
virtumonde/vundo(?) purgatory



BillG
2008-01-31, 16:57
Been going around in circles for 4 days. Spybot, Panda and Microsoft Live OneCare can all "find" traces of it, can all "fix" it, but none can "remove" it! Always comes back right away. Only way I seem to be able to go online without being jerked all over the place is if I boot up in Safe Mode.

Followed your forum's online step by step procedure. HJT log follows then the Kaspersky log. Kaspersky scan found a number of problems but forum instructions didn't say to fix anything, so I didn't.

Help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:02:02 AM, on 1/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\AVENGINE.EXE
C:\WINNT\system32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsCtrls.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
c:\program files\panda software\panda antivirus + firewall 2007\firewall\PSHOST.EXE
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\APVXDWIN.EXE
C:\WINNT\system32\Rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\WebProxy.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\avciman.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\psimreal.exe
C:\WINNT\System32\svchost.exe
D:\Hijack\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINNT\System32\userinit.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [64e50835] rundll32.exe "C:\WINNT\system32\oevmekrd.dll",b
O4 - HKLM\..\Run: [BM67d63ba9] Rundll32.exe "C:\WINNT\system32\waxreovs.dll",s
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User '?')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User '?')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User '?')
O4 - HKUS\S-1-5-21-1292428093-1364589140-725345543-1000\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1 (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: http://www.windowsupdate.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://ispe.sdc.hp.com/awebui/jsp/answerweb/applets/HPISWebManager.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1185916500250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185916458640
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD233832-A5AD-4D0C-9786-758C676BCBD8}: NameServer = 24.158.63.8,24.158.63.9
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software International - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda software\panda antivirus + firewall 2007\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe
O24 - Desktop Component 0: (no name) - http://us.i1.yimg.com/us.yimg.com/i/ww/bt1/ml.gif

--
End of file - 7724 bytes

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, January 30, 2008 9:19:55 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 30/01/2008
Kaspersky Anti-Virus database records: 538921
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 40301
Number of viruses found: 1
Number of infected objects: 8
Number of suspicious objects: 0
Duration of the scan process: 01:18:11

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Asus\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Asus\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Asus\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Asus\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Asus\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Asus\ntuser.dat Object is locked skipped
C:\Documents and Settings\Asus\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\cace2423dfb97c58fe7dd9f120557063PSK_NAMES Object is locked skipped
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\cace2423dfb97c58fe7dd9f120557063PSK_NAMES2 Object is locked skipped
C:\RECYCLER\NPROTECT\00000000.dat Object is locked skipped
C:\RECYCLER\NPROTECT\00000001.dat Object is locked skipped
C:\RECYCLER\NPROTECT\00000002.dat Object is locked skipped
C:\RECYCLER\NPROTECT\00000003.LIV Object is locked skipped
C:\RECYCLER\NPROTECT\00000006.dat Object is locked skipped
C:\RECYCLER\NPROTECT\00000007.dat Object is locked skipped
C:\RECYCLER\NPROTECT\00000015.edb Object is locked skipped
C:\RECYCLER\NPROTECT\00000016.dll Object is locked skipped
C:\RECYCLER\NPROTECT\00000021.rbf Object is locked skipped
C:\RECYCLER\NPROTECT\00000022.rbf Object is locked skipped
C:\RECYCLER\NPROTECT\00000023.rbf Object is locked skipped
C:\RECYCLER\NPROTECT\00000028.000 Object is locked skipped
C:\RECYCLER\NPROTECT\00000029.exe Object is locked skipped
C:\RECYCLER\NPROTECT\00000030.exe Object is locked skipped
C:\RECYCLER\NPROTECT\00000031.exe Object is locked skipped
C:\RECYCLER\NPROTECT\00000032.exe Object is locked skipped
C:\RECYCLER\NPROTECT\00000033.exe Object is locked skipped
C:\RECYCLER\NPROTECT\00000034.exe Object is locked skipped
C:\RECYCLER\NPROTECT\00000035.acs Object is locked skipped
C:\RECYCLER\NPROTECT\00000036.ISU Object is locked skipped
C:\RECYCLER\NPROTECT\00000037.exe Object is locked skipped
C:\RECYCLER\NPROTECT\00000038.chm Object is locked skipped
C:\RECYCLER\NPROTECT\00000039.dll Object is locked skipped
C:\RECYCLER\NPROTECT\00000040.exe Object is locked skipped
C:\RECYCLER\NPROTECT\00000041.dll Object is locked skipped
C:\RECYCLER\NPROTECT\00000042.sys Object is locked skipped
C:\RECYCLER\NPROTECT\00000046.DAT Object is locked skipped
C:\RECYCLER\NPROTECT\00000047.DAT Object is locked skipped
C:\RECYCLER\NPROTECT\00000054.PNF Object is locked skipped
C:\RECYCLER\NPROTECT\00000055.DAT Object is locked skipped
C:\RECYCLER\NPROTECT\00000056.DAT Object is locked skipped
C:\RECYCLER\NPROTECT\00000059.DAT Object is locked skipped
C:\RECYCLER\NPROTECT\00000060.DAT Object is locked skipped
C:\RECYCLER\NPROTECT\00000075.DAT Object is locked skipped
C:\RECYCLER\NPROTECT\00000076.DAT Object is locked skipped
C:\RECYCLER\NPROTECT\00000078.PNF Object is locked skipped
C:\RECYCLER\NPROTECT\00000086.386 Object is locked skipped
C:\RECYCLER\NPROTECT\00000087.DLL Object is locked skipped
C:\RECYCLER\NPROTECT\00000088.SYS Object is locked skipped
C:\RECYCLER\NPROTECT\00000089.386 Object is locked skipped
C:\RECYCLER\NPROTECT\00000090.DLL Object is locked skipped
C:\RECYCLER\NPROTECT\00000091.SYS Object is locked skipped
C:\RECYCLER\NPROTECT\00000092.INF Object is locked skipped
C:\RECYCLER\NPROTECT\00000093.CAT Object is locked skipped
C:\RECYCLER\NPROTECT\00000094.dat Object is locked skipped
C:\RECYCLER\NPROTECT\00000095.dat Object is locked skipped
C:\RECYCLER\NPROTECT\00000096.dat Object is locked skipped
C:\RECYCLER\NPROTECT\00000097.dat Object is locked skipped
C:\RECYCLER\NPROTECT\00000098.DAT Object is locked skipped
C:\RECYCLER\NPROTECT\00000099.DAT Object is locked skipped
C:\RECYCLER\NPROTECT\00000100.DAT Object is locked skipped
C:\RECYCLER\NPROTECT\00000101.dat Object is locked skipped
C:\RECYCLER\NPROTECT\00000102.dat Object is locked skipped
C:\RECYCLER\NPROTECT\00000103.dat Object is locked skipped
C:\RECYCLER\NPROTECT\00000104.LIV Object is locked skipped
C:\RECYCLER\NPROTECT\00000105.dat Object is locked skipped
C:\RECYCLER\NPROTECT\00000107.DAT Object is locked skipped
C:\RECYCLER\NPROTECT\00000108.DAT Object is locked skipped
C:\RECYCLER\NPROTECT\00000109.DAT Object is locked skipped
C:\RECYCLER\NPROTECT\00000110.isu Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{26E8A554-6586-42CC-ACC3-A92E700341E5}\RP1\change.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\system32\CatRoot2\edb.log Object is locked skipped
C:\WINNT\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINNT\system32\config\sam Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\security Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINNT\system32\h323log.txt Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{26E8A554-6586-42CC-ACC3-A92E700341E5}\RP1\A0000217.exe/RegistrySmart/RegistrySmart.exe Infected: not-a-virus:FraudTool.Win32.RegistrySmart.a skipped
D:\System Volume Information\_restore{26E8A554-6586-42CC-ACC3-A92E700341E5}\RP1\A0000217.exe 7-Zip: infected - 1 skipped
D:\System Volume Information\_restore{26E8A554-6586-42CC-ACC3-A92E700341E5}\RP1\A0000217.exe UPX: infected - 1 skipped
D:\System Volume Information\_restore{26E8A554-6586-42CC-ACC3-A92E700341E5}\RP1\A0000217.exe PE_Patch.UPX: infected - 1 skipped
D:\System Volume Information\_restore{26E8A554-6586-42CC-ACC3-A92E700341E5}\RP1\A0000226.exe/RegistrySmart/RegistrySmart.exe Infected: not-a-virus:FraudTool.Win32.RegistrySmart.a skipped
D:\System Volume Information\_restore{26E8A554-6586-42CC-ACC3-A92E700341E5}\RP1\A0000226.exe 7-Zip: infected - 1 skipped
D:\System Volume Information\_restore{26E8A554-6586-42CC-ACC3-A92E700341E5}\RP1\A0000226.exe UPX: infected - 1 skipped
D:\System Volume Information\_restore{26E8A554-6586-42CC-ACC3-A92E700341E5}\RP1\A0000226.exe PE_Patch.UPX: infected - 1 skipped
D:\System Volume Information\_restore{26E8A554-6586-42CC-ACC3-A92E700341E5}\RP1\change.log Object is locked skipped

Scan process completed.
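As an added illustration, not code from the thread or from any of the tools it mentions: a small Python triage of HijackThis O4 lines that flags the Vundo-style pattern visible in the log above, namely rundll32 loading a randomly named DLL out of system32 under a hex-looking value name. The sample lines are copied from the log (plus one constructed benign entry); the heuristics and all function names are mine.

```python
import re
from dataclasses import dataclass, field

# Sample input constructed for this example: O4 lines taken from the
# HijackThis log above, plus a Global Startup line to show the non-registry shape.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE',
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r'O4 - HKLM\..\Run: [64e50835] rundll32.exe "C:\WINNT\system32\oevmekrd.dll",b',
    r'O4 - HKLM\..\Run: [BM67d63ba9] Rundll32.exe "C:\WINNT\system32\waxreovs.dll",s',
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
    r'O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE',
]

# Registry-backed O4 line: "O4 - <hive>\..\<Run|RunOnce>: [<value name>] <command>"
O4_REG_RE = re.compile(
    r'^O4 - (?P<hive>[^\[]+?)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)
# rundll32 invocation with the DLL as first argument, quoted or not
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)
# Vundo-style name: eight lowercase letters, dropped directly in system32
RANDOM_DLL_RE = re.compile(r'\\system32\\[a-z]{8}\.dll$', re.IGNORECASE)
# Value name that is just a hex blob (the "BM" prefix appears in the log above)
RANDOM_NAME_RE = re.compile(r'^(?:BM)?[0-9a-f]{8}$')


@dataclass
class O4Entry:
    hive: str
    key: str
    name: str
    cmd: str
    flags: list = field(default_factory=list)


def parse_o4(line):
    """Parse a registry O4 line; return None for other shapes (e.g. Global Startup)."""
    m = O4_REG_RE.match(line.strip())
    if not m:
        return None
    return O4Entry(m['hive'], m['key'], m['name'], m['cmd'].strip())


def triage(entry):
    """Attach heuristic flags to an entry. No single flag proves infection."""
    dll = RUNDLL_RE.match(entry.cmd)
    if dll:
        entry.flags.append('rundll32-load')
        if RANDOM_DLL_RE.search(dll['dll']):
            entry.flags.append('random-named-system32-dll')
    if RANDOM_NAME_RE.match(entry.name):
        entry.flags.append('random-value-name')
    return entry


def is_suspicious(entry):
    """Strong signal: random DLL in system32, or rundll32 under a random value name."""
    f = set(entry.flags)
    return 'random-named-system32-dll' in f or {'rundll32-load', 'random-value-name'} <= f


def suspicious_entries(lines):
    """Parse and triage every line; return the entries a helper should look at first."""
    hits = []
    for line in lines:
        entry = parse_o4(line)
        if entry is not None and is_suspicious(triage(entry)):
            hits.append(entry)
    return hits


if __name__ == '__main__':
    for e in suspicious_entries(SAMPLE_O4_LINES):
        print(f'{e.hive}\\..\\{e.key} [{e.name}] -> {e.cmd}  flags={e.flags}')
```

Run against the two O4 lines from the log, both rundll32 entries are reported and the legitimate autostarts are not.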

ken545
2008-02-01, 21:46
Hello BillG

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.


Delete the copy of HJT that you installed on your D:\ drive and download a fresh copy; install it in the default location on your C:\ drive.

Download Trend Micro's HijackThis (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe) to your desktop.
Double click it to install.
Follow the prompts and by default it will install in C:\Program Files\Trendmicro\Hijackthis\HijackThis.exe



It's important that you download and run this program from your desktop.
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the ComboFix log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Post the ComboFix log and a new HJT log please.

BillG
2008-02-02, 20:03
Thanks for your reply ken545. I now know how shipwreck victims feel when a rescue helicopter comes into view and heads towards their lifeboat.

Logs you requested follow.

Would have posted sooner except between my original post and your reply I had uninstalled Panda and installed Kaspersky Anti-Virus in hopes of a miracle (none occurred). Probably should have mentioned it to you before following your advice since KAV seems much more powerful than Panda and KAV didn't think much of ComboFix. Kept saying it had a "heur.invader" virus every time I tried to download it from Bleepingcomputer. After a stressful evening, I finally determined what was happening and that it wasn't a problem. First download site listed in your reply (techsupportforum) does not download correctly and brings in a file of 0 bytes - "not a valid win32 app" when you try to run it.

ComboFix 08-02.02.5 - Asus 2008-02-02 11:30:41.1 - NTFSx86

Running from: C:\Documents and Settings\Asus\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\system32\ddccc.dll
C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\WINNT\cookies.ini
C:\WINNT\system32\cccdd.ini
C:\WINNT\system32\cccdd.ini2
C:\WINNT\system32\chnokaym.dll
C:\WINNT\system32\daxwlodo.dll
C:\WINNT\system32\ddccc.dll
C:\WINNT\system32\drkemveo.ini
C:\WINNT\system32\ewdnrtif.dll
C:\WINNT\system32\figxnfup.ini
C:\WINNT\system32\grouppolicy\machine\scripts\scripts.ini
C:\WINNT\system32\hohhctww.dll
C:\WINNT\system32\jvhqgbey.ini
C:\WINNT\system32\lymkdvdg.dll
C:\WINNT\system32\odolwxad.ini
C:\WINNT\system32\oevmekrd.dll
C:\WINNT\system32\pyjwqlke.ini
C:\WINNT\system32\srqss.ini
C:\WINNT\system32\srqss.ini2
C:\WINNT\system32\ueulghpa.dll
C:\WINNT\system32\waxreovs.dll
C:\WINNT\system32\wqyiokxw.dll
C:\WINNT\system32\yebgqhvj.dll
C:\WINNT\system32\yebhskkk.dll
C:\WINNT\system32\ynuwusuv.dll
C:\WINNT\Web\default.htt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\nm


((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))
.

2008-02-01 13:48 . 2008-02-01 15:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-01 09:55 . 2008-02-01 10:06 91,700 --a------ C:\WINNT\system32\drivers\klin.dat
2008-02-01 09:55 . 2008-02-01 09:55 85,860 --a------ C:\WINNT\system32\drivers\klick.dat
2008-02-01 09:54 . 2008-02-01 09:54 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-02-01 09:54 . 2008-02-02 11:52 2,243,616 --ahs---- C:\WINNT\system32\drivers\fidbox.dat
2008-02-01 09:54 . 2008-02-02 11:52 31,952 --ahs---- C:\WINNT\system32\drivers\fidbox.idx
2008-02-01 09:54 . 2008-02-02 11:53 17,952 --ahs---- C:\WINNT\system32\drivers\fidbox2.dat
2008-02-01 09:54 . 2008-02-02 11:52 3,776 --ahs---- C:\WINNT\system32\drivers\fidbox2.idx
2008-02-01 09:47 . 2008-02-01 09:47 <DIR> d-------- C:\kav
2008-01-30 15:56 . 2008-01-30 15:56 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2008-01-30 15:56 . 2008-02-02 11:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-30 10:51 . 2008-01-30 10:55 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-01-29 18:17 . 2008-01-29 18:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-29 14:30 . 2008-02-02 11:11 22 --a------ C:\WINNT\pskt.ini
2008-01-29 13:07 . 2008-01-29 13:30 <DIR> d-------- C:\Program Files\RegistrySmart
2008-01-28 16:40 . 2008-01-28 17:39 92,544 --a------ C:\WINNT\system32\drivers\~av5flt.sys
2008-01-28 12:30 . 2008-01-28 12:30 <DIR> d-------- C:\Documents and Settings\Asus\Application Data\MSN6
2008-01-28 12:30 . 2008-01-28 12:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN6
2008-01-28 11:48 . 2008-01-29 09:01 <DIR> d----c--- C:\WINNT\system32\DRVSTORE
2008-01-28 11:48 . 2008-01-16 11:06 19,568 --a------ C:\WINNT\system32\drivers\adwarealert.sys
2008-01-27 10:10 . 2006-08-21 04:14 128,896 -----c--- C:\WINNT\system32\dllcache\fltmgr.sys
2008-01-27 10:10 . 2006-08-21 04:14 23,040 -----c--- C:\WINNT\system32\dllcache\fltmc.exe
2008-01-27 10:10 . 2006-08-21 07:21 16,896 -----c--- C:\WINNT\system32\dllcache\fltlib.dll
2008-01-27 10:05 . 2008-01-27 10:05 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-01-26 17:06 . 2007-09-07 05:04 524,317 -----c--- C:\WINNT\system32\dllcache\kodakimg.exe
2008-01-26 17:06 . 2007-09-07 12:57 448,029 -----c--- C:\WINNT\system32\dllcache\oieng400.dll
2008-01-26 17:06 . 2007-09-07 05:04 73,245 -----c--- C:\WINNT\system32\dllcache\kodakprv.exe
2008-01-26 17:06 . 2007-09-07 12:57 38,941 -----c--- C:\WINNT\system32\dllcache\jpeg2x32.dll
2008-01-26 17:06 . 2007-09-07 12:57 33,307 -----c--- C:\WINNT\system32\dllcache\tifflt.dll
2008-01-26 16:20 . 2007-07-09 08:09 584,192 -----c--- C:\WINNT\system32\dllcache\rpcrt4.dll
2008-01-26 15:48 . 2008-01-26 15:51 <DIR> d-------- C:\Program Files\RegCure
2008-01-26 15:36 . 2008-01-28 17:23 <DIR> d-------- C:\Program Files\XoftSpySE
2008-01-26 10:57 . 2007-07-30 19:19 30,072 --a------ C:\WINNT\system32\mucltui.dll.mui
2008-01-26 10:56 . 2007-07-30 19:19 25,944 --a------ C:\WINNT\system32\wuapi.dll.mui
2008-01-24 11:04 . 2007-04-03 10:19 1,990 --a------ C:\WINNT\system32\drivers\net_m32.inf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-01 14:51 --------- d-----w C:\Program Files\Panda Software
2008-02-01 14:51 --------- d-----w C:\Program Files\Common Files\Panda Software
2008-01-30 01:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-29 18:07 --------- d-----w C:\Documents and Settings\Asus\Application Data\RegistrySmart
2008-01-29 17:34 --------- d--h--w C:\Program Files\Zero G Registry
2008-01-29 17:34 --------- d-----w C:\Program Files\Hewlett-Packard
2008-01-29 17:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-29 17:28 --------- d-----w C:\Program Files\EAGLE-4.16
2008-01-28 22:39 92,544 ----a-w C:\WINNT\system32\drivers\~av5flt.sys
2008-01-05 00:45 --------- d-----w C:\Program Files\Real
2007-12-18 05:43 23,396 ----a-w C:\WINNT\system32\drivers\klopp.dat
2007-12-13 18:28 24,592 ----a-w C:\WINNT\system32\drivers\klim5.sys
2007-05-08 14:33 115,912 ----a-w C:\Documents and Settings\Asus\Application Data\GDIPFONTCACHEV1.DAT
2005-06-02 03:28 271 --sh--w C:\Program Files\desktop.ini
2005-06-02 03:28 21,952 ---h--w C:\Program Files\folder.htt
2007-03-06 16:16 88 --sha-r C:\WINNT\system32\D6F8C7A873.sys
2007-06-29 13:49 2,516 --sha-w C:\WINNT\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-10-24 14:53 307200]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [2004-08-04 02:56 143360 C:\WINNT\system32\mobsync.exe]
"SoundMan"="SOUNDMAN.EXE" [2002-03-21 09:23 46592 C:\WINNT\SOUNDMAN.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-02-25 10:26 77824]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 16:15 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 16:15 81920]
"AudioDeck"="C:\Program Files\VIAudioi\SBADeck\ADeck.exe" [2006-03-20 15:26 516096]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-12-18 00:43 227856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2004-08-04 02:56 214528]
"tscuninstall"="C:\WINNT\system32\tscupgrd.exe" [2004-08-04 00:59 44544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2007-03-07 18:59:15 118784]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56 65588]


.
Contents of the 'Scheduled Tasks' folder
"2008-02-02 16:54:51 C:\WINNT\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-01-26 20:48:25 C:\WINNT\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-02-02 08:30:00 C:\WINNT\Tasks\RegistrySmart Scheduled Scan.job"
- C:\Program Files\RegistrySmart\RegistrySmart.ex
- C:\Program Files\RegistrySmart
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 11:54:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\WINNT\System32\wdfmgr.exe
C:\WINNT\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-02 12:00:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-02 17:00:16
.
2008-01-29 14:34:41 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:52:13 PM, on 2/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User '?')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User '?')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User '?')
O4 - HKUS\S-1-5-21-1292428093-1364589140-725345543-1000\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1 (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: http://www.windowsupdate.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://ispe.sdc.hp.com/awebui/jsp/answerweb/applets/HPISWebManager.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1185916500250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185916458640
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD233832-A5AD-4D0C-9786-758C676BCBD8}: NameServer = 24.158.63.8,24.158.63.9
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O24 - Desktop Component 0: (no name) - http://us.i1.yimg.com/us.yimg.com/i/ww/bt1/ml.gif

--
End of file - 6032 bytes

ken545
2008-02-03, 02:17
Hello,

You did have a Vundo infection going on and it looks like most of it is gone. :bigthumb: Let's do a few more things.

Open HijackThis > Do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

C:\Program Files\RegistrySmart <-- this program falls somewhere in the grey area and is not recommended. You can uninstall it via Add/Remove Programs in the Control Panel. A word on Registry Cleaners: unless you're a Windows expert and know 100% what you're removing, I would not fool with a Reg Cleaner; remove the wrong entries and you can bork your system big time.

Before you run OtMoveIt: the second file in my fix is related to Panda, which you said you removed.

Please download OTMoveIt2 (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe) by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINNT\pskt.ini
C:\WINNT\system32\drivers\~av5flt.sysi

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Post the OtMoveIt log and a new HJT log, please.

BillG
2008-02-03, 21:29
Followed your instructions. Also uninstalled the registry cleaner program per your advice. I'm aware of how dangerous they can be and never had one before my Vundo attack made me desperate.

After reading the OTMoveIt results, I searched my PC for *av5* and found ~av5flt.sys (no "i") in the drivers folder.

I'll wait for your instructions.

Thanks


C:\WINNT\pskt.ini moved successfully.
File/Folder C:\WINNT\system32\drivers\~av5flt.sysi not found.

OTMoveIt2 v1.0.17 log created on 02032008_140636

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:07:57 PM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User '?')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User '?')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User '?')
O4 - HKUS\S-1-5-21-1292428093-1364589140-725345543-1000\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1 (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: http://www.windowsupdate.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://ispe.sdc.hp.com/awebui/jsp/answerweb/applets/HPISWebManager.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1185916500250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185916458640
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD233832-A5AD-4D0C-9786-758C676BCBD8}: NameServer = 24.158.63.8,24.158.63.9
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O24 - Desktop Component 0: (no name) - http://us.i1.yimg.com/us.yimg.com/i/ww/bt1/ml.gif

--
End of file - 5921 bytes
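
The comparison the helper does by eye in this thread (reading a HijackThis log, spotting the blank R0 values and any other entries worth a second look, then checking the next log to confirm they are gone) can be automated. The Python below is an added example and is not a tool from this thread or from HijackThis itself; the function names (`parse_hjt`, `flag_entries`, `diff_logs`) are my own, and the two log excerpts are constructed from the lines posted above, cut down to the entries needed to show the before/after difference.

```python
"""Triage helper for HijackThis (HJT) logs: parse the entries, flag the kinds
of lines a helper usually asks about, and diff a 'before' log against an
'after' log so the fixed entries are visible at a glance."""
import re
from typing import Dict, List, Tuple

# One HJT entry: a section code (R0, O4, O17, O23, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.*)$")

# Constructed excerpts modelled on the two logs posted in this thread; only
# the lines needed to show the comparison are included, not the full logs.
LOG_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD233832-A5AD-4D0C-9786-758C676BCBD8}: NameServer = 24.158.63.8,24.158.63.9
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
--
End of file - 6032 bytes
"""

LOG_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD233832-A5AD-4D0C-9786-758C676BCBD8}: NameServer = 24.158.63.8,24.158.63.9
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
--
End of file - 5921 bytes
"""


def parse_hjt(text: str) -> Dict[str, List[str]]:
    """Group entry bodies by section code; process list, header and footer are skipped."""
    sections: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            sections.setdefault(m.group(1), []).append(m.group(2))
    return sections


def flag_entries(sections: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Apply the checks a helper applies by eye; each hit is (entry, reason)."""
    flags: List[Tuple[str, str]] = []
    for body in sections.get("R0", []) + sections.get("R1", []):
        # A blank value after '=' is what the helper in this thread asked the
        # poster to fix: harmless on its own, but residue worth cleaning up.
        if body.rstrip().endswith("="):
            flags.append((body, "blank browser page value; fix with HJT"))
    for body in sections.get("O17", []):
        # Hard-coded DNS servers are normal for an ISP connection, but this is
        # also where a DNS changer leaves its mark, so confirm who owns them.
        if "NameServer" in body:
            flags.append((body, "DNS servers set in registry; confirm they belong to the ISP"))
    for body in sections.get("O23", []):
        if "Unknown owner" in body:
            flags.append((body, "service with no publisher string; verify the binary"))
    return flags


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Entries only in the first log (removed/fixed) and only in the second (new)."""
    def flat(text: str):
        # Keep the section code with the body so equal bodies in different
        # sections stay distinct.
        return {f"{sec} - {body}" for sec, bodies in parse_hjt(text).items() for body in bodies}
    b, a = flat(before), flat(after)
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for entry, why in flag_entries(parse_hjt(LOG_BEFORE)):
        print(f"[{why}] {entry}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("gone since last log:", *removed, sep="\n  ")
    print("new since last log:", *added, sep="\n  ")
```

Run against the two excerpts, the diff reports the two blank Local Page entries as gone and the KernelFaultCheck Run entry as new; the flags are prompts for a human to check, not verdicts, which is why the O17 and O23 hits say "confirm" and "verify" rather than "fix".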

ken545
2008-02-03, 23:45
Bad typing on my end :red: ~av5flt.sys <-- this is correct. You can try deleting it manually; it should let you since Panda is gone. If not, run it through OtMoveIt.

The rest of your log looks fine :bigthumb: How are things running now?

BillG
2008-02-04, 19:39
A big thanks for getting rid of this for me. Been running just fine for 2 days now. A simple delete of ~av5flt.sys removed it. Wish more computer people were like you folks at the forum instead of the creeps who come up with this garbage. Just looking at the number of posts related to this problem indicates it's not going away anytime soon.

It's also disheartening to see how many companies advertise a solution when they really don't have one. Even the big, well known anti-virus guys!

I've made a donation before and I'm about to send another one.

Safer Networking Forums is now in my Favorites but sincerely hope that I don't need you again!

ken545
2008-02-04, 20:05
Thanks Bill,


With all the removal forums, I have to estimate there are 1000s of people posting with infected computers. A large percentage of this garbage comes from the RBN (Russian Business Network); just Google it and it will give you a ton of info about these cyber crooks. Most of this stuff comes from offshore, where the US has no control.

Malware Complaints (http://malwarecomplaints.info/index.php)
Are you mad? I mean really mad, seething mad, so mad you're ready to spit, mad that you have taken your hard-earned dollars to buy a computer only to have some Miscreants, Dirt Bags and Cyber Criminals install a malicious program on your computer without your knowledge or consent? You can post your complaint at the above site. If you live in the U.S.A. you can also report your grievance to your State Attorney General's Office and the Federal Trade Commission's Bureau of Consumer Protection.

How did I get infected in the first place? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)

Keep in mind, if you install some of these programs: only ONE Anti Virus and only ONE Firewall is recommended; more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy, but do not enable the TeaTimer in Spybot.

Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community.

Spybot Search and Destroy 1.5 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 2.0.0.6 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.

Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free Firewall from Zone Labs.

Glad we could help.

Safe Surfn
Ken