Virtumonde again



Connery
2008-03-03, 03:31
Still working my way through getting updates working as described here:
http://forums.spybot.info/showpost.php?p=162686&postcount=35
Not working so far, and meanwhile I've been hit again.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, February 29, 2008 2:32:40 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/02/2008
Kaspersky Anti-Virus database records: 587936
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 75186
Number of viruses found: 23
Number of infected objects: 318
Number of suspicious objects: 0
Duration of the scan process: 02:03:27

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\HPPAppActivity.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\HPPHomePageActivity.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-02-28_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\SDSD\KodakSvc\1.2.484.0\System.ServiceProcess, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a.html Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\x\Application Data\Symantec\PendingAlertsQueue.log Object is locked skipped
C:\Documents and Settings\x\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\x\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\x\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\x\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\x\Local Settings\History\History.IE5\MSHist012008022920080301\index.dat Object is locked skipped
C:\Documents and Settings\x\Local Settings\Temp\A43AD1E.dmp Object is locked skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX60F.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX615.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX618.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX61E.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX624.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX627.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX62A.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX634.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX637.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX63D.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX643.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX646.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX649.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX66F.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX67F.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX69B.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX6BE.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX6DB.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX6EC.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX715.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX718.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX71E.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX725.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX728.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCX72B.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCXD89.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCXD94.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCXDA2.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCXDA8.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCXDBA.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\RCXDC7.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\x\Local Settings\Temp\TMP37.tmp Infected: Trojan-Downloader.Win32.Agent.jhv skipped
C:\Documents and Settings\x\Local Settings\Temp\winvsnet.exe Infected: not-a-virus:Downloader.Win32.WinFixer.dz skipped
C:\Documents and Settings\x\Local Settings\Temp\yazzsnet.exe/data0003 Infected: Trojan.Win32.Scapur.k skipped
C:\Documents and Settings\x\Local Settings\Temp\yazzsnet.exe NSIS: infected - 1 skipped
C:\Documents and Settings\x\Local Settings\Temporary Internet Files\Content.IE5\0VW3UDCB\install_en[1].exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\x\Local Settings\Temporary Internet Files\Content.IE5\4N7VMKPT\cmp638[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\x\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\x\Local Settings\Temporary Internet Files\Content.IE5\K1O5W1OH\hctp[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\x\Local Settings\Temporary Internet Files\Content.IE5\M3830VK1\cmd[2].htm Object is locked skipped
C:\Documents and Settings\x\Local Settings\Temporary Internet Files\Content.IE5\U7E5GVCT\ptch[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\x\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\x\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Accessories\vawok89104.dll Infected: not-a-virus:AdWare.Win32.TTC.d skipped
C:\Program Files\Common Files\Real\Update_OB\realsched.exe Infected: Virus.Win32.Trats.d skipped
C:\Program Files\Common Files\Symantec Shared\ccApp.exe Infected: Virus.Win32.Trats.d skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\iTunes\iTunesHelper.exe Infected: Virus.Win32.Trats.d skipped
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe Infected: Virus.Win32.Trats.d skipped
C:\Program Files\Logitech\Video\ISStart.exe Infected: Virus.Win32.Trats.d skipped
C:\Program Files\Logitech\Video\LogiTray.exe Infected: Virus.Win32.Trats.d skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton AntiVirus\Savrt\0183NAV~.TMP Object is locked skipped
C:\Program Files\Norton AntiVirus\Savrt\0767NAV~.TMP Object is locked skipped
C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe Infected: Virus.Win32.Trats.d skipped
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe Infected: Virus.Win32.Trats.d skipped
C:\Program Files\Support.com\Charter\bin\SSRunScript.exe Infected: Virus.Win32.Trats.d skipped
C:\RECYCLER\S-1-5-21-725345543-682003330-1801674531-1000\Dc3364.exe Infected: Virus.Win32.Trats.d skipped
C:\RECYCLER\S-1-5-21-725345543-682003330-1801674531-1000\Dc3367 Infected: Trojan.Win32.Zapchast.dt skipped
C:\RECYCLER\S-1-5-21-725345543-682003330-1801674531-1000\Dc3368.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\RECYCLER\S-1-5-21-725345543-682003330-1801674531-1000\Dc3371.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\RECYCLER\S-1-5-21-725345543-682003330-1801674531-1000\Dc3372.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\RECYCLER\S-1-5-21-725345543-682003330-1801674531-1000\Dc3374.tmp Infected: Virus.Win32.Trats.d skipped
C:\RECYCLER\S-1-5-21-725345543-682003330-1801674531-1000\Dc3375.tmp Infected: Virus.Win32.Trats.d skipped
C:\RECYCLER\S-1-5-21-725345543-682003330-1801674531-1000\Dc3376.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\RECYCLER\S-1-5-21-725345543-682003330-1801674531-1000\Dc3377.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\RECYCLER\S-1-5-21-725345543-682003330-1801674531-1000\Dc3378.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\RECYCLER\S-1-5-21-725345543-682003330-1801674531-1000\Dc3379.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\RECYCLER\S-1-5-21-725345543-682003330-1801674531-1000\Dc3380.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
C:\System Volume Information\catalog.wci\00010004.ci Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Connery
2008-03-03, 03:33
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP0\A0000001.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP0\A0000013.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP0\A0000014.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000032.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000033.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000034.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000035.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000036.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000039.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000040.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000041.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000042.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000043.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000044.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000046.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000047.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000048.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000049.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000050.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000051.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000052.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000053.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000054.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000055.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000056.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000057.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000059.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000060.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000061.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000062.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000063.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000065.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000067.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000068.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000069.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000070.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000071.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000072.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000073.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000074.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000075.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000076.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000077.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000078.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000079.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000080.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000081.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000082.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000083.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000084.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000085.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000086.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000087.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000088.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000089.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000090.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000091.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000092.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000093.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000094.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000095.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000096.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000097.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000098.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000099.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000100.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000101.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000102.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000103.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000104.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000105.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000106.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000107.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000108.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000109.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000110.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000111.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000112.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000113.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000114.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000115.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000116.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000117.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000118.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000119.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000120.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000121.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000123.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000124.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000125.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000126.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000127.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000128.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000129.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000130.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000131.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP1\A0000132.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP2\A0000171.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP2\A0000172.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP2\A0000173.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP2\A0000174.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP2\A0000175.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP2\A0000177.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP2\A0000178.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP2\A0000179.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP2\A0000180.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP2\A0000181.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000182.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000183.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000184.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000185.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000186.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000187.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000188.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000191.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000192.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000193.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000194.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000195.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000198.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000199.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000200.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000201.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000209.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000211.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000212.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000213.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000214.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000215.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000216.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000217.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000218.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000219.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000220.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP3\A0000224.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP35\A0007779.exe Infected: Trojan-Downloader.Win32.Agent.jhv skipped

Connery
2008-03-03, 03:34
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP35\A0007791.exe Infected: Trojan-Downloader.Win32.Agent.jhv skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0009762.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0009764.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0009766.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0009767.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0009768.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0009769.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0009770.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0009771.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0009772.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0009773.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0009774.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0009782.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0009791.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0010759.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011762.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011764.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011765.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011766.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011767.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011768.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011769.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011770.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011771.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011772.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011773.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011776.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011781.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011781.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011782.exe Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011792.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011793.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011794.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011795.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011796.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011797.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011798.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011799.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011800.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP36\A0011801.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP39\A0011820.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP39\A0011834.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP39\A0011837.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP39\A0011838.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP39\A0011839.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP39\A0011840.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP39\A0011841.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP39\A0011842.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP39\A0011843.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP39\A0011844.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP39\A0011845.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP39\A0011846.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP39\A0011847.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP39\A0011848.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP39\change.log Object is locked skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP4\A0000236.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP4\A0000237.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP4\A0000238.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP4\A0000239.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP4\A0000240.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP4\A0000241.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP4\A0000242.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP4\A0000243.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP4\A0000244.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP4\A0000245.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP4\A0000246.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP4\A0000247.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP4\A0000269.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP5\A0000270.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP6\A0000314.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP6\A0000315.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP7\A0000316.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP7\A0000320.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP7\A0000321.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0000332.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0000337.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0000338.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0000346.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0001371.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0001373.exe/a_bcd.dll Infected: Backdoor.IRC.Cloner skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0001373.exe/abc2.dll Infected: Backdoor.IRC.Cloner.x skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0001373.exe/abcd.jpg Infected: Backdoor.IRC.Cloner skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0001373.exe/adobea.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.601 skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0001373.exe/adobes.exe Infected: Backdoor.Win32.mIRC-based skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0001373.exe/gg.bat Infected: Backdoor.IRC.Cloner.k skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0001373.exe/psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.13 skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0001373.exe ZIP: infected - 7 skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0001373.exe CryptFF: infected - 7 skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0001375.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0001377.dll Infected: Trojan-Downloader.Win32.Agent.yf skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0001378.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0001379.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0001380.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0001381.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0001382.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0001382.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0001383.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0001384.exe Infected: Trojan-Proxy.Win32.Wopla.at skipped
C:\System Volume Information\_restore{4B5B3A2F-C5D8-4066-89CE-08B7D62B9AD7}\RP8\A0001385.exe Infected: Virus.Win32.Trats.d skipped
C:\WINNT\17PHolmes572.exe Infected: Trojan-Downloader.Win32.Agent.jhv skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\Debug\UserMode\boot.exe Infected: not-a-virus:RiskTool.Win32.PsExec.131 skipped
C:\WINNT\Internet Logs\tvDebug.log Object is locked skipped
C:\WINNT\mrofinu1000106.exe Infected: Trojan-Downloader.Win32.Agent.jhv skipped
C:\WINNT\mrofinu572.exe Infected: Trojan-Downloader.Win32.Agent.jhv skipped
C:\WINNT\mrofinu572.exe.tmp Infected: Virus.Win32.Trats.d skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\EventCache\{51BBA5FA-6AC7-4488-B2D4-172AED976C78}.bin Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\awtqnmn.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\boctkxqj.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\CatRoot2\edb.log Object is locked skipped
C:\WINNT\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\system.LOG Object is locked skipped
C:\WINNT\system32\ctfmon.exe.tmp Infected: Virus.Win32.Trats.d skipped
C:\WINNT\system32\drivers\core.cache.dsk Object is locked skipped
C:\WINNT\system32\drivers\drmkk.sys Object is locked skipped
C:\WINNT\system32\h323log.txt Object is locked skipped
C:\WINNT\system32\hc4\pon89104.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.d skipped
C:\WINNT\system32\hc4\pon89104.exe NSIS: infected - 1 skipped
C:\WINNT\system32\hgqiwwvy.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\iDlo01\iDlo011065.exe Infected: Trojan-Downloader.Win32.VB.caw skipped
C:\WINNT\system32\jlsmhoii.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINNT\system32\mlnmp.ini Object is locked skipped
C:\WINNT\system32\niujwtjl.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\pmnlm.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\pmnlm.exe Infected: Virus.Win32.Trats.d skipped
C:\WINNT\system32\pvptixxw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\rbyhwciy.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe Infected: Virus.Win32.Trats.d skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINNT\system32\windows Infected: Trojan.Win32.Zapchast.dt skipped
C:\WINNT\system32\windows_tobedeleted_old Infected: Trojan.Win32.Zapchast.dt skipped
C:\WINNT\system32\ypnedfdp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\tk58.exe Infected: Trojan.Win32.BHO.ab skipped
C:\WINNT\wiadebug.log Object is locked skipped
C:\WINNT\wiaservc.log Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.

Connery
2008-03-03, 03:34
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:13:59 PM, on 2/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched .exe
C:\Program Files\Logitech\Video\LogiTray .exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\LVComS.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI .exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\cidaemon.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\NSCSRVCE.EXE
C:\Program Files\Trend Micro\HijackThis\connery.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINNT\system32\pmnlm.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {05F1D121-6A5B-4756-818C-23BEDF093E30} - C:\Program Files\Accessories\vawok89104.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {35FBE3AD-9375-441A-B30C-9473D6A07935} - C:\WINNT\system32\pmnlm.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: CNavExtBho Class - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINNT\system32\ypnedfdp.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: {dcb77d86-b8ec-8628-9c24-81e01c34132c} - {c23143c1-0e18-42c9-8268-ce8b68d77bcd} - C:\WINNT\system32\pvptixxw.dll
O2 - BHO: (no name) - {ED120D76-BF31-412C-A99B-783C6676E128} - C:\WINNT\system32\awtqnmn.dll
O2 - BHO: 0 - {F550F5E6-F62A-423C-2F8A-E2B2439513A0} - C:\Program Files\Windows Media Player\rybiv.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
O4 - HKUS\S-1-5-19\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\x\Start Menu\Programs\>IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/supergerball/miniclipGameLoader.dll
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/rssoft.cab
O20 - Winlogon Notify: awtqnmn - C:\WINNT\SYSTEM32\awtqnmn.dll
O20 - Winlogon Notify: ypnedfdp - C:\WINNT\SYSTEM32\ypnedfdp.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINNT\system32\bgsvcgen.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINNT\system32\UAService7.exe
O24 - Desktop Component 0: (no name) - http://www.theappliance.com/airavata/Lila62631.jpg

--
End of file - 11781 bytes

little eagle
2008-03-10, 04:08
Download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.

* Double-click VundoFix.exe to run it.
* When VundoFix re-opens, click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files; click YES.
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Post the log from the scan, please.

Connery
2008-03-11, 10:50
Didn't find any log from the scan. It found 2 items and deleted them successfully. Neither shows up if I repeat the scan.

Here's a new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:42:11 AM, on 3/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched .exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\WINNT\system32\drivers\svchost.exe
C:\Program Files\Logitech\Video\LogiTray .exe
C:\WINNT\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI .exe
C:\WINNT\system32\ctfmon .exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
C:\WINNT\system32\drivers\svchost .exe
C:\WINNT\system32\LVComS.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\NSCSRVCE.EXE
C:\WINNT\System32\alg.exe
C:\WINNT\system32\taskmgr.exe
C:\WINNT\system32\cidaemon.exe
C:\Program Files\Common Files\Real\Update_OB\realevent.exe
C:\Program Files\Trend Micro\HijackThis\connery.exe
C:\WINNT\system32\wbem\wmiprvse.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINNT\system32\pmnlm.exe
F3 - REG:win.ini: run="C:\WINNT\system32\winupdate.exe"
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {05F1D121-6A5B-4756-818C-23BEDF093E30} - C:\Program Files\Accessories\vawok89104.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2AE6DFF5-EABE-4A8F-BB26-C88F5D375D28} - C:\WINNT\system32\pmnlm.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: CNavExtBho Class - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: 0 - {D38FEDDD-5116-46E5-E993-B24BA7717E2B} - C:\Program Files\Windows Media Player\rybiv.dll (file missing)
O2 - BHO: {b751cb9a-9e49-adba-5254-56c522b5ef7d} - {d7fe5b22-5c65-4525-abda-94e9a9bc157b} - C:\WINNT\system32\cyarguir.dll
O2 - BHO: (no name) - {ED120D76-BF31-412C-A99B-783C6676E128} - C:\WINNT\system32\awtqnmn.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &WinSec Toolbar - {3F5A62E2-51F2-11D3-A075-CC7364CAE42A} - C:\WINNT\system32\wscmp.dll
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [7cbc824f] rundll32.exe "C:\WINNT\system32\nssigidw.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINNT\system32\drivers\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\x\Start Menu\Programs\>IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/supergerball/miniclipGameLoader.dll
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/rssoft.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{092DDBAC-E12C-404E-9FC7-1EA492CB4008}: NameServer = 85.255.113.140,85.255.112.93
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD9E6973-BA53-4C84-9A03-2E0A39B1C79D}: NameServer = 85.255.113.140,85.255.112.93
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.140 85.255.112.93
O17 - HKLM\System\CS1\Services\Tcpip\..\{092DDBAC-E12C-404E-9FC7-1EA492CB4008}: NameServer = 85.255.113.140,85.255.112.93
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.140 85.255.112.93
O17 - HKLM\System\CS2\Services\Tcpip\..\{092DDBAC-E12C-404E-9FC7-1EA492CB4008}: NameServer = 85.255.113.140,85.255.112.93
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.140 85.255.112.93
O20 - Winlogon Notify: awtqnmn - C:\WINNT\SYSTEM32\awtqnmn.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINNT\system32\bgsvcgen.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINNT\system32\UAService7.exe
O24 - Desktop Component 0: (no name) - http://www.theappliance.com/airavata/Lila62631.jpg

--
End of file - 13083 bytes

little eagle
2008-03-11, 12:21
It should be located here: C:\vundofix.txt

---------------------------------------

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or Here (http://subs.geekstogo.com/ComboFix.exe) to your Desktop.

In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.


1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.


Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all-inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection afterwards, before connecting to the net.



2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.

If you have not already done so, ComboFix will disconnect your machine from the Internet when it starts.
If there is no internet connection when ComboFix has completely finished, restart your computer to restore the connections.


3. Now double-click on combofix.exe and follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.


Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze.

Connery
2008-03-12, 06:43
VundoFix V7.0.1
Scan started at 11:59:22 PM 3/9/2008

Listing files found while scanning....

VundoFix V7.0.1

Scan started at 6:24:22 AM 3/10/2008

Listing files found while scanning....

C:\WINNT\system32\ypnedfdp.dll
C:\WINNT\tk58.exe

Beginning removal...

Attempting to delete C:\WINNT\system32\ypnedfdp.dll
C:\WINNT\system32\ypnedfdp.dll Has been deleted!

Attempting to delete C:\WINNT\tk58.exe
C:\WINNT\tk58.exe Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V7.0.1

Scan started at 12:36:06 AM 3/11/2008

Listing files found while scanning....

No infected files were found.


ComboFix 08-03-10.1 - x 2008-03-11 18:49:53.5 - NTFSx86
Running from: C:\Documents and Settings\x\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Accessories\vawok89104.dll
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Logitech\Video\ISStart.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
C:\Program Files\RABCO
C:\Program Files\RABCO\ExecutionDll.dll
C:\Program Files\RABCO\RABCO.dll
C:\Program Files\RABCO\RABCO.dll.intermediate.manifest
C:\Program Files\RABCO\RABCOse.exe
C:\Program Files\RABCO\RABCOse.info
C:\Program Files\RABCO\RABCOse.original
C:\Program Files\RABCO\Setup.log
C:\Program Files\RABCO\un_RABCOSetup_16230.exe
C:\Program Files\RABCO\un_RABCOSetup_16230.txt
C:\Program Files\RABCO\X_RABCOse.exe
C:\Program Files\RABCO\X_RABCOse.log
C:\Program Files\Support.com\Charter\bin\SSRunScript.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\sanR24
C:\Temp\sanR24\lDii.log
C:\temp\tn3
C:\WINNT\BM7f8fb1d3.xml
C:\WINNT\pskt.ini
C:\WINNT\system32\awtqnmn.dll
C:\WINNT\system32\boctkxqj.dll
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\ctfmon.exe.tmp
C:\WINNT\system32\cyarguir.dll
C:\WINNT\system32\drivers\drmkk.sys
C:\WINNT\system32\drivers\svchost.exe
C:\WINNT\system32\edgvqvpu.ini
C:\WINNT\system32\hgqiwwvy.dll
C:\WINNT\system32\iDlo01
C:\WINNT\system32\iDlo01\iDlo011065.exe
C:\WINNT\system32\jlsmhoii.dll
C:\WINNT\system32\mcrh.tmp
C:\WINNT\system32\mlnmp.ini
C:\WINNT\system32\mlnmp.ini2
C:\WINNT\system32\niujwtjl.dll
C:\WINNT\system32\nssigidw.dll
C:\WINNT\system32\ntload.sys
C:\WINNT\system32\pac.txt
C:\WINNT\system32\pmnlm.dll
C:\WINNT\system32\pmnlm.exe
C:\WINNT\system32\pvptixxw.dll
C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\WINNT\system32\upvqvgde.dll
C:\WINNT\system32\wdigissn.ini
C:\WINNT\system32\windows
C:\WINNT\system32\winupdate.exe
C:\WINNT\system32\wscmp.dll
C:\WINNT\system32\yvwwiqgh.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_DRMKK
-------\LEGACY_NTLOAD
-------\drmkk
-------\ntload


((((((((((((((((((((((((( Files Created from 2008-02-12 to 2008-03-12 )))))))))))))))))))))))))))))))
.

2008-03-10 21:42 . 2008-03-10 21:42 338,944 --a------ C:\WINNT\system32\RCX26.tmp
2008-03-10 20:25 . 2008-03-10 20:25 24,576 --a------ C:\WINNT\system32\VundoFixSVC.exe
2008-03-09 23:59 . 2008-03-10 20:48 <DIR> d-------- C:\VundoFix Backups
2008-03-09 21:26 . 2008-03-10 21:43 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-03-09 21:26 . 2008-03-09 21:26 1,409 --a------ C:\WINNT\QTFont.for
2008-03-08 15:36 . 2008-03-08 15:36 41,723 ---hs---- C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
2008-03-04 07:42 . 2008-03-04 07:42 0 --a------ C:\WINNT\system32\sex2.ico.tmp
2008-03-03 20:42 . 2008-03-03 20:42 0 --a------ C:\WINNT\system32\sex1.ico.tmp
2008-03-03 20:31 . 2008-03-10 21:43 22,016 --a------ C:\WINNT\system32\drivers\svchost .exe
2008-03-02 18:16 . 2008-03-02 18:16 3,262 --a------ C:\WINNT\system32\sex5.ico
2008-03-02 18:15 . 2008-03-02 18:15 3,262 --a------ C:\WINNT\system32\sex4.ico
2008-03-02 18:15 . 2008-03-02 18:15 3,262 --a------ C:\WINNT\system32\sex3.ico
2008-03-02 18:14 . 2008-03-04 07:41 3,262 --a------ C:\WINNT\system32\sex2.ico
2008-03-02 18:14 . 2008-03-02 18:14 3,262 --a------ C:\WINNT\system32\sex1.ico
2008-03-02 18:11 . 2008-03-02 18:11 87,040 --a------ C:\WINNT\e01.exe
2008-03-02 18:11 . 2008-03-02 18:11 23,040 --a------ C:\acuqb6.exe
2008-02-29 21:54 . 2008-02-29 21:54 167,545 --a------ C:\WINNT\system32\drivers\core.cache.dsk
2008-02-28 22:44 . 2008-03-10 21:43 15,360 --a------ C:\WINNT\system32\ctfmon .exe
2008-02-28 07:37 . 2008-02-28 22:55 294 ---hs---- C:\WINNT\system32\yicwhybr.ini
2008-02-27 20:27 . 2008-02-27 20:27 7,168 --------- C:\WINNT\system32\windows_tobedeleted_old
2008-02-27 00:34 . 2008-03-11 19:15 13,646 --a------ C:\WINNT\system32\wpa.dbl
2008-02-26 20:49 . 2008-03-10 19:48 23,362 ---hs---- C:\WINNT\system32\ypnedfdp.dllbox
2008-02-26 20:47 . 2008-02-26 20:47 36,864 --a------ C:\WINNT\17PHolmes572.exe
2008-02-26 20:41 . 2008-02-26 20:41 <DIR> d-------- C:\WINNT\system32\jk8
2008-02-26 20:41 . 2008-02-26 20:41 <DIR> d-------- C:\WINNT\system32\hc4
2008-02-26 20:41 . 2008-02-26 20:41 <DIR> d-------- C:\WINNT\system32\fs7
2008-02-26 20:41 . 2008-02-26 20:41 <DIR> d-------- C:\WINNT\system32\ax3
2008-02-26 20:41 . 2008-02-26 21:34 376,832 --a------ C:\WINNT\mrofinu572.exe.tmp
2008-02-26 20:41 . 2008-02-26 21:34 36,864 --a------ C:\WINNT\mrofinu572.exe
2008-02-26 20:41 . 2008-02-26 20:41 36,864 --a------ C:\WINNT\mrofinu1000106.exe
2008-02-26 20:40 . 2008-03-11 18:53 <DIR> d-------- C:\Temp
2008-02-20 20:22 . 2008-02-20 20:22 745 --a------ C:\WINNT\COD.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-12 03:16 335,360 ----a-w C:\WINNT\system32\pmnlm.dll
2008-03-12 03:08 --------- d-----w C:\Program Files\iTunes
2008-03-12 03:08 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-12 03:08 --------- d-----w C:\Program Files\Accessories
2008-02-21 04:26 --------- d-----w C:\Program Files\Call of Duty
2008-02-07 15:46 --------- d-----w C:\Program Files\QuickTime
2008-02-07 07:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-04 15:19 7,536 ----a-w C:\WINNT\loadqm.exe
2008-01-27 01:42 --------- d-----w C:\Program Files\Trend Micro
2008-01-18 00:52 126 ----a-w C:\tempdel.bat
2008-01-17 10:34 --------- d-----w C:\Program Files\iPod
2008-01-15 21:52 140,800 --sh--w C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
2008-01-15 02:12 --------- d-----w C:\Program Files\RcvSystem
2002-11-06 23:45 57,344 ----a-w C:\WINNT\Fonts\omnithread_rt.dll
2002-11-06 23:45 32,768 ----a-w C:\WINNT\Fonts\VNCHooks.dll
2002-06-09 23:40 271 --sh--w C:\Program Files\desktop.ini
2002-06-09 23:40 21,952 ---ha-w C:\Program Files\folder.htt
.

<pre>
----a-w 151,597 2008-03-11 05:42:45 C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w 52,840 2008-03-11 05:43:03 C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w 267,048 2008-03-11 05:43:06 C:\Program Files\iTunes\iTunesHelper .exe
----a-w 32,881 2008-03-11 05:42:49 C:\Program Files\Java\j2re1.4.2_04\bin\jusched .exe
----a-w 188,416 2008-03-11 05:42:57 C:\Program Files\Logitech\Video\ISStart .exe
----a-w 77,824 2008-03-11 05:42:54 C:\Program Files\Logitech\Video\LogiTray .exe
----a-w 40,960 2008-03-11 05:42:54 C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart .exe
----a-w 420,352 2008-03-12 03:18:03 C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
----a-w 40,960 2008-03-11 05:42:41 C:\Program Files\Support.com\Charter\bin\SSRunScript .exe
----a-w 15,360 2008-03-11 05:43:13 C:\WINNT\system32\ctfmon .exe
----a-w 22,016 2008-03-11 05:43:16 C:\WINNT\system32\drivers\svchost .exe
----a-w 753,664 2008-03-11 05:43:08 C:\WINNT\system32\spool\drivers\w32x86\3\EKIJ5000MUI .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B8FDB8E2-E646-47B1-888E-F960D2AA8D6A}]
2008-03-11 19:16 335360 --a------ C:\WINNT\system32\pmnlm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D38FEDDD-5116-46E5-E993-B24BA7717E2B}]
C:\Program Files\Windows Media Player\rybiv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [ ]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe" [2008-03-11 19:18 420352]
"SVCHOST.EXE"="C:\WINNT\system32\drivers\svchost.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSRunScript"="C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"Synchronization Manager"="mobsync.exe" [2006-02-28 04:00 143360 C:\WINNT\system32\mobsync.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe" [ ]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [ ]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [ ]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [ ]
"LoadQM"="loadqm.exe" [2008-02-04 07:19 7536 C:\WINNT\loadqm.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"EKIJ5000StatusMonitor"="C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2005-06-14 09:05 6856704]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2006-02-28 04:00 214528]
"tscuninstall"="C:\WINNT\system32\tscupgrd.exe" [2006-02-28 04:00 44544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 00:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqnmn]
awtqnmn.dll

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINNT\system32\pmnlm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=NVDESK32.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINNT\system32\pmnlm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"OM_Monitor"=C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"CamMonitor"=C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
"nwiz"=nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\WINNT\\system32\\drivers\\svchost .exe"=

R1 cdudf;cdudf;C:\WINNT\system32\drivers\cdudf.sys [2001-09-04 14:38]
R2 KodakSvc;Kodak AiO Device Service;"C:\Program Files\Kodak\printer\center\KodakSvc.exe" [2007-03-22 18:04]
R3 tbcspud;Santa Cruz Driver;C:\WINNT\system32\drivers\tbcspud.sys [2001-08-29 12:19]
R3 tbcwdm;Santa Cruz WDM Driver;C:\WINNT\system32\drivers\tbcwdm.sys [2001-08-29 12:19]
S3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [2003-06-19 11:05]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-27 07:47:00 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-09 05:57:03 C:\WINNT\Tasks\EasyShare Registration Task.job"
- C:\WINNT\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOffer@16
"2008-03-12 00:05:00 C:\WINNT\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe
"2007-12-15 07:40:31 C:\WINNT\Tasks\Norton AntiVirus - Run Full System Scan - x.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
"2006-08-10 05:49:11 C:\WINNT\Tasks\Norton AntiVirus - Run Norton QuickScan - x.job"
- C:\PROGRA~1\NORTON~1\NAVW32.EXEg/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-11 19:15:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINNT\system32\mlnmp.ini 318 bytes
C:\WINNT\system32\mlnmp.ini2 318 bytes
C:\WINNT\system32\pmnlm.exe 338944 bytes executable

scan completed successfully
hidden files: 3

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\explorer.exe [6.00.2900.2180]
-> C:\WINNT\system32\pmnlm.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\WINNT\system32\imapi.exe
C:\WINNT\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-03-11 19:26:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-12 03:25:51
ComboFix2.txt 2008-02-06 15:31:22
ComboFix3.txt 2008-02-05 17:23:33
ComboFix4.txt 2008-02-05 04:38:31
ComboFix5.txt 2008-02-03 21:52:40
.
2008-03-12 03:24:25 --- E O F ---

Connery
2008-03-12, 06:45
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:28 PM, on 3/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\connery.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINNT\system32\pmnlm.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: CNavExtBho Class - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: 0 - {D38FEDDD-5116-46E5-E993-B24BA7717E2B} - C:\Program Files\Windows Media Player\rybiv.dll (file missing)
O2 - BHO: (no name) - {F11D0CCE-84A1-40B9-A192-EDDCBCE0BDF9} - C:\WINNT\system32\pmnlm.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINNT\system32\drivers\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\x\Start Menu\Programs\>IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/supergerball/miniclipGameLoader.dll
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/rssoft.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{092DDBAC-E12C-404E-9FC7-1EA492CB4008}: NameServer = 85.255.113.140,85.255.112.93
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD9E6973-BA53-4C84-9A03-2E0A39B1C79D}: NameServer = 85.255.113.140,85.255.112.93
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.140 85.255.112.93
O17 - HKLM\System\CS1\Services\Tcpip\..\{092DDBAC-E12C-404E-9FC7-1EA492CB4008}: NameServer = 85.255.113.140,85.255.112.93
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.140 85.255.112.93
O17 - HKLM\System\CS2\Services\Tcpip\..\{092DDBAC-E12C-404E-9FC7-1EA492CB4008}: NameServer = 85.255.113.140,85.255.112.93
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.140 85.255.112.93
O20 - Winlogon Notify: awtqnmn - awtqnmn.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINNT\system32\bgsvcgen.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINNT\system32\UAService7.exe
O24 - Desktop Component 0: (no name) - http://www.theappliance.com/airavata/Lila62631.jpg

--
End of file - 11673 bytes

little eagle
2008-03-12, 12:43
Open notepad and copy/paste the text in the codebox below into it:



Driver::
drmkk
ntload
File::
C:\WINNT\system32\pmnlm.dll
C:\WINNT\system32\pmnlm.exe
C:\Program Files\Accessories\vawok89104.dll
C:\WINNT\system32\sex5.ico
C:\WINNT\system32\sex4.ico
C:\WINNT\system32\sex2.ico.tmp
C:\WINNT\system32\sex1.ico.tmp
C:\WINNT\system32\sex3.ico
C:\WINNT\system32\sex2.ico
C:\WINNT\system32\sex1.ico
C:\acuqb6.exe
C:\WINNT\system32\yicwhybr.ini
C:\WINNT\mrofinu572.exe
C:\WINNT\mrofinu1000106.exe
C:\WINNT\system32\RCX26.tmp
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\WINNT\system32\cyarguir.dll
C:\WINNT\system32\wscmp.dll
C:\WINNT\system32\awtqnmn.dll
C:\WINNT\system32\nssigidw.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B8FDB8E2-E646-47B1-888E-F960D2AA8D6A}]
RenV::
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched .exe
C:\Program Files\Logitech\Video\ISStart .exe
C:\Program Files\Logitech\Video\LogiTray .exe
C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart .exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
C:\Program Files\Support.com\Charter\bin\SSRunScript .exe
C:\WINNT\system32\ctfmon .exe
C:\WINNT\system32\drivers\svchost .exe
C:\WINNT\system32\spool\drivers\w32x86\3\EKIJ5000MUI .exe



Save this as "CFScript"


http://nutnworks.com/CFix/CFScript.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.

Connery
2008-03-12, 15:37
ComboFix 08-03-10.1 - x 2008-03-12 6:02:25.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.52 [GMT -8:00]
Running from: C:\Documents and Settings\x\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\x\Desktop\CFScript
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\acuqb6.exe
C:\Program Files\Accessories\vawok89104.dll
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\WINNT\mrofinu1000106.exe
C:\WINNT\mrofinu572.exe
C:\WINNT\system32\awtqnmn.dll
C:\WINNT\system32\cyarguir.dll
C:\WINNT\system32\nssigidw.dll
C:\WINNT\system32\pmnlm.dll
C:\WINNT\system32\pmnlm.exe
C:\WINNT\system32\RCX26.tmp
C:\WINNT\system32\sex1.ico
C:\WINNT\system32\sex1.ico.tmp
C:\WINNT\system32\sex2.ico
C:\WINNT\system32\sex2.ico.tmp
C:\WINNT\system32\sex3.ico
C:\WINNT\system32\sex4.ico
C:\WINNT\system32\sex5.ico
C:\WINNT\system32\wscmp.dll
C:\WINNT\system32\yicwhybr.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\acuqb6.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\WINNT\BM7f8fb1d3.xml
C:\WINNT\mrofinu1000106.exe
C:\WINNT\mrofinu572.exe
C:\WINNT\pskt.ini
C:\WINNT\system32\ctpqwaby.ini
C:\WINNT\system32\drivers\svchost.exe
C:\WINNT\system32\mlnmp.ini
C:\WINNT\system32\mlnmp.ini2
C:\WINNT\system32\pmnlm.dll
C:\WINNT\system32\pmnlm.exe
C:\WINNT\system32\RCX26.tmp
C:\WINNT\system32\sex1.ico
C:\WINNT\system32\sex1.ico.tmp
C:\WINNT\system32\sex2.ico
C:\WINNT\system32\sex2.ico.tmp
C:\WINNT\system32\sex3.ico
C:\WINNT\system32\sex4.ico
C:\WINNT\system32\sex5.ico
C:\WINNT\system32\wghexnsu.dll
C:\WINNT\system32\xywhkjyp.dll
C:\WINNT\system32\ybawqptc.dll
C:\WINNT\system32\yicwhybr.ini

.
((((((((((((((((((((((((( Files Created from 2008-02-12 to 2008-03-12 )))))))))))))))))))))))))))))))
.

2008-03-10 20:25 . 2008-03-10 20:25 24,576 --a------ C:\WINNT\system32\VundoFixSVC.exe
2008-03-09 23:59 . 2008-03-10 20:48 <DIR> d-------- C:\VundoFix Backups
2008-03-09 21:26 . 2008-03-10 21:43 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-03-09 21:26 . 2008-03-09 21:26 1,409 --a------ C:\WINNT\QTFont.for
2008-03-02 18:11 . 2008-03-02 18:11 87,040 --a------ C:\WINNT\e01.exe
2008-02-29 21:54 . 2008-02-29 21:54 167,545 --a------ C:\WINNT\system32\drivers\core.cache.dsk
2008-02-28 22:44 . 2008-03-10 21:43 15,360 --a--c--- C:\WINNT\system32\dllcache\ctfmon.exe
2008-02-28 22:44 . 2008-03-10 21:43 15,360 --a------ C:\WINNT\system32\ctfmon.exe
2008-02-27 20:27 . 2008-02-27 20:27 7,168 --------- C:\WINNT\system32\windows_tobedeleted_old
2008-02-27 00:34 . 2008-03-12 06:11 13,646 --a------ C:\WINNT\system32\wpa.dbl
2008-02-26 20:49 . 2008-03-10 19:48 23,362 ---hs---- C:\WINNT\system32\ypnedfdp.dllbox
2008-02-26 20:47 . 2008-02-26 20:47 36,864 --a------ C:\WINNT\17PHolmes572.exe
2008-02-26 20:41 . 2008-02-26 20:41 <DIR> d-------- C:\WINNT\system32\jk8
2008-02-26 20:41 . 2008-02-26 20:41 <DIR> d-------- C:\WINNT\system32\hc4
2008-02-26 20:41 . 2008-02-26 20:41 <DIR> d-------- C:\WINNT\system32\fs7
2008-02-26 20:41 . 2008-02-26 20:41 <DIR> d-------- C:\WINNT\system32\ax3
2008-02-26 20:41 . 2008-02-26 21:34 376,832 --a------ C:\WINNT\mrofinu572.exe.tmp
2008-02-26 20:40 . 2008-03-11 18:53 <DIR> d-------- C:\Temp
2008-02-20 20:22 . 2008-02-20 20:22 745 --a------ C:\WINNT\COD.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-12 14:01 --------- d-----w C:\Program Files\iTunes
2008-03-12 14:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-12 03:08 --------- d-----w C:\Program Files\Accessories
2008-02-21 04:26 --------- d-----w C:\Program Files\Call of Duty
2008-02-07 15:46 --------- d-----w C:\Program Files\QuickTime
2008-02-07 07:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-04 15:19 7,536 ----a-w C:\WINNT\loadqm.exe
2008-01-27 01:42 --------- d-----w C:\Program Files\Trend Micro
2008-01-18 00:52 126 ----a-w C:\tempdel.bat
2008-01-17 10:34 --------- d-----w C:\Program Files\iPod
2008-01-15 21:52 140,800 --sh--w C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
2008-01-15 02:12 --------- d-----w C:\Program Files\RcvSystem
2002-11-06 23:45 57,344 ----a-w C:\WINNT\Fonts\omnithread_rt.dll
2002-11-06 23:45 32,768 ----a-w C:\WINNT\Fonts\VNCHooks.dll
2002-06-09 23:40 271 --sh--w C:\Program Files\desktop.ini
2002-06-09 23:40 21,952 ---ha-w C:\Program Files\folder.htt
.

<pre>
----a-w 420,352 2008-03-12 14:13:13 C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D38FEDDD-5116-46E5-E993-B24BA7717E2B}]
C:\Program Files\Windows Media Player\rybiv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2008-03-10 21:43 15360]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe" [2008-03-12 06:13 420352]
"SVCHOST.EXE"="C:\WINNT\system32\drivers\svchost.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSRunScript"="C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-10 21:42 151597]
"Synchronization Manager"="mobsync.exe" [2006-02-28 04:00 143360 C:\WINNT\system32\mobsync.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe" [2008-03-10 21:42 32881]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2008-03-10 21:42 40960]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2008-03-10 21:42 77824]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2008-03-10 21:42 188416]
"LoadQM"="loadqm.exe" [2008-02-04 07:19 7536 C:\WINNT\loadqm.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-10 21:43 267048]
"EKIJ5000StatusMonitor"="C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-03-10 21:43 753664]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-03-10 21:43 52840]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2005-06-14 09:05 6856704]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2006-02-28 04:00 214528]
"tscuninstall"="C:\WINNT\system32\tscupgrd.exe" [2006-02-28 04:00 44544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 00:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqnmn]
awtqnmn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=NVDESK32.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\\WINNT\\system32\\pmnlm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"OM_Monitor"=C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"CamMonitor"=C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
"nwiz"=nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R1 cdudf;cdudf;C:\WINNT\system32\drivers\cdudf.sys [2001-09-04 14:38]
R2 KodakSvc;Kodak AiO Device Service;"C:\Program Files\Kodak\printer\center\KodakSvc.exe" [2007-03-22 18:04]
R3 tbcspud;Santa Cruz Driver;C:\WINNT\system32\drivers\tbcspud.sys [2001-08-29 12:19]
R3 tbcwdm;Santa Cruz WDM Driver;C:\WINNT\system32\drivers\tbcwdm.sys [2001-08-29 12:19]
S3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [2003-06-19 11:05]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-27 07:47:00 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-09 05:57:03 C:\WINNT\Tasks\EasyShare Registration Task.job"
- C:\WINNT\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOffer@16
"2008-03-12 08:05:00 C:\WINNT\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe
"2007-12-15 07:40:31 C:\WINNT\Tasks\Norton AntiVirus - Run Full System Scan - x.job"
- C:\PROGRA~1\NORTON~1\Navw32.exe
"2006-08-10 05:49:11 C:\WINNT\Tasks\Norton AntiVirus - Run Norton QuickScan - x.job"
- C:\PROGRA~1\NORTON~1\NAVW32.EXEg/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-12 06:11:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINNT\system32\mlnmp.ini 318 bytes
C:\WINNT\system32\pmnlm.dll 335360 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\WINNT\system32\imapi.exe
C:\WINNT\system32\LVComS.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\NSCSRVCE.EXE
.
**************************************************************************
.
Completion time: 2008-03-12 6:22:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-12 14:21:52
ComboFix2.txt 2008-03-12 03:26:02
ComboFix3.txt 2008-02-06 15:31:22
ComboFix4.txt 2008-02-05 17:23:33
ComboFix5.txt 2008-02-05 04:38:31
.
2008-03-12 09:57:53 --- E O F ---

Connery
2008-03-12, 15:38
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:31:00 AM, on 3/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
C:\WINNT\system32\LVComS.exe
C:\WINNT\explorer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\NSCSRVCE.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\connery.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: CNavExtBho Class - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: 0 - {D38FEDDD-5116-46E5-E993-B24BA7717E2B} - C:\Program Files\Windows Media Player\rybiv.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINNT\system32\drivers\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\x\Start Menu\Programs\>IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/supergerball/miniclipGameLoader.dll
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/rssoft.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{092DDBAC-E12C-404E-9FC7-1EA492CB4008}: NameServer = 85.255.113.140,85.255.112.93
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD9E6973-BA53-4C84-9A03-2E0A39B1C79D}: NameServer = 85.255.113.140,85.255.112.93
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.140 85.255.112.93
O17 - HKLM\System\CS1\Services\Tcpip\..\{092DDBAC-E12C-404E-9FC7-1EA492CB4008}: NameServer = 85.255.113.140,85.255.112.93
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.140 85.255.112.93
O17 - HKLM\System\CS2\Services\Tcpip\..\{092DDBAC-E12C-404E-9FC7-1EA492CB4008}: NameServer = 85.255.113.140,85.255.112.93
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.140 85.255.112.93
O20 - Winlogon Notify: awtqnmn - awtqnmn.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINNT\system32\bgsvcgen.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINNT\system32\UAService7.exe
O24 - Desktop Component 0: (no name) - http://www.theappliance.com/airavata/Lila62631.jpg

--
End of file - 11951 bytes

little eagle
2008-03-13, 02:26
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

* Save it to your desktop and run it. Click Next, then Install, make sure Run fixit is checked and click Finish.
* The fix will begin; follow the prompts.
* You will be asked to reboot your computer; please do so.
* Your system may take longer than usual to load; this is normal.
* Once the desktop loads, post the text that will open (report.txt)

Connery
2008-03-13, 06:08
Username "x" - 03/12/2008 19:23:23 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.113.140 85.255.112.93" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{092DDBAC-E12C-404E-9FC7-1EA492CB4008}
"nameserver"="85.255.113.140,85.255.112.93" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{CD9E6973-BA53-4C84-9A03-2E0A39B1C79D}
"nameserver"="85.255.113.140,85.255.112.93" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{092DDBAC-E12C-404E-9FC7-1EA492CB4008}
"DhcpNameServer"="85.255.113.140,85.255.112.93" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{0E2AD612-CAFB-4077-A91F-1B670B3DFF66}
"DhcpNameServer"="85.255.113.140,85.255.112.93" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{91D11D59-A131-498D-9F0C-D0F5037CBFDD}
"DhcpNameServer"="85.255.113.140,85.255.112.93" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"SSRunScript"="\"C:\\Program Files\\Support.com\\Charter\\bin\\SSRunScript.exe\" /script \"C:\\Program Files\\Support.com\\Charter\\vbs\\verifyconnection.vbs\" /args //b startupdelay"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Synchronization Manager"="mobsync.exe /logon"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_04\\bin\\jusched.exe"
"OM_Monitor"="C:\\Program Files\\OLYMPUS\\OLYMPUS Master\\FirstStart.exe"
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe"
"LoadQM"="loadqm.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"EKIJ5000StatusMonitor"="C:\\WINNT\\System32\\spool\\DRIVERS\\W32X86\\3\\EKIJ5000MUI.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"BM7f8fb1d3"="Rundll32.exe \"C:\\WINNT\\system32\\nwciwigq.dll\",s"
"7cbc824f"="rundll32.exe \"C:\\WINNT\\system32\\jukvwmck.dll\",b"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"
"OM_Monitor"="C:\\Program Files\\OLYMPUS\\OLYMPUS Master\\Monitor .exe"
"SVCHOST.EXE"="C:\\WINNT\\system32\\drivers\\svchost.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

little eagle
2008-03-13, 13:29
Open notepad and copy/paste the text in the codebox below into it:



RenV::
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe



Save this as "CFScript"


http://nutnworks.com/CFix/CFScript.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.

Connery
2008-03-13, 15:42
ComboFix 08-03-10.1 - x 2008-03-13 6:16:06.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.55 [GMT -8:00]
Running from: C:\Documents and Settings\x\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\x\Desktop\CFScript
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Logitech\Video\ISStart.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
C:\WINNT\BM7f8fb1d3.xml
C:\WINNT\pskt.ini
C:\WINNT\system32\ctfmon.exe.tmp
C:\WINNT\system32\dgmnkfdd.dll
C:\WINNT\system32\jukvwmck.dll
C:\WINNT\system32\kcmwvkuj.ini
C:\WINNT\system32\mlnmp.ini
C:\WINNT\system32\mlnmp.ini2
C:\WINNT\system32\nwciwigq.dll
C:\WINNT\system32\pmnlm.dll
C:\WINNT\system32\pmnlm.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-13 to 2008-03-13 )))))))))))))))))))))))))))))))
.

2008-03-12 19:09 . 2008-03-13 05:50 15,360 --a------ C:\WINNT\system32\ctfmon .exe
2008-03-10 20:25 . 2008-03-10 20:25 24,576 --a------ C:\WINNT\system32\VundoFixSVC.exe
2008-03-09 23:59 . 2008-03-10 20:48 <DIR> d-------- C:\VundoFix Backups
2008-03-09 21:26 . 2008-03-13 05:51 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-03-09 21:26 . 2008-03-09 21:26 1,409 --a------ C:\WINNT\QTFont.for
2008-03-02 18:11 . 2008-03-02 18:11 87,040 --a------ C:\WINNT\e01.exe
2008-02-29 21:54 . 2008-02-29 21:54 167,545 --a------ C:\WINNT\system32\drivers\core.cache.dsk
2008-02-28 22:44 . 2008-03-10 21:43 15,360 --a--c--- C:\WINNT\system32\dllcache\ctfmon.exe
2008-02-28 22:44 . 2008-03-10 21:43 15,360 --a------ C:\WINNT\system32\ctfmon.exe
2008-02-27 20:27 . 2008-02-27 20:27 7,168 --------- C:\WINNT\system32\windows_tobedeleted_old
2008-02-27 00:34 . 2008-03-13 06:27 13,646 --a------ C:\WINNT\system32\wpa.dbl
2008-02-26 20:49 . 2008-03-10 19:48 23,362 ---hs---- C:\WINNT\system32\ypnedfdp.dllbox
2008-02-26 20:47 . 2008-02-26 20:47 36,864 --a------ C:\WINNT\17PHolmes572.exe
2008-02-26 20:41 . 2008-02-26 20:41 <DIR> d-------- C:\WINNT\system32\jk8
2008-02-26 20:41 . 2008-02-26 20:41 <DIR> d-------- C:\WINNT\system32\hc4
2008-02-26 20:41 . 2008-02-26 20:41 <DIR> d-------- C:\WINNT\system32\fs7
2008-02-26 20:41 . 2008-02-26 20:41 <DIR> d-------- C:\WINNT\system32\ax3
2008-02-26 20:41 . 2008-02-26 21:34 376,832 --a------ C:\WINNT\mrofinu572.exe.tmp
2008-02-26 20:40 . 2008-03-11 18:53 <DIR> d-------- C:\Temp
2008-02-20 20:22 . 2008-02-20 20:22 745 --a------ C:\WINNT\COD.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-13 14:23 --------- d-----w C:\Program Files\iTunes
2008-03-13 14:23 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-12 03:08 --------- d-----w C:\Program Files\Accessories
2008-02-21 04:26 --------- d-----w C:\Program Files\Call of Duty
2008-02-07 15:46 --------- d-----w C:\Program Files\QuickTime
2008-02-07 07:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-04 15:19 7,536 ----a-w C:\WINNT\loadqm.exe
2008-01-27 01:42 --------- d-----w C:\Program Files\Trend Micro
2008-01-18 00:52 126 ----a-w C:\tempdel.bat
2008-01-17 10:34 --------- d-----w C:\Program Files\iPod
2008-01-15 21:52 140,800 --sh--w C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
2008-01-15 02:12 --------- d-----w C:\Program Files\RcvSystem
2002-11-06 23:45 57,344 ----a-w C:\WINNT\Fonts\omnithread_rt.dll
2002-11-06 23:45 32,768 ----a-w C:\WINNT\Fonts\VNCHooks.dll
2002-06-09 23:40 271 --sh--w C:\Program Files\desktop.ini
2002-06-09 23:40 21,952 ---ha-w C:\Program Files\folder.htt
.

<pre>
----a-w 151,597 2008-03-13 13:50:33 C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w 52,840 2008-03-13 13:50:46 C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w 267,048 2008-03-13 13:50:41 C:\Program Files\iTunes\iTunesHelper .exe
----a-w 32,881 2008-03-13 13:50:34 C:\Program Files\Java\j2re1.4.2_04\bin\jusched .exe
----a-w 188,416 2008-03-13 13:50:39 C:\Program Files\Logitech\Video\ISStart .exe
----a-w 77,824 2008-03-13 13:50:36 C:\Program Files\Logitech\Video\LogiTray .exe
----a-w 40,960 2008-03-13 13:50:35 C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart .exe
----a-w 15,360 2008-03-13 13:50:48 C:\WINNT\system32\ctfmon .exe
----a-w 753,664 2008-03-13 13:50:44 C:\WINNT\system32\spool\drivers\w32x86\3\EKIJ5000MUI .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D38FEDDD-5116-46E5-E993-B24BA7717E2B}]
C:\Program Files\Windows Media Player\rybiv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2008-03-10 21:43 15360]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe" [ ]
"SVCHOST.EXE"="C:\WINNT\system32\drivers\svchost.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSRunScript"="C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"Synchronization Manager"="mobsync.exe" [2006-02-28 04:00 143360 C:\WINNT\system32\mobsync.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe" [ ]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [ ]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [ ]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [ ]
"LoadQM"="loadqm.exe" [2008-02-04 07:19 7536 C:\WINNT\loadqm.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"EKIJ5000StatusMonitor"="C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2005-06-14 09:05 6856704]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2006-02-28 04:00 214528]
"tscuninstall"="C:\WINNT\system32\tscupgrd.exe" [2006-02-28 04:00 44544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 00:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqnmn]
awtqnmn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=NVDESK32.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"OM_Monitor"=C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"CamMonitor"=C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
"nwiz"=nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R1 cdudf;cdudf;C:\WINNT\system32\drivers\cdudf.sys [2001-09-04 14:38]
R2 KodakSvc;Kodak AiO Device Service;"C:\Program Files\Kodak\printer\center\KodakSvc.exe" [2007-03-22 18:04]
R3 tbcspud;Santa Cruz Driver;C:\WINNT\system32\drivers\tbcspud.sys [2001-08-29 12:19]
R3 tbcwdm;Santa Cruz WDM Driver;C:\WINNT\system32\drivers\tbcwdm.sys [2001-08-29 12:19]
S3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [2003-06-19 11:05]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-27 07:47:00 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-09 05:57:03 C:\WINNT\Tasks\EasyShare Registration Task.job"
- C:\WINNT\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOffer@16
"2008-03-13 08:05:00 C:\WINNT\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe
"2007-12-15 07:40:31 C:\WINNT\Tasks\Norton AntiVirus - Run Full System Scan - x.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
"2006-08-10 05:49:11 C:\WINNT\Tasks\Norton AntiVirus - Run Norton QuickScan - x.job"
- C:\PROGRA~1\NORTON~1\NAVW32.EXEg/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-13 06:28:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
.
**************************************************************************
.
Completion time: 2008-03-13 6:32:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-13 14:32:44
ComboFix2.txt 2008-03-12 14:22:00
ComboFix3.txt 2008-03-12 03:26:02
ComboFix4.txt 2008-02-06 15:31:22
ComboFix5.txt 2008-02-05 17:23:33
.
2008-03-13 08:44:50 --- E O F ---

Connery
2008-03-13, 15:43
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:40:15 AM, on 3/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\connery.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: CNavExtBho Class - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: 0 - {D38FEDDD-5116-46E5-E993-B24BA7717E2B} - C:\Program Files\Windows Media Player\rybiv.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINNT\system32\drivers\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\x\Start Menu\Programs\>IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/supergerball/miniclipGameLoader.dll
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/rssoft.cab
O20 - Winlogon Notify: awtqnmn - awtqnmn.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINNT\system32\bgsvcgen.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINNT\system32\UAService7.exe
O24 - Desktop Component 0: (no name) - http://www.theappliance.com/airavata/Lila62631.jpg

--
End of file - 10538 bytes
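
The things the helper is picking out of this log by eye (O17 NameServer entries pointing at resolvers the machine should not be using, a Run entry whose target is "Monitor .exe" with a space before the extension, an svchost.exe living under drivers\ instead of system32, and a Winlogon Notify entry whose DLL is already gone) can be pulled out of a HijackThis log mechanically. The script below is an added example for this thread, not code from HijackThis, ComboFix, FixWareout or either poster: the sample log excerpt is constructed from lines quoted in the post above, and the expected-resolver address, the Windows directory and the triage rules are assumptions made for the illustration.

```python
"""Triage a HijackThis log for the indicator types seen in this thread.

Added example: the sample lines are copied from the log above, the
expected-resolver set and rules are assumptions for illustration.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed excerpt of a HijackThis log (lines quoted from the thread).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINNT\system32\drivers\svchost.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{092DDBAC-E12C-404E-9FC7-1EA492CB4008}: NameServer = 85.255.113.140,85.255.112.93
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.140 85.255.112.93
O20 - Winlogon Notify: awtqnmn - awtqnmn.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
"""

# Assumptions for this example: the resolvers this network is supposed to use
# (a placeholder from the RFC 5737 documentation range stands in for the real
# ISP or corporate DNS) and the Windows directory shown in the log.
EXPECTED_RESOLVERS = {ipaddress.ip_address("192.0.2.53")}
SYSTEM32 = r"c:\winnt\system32"
# Windows binaries whose names are commonly reused for files dropped elsewhere.
SYSTEM_BINARY_NAMES = {"svchost.exe", "ctfmon.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+)$")


def image_path(cmd: str) -> str:
    """Return the executable path from a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: keep everything up to the first " /" switch, if any.
    return cmd.split(" /", 1)[0]


def triage(log_text: str) -> Dict[str, List[str]]:
    """Scan the log and return deduplicated findings per indicator type."""
    findings: Dict[str, List[str]] = {
        "rogue_dns": [],                # O17 resolvers outside the expected set
        "dot_space_exe": [],            # Run targets named "name .exe"
        "misplaced_system_binary": [],  # system binary name outside system32
        "missing_notify_dll": [],       # Winlogon Notify entry with no DLL on disk
    }

    def note(key: str, value: str) -> None:
        if value not in findings[key]:
            findings[key].append(value)

    for raw in log_text.splitlines():
        line = raw.strip()
        m = O17_RE.match(line)
        if m:
            # HijackThis shows the servers comma- or space-separated.
            for token in re.split(r"[ ,]+", m.group("servers").strip()):
                try:
                    ip = ipaddress.ip_address(token)
                except ValueError:
                    continue
                if ip not in EXPECTED_RESOLVERS:
                    note("rogue_dns", str(ip))
            continue
        m = O4_RE.match(line)
        if m:
            path = image_path(m.group("cmd"))
            base = path.rsplit("\\", 1)[-1].lower()
            folder = path.rsplit("\\", 1)[0].lower() if "\\" in path else ""
            if base.endswith(" .exe"):
                note("dot_space_exe", path)
            if base in SYSTEM_BINARY_NAMES and folder != SYSTEM32:
                note("misplaced_system_binary", path)
            continue
        m = O20_RE.match(line)
        if m and m.group("dll").endswith("(file missing)"):
            note("missing_notify_dll", m.group("name"))
    return findings


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        for item in items:
            print(f"{kind}: {item}")
```

The resolver check is an allowlist on purpose: rather than remembering which address ranges have been seen in hijacks, compare the O17 values against the resolvers the machine is actually supposed to use, and anything else gets a second look. The same allowlist idea is why ctfmon.exe in system32 passes while the copy of svchost.exe under drivers\ does not.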

little eagle
2008-03-14, 02:55
Well I'm working on a fix.
Please read the instructions on how to install the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post back here when done or before you follow my next post.

little eagle
2008-03-14, 03:12
I would like to see a copy of the file/folder in bold.

Click start / then my computer / local disk then follow the process tree.
Or using Windows Explorer, locate the first file you want to zip.
Right click on the file and select Send To and Compressed (zipped) Folder.
This makes a copy it does not delete it.
Please zip the file and upload it here (http://forums.security-central.us/showthread.php?t=270)
Or email it here (little_eagle@security-central.us)

Please include a link to this thread.



C:\WINNT\system32\jk8
C:\WINNT\system32\hc4
C:\WINNT\system32\fs7
C:\WINNT\system32\ax3

little eagle
2008-03-14, 03:16
Well on with the fix.

Open notepad and copy/paste the text in the codebox below into it:



File::
C:\WINNT\e01.exe
C:\WINNT\17PHolmes572.exe
C:\WINNT\mrofinu572.exe.tmp
C:\WINNT\mrofinu572.exe
C:\Program Files\Windows Media Player\rybiv.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D38FEDDD-5116-46E5-E993-B24BA7717E2B}]


RenV::
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched .exe
C:\Program Files\Logitech\Video\ISStart .exe
C:\Program Files\Logitech\Video\LogiTray .exe
C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart .exe
C:\WINNT\system32\ctfmon .exe
C:\WINNT\system32\spool\drivers\w32x86\3\EKIJ5000MUI .exe


Save this as "CFScript"


http://nutnworks.com/CFix/CFScript.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.

Connery
2008-03-14, 05:00
Well I'm working on a fix.
Please read the instructions on how to install the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post back here when done or before you follow my next post.

When finished it said to post this log and not reboot until given the okay. I hope I can go ahead and run your new fix without rebooting. We'll see.

Here's the log from the recovery console install:

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

Connery
2008-03-14, 05:02
I would like to see a copy of the file/folder in bold.

Click start / then my computer / local disk then follow the process tree.
Or using Windows Explorer, locate the first file you want to zip.
Right click on the file and select Send To and Compressed (zipped) Folder.
This makes a copy it does not delete it.
Please zip the file and upload it here (http://forums.security-central.us/showthread.php?t=270)
Or email it here (little_eagle@security-central.us)

Please include a link to this thread.



C:\WINNT\system32\jk8
C:\WINNT\system32\hc4
C:\WINNT\system32\fs7
C:\WINNT\system32\ax3

Did that. The ax3 folder was empty so it didn't get included in the zip.

Connery
2008-03-14, 05:30
Okay, here's the combofix log from your fix:

ComboFix 08-03-10.1 - x 2008-03-13 20:05:45.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.56 [GMT -8:00]
Running from: C:\Documents and Settings\x\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\x\Desktop\CFScript
* Created a new restore point

FILE ::
C:\Program Files\Windows Media Player\rybiv.dll
C:\WINNT\17PHolmes572.exe
C:\WINNT\e01.exe
C:\WINNT\mrofinu572.exe
C:\WINNT\mrofinu572.exe.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
C:\WINNT\17PHolmes572.exe
C:\WINNT\e01.exe
C:\WINNT\mrofinu572.exe.tmp
C:\WINNT\pskt.ini
C:\WINNT\system32\drivers\core.cache.dsk
C:\WINNT\system32\gvqpxmir.dll
C:\WINNT\system32\mlnmp.ini
C:\WINNT\system32\mlnmp.ini2
C:\WINNT\system32\ndckeped.dll
C:\WINNT\system32\pmnlm.dll
C:\WINNT\system32\pmnlm.exe
C:\WINNT\system32\rimxpqvg.ini
C:\WINNT\system32\ykxygpko.dll
C:\WINNT\system32\ypnedfdp.dllbox

.
((((((((((((((((((((((((( Files Created from 2008-02-14 to 2008-03-14 )))))))))))))))))))))))))))))))
.

2008-03-12 19:09 . 2008-03-13 05:50 15,360 --a--c--- C:\WINNT\system32\dllcache\ctfmon.exe
2008-03-12 19:09 . 2008-03-13 05:50 15,360 --a------ C:\WINNT\system32\ctfmon.exe
2008-03-10 20:25 . 2008-03-10 20:25 24,576 --a------ C:\WINNT\system32\VundoFixSVC.exe
2008-03-09 23:59 . 2008-03-10 20:48 <DIR> d-------- C:\VundoFix Backups
2008-03-09 21:26 . 2008-03-13 05:51 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-03-09 21:26 . 2008-03-09 21:26 1,409 --a------ C:\WINNT\QTFont.for
2008-02-27 20:27 . 2008-02-27 20:27 7,168 --------- C:\WINNT\system32\windows_tobedeleted_old
2008-02-27 00:34 . 2008-03-13 20:14 13,646 --a------ C:\WINNT\system32\wpa.dbl
2008-02-26 20:41 . 2008-02-26 20:41 <DIR> d-------- C:\WINNT\system32\jk8
2008-02-26 20:41 . 2008-02-26 20:41 <DIR> d-------- C:\WINNT\system32\hc4
2008-02-26 20:41 . 2008-02-26 20:41 <DIR> d-------- C:\WINNT\system32\fs7
2008-02-26 20:41 . 2008-02-26 20:41 <DIR> d-------- C:\WINNT\system32\ax3
2008-02-26 20:40 . 2008-03-11 18:53 <DIR> d-------- C:\Temp
2008-02-20 20:22 . 2008-02-20 20:22 745 --a------ C:\WINNT\COD.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-14 04:05 --------- d-----w C:\Program Files\iTunes
2008-03-14 04:05 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-12 03:08 --------- d-----w C:\Program Files\Accessories
2008-02-21 04:26 --------- d-----w C:\Program Files\Call of Duty
2008-02-07 15:46 --------- d-----w C:\Program Files\QuickTime
2008-02-07 07:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-04 15:19 7,536 ----a-w C:\WINNT\loadqm.exe
2008-01-27 01:42 --------- d-----w C:\Program Files\Trend Micro
2008-01-18 00:52 126 ----a-w C:\tempdel.bat
2008-01-17 10:34 --------- d-----w C:\Program Files\iPod
2008-01-15 02:12 --------- d-----w C:\Program Files\RcvSystem
2002-11-06 23:45 57,344 ----a-w C:\WINNT\Fonts\omnithread_rt.dll
2002-11-06 23:45 32,768 ----a-w C:\WINNT\Fonts\VNCHooks.dll
2002-06-09 23:40 271 --sh--w C:\Program Files\desktop.ini
2002-06-09 23:40 21,952 ---ha-w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2008-03-13 05:50 15360]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe" [ ]
"SVCHOST.EXE"="C:\WINNT\system32\drivers\svchost.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSRunScript"="C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-13 05:50 151597]
"Synchronization Manager"="mobsync.exe" [2006-02-28 04:00 143360 C:\WINNT\system32\mobsync.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe" [2008-03-13 05:50 32881]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2008-03-13 05:50 40960]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2008-03-13 05:50 77824]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2008-03-13 05:50 188416]
"LoadQM"="loadqm.exe" [2008-02-04 07:19 7536 C:\WINNT\loadqm.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-13 05:50 267048]
"EKIJ5000StatusMonitor"="C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-03-13 05:50 753664]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-03-13 05:50 52840]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2005-06-14 09:05 6856704]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2006-02-28 04:00 214528]
"tscuninstall"="C:\WINNT\system32\tscupgrd.exe" [2006-02-28 04:00 44544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 00:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqnmn]
awtqnmn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=NVDESK32.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"OM_Monitor"=C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"CamMonitor"=C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
"nwiz"=nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R1 cdudf;cdudf;C:\WINNT\system32\drivers\cdudf.sys [2001-09-04 14:38]
R2 KodakSvc;Kodak AiO Device Service;"C:\Program Files\Kodak\printer\center\KodakSvc.exe" [2007-03-22 18:04]
R3 tbcspud;Santa Cruz Driver;C:\WINNT\system32\drivers\tbcspud.sys [2001-08-29 12:19]
R3 tbcwdm;Santa Cruz WDM Driver;C:\WINNT\system32\drivers\tbcwdm.sys [2001-08-29 12:19]
S3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [2003-06-19 11:05]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-27 07:47:00 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-09 05:57:03 C:\WINNT\Tasks\EasyShare Registration Task.job"
- C:\WINNT\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOffer@16
"2008-03-14 04:05:01 C:\WINNT\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe
"2007-12-15 07:40:31 C:\WINNT\Tasks\Norton AntiVirus - Run Full System Scan - x.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
"2006-08-10 05:49:11 C:\WINNT\Tasks\Norton AntiVirus - Run Norton QuickScan - x.job"
- C:\PROGRA~1\NORTON~1\NAVW32.EXEg/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-13 20:14:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
.
**************************************************************************
.
Completion time: 2008-03-13 20:19:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-14 04:19:09
ComboFix2.txt 2008-03-13 14:32:49
ComboFix3.txt 2008-03-12 14:22:00
ComboFix4.txt 2008-03-12 03:26:02
ComboFix5.txt 2008-02-06 15:31:22
.
2008-03-13 08:44:50 --- E O F ---

Connery
2008-03-14, 05:32
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:28:43 PM, on 3/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\connery.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: CNavExtBho Class - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINNT\system32\drivers\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\x\Start Menu\Programs\>IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/supergerball/miniclipGameLoader.dll
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/rssoft.cab
O20 - Winlogon Notify: awtqnmn - awtqnmn.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINNT\system32\bgsvcgen.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINNT\system32\UAService7.exe
O24 - Desktop Component 0: (no name) - http://www.theappliance.com/airavata/Lila62631.jpg

--
End of file - 10419 bytes

little eagle
2008-03-14, 12:42
Open notepad and copy/paste the text in the codebox below into it:



Folder::
C:\WINNT\system32\jk8
C:\WINNT\system32\hc4
C:\WINNT\system32\fs7
C:\WINNT\system32\ax3



Save this as "CFScript"


http://nutnworks.com/CFix/CFScript.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.

Connery
2008-03-14, 15:14
ComboFix 08-03-10.1 - x 2008-03-14 5:46:47.9 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.43 [GMT -8:00]
Running from: C:\Documents and Settings\x\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\x\Desktop\CFScript
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
C:\WINNT\pskt.ini
C:\WINNT\system32\ax3
C:\WINNT\system32\eabilfjl.dll
C:\WINNT\system32\fs7
C:\WINNT\system32\fs7\cilcstat01.exe
C:\WINNT\system32\hc4
C:\WINNT\system32\hc4\pon89104.exe
C:\WINNT\system32\jk8
C:\WINNT\system32\jk8\propbar68.exe
C:\WINNT\system32\jqesexal.ini
C:\WINNT\system32\laxeseqj.dll
C:\WINNT\system32\mlnmp.ini
C:\WINNT\system32\mlnmp.ini2
C:\WINNT\system32\pmnlm.dll
C:\WINNT\system32\pmnlm.exe
C:\WINNT\system32\rhtkmidq.dll
C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-14 to 2008-03-14 )))))))))))))))))))))))))))))))
.

2008-03-12 19:09 . 2008-03-13 05:50 15,360 --a--c--- C:\WINNT\system32\dllcache\ctfmon.exe
2008-03-12 19:09 . 2008-03-14 06:00 15,360 --a------ C:\WINNT\system32\ctfmon.exe
2008-03-10 20:25 . 2008-03-10 20:25 24,576 --a------ C:\WINNT\system32\VundoFixSVC.exe
2008-03-09 23:59 . 2008-03-10 20:48 <DIR> d-------- C:\VundoFix Backups
2008-03-09 21:26 . 2008-03-14 05:29 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-03-09 21:26 . 2008-03-09 21:26 1,409 --a------ C:\WINNT\QTFont.for
2008-02-27 20:27 . 2008-02-27 20:27 7,168 --------- C:\WINNT\system32\windows_tobedeleted_old
2008-02-27 00:34 . 2008-03-14 05:59 13,646 --a------ C:\WINNT\system32\wpa.dbl
2008-02-26 20:40 . 2008-03-11 18:53 <DIR> d-------- C:\Temp
2008-02-20 20:22 . 2008-02-20 20:22 745 --a------ C:\WINNT\COD.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-14 14:00 338,944 ----a-w C:\WINNT\system32\pmnlm.exe
2008-03-14 14:00 335,360 ----a-w C:\WINNT\system32\pmnlm.dll
2008-03-14 13:55 --------- d-----w C:\Program Files\iTunes
2008-03-14 13:55 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-12 03:08 --------- d-----w C:\Program Files\Accessories
2008-02-21 04:26 --------- d-----w C:\Program Files\Call of Duty
2008-02-07 15:46 --------- d-----w C:\Program Files\QuickTime
2008-02-07 07:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-04 15:19 7,536 ----a-w C:\WINNT\loadqm.exe
2008-01-27 01:42 --------- d-----w C:\Program Files\Trend Micro
2008-01-18 00:52 126 ----a-w C:\tempdel.bat
2008-01-17 10:34 --------- d-----w C:\Program Files\iPod
2008-01-15 02:12 --------- d-----w C:\Program Files\RcvSystem
2002-11-06 23:45 57,344 ----a-w C:\WINNT\Fonts\omnithread_rt.dll
2002-11-06 23:45 32,768 ----a-w C:\WINNT\Fonts\VNCHooks.dll
2002-06-09 23:40 271 --sh--w C:\Program Files\desktop.ini
2002-06-09 23:40 21,952 ---ha-w C:\Program Files\folder.htt
.

<pre>
----a-w 420,352 2008-03-14 14:04:41 C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8625AB0F-FB15-4404-A4EA-7AAB1BEFDC6A}]
2008-03-14 06:00 335360 --a------ C:\WINNT\system32\pmnlm.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2008-03-13 05:50 15360]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe" [2008-03-14 06:04 420352]
"SVCHOST.EXE"="C:\WINNT\system32\drivers\svchost.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSRunScript"="C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"Synchronization Manager"="mobsync.exe" [2006-02-28 04:00 143360 C:\WINNT\system32\mobsync.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe" [ ]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [ ]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [ ]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [ ]
"LoadQM"="loadqm.exe" [2008-02-04 07:19 7536 C:\WINNT\loadqm.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"EKIJ5000StatusMonitor"="C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2005-06-14 09:05 6856704]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2006-02-28 04:00 214528]
"tscuninstall"="C:\WINNT\system32\tscupgrd.exe" [2006-02-28 04:00 44544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 00:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqnmn]
awtqnmn.dll

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINNT\system32\pmnlm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=NVDESK32.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINNT\system32\pmnlm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"OM_Monitor"=C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"CamMonitor"=C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
"nwiz"=nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R1 cdudf;cdudf;C:\WINNT\system32\drivers\cdudf.sys [2001-09-04 14:38]
R2 KodakSvc;Kodak AiO Device Service;"C:\Program Files\Kodak\printer\center\KodakSvc.exe" [2007-03-22 18:04]
R3 tbcspud;Santa Cruz Driver;C:\WINNT\system32\drivers\tbcspud.sys [2001-08-29 12:19]
R3 tbcwdm;Santa Cruz WDM Driver;C:\WINNT\system32\drivers\tbcwdm.sys [2001-08-29 12:19]
S3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [2003-06-19 11:05]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-27 07:47:00 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-09 05:57:03 C:\WINNT\Tasks\EasyShare Registration Task.job"
- C:\WINNT\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOffer@16
"2008-03-14 08:05:00 C:\WINNT\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe
"2007-12-15 07:40:31 C:\WINNT\Tasks\Norton AntiVirus - Run Full System Scan - x.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
"2006-08-10 05:49:11 C:\WINNT\Tasks\Norton AntiVirus - Run Norton QuickScan - x.job"
- C:\PROGRA~1\NORTON~1\NAVW32.EXEg/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-14 06:00:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\explorer.exe [6.00.2900.2180]
-> C:\WINNT\system32\pmnlm.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-03-14 6:09:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-14 14:09:19
ComboFix2.txt 2008-03-14 04:19:14
ComboFix3.txt 2008-03-13 14:32:49
ComboFix4.txt 2008-03-12 14:22:00
ComboFix5.txt 2008-03-12 03:26:02
.
2008-03-14 09:03:37 --- E O F ---

Connery
2008-03-14, 15:20
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:12:23 AM, on 3/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\connery.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINNT\system32\pmnlm.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {8625AB0F-FB15-4404-A4EA-7AAB1BEFDC6A} - C:\WINNT\system32\pmnlm.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: CNavExtBho Class - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINNT\system32\drivers\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\x\Start Menu\Programs\>IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/supergerball/miniclipGameLoader.dll
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/rssoft.cab
O20 - Winlogon Notify: awtqnmn - awtqnmn.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINNT\system32\bgsvcgen.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINNT\system32\UAService7.exe
O24 - Desktop Component 0: (no name) - http://www.theappliance.com/airavata/Lila62631.jpg

--
End of file - 10817 bytes

little eagle
2008-03-14, 15:29
Open notepad and copy/paste the text in the codebox below into it:



File::
C:\WINNT\system32\pmnlm.exe
C:\WINNT\system32\pmnlm.dll
RenV::
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe


Save this as "CFScript"


http://nutnworks.com/CFix/CFScript.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Close all programs leaving only HijackThis running. Place a check against each of the following,

F3 - REG:win.ini: load=C:\WINNT\system32\pmnlm.exe
O2 - BHO: (no name) - {8625AB0F-FB15-4404-A4EA-7AAB1BEFDC6A} - C:\WINNT\system32\pmnlm.dll
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/supergerball...GameLoader.dll
O20 - Winlogon Notify: awtqnmn - awtqnmn.dll (file missing)

Click on Fix Checked when finished and exit HijackThis.



Then post the results log and a new HijackThis log.

Connery
2008-03-14, 16:29
ComboFix 08-03-10.1 - x 2008-03-14 6:41:37.10 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.65 [GMT -8:00]
Running from: C:\Documents and Settings\x\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\x\Desktop\CFScript
* Created a new restore point

FILE ::
C:\WINNT\system32\pmnlm.dll
C:\WINNT\system32\pmnlm.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
C:\WINNT\system32\ctfmon.exe.tmp
C:\WINNT\system32\mlnmp.ini
C:\WINNT\system32\mlnmp.ini2
C:\WINNT\system32\pmnlm.dll
C:\WINNT\system32\pmnlm.exe
C:\WINNT\system32\RCX7.tmp

.
((((((((((((((((((((((((( Files Created from 2008-02-14 to 2008-03-14 )))))))))))))))))))))))))))))))
.

2008-03-14 06:34 . 2008-03-14 06:34 15,360 --a------ C:\WINNT\system32\ctfmon .exe
2008-03-12 19:09 . 2008-03-13 05:50 15,360 --a--c--- C:\WINNT\system32\dllcache\ctfmon.exe
2008-03-12 19:09 . 2008-03-13 05:50 15,360 --a------ C:\WINNT\system32\ctfmon.exe
2008-03-10 20:25 . 2008-03-10 20:25 24,576 --a------ C:\WINNT\system32\VundoFixSVC.exe
2008-03-09 23:59 . 2008-03-10 20:48 <DIR> d-------- C:\VundoFix Backups
2008-03-09 21:26 . 2008-03-14 05:29 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-03-09 21:26 . 2008-03-09 21:26 1,409 --a------ C:\WINNT\QTFont.for
2008-02-27 20:27 . 2008-02-27 20:27 7,168 --------- C:\WINNT\system32\windows_tobedeleted_old
2008-02-27 00:34 . 2008-03-14 07:09 13,646 --a------ C:\WINNT\system32\wpa.dbl
2008-02-26 20:40 . 2008-03-11 18:53 <DIR> d-------- C:\Temp
2008-02-20 20:22 . 2008-02-20 20:22 745 --a------ C:\WINNT\COD.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-14 15:10 335,360 ----a-w C:\WINNT\system32\pmnlm.dll
2008-03-14 13:55 --------- d-----w C:\Program Files\iTunes
2008-03-14 13:55 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-12 03:08 --------- d-----w C:\Program Files\Accessories
2008-02-21 04:26 --------- d-----w C:\Program Files\Call of Duty
2008-02-07 15:46 --------- d-----w C:\Program Files\QuickTime
2008-02-07 07:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-04 15:19 7,536 ----a-w C:\WINNT\loadqm.exe
2008-01-27 01:42 --------- d-----w C:\Program Files\Trend Micro
2008-01-18 00:52 126 ----a-w C:\tempdel.bat
2008-01-17 10:34 --------- d-----w C:\Program Files\iPod
2008-01-15 02:12 --------- d-----w C:\Program Files\RcvSystem
2002-11-06 23:45 57,344 ----a-w C:\WINNT\Fonts\omnithread_rt.dll
2002-11-06 23:45 32,768 ----a-w C:\WINNT\Fonts\VNCHooks.dll
2002-06-09 23:40 271 --sh--w C:\Program Files\desktop.ini
2002-06-09 23:40 21,952 ---ha-w C:\Program Files\folder.htt
.

<pre>
----a-w 420,352 2008-03-14 15:14:51 C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
----a-w 15,360 2008-03-14 14:34:50 C:\WINNT\system32\ctfmon .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5871A7E9-661E-4175-93B7-FCABAC2900A1}]
2008-03-14 07:10 335360 --a------ C:\WINNT\system32\pmnlm.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2008-03-13 05:50 15360]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe" [2008-03-14 07:14 420352]
"SVCHOST.EXE"="C:\WINNT\system32\drivers\svchost.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSRunScript"="C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"Synchronization Manager"="mobsync.exe" [2006-02-28 04:00 143360 C:\WINNT\system32\mobsync.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe" [ ]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [ ]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [ ]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [ ]
"LoadQM"="loadqm.exe" [2008-02-04 07:19 7536 C:\WINNT\loadqm.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"EKIJ5000StatusMonitor"="C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2005-06-14 09:05 6856704]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2006-02-28 04:00 214528]
"tscuninstall"="C:\WINNT\system32\tscupgrd.exe" [2006-02-28 04:00 44544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 00:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqnmn]
awtqnmn.dll

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINNT\system32\pmnlm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=NVDESK32.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINNT\system32\pmnlm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"OM_Monitor"=C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"CamMonitor"=C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
"nwiz"=nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R1 cdudf;cdudf;C:\WINNT\system32\drivers\cdudf.sys [2001-09-04 14:38]
R2 KodakSvc;Kodak AiO Device Service;"C:\Program Files\Kodak\printer\center\KodakSvc.exe" [2007-03-22 18:04]
R3 tbcspud;Santa Cruz Driver;C:\WINNT\system32\drivers\tbcspud.sys [2001-08-29 12:19]
R3 tbcwdm;Santa Cruz WDM Driver;C:\WINNT\system32\drivers\tbcwdm.sys [2001-08-29 12:19]
S3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [2003-06-19 11:05]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-27 07:47:00 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-09 05:57:03 C:\WINNT\Tasks\EasyShare Registration Task.job"
- C:\WINNT\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOffer@16
"2008-03-14 08:05:00 C:\WINNT\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe
"2007-12-15 07:40:31 C:\WINNT\Tasks\Norton AntiVirus - Run Full System Scan - x.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
"2006-08-10 05:49:11 C:\WINNT\Tasks\Norton AntiVirus - Run Norton QuickScan - x.job"
- C:\PROGRA~1\NORTON~1\NAVW32.EXEg/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-14 07:10:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINNT\system32\mlnmp.ini 318 bytes
C:\WINNT\system32\mlnmp.ini2 318 bytes
C:\WINNT\system32\pmnlm.exe 338944 bytes executable

scan completed successfully
hidden files: 3

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\explorer.exe [6.00.2900.2180]
-> C:\WINNT\system32\pmnlm.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-03-14 7:20:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-14 15:19:55
ComboFix2.txt 2008-03-14 14:09:29
ComboFix3.txt 2008-03-14 04:19:14
ComboFix4.txt 2008-03-13 14:32:49
ComboFix5.txt 2008-03-12 14:22:00
.
2008-03-14 09:03:37 --- E O F ---

Connery
2008-03-14, 16:30
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:25:59 AM, on 3/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\explorer.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Trend Micro\HijackThis\connery.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINNT\system32\pmnlm.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5871A7E9-661E-4175-93B7-FCABAC2900A1} - C:\WINNT\system32\pmnlm.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: CNavExtBho Class - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINNT\system32\drivers\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\x\Start Menu\Programs\>IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/rssoft.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINNT\system32\bgsvcgen.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINNT\system32\UAService7.exe
O24 - Desktop Component 0: (no name) - http://www.theappliance.com/airavata/Lila62631.jpg

--
End of file - 10668 bytes

little eagle
2008-03-14, 18:31
What a rough little bugger :lip:

Open notepad and copy/paste the text in the codebox below into it:



File::
C:\WINNT\system32\mlnmp.ini
C:\WINNT\system32\mlnmp.ini2
C:\WINNT\system32\pmnlm.exe

RenV::
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
C:\WINNT\system32\ctfmon .exe


Save this as "CFScript"


http://nutnworks.com/CFix/CFScript.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.

Connery
2008-03-15, 05:46
It sure is. I'm starting to think I should ask pmnlm.exe for rent money :mad:

ComboFix 08-03-10.1 - x 2008-03-14 20:12:25.11 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.53 [GMT -8:00]
Running from: C:\Documents and Settings\x\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\x\Desktop\CFScript
* Created a new restore point

FILE ::
C:\WINNT\system32\mlnmp.ini
C:\WINNT\system32\mlnmp.ini2
C:\WINNT\system32\pmnlm.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\BM7f8fb1d3.xml
C:\WINNT\pskt.ini
C:\WINNT\system32\ctfmon.exe.tmp
C:\WINNT\system32\jkfvnbtp.ini
C:\WINNT\system32\jwqandkx.dll
C:\WINNT\system32\mlnmp.ini
C:\WINNT\system32\mlnmp.ini2
C:\WINNT\system32\plytrcof.dll
C:\WINNT\system32\pmnlm.dll
C:\WINNT\system32\pmnlm.exe
C:\WINNT\system32\ptbnvfkj.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-15 to 2008-03-15 )))))))))))))))))))))))))))))))
.

2008-03-14 19:56 . 2008-03-14 19:56 338,944 --a------ C:\WINNT\system32\RCX8.tmp
2008-03-14 08:49 . 2008-03-14 08:49 338,944 --a------ C:\WINNT\system32\RCX7.tmp
2008-03-14 06:34 . 2008-03-14 19:56 15,360 --a--c--- C:\WINNT\system32\dllcache\ctfmon.exe
2008-03-14 06:34 . 2008-03-14 19:56 15,360 --a------ C:\WINNT\system32\ctfmon.exe
2008-03-10 20:25 . 2008-03-10 20:25 24,576 --a------ C:\WINNT\system32\VundoFixSVC.exe
2008-03-09 23:59 . 2008-03-10 20:48 <DIR> d-------- C:\VundoFix Backups
2008-03-09 21:26 . 2008-03-14 05:29 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-03-09 21:26 . 2008-03-09 21:26 1,409 --a------ C:\WINNT\QTFont.for
2008-02-27 20:27 . 2008-02-27 20:27 7,168 --------- C:\WINNT\system32\windows_tobedeleted_old
2008-02-27 00:34 . 2008-03-14 20:27 13,646 --a------ C:\WINNT\system32\wpa.dbl
2008-02-26 20:40 . 2008-03-11 18:53 <DIR> d-------- C:\Temp
2008-02-20 20:22 . 2008-02-20 20:22 745 --a------ C:\WINNT\COD.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-15 04:02 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-14 13:55 --------- d-----w C:\Program Files\iTunes
2008-03-12 03:08 --------- d-----w C:\Program Files\Accessories
2008-02-21 04:26 --------- d-----w C:\Program Files\Call of Duty
2008-02-07 15:46 --------- d-----w C:\Program Files\QuickTime
2008-02-07 07:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-04 15:19 7,536 ----a-w C:\WINNT\loadqm.exe
2008-01-27 01:42 --------- d-----w C:\Program Files\Trend Micro
2008-01-18 00:52 126 ----a-w C:\tempdel.bat
2008-01-17 10:34 --------- d-----w C:\Program Files\iPod
2008-01-15 02:12 --------- d-----w C:\Program Files\RcvSystem
2002-11-06 23:45 57,344 ----a-w C:\WINNT\Fonts\omnithread_rt.dll
2002-11-06 23:45 32,768 ----a-w C:\WINNT\Fonts\VNCHooks.dll
2002-06-09 23:40 271 --sh--w C:\Program Files\desktop.ini
2002-06-09 23:40 21,952 ---ha-w C:\Program Files\folder.htt
.

<pre>
----a-w 420,352 2008-03-15 04:31:07 C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{958DA74F-8EF5-4F84-AEDD-C5E98C6D3E3E}]
2008-03-14 20:29 335360 --a------ C:\WINNT\system32\pmnlm.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2008-03-14 19:56 15360]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe" [2008-03-14 20:31 420352]
"SVCHOST.EXE"="C:\WINNT\system32\drivers\svchost.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSRunScript"="C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"Synchronization Manager"="mobsync.exe" [2006-02-28 04:00 143360 C:\WINNT\system32\mobsync.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe" [ ]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [ ]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [ ]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [ ]
"LoadQM"="loadqm.exe" [2008-02-04 07:19 7536 C:\WINNT\loadqm.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"EKIJ5000StatusMonitor"="C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2005-06-14 09:05 6856704]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2006-02-28 04:00 214528]
"tscuninstall"="C:\WINNT\system32\tscupgrd.exe" [2006-02-28 04:00 44544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 00:15:54 65588]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINNT\system32\pmnlm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=NVDESK32.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINNT\system32\pmnlm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"OM_Monitor"=C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"CamMonitor"=C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
"nwiz"=nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R1 cdudf;cdudf;C:\WINNT\system32\drivers\cdudf.sys [2001-09-04 14:38]
R2 KodakSvc;Kodak AiO Device Service;"C:\Program Files\Kodak\printer\center\KodakSvc.exe" [2007-03-22 18:04]
R3 tbcspud;Santa Cruz Driver;C:\WINNT\system32\drivers\tbcspud.sys [2001-08-29 12:19]
R3 tbcwdm;Santa Cruz WDM Driver;C:\WINNT\system32\drivers\tbcwdm.sys [2001-08-29 12:19]
S3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [2003-06-19 11:05]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-27 07:47:00 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-09 05:57:03 C:\WINNT\Tasks\EasyShare Registration Task.job"
- C:\WINNT\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOffer@16
"2008-03-15 04:05:00 C:\WINNT\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe
"2008-03-15 04:00:00 C:\WINNT\Tasks\Norton AntiVirus - Run Full System Scan - x.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
"2006-08-10 05:49:11 C:\WINNT\Tasks\Norton AntiVirus - Run Norton QuickScan - x.job"
- C:\PROGRA~1\NORTON~1\NAVW32.EXEg/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-14 20:28:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINNT\system32\mlnmp.ini 318 bytes
C:\WINNT\system32\mlnmp.ini2 318 bytes
C:\WINNT\system32\pmnlm.dll 335360 bytes executable
C:\WINNT\system32\pmnlm.exe 338944 bytes executable

scan completed successfully
hidden files: 4

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\explorer.exe [6.00.2900.2180]
-> C:\WINNT\system32\pmnlm.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\WINNT\system32\imapi.exe
C:\WINNT\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-03-14 20:38:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-15 04:37:51
ComboFix2.txt 2008-03-14 15:20:04
ComboFix3.txt 2008-03-14 14:09:29
ComboFix4.txt 2008-03-14 04:19:14
ComboFix5.txt 2008-03-13 14:32:49
.
2008-03-14 09:03:37 --- E O F ---

Connery
2008-03-15, 05:48
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:39:30 PM, on 3/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINNT\system32\imapi.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\connery.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINNT\system32\pmnlm.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {958DA74F-8EF5-4F84-AEDD-C5E98C6D3E3E} - C:\WINNT\system32\pmnlm.dll
O2 - BHO: CNavExtBho Class - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINNT\system32\drivers\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\x\Start Menu\Programs\>IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/rssoft.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINNT\system32\bgsvcgen.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINNT\system32\UAService7.exe
O24 - Desktop Component 0: (no name) - http://www.theappliance.com/airavata/Lila62631.jpg

--
End of file - 10603 bytes
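
As an added example (not code from this thread, nor from HijackThis or ComboFix), a small triage script over lines in HijackThis log format. The sample lines are copied from the log above; the rules are my own and encode the persistence points this thread turned up (a non-empty win.ini load=, an unnamed BHO loaded from system32, an executable with a space before its extension, and svchost.exe outside system32). The known-bad file name list is an assumption taken from the ComboFix deletions posted earlier.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Sample input: lines copied from the HijackThis log in this thread (plus one
# clean "(no name)" BHO, Spybot's SDHelper.dll, as a negative case).
SAMPLE_LOG = """\
F3 - REG:win.ini: load=C:\\WINNT\\system32\\pmnlm.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: (no name) - {958DA74F-8EF5-4F84-AEDD-C5E98C6D3E3E} - C:\\WINNT\\system32\\pmnlm.dll
O4 - HKLM\\..\\Run: [LoadQM] loadqm.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINNT\\system32\\ctfmon.exe
O4 - HKCU\\..\\Run: [OM_Monitor] C:\\Program Files\\OLYMPUS\\OLYMPUS Master\\Monitor .exe
O4 - HKCU\\..\\Run: [SVCHOST.EXE] C:\\WINNT\\system32\\drivers\\svchost.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINNT\\system32\\nvsvc32.exe
"""

# Assumed known-bad names, taken from the ComboFix "Other Deletions" list above.
KNOWN_BAD = {"pmnlm.exe", "pmnlm.dll"}

# "O4 - rest of line": section code, then the entry text.
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<rest>.*)$")
# First absolute path ending in .exe/.dll; spaces are allowed inside, so a
# name like "Monitor .exe" is captured whole.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"]*?\.(?:exe|dll)\b", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    section: str
    path: Optional[str]
    rules: List[str] = field(default_factory=list)


def split_path(path: str):
    """Return (directory, file name), both lower-cased, from a Windows path."""
    directory, _, name = path.rpartition("\\")
    return directory.lower(), name.lower()


def triage_line(line_no: int, line: str, known_bad: Set[str]) -> Optional[Finding]:
    m = LINE_RE.match(line)
    if not m:
        return None
    sec, rest = m.group("sec"), m.group("rest")
    pm = PATH_RE.search(rest)
    finding = Finding(line_no, sec, pm.group(0) if pm else None)

    # Rule 1: the win.ini "load=" value is a legacy autostart that is empty on a
    # clean XP install; anything there deserves a look.
    if sec == "F3" and re.search(r"load=\S", rest):
        finding.rules.append("winini_load")

    if finding.path:
        directory, name = split_path(finding.path)
        # Rule 2: file name already identified as malicious by another tool.
        if name in known_bad:
            finding.rules.append("known_bad_name")
        # Rule 3: whitespace before the extension ("Monitor .exe", "ctfmon .exe").
        if re.search(r"\s\.(exe|dll)$", name):
            finding.rules.append("space_before_extension")
        # Rule 4: svchost.exe belongs in system32, not in a subfolder such as drivers.
        if name == "svchost.exe" and not directory.endswith("\\system32"):
            finding.rules.append("svchost_outside_system32")
        # Rule 5: a BHO with no name that loads from system32.
        if sec == "O2" and "(no name)" in rest and "\\system32\\" in directory + "\\":
            finding.rules.append("unnamed_bho_in_system32")

    return finding if finding.rules else None


def triage(log_text: str, known_bad: Set[str]) -> List[Finding]:
    """Return one Finding per log line that trips at least one rule."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        f = triage_line(n, line.rstrip(), known_bad)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, KNOWN_BAD):
        print(f"line {f.line_no} [{f.section}] {f.path}: {', '.join(f.rules)}")
```

The rules only rank lines for a human to look at; a hit such as "space_before_extension" on a file from a CD-installed product still needs the file compared against the original, as little eagle does here before deleting anything.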

little eagle
2008-03-15, 12:10
Download and Save blacklight to your desktop.
F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe then accept the agreement.
click > scan then > next,
You'll see a list of all items found. If nothing is found, don't worry; it will tell you that there were no files found.
In case hidden files were found, don't choose to rename them yet! I want to see the log first, because legit items can also be present there... but you can kill these

C:\WINNT\system32\mlnmp.ini 318 bytes
C:\WINNT\system32\mlnmp.ini2 318 bytes
C:\WINNT\system32\pmnlm.dll 335360 bytes executable
C:\WINNT\system32\pmnlm.exe 338944 bytes executable

There must be also a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)
Post the contents of the log in your next reply.

Connery
2008-03-15, 18:56
Download and Save blacklight to your desktop.
F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe then accept the agreement.
click > scan then > next

That page doesn't seem to work anymore. I did find a link to blacklight on the page http://www.f-secure.com/security_center/ at the bottom. Doesn't have the name blbeta.exe though, it's fsbl.exe. Is it the wrong version, or have they gone beyond beta now?

Connery
2008-03-15, 19:15
I did run that fsbl.exe scan, and it didn't find anything. Here's the log file it generated.

03/15/08 09:56:18 [Info]: BlackLight Engine 1.0.67 initialized
03/15/08 09:56:18 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/15/08 09:56:18 [Note]: 7019 4
03/15/08 09:56:18 [Note]: 7005 0
03/15/08 09:56:29 [Note]: 7006 0
03/15/08 09:56:29 [Note]: 7011 3596
03/15/08 09:56:29 [Note]: 7026 0
03/15/08 09:56:30 [Note]: 7026 0
03/15/08 09:56:37 [Note]: FSRAW library version 1.7.1024
03/15/08 10:10:24 [Note]: 7007 0

little eagle
2008-03-16, 03:36
Do you have the CD for C:\Program Files\OLYMPUS?

I think we will have to kill the program; the startup is infected and reinfecting the PC. :cool:

Connery
2008-03-16, 06:52
That's no problem. I'm sure I still have the CD.

This time when I started up the machine it told me it couldn't find the pmnlm file being called out in the registry. :scratch:

little eagle
2008-03-16, 12:45
Well that is a good thing............

Open notepad and copy/paste the text in the codebox below into it:



Folder::
C:\Program Files\OLYMPUS



Save this as "CFScript"


http://nutnworks.com/CFix/CFScript.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.

Connery
2008-03-16, 19:55
ComboFix 08-03-10.1 - x 2008-03-16 10:13:44.12 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.56 [GMT -8:00]
Running from: C:\Documents and Settings\x\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\x\Desktop\CFScript
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\OLYMPUS
C:\Program Files\OLYMPUS\OLYMPUS Master\Artworks\Background\0001\back_color_00.obg
.
.
.
a whole bunch of files that make this 85714 characters long - do I need to post them all?
.
.
.
C:\Program Files\OLYMPUS\OLYMPUS Master\VPrintOnlineHelper40.dll
C:\WINNT\BM7f8fb1d3.xml
C:\WINNT\pskt.ini
C:\WINNT\system32\ctfmon.exe.tmp
C:\WINNT\system32\jhcmuhhy.ini
C:\WINNT\system32\lbctvrfr.dll
C:\WINNT\system32\mjrvvotb.dll
C:\WINNT\system32\mlnmp.ini
C:\WINNT\system32\mlnmp.ini2
C:\WINNT\system32\njduokij.dll
C:\WINNT\system32\phswtnnx.dll
C:\WINNT\system32\pmnlm.dll
C:\WINNT\system32\pmnlm.exe
C:\WINNT\system32\yhhumchj.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-16 to 2008-03-16 )))))))))))))))))))))))))))))))
.

2008-03-15 09:22 . 2008-03-15 09:22 338,944 --a------ C:\WINNT\system32\RCXC.tmp
2008-03-14 21:58 . 2008-03-15 21:43 594 ---hs---- C:\WINNT\system32\lblhsuck.ini
2008-03-14 21:55 . 2008-03-14 21:55 338,944 --a------ C:\WINNT\system32\RCXB.tmp
2008-03-14 21:31 . 2008-03-14 21:31 338,944 --a------ C:\WINNT\system32\RCXA.tmp
2008-03-14 20:57 . 2008-03-14 20:57 338,944 --a------ C:\WINNT\system32\RCX9.tmp
2008-03-14 20:57 . 2008-03-16 10:04 15,360 --a------ C:\WINNT\system32\ctfmon .exe
2008-03-14 19:56 . 2008-03-14 19:56 338,944 --a------ C:\WINNT\system32\RCX8.tmp
2008-03-14 08:49 . 2008-03-14 08:49 338,944 --a------ C:\WINNT\system32\RCX7.tmp
2008-03-14 06:34 . 2008-03-14 19:56 15,360 --a--c--- C:\WINNT\system32\dllcache\ctfmon.exe
2008-03-14 06:34 . 2008-03-14 19:56 15,360 --a------ C:\WINNT\system32\ctfmon.exe
2008-03-10 20:25 . 2008-03-10 20:25 24,576 --a------ C:\WINNT\system32\VundoFixSVC.exe
2008-03-09 23:59 . 2008-03-10 20:48 <DIR> d-------- C:\VundoFix Backups
2008-02-27 20:27 . 2008-02-27 20:27 7,168 --------- C:\WINNT\system32\windows_tobedeleted_old
2008-02-27 00:34 . 2008-03-16 10:30 13,646 --a------ C:\WINNT\system32\wpa.dbl
2008-02-26 20:40 . 2008-03-11 18:53 <DIR> d-------- C:\Temp
2008-02-20 20:22 . 2008-02-20 20:22 745 --a------ C:\WINNT\COD.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-15 04:02 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-14 13:55 --------- d-----w C:\Program Files\iTunes
2008-03-12 03:08 --------- d-----w C:\Program Files\Accessories
2008-02-21 04:26 --------- d-----w C:\Program Files\Call of Duty
2008-02-07 15:46 --------- d-----w C:\Program Files\QuickTime
2008-02-07 07:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-04 15:19 7,536 ----a-w C:\WINNT\loadqm.exe
2008-01-27 01:42 --------- d-----w C:\Program Files\Trend Micro
2008-01-18 00:52 126 ----a-w C:\tempdel.bat
2008-01-17 10:34 --------- d-----w C:\Program Files\iPod
2002-11-06 23:45 57,344 ----a-w C:\WINNT\Fonts\omnithread_rt.dll
2002-11-06 23:45 32,768 ----a-w C:\WINNT\Fonts\VNCHooks.dll
2002-06-09 23:40 271 --sh--w C:\Program Files\desktop.ini
2002-06-09 23:40 21,952 ---ha-w C:\Program Files\folder.htt
.

<pre>
----a-w 15,360 2008-03-16 18:04:17 C:\WINNT\system32\ctfmon .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2008-03-14 19:56 15360]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe" [ ]
"SVCHOST.EXE"="C:\WINNT\system32\drivers\svchost.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSRunScript"="C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"Synchronization Manager"="mobsync.exe" [2006-02-28 04:00 143360 C:\WINNT\system32\mobsync.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe" [ ]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [ ]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [ ]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [ ]
"LoadQM"="loadqm.exe" [2008-02-04 07:19 7536 C:\WINNT\loadqm.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"EKIJ5000StatusMonitor"="C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2005-06-14 09:05 6856704]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2006-02-28 04:00 214528]
"tscuninstall"="C:\WINNT\system32\tscupgrd.exe" [2006-02-28 04:00 44544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 00:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=NVDESK32.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"OM_Monitor"=C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"CamMonitor"=C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
"nwiz"=nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R1 cdudf;cdudf;C:\WINNT\system32\drivers\cdudf.sys [2001-09-04 14:38]
R2 KodakSvc;Kodak AiO Device Service;"C:\Program Files\Kodak\printer\center\KodakSvc.exe" [2007-03-22 18:04]
R3 tbcspud;Santa Cruz Driver;C:\WINNT\system32\drivers\tbcspud.sys [2001-08-29 12:19]
R3 tbcwdm;Santa Cruz WDM Driver;C:\WINNT\system32\drivers\tbcwdm.sys [2001-08-29 12:19]
S3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [2003-06-19 11:05]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-16 07:47:00 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-16 05:56:00 C:\WINNT\Tasks\EasyShare Registration Task.job"
- C:\WINNT\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOffer@16
"2008-03-16 08:05:00 C:\WINNT\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe
"2008-03-15 04:00:00 C:\WINNT\Tasks\Norton AntiVirus - Run Full System Scan - x.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
"2006-08-10 05:49:11 C:\WINNT\Tasks\Norton AntiVirus - Run Norton QuickScan - x.job"
- C:\PROGRA~1\NORTON~1\NAVW32.EXEg/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-16 10:31:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-03-16 10:38:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-16 18:38:46
ComboFix2.txt 2008-03-15 04:38:01
ComboFix3.txt 2008-03-14 15:20:04
ComboFix4.txt 2008-03-14 14:09:29
ComboFix5.txt 2008-03-14 04:19:14
.
2008-03-16 18:22:20 --- E O F ---

Connery
2008-03-16, 19:56
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:47:59 AM, on 3/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\connery.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: CNavExtBho Class - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINNT\system32\drivers\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\x\Start Menu\Programs\>IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/rssoft.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINNT\system32\bgsvcgen.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINNT\system32\UAService7.exe
O24 - Desktop Component 0: (no name) - http://www.theappliance.com/airavata/Lila62631.jpg

--
End of file - 10323 bytes

little eagle
2008-03-16, 23:08
Open notepad and copy/paste the text in the codebox below into it:


File::
C:\WINNT\system32\RCXC.tmp
C:\WINNT\system32\RCXB.tmp
C:\WINNT\system32\RCXA.tmp
C:\WINNT\system32\RCX9.tmp
C:\WINNT\system32\RCX8.tmp
C:\WINNT\system32\RCX7.tmp


RenV::
C:\WINNT\system32\ctfmon .exe


Save this as "CFScript"


http://nutnworks.com/CFix/CFScript.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.

Connery
2008-03-17, 05:04
ComboFix 08-03-10.1 - x 2008-03-16 19:32:30.13 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.54 [GMT -8:00]
Running from: C:\Documents and Settings\x\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\x\Desktop\CFScript
* Created a new restore point

FILE ::
C:\WINNT\system32\RCX7.tmp
C:\WINNT\system32\RCX8.tmp
C:\WINNT\system32\RCX9.tmp
C:\WINNT\system32\RCXA.tmp
C:\WINNT\system32\RCXB.tmp
C:\WINNT\system32\RCXC.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\system32\RCX7.tmp
C:\WINNT\system32\RCX8.tmp
C:\WINNT\system32\RCX9.tmp
C:\WINNT\system32\RCXA.tmp
C:\WINNT\system32\RCXB.tmp
C:\WINNT\system32\RCXC.tmp

.
((((((((((((((((((((((((( Files Created from 2008-02-17 to 2008-03-17 )))))))))))))))))))))))))))))))
.

2008-03-14 21:58 . 2008-03-15 21:43 594 ---hs---- C:\WINNT\system32\lblhsuck.ini
2008-03-14 06:34 . 2008-03-14 19:56 15,360 --a--c--- C:\WINNT\system32\dllcache\ctfmon.exe
2008-03-14 06:34 . 2008-03-14 19:56 15,360 --a------ C:\WINNT\system32\ctfmon.exe
2008-03-10 20:25 . 2008-03-10 20:25 24,576 --a------ C:\WINNT\system32\VundoFixSVC.exe
2008-03-09 23:59 . 2008-03-10 20:48 <DIR> d-------- C:\VundoFix Backups
2008-02-27 20:27 . 2008-02-27 20:27 7,168 --------- C:\WINNT\system32\windows_tobedeleted_old
2008-02-27 00:34 . 2008-03-16 19:39 13,646 --a------ C:\WINNT\system32\wpa.dbl
2008-02-26 20:40 . 2008-03-11 18:53 <DIR> d-------- C:\Temp
2008-02-20 20:22 . 2008-02-20 20:22 745 --a------ C:\WINNT\COD.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-15 04:02 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-14 13:55 --------- d-----w C:\Program Files\iTunes
2008-03-12 03:08 --------- d-----w C:\Program Files\Accessories
2008-02-21 04:26 --------- d-----w C:\Program Files\Call of Duty
2008-02-07 15:46 --------- d-----w C:\Program Files\QuickTime
2008-02-07 07:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-04 15:19 7,536 ----a-w C:\WINNT\loadqm.exe
2008-01-27 01:42 --------- d-----w C:\Program Files\Trend Micro
2008-01-18 00:52 126 ----a-w C:\tempdel.bat
2008-01-17 10:34 --------- d-----w C:\Program Files\iPod
2002-11-06 23:45 57,344 ----a-w C:\WINNT\Fonts\omnithread_rt.dll
2002-11-06 23:45 32,768 ----a-w C:\WINNT\Fonts\VNCHooks.dll
2002-06-09 23:40 271 --sh--w C:\Program Files\desktop.ini
2002-06-09 23:40 21,952 ---ha-w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2008-03-14 19:56 15360]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe" [ ]
"SVCHOST.EXE"="C:\WINNT\system32\drivers\svchost.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSRunScript"="C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"Synchronization Manager"="mobsync.exe" [2006-02-28 04:00 143360 C:\WINNT\system32\mobsync.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe" [ ]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [ ]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [ ]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [ ]
"LoadQM"="loadqm.exe" [2008-02-04 07:19 7536 C:\WINNT\loadqm.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"EKIJ5000StatusMonitor"="C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2005-06-14 09:05 6856704]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2006-02-28 04:00 214528]
"tscuninstall"="C:\WINNT\system32\tscupgrd.exe" [2006-02-28 04:00 44544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 00:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=NVDESK32.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"OM_Monitor"=C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"CamMonitor"=C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
"nwiz"=nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R1 cdudf;cdudf;C:\WINNT\system32\drivers\cdudf.sys [2001-09-04 14:38]
R2 KodakSvc;Kodak AiO Device Service;"C:\Program Files\Kodak\printer\center\KodakSvc.exe" [2007-03-22 18:04]
R3 tbcspud;Santa Cruz Driver;C:\WINNT\system32\drivers\tbcspud.sys [2001-08-29 12:19]
R3 tbcwdm;Santa Cruz WDM Driver;C:\WINNT\system32\drivers\tbcwdm.sys [2001-08-29 12:19]
S3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [2003-06-19 11:05]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-16 07:47:00 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-16 05:56:00 C:\WINNT\Tasks\EasyShare Registration Task.job"
- C:\WINNT\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOffer@16
"2008-03-17 00:05:00 C:\WINNT\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe
"2008-03-15 04:00:00 C:\WINNT\Tasks\Norton AntiVirus - Run Full System Scan - x.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
"2006-08-10 05:49:11 C:\WINNT\Tasks\Norton AntiVirus - Run Norton QuickScan - x.job"
- C:\PROGRA~1\NORTON~1\NAVW32.EXEg/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-16 19:40:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
.
**************************************************************************
.
Completion time: 2008-03-16 19:48:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-17 03:48:13
ComboFix2.txt 2008-03-16 18:38:54
ComboFix3.txt 2008-03-15 04:38:01
ComboFix4.txt 2008-03-14 15:20:04
ComboFix5.txt 2008-03-14 14:09:29
.
2008-03-16 18:22:20 --- E O F ---

Connery
2008-03-17, 05:05
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:00:10 PM, on 3/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\connery.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: CNavExtBho Class - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINNT\system32\drivers\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\x\Start Menu\Programs\>IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/rssoft.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINNT\system32\bgsvcgen.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINNT\system32\UAService7.exe
O24 - Desktop Component 0: (no name) - http://www.theappliance.com/airavata/Lila62631.jpg

--
End of file - 10322 bytes

little eagle
2008-03-17, 12:28
Run this online scan from ESET (http://www.eset.eu/online-scanner)

You will need to use Internet Explorer for this scan!
First, accept the Terms of Use
Click: Start
When asked, allow the ActiveX control to install
Click: Start
Make sure the options:
Remove found threats, and Scan unwanted applications
are both checked!
Click: Scan


When the scan finishes, use Notepad to open the ESET report.
It will be located here C:\Program Files\EsetOnlineScanner\log.txt

Connery
2008-03-17, 16:35
# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2952 (20080317)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=bdbb33a43a93db4988abe5b1edd5f118
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-03-17 03:16:45
# local_time=2008-03-17 07:16:45 (-0800, Pacific Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=187164
# found=48
# scan_time=3538
C:\QooBox\Quarantine\catchme2008-03-11_191520.45.zip Win32/Adware.Virtumonde application (deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\catchme2008-03-11_191520.45.zip »ZIP »awtqnmn.dll Win32/Adware.Virtumonde application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1281OinAdmin.exe.vir probably a variant of Win32/TrojanDownloader.PurityScan trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\Program Files\Common Files\Real\Update_OB\realsched.exe.vir Win32/TrojanDropper.Agent.DGO virus (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\Program Files\Common Files\Symantec Shared\ccApp.exe.vir Win32/TrojanDropper.Agent.DGO virus (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\Program Files\iTunes\iTunesHelper.exe.vir Win32/TrojanDropper.Agent.DGO virus (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\Program Files\Java\j2re1.4.2_04\bin\jusched.exe.vir Win32/TrojanDropper.Agent.DGO virus (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\Program Files\Logitech\Video\ISStart.exe.vir Win32/TrojanDropper.Agent.DGO virus (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\Program Files\Logitech\Video\LogiTray.exe.vir Win32/TrojanDropper.Agent.DGO virus (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe.vir Win32/TrojanDropper.Agent.DGO virus (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe.vir Win32/TrojanDropper.Agent.DGO virus (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe.vir Win32/TrojanDropper.Agent.DGO virus (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\Program Files\Support.com\Charter\bin\SSRunScript.exe.vir Win32/TrojanDropper.Agent.DGO virus (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINNT\17PHolmes572.exe.vir Win32/TrojanDownloader.Agent.BLS trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINNT\e01.exe.vir Win32/TrojanDownloader.Zlob.BQV trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINNT\mrofinu1000106.exe.vir Win32/TrojanDownloader.Agent.BLS trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINNT\mrofinu572.exe.tmp.vir Win32/TrojanDropper.Agent.DGO virus (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINNT\mrofinu572.exe.vir Win32/TrojanDownloader.Agent.BLS trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINNT\system32\boctkxqj.dll.vir Win32/Adware.AdMedia application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINNT\system32\ctfmon.exe.tmp.vir Win32/TrojanDropper.Agent.DGO virus (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINNT\system32\ctfmon.exe.vir Win32/TrojanDropper.Agent.DGO virus (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINNT\system32\cyarguir.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINNT\system32\hgqiwwvy.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINNT\system32\jlsmhoii.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINNT\system32\niujwtjl.dll.vir Win32/Adware.AdMedia application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINNT\system32\nssigidw.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINNT\system32\ntload.sys.vir Win32/TrojanDownloader.Delf.OBJ trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINNT\system32\pmnlm.exe.vir Win32/TrojanDropper.Agent.DGO virus (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINNT\system32\pvptixxw.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINNT\system32\RCX26.tmp.vir Win32/TrojanDropper.Agent.DGO virus (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINNT\system32\RCX7.tmp.vir Win32/TrojanDropper.Agent.DGO virus (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINNT\system32\RCX8.tmp.vir Win32/TrojanDropper.Agent.DGO virus (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINNT\system32\RCX9.tmp.vir Win32/TrojanDropper.Agent.DGO virus (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINNT\system32\RCXA.tmp.vir Win32/TrojanDropper.Agent.DGO virus (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINNT\system32\RCXB.tmp.vir Win32/TrojanDropper.Agent.DGO virus (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINNT\system32\RCXC.tmp.vir Win32/TrojanDropper.Agent.DGO virus (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINNT\system32\upvqvgde.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINNT\system32\windows.vir Win32/Adware.SecToolbar application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINNT\system32\winupdate.exe.vir Win32/TrojanDownloader.Zlob.BQV trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINNT\system32\wscmp.dll.vir Win32/Adware.BHO.NBS application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINNT\system32\drivers\svchost.exe.vir Win32/TrojanDownloader.Agent.NWF trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINNT\system32\iDlo01\iDlo011065.exe.vir a variant of Win32/TrojanDownloader.VB.AW trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINNT\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe.vir Win32/TrojanDropper.Agent.DGO virus (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\tk58.exe.bad Win32/Adware.ZQuest application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\ypnedfdp.dll.bad Win32/Adware.SecToolbar application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINNT\Debug\UserMode\Libparse.exe Win32/PrcView application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINNT\system32\remote.ini probably a variant of IRC/Cloner.Y trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINNT\system32\windows_tobedeleted_old Win32/Adware.SecToolbar application (unable to clean - deleted) 00000000000000000000000000000000
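
Reading a report like the one above, as an added example that is not part of the original thread: most of the 48 hits sit under C:\QooBox\Quarantine (ComboFix's quarantine folder) and C:\VundoFix Backups, i.e. copies that an earlier tool had already pulled out of their original location, while only the last three lines are files that were still in place when ESET ran. The script below parses the `# key=value` header and the detection lines, separates quarantine copies from live files, and tallies detection families. The quarantine prefix list is this example's own assumption, and the sample lines are a subset copied from the report; nothing here is ESET's code.

```python
"""Triage an ESET Online Scanner log (the "# key=value" header followed by one
detection per line) so that hits inside other tools' quarantine folders are
not mistaken for an active infection."""
import re
from collections import Counter

# Folders where earlier cleanup tools park the files they removed. ComboFix
# uses C:\QooBox\Quarantine and VundoFix uses C:\VundoFix Backups; a detection
# under either is a copy already pulled out of its original location.
# (This prefix list is an assumption of the example; extend it as needed.)
QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\", "c:\\vundofix backups\\")

# Line shape: <path> <detection name> (<action taken>) <32 hex digits>
# The path may contain spaces, so the detection is located by its
# "Platform/Family" token, optionally preceded by ESET's heuristic wording.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<det>(?:probably a variant of |a variant of )?[A-Za-z0-9]+/\S+ \S+) "
    r"\((?P<action>[^)]*)\) "
    r"(?P<hash>[0-9a-fA-F]{32})$"
)
FAMILY_RE = re.compile(r"[A-Za-z0-9]+/\S+")


def parse_header(text):
    """Return the '# key=value' settings as a dict (e.g. remove_checked)."""
    header = {}
    for line in text.splitlines():
        if line.startswith("# ") and "=" in line:
            key, value = line[2:].split("=", 1)
            header[key.strip()] = value.strip()
    return header


def parse_detections(text):
    """Parse detection lines; lines that do not fit the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        entries.append({
            "path": path,
            "detection": m.group("det"),
            "family": FAMILY_RE.search(m.group("det")).group(0),
            "action": m.group("action"),
            "quarantined": path.lower().startswith(QUARANTINE_PREFIXES),
        })
    return entries


def triage(text):
    """Split detections into live files vs. quarantine copies; count families."""
    header = parse_header(text)
    entries = parse_detections(text)
    return {
        "header": header,
        "removed": header.get("remove_checked") == "true",
        "live": [e for e in entries if not e["quarantined"]],
        "quarantined": [e for e in entries if e["quarantined"]],
        "families": Counter(e["family"] for e in entries),
    }


# Constructed sample: a handful of lines copied from the report above.
SAMPLE = r"""
# end=finished
# remove_checked=true
# found=48
C:\QooBox\Quarantine\catchme2008-03-11_191520.45.zip »ZIP »awtqnmn.dll Win32/Adware.Virtumonde application (error while cleaning - was a part of the deleted object) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1281OinAdmin.exe.vir probably a variant of Win32/TrojanDownloader.PurityScan trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe.vir Win32/TrojanDropper.Agent.DGO virus (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINNT\system32\drivers\svchost.exe.vir Win32/TrojanDownloader.Agent.NWF trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\tk58.exe.bad Win32/Adware.ZQuest application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINNT\Debug\UserMode\Libparse.exe Win32/PrcView application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINNT\system32\remote.ini probably a variant of IRC/Cloner.Y trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINNT\system32\windows_tobedeleted_old Win32/Adware.SecToolbar application (unable to clean - deleted) 00000000000000000000000000000000
"""

if __name__ == "__main__":
    result = triage(SAMPLE)
    print("scanner deleted what it found:", result["removed"])
    print("quarantine copies:", len(result["quarantined"]),
          "live files:", len(result["live"]))
    for e in result["live"]:
        print("  LIVE", e["path"], "->", e["family"])
    for family, n in result["families"].most_common():
        print(f"{n:3d} {family}")
```

The live list is the part worth reading closely after a scan like this; the quarantine hits only confirm that the earlier tools caught the right things and that `remove_checked=true` let ESET delete the leftovers.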

little eagle
2008-03-18, 02:22
Download the OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.

Press cleanup & it will search for and delete/uninstall all the tools we have used
to fix your problems and all their backup folders and then delete itself when you next reboot.

---------------------------------

Reboot and rescan with HiJackThis and post a new log here.
Also please describe how your computer behaves at the moment.

Connery
2008-03-18, 05:36
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:50:30 PM, on 3/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\connery.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: CNavExtBho Class - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINNT\system32\drivers\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\x\Start Menu\Programs\>IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/rssoft.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINNT\system32\bgsvcgen.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINNT\system32\UAService7.exe
O24 - Desktop Component 0: (no name) - http://www.theappliance.com/airavata/Lila62631.jpg

--
End of file - 10447 bytes

----------------------------

Generally the PC's acting pretty well, but there are a couple lingering issues. Often when shutting down it stalls at the "Your computer is shutting down" screen (it did this time when OTMoveIt generated a reboot). Also, the system tray isn't showing my Norton AV stuff, even though it seems to be running, and it also doesn't show my printer, even though it's still working.

And of course I still need to get my updates working or I'm afraid I'll be dragging someone through some similar mess to help me out again. I'm going through the steps in this list - http://support.microsoft.com/kb/822798 - but so far they still aren't working. Hopefully one of those steps does the trick.
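
A post-cleanup HijackThis log like the one above is long and mostly benign, so a few mechanical checks help when rereading it. As an added example that is not part of the original thread, the script below flags three things that stand out in this log: a Run entry launching a file with a core Windows binary's name (svchost.exe) from C:\WINNT\system32\drivers rather than from system32 itself (the ESET report earlier lists the quarantined copy of that file as Win32/TrojanDownloader.Agent.NWF, yet the HKCU Run value survives), an O23 service whose executable is "(file missing)", and the O24 Active Desktop component pointing at a web URL. The name list, directory list and heuristics are this example's own assumptions, not HijackThis's rules, and the sample lines are copied from the log.

```python
"""Flag HijackThis O4 / O23 / O24 entries that deserve a second look."""
import ntpath
import re

# Core Windows binaries whose names malware likes to borrow. Those names are
# only expected directly in the Windows or system32 directory (an assumption
# of this example; adjust for a different %SystemRoot%).
CORE_NAMES = {"svchost.exe", "ctfmon.exe", "lsass.exe", "services.exe",
              "winlogon.exe", "smss.exe", "csrss.exe", "explorer.exe"}
SYSTEM_DIRS = {"c:\\winnt", "c:\\winnt\\system32",
               "c:\\windows", "c:\\windows\\system32"}

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): "
                   r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
O24_RE = re.compile(r"^O24 - Desktop Component \d+: .* - (?P<url>\S+)$")
# Quoted program first; otherwise everything up to the first ".exe", because
# these logs show unquoted paths that contain spaces.
EXE_RE = re.compile(r'^"([^"]+)"|^(.*?\.exe)\b', re.IGNORECASE)


def executable(cmd):
    """Return the program part of a Run-key command line."""
    cmd = re.sub(r"\s*\(User '[^']*'\)$", "", cmd.strip())  # drop HJT's user tag
    m = EXE_RE.match(cmd)
    if m:
        return m.group(1) or m.group(2)
    return cmd.split(" ", 1)[0]


def check_o4(line):
    """Core binary name outside its home, or any .exe run from a drivers dir."""
    m = O4_RE.match(line)
    if not m:
        return None
    exe = executable(m.group("cmd"))
    folder, name = ntpath.split(exe)
    folder_l, name_l = folder.lower(), name.lower()
    if name_l in CORE_NAMES and folder_l not in SYSTEM_DIRS:
        return f"core binary name {name} launched from {folder or '(no path)'}"
    if ntpath.basename(folder_l) == "drivers" and name_l.endswith(".exe"):
        return f"program launched from a drivers folder: {exe}"
    return None


def check_o23(line):
    """Service registration whose binary is gone (orphan or removed malware)."""
    m = O23_RE.match(line)
    if m and m.group("path").endswith("(file missing)"):
        return f"service {m.group('name')} points at a missing file"
    return None


def check_o24(line):
    """Active Desktop component that loads content from the web."""
    m = O24_RE.match(line)
    if m and m.group("url").lower().startswith("http"):
        return f"Active Desktop component pulls web content from {m.group('url')}"
    return None


def triage(log_text):
    """Return a list of {kind, reason, line} for every flagged entry."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        for kind, check in (("O4", check_o4), ("O23", check_o23), ("O24", check_o24)):
            reason = check(line)
            if reason:
                findings.append({"kind": kind, "reason": reason, "line": line})
                break
    return findings


# Constructed sample: lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINNT\system32\drivers\svchost.exe
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O24 - Desktop Component 0: (no name) - http://www.theappliance.com/airavata/Lila62631.jpg
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['reason']}")
```

The legitimate `C:\WINNT\system32\ctfmon.exe` entry is not flagged because its folder is one of the expected system directories; only the copy of svchost.exe living under `drivers` trips the rule.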

Connery
2008-03-18, 05:40
Also, that last line in the HJT log... http://www.theappliance.com/airavata/Lila62631.jpg doesn't exist and I'm sure it was installed by some malware. Do I just check it and have HJT remove it?

little eagle
2008-03-18, 12:38
Are you able to remove the old java?

It is important to remove older versions as these are the ones with the holes in them.

Download Newest >>>> http://www.java.com/en/download/index.jsp
Once installed you can test to see that it is in fact installed >>>>
Sun Java Test (http://www.java.com/en/download/installed.jsp)

Connery
2008-03-18, 15:48
I downloaded the newest one, but my add/remove programs list shows up blank now, as though nothing's installed!

Any idea how to fix that, and/or how to remove the old java versions manually?

(or when Sun/whoever is going to remove the old ones automatically when you upgrade?) :rolleyes:

little eagle
2008-03-19, 04:09
Reboot and rescan with HiJackThis and post a new log here.


(or when Sun/whoever is going to remove the old ones automatically when you upgrade?) They should do that; I hear they started doing that with the latest version.

Connery
2008-03-19, 05:42
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:30:55 PM, on 3/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\connery.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: CNavExtBho Class - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINNT\system32\drivers\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\x\Start Menu\Programs\>IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/rssoft.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINNT\system32\bgsvcgen.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINNT\system32\UAService7.exe
O24 - Desktop Component 0: (no name) - http://www.theappliance.com/airavata/Lila62631.jpg

--
End of file - 10796 bytes

little eagle
2008-03-19, 12:35
Also, that last line in the HJT log... http://www.theappliance.com/airavata/Lila62631.jpg doesn't exist and I'm sure it was installed by some malware. Do I just check it and have HJT remove it?
Yes.

----------------------


I downloaded the newest one, but my add/remove programs list shows up blank now, as though nothing's installed!

Any idea how to fix that, and/or how to remove the old java versions manually?
Not seeing anything but the new version.

--------------------------------------------------

Not seeing anything that looks like malware. As for the other issues, I'm not really sure how to fix them.

Connery
2008-03-19, 15:35
Well that's good.

Any ideas on how to get things back in my system tray, and why my add/remove programs console might be blank?

Also, along with getting my updates working, I'm overdue to renew my Norton subscription. I'm getting the idea that Norton might not be the best choice these days. Any alternative suggestions since it's time to shell out money anyway?

little eagle
2008-03-20, 02:38
Have you already done this?
Right-click on the Taskbar, then 'Properties'.
Under the 'Taskbar' tab, uncheck 'Hide Inactive Icons', then click on 'Customize'.
Under the 'Current Items' list, make sure they're all set to 'Always Show'.
Then click OK when done.

You can also try this fix from Kelly's Korner:

http://www.kellys-korner-xp.com/regs_edits/xp_pastitems.vbs

Download and open the script.

Connery
2008-03-20, 07:53
Well that didn't really work. Strangely, when I did the first part the functions all showed up in the list, but selecting 'Always Show' didn't make them show in the system tray. Then after running that script, they don't even show up when I go back to customize taskbar properties.

little eagle
2008-03-20, 12:15
Well, I'm out of my league here; you might want to ask here (http://forums.whatthetech.com/index.php?act=SR&f=119).

Connery
2008-03-20, 15:25
Thanks for the link. I'll try it out.
You've been really helpful and patient. Things are working so much better now - just a couple of cleanup things.

Thanks a bunch!!!!!

little eagle
2008-03-21, 00:32
You're welcome. I'll keep this thread open for a while in case you have some security questions.