Virtumonde and Vista



Mingus29
2008-05-16, 18:34
I am no computer professional, and I believe I have followed the posting instructions.

Here is my HJT report

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:49:48 AM, on 5/15/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
D:\My Music\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\System32\rundll32.exe
C:\ProgramData\Autobahn\mlb-nexdef-autobahn.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\My Music\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\eric\AppData\Local\Temp\nnnkHxuV.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\eric\AppData\Local\Temp\ssqRHAqR.dll,c
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [16b25649] rundll32.exe "C:\Users\eric\AppData\Local\Temp\hqpuroft.dll",b
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: MLB.TV NexDef Plug-in.lnk = C:\ProgramData\Autobahn\mlb-nexdef-autobahn.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 8911 bytes


This is my virus scan report from Kaspersky

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, May 16, 2008 10:24:10 AM
Operating System: Microsoft Windows Vista Professional, (Build 6000)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 15/05/2008
Kaspersky Anti-Virus database records: 775447
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 89433
Number of viruses found: 3
Number of infected objects: 10
Number of suspicious objects: 0
Duration of the scan process: 01:05:34

Infected Object Name / Virus Name / Last Action
C:\Users\eric\AppData\Local\Temp\nnnkHxuV.dll Infected: Trojan-Downloader.Win32.ConHook.qj skipped
C:\Users\eric\AppData\Local\Temp\setup_526_1_.exe Infected: Trojan-Downloader.Win32.FraudLoad.ym skipped
C:\Users\eric\AppData\Local\Temp\symlcsv1.exe Infected: Trojan-Clicker.Win32.Agent.aig skipped
C:\Users\eric\AppData\Local\Temp\tmp0000851e Infected: Trojan-Downloader.Win32.ConHook.qj skipped
C:\Users\eric\AppData\Local\Temp\tmp000105f6 Infected: Trojan-Downloader.Win32.ConHook.qj skipped
C:\Users\eric\AppData\Local\Temp\tmp00012bbe Infected: Trojan-Downloader.Win32.ConHook.qj skipped
C:\Users\eric\AppData\Local\Temp\tmp000181dd Infected: Trojan-Downloader.Win32.ConHook.qj skipped
C:\Users\eric\AppData\Local\Temp\tmp00218387 Infected: Trojan-Downloader.Win32.ConHook.qj skipped
C:\Users\eric\AppData\Local\Temp\tmp005de059 Infected: Trojan-Downloader.Win32.ConHook.qj skipped
C:\Users\eric\AppData\Local\Temp\tmp01bbd5c3 Infected: Trojan-Downloader.Win32.ConHook.qj skipped

Scan process completed.
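
The O4 lines of the HijackThis log above, run through a small triage script. This is an added example, not code from the thread, Spybot or HijackThis; the heuristics, the names (`triage_o4`, `Finding`) and the regexes are my own, and the sample lines are copied from the log posted above.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List

# Constructed sample: the O4 (Run key) entries copied from the HijackThis log
# in the post above, benign ones included for contrast.
SAMPLE_HJT_LINES = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\eric\AppData\Local\Temp\nnnkHxuV.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\eric\AppData\Local\Temp\ssqRHAqR.dll,c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [16b25649] rundll32.exe "C:\Users\eric\AppData\Local\Temp\hqpuroft.dll",b
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
"""

# "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>\S+):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# rundll32[.exe] <dll path, optionally quoted>,<export name or #ordinal>
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S*)', re.IGNORECASE
)
# User-writable scratch locations a vendor's startup DLL has no business living in.
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
# Run value names that are just eight hex digits (e.g. "16b25649") are
# machine-generated, not something an installer would choose.
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)


@dataclass
class Finding:
    name: str                 # Run value name in square brackets
    hive: str                 # HKLM\..\Run, HKCU\..\Run, HKUS\<SID>\..\Run
    dll: str                  # DLL handed to rundll32
    export: str               # export name or #ordinal after the comma
    reasons: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # A DLL loaded from Temp at logon is the strongest single signal.
        return "high" if "dll_in_temp" in self.reasons else "medium"


def triage_o4(lines: Iterable[str]) -> List[Finding]:
    """Return the rundll32-based O4 autoruns that match one or more heuristics."""
    findings: List[Finding] = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue                      # not a Run-key entry (e.g. "O4 - Startup:")
        r = RUNDLL_RE.search(m.group("cmd"))
        if not r:
            continue                      # only rundll32 loaders are checked here
        dll, export = r.group("dll"), r.group("export")
        reasons = []
        if TEMP_DIR_RE.search(dll):
            reasons.append("dll_in_temp")
        # Vendors export a readable entry point (NvStartup); "#1" or a lone letter does not.
        if export.startswith("#") or (len(export) == 1 and export.isalpha()):
            reasons.append("ordinal_or_single_letter_export")
        if HEX_NAME_RE.match(m.group("name")):
            reasons.append("hex_value_name")
        if reasons:
            findings.append(Finding(m.group("name"), m.group("hive"), dll, export, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_o4(SAMPLE_HJT_LINES.strip().splitlines()):
        print(f"[{f.severity}] {f.hive} [{f.name}] -> {f.dll},{f.export}  ({', '.join(f.reasons)})")
```

On the sample it flags exactly the three HKCU entries that the Kaspersky report above also reports as infected, and leaves the NVIDIA and Welcome Center rundll32 entries alone.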

pskelley
2008-05-16, 22:22
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

I am still learning Vista, and can only promise my best. You said:

I am no computer professional, and I believe I have followed the posting instructions.
You would not believe how rare that is.

Vundo can be tough so do not expect fast or easy, let's start like this:

1) We first need to disable TeaTimer so that it doesn't interfere with the fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

2) Windows Defender: Click on "Tools"
Click on "General Settings"
Scroll down to "Real-time protection options"
Uncheck "Turn on Real-time protection (recommended)"
Click "Save"
Make sure to turn your protection back on when you finish.

3) Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Post the combofix log and a new HJT log.

Tutorial if needed:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks

Mingus29
2008-05-17, 17:09
First, let me thank you for your help; I truly appreciate it.

Combofix Log

ComboFix 08-05-15.3 - eric 2008-05-17 10:02:11.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.1166 [GMT -5:00]
Running from: C:\Users\eric\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://updates.swarmcast.net
hxxp://au.dowõj
.
((((((((((((((((((((((((( Files Created from 2008-04-17 to 2008-05-17 )))))))))))))))))))))))))))))))
.

2008-05-15 12:06 . 2008-05-15 12:06 <DIR> d-------- C:\Windows\System32\Kaspersky Lab
2008-05-15 11:49 . 2008-05-15 11:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-14 13:15 . 2008-05-14 13:16 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-05-14 13:15 . 2008-05-14 13:16 <DIR> d-------- C:\ProgramData\Lavasoft
2008-05-14 13:15 . 2008-05-14 13:15 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-14 10:32 . 2008-05-14 10:32 <DIR> d-------- C:\VundoFix Backups
2008-05-13 14:23 . 2008-05-13 15:10 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-05-13 14:23 . 2008-05-13 15:10 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-05-13 14:23 . 2008-05-13 14:24 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-13 13:44 . 2008-05-13 13:44 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-05-13 11:31 . 2008-05-13 11:31 16 --a------ C:\Windows\System32\coh.cache
2008-05-13 11:30 . 2008-05-13 11:31 54,156 --ah----- C:\Windows\QTFont.qfn
2008-05-13 11:30 . 2008-05-13 11:31 1,409 --a------ C:\Windows\QTFont.for
2008-05-13 10:44 . 2008-05-13 11:35 <DIR> d-------- C:\Program Files\Norton Internet Security
2008-05-13 10:43 . 2008-05-13 11:25 123,952 --a------ C:\Windows\System32\drivers\SYMEVENT.SYS
2008-05-13 10:43 . 2008-05-13 11:25 10,740 --a------ C:\Windows\System32\drivers\SYMEVENT.CAT
2008-05-13 10:43 . 2008-05-13 11:25 805 --a------ C:\Windows\System32\drivers\SYMEVENT.INF
2008-05-13 10:42 . 2008-05-15 15:31 <DIR> d-------- C:\Users\All Users\Symantec
2008-05-13 10:42 . 2008-05-15 15:31 <DIR> d-------- C:\ProgramData\Symantec
2008-05-13 10:42 . 2008-05-13 11:25 <DIR> d-------- C:\Program Files\Symantec
2008-05-13 10:40 . 2008-05-14 10:20 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-13 10:28 . 2008-05-13 10:28 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-30 10:15 . 2008-04-30 10:15 <DIR> d-------- C:\Users\All Users\MLB TV Mosaic
2008-04-30 10:15 . 2008-04-30 10:15 <DIR> d-------- C:\ProgramData\MLB TV Mosaic
2008-04-30 10:13 . 2008-04-30 10:13 <DIR> d-------- C:\Users\All Users\Autobahn
2008-04-30 10:13 . 2008-04-30 10:13 <DIR> d-------- C:\ProgramData\Autobahn
2008-04-29 19:56 . 2008-04-29 19:56 245,664 --a------ C:\Windows\System32\ZuneWlanCfgSvc.exe
2008-04-24 22:31 . 2008-04-24 22:31 <DIR> d-------- C:\Users\eric\AppData\Roaming\PureEdge
2008-04-24 22:31 . 2008-04-24 22:31 <DIR> d-------- C:\Users\All Users\PureEdge
2008-04-24 22:31 . 2008-04-24 22:31 <DIR> d-------- C:\ProgramData\PureEdge
2008-04-24 22:31 . 2008-04-24 22:31 <DIR> d-------- C:\Program Files\PureEdge
2008-04-24 22:31 . 2008-04-30 10:15 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-04-24 22:31 . 2003-11-21 18:02 2,101,248 --a------ C:\Windows\System32\pe_cc.dll
2008-04-24 22:31 . 2003-11-21 18:02 1,167,360 --a------ C:\Windows\System32\pe_java.dll
2008-04-24 22:31 . 2003-11-21 18:02 712,704 --a------ C:\Windows\System32\uwi_java.dll
2008-04-24 22:31 . 2003-02-21 12:44 172,032 --a------ C:\Windows\System32\SSCE5332.dll
2008-04-24 22:31 . 2003-02-21 10:44 167,936 --a------ C:\Windows\System32\MSQOLE.DLL
2008-04-24 22:31 . 2008-04-24 22:31 61 --a------ C:\Windows\PureEdgeAPI.ini
2008-04-20 09:30 . 2008-04-20 09:30 <DIR> d-------- C:\Program Files\Apple Software Update

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-15 08:03 --------- d-----w C:\ProgramData\Microsoft Help
2008-05-15 08:03 --------- d-----w C:\Program Files\Windows Mail
2008-05-14 18:14 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-13 15:26 --------- d-----w C:\Program Files\Zune
2008-04-25 03:31 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-08 01:51 --------- d-----w C:\Program Files\BeerSmith
2008-04-08 01:43 --------- d-----w C:\Users\eric\AppData\Roaming\Ventrilo
2008-04-08 01:29 --------- d-----w C:\Program Files\Ventrilo
2008-04-07 03:39 --------- d-----w C:\Users\eric\AppData\Roaming\U3
2008-04-07 03:35 --------- d-----w C:\ProgramData\NVIDIA
2008-04-07 00:19 --------- d-----w C:\Program Files\Microsoft Works
2008-04-07 00:18 --------- d-----w C:\Program Files\MSBuild
2008-04-07 00:18 --------- d-----w C:\Program Files\Microsoft.NET
2008-04-07 00:16 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-04-06 02:26 --------- d-----w C:\Users\eric\AppData\Roaming\Leadertech
2008-04-06 02:25 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-06 02:16 --------- d-----w C:\Program Files\Google
2008-04-05 16:21 --------- d-----w C:\Users\eric\AppData\Roaming\Apple Computer
2008-04-05 16:21 --------- d-----w C:\ProgramData\Apple Computer
2008-04-05 16:21 --------- d-----w C:\Program Files\QuickTime
2008-04-05 16:21 --------- d-----w C:\Program Files\iPod
2008-04-05 16:21 --------- d-----w C:\Program Files\Bonjour
2008-04-05 16:19 --------- d-----w C:\ProgramData\Apple
2008-04-05 16:19 --------- d-----w C:\Program Files\Common Files\Apple
2008-04-05 05:50 174 --sha-w C:\Program Files\desktop.ini
2008-04-05 05:48 --------- d-----w C:\Program Files\Windows Sidebar
2008-04-05 05:48 --------- d-----w C:\Program Files\Windows Defender
2008-04-05 05:48 --------- d-----w C:\Program Files\Windows Calendar
2008-04-05 05:34 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2008-04-05 05:34 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2008-04-05 05:34 542,720 ----a-w C:\Windows\System32\sysmain.dll
2008-04-05 05:34 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2008-04-05 05:34 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2008-04-05 05:34 297,984 ----a-w C:\Windows\System32\wlansec.dll
2008-04-05 05:34 290,816 ----a-w C:\Windows\System32\wlanmsm.dll
2008-04-05 05:34 258,232 ----a-w C:\Windows\system32\drivers\acpi.sys
2008-04-05 05:34 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2008-04-05 05:34 2,923,520 ----a-w C:\Windows\explorer.exe
2008-04-05 05:33 49,664 ----a-w C:\Windows\System32\csrsrv.dll
2008-04-05 05:33 376,320 ----a-w C:\Windows\System32\winsrv.dll
2008-04-05 05:33 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-04-05 05:33 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-04-05 05:31 41,984 ----a-w C:\Windows\system32\drivers\monitor.sys
2008-04-05 05:31 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-04-05 05:30 414,208 ----a-w C:\Windows\System32\msscp.dll
2008-04-05 05:30 374,456 ----a-w C:\Windows\System32\mcupdate_GenuineIntel.dll
2008-04-05 05:28 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-04-05 05:28 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-04-05 05:28 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-04-05 05:28 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-04-05 05:28 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-04-05 05:28 20,024 ----a-w C:\Windows\system32\drivers\viaide.sys
2008-04-05 05:28 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-04-05 05:28 15,928 ----a-w C:\Windows\system32\drivers\pciide.sys
2008-04-05 05:28 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-04-05 05:28 104,448 ----a-w C:\Windows\System32\DWWIN.EXE
2008-04-05 05:26 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-04-05 05:26 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-04-05 05:26 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-04-05 05:26 216,632 ----a-w C:\Windows\system32\drivers\netio.sys
2008-04-05 05:26 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-04-05 05:25 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2008-04-05 05:25 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2008-04-05 05:25 2,048 ----a-w C:\Windows\System32\asferror.dll
2008-04-05 05:25 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2008-04-05 05:24 57,856 ----a-w C:\Windows\System32\SLUINotify.dll
2008-04-05 05:24 566,784 ----a-w C:\Windows\System32\SLCommDlg.dll
2008-04-05 05:24 39,936 ----a-w C:\Windows\System32\slcinst.dll
2008-04-05 05:24 351,232 ----a-w C:\Windows\System32\SLUI.exe
2008-04-05 05:24 33,280 ----a-w C:\Windows\System32\slwmi.dll
2008-04-05 05:24 268,288 ----a-w C:\Windows\System32\mcbuilder.exe
2008-04-05 05:24 223,232 ----a-w C:\Windows\System32\SLC.dll
2008-04-05 05:24 2,605,568 ----a-w C:\Windows\System32\SLsvc.exe
2008-04-05 05:24 2,048 ----a-w C:\Windows\System32\msxml6r.dll
2008-04-05 05:24 186,368 ----a-w C:\Windows\System32\SLLUA.exe
2008-04-05 05:24 1,335,296 ----a-w C:\Windows\System32\msxml6.dll
2008-04-05 05:22 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys
2008-04-05 05:22 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys
2008-04-05 05:22 53,760 ----a-w C:\Windows\system32\drivers\hdaudbus.sys
2008-04-05 05:22 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys
2008-04-05 05:22 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2008-04-05 05:22 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys
2008-04-05 05:21 974,336 ----a-w C:\Windows\System32\crypt32.dll
2008-04-05 05:21 788,992 ----a-w C:\Windows\System32\rpcrt4.dll
2008-04-05 05:21 5,120 ----a-w C:\Windows\System32\wmi.dll
2008-04-05 05:21 152,576 ----a-w C:\Windows\System32\imagehlp.dll
2008-04-05 05:21 12,800 ----a-w C:\Windows\system32\drivers\fs_rec.sys
2008-04-05 05:19 2,048 ----a-w C:\Windows\System32\tzres.dll
2008-04-05 05:18 633,856 ----a-w C:\Windows\System32\user32.dll
2008-04-05 05:17 750,080 ----a-w C:\Windows\System32\qmgr.dll
2008-04-05 05:16 1,244,672 ----a-w C:\Windows\System32\mcmde.dll
2008-04-05 02:52 53,080 ----a-w C:\Windows\System32\wuauclt.exe
2008-04-05 02:52 43,352 ----a-w C:\Windows\System32\wups2.dll
2008-04-05 02:52 1,712,984 ----a-w C:\Windows\System32\wuaueng.dll
2008-04-05 02:52 1,524,224 ----a-w C:\Windows\System32\wucltux.dll
2008-04-05 02:51 80,896 ----a-w C:\Windows\System32\wudriver.dll
2008-04-05 02:51 549,720 ----a-w C:\Windows\System32\wuapi.dll
2008-04-05 02:51 33,624 ----a-w C:\Windows\System32\wups.dll
2008-04-05 02:51 31,232 ----a-w C:\Windows\System32\wuapp.exe
2008-04-05 02:51 163,000 ----a-w C:\Windows\System32\wuwebv.dll
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-04-05 00:22 1232896]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-04-05 21:16 171448]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 07:33 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-04-05 00:31 1006264]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="D:\My Music\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-12-11 17:06 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-12-11 17:06 8530464]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-12-11 17:06 81920]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"masqform.exe"="C:\Program Files\PureEdge\Viewer 6.0\masqform.exe" [2003-12-03 12:43 1052672]
"Zune Launcher"="c:\Program Files\Zune\ZuneLauncher.exe" [2008-04-29 19:56 158624]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 00:59 115816]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]

C:\Users\eric\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MLB.TV NexDef Plug-in.lnk - C:\ProgramData\Autobahn\mlb-nexdef-autobahn.exe [2008-03-30 18:52:34 799496]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{3A54288C-9045-4B31-AA5B-F16ABA6B0F9C}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{475BFA0E-26D5-4840-B95C-92544D9FB7C6}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{4E1FA2AC-7172-4A3B-8514-C0170D56E428}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{CC7AC22D-0CF8-4F25-87F0-FA95AE2D1A9D}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{3DA4CC5B-9D94-4280-B9F5-3307199D6D08}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{5A40CA35-9209-4E5A-B794-965D9A67943B}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{09D91733-6BF2-41B7-B734-BCBAC281C3C7}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{A94CB6CB-3BDD-4374-926C-0085D194E825}C:\\users\\eric\\downloads\\wow-burningcrusade-enus-installer-downloader.exe"= UDP:C:\users\eric\downloads\wow-burningcrusade-enus-installer-downloader.exe:wow-burningcrusade-enus-installer-downloader.exe
"UDP Query User{348A4AF0-31E0-43DB-9656-FA9A92145DF0}C:\\users\\eric\\downloads\\wow-burningcrusade-enus-installer-downloader.exe"= TCP:C:\users\eric\downloads\wow-burningcrusade-enus-installer-downloader.exe:wow-burningcrusade-enus-installer-downloader.exe
"TCP Query User{5509011E-16E1-4CFF-AAE5-85EBA3DB62D5}C:\\users\\eric\\downloads\\wowclient-downloader.exe"= UDP:C:\users\eric\downloads\wowclient-downloader.exe:wowclient-downloader.exe
"UDP Query User{A112D19B-26FD-4696-8377-CBBF12C5F704}C:\\users\\eric\\downloads\\wowclient-downloader.exe"= TCP:C:\users\eric\downloads\wowclient-downloader.exe:wowclient-downloader.exe
"TCP Query User{68BD66B7-933B-4F51-BDF5-8E69AB4183BB}D:\\my music\\itunes\\itunes.exe"= UDP:D:\my music\itunes\itunes.exe:iTunes
"UDP Query User{46F02742-7F53-451B-9B66-17525F252E09}D:\\my music\\itunes\\itunes.exe"= TCP:D:\my music\itunes\itunes.exe:iTunes
"TCP Query User{FF40DEDA-54ED-4780-AB23-022D41C30EE6}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{E2BCA973-7208-4776-9763-62CBE598B5C4}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{EEFD8413-622F-48AC-989E-A662C7F3B443}C:\\programdata\\autobahn\\mlb-nexdef-autobahn.exe"= UDP:C:\programdata\autobahn\mlb-nexdef-autobahn.exe:mlb-nexdef-autobahn
"UDP Query User{79A7D87E-F303-44BD-9892-3F66D1750B47}C:\\programdata\\autobahn\\mlb-nexdef-autobahn.exe"= TCP:C:\programdata\autobahn\mlb-nexdef-autobahn.exe:mlb-nexdef-autobahn
"TCP Query User{FAE63821-6C73-4ACD-AFFA-98AAD5100816}C:\\programdata\\mlb tv mosaic\\mlbplayer.exe"= UDP:C:\programdata\mlb tv mosaic\mlbplayer.exe:MLBPlayer
"UDP Query User{8B78E9F5-77F5-45F5-A8D3-47629135BFA0}C:\\programdata\\mlb tv mosaic\\mlbplayer.exe"= TCP:C:\programdata\mlb tv mosaic\mlbplayer.exe:MLBPlayer
"{706FE627-03D6-4370-BD13-890F0AB13FB5}"= UDP:D:\My Music\iTunes\iTunes.exe:iTunes
"{69A76D16-631E-4816-98C5-6EC9C01AB801}"= TCP:D:\My Music\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20080513.001\IDSvix86.sys [2008-04-04 17:47]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-01-09 17:32]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\Windows\system32\ZuneWlanCfgSvc.exe [2008-04-29 19:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1473d337-0443-11dd-bef2-001966580358}]
\shell\AutoRun\command - H:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{87dd6c57-02e3-11dd-abe8-806e6f6e6963}]
\shell\AutoRun\command - E:\CDSTART.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f39bf62-060c-11dd-a6ef-001966580358}]
\shell\AutoRun\command - I:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-05-14 04:31:55 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - eric.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeB/TASK:
"2008-05-16 19:36:33 C:\Windows\Tasks\User_Feed_Synchronization-{CEDA008B-25D5-482D-9FEA-33093FE2ED89}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-17 10:04:02
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-17 10:04:45
ComboFix-quarantined-files.txt 2008-05-17 15:04:40

Pre-Run: 56,404,574,208 bytes free
Post-Run: 56,456,765,440 bytes free

259 --- E O F --- 2008-05-16 08:02:03


HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:49:48 AM, on 5/15/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
D:\My Music\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\System32\rundll32.exe
C:\ProgramData\Autobahn\mlb-nexdef-autobahn.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\My Music\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\eric\AppData\Local\Temp\nnnkHxuV.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\eric\AppData\Local\Temp\ssqRHAqR.dll,c
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [16b25649] rundll32.exe "C:\Users\eric\AppData\Local\Temp\hqpuroft.dll",b
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: MLB.TV NexDef Plug-in.lnk = C:\ProgramData\Autobahn\mlb-nexdef-autobahn.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 8911 bytes


What's next?

pskelley
2008-05-17, 17:44
Thanks for returning the scan results; combofix did not pick up what I thought it would. Let's continue like this:

C:\ProgramData\Autobahn\mlb-nexdef-autobahn.exe <<< can you assure me this item is valid?

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
TeaTimer is running and I asked that it be turned off in the first instructions.

1) We need first to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)
It may have blocked combofix? Please follow the directions carefully. Disable TeaTimer and leave it disabled until we finish.


1) Everything Kaspersky finds is in this folder:
C:\Users\eric\AppData\Local\Temp\ <<< delete the contents
http://www.pctipsbox.com/how-to-manually-clean-out-the-temp-folder-in-windows-vista/

2) Clean these also: http://www.winvistaclub.com/f11.html

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\eric\AppData\Local\Temp\nnnkHxuV.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\eric\AppData\Local\Temp\ssqRHAqR.dll,c
O4 - HKCU\..\Run: [16b25649] rundll32.exe "C:\Users\eric\AppData\Local\Temp\hqpuroft.dll",b

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Restart the computer and post a new HJT log. Tell me how the computer runs now.

Thanks
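As an added illustration (not part of this thread or of any tool the helper uses), a small Python checker that applies the same reasoning as the HJT fix list above: it parses O4 Run-key lines and flags rundll32.exe loaders whose DLL sits in the user's Temp folder, whose export is an ordinal or single letter, or whose value name is random hex. The sample lines are copied from the logs posted in this thread, with two legitimate rundll32 entries kept for contrast.

```python
"""Flag HijackThis O4 (Run key) entries that match the Virtumonde/Vundo
pattern visible in the log above: rundll32.exe loading a randomly named DLL
out of the user's Temp folder, often under a random hex value name and with
a terse export (an ordinal like #1 or a single letter).

Added example; not code from this thread or from HijackThis itself."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: lines copied from the HJT logs posted in this thread, plus the
# legitimate NVIDIA and Welcome Center rundll32 entries for contrast.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\eric\AppData\Local\Temp\nnnkHxuV.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\eric\AppData\Local\Temp\ssqRHAqR.dll,c
O4 - HKCU\..\Run: [16b25649] rundll32.exe "C:\Users\eric\AppData\Local\Temp\hqpuroft.dll",b
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - Startup: MLB.TV NexDef Plug-in.lnk = C:\ProgramData\Autobahn\mlb-nexdef-autobahn.exe
"""

# O4 Run-key line: "O4 - <hive>\..\Run: [<value name>] <command>"
# The hive may carry a SID for per-user hives (HKUS\S-1-5-19).
O4_RUN_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+(?:\\S-[\d-]+)?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# rundll32 invocation: "rundll32.exe <dll>,<export>", DLL path optionally quoted.
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S+)', re.IGNORECASE)
TEMP_DIR_RE = re.compile(r'\\AppData\\Local\\Temp\\', re.IGNORECASE)
HEX_NAME_RE = re.compile(r'^[0-9a-f]{6,}$', re.IGNORECASE)   # value names like 16b25649
TERSE_EXPORT_RE = re.compile(r'^(?:#\d+|[A-Za-z])$')        # exports like #1, b, c


@dataclass
class Finding:
    value_name: str
    hive: str
    dll: str
    reasons: List[str] = field(default_factory=list)


def parse_o4_run(line: str) -> Optional[dict]:
    """Return hive / value name / command for an O4 Run-key line, else None."""
    m = O4_RUN_RE.match(line.strip())
    return m.groupdict() if m else None


def assess_run_entry(entry: dict) -> Optional[Finding]:
    """Score one Run entry; only rundll32 loaders are in scope here."""
    rm = RUNDLL_RE.match(entry['cmd'])
    if not rm:
        return None
    dll, export = rm.group('dll'), rm.group('export')
    reasons = []
    if TEMP_DIR_RE.search(dll):
        reasons.append('DLL is loaded from the user Temp folder')
    if TERSE_EXPORT_RE.match(export):
        reasons.append(f'export "{export}" is an ordinal or a single letter')
    if HEX_NAME_RE.match(entry['name']):
        reasons.append('Run value name is a random-looking hex string')
    if not reasons:
        return None
    return Finding(entry['name'], entry['hive'], dll, reasons)


def scan_hjt_log(text: str) -> List[Finding]:
    """Walk an HJT log and collect every flagged O4 Run entry."""
    findings = []
    for line in text.splitlines():
        entry = parse_o4_run(line)
        if entry:
            finding = assess_run_entry(entry)
            if finding:
                findings.append(finding)
    return findings


if __name__ == '__main__':
    for f in scan_hjt_log(SAMPLE_HJT_LOG):
        print(f'[{f.hive}] {f.value_name}: {f.dll}')
        for reason in f.reasons:
            print('   -', reason)
```

On the sample above the three Temp-folder loaders are reported and the NVIDIA and Welcome Center entries are not; the O4 Startup line is outside this check's scope.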

Mingus29
2008-05-18, 04:22
The autobahn file is for the MLBTV.com high def player for baseball games. I believe it to be valid.

I was a little pissed off at you for accusing me of not following your instructions, when I had followed your instructions to the T. You forgot to tell me to right click spybot and hijackthis and select "Run as Administrator". That is why teatimer didn't shut down, might also be why combofix didn't give you the results you wanted.

I followed your instructions again; however, the R0 entries you wanted me to check mark and fix in HJT were not present to check mark. Here is my new HJT log after restart:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:17:17 PM, on 5/17/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
D:\My Music\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\ProgramData\Autobahn\mlb-nexdef-autobahn.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\My Music\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: MLB.TV NexDef Plug-in.lnk = C:\ProgramData\Autobahn\mlb-nexdef-autobahn.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 7996 bytes

pskelley
2008-05-18, 14:03
OK, thanks for the feedback. Keep in mind I help lots of folks at the same time, and if I quit every time someone got "pissed" a lot of folks would get no help. I also stated plainly:

I am still learning Vista, and can only promise my best.
I have considered not fooling with Vista machines at all, but if we all do that, no Vista user gets help? So... since I do not have the Operating System (I have one 98SE and two WinXP) what should I do?

I shall take your advice and add this to all fixes for Vista: all programs must be "Run as Administrator"

This HJT log (Scan saved at 9:17:17 PM, on 5/17/2008) looks to be clean of malware. Remove ComboFix and the C:\Qoobox\Quarantine\ folder and run a new Kaspersky Online Scan using these settings to make sure we missed no malware.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here. <<< no need to post a clean scan result.

Thanks

pskelley
2008-05-26, 15:34
No response since 2008-05-18, 08:03

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.