 --------- d-----w C:\Program Files\MSN Messenger
2007-10-30 05:54 --------- d-----w C:\Program Files\Messenger Plus! Live
2007-10-29 22:43 1,287,680 -c--a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:40 222,720 -c--a-w C:\WINDOWS\system32\wmasf.dll
2007-10-03 22:36 60,800 -c--a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-09-27 00:01 45,056 -c--a-w C:\WINDOWS\system32\PCTKRNT.SYS
2007-09-26 23:55 126,976 -c--a-w C:\WINDOWS\system32\unzdll.dll
2007-09-26 03:22 155,995 -c--a-w C:\WINDOWS\java\Packages\V3DBP77F.ZIP
2007-06-26 03:28 47,360 ----a-w C:\Documents and Settings\Sir Brando\Application Data\pcouffin.sys
2007-04-30 02:22 87,608 ----a-w C:\Documents and Settings\Sir Brando\Application Data\ezpinst.exe
2006-10-05 05:14 69,080 ----a-w C:\Documents and Settings\Sir Brando\Application Data\GDIPFONTCACHEV1.DAT
2006-09-17 23:42 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
2005-02-06 05:48 0 -c--a-w C:\Program Files\Global.sw
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-12-19 17:04 165472 --a--c--- C:\WINDOWS\system32\xhheczxt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9E85D85-F6EE-4655-A639-E33983612A6E}]
2007-12-19 03:40 39936 --a--c--- C:\WINDOWS\system32\pmnmmno.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-27 01:14]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-12-06 14:43]
"DCAM"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRISMSVR.EXE"="C:\WINDOWS\System32\PRISMSVR.exe" []
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" [2001-01-03 13:50 C:\WINDOWS\system32\SK9910DM.EXE]
"GWMDMMSG"="GWMDMMSG.exe" [2002-03-28 09:55 C:\WINDOWS\GWMDMMSG.exe]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2007-06-26 12:48]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 23:59]
"osCheck"="C:\PROGRA~1\Symantec\osCheck.exe" [2007-01-14 01:11]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-10-04 01:00]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 20:16]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 C:\WINDOWS\system32\CTXFIHLP.EXE]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2006-12-22 12:27]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2006-12-22 12:28]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 18:04]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-06 00:37:10]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 01:06:58]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-12-06 14:43:35]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B9E85D85-F6EE-4655-A639-E33983612A6E}"= C:\WINDOWS\system32\pmnmmno.dll [2007-12-19 03:40 39936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnmmno]
pmnmmno.dll 2007-12-19 03:40 39936 C:\WINDOWS\system32\pmnmmno.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xhheczxt]
xhheczxt.dll 2007-12-19 17:04 165472 C:\WINDOWS\system32\xhheczxt.dll

S3 iscFlash;iscFlash;C:\WINDOWS\SYSTEM32\DRIVERS\iscflash.sys []
S3 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows [2007-12-23 21:53]
S3 USB11LDR;USB Midi 1x1 Loader;C:\WINDOWS\system32\drivers\usb11ldr.sys [2007-11-09 21:01]
S3 USBMN1X1;USB Midi 1x1;C:\WINDOWS\system32\drivers\usbmn1x1.sys [2007-11-09 21:01]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-11-27 06:26:26 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1192178931.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
"2007-12-18 02:24:54 C:\WINDOWS\Tasks\Norton Security Online - Run Full System Scan - Brandon Ford.job"
- C:\PROGRA~1\Symantec\Norton AntiVirus\Navw32.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-23 22:49:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\xhheczxt.dll
.
Completion time: 2007-12-23 22:56:09 - machine was rebooted
.
2007-12-17 07:14:24 --- E O F ---

Holo_Emiter
2007-12-24, 07:23
Ccleaner install.txt

2Wire Wireless Client
Active WebCam
Adobe Acrobat 5.0
Adobe Audition 2.0
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Help Center 2.0
Adobe Reader 8.1.1
Adobe Shockwave Player
AppCore
Apple Software Update
AT&T Yahoo! Applications
AV
CamTrack
ccCommon
CCleaner (remove only)
CoffeeCup WebCam
ConvertXtoDVD 2.2.3.258
Creative Audio Console
Gateway Desktop Manager
Google Toolbar for Internet Explorer
GTW V.92 Voicemodem
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB926239)
hp instant support
HP Memories Disc
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp psc 2100 series
hp psc 2100 series
Intel(R) PRO Ethernet Adapter and Software
Java(TM) 6 Update 3
Kaspersky Online Scanner
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Logitech Audio Echo Cancellation Component
Logitech Desktop Messenger
Logitech QuickCam
Logitech Video Enumerator
Logitech® Camera Driver
Messenger Plus! Live
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Excel 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office PowerPoint 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (2.0.0.11)
MSRedist
MSXML 4.0 SP2 (KB936181)
MVision
MySpaceIM
Norton AntiVirus
Norton Internet Security
Norton Protection Center
PS/2 Millennium Keyboard
QuickTime
SBC Yahoo! DSL Home Networking Installer
Security Update for CAPICOM (KB931906)
Security Update for Excel 2007 (KB936509)
Security Update for Office 2007 (KB934062)
Security Update for Office 2007 (KB936514)
Security Update for the 2007 Microsoft Office System (KB936960)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944653)
Sound Blaster Audigy
SPBBC 32bit
Symantec Real Time Storage Protection Component
SymNet
Update for Office 2007 (KB932080)
Update for Office 2007 (KB934391)
Update for Office 2007 (KB934393)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Word 2007 (KB934173)
URGE
USB Midisport Uno 1.0.1.0
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
Yahoo! Install Manager

Holo_Emiter
2007-12-24, 07:24
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:04:28 PM, on 12/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SK9910DM.EXE
C:\WINDOWS\GWMDMMSG.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\DigitalPeers\CamTrack\camtrack.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\xhheczxt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {B9E85D85-F6EE-4655-A639-E33983612A6E} - C:\WINDOWS\system32\pmnmmno.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: CamTrack.lnk = C:\Program Files\DigitalPeers\CamTrack\camtrack.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - .DEFAULT Startup: CamTrack.lnk = C:\Program Files\DigitalPeers\CamTrack\camtrack.exe (User 'Default user')
O4 - .DEFAULT User Startup: CamTrack.lnk = C:\Program Files\DigitalPeers\CamTrack\camtrack.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: CamTrack.lnk = C:\Program Files\DigitalPeers\CamTrack\camtrack.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191360247342
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191360238436
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: pmnmmno - C:\WINDOWS\SYSTEM32\pmnmmno.dll
O20 - Winlogon Notify: xhheczxt - C:\WINDOWS\SYSTEM32\xhheczxt.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 11637 bytes

Simon V.
2007-12-24, 13:16
Hi :)

Step 1

Please go to VirusTotal (http://www.virustotal.com/) or Jotti (http://virusscan.jotti.org/) and upload C:\WINDOWS\system32\windows for scanning.

For VirusTotal:

Please copy and paste C:\WINDOWS\system32\windows in the text box next to the Browse... button.
Click on Send File.

For Jotti:

Please copy and paste C:\WINDOWS\system32\windows in the text box next to the Browse... button.
Click on Submit.

Copy/paste the results in Notepad and save them to your desktop.

Step 2

Open Notepad (Go to Start > Run, type Notepad and hit Enter), and copy/paste the text in the quotebox below into it:


File::

C:\WINDOWS\system32\xhheczxt.dll
C:\pos1EEC.tmp
C:\pos1C60.tmp
C:\pos1B81.tmp
C:\pos1994.tmp
C:\pos196A.tmp
C:\pos1861.tmp
C:\WINDOWS\system32\vgdeablf.ini
C:\pos1644.tmp
C:\pos159F.tmp
C:\pos1469.tmp
C:\WINDOWS\system32\whaomvbo.ini
C:\pos121D.tmp
C:\pos11BD.tmp
C:\posFF2.tmp
C:\posF92.tmp
C:\posDDE.tmp
C:\posDAB.tmp
C:\posADE.tmp
C:\pos932.tmp
C:\pos8E8.tmp
C:\pos8E7.tmp
C:\pos784.tmp
C:\pos6DD.tmp
C:\pos61E.tmp
C:\pos50C.tmp
C:\pos4EB.tmp
C:\pos415.tmp
C:\pos307.tmp
C:\pos240.tmp
C:\pos1155.tmp
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\xhheczxt.dll
C:\WINDOWS\system32\ayjmynrl.dll
C:\WINDOWS\system32\jkkkllj.dll
C:\WINDOWS\system32\khfddba.dll
C:\WINDOWS\system32\pmnmmno.dll
C:\WINDOWS\system32\winzoa32.dll
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\QTFont.for

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9E85D85-F6EE-4655-A639-E33983612A6E}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DCAM"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnmmno]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xhheczxt]

Click on File > Save as....

In the File Name box, copy/paste CFScript.txt (Note: Do not change the filename!)

Click Save (Save the CFScript in the same location as Combofix.exe)

http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe.
It will create a log. Be sure to save it to a convenient location.

Step 3

Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner).

Click on Kaspersky Online Scanner. On the welcome screen, click Accept.

You will be prompted to install an ActiveX component from Kaspersky, click Install.

The program will launch and then begin downloading the latest definition files.
Once the files have been downloaded click on Next.
Now click on Scan Settings.
In the scan settings make sure that the following are selected:

Scan using the following Anti-Virus database:

Extended (if available, otherwise Standard)

Scan Options:

Scan Archives
Scan Mail Bases

Click OK.
Now under Select a Target to Scan:

Select My Computer.

The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button and save the file to your desktop.

Step 4

In your next reply, please post:

the Virustotal/Jotti results
the Combofix log (C:\Combofix.txt)
the Kaspersky Online Scan report
a new HijackThis log
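
Triage logic for the kinds of HijackThis entries the helper's CFScript targets (no-name BHOs, unrecognised Winlogon Notify packages, an "Unknown owner" service with an extensionless binary, a Run key under the SYSTEM account), as an added example that is not part of this thread or of HijackThis itself; the sample lines are constructed from the log posted above and the allowlist of Winlogon Notify names is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: HijackThis 2.0.2 lines modelled on the log posted in
# this thread (same entry types; benign lines included as controls).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\xhheczxt.dll
O2 - BHO: (no name) - {B9E85D85-F6EE-4655-A639-E33983612A6E} - C:\WINDOWS\system32\pmnmmno.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O20 - Winlogon Notify: pmnmmno - C:\WINDOWS\SYSTEM32\pmnmmno.dll
O20 - Winlogon Notify: xhheczxt - C:\WINDOWS\SYSTEM32\xhheczxt.dll
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")

# Winlogon Notify packages commonly seen on a clean XP box (illustrative
# allowlist, an assumption of this example, not a complete list).
KNOWN_NOTIFY = {"igfxcui", "navlogon", "wgalogon", "atiextevent"}


def parse(log_text):
    """Yield (section, body) for every HijackThis O-line; skip the rest."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log_text):
    """Return [(section, path, reason)] for entries worth a second look."""
    findings = []
    seen_in = defaultdict(set)  # lowercase DLL path -> sections listing it

    for section, body in parse(log_text):
        if section == "O2":
            # "BHO: <name> - {CLSID} - <path>"; rsplit keeps dashes in names intact
            parts = body.rsplit(" - ", 2)
            if len(parts) != 3:
                continue
            head, _clsid, path = parts
            seen_in[path.lower()].add("O2")
            if head == "BHO: (no name)":
                findings.append((section, path, "BHO with no name"))
        elif section == "O20":
            # "Winlogon Notify: <subkey> - <path>"
            head, path = body.rsplit(" - ", 1)
            subkey = head.split(": ", 1)[1]
            seen_in[path.lower()].add("O20")
            if subkey.lower() not in KNOWN_NOTIFY:
                findings.append((section, path, "unrecognised Winlogon Notify package"))
        elif section == "O23":
            # "Service: <display> (<name>) - <owner> - <path>"
            parts = body.rsplit(" - ", 2)
            if len(parts) != 3:
                continue
            _head, owner, path = parts
            if owner == "Unknown owner" and "." not in path.rsplit("\\", 1)[-1]:
                findings.append((section, path, "unknown-owner service with extensionless binary"))
        elif section == "O4" and body.startswith(r"HKUS\S-1-5-18"):
            # Run key of the SYSTEM account: unusual for ordinary user software
            findings.append((section, body, "Run entry under the SYSTEM account"))

    # A DLL loaded both as a BHO and as a Winlogon Notify package is the
    # persistence pair the helper's CFScript removes together.
    for path, sections in seen_in.items():
        if {"O2", "O20"} <= sections:
            findings.append(("O2+O20", path, "same DLL registered as BHO and Winlogon Notify"))
    return findings


def suspicious_paths(log_text):
    """Unique, lowercased file paths from triage(), e.g. for a VirusTotal/Jotti upload."""
    return sorted({path.lower() for section, path, _ in triage(log_text) if section != "O4"})


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```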

Simon V.
2007-12-28, 22:28
Are you still with me?

Holo_Emiter
2007-12-30, 06:11
Yeah sorry... I've been having a real hard time getting on without the computer slowing way down. I'll try to post what you requested.

Holo_Emiter
2007-12-30, 06:21
C:\WINDOWS\system32\windows isn't there!

Simon V.
2007-12-30, 12:49
Hi :)

Don't worry about that for now, and please continue with the instructions.

Simon V.
2008-01-03, 13:08
Are you still with me?

tashi
2008-01-13, 18:58
This topic has been archived due to inactivity.

As it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread. :)