Virtumonde



new_sd_user
2008-01-21, 22:16
First off, thanks for a great product with spybot!

I got infected with Virtumonde, probably sometime in late Dec or early Jan, not sure how.

Neither WindowsDefender nor McAfee have ever been able to see it.

The problem gradually got worse: symptoms included very long bootup, slow computer that would eventually freeze altogether. Weird 'shortcut' icons started appearing on my desktop that I couldn't delete (I never clicked on them - directed to a shady looking site called storageprotection.com). Also would lose the ability to move icons on the desktop, or open files or applications by double-clicking on icons on the desktop (could still open stuff within applications and from start menus). Overall things generally got worse, but it was erratic and inconsistent.

Scariest of all - system restore stopped working - would run and run, then at the very end would tell me there was an error and it had failed. Also, on startup my McAfee security settings would occasionally be shut off. Neither of these things ever happened to me before.

Spybot has always been able to see Virtumonde (and several apparently related files), and has been able to remove all but one related file (WINDOWS\SYSTEM32\pmkhi.dll). pmkhi.exe and other related files would apparently magically re-spawn on startup.

Have tried Spybot in various combinations - letting it run on startup, running it in safe mode, et cetera. Every time it would get all but pmkhi.dll, and the rest would re-spawn.

Downloaded a free Symantec tool that was supposed to remove Admonde. Got it from this site:
http://www.symantec.com/security_response/writeup.jsp?docid=2003-120914-4108-99&tabid=3
Ran for over an hour. It couldn't even detect it.

In another support forum I found a reference to VundoFix.exe. Ran it last night. It seemed to have the same problem as Spybot (i.e. pmkhi.dll couldn't be removed), but appears to have worked. pmkhi.dll is still there, but no more symptoms. Other Virtumonde files (i.e. pmkhi.exe) do not re-spawn. Was able to delete the weird 'shortcut' icons on my desktop and the computer appears to be running normally. The only strange thing is an error window on startup telling me "pmkhi.exe cannot be found," which sounds like a good thing to me.

Got VundoFix.exe from here:
http://www.atribune.org/content/view/24/2/

Things running normally, but I've really been up and running again for a day.

I'm still worried - that darn pmkhi.exe is still sitting there in my SYSTEM32 folder - would really like to get rid of it.

Will post my Kaspersky and HJT logs below after they're done running.

Thanks again guys and gals - great product!

new_sd_user
2008-01-21, 22:19
Whoops - one important typo in my last message.

I wrote:
"I'm still worried - that darn pmkhi.exe is still sitting there in my SYSTEM32 folder - would really like to get rid of it."

I meant to write "that darn pmkhi.dll is still..."

pmkhi.exe is gone, pmkhi.dll is still there.

thanks

steamwiz
2008-01-21, 23:19
Hi

I'll wait for your logs ...

steam

new_sd_user
2008-01-22, 02:16
Thank you in advance.

HJT Log (damn - I see that friggin "F3 - REG:win.ini: load=C:\WINDOWS\system32\pmkhi.exe" again):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:14:44 PM, on 1/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Defender\MSASCui .exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MSC\mcshell.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
F3 - REG:win.ini: load=C:\WINDOWS\system32\pmkhi.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [745c2c84] rundll32.exe "C:\WINDOWS\system32\aotliovh.dll",b
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA463] command /c del "C:\WINDOWS\SYSTEM32\pmkhi.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3410] cmd /c del "C:\WINDOWS\SYSTEM32\pmkhi.dll_tobedeleted"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\RunOnce: [SpybotDeletingB8743] command /c del "C:\WINDOWS\SYSTEM32\pmkhi.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4743] cmd /c del "C:\WINDOWS\SYSTEM32\pmkhi.dll_tobedeleted"
O4 - Startup: palmOne Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191523292156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191523254359
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://campuscentercam.its.wesleyan.edu/activex/AMC.cab
O16 - DPF: {80922B68-D8DE-11D5-8D10-0050DAD09327} (Batch Processing Control) - http://www.thomsononeanalytics.com/plugins/BatchPrintNT.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15033/CTPID.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: McAfee Application Installer Cleanup (0164451200937388) (0164451200937388mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\016445~1.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

--
End of file - 9480 bytes
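As an added example (not code from this thread, from Spybot, or from Trend Micro's HijackThis), here is a small Python triage script that applies the checks a helper would make on a log like the one above: the F3 win.ini load= entry, the O4 Run value with an 8-hex-digit name loading a random 8-letter DLL via rundll32, the Spybot RunOnce deletion markers, and a process image name with a space before .exe. The embedded log is a constructed subset of the posted log lines; the "kind" labels are my own naming.

```python
import re

# Constructed sample in the shape of the HijackThis log posted in this thread
# (a subset of the posted lines), embedded so the script runs offline.
SAMPLE_HJT_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Defender\MSASCui .exe
C:\WINDOWS\system32\ctfmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/
F3 - REG:win.ini: load=C:\WINDOWS\system32\pmkhi.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [745c2c84] rundll32.exe "C:\WINDOWS\system32\aotliovh.dll",b
O4 - HKLM\..\RunOnce: [SpybotDeletingA463] command /c del "C:\WINDOWS\SYSTEM32\pmkhi.dll_tobedeleted"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
"""

# "Oxx - body" entry lines; process-list lines and headers do not match this.
ENTRY = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# O4 registry autostart entries: HKLM\..\Run: [value name] command
O4_REG = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Naming patterns seen in the posted log: 8 hex digits as the Run value name,
# and an 8-letter random DLL name in system32 loaded through rundll32.
HEX_NAME = re.compile(r"^[0-9a-f]{8}$")
RANDOM_SYS32_DLL = re.compile(r"\\system32\\[a-z]{8}\.dll\b", re.IGNORECASE)


def triage_hjt(text):
    """Return a list of {"kind", "line", "why"} dicts for entries to look at first.

    These are heuristics, not verdicts: each hit is something a helper would
    ask about, as with the pmkhi.exe and aotliovh.dll lines in the posted log.
    """
    findings = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:  # a blank line ends the process list
                in_processes = False
            elif re.search(r"\s\.exe$", line, re.IGNORECASE):
                findings.append({"kind": "masquerade", "line": line,
                                 "why": "whitespace before .exe; imitates a legitimate image name"})
            continue
        m = ENTRY.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "F3" and body.lower().startswith("reg:win.ini: load="):
            findings.append({"kind": "win_ini_load", "line": line,
                             "why": "legacy win.ini load= autostart; rarely used by legitimate software"})
        elif section == "O4":
            o4 = O4_REG.match(body)
            if not o4:
                continue  # Startup-folder entries are not registry values
            name, key, cmd = o4.group("name"), o4.group("key"), o4.group("cmd")
            if "rundll32" in cmd.lower() and RANDOM_SYS32_DLL.search(cmd):
                why = "rundll32 loading a random 8-letter DLL from system32"
                if HEX_NAME.match(name):
                    why += " under an 8-hex-digit Run value name"
                findings.append({"kind": "rundll32_random_dll", "line": line, "why": why})
            elif key == "RunOnce" and "_tobedeleted" in cmd.lower():
                findings.append({"kind": "pending_delete", "line": line,
                                 "why": "a removal tool deferred this delete to reboot; the file was in use"})
    return findings


def kinds(findings):
    """Set of finding kinds, for a quick summary of what the log shows."""
    return {f["kind"] for f in findings}


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f"[{f['kind']}] {f['line']}\n    {f['why']}")
```

Run it against a full saved HijackThis log by passing the file contents to triage_hjt; entries it does not flag still need the usual manual read-through.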

new_sd_user
2008-01-22, 02:19
(Part I)

KASPERSKY ONLINE SCANNER REPORT
Monday, January 21, 2008 8:07:44 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/01/2008
Kaspersky Anti-Virus database records: 526068


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
E:\
F:\

Scan Statistics
Total number of scanned objects 98214
Number of viruses found 7
Number of infected objects 113
Number of suspicious objects 0
Duration of the scan process 01:58:33

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{322563D9-DD7D-4B7B-BA86-10F4B4649980}.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{C3929A60-D181-4008-972B-6484A4F648D9}.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12052006-184733.log Object is locked skipped

C:\Documents and Settings\Derk\Application Data\Microsoft\Internet Explorer\UserData\index.dat Object is locked skipped

C:\Documents and Settings\Derk\Application Data\Mozilla\Firefox\Profiles\mgfk339i.default\cert8.db Object is locked skipped

C:\Documents and Settings\Derk\Application Data\Mozilla\Firefox\Profiles\mgfk339i.default\history.dat Object is locked skipped

C:\Documents and Settings\Derk\Application Data\Mozilla\Firefox\Profiles\mgfk339i.default\key3.db Object is locked skipped

C:\Documents and Settings\Derk\Application Data\Mozilla\Firefox\Profiles\mgfk339i.default\search.sqlite Object is locked skipped

C:\Documents and Settings\Derk\Application Data\Mozilla\Firefox\Profiles\mgfk339i.default\urlclassifier2.sqlite Object is locked skipped

C:\Documents and Settings\Derk\Cookies\INDEX.DAT Object is locked skipped

C:\Documents and Settings\Derk\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\Derk\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Derk\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Derk\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{5083F557-C8C5-4112-8737-71FC6AB311D0} Object is locked skipped

C:\Documents and Settings\Derk\Local Settings\Application Data\Mozilla\Firefox\Profiles\mgfk339i.default\Cache\_CACHE_001_ Object is locked skipped

C:\Documents and Settings\Derk\Local Settings\Application Data\Mozilla\Firefox\Profiles\mgfk339i.default\Cache\_CACHE_002_ Object is locked skipped

C:\Documents and Settings\Derk\Local Settings\Application Data\Mozilla\Firefox\Profiles\mgfk339i.default\Cache\_CACHE_003_ Object is locked skipped

C:\Documents and Settings\Derk\Local Settings\Application Data\Mozilla\Firefox\Profiles\mgfk339i.default\Cache\_CACHE_MAP_ Object is locked skipped

C:\Documents and Settings\Derk\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Derk\Local Settings\History\History.IE5\MSHist012008012120080122\index.dat Object is locked skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX10.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX100.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX102.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX103.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX105.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX109.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX10C.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX10F.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX115.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX118.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX11E.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX1447.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX21.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX22.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX24.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX251.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX254.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX257.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX25D.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX26.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX260.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX263.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX269.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX26D.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX2D.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX2E.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX30.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX3B.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX3BD.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX3C0.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX3C3.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX3C9.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX3CC.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX3CF.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX3D5.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX3D8.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX3DE.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX3E.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX41.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX43.tmp Infected: Virus.Win32.Trats.d skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX48.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX49.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX4B.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX4C.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX4E.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX4F.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX54.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX55.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX57.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX58.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX5A.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX5D.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

new_sd_user
2008-01-22, 02:20
C:\Documents and Settings\Derk\Local Settings\Temp\RCX6.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX60.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX63.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX66.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX69.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX82.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX85.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX88.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX8E.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX91.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX94.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX9A.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCX9D.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCXA9.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCXAC.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCXAF.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCXB5.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCXB8.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCXBB.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCXC1.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCXC4.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCXC7.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCXCA.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCXEA.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCXED.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCXF0.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCXF6.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCXF9.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCXFC.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\RCXFD.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\Setup195.exe/data0002 Infected: Trojan-Clicker.Win32.VB.yh skipped

C:\Documents and Settings\Derk\Local Settings\Temp\Setup195.exe/data0008 Infected: Trojan-Clicker.Win32.VB.vx skipped

C:\Documents and Settings\Derk\Local Settings\Temp\Setup195.exe/data0009 Infected: Trojan-Clicker.Win32.VB.vx skipped

C:\Documents and Settings\Derk\Local Settings\Temp\Setup195.exe NSIS: infected - 3 skipped

C:\Documents and Settings\Derk\Local Settings\Temp\TMP41.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temp\TMP7F.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\Documents and Settings\Derk\Local Settings\Temporary Internet Files\Content.IE5\HHH22OT8\apst377[1] Infected: not-a-virus:AdWare.Win32.SuperJuan.ez skipped

C:\Documents and Settings\Derk\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Derk\Local Settings\Temporary Internet Files\Content.IE5\JGCVAZE7\tr[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped

C:\Documents and Settings\Derk\ntuser.dat Object is locked skipped

C:\Documents and Settings\Derk\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Windows Defender\MSASCui.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped

C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped

C:\System Volume Information\catalog.wci\00010010.ci Object is locked skipped

C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped

C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped

C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped

C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped

C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped

C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped

C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped

C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped

C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped

C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped

C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped

C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped

C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped

C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1079\A0116832.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1079\A0116851.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1079\A0116866.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1079\A0116904.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped

C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1079\A0116905.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped

C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1079\A0116906.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped

C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1079\A0116908.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped

C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1079\A0116910.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped

C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1079\A0116930.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1079\A0116944.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1080\A0116973.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1080\A0116986.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1080\change.log Object is locked skipped

C:\VundoFix Backups\itketekb.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped

C:\VundoFix Backups\pbwhgrsg.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped

C:\VundoFix Backups\pmkhi.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped

C:\VundoFix Backups\runrdpis.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped

C:\VundoFix Backups\wkjsskkq.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\PCHealth\HelpCtr\Binaries\msconfig.exe.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\ODiag.evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\OSession.evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\ctfmon.exe.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped

C:\WINDOWS\SYSTEM32\pmkhi.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped

C:\WINDOWS\SYSTEM32\RCX32.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\WINDOWS\SYSTEM32\RCX33.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\mcafee_ed7YUdbuu4hFpvv Object is locked skipped

C:\WINDOWS\Temp\mcmsc_5XRrgqtLiGbOXeZ Object is locked skipped

C:\WINDOWS\Temp\mcmsc_cf9yaeSYZ83BD1e Object is locked skipped

C:\WINDOWS\Temp\mcmsc_kReGgEkRJmi8WwB Object is locked skipped

C:\WINDOWS\Temp\mcmsc_pGpFjJRxQ1a9UjU Object is locked skipped

C:\WINDOWS\WIADEBUG.LOG Object is locked skipped

C:\WINDOWS\WIASERVC.LOG Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\WINDOWS\{00000002-00000000-00000002-00001102-00000004-10031102}.CDF Object is locked skipped

Scan process completed.

steamwiz
2008-01-23, 19:58
Download Superantispyware.

http://www.superantispyware.com/

Once downloaded and installed update the definitions
and then run a full system scan and quarantine what it finds!

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)

http://www.superantispyware.com/definitions.html

* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.

THEN ...

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts. When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Please remember to post :-


1. SUPERAntiSpyware Scan Log
2. C:\ComboFix.txt
3. a new HijackThis log (run after everything else)

steam

new_sd_user
2008-01-24, 01:53
steam - thanks for your help!

One thing: since I posted those logs, things went bad again, so I ran Admonde.exe again (which seems to have helped).

Downloaded and ran both SuperAntiSpyware and ComboFix according to your directions. The first took almost 2 hrs. The second was a little scary (it warned that "1/100" computers don't survive its process, and had several misspellings in its dialog boxes).

Logs posted next

new_sd_user
2008-01-24, 01:54
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/23/2008 at 06:28 PM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 01:55:27

Memory items scanned : 485
Memory threats detected : 1
Registry items scanned : 7590
Registry threats detected : 5
File items scanned : 101093
File threats detected : 32

Trojan.WinFixer
C:\WINDOWS\SYSTEM32\PMKHI.DLL
C:\WINDOWS\SYSTEM32\PMKHI.DLL
HKLM\Software\Classes\CLSID\{68F10E56-249E-401B-8CCD-F0DD123A5B48}
HKCR\CLSID\{68F10E56-249E-401B-8CCD-F0DD123A5B48}
HKCR\CLSID\{68F10E56-249E-401B-8CCD-F0DD123A5B48}\InprocServer32
HKCR\CLSID\{68F10E56-249E-401B-8CCD-F0DD123A5B48}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{68F10E56-249E-401B-8CCD-F0DD123A5B48}

Adware.Tracking Cookie
C:\Documents and Settings\Derk\Cookies\derk@doubleclick[1].txt
C:\Documents and Settings\Derk\Cookies\derk@questionmarket[1].txt
C:\Documents and Settings\Derk\Cookies\derk@revsci[1].txt
C:\Documents and Settings\Derk\Cookies\derk@richmedia.yahoo[1].txt
C:\Documents and Settings\Derk\Cookies\derk@ads.revsci[1].txt
C:\Documents and Settings\Derk\Cookies\derk@realmedia[1].txt
C:\Documents and Settings\Derk\Cookies\derk@specificclick[2].txt
C:\Documents and Settings\Derk\Cookies\derk@tacoda[1].txt
C:\Documents and Settings\Derk\Cookies\derk@adopt.specificclick[2].txt
C:\Documents and Settings\Derk\Cookies\derk@tribalfusion[1].txt
C:\Documents and Settings\Derk\Cookies\derk@atdmt[2].txt
C:\Documents and Settings\Derk\Cookies\derk@anad.tacoda[2].txt
C:\Documents and Settings\Derk\Cookies\derk@ads.goyk[1].txt
C:\Documents and Settings\Derk\Cookies\derk@collective-media[2].txt
C:\Documents and Settings\Derk\Cookies\derk@2o7[1].txt
C:\Documents and Settings\Derk\Cookies\derk@advertising[2].txt
C:\Documents and Settings\Derk\Cookies\derk@ad2networks.advertserve[1].txt
C:\Documents and Settings\Derk\Cookies\derk@adredired[2].txt
C:\Documents and Settings\Derk\Cookies\derk@statsgod[1].txt
C:\Documents and Settings\Derk\Cookies\derk@www.burstbeacon[1].txt
C:\WINDOWS\Temp\Cookies\derk@ad.uk.tangozebra[1].txt
C:\WINDOWS\Temp\Cookies\derk@ad.yieldmanager[2].txt
C:\WINDOWS\Temp\Cookies\derk@adopt.specificclick[1].txt
C:\WINDOWS\Temp\Cookies\derk@adrevolver[1].txt
C:\WINDOWS\Temp\Cookies\derk@ads.ft[1].txt
C:\WINDOWS\Temp\Cookies\derk@ads.pointroll[1].txt
C:\WINDOWS\Temp\Cookies\derk@media.adrevolver[1].txt
C:\WINDOWS\Temp\Cookies\derk@realmedia[2].txt
C:\WINDOWS\Temp\Cookies\derk@revsci[2].txt
C:\WINDOWS\Temp\Cookies\derk@rotator.adjuggler[1].txt
C:\WINDOWS\Temp\Cookies\derk@specificclick[2].txt

new_sd_user
2008-01-24, 01:57
***I'm posting an abbreviated version, see notes***

ComboFix 08-01-23.2 - Derk 2008-01-23 18:47:04.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.598 [GMT -5:00]
Running from: C:\Documents and Settings\Derk\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\blp\API\Office Tools\bbxlcmd .exe
C:\Documents and Settings\Derk\My Documents\pos1000.tmp
C:\Documents and Settings\Derk\My Documents\pos1001.tmp
C:\Documents and Settings\Derk\My Documents\pos1002.tmp
C:\Documents and Settings\Derk\My Documents\pos1003.tmp
C:\Documents and Settings\Derk\My Documents\pos1004.tmp
C:\Documents and Settings\Derk\My Documents\pos1005.tmp
C:\Documents and Settings\Derk\My Documents\pos1006.tmp
C:\Documents and Settings\Derk\My Documents\pos1007.tmp
C:\Documents and Settings\Derk\My Documents\pos1008.tmp

****bla bla bla...goes on through posFFF.tmp****


C:\Documents and Settings\Derk\My Documents\posFFF.tmp
C:\pos10.tmp
C:\pos100.tmp
C:\pos1000.tmp
C:\pos1001.tmp
C:\pos1002.tmp
C:\pos1003.tmp
C:\pos1004.tmp
C:\pos1005.tmp
C:\pos1006.tmp
C:\pos1007.tmp
C:\pos1008.tmp
C:\pos1009.tmp
C:\pos100A.tmp
C:\pos100B.tmp
C:\pos100C.tmp
C:\pos100D.tmp
C:\pos100E.tmp
C:\pos100F.tmp
C:\pos101.tmp

****bla bla bla, again goes on through posFFF.tmp****

C:\posFFF.tmp
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\McAfee.com\Agent\mcagent .exe
C:\Program Files\QdrDrive
C:\Program Files\WinAble
C:\Program Files\Windows Defender\MSASCui .exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\SYSTEM32\ihkmp.ini
C:\WINDOWS\SYSTEM32\ihkmp.ini2
C:\WINDOWS\system32\jzbkqfvl.dllbox
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pmkhi.dll
C:\WINDOWS\system32\RCX32.tmp
C:\WINDOWS\system32\RCX33.tmp


<pre>
C:\blp\API\Office Tools\bbxlcmd .exe ---> QooBox
C:\Program Files\Common Files\Real\Update_OB\realsched .exe ---> QooBox
C:\Program Files\McAfee.com\Agent\mcagent .exe ---> QooBox
C:\Program Files\Windows Defender\MSASCui .exe ---> QooBox
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe ---> QooBox
</pre>
.
.
((((((((((((((((((((((((( Files Created from 2007-12-24 to 2008-01-24 )))))))))))))))))))))))))))))))
.

2008-01-23 18:43 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-23 16:25 . 2008-01-23 18:37 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-23 16:24 . 2008-01-23 16:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-23 11:47 . 2008-01-23 11:47 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-01-23 11:45 . 2008-01-23 11:45 499,712 --a------ C:\WINDOWS\SYSTEM32\msvcp71.dll
2008-01-23 11:45 . 2008-01-23 11:45 348,160 --a------ C:\WINDOWS\SYSTEM32\msvcr71.dll
2008-01-23 11:29 . 2008-01-23 11:31 23,392 --a------ C:\WINDOWS\SYSTEM32\nscompat.tlb
2008-01-23 11:29 . 2008-01-23 11:31 16,832 --a------ C:\WINDOWS\SYSTEM32\amcompat.tlb
2008-01-22 14:03 . 2008-01-22 14:03 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2008-01-21 20:08 . 2008-01-21 20:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-21 15:48 . 2008-01-21 15:48 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-01-20 17:21 . 2008-01-22 13:05 <DIR> d-------- C:\VundoFix Backups
2008-01-08 17:39 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\SYSTEM32\msonpmon.dll
2008-01-08 16:45 . 2008-01-08 16:45 <DIR> d-------- C:\Program Files\MSBuild
2008-01-08 16:31 . 2008-01-08 16:31 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-01-08 16:23 . 2008-01-08 16:23 <DIR> dr-h----- C:\MSOCache
2008-01-07 20:16 . 2008-01-07 20:16 630,784 --a------ C:\WINDOWS\SYSTEM32\divxdec.ax
2008-01-06 22:25 . 2008-01-20 11:48 <DIR> d-------- C:\Program Files\QuickTime
2008-01-06 14:46 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\SYSTEM32\ptpusd.dll
2008-01-06 14:46 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\usbscan.sys
2008-01-06 14:46 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\usbscan.sys
2008-01-06 14:46 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\SYSTEM32\ptpusb.dll
2008-01-04 16:59 . 2008-01-04 16:59 524,288 --a------ C:\WINDOWS\SYSTEM32\DivXsm.exe
2008-01-04 16:59 . 2008-01-04 16:59 4,816 --a------ C:\WINDOWS\SYSTEM32\divxsm.tlb
2008-01-04 16:58 . 2008-01-04 16:58 3,596,288 --a------ C:\WINDOWS\SYSTEM32\qt-dx331.dll
2008-01-04 16:58 . 2008-01-04 16:58 1,044,480 --a------ C:\WINDOWS\SYSTEM32\libdivx.dll
2008-01-04 16:58 . 2008-01-04 16:58 200,704 --a------ C:\WINDOWS\SYSTEM32\ssldivx.dll
2008-01-04 16:56 . 2008-01-04 16:56 156,992 --a------ C:\WINDOWS\SYSTEM32\DivXCodecVersionChecker.exe
2008-01-04 16:56 . 2008-01-04 16:56 12,288 --a------ C:\WINDOWS\SYSTEM32\DivXWMPExtType.dll
2008-01-02 23:26 . 2008-01-23 19:30 4,958,588 --a------ C:\WINDOWS\{00000002-00000000-00000002-00001102-00000004-10031102}.CDF
2008-01-02 23:26 . 2008-01-23 19:30 4,958,588 --------- C:\WINDOWS\{00000002-00000000-00000002-00001102-00000004-10031102}.BAK
2008-01-02 23:23 . 2008-01-23 19:30 30,912 --a------ C:\WINDOWS\SYSTEM32\BMXStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
2008-01-02 23:23 . 2008-01-23 19:30 30,912 --a------ C:\WINDOWS\SYSTEM32\BMXState-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
2008-01-02 23:23 . 2008-01-23 19:30 30,120 --a------ C:\WINDOWS\SYSTEM32\BMXCtrlState-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
2008-01-02 23:23 . 2008-01-23 19:30 30,120 --a------ C:\WINDOWS\SYSTEM32\BMXBkpCtrlState-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
2008-01-02 23:23 . 2008-01-23 19:30 11,564 --a------ C:\WINDOWS\SYSTEM32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
2008-01-02 23:23 . 2008-01-23 19:30 1,080 --a------ C:\WINDOWS\SYSTEM32\settingsbkup.sfm
2008-01-02 23:23 . 2008-01-23 19:30 1,080 --a------ C:\WINDOWS\SYSTEM32\settings.sfm
2008-01-02 17:55 . 2008-01-02 17:55 409,600 --a------ C:\WINDOWS\SYSTEM32\wrap_oal.dll
2008-01-02 17:55 . 2008-01-02 17:55 86,016 --a------ C:\WINDOWS\SYSTEM32\OpenAL32.dll
2008-01-02 17:50 . 2006-08-11 15:14 86,446 --a------ C:\WINDOWS\SYSTEM32\instwdm.ini
2008-01-02 17:50 . 2006-08-11 14:55 10,240 --a------ C:\WINDOWS\CTDCRES.DLL
2008-01-02 17:50 . 2006-08-11 14:56 3,072 --a------ C:\WINDOWS\CTXFIRES.DLL
2008-01-02 17:28 . 2003-06-12 23:25 7,062 --a------ C:\WINDOWS\SYSTEM32\audiopid.vxd
2008-01-02 13:58 . 2008-01-02 16:47 1,828 --a------ C:\WINDOWS\SYSTEM32\CTHELPER.RPT
2008-01-02 11:55 . 2008-01-22 14:07 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-01-02 11:48 . 2008-01-23 10:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\UMDF
2007-12-29 10:04 . 2008-01-09 09:43 90,112 --a------ C:\WINDOWS\UpdReg .EXE
2007-12-29 10:04 . 2008-01-09 09:43 28,672 --a------ C:\WINDOWS\SYSTEM32\DSentry .exe
2007-12-29 10:03 . 2008-01-20 23:41 15,360 --a------ C:\WINDOWS\SYSTEM32\ctfmon .exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-24 00:29 --------- d-----w C:\Program Files\Windows Defender
2008-01-23 16:54 --------- d-----w C:\Program Files\DivX
2008-01-23 16:46 --------- d-----w C:\Program Files\Common Files\Real
2008-01-23 16:45 --------- d-----w C:\Program Files\Real
2008-01-22 19:31 --------- d-----w C:\Program Files\McAfee
2008-01-20 16:17 --------- d-----w C:\Program Files\FileZilla
2008-01-08 21:46 --------- d-----w C:\Program Files\Microsoft Works
2008-01-04 21:58 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-01-03 04:22 --------- d-----w C:\Program Files\Creative
2008-01-02 22:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-02 19:23 --------- d-----w C:\Program Files\Maxtor
2007-12-21 18:58 3,012 ----a-w C:\drmHeader.bin
.

<pre>
----a-w 335,872 2008-01-03 15:31:24 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
----a-w 110,592 2008-01-08 14:20:45 C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe
----a-w 45,056 2008-01-09 14:43:10 C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet .EXE
----a-w 49,152 2008-01-09 14:43:07 C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol .exe
----a-w 204,800 2008-01-08 14:20:41 C:\Program Files\Dell\Media Experience\PCMService .exe
----a-w 712,704 2008-01-02 18:57:04 C:\Program Files\Maxtor\ManagerApp\Onetouch .exe
----a-w 81,920 2008-01-02 18:57:01 C:\Program Files\Maxtor\OneTouch Status\maxmenumgr .exe
----a-w 1,694,208 2007-12-31 17:18:25 C:\Program Files\Messenger\MSMSGS .EXE
----a-w 33,648 2008-01-11 23:08:35 C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe
----a-w 286,720 2008-01-13 20:51:14 C:\Program Files\QuickTime\qttask .exe
----a-w 90,112 2008-01-09 14:43:12 C:\WINDOWS\UpdReg .EXE
----a-w 15,360 2008-01-21 04:41:33 C:\WINDOWS\SYSTEM32\ctfmon .exe
----a-w 28,672 2008-01-09 14:43:15 C:\WINDOWS\SYSTEM32\DSentry .exe
----a-w 114,744 2008-01-09 14:43:07 C:\WINDOWS\SYSTEM32\dla\tfswctrl .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{be24949a-9713-48a3-a5f6-64b8016a2907}]
C:\WINDOWS\system32\ssavhnkx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [ ]
"SB Audigy 2 Startup Menu"=" /L:ENG" []
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 12:24 28672 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 03:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [ ]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [ ]
"CTDVDDet"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [ ]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [ ]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [ ]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [ ]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [ ]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [ ]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2008-01-23 18:47 582992]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 18944 C:\WINDOWS\SYSTEM32\CTXFIHLP.EXE]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-23 18:47 185896]

C:\Documents and Settings\Derk\Start Menu\Programs\Startup\
palmOne Registration.lnk - C:\Program Files\Palm\register.exe [2005-09-19 12:20:36 2367488]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2004-01-15 21:49:48 49254]
HotSync Manager.lnk - C:\Program Files\Palm\Hotsync.exe [2004-06-09 14:16:08 471040]
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [2004-06-09 14:16:08 471040]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\pmkhi.exe


.
Contents of the 'Scheduled Tasks' folder
"2004-01-08 00:30:00 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\System32\OOBE\OOBEBALN.EXE
"2007-07-14 14:32:30 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2007-07-14 14:32:28 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-01-24 00:35:57 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-23 19:36:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

new_sd_user
2008-01-24, 02:00
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:58, on 2008-01-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: {7092a610-8b46-6f5a-3a84-3179a94942eb} - {be24949a-9713-48a3-a5f6-64b8016a2907} - C:\WINDOWS\system32\ssavhnkx.dll (file missing)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: palmOne Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191523292156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191523254359
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://campuscentercam.its.wesleyan.edu/activex/AMC.cab
O16 - DPF: {80922B68-D8DE-11D5-8D10-0050DAD09327} (Batch Processing Control) - http://www.thomsononeanalytics.com/plugins/BatchPrintNT.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15033/CTPID.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

--
End of file - 9131 bytes
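A triage pass over HijackThis entries like the ones in the log above, added here as an example; it is not part of the thread and not HijackThis code. The sample lines are constructed in the HijackThis v2 format from the log's own entries, and the two flags ('target-missing' for a load point whose file HijackThis could not find, 'bho-named-by-clsid' for a BHO whose display name is a bare CLSID, as the Virtumonde O2 line above shows) are this example's own heuristics, not rules from any tool.

```python
"""Triage a HijackThis v2 log: surface load points worth a second look.

Added example, not from the thread. The flags are this example's own
heuristics, chosen to match the Virtumonde BHO entry in the log above.
"""
import re

# Constructed sample in HijackThis v2 format, modelled on the thread's log.
SAMPLE_LOG = [
    r'O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx',
    r'O2 - BHO: {7092a610-8b46-6f5a-3a84-3179a94942eb} - {be24949a-9713-48a3-a5f6-64b8016a2907} - C:\WINDOWS\system32\ssavhnkx.dll (file missing)',
    r'O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)',
    r'O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll',
    r'O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe (file missing)',
]

# "O2 - <body>", "O23 - <body>", "R1 - <body>" and so on.
ENTRY_RE = re.compile(r'^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$')
# A bare COM class id such as {be24949a-9713-48a3-a5f6-64b8016a2907}.
CLSID_RE = re.compile(r'^\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$')
# HijackThis appends these when the registered file is not on disk.
MISSING_MARKERS = ('(file missing)', '(no file)')


def parse_bho(body):
    """Split an O2 body 'BHO: <name> - <clsid> - <path>' into its three fields."""
    if not body.startswith('BHO: '):
        return None
    parts = body[len('BHO: '):].split(' - ', 2)
    if len(parts) != 3:
        return None
    name, clsid, path = parts
    return {'name': name, 'clsid': clsid, 'path': path}


def flags_for(line):
    """Return the triage flags that apply to one log line ([] = nothing notable)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group('section'), m.group('body')
    flags = []
    # A load point whose target is gone is a leftover registration; the
    # Virtumonde BHO above looks like this once the DLL was removed but the
    # CLSID stayed behind, and the O23 service entry shows the benign version.
    if body.endswith(MISSING_MARKERS):
        flags.append('target-missing')
    if section == 'O2':
        bho = parse_bho(body)
        # Legitimate BHOs register a readable class name ('AcroIEHlprObj Class');
        # a display name that is itself a CLSID is worth checking by hand.
        if bho and CLSID_RE.match(bho['name']):
            flags.append('bho-named-by-clsid')
    return flags


def triage(lines):
    """Return [(section, flags, line)] for every line that raised a flag."""
    out = []
    for line in lines:
        flags = flags_for(line)
        if flags:
            section = ENTRY_RE.match(line.strip()).group('section')
            out.append((section, flags, line.strip()))
    return out


if __name__ == '__main__':
    for section, flags, line in triage(SAMPLE_LOG):
        print(f'{section:4} {", ".join(flags):35} {line}')
```

Flagged lines are candidates for review, not verdicts: an orphaned O9 button or a service whose uninstaller left its registration behind will trip 'target-missing' just as a half-removed BHO does.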

new_sd_user
2008-01-24, 04:07
FYI - ran Spybot again. No trace of the aforementioned garbage. Looks like it may be fixed.

Will post again if I have more trouble. Otherwise, thank you kindly for your help.

steamwiz
2008-01-24, 18:31
Hi

Your computer is nowhere near clean yet; there is still plenty to do. Your last post suggests you do not intend to return to this thread; please let me know what you intend to do?

steam

new_sd_user
2008-01-27, 21:33
Steam,

My computer appears to be running very well.

Thank you very much for your help.

What else do you think I need to do?

steamwiz
2008-01-28, 00:09
Hi

First ...

Please Download CCleaner from :-

http://www.filehippo.com/download_ccleaner/ (click the download tab)

During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.

Double-click the ccsetup.exe file and install the program...

After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

Make sure the "windows" tab is selected

Under "internet explorer" tick...

Temporary internet files
Cookies* > see Note below
History
Recently typed URLs (leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
Delete index.dat files
Last download location
Autocomplete form history


under "Windows explorer" these are optional, but you can safely tick them all if you wish, they are only "most recently used lists"

Other explorer MRUs (leave this unticked if you DON'T want to clear lists such as the start\run list)

under "System"

Tick ALL these ...


under "Advanced"

no need to tick any of these (but you can if you want, and realise what they do)


Applications tab...

These will mostly clean out old log files for these applications...

Clean:- (if you use them)

Firefox/Mozilla (optional - leave the cookies - see note)
Opera
Sun Java
ZoneAlarm
...
Personally I clean everything in the applications tab... but you tick what you want...

Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.

click "analyse" if you want to see a list of what is going to be removed, before it is removed.

Or

click "run cleaner" to let it get on with its work... clicking this will result in the following pop-up

"This process will permanently delete files from your system. Are you sure you wish to proceed?"

click OK.

---
Second ...

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word Folder:: is on the first line of the text file you save (no blank line above it, & no space in front of it)


Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{be24949a-9713-48a3-a5f6-64b8016a2907}]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

RenV::
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet .EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol .exe
C:\Program Files\Dell\Media Experience\PCMService .exe
C:\Program Files\Maxtor\ManagerApp\Onetouch .exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr .exe
C:\Program Files\Messenger\MSMSGS .EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe
C:\Program Files\QuickTime\qttask .exe
C:\WINDOWS\UpdReg .EXE
C:\WINDOWS\SYSTEM32\ctfmon .exe
C:\WINDOWS\SYSTEM32\DSentry .exe
C:\WINDOWS\SYSTEM32\dla\tfswctrl .exe


Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

---
Third ...

This will clear all your infected restore points...

Turn off (Disable) System Restore in XP :-

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.

Then...

Turn on (enable) System Restore :-

Follow the same procedure, but this time uncheck Turn off System Restore

if you have any problem with this... here's a link to instructions :-


Disabling or enabling Windows XP System Restore >

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam

---
Fourth and last ...

Run a new KASPERSKY ONLINE SCAN & post the report

steam

new_sd_user
2008-01-29, 01:44
I did everything as directed.

On applying the ComboFix script you pasted it ran for over an hour before I forced a restart. I tried it a second time and it did the same - desktop disappeared but the mouse was still responsive. Ctrl-Alt-Del worked and showed no applications running, but allowed a restart. Tried ComboFix on its own (started the application itself without your script) and had the same result.

Kaspersky online scan runs to 72% and then stops. Tried it twice today (more than an hour each time). Then left it running while I went to dinner. Was at 72% when I left and hadn't moved 3hrs later when I got home. Killed it.

CCleaner did run, and a HijackThis log is posted below.

Btw - my computer appears to be running fine now - what do you think is wrong?

Many thanks

new_sd_user
2008-01-29, 01:45
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:18, on 2008-01-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\blp\Wintrv\wintrv.exe
C:\blp\Wintrv\SmartClient\blpsmarthost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: {7092a610-8b46-6f5a-3a84-3179a94942eb} - {be24949a-9713-48a3-a5f6-64b8016a2907} - C:\WINDOWS\system32\ssavhnkx.dll (file missing)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191523292156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191523254359
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://campuscentercam.its.wesleyan.edu/activex/AMC.cab
O16 - DPF: {80922B68-D8DE-11D5-8D10-0050DAD09327} (Batch Processing Control) - http://www.thomsononeanalytics.com/plugins/BatchPrintNT.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15033/CTPID.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

--
End of file - 9616 bytes

pskelley
2008-02-05, 01:16
Hello, I apologize for the wait, steamwiz is not available just now. In your last post you indicated:

Btw - my computer appears to be running fine now - what do you think is wrong?

Use HJT to remove this line, it is leftovers:
O2 - BHO: {7092a610-8b46-6f5a-3a84-3179a94942eb} - {be24949a-9713-48a3-a5f6-64b8016a2907} - C:\WINDOWS\system32\ssavhnkx.dll (file missing)

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
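As an added example (not part of this thread, nor code from HijackThis or ComboFix), the following Python script parses HijackThis lines of the kind posted above and flags the two indicators the helpers acted on: a BHO whose display name is itself a CLSID and whose DLL is missing (the "leftovers" line pskelley points at), and startup paths with a space before the extension (the names in the RenV:: list of steamwiz's CFScript). The sample lines are constructed and modelled on this thread's log; the CFScript fragment it assembles follows the directive layout of steamwiz's script and is meant as a draft for a helper to review, not something to run unread.

```python
import re

# Constructed sample lines in HijackThis format, modelled on the thread's log.
# The " .exe" names are taken from the RenV:: list in steamwiz's CFScript.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: {7092a610-8b46-6f5a-3a84-3179a94942eb} - {be24949a-9713-48a3-a5f6-64b8016a2907} - C:\\WINDOWS\\system32\\ssavhnkx.dll (file missing)
O4 - HKLM\\..\\Run: [ATIPTA] C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx .exe
O4 - HKLM\\..\\Run: [dla] C:\\WINDOWS\\system32\\dla\\tfswctrl.exe
O4 - HKCU\\..\\Run: [MSMSGS] "C:\\Program Files\\Messenger\\MSMSGS .EXE" /background
O23 - Service: MaxBackServiceInt - Unknown owner - C:\\Program Files\\Maxtor\\Maxtor Backup\\MaxBackServiceInt.exe (file missing)
"""

# 8-4-4-4-12 hex groups in braces, the shape of a COM CLSID.
CLSID = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)

def parse_hjt(text):
    """Split HijackThis lines into (section, rest) pairs; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"^(O\d+|R\d) - (.*)$", line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def leftover_bhos(entries):
    """O2 entries whose display name is itself a CLSID and whose DLL is gone:
    the shape of the line pskelley told the poster to remove with HJT.
    Returns the registration CLSIDs, which is what a Registry:: removal needs."""
    hits = []
    for section, rest in entries:
        if section != "O2":
            continue
        fields = [f.strip() for f in rest.split(" - ")]
        name = fields[0][len("BHO: "):]          # "BHO: <name>" -> "<name>"
        if CLSID.match(name) and rest.endswith("(file missing)"):
            hits.append(fields[1])
    return hits

def renv_candidates(entries):
    """Full paths with a space right before .exe/.dll. A legitimate program
    never has that; the thread's RenV:: list is exactly these names."""
    paths = []
    for _section, rest in entries:
        for m in re.finditer(r'"?([A-Z]:\\[^"\n]*? \.(?:exe|dll))"?', rest, re.I):
            paths.append(m.group(1))
    return paths

def build_cfscript(entries):
    """Assemble the Registry:: and RenV:: sections in the layout steamwiz used."""
    lines = ["Registry::"]
    for clsid in leftover_bhos(entries):
        lines.append(f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{clsid}]")
    lines += ["", "RenV::"] + renv_candidates(entries)
    return "\n".join(lines)

if __name__ == "__main__":
    print(build_cfscript(parse_hjt(SAMPLE_LOG)))
```

Note that "(file missing)" alone is not a verdict: the MaxBackServiceInt service in the sample is flagged by neither check, just as the helpers left it alone in the thread.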