PDA

View Full Version : Virtumonde and others that won't go away!



rawfulmayo
2008-05-29, 07:31
Hiya. New here and (surprise surprise) I've got Virtumonde--among other infections apparently. Go easy on me; this isn't exactly my forte`. Any help is welcome!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:25:23 PM, on 5/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
F:\itunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\D-Link\D-Link Wireless N USB Adapter DWA-130\wirelesscm.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: pvnsmfor - {CB07D6A9-7491-4A84-B8E8-E846CC689DDC} - C:\WINDOWS\pvnsmfor.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [advap32] C:\DOCUME~1\Patrick\LOCALS~1\Temp\stdcons.exe/r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [78a3da68] rundll32.exe "C:\WINDOWS\system32\weykiedd.dll",b
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA3457] command /c del "C:\WINDOWS\system32\geBqQKCs.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2223] cmd /c del "C:\WINDOWS\system32\geBqQKCs.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1748] command /c del "C:\WINDOWS\system32\vtUmKCus.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9774] cmd /c del "C:\WINDOWS\system32\vtUmKCus.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O4 - Global Startup: Wireless Connection Manager.lnk = ?
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167194648000
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O21 - SSODL: mpfanvqg - {4EED987D-D2DB-430F-8F3F-DBCE86E3BF1B} - (no file)
O21 - SSODL: vbksrofa - {6C361DDB-4828-4727-A583-5A48C146CDFB} - C:\WINDOWS\vbksrofa.dll (file missing)
O21 - SSODL: AvpCD - {4836c14e-a639-462a-bd57-8e9bff70c3ee} - C:\WINDOWS\Resources\AvpCD.dll
O21 - SSODL: A?
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 11521 bytes

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, May 27, 2008 11:52:53 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/05/2008
Kaspersky Anti-Virus database records: 801185
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 93113
Number of viruses found: 14
Number of infected objects: 16
Number of suspicious objects: 0
Duration of the scan process: 01:27:55

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Pure Networks\Network Magic\Log\logfile.nmapp_exe.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Pure Networks\Network Magic\Log\logfile.nmsrvc_exe.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\ccSubSDK\submissions.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\volatile.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{0E78FBE6-EF72-42C9-A140-6B8CDD22BDAD}.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{807C1B86-8F3E-4327-A40D-A38FDECF7E31}.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{92D6BB68-7BE1-42BB-B70D-8E08D6238AB1}.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-05-26_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Shared\QBackup\index.qbs Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\Shl_{4C9C46BE-8DF5-4A2A-B53B-F1518673B3CA}.ldb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\Shl_{4C9C46BE-8DF5-4A2A-B53B-F1518673B3CA}.sds Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\1DD2A8AF.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms03011.jar-fc9eb36-2e9dd2a3.zip/MagicApplet.class Infected: Trojan-Downloader.Java.OpenConnection.ao skipped
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms03011.jar-fc9eb36-2e9dd2a3.zip/OwnClassLoader.class Infected: Trojan.Java.ClassLoader.au skipped
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms03011.jar-fc9eb36-2e9dd2a3.zip/Installer.class Infected: Trojan-Downloader.Java.Agent.a skipped
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms03011.jar-fc9eb36-2e9dd2a3.zip ZIP: infected - 3 skipped
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\log\plugin150_10.trace Object is locked skipped
C:\Documents and Settings\HP_Administrator\Application Data\Symantec\NPMDataStore\CIMStore.xml Object is locked skipped
C:\Documents and Settings\HP_Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\History\History.IE5\MSHist012008052620080527\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\hsperfdata_HP_Administrator\2424 Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\UCZPTIO8\md0001[1].flv Object is locked skipped
C:\Documents and Settings\HP_Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\HP_Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Patrick\Local Settings\Temp\stdcons.exe Infected: Trojan-Downloader.Win32.Mutant.yl skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\chandir.dat Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\chandir.idx Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\chn.dat Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\chn.idx Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\D0000000.FCS Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\inuse.txt Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\L0000007.FCS Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\main.log Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs.dat Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs.idx Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_die.dat Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_die.idx Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_ext.dat Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_ext.idx Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\storydb.dat Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\storydb.idx Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP280\A0059473.dll Infected: Trojan.Win32.Vapsup.fje skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP282\A0060684.DLL Infected: Trojan.Win32.Vapsup.fje skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP282\A0060806.dll Infected: Trojan.Win32.Vapsup.fhj skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP282\A0060809.dll Infected: Trojan.Win32.Vapsup.fjd skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP282\A0060814.dll Infected: not-a-virus:AdWare.Win32.Altnet.d skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP282\A0060817.exe Infected: Trojan.Win32.Vapsup.fjc skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP282\A0060822.exe Infected: Trojan.Win32.Agent.mtm skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP282\A0061115.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.tgm skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP283\A0063118.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.tgn skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP283\A0063287.dll Infected: Trojan.Win32.Vapsup.fjb skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP284\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\nnnoLEVN.dll Infected: Trojan.Win32.Inject.ccj skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\JET2565.tmp Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

pskelley
2008-05-29, 16:32
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You are right, you have multiple infections. The Vundo may be gone but I am not sure. Let's say this:

You are infected, I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.

1) Kapsersky says this is infected and it is probably a false positive.
H:\I386\Apps\APP08603\src\HPSummer2005.exe <<< scan that file here: http://virusscan.jotti.org/
HP has a bad habit of loading adware on you to make a few bucks off the adware company and you suffer the junk. Remember that the next time you shop for a new computer.

2) http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions.

Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

Post only the C:\rapport.txt

That is only a start...Thanks

rawfulmayo
2008-05-31, 00:18
Thanks for your help pskelly.
I followed your instructions, but received the following message when I attempted to scan H:\I386\Apps\APP08603\src\HPSummer2005.exe
"The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file."

Here is the requested report:
SmitFraudFix v2.323

Scan done at 15:11:54.20, Fri 05/30/2008
Run from C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
F:\itunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\D-Link\D-Link Wireless N USB Adapter DWA-130\wirelesscm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\HP_Administrator


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\HP_Administrator\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\HP_ADM~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\tmp???????.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

[!] Suspicious: AvpCD.dll
SSODL: AvpCD - {4836c14e-a639-462a-bd57-8e9bff70c3ee}


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: D-Link Wireless N USB Adapter DWA-130 #2 - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{93074256-70B7-45ED-BAEC-B73CB301C053}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{93074256-70B7-45ED-BAEC-B73CB301C053}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{93074256-70B7-45ED-BAEC-B73CB301C053}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

pskelley
2008-05-31, 00:23
Thanks for returning your information, Smitfraudfix found the infection and it also found this:
»»»»»»»»»»»»»»»»»»»»»»»» hosts
hosts file corrupted !
After we clean, in the next C:\rapport.txt, there may be a very large hosts file (items starting with 127.0.0.1) and I do not need to see it. Edit (remove) it from the C:\rapport.txt before you post it.

Clean:
Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
Double-click SmitfraudFix.exe
Select 2 and hit Enter to delete infect files.
You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

Optional:
To restore Trusted and Restricted site zone, select 3 and hit Enter.
You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

Post the C:\rapport.txt and a new HJT log.

Thanks

rawfulmayo
2008-05-31, 06:48
Alright, so far so good. Here is the smitfraud rapport (sans hosts file) and the new HJT log.
SmitFraudFix v2.323

Scan done at 21:32:27.79, Fri 05/30/2008
Run from C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process






»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
C:\WINDOWS\Resources\AvpCD.dll deleted


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\Program Files\tmp???????.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{93074256-70B7-45ED-BAEC-B73CB301C053}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{93074256-70B7-45ED-BAEC-B73CB301C053}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{93074256-70B7-45ED-BAEC-B73CB301C053}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:41:58, on 5/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
F:\itunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\D-Link\D-Link Wireless N USB Adapter DWA-130\wirelesscm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: pvnsmfor - {CB07D6A9-7491-4A84-B8E8-E846CC689DDC} - C:\WINDOWS\pvnsmfor.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [advap32] C:\DOCUME~1\Patrick\LOCALS~1\Temp\stdcons.exe/r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [78a3da68] rundll32.exe "C:\WINDOWS\system32\weykiedd.dll",b
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA4727] command /c del "C:\WINDOWS\system32\opnlMFyA.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7268] cmd /c del "C:\WINDOWS\system32\opnlMFyA.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1928] command /c del "C:\WINDOWS\system32\tuvvTlkl.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3996] cmd /c del "C:\WINDOWS\system32\tuvvTlkl.dll_old"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O4 - Global Startup: Wireless Connection Manager.lnk = ?
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167194648000
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O21 - SSODL: mpfanvqg - {4EED987D-D2DB-430F-8F3F-DBCE86E3BF1B} - (no file)
O21 - SSODL: vbksrofa - {6C361DDB-4828-4727-A583-5A48C146CDFB} - C:\WINDOWS\vbksrofa.dll (file missing)
O21 - SSODL: A?
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 10164 bytes

pskelley
2008-05-31, 14:23
Thanks for returning your information. Vundo is tough to remove at times so read and follow the directions carefully.

1) C:\Program Files\Java\jre1.5.0_10\ <<< out of date, see this link:
http://forums.spybot.info/showpost.php?p=12880&postcount=2

2) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

3) Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the combofix log and a new HJT log.

Tutorial if needed:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks

rawfulmayo
2008-06-01, 05:34
Hey pskelly, hope you're having a good weekend. Here are the combofix and HJT reports.

ComboFix 08-05-29.1 - HP_Administrator 2008-05-31 19:56:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.549 [GMT -6:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Patrick\Desktop\Privacy Protector.url
C:\Documents and Settings\Patrick\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\AyFMlnpo.ini
C:\WINDOWS\system32\AyFMlnpo.ini2
C:\WINDOWS\system32\ddeikyew.ini
C:\WINDOWS\system32\dfLUBJlm.ini
C:\WINDOWS\system32\dfLUBJlm.ini2
C:\WINDOWS\system32\FPVuCJjl.ini
C:\WINDOWS\system32\FPVuCJjl.ini2
C:\WINDOWS\system32\gyucdktt.ini
C:\WINDOWS\system32\kSBIkUvw.ini
C:\WINDOWS\system32\kSBIkUvw.ini2
C:\WINDOWS\system32\lklTvvut.ini
C:\WINDOWS\system32\lklTvvut.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mpdolorl.ini
C:\WINDOWS\system32\nnnoLEVN.dll
C:\WINDOWS\system32\nphfnxjb.ini
C:\WINDOWS\system32\otcxpbbi.ini
C:\WINDOWS\system32\rachkfdw.ini
C:\WINDOWS\system32\sCKQqBeg.ini
C:\WINDOWS\system32\sCKQqBeg.ini2
C:\WINDOWS\system32\suCKmUtv.ini
C:\WINDOWS\system32\suCKmUtv.ini2
C:\WINDOWS\system32\Suwaayxx.ini
C:\WINDOWS\system32\Suwaayxx.ini2
C:\WINDOWS\system32\tuoirken.ini
D:\Autorun.inf
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-05-01 to 2008-06-01 )))))))))))))))))))))))))))))))
.

2008-05-31 19:57 . 2008-05-31 19:57 6,736 --a------ C:\WINDOWS\system32\drivers\PROCEXP90.SYS
2008-05-31 19:09 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-31 19:08 . 2008-05-31 19:08 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-30 21:38 . 2008-05-30 21:38 <DIR> d-------- C:\WINDOWS\resources
2008-05-30 21:20 . 2008-05-30 21:20 324,864 --a------ C:\WINDOWS\system32\wvUkIBSk.dll
2008-05-30 15:12 . 2008-05-30 21:33 4,420 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-30 15:07 . 2008-05-30 15:07 294 --ahs---- C:\WINDOWS\system32\fcmaqplu.ini
2008-05-29 22:22 . 2008-05-30 15:08 354 --ahs---- C:\WINDOWS\system32\pwkoripd.ini
2008-05-28 22:24 . 2008-05-28 22:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-26 22:35 . 2008-05-26 22:35 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-26 22:35 . 2008-05-26 22:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-21 17:13 . 2008-05-21 17:13 <DIR> d-------- C:\Documents and Settings\Patrick\Application Data\Symantec
2008-05-20 06:24 . 2008-05-20 06:24 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Symantec
2008-05-20 06:21 . 2008-05-20 06:21 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-05-20 06:17 . 2008-05-20 06:22 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-20 06:17 . 2008-05-20 06:22 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-20 06:16 . 2008-05-20 06:22 <DIR> d-------- C:\Program Files\Symantec
2008-05-20 04:49 . 2008-05-20 04:49 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-20 04:49 . 2008-05-20 04:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-20 02:43 . 2008-05-20 02:37 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-20 02:43 . 2008-05-20 02:43 2,559 --a------ C:\WINDOWS\unins000.dat
2008-05-19 22:23 . 2008-05-19 22:23 <DIR> d-------- C:\Documents and Settings\Patrick\Application Data\TmpRecentIcons

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-01 02:02 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-01 01:09 --------- d-----w C:\Program Files\Java
2008-05-30 08:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-27 03:51 3,645 ----a-w C:\WINDOWS\viassary-hp.reg
2008-05-20 12:22 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-20 12:22 10,563 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-20 12:22 --------- d-----w C:\Program Files\Norton Internet Security
2008-05-20 10:45 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-20 09:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-20 09:13 --------- d-----w C:\Program Files\IntelliMover Data Transfer Demo
2008-05-20 08:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-20 08:51 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Lavasoft
2008-05-04 22:40 724 ----a-w C:\Documents and Settings\Patrick\Application Data\wklnhst.dat
2008-05-02 22:14 --------- d-----w C:\Program Files\Apple Software Update
2008-04-28 06:08 --------- d-----w C:\Program Files\iPod
2008-04-28 06:07 --------- d-----w C:\Program Files\iTunes
2008-04-28 06:05 --------- d-----w C:\Program Files\QuickTime
2008-04-02 00:12 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2008-04-02 00:12 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLds.DAT
2008-04-02 00:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ultima_T15
2008-04-02 00:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\EnterNHelp
2008-04-02 00:10 --------- d-----w C:\Program Files\PictureProject In Touch Downloader
2008-04-02 00:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-02 00:08 --------- d-----w C:\Program Files\Nikon
2008-04-02 00:08 --------- d-----w C:\Program Files\Common Files\Nikon
2008-04-02 00:08 --------- d-----w C:\Program Files\Common Files\muvee Technologies
2008-04-02 00:08 --------- d-----w C:\Documents and Settings\Patrick\Application Data\Nikon
2008-04-02 00:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nikon
2008-04-02 00:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Light Machine
2007-01-15 20:01 0 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{132F969E-2442-47BE-8CC8-955483AF951B}]
C:\WINDOWS\fvowketqfgq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4118B7D7-9351-4D51-BD39-582F025C094A}]
C:\WINDOWS\system32\vtUmKCus.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BE72CD2-0B85-4FC1-85BE-01975EBF9029}]
C:\WINDOWS\system32\opnlMFyA.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2008-02-06 22:05 349552 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-05-20 06:20 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9239DD29-186B-4D8B-963D-6668E40ACC21}]
C:\WINDOWS\system32\mlJBULfd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9B6A424D-9171-4DC3-9D6A-275B0AED94C3}]
2008-05-30 21:20 324864 --a------ C:\WINDOWS\system32\wvUkIBSk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AC0B0DED-A63F-495C-953A-6DDE707CF100}]
C:\WINDOWS\system32\tuvvTlkl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DA075229-E9A0-41B6-91A7-74859875B91D}]
C:\WINDOWS\system32\xxyaawuS.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F8C970E8-354F-4B7B-99E3-2B621A64BE7E}]
C:\WINDOWS\system32\ljJCuVPF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CB07D6A9-7491-4A84-B8E8-E846CC689DDC}"= "C:\WINDOWS\pvnsmfor.dll" [ ]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll" [2008-02-06 22:05 349552]

[HKEY_CLASSES_ROOT\clsid\{cb07d6a9-7491-4a84-b8e8-e846cc689ddc}]
[HKEY_CLASSES_ROOT\pvnsmfor.1]
[HKEY_CLASSES_ROOT\TypeLib\{64C22436-EB2A-4B9A-8D15-CFFA493C3F33}]
[HKEY_CLASSES_ROOT\pvnsmfor]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll [2008-02-06 22:05 349552]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 17:04 52736]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 23:55 155648]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 19:53 49152]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 19:42 659456]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-10-27 23:01 180269]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 21:43 233472]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 21:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"SoundMan"="SOUNDMAN.EXE" [2004-07-29 01:40 77824 C:\WINDOWS\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 18:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-09 22:10 344064]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-29 02:34 2551808 C:\WINDOWS\ALCWZRD.EXE]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 22:54 253952]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11 49152]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 17:44 61440]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-01-20 17:46 28160 C:\WINDOWS\KHALMNPR.Exe]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2007-03-14 16:42 321088]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="F:\itunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-25 19:47 51048]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [ ]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2008-02-07 00:49 718704]
"78a3da68"="C:\WINDOWS\system32\weykiedd.dll" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-03-24 18:39:19 532480]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2008-04-01 18:08:27 118784]
Updates from HP.lnk - C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe [2004-10-28 13:58:14 45056]
Wireless Connection Manager.lnk - C:\Program Files\D-Link\D-Link Wireless N USB Adapter DWA-130\wirelesscm.exe [2008-01-30 21:30:11 14020608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"vbksrofa"= {6C361DDB-4828-4727-A583-5A48C146CDFB} - C:\WINDOWS\vbksrofa.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"F:\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-05-20 12:25:37 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - HP_Administrator.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-31 20:06:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-05-31 20:09:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-01 02:09:34

Pre-Run: 123,129,778,176 bytes free
Post-Run: 123,697,410,048 bytes free

224 --- E O F --- 2008-05-20 11:36:16

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:32:29, on 5/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
F:\itunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\D-Link\D-Link Wireless N USB Adapter DWA-130\wirelesscm.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: QXK Rhythm - {132F969E-2442-47BE-8CC8-955483AF951B} - C:\WINDOWS\fvowketqfgq.dll (file missing)
O2 - BHO: (no name) - {4118B7D7-9351-4D51-BD39-582F025C094A} - C:\WINDOWS\system32\vtUmKCus.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5BE72CD2-0B85-4FC1-85BE-01975EBF9029} - C:\WINDOWS\system32\opnlMFyA.dll (file missing)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {9239DD29-186B-4D8B-963D-6668E40ACC21} - C:\WINDOWS\system32\mlJBULfd.dll (file missing)
O2 - BHO: (no name) - {9B6A424D-9171-4DC3-9D6A-275B0AED94C3} - C:\WINDOWS\system32\wvUkIBSk.dll
O2 - BHO: (no name) - {AC0B0DED-A63F-495C-953A-6DDE707CF100} - C:\WINDOWS\system32\tuvvTlkl.dll (file missing)
O2 - BHO: (no name) - {DA075229-E9A0-41B6-91A7-74859875B91D} - C:\WINDOWS\system32\xxyaawuS.dll (file missing)
O2 - BHO: (no name) - {F8C970E8-354F-4B7B-99E3-2B621A64BE7E} - C:\WINDOWS\system32\ljJCuVPF.dll (file missing)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: pvnsmfor - {CB07D6A9-7491-4A84-B8E8-E846CC689DDC} - C:\WINDOWS\pvnsmfor.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [78a3da68] rundll32.exe "C:\WINDOWS\system32\weykiedd.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O4 - Global Startup: Wireless Connection Manager.lnk = ?
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167194648000
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O21 - SSODL: mpfanvqg - {4EED987D-D2DB-430F-8F3F-DBCE86E3BF1B} - (no file)
O21 - SSODL: vbksrofa - {6C361DDB-4828-4727-A583-5A48C146CDFB} - C:\WINDOWS\vbksrofa.dll (file missing)
O21 - SSODL: A?
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 11493 bytes

pskelley
2008-06-01, 14:27
Thanks for returning your information and the feedback. Read and follow the directions carefully. I wish to make you aware that everytime there is an issue with CFSript, it is because the user rushed and did not follow the directions exactly.

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

3) Open notepad and copy/paste the text in the codebox below into it:


File::
C:\WINDOWS\system32\wvUkIBSk.dll
C:\WINDOWS\system32\weykiedd.dll
C:\WINDOWS\system32\fcmaqplu.ini
C:\WINDOWS\system32\pwkoripd.ini

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{132F969E-2442-47BE-8CC8-955483AF951B}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4118B7D7-9351-4D51-BD39-582F025C094A}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BE72CD2-0B85-4FC1-85BE-01975EBF9029}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9239DD29-186B-4D8B-963D-6668E40ACC21}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9B6A424D-9171-4DC3-9D6A-275B0AED94C3}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AC0B0DED-A63F-495C-953A-6DDE707CF100}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DA075229-E9A0-41B6-91A7-74859875B91D}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F8C970E8-354F-4B7B-99E3-2B621A64BE7E}]

Save this as CFScript

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(some items may be gone after running CFScript, don't be concerned)

O2 - BHO: QXK Rhythm - {132F969E-2442-47BE-8CC8-955483AF951B} - C:\WINDOWS\fvowketqfgq.dll (file missing)
O2 - BHO: (no name) - {4118B7D7-9351-4D51-BD39-582F025C094A} - C:\WINDOWS\system32\vtUmKCus.dll (file missing)
O2 - BHO: (no name) - {5BE72CD2-0B85-4FC1-85BE-01975EBF9029} - C:\WINDOWS\system32\opnlMFyA.dll (file missing)
O2 - BHO: (no name) - {9239DD29-186B-4D8B-963D-6668E40ACC21} - C:\WINDOWS\system32\mlJBULfd.dll (file missing)
O2 - BHO: (no name) - {9B6A424D-9171-4DC3-9D6A-275B0AED94C3} - C:\WINDOWS\system32\wvUkIBSk.dll
O2 - BHO: (no name) - {AC0B0DED-A63F-495C-953A-6DDE707CF100} - C:\WINDOWS\system32\tuvvTlkl.dll (file missing)
O2 - BHO: (no name) - {DA075229-E9A0-41B6-91A7-74859875B91D} - C:\WINDOWS\system32\xxyaawuS.dll (file missing)
O2 - BHO: (no name) - {F8C970E8-354F-4B7B-99E3-2B621A64BE7E} - C:\WINDOWS\system32\ljJCuVPF.dll (file missing)
O3 - Toolbar: pvnsmfor - {CB07D6A9-7491-4A84-B8E8-E846CC689DDC} - C:\WINDOWS\pvnsmfor.dll (file missing)
O4 - HKLM\..\Run: [78a3da68] rundll32.exe "C:\WINDOWS\system32\weykiedd.dll",b
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O21 - SSODL: mpfanvqg - {4EED987D-D2DB-430F-8F3F-DBCE86E3BF1B} - (no file)
O21 - SSODL: vbksrofa - {6C361DDB-4828-4727-A583-5A48C146CDFB} - C:\WINDOWS\vbksrofa.dll (file missing) G
O21 - SSODL: A?

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post the combofix log, a new HJT log and tell me how the computer is running.

Thanks...Phil

rawfulmayo
2008-06-02, 06:01
Hi again. Apologies, but I can't seem to find the combofix log. I followed all directions up to the final reboot, but I don't know where the log saved to. Is there a default spot, or did I screw up by not saving to the desktop?

Also, after the initial reboot, combofix started back up with Windows like normal, but then I received a "Data Execution Prevention" message from windows. The only other info it provided was Name: Windows Explorer and Publisher: Microsoft.

Finally, while using ATF Cleaner, I received the following messages:
"HJT Error Modbackup_makebackup(sitem=021-ssodl:A?) Error # 5-Invalid Procedure call or argument."
I'm really not sure what those mean, or even if they matter. Should I start over from step one of your previous post?
Thanks,
Patrick

rawfulmayo
2008-06-02, 06:07
My mistake. I just found the combofix log. There is also a combofix-quarantine log if you need it. I'll post both to be safe.

2002-10-17 09:56 36 --a------ C:\Qoobox\Quarantine\F\autorun.inf.vir
2004-04-30 22:01 53 --a------ C:\Qoobox\Quarantine\D\Autorun.inf.vir
2006-12-30 12:03 696 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Patrick\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML.vir
2008-05-18 20:02 28800 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\nnnoLEVN.dll.vir
2008-05-19 22:23 1325523 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tuoirken.ini.vir
2008-05-19 22:23 286 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Patrick\Desktop\Privacy Protector.url.vir
2008-05-19 22:30 1352841 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\otcxpbbi.ini.vir
2008-05-20 03:45 907237 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\FPVuCJjl.ini2.vir
2008-05-20 03:46 907237 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\FPVuCJjl.ini.vir
2008-05-20 04:43 2838681 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\gyucdktt.ini.vir
2008-05-20 04:44 321 --a------ C:\Qoobox\Quarantine\C\WINDOWS\cookies.ini.vir
2008-05-20 05:15 899350 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\dfLUBJlm.ini2.vir
2008-05-20 05:17 899350 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\dfLUBJlm.ini.vir
2008-05-22 20:21 1544140 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\nphfnxjb.ini.vir
2008-05-22 21:29 0 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\mcrh.tmp.vir
2008-05-26 19:48 2436758 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\mpdolorl.ini.vir
2008-05-26 19:52 344 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\sCKQqBeg.ini2.vir
2008-05-26 19:54 615350 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\sCKQqBeg.ini.vir
2008-05-26 21:09 700337 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\suCKmUtv.ini2.vir
2008-05-26 21:10 698340 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\suCKmUtv.ini.vir
2008-05-26 21:51 3220660 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\rachkfdw.ini.vir
2008-05-27 22:12 774 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\Suwaayxx.ini2.vir
2008-05-27 22:15 952 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\Suwaayxx.ini.vir
2008-05-29 02:38 1221955 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ddeikyew.ini.vir
2008-05-30 14:13 574204 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\AyFMlnpo.ini2.vir
2008-05-30 14:15 574204 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\AyFMlnpo.ini.vir
2008-05-30 15:07 294 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\fcmaqplu.ini.vir
2008-05-30 15:08 354 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\pwkoripd.ini.vir
2008-05-30 19:27 578597 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\lklTvvut.ini.vir
2008-05-30 19:27 578597 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\lklTvvut.ini2.vir
2008-05-30 21:20 324864 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\wvUkIBSk.dll.vir
2008-05-31 22:49 1209432 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\yhcsetlx.ini.vir
2008-05-31 22:49 95232 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\xlteschy.dll.vir
2008-06-01 20:31 578883 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\kSBIkUvw.ini.vir
2008-06-01 20:31 578883 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\kSBIkUvw.ini2.vir
2008-06-01 20:33 108 --a------ C:\Qoobox\Quarantine\catchme.log

ComboFix 08-05-29.1 - HP_Administrator 2008-06-01 20:31:40.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.493 [GMT -6:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\fcmaqplu.ini
C:\WINDOWS\system32\pwkoripd.ini
C:\WINDOWS\system32\weykiedd.dll
C:\WINDOWS\system32\wvUkIBSk.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\fcmaqplu.ini
C:\WINDOWS\system32\kSBIkUvw.ini
C:\WINDOWS\system32\kSBIkUvw.ini2
C:\WINDOWS\system32\pwkoripd.ini
C:\WINDOWS\system32\wvUkIBSk.dll
C:\WINDOWS\system32\xlteschy.dll
C:\WINDOWS\system32\yhcsetlx.ini

.
((((((((((((((((((((((((( Files Created from 2008-05-02 to 2008-06-02 )))))))))))))))))))))))))))))))
.

2008-05-31 19:09 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-31 19:08 . 2008-05-31 19:08 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-30 21:38 . 2008-05-30 21:38 <DIR> d-------- C:\WINDOWS\resources
2008-05-30 15:12 . 2008-05-30 21:33 4,420 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-28 22:24 . 2008-05-28 22:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-26 22:35 . 2008-05-26 22:35 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-26 22:35 . 2008-05-26 22:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-21 17:13 . 2008-05-21 17:13 <DIR> d-------- C:\Documents and Settings\Patrick\Application Data\Symantec
2008-05-20 06:24 . 2008-05-20 06:24 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Symantec
2008-05-20 06:21 . 2008-05-20 06:21 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-05-20 06:17 . 2008-05-20 06:22 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-20 06:17 . 2008-05-20 06:22 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-20 06:16 . 2008-05-20 06:22 <DIR> d-------- C:\Program Files\Symantec
2008-05-20 04:49 . 2008-05-20 04:49 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-20 04:49 . 2008-05-20 04:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-20 02:43 . 2008-05-20 02:37 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-20 02:43 . 2008-05-20 02:43 2,559 --a------ C:\WINDOWS\unins000.dat
2008-05-19 22:23 . 2008-05-19 22:23 <DIR> d-------- C:\Documents and Settings\Patrick\Application Data\TmpRecentIcons

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-01 03:11 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-01 01:09 --------- d-----w C:\Program Files\Java
2008-05-30 08:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-27 03:51 3,645 ----a-w C:\WINDOWS\viassary-hp.reg
2008-05-20 12:22 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-20 12:22 10,563 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-20 12:22 --------- d-----w C:\Program Files\Norton Internet Security
2008-05-20 10:45 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-20 09:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-20 09:13 --------- d-----w C:\Program Files\IntelliMover Data Transfer Demo
2008-05-20 08:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-20 08:51 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Lavasoft
2008-05-04 22:40 724 ----a-w C:\Documents and Settings\Patrick\Application Data\wklnhst.dat
2008-05-02 22:14 --------- d-----w C:\Program Files\Apple Software Update
2008-04-28 06:08 --------- d-----w C:\Program Files\iPod
2008-04-28 06:07 --------- d-----w C:\Program Files\iTunes
2008-04-28 06:05 --------- d-----w C:\Program Files\QuickTime
2008-04-02 00:12 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2008-04-02 00:12 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLds.DAT
2008-04-02 00:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ultima_T15
2008-04-02 00:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\EnterNHelp
2008-04-02 00:10 --------- d-----w C:\Program Files\PictureProject In Touch Downloader
2008-04-02 00:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-02 00:08 --------- d-----w C:\Program Files\Nikon
2008-04-02 00:08 --------- d-----w C:\Program Files\Common Files\Nikon
2008-04-02 00:08 --------- d-----w C:\Program Files\Common Files\muvee Technologies
2008-04-02 00:08 --------- d-----w C:\Documents and Settings\Patrick\Application Data\Nikon
2008-04-02 00:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nikon
2008-04-02 00:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Light Machine
2007-01-15 20:01 0 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((( snapshot@2008-05-31_20.09.13.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-01 02:05:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-02 02:35:44 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-14 22:22:23 12,288 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-06-01 02:11:49 12,288 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-04-14 22:22:22 135,168 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-06-01 02:11:49 135,168 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-04-14 22:22:23 11,264 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-06-01 02:11:49 11,264 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2008-04-14 22:22:23 27,136 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-06-01 02:11:49 27,136 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-04-14 22:22:23 4,096 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-06-01 02:11:49 4,096 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2008-04-14 22:22:23 794,624 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-06-01 02:11:49 794,624 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2008-04-14 22:22:22 249,856 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2008-06-01 02:11:49 249,856 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-04-14 22:22:23 23,040 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2008-06-01 02:11:49 23,040 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-04-14 22:22:22 286,720 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-06-01 02:11:48 286,720 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-04-14 22:22:22 409,600 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-06-01 02:11:48 409,600 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-06-01 02:13:02 2,800 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{90AA69C1-797D-4C94-9458-5FBD549004A3}.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2008-02-06 22:05 349552 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-05-20 06:20 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CB07D6A9-7491-4A84-B8E8-E846CC689DDC}"= "C:\WINDOWS\pvnsmfor.dll" [ ]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll" [2008-02-06 22:05 349552]

[HKEY_CLASSES_ROOT\clsid\{cb07d6a9-7491-4a84-b8e8-e846cc689ddc}]
[HKEY_CLASSES_ROOT\pvnsmfor.1]
[HKEY_CLASSES_ROOT\TypeLib\{64C22436-EB2A-4B9A-8D15-CFFA493C3F33}]
[HKEY_CLASSES_ROOT\pvnsmfor]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll [2008-02-06 22:05 349552]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 17:04 52736]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 23:55 155648]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 19:53 49152]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 19:42 659456]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-10-27 23:01 180269]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 21:43 233472]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 21:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"SoundMan"="SOUNDMAN.EXE" [2004-07-29 01:40 77824 C:\WINDOWS\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 18:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-09 22:10 344064]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-29 02:34 2551808 C:\WINDOWS\ALCWZRD.EXE]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 22:54 253952]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11 49152]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 17:44 61440]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-01-20 17:46 28160 C:\WINDOWS\KHALMNPR.Exe]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2007-03-14 16:42 321088]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="F:\itunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-25 19:47 51048]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [ ]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2008-02-07 00:49 718704]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-03-24 18:39:19 532480]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2008-04-01 18:08:27 118784]
Updates from HP.lnk - C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe [2004-10-28 13:58:14 45056]
Wireless Connection Manager.lnk - C:\Program Files\D-Link\D-Link Wireless N USB Adapter DWA-130\wirelesscm.exe [2008-01-30 21:30:11 14020608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"vbksrofa"= {6C361DDB-4828-4727-A583-5A48C146CDFB} - C:\WINDOWS\vbksrofa.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"F:\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-05-20 12:25:37 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - HP_Administrator.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-01 20:36:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-06-01 20:39:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-02 02:39:30
ComboFix2.txt 2008-06-01 02:09:43

Pre-Run: 124,110,651,392 bytes free
Post-Run: 124,163,231,744 bytes free

213 --- E O F --- 2008-06-01 02:11:52

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:07:33, on 6/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
F:\itunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\D-Link\D-Link Wireless N USB Adapter DWA-130\wirelesscm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O4 - Global Startup: Wireless Connection Manager.lnk = ?
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167194648000
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab
O21 - SSODL: A?
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 10107 bytes

pskelley
2008-06-02, 14:03
Thanks for posting your information. The C:\Qoobox\Quarantine\ is where combofix put the stuff it removes in the event an error is made and something needs restored. Those files are also available in case sUBs needs any of them. We will delete that from your computer when we are done with it.

Your HJT log looks good, this one is optional: O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
http://www.castlecops.com/startuplist-180.html

Remove Smitfraudfix, combofix and the C:\Qoobox\Quarantine\ and run a new Kaspersky Online Scan using these setting:


* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here. Let me know how the computer is running also.

Thanks...Phil

rawfulmayo
2008-06-03, 05:32
Hey Phil, sorry for the slow reply. My computer seems to be running fine, and I'm not being bombarded by ads. However, Kaspersky found some Trojans.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, June 02, 2008 20:31:03
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 2/06/2008
Kaspersky Anti-Virus database records: 732764
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 81459
Number of viruses found: 8
Number of infected objects: 9
Number of suspicious objects: 0
Duration of the scan process: 01:26:16

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Pure Networks\Log\logfile.nmapp_exe.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Pure Networks\Log\logfile.nmctxth_exe.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Pure Networks\Log\logfile.nmsrvc_exe.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\ccSubSDK\submissions.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\volatile.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{8B38916A-81C4-425C-B202-BFF59CE55425}.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{92D6BB68-7BE1-42BB-B70D-8E08D6238AB1}.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{A252FF0A-1941-4878-AE1C-11957835CC60}.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{A750DA06-2C2E-4EE2-8511-6B3B3B3ACC7D}.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-06-02_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Shared\QBackup\index.qbs Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\Shl_{4C9C46BE-8DF5-4A2A-B53B-F1518673B3CA}.ldb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\Shl_{4C9C46BE-8DF5-4A2A-B53B-F1518673B3CA}.sds Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\3FB98CA0.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\79AA0270.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\HP_Administrator\Application Data\Symantec\NPMDataStore\CIMStore.xml Object is locked skipped
C:\Documents and Settings\HP_Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\History\History.IE5\MSHist012008060220080603\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\~DF964A.tmp Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\~DF966D.tmp Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\HP_Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\chandir.dat Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\chandir.idx Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\chn.dat Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\chn.idx Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\D0000000.FCS Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\inuse.txt Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\L0000008.FCS Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\main.log Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs.dat Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs.idx Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_die.dat Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_die.idx Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_ext.dat Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_ext.idx Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\storydb.dat Object is locked skipped
C:\Program Files\Updates from HP\309731\Users\Default\Data\storydb.idx Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP280\A0059473.dll Infected: Trojan.Win32.Vapsup.fje skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP282\A0060684.DLL Infected: Trojan.Win32.Vapsup.fje skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP282\A0060806.dll Infected: Trojan.Win32.Vapsup.fhj skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP282\A0060809.dll Infected: Trojan.Win32.Vapsup.fjd skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP282\A0060817.exe Infected: Trojan.Win32.Vapsup.fjc skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP282\A0060822.exe Infected: Trojan.Win32.Agent.mtm skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP283\A0063287.dll Infected: Trojan.Win32.Vapsup.fjb skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP285\A0064641.dll Infected: Trojan.Win32.Agent.qpa skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP288\A0064951.dll Infected: Trojan.Win32.Inject.ccj skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP294\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{E25BE9C2-1B95-4463-BE8C-DE3AD59BB44F}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\JETA49C.tmp Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP294\change.log Object is locked skipped
F:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP294\change.log Object is locked skipped

Scan process completed.

pskelley
2008-06-03, 14:09
Thanks for returning your scan results, all nine items are infected System Restore files. Clean those like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

No need to post a clean scan results.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

rawfulmayo
2008-06-03, 23:13
Woo! I'm clean! Thank you so much Phil, I literally could NOT have done this without your help. I'll follow your links and hopefully will be better about keeping my computer clean in the future. Thanks again, and keep up the good work!
Patrick