
Vundo thingy

sufferinginsilence
2008-06-19, 01:55
I think I may have the Vundo thingy... please help!



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:47:58, on 19/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\Program Files\NETGEAR\WG111T\wlan111t.exe
C:\Documents and Settings\Brian\Desktop\HiJackThis.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\BRIAN\Application Data\Mozilla\Profiles\default\phapy5tm.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://F%3A%5CProgram%20Files%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\BRIAN\Application Data\Mozilla\Profiles\default\phapy5tm.slt\prefs.js)
O2 - BHO: (no name) - {514A5C49-0C7D-42c3-A71B-38864A269B7A} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B6E95516-27C0-443D-9BA9-ABD8C12BAE16} - C:\WINDOWS\system32\ssqPhICt.dll
O2 - BHO: (no name) - {DA6FB8F8-CC41-46A2-9999-21227436C7DC} - (no file)
O2 - BHO: (no name) - {e1fb57a7-7cdd-4940-82d5-71267aeea413} - (no file)
O2 - BHO: {28fccc4e-3865-c99a-f0e4-f505fd38769f} - {f96783df-505f-4e0f-a99c-5683e4cccf82} - C:\WINDOWS\system32\htmviwyx.dll
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [706ed1cc] rundll32.exe "C:\WINDOWS\system32\amnrfcly.dll",b
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Policies\Explorer\Run: [WinUpdating] WinUpdating.exe
O4 - HKCU\..\Policies\Explorer\Run: [Windows Printing Driver] WinSpooler.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O8 - Extra context menu item: &Clean Traces - F:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - F:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - F:\Tools\images\FLASHS~2\FLASHS~1\save.htm
O8 - Extra context menu item: Download &all with DAP - F:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - F:\Tools\images\FLASHS~2\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - F:\Tools\images\FLASHS~2\FLASHS~1\save.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujitsu-siemens.de/DeskUpdate/isapi/activex.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ssqPhICt - C:\WINDOWS\SYSTEM32\ssqPhICt.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 8825 bytes

pskelley
2008-06-19, 19:35
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information:
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You are infected. I suggest you keep this computer offline except when troubleshooting; the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully; the tools will not work unless you do.
This can be a tough infection to remove, so do not expect it to be fast or easy.

Remove any old copies of ComboFix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click ComboFix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Post the combofix log and a new HJT log.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks

sufferinginsilence
2008-06-20, 00:10
ComboFix 08-06-19.1 - Brian 2008-06-19 22:40:00.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.590 [GMT 1:00]
Running from: C:\Documents and Settings\Brian\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Application Data\wsnpoem
C:\Documents and Settings\LocalService\Application Data\wsnpoem\audio.dll
C:\Documents and Settings\NetworkService\Application Data\wsnpoem
C:\Documents and Settings\NetworkService\Application Data\wsnpoem\audio.dll
C:\WINDOWS\BM735de250.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\acvxgdic.dll
C:\WINDOWS\system32\axfofkkn.dll
C:\WINDOWS\system32\bfgmtolh.dll
C:\WINDOWS\system32\eovjhrrg.ini
C:\WINDOWS\system32\erduhccb.ini
C:\WINDOWS\system32\guxydggw.ini
C:\WINDOWS\system32\hegcjebr.dll
C:\WINDOWS\system32\hesiujpp.ini
C:\WINDOWS\system32\hhPrCcfe.ini
C:\WINDOWS\system32\hhPrCcfe.ini2
C:\WINDOWS\system32\htmviwyx.dll
C:\WINDOWS\system32\huuloqqh.ini
C:\WINDOWS\system32\hwmqvsdk.ini
C:\WINDOWS\system32\jPWwDcdd.ini
C:\WINDOWS\system32\jPWwDcdd.ini2
C:\WINDOWS\system32\jtekuyhm.dll
C:\WINDOWS\system32\kdpdpbpn.dll
C:\WINDOWS\system32\khfGvUoL.dll
C:\WINDOWS\system32\LoUvGfhk.ini
C:\WINDOWS\system32\LoUvGfhk.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mSBLVvut.ini
C:\WINDOWS\system32\mSBLVvut.ini2
C:\WINDOWS\system32\nokyrlvv.dll
C:\WINDOWS\system32\opnmLDwv.dll
C:\WINDOWS\system32\pegjqvfr.dll
C:\WINDOWS\system32\poVuwGgh.ini
C:\WINDOWS\system32\poVuwGgh.ini2
C:\WINDOWS\system32\PssYbccf.ini
C:\WINDOWS\system32\PssYbccf.ini2
C:\WINDOWS\system32\ptrprxmt.ini
C:\WINDOWS\system32\qjofgreq.dll
C:\WINDOWS\system32\qwaiecjc.dll
C:\WINDOWS\system32\rqggytfg.dll
C:\WINDOWS\system32\sbmpgtpv.ini
C:\WINDOWS\system32\server.exe
C:\WINDOWS\system32\ssqPhICt.dll
C:\WINDOWS\system32\udfcwdfd.ini
C:\WINDOWS\system32\ukgffsbm.ini
C:\WINDOWS\system32\upcebphc.ini
C:\WINDOWS\system32\vntlngux.ini
C:\WINDOWS\system32\vnwprlso.ini
C:\WINDOWS\system32\vtUnoNGv.dll
C:\WINDOWS\system32\vvlrykon.ini
C:\WINDOWS\system32\wkemfjws.dll
C:\WINDOWS\system32\wvkpbhjl.ini
C:\WINDOWS\system32\xkisfpcr.dll
C:\WINDOWS\system32\xkoingtx.ini
C:\WINDOWS\system32\yayvTmmn.dll
C:\WINDOWS\system32\ylcfrnma.ini

.
((((((((((((((((((((((((( Files Created from 2008-05-19 to 2008-06-19 )))))))))))))))))))))))))))))))
.

2008-06-19 01:50 . 2008-06-19 01:50 91,711 --a------ C:\WINDOWS\system32\dcuyrutq.dll
2008-06-18 08:35 . 2008-06-18 08:35 <DIR> d-------- C:\VundoFix Backups
2008-06-17 09:25 . 2008-06-17 09:25 91,711 --a------ C:\WINDOWS\system32\ffjbbyqd.dll
2008-06-17 09:22 . 2008-06-17 09:22 88,776 --a------ C:\WINDOWS\system32\vryvhgfp.dll
2008-06-16 09:21 . 2008-06-16 09:21 91,711 --a------ C:\WINDOWS\system32\lyljftgi.dll
2008-06-15 08:29 . 2008-06-15 08:29 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-06-15 08:29 . 2008-06-15 08:39 <DIR> d-------- C:\Program Files\Norton AntiVirus
2008-06-15 08:27 . 2008-06-15 10:11 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-15 08:27 . 2008-06-15 10:11 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-15 08:27 . 2008-06-15 10:11 10,671 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-15 08:27 . 2008-06-15 10:11 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-14 23:16 . 2008-06-14 23:16 <DIR> d-------- C:\Documents and Settings\Brian\Application Data\NCH Swift Sound
2008-06-13 08:59 . 2008-06-13 09:00 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-06-13 08:59 . 2004-08-04 08:56 214,528 --a--c--- C:\WINDOWS\system32\dllcache\icwconn1.exe
2008-06-13 08:54 . 2004-08-04 08:56 1,032,192 --a--c--- C:\WINDOWS\system32\dllcache\conf.exe
2008-06-13 08:53 . 2008-06-15 08:06 <DIR> d-------- C:\Program Files\Norton
2008-06-13 08:43 . 2008-06-13 08:43 <DIR> d-------- C:\Program Files\RedLine
2008-06-13 08:43 . 2008-06-13 08:44 <DIR> d-------- C:\Program Files\Realtek AC97
2008-06-13 08:42 . 2008-06-13 08:42 <DIR> d-------- C:\Program Files\MSN Apps
2008-06-13 08:40 . 2008-06-13 08:40 <DIR> d-------- C:\Program Files\Security Task Manager
2008-06-13 08:40 . 2008-06-13 08:40 <DIR> d-------- C:\Program Files\Samsung
2008-06-13 08:37 . 2008-06-13 08:37 <DIR> d-------- C:\Program Files\Viewpoint
2008-06-13 08:37 . 2008-06-13 08:37 <DIR> d-------- C:\Program Files\VIA
2008-06-13 08:37 . 2008-06-13 08:37 <DIR> d-------- C:\Program Files\Ulead Systems
2008-06-13 08:36 . 2008-06-13 08:36 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-06-13 08:36 . 2008-06-13 08:36 <DIR> d-------- C:\Program Files\WildTangent
2008-06-13 08:30 . 2008-06-13 08:30 <DIR> d-------- C:\Program Files\Google
2008-06-13 08:30 . 2008-06-13 08:30 <DIR> d-------- C:\Program Files\GameSpy Arcade
2008-06-13 08:30 . 2008-06-13 08:30 <DIR> d-------- C:\Program Files\CyberLink
2008-06-13 08:28 . 2004-08-04 08:56 539,136 --a--c--- C:\WINDOWS\system32\dllcache\dialer.exe
2008-06-13 08:28 . 2004-08-04 08:56 281,088 --a--c--- C:\WINDOWS\system32\dllcache\pinball.exe
2008-06-13 08:21 . 2008-06-13 08:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-13 08:21 . 2008-06-13 08:21 <DIR> d-------- C:\Program Files\Common Files\Ulead Systems
2008-06-13 08:20 . 2008-06-13 08:20 <DIR> d-------- C:\Program Files\BBC Multimedia
2008-06-13 08:18 . 2008-06-13 08:19 <DIR> d-------- C:\Program Files\Ahead
2008-06-13 08:18 . 2008-06-13 08:18 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-06-13 08:17 . 2008-06-19 01:31 <DIR> d-------- C:\Program Files\Bid-O-Matic
2008-06-13 08:16 . 2008-06-14 23:17 <DIR> d-------- C:\Program Files\NCH Swift Sound
2008-06-13 08:16 . 2008-06-13 08:16 <DIR> d-------- C:\Program Files\NCH Software
2008-06-12 19:42 . 2008-06-12 19:42 <DIR> d-------- C:\WINDOWS\Recent
2008-06-07 22:37 . 2008-06-07 22:37 <DIR> d-------- C:\TEMP\UBCD4Win User Settings
2008-06-07 22:37 . 2008-06-07 22:37 <DIR> d-------- C:\TEMP\PrintSpool
2008-06-07 22:37 . 2008-06-07 22:37 <DIR> d-------- C:\TEMP\AV7PE
2008-06-07 22:37 . 2008-06-07 22:37 <DIR> d-------- C:\TEMP
2008-06-07 22:37 . 2007-01-02 19:58 172,032 --a------ C:\TEMP\GBCHECK.EXE
2008-06-07 22:37 . 2006-10-28 14:37 1,423 --a------ C:\TEMP\NEW_AV7PE.cmd
2008-06-07 22:37 . 2007-04-12 10:57 95 --a------ C:\TEMP\acl.bat
2008-06-07 12:56 . 2004-08-04 08:56 4,256,768 --a--c--- C:\WINDOWS\system32\dllcache\wmm2res.dll
2008-06-07 12:56 . 2004-08-04 08:56 502,272 --a--c--- C:\WINDOWS\system32\dllcache\wmm2fxa.dll
2008-06-07 12:56 . 2004-08-04 08:56 402,432 --a--c--- C:\WINDOWS\system32\dllcache\wmm2filt.dll
2008-06-07 12:56 . 2004-08-04 08:56 325,632 --a--c--- C:\WINDOWS\system32\dllcache\wmm2fxb.dll
2008-06-07 12:56 . 2004-08-04 08:56 167,936 --a--c--- C:\WINDOWS\system32\dllcache\wmm2ae.dll
2008-06-07 12:56 . 2004-08-04 08:56 7,680 --a--c--- C:\WINDOWS\system32\dllcache\wmm2ext.dll
2008-06-07 12:56 . 2004-08-04 08:56 5,632 --a--c--- C:\WINDOWS\system32\dllcache\wmm2res2.dll
2008-06-07 12:56 . 2004-08-04 08:56 4,096 --a--c--- C:\WINDOWS\system32\dllcache\wmm2eres.dll
2008-06-03 07:27 . 2008-06-14 17:19 2,120 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-29 22:16 . 2008-05-31 00:23 67 --a------ C:\WINDOWS\A1 DVD Audio Ripper.INI
2008-05-29 20:25 . 2008-05-29 22:24 354 --ahs---- C:\WINDOWS\system32\hspkueoq.ini
2008-05-29 19:42 . 2008-05-29 20:00 37,888 --a------ C:\WINDOWS\system32\rar.exe
2008-05-29 19:31 . 1999-09-10 12:06 5,600 --a------ C:\WINDOWS\system\WINASPI.DLL
2008-05-29 19:31 . 1999-09-10 12:06 4,672 --a------ C:\WINDOWS\system\WOWPOST.EXE
2008-05-29 18:59 . 2007-02-06 15:21 389,120 --a------ C:\WINDOWS\system32\actskn43.ocx
2008-05-29 18:59 . 1999-09-10 12:06 45,056 --a------ C:\WINDOWS\system32\wnaspi32.dll
2008-05-29 18:59 . 1999-09-10 12:06 25,244 --a------ C:\WINDOWS\system32\drivers\aspi32.sys
2008-05-29 18:43 . 2008-06-05 07:35 <DIR> d-------- C:\Program Files\Common Files\DVDVIDEOSOFT
2008-05-29 17:37 . 2005-02-27 21:48 356,352 --a------ C:\WINDOWS\system32\RealMediaSplitter.ax

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-19 21:52 --------- d-----w C:\Documents and Settings\Brian\Application Data\Skype
2008-06-19 01:19 --------- d-----w C:\Documents and Settings\Brian\Application Data\teamspeak2
2008-06-15 11:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-06-15 10:44 --------- d-----w C:\Program Files\PC Tools AntiVirus
2008-06-15 09:11 --------- d-----w C:\Program Files\Symantec
2008-06-15 08:38 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-15 08:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-14 23:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-14 16:14 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-13 07:21 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-06-07 21:23 --------- d-----w C:\Program Files\Nokia
2008-06-02 20:12 19,968 ----a-w C:\WINDOWS\LOGI_MWX.EXE
2008-05-11 02:43 --------- d-----w C:\Documents and Settings\Brian\Application Data\Xfire
2008-01-15 00:49 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-06-15 08:35 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 18:22 21898024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DataLayer"="C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe" [2005-03-31 10:30 1106944]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-26 02:47 51048]
"Logitech Utility"="Logi_MwX.Exe" [2008-06-02 21:12 19968 C:\WINDOWS\LOGI_MWX.EXE]
"MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2002-03-04 06:14 163840]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-07-09 10:21:01 110592]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-07-09 10:21:01 110592]
Adobe Reader Speed Launch.lnk - F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 07:05:26 29696]
Bluetooth.lnk - C:\Program Files\Belkin\Bluetooth Software\BTTray.exe [2005-08-24 15:06:54 577597]
NETGEAR WG111T Smart Wizard.lnk - C:\Program Files\NETGEAR\WG111T\wlan111t.exe [2006-11-26 15:36:53 884840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\706ed1cc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM735de250]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
"Steam"="f:\games\valve\steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LogitechVideoTray"=C:\Program Files\Logitech\Video\LogiTray.exe
"LVCOMSX"=C:\WINDOWS\system32\LVCOMSX.EXE
"NeroCheck"=C:\WINDOWS\system32\NeroCheck.exe
"PCSuiteTrayApplication"=C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
"QuickTime Task"="F:\Program Files\QuickTime\QTTask.exe" -atboottime
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
"SoundMan"=SOUNDMAN.EXE
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"F:\\Games\\Red Storm Entertainment\\GhostRecon\\GhostRecon.exe"=
"F:\\Ares\\Ares.exe"=
"F:\\Games\\Valve\\Steam.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"F:\\Games\\Valve\\SteamApps\\agent_freeman\\counter-strike source\\hl2.exe"=
"F:\\Games\\Valve\\SteamApps\\agent_freeman\\counter-strike\\hl.exe"=
"F:\\GameSpy Arcade\\Aphex.exe"=
"F:\\Games\\The All-Seeing Eye\\eye.exe"=
"F:\\Program Files\\Netscape\\Netscp.exe"=
"F:\\Games\\Valve\\SteamApps\\agent_freeman\\half-life\\hl.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3783:TCP"= 3783:TCP:gamespy voice chat port
"27900:UDP"= 27900:UDP:gamespy master server UDP heartbeat
"28900:TCP"= 28900:TCP:gamespy master server list request
"27900:TCP"= 27900:TCP:GameSpyArcade
"29900:TCP"= 29900:TCP:GameSpyArcade
"29901:TCP"= 29901:TCP:GameSpyArcade
"13139:UDP"= 13139:UDP:GameSpyArcade
"6515:UDP"= 6515:UDP:GameSpyArcade
"6515:TCP"= 6515:TCP:GameSpyArcade
"6500:TCP"= 6500:TCP:GameSpyArcade

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-02-23 11:38]
R1 ATMhelpr;ATMhelpr;C:\WINDOWS\system32\drivers\ATMhelpr.sys [1997-06-17 03:00]
R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys [2001-12-20 07:02]
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe [2001-08-06 04:41]
S3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;C:\WINDOWS\system32\DRIVERS\wg11tnd5.sys [2005-09-05 12:21]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\DNINDIS5.SYS [2003-07-24 13:10]
S3 SE2Ebus;Sony Ericsson Device 046 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\SE2Ebus.sys [2006-05-01 14:16]
S3 SE2Emdfl;Sony Ericsson Device 046 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\SE2Emdfl.sys [2006-05-01 14:17]
S3 SE2Emdm;Sony Ericsson Device 046 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\SE2Emdm.sys [2006-05-01 14:17]
S3 SE2Emgmt;Sony Ericsson Device 046 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\SE2Emgmt.sys [2006-05-01 14:18]
S3 se2End5;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (NDIS);C:\WINDOWS\system32\DRIVERS\se2End5.sys [2006-05-01 14:15]
S3 se2Eunic;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (WDM);C:\WINDOWS\system32\DRIVERS\se2Eunic.sys [2006-05-01 14:15]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-16 09:46:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-16 19:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Brian.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-19 22:52:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
C:\Program Files\Netropa\Multimedia Keyboard\Traymon.exe
C:\Program Files\Netropa\Onscreen Display\osd.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
.
**************************************************************************
.
Completion time: 2008-06-19 22:59:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-19 21:59:21

Pre-Run: 7,445,663,744 bytes free
Post-Run: 8,872,845,312 bytes free

271 --- E O F --- 2008-05-18 21:13:19


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:04:27, on 19/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\Program Files\NETGEAR\WG111T\wlan111t.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Brian\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\BRIAN\Application Data\Mozilla\Profiles\default\phapy5tm.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://F%3A%5CProgram%20Files%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\BRIAN\Application Data\Mozilla\Profiles\default\phapy5tm.slt\prefs.js)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O8 - Extra context menu item: &Clean Traces - F:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - F:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - F:\Tools\images\FLASHS~2\FLASHS~1\save.htm
O8 - Extra context menu item: Download &all with DAP - F:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - F:\Tools\images\FLASHS~2\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - F:\Tools\images\FLASHS~2\FLASHS~1\save.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujitsu-siemens.de/DeskUpdate/isapi/activex.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 8365 bytes

pskelley
2008-06-20, 00:33
Thanks for returning your information. Follow the directions carefully and in the numbered order.

1) Right click a blank spot and create a new folder called HJT. Move the HJT.exe and the log that is there into that folder. Backups for safety will also be stored there; once done it will look like this:
C:\Documents and Settings\Brian\Desktop\HJT\HiJackThis.exe
"Before you Post" instructions would not have placed it there.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

(read and follow these directions carefully!)

3) Open notepad and copy/paste the text in the codebox below into it:


File::
C:\WINDOWS\system32\dcuyrutq.dll
C:\WINDOWS\system32\ffjbbyqd.dll
C:\WINDOWS\system32\vryvhgfp.dll
C:\WINDOWS\system32\lyljftgi.dll
C:\WINDOWS\system32\hspkueoq.ini

Folder::
C:\VundoFix Backups

Save this as CFScript

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post the combofix log from CFScript, a new HJT log and some feedback. How is the computer running now?

Thanks
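The CFScript above names four system32 DLLs made of eight random letters plus a matching .ini, which is the naming pattern the helper is treating as Vundo. As an added example (not part of this thread, and not ComboFix, HijackThis or Spybot code), here is a small Python script that applies that naming heuristic to HijackThis and ComboFix style lines and writes the survivors out in the File:: / Folder:: layout used in the post. The sample lines, the allow-list of legitimate eight-letter names and the regexes are my own assumptions, not something the thread provides.

```python
import re

# Constructed sample in the shape of HijackThis / ComboFix output. The random-looking
# names are the ones from the CFScript above; every other detail here is made up.
SAMPLE_LINES = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\dcuyrutq.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O20 - Winlogon Notify: ffjbbyqd - C:\WINDOWS\system32\ffjbbyqd.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
2008-06-19 01:02 . 2008-06-19 01:02 2,120 --a------ C:\WINDOWS\system32\hspkueoq.ini
2008-05-29 18:59 . 2007-02-06 15:21 389,120 --a------ C:\WINDOWS\system32\actskn43.ocx
2008-06-19 01:02 . 2008-06-19 01:02 61,440 --a------ C:\WINDOWS\system32\dcuyrutq.dll
"""

# A file sitting directly under system32 (drive prefix, base name, extension).
SYS32_FILE = re.compile(
    r"(C:\\WINDOWS\\system32\\)([A-Za-z0-9_~-]+)\.(dll|ini|exe|ocx)\b", re.IGNORECASE)

# Vundo-style base name: exactly eight letters, no digits, any case mix.
RANDOM_NAME = re.compile(r"^[A-Za-z]{8}$")

# Stand-in for a real allow-list (hash lookup or known-good catalog). These are
# legitimate eight-letter system32 names, listed so the heuristic does not flag them.
KNOWN_SYSTEM32 = {"browseui", "mshtmled", "rasadhlp", "actxprxy"}


def suspicious_system32_files(lines):
    """Return de-duplicated system32 paths whose names match the random-name heuristic."""
    hits, seen = [], set()
    for line in lines:
        for m in SYS32_FILE.finditer(line):
            prefix, base, ext = m.group(1), m.group(2), m.group(3).lower()
            path = f"{prefix}{base}.{ext}"
            if path.lower() in seen:
                continue
            # Only DLL/INI pairs are of interest here; EXE/OCX are left for manual review.
            if ext in ("dll", "ini") and RANDOM_NAME.match(base) \
                    and base.lower() not in KNOWN_SYSTEM32:
                seen.add(path.lower())
                hits.append(path)
    return hits


def build_cfscript(files, folders=()):
    """Render File:: and Folder:: sections in the layout the helper used above."""
    sections = []
    if files:
        sections.append("File::\n" + "\n".join(files))
    if folders:
        sections.append("Folder::\n" + "\n".join(folders))
    return "\n\n".join(sections) + "\n"


if __name__ == "__main__":
    found = suspicious_system32_files(SAMPLE_LINES.splitlines())
    print(build_cfscript(found, [r"C:\VundoFix Backups"]))
```

The heuristic is deliberately narrow (eight letters, directly under system32, DLL or INI) and still produces false positives on real machines, so treat its output as a list to check by hand, not something to feed to ComboFix blind. ComboFix moves File:: entries into its own quarantine (the C:\QooBox\Quarantine paths that show up later in this thread), which is why a mistaken entry can be recovered, but only if someone notices.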

sufferinginsilence
2008-06-20, 08:52
ComboFix 08-06-19.1 - Brian 2008-06-20 7:28:27.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.636 [GMT 1:00]
Running from: C:\Documents and Settings\Brian\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Brian\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\dcuyrutq.dll
C:\WINDOWS\system32\ffjbbyqd.dll
C:\WINDOWS\system32\hspkueoq.ini
C:\WINDOWS\system32\lyljftgi.dll
C:\WINDOWS\system32\vryvhgfp.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\WINDOWS\b.exe
C:\WINDOWS\system32\dcuyrutq.dll
C:\WINDOWS\system32\ffjbbyqd.dll
C:\WINDOWS\system32\hspkueoq.ini
C:\WINDOWS\system32\lyljftgi.dll
C:\WINDOWS\system32\vryvhgfp.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-20 to 2008-06-20 )))))))))))))))))))))))))))))))
.

2008-06-15 08:29 . 2008-06-15 08:29 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-06-15 08:29 . 2008-06-15 08:39 <DIR> d-------- C:\Program Files\Norton AntiVirus
2008-06-15 08:27 . 2008-06-15 10:11 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-15 08:27 . 2008-06-15 10:11 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-15 08:27 . 2008-06-15 10:11 10,671 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-15 08:27 . 2008-06-15 10:11 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-14 23:16 . 2008-06-14 23:16 <DIR> d-------- C:\Documents and Settings\Brian\Application Data\NCH Swift Sound
2008-06-13 08:59 . 2008-06-13 09:00 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-06-13 08:59 . 2004-08-04 08:56 214,528 --a--c--- C:\WINDOWS\system32\dllcache\icwconn1.exe
2008-06-13 08:54 . 2004-08-04 08:56 1,032,192 --a--c--- C:\WINDOWS\system32\dllcache\conf.exe
2008-06-13 08:53 . 2008-06-15 08:06 <DIR> d-------- C:\Program Files\Norton
2008-06-13 08:43 . 2008-06-13 08:43 <DIR> d-------- C:\Program Files\RedLine
2008-06-13 08:43 . 2008-06-13 08:44 <DIR> d-------- C:\Program Files\Realtek AC97
2008-06-13 08:42 . 2008-06-13 08:42 <DIR> d-------- C:\Program Files\MSN Apps
2008-06-13 08:40 . 2008-06-13 08:40 <DIR> d-------- C:\Program Files\Security Task Manager
2008-06-13 08:40 . 2008-06-13 08:40 <DIR> d-------- C:\Program Files\Samsung
2008-06-13 08:37 . 2008-06-13 08:37 <DIR> d-------- C:\Program Files\Viewpoint
2008-06-13 08:37 . 2008-06-13 08:37 <DIR> d-------- C:\Program Files\VIA
2008-06-13 08:37 . 2008-06-13 08:37 <DIR> d-------- C:\Program Files\Ulead Systems
2008-06-13 08:36 . 2008-06-13 08:36 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-06-13 08:36 . 2008-06-13 08:36 <DIR> d-------- C:\Program Files\WildTangent
2008-06-13 08:30 . 2008-06-13 08:30 <DIR> d-------- C:\Program Files\Google
2008-06-13 08:30 . 2008-06-13 08:30 <DIR> d-------- C:\Program Files\GameSpy Arcade
2008-06-13 08:30 . 2008-06-13 08:30 <DIR> d-------- C:\Program Files\CyberLink
2008-06-13 08:28 . 2004-08-04 08:56 539,136 --a--c--- C:\WINDOWS\system32\dllcache\dialer.exe
2008-06-13 08:28 . 2004-08-04 08:56 281,088 --a--c--- C:\WINDOWS\system32\dllcache\pinball.exe
2008-06-13 08:21 . 2008-06-13 08:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-13 08:21 . 2008-06-13 08:21 <DIR> d-------- C:\Program Files\Common Files\Ulead Systems
2008-06-13 08:20 . 2008-06-13 08:20 <DIR> d-------- C:\Program Files\BBC Multimedia
2008-06-13 08:18 . 2008-06-13 08:19 <DIR> d-------- C:\Program Files\Ahead
2008-06-13 08:18 . 2008-06-13 08:18 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-06-13 08:17 . 2008-06-19 01:31 <DIR> d-------- C:\Program Files\Bid-O-Matic
2008-06-13 08:16 . 2008-06-14 23:17 <DIR> d-------- C:\Program Files\NCH Swift Sound
2008-06-13 08:16 . 2008-06-13 08:16 <DIR> d-------- C:\Program Files\NCH Software
2008-06-12 19:42 . 2008-06-12 19:42 <DIR> d-------- C:\WINDOWS\Recent
2008-06-07 22:37 . 2008-06-07 22:37 <DIR> d-------- C:\TEMP\UBCD4Win User Settings
2008-06-07 22:37 . 2008-06-07 22:37 <DIR> d-------- C:\TEMP\PrintSpool
2008-06-07 22:37 . 2008-06-07 22:37 <DIR> d-------- C:\TEMP\AV7PE
2008-06-07 22:37 . 2008-06-07 22:37 <DIR> d-------- C:\TEMP
2008-06-07 22:37 . 2007-01-02 19:58 172,032 --a------ C:\TEMP\GBCHECK.EXE
2008-06-07 22:37 . 2006-10-28 14:37 1,423 --a------ C:\TEMP\NEW_AV7PE.cmd
2008-06-07 22:37 . 2007-04-12 10:57 95 --a------ C:\TEMP\acl.bat
2008-06-07 12:56 . 2004-08-04 08:56 4,256,768 --a--c--- C:\WINDOWS\system32\dllcache\wmm2res.dll
2008-06-07 12:56 . 2004-08-04 08:56 502,272 --a--c--- C:\WINDOWS\system32\dllcache\wmm2fxa.dll
2008-06-07 12:56 . 2004-08-04 08:56 402,432 --a--c--- C:\WINDOWS\system32\dllcache\wmm2filt.dll
2008-06-07 12:56 . 2004-08-04 08:56 325,632 --a--c--- C:\WINDOWS\system32\dllcache\wmm2fxb.dll
2008-06-07 12:56 . 2004-08-04 08:56 167,936 --a--c--- C:\WINDOWS\system32\dllcache\wmm2ae.dll
2008-06-07 12:56 . 2004-08-04 08:56 7,680 --a--c--- C:\WINDOWS\system32\dllcache\wmm2ext.dll
2008-06-07 12:56 . 2004-08-04 08:56 5,632 --a--c--- C:\WINDOWS\system32\dllcache\wmm2res2.dll
2008-06-07 12:56 . 2004-08-04 08:56 4,096 --a--c--- C:\WINDOWS\system32\dllcache\wmm2eres.dll
2008-06-03 07:27 . 2008-06-14 17:19 2,120 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-29 22:16 . 2008-05-31 00:23 67 --a------ C:\WINDOWS\A1 DVD Audio Ripper.INI
2008-05-29 19:42 . 2008-05-29 20:00 37,888 --a------ C:\WINDOWS\system32\rar.exe
2008-05-29 19:31 . 1999-09-10 12:06 5,600 --a------ C:\WINDOWS\system\WINASPI.DLL
2008-05-29 19:31 . 1999-09-10 12:06 4,672 --a------ C:\WINDOWS\system\WOWPOST.EXE
2008-05-29 18:59 . 2007-02-06 15:21 389,120 --a------ C:\WINDOWS\system32\actskn43.ocx
2008-05-29 18:59 . 1999-09-10 12:06 45,056 --a------ C:\WINDOWS\system32\wnaspi32.dll
2008-05-29 18:59 . 1999-09-10 12:06 25,244 --a------ C:\WINDOWS\system32\drivers\aspi32.sys
2008-05-29 18:43 . 2008-06-05 07:35 <DIR> d-------- C:\Program Files\Common Files\DVDVIDEOSOFT
2008-05-29 17:37 . 2005-02-27 21:48 356,352 --a------ C:\WINDOWS\system32\RealMediaSplitter.ax

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-20 06:25 --------- d-----w C:\Documents and Settings\Brian\Application Data\Skype
2008-06-19 01:19 --------- d-----w C:\Documents and Settings\Brian\Application Data\teamspeak2
2008-06-15 11:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-06-15 10:44 --------- d-----w C:\Program Files\PC Tools AntiVirus
2008-06-15 09:11 --------- d-----w C:\Program Files\Symantec
2008-06-15 08:38 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-15 08:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-14 23:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-14 16:14 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-13 07:21 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-06-07 21:23 --------- d-----w C:\Program Files\Nokia
2008-06-02 20:12 19,968 ----a-w C:\WINDOWS\LOGI_MWX.EXE
2008-05-11 02:43 --------- d-----w C:\Documents and Settings\Brian\Application Data\Xfire
2008-04-30 00:57 41,296 ----a-w C:\WINDOWS\system32\xfcodec.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-01-15 00:49 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((( snapshot@2008-06-19_22.58.58.75 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-19 21:50:34 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-20 06:16:01 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-06-15 08:35 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 18:22 21898024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DataLayer"="C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe" [2005-03-31 10:30 1106944]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-26 02:47 51048]
"Logitech Utility"="Logi_MwX.Exe" [2008-06-02 21:12 19968 C:\WINDOWS\LOGI_MWX.EXE]
"MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2002-03-04 06:14 163840]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-07-09 10:21:01 110592]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-07-09 10:21:01 110592]
Adobe Reader Speed Launch.lnk - F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 07:05:26 29696]
Bluetooth.lnk - C:\Program Files\Belkin\Bluetooth Software\BTTray.exe [2005-08-24 15:06:54 577597]
NETGEAR WG111T Smart Wizard.lnk - C:\Program Files\NETGEAR\WG111T\wlan111t.exe [2006-11-26 15:36:53 884840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\706ed1cc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM735de250]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
"Steam"="f:\games\valve\steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LogitechVideoTray"=C:\Program Files\Logitech\Video\LogiTray.exe
"LVCOMSX"=C:\WINDOWS\system32\LVCOMSX.EXE
"NeroCheck"=C:\WINDOWS\system32\NeroCheck.exe
"PCSuiteTrayApplication"=C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
"QuickTime Task"="F:\Program Files\QuickTime\QTTask.exe" -atboottime
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
"SoundMan"=SOUNDMAN.EXE
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"F:\\Games\\Red Storm Entertainment\\GhostRecon\\GhostRecon.exe"=
"F:\\Ares\\Ares.exe"=
"F:\\Games\\Valve\\Steam.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"F:\\Games\\Valve\\SteamApps\\agent_freeman\\counter-strike source\\hl2.exe"=
"F:\\Games\\Valve\\SteamApps\\agent_freeman\\counter-strike\\hl.exe"=
"F:\\GameSpy Arcade\\Aphex.exe"=
"F:\\Games\\The All-Seeing Eye\\eye.exe"=
"F:\\Program Files\\Netscape\\Netscp.exe"=
"F:\\Games\\Valve\\SteamApps\\agent_freeman\\half-life\\hl.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3783:TCP"= 3783:TCP:gamespy voice chat port
"27900:UDP"= 27900:UDP:gamespy master server UDP heartbeat
"28900:TCP"= 28900:TCP:gamespy master server list request
"27900:TCP"= 27900:TCP:GameSpyArcade
"29900:TCP"= 29900:TCP:GameSpyArcade
"29901:TCP"= 29901:TCP:GameSpyArcade
"13139:UDP"= 13139:UDP:GameSpyArcade
"6515:UDP"= 6515:UDP:GameSpyArcade
"6515:TCP"= 6515:TCP:GameSpyArcade
"6500:TCP"= 6500:TCP:GameSpyArcade

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-02-23 11:38]
R1 ATMhelpr;ATMhelpr;C:\WINDOWS\system32\drivers\ATMhelpr.sys [1997-06-17 03:00]
R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys [2001-12-20 07:02]
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe [2001-08-06 04:41]
S3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;C:\WINDOWS\system32\DRIVERS\wg11tnd5.sys [2005-09-05 12:21]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\DNINDIS5.SYS [2003-07-24 13:10]
S3 SE2Ebus;Sony Ericsson Device 046 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\SE2Ebus.sys [2006-05-01 14:16]
S3 SE2Emdfl;Sony Ericsson Device 046 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\SE2Emdfl.sys [2006-05-01 14:17]
S3 SE2Emdm;Sony Ericsson Device 046 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\SE2Emdm.sys [2006-05-01 14:17]
S3 SE2Emgmt;Sony Ericsson Device 046 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\SE2Emgmt.sys [2006-05-01 14:18]
S3 se2End5;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (NDIS);C:\WINDOWS\system32\DRIVERS\se2End5.sys [2006-05-01 14:15]
S3 se2Eunic;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (WDM);C:\WINDOWS\system32\DRIVERS\se2Eunic.sys [2006-05-01 14:15]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-16 09:46:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-16 19:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Brian.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-20 07:30:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-20 7:32:30
ComboFix-quarantined-files.txt 2008-06-20 06:32:13
ComboFix2.txt 2008-06-19 21:59:37

Pre-Run: 8,854,425,600 bytes free
Post-Run: 8,841,322,496 bytes free

220 --- E O F --- 2008-05-18 21:13:19

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:04:27, on 19/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\Program Files\NETGEAR\WG111T\wlan111t.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Brian\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\BRIAN\Application Data\Mozilla\Profiles\default\phapy5tm.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://F%3A%5CProgram%20Files%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\BRIAN\Application Data\Mozilla\Profiles\default\phapy5tm.slt\prefs.js)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O8 - Extra context menu item: &Clean Traces - F:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - F:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - F:\Tools\images\FLASHS~2\FLASHS~1\save.htm
O8 - Extra context menu item: Download &all with DAP - F:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - F:\Tools\images\FLASHS~2\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - F:\Tools\images\FLASHS~2\FLASHS~1\save.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujitsu-siemens.de/DeskUpdate/isapi/activex.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 8365 bytes

My computer seems to load faster now. No annoying random pop-ups are appearing which is good news.

sufferinginsilence
2008-06-20, 09:57
I have just run Spybot and it found something called Win32.Agent.pz

pskelley
2008-06-20, 14:16
Thanks for returning your information and the feedback, you said:

I have just run Spybot and it found something called Win32.Agent.pz

When I am done, you may do as you wish; in the meantime, run only what I request and post only what I ask for.

Once we finish, if you have issues with Spybot S&D you can address those here:
http://forums.spybot.info/forumdisplay.php?f=4
I also suggest you make sure Spybot is up to date and fully immunized and then run it again.

C:\Program Files\Java\jre1.6.0_05\ <<< update Java, see this information:
http://forums.spybot.info/showpost.php?p=12880&postcount=2

Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file in your next reply.

Thanks

sufferinginsilence
2008-06-20, 17:28
Malwarebytes' Anti-Malware 1.18
Database version: 870

16:19:04 20/06/2008
mbam-log-6-20-2008 (16-19-04).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 359887
Time elapsed: 2 hour(s), 6 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\cuskina.avideo (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d263b532-c528-49e5-8bb6-80fa67332c9a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{7165223d-d2c9-422b-8126-411b11842b8b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\khfGvUoL.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\nokyrlvv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\opnmLDwv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4C7E9766-F0E6-48EE-BA62-5A7F6F8C42DC}\RP2\A0000014.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4C7E9766-F0E6-48EE-BA62-5A7F6F8C42DC}\RP2\A0000015.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4C7E9766-F0E6-48EE-BA62-5A7F6F8C42DC}\RP2\A0000016.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4C7E9766-F0E6-48EE-BA62-5A7F6F8C42DC}\RP2\A0000017.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4C7E9766-F0E6-48EE-BA62-5A7F6F8C42DC}\RP2\A0000018.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Services.ini (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
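To triage a log like the one above, here is an added Python example (not from the thread, and not a Malwarebytes tool) that parses MBAM detection lines and separates detections inside ComboFix's quarantine folder and System Restore points from files that were actually live on the system; the sample lines are copied from the posted log.

```python
import re
from collections import Counter

# Constructed sample input: detection lines copied from the Malwarebytes log
# posted above. MBAM writes one detection per line as "<item> (<threat>) -> <action>".
SAMPLE_LOG = r"""
C:\QooBox\Quarantine\C\WINDOWS\system32\khfGvUoL.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4C7E9766-F0E6-48EE-BA62-5A7F6F8C42DC}\RP2\A0000014.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Services.ini (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
"""

LINE_RE = re.compile(r"^(?P<item>.+) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")

def classify_location(item):
    """Where the detected object lived: only 'live file' entries were active
    on the running system; the rest is residue of earlier cleanup steps."""
    low = item.lower()
    if low.startswith("hkey_"):
        return "registry"
    if r"\qoobox\quarantine" in low:                   # ComboFix's quarantine folder
        return "quarantine (ComboFix)"
    if r"\system volume information\_restore" in low:  # System Restore points
        return "restore point"
    return "live file"

def parse_detections(log_text):
    """Return one dict per MBAM detection line; other lines are skipped."""
    detections = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["location"] = classify_location(d["item"])
            detections.append(d)
    return detections

def summarize(detections):
    """Count detections by location and threat family and list the live files."""
    return {
        "by_location": Counter(d["location"] for d in detections),
        "by_threat": Counter(d["threat"] for d in detections),
        "live": [d["item"] for d in detections if d["location"] == "live file"],
    }

if __name__ == "__main__":
    report = summarize(parse_detections(SAMPLE_LOG))
    print(dict(report["by_location"]), dict(report["by_threat"]), report["live"])
```

The "live file" list is what still deserves attention after a run like this; quarantine and restore-point hits are cleaned up by removing ComboFix and flushing System Restore.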

pskelley
2008-06-20, 17:38
I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional, but if you do not have the CDs needed, as is explained, it can be installed before we remove combofix.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\*CF-RC.txt*.

Since we do not need to scan with combofix, click NO

http://img.photobucket.com/albums/v666/sUBs/RC_whatnext.gif

http://img.photobucket.com/albums/v666/sUBs/RC_AllDone.gif

Thanks

sufferinginsilence
2008-06-21, 03:14
I tried to install the Windows XP Recovery Console, but when I type d:\i386\winnt32.exe /cmdcons a window appears stating:

"Setup cannot continue because the version of windows I have on your computer is newer than the version on the CD"

What do I do now...

sufferinginsilence
2008-06-21, 03:16
correction...

"Setup cannot continue because the version of windows on your computer is newer than the version on the CD"

pskelley
2008-06-21, 15:19
Please read those instructions again, starting here:
How to install and use the Windows XP Recovery Console

If you use Windows XP and do not have the Windows CD, ComboFix includes a method of installing the Windows Recovery console by downloading a file from Microsoft. To install the Windows Recovery Console when you do not have the Windows XP CD, please follow these instructions:

You DO NOT need a CD to install RC using combofix.

Read those directions a few times before you start to make sure you understand the instructions.

Thanks

sufferinginsilence
2008-06-22, 02:24
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

pskelley
2008-06-22, 02:42
Good job:bigthumb: Here is some information about RC from Microsoft, who I believe should have installed the tool by default to start with.
http://support.microsoft.com/kb/314058
http://support.microsoft.com/kb/307654

Remove combofix from your computer like this:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U; it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

Clean infected System Restore files like this:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Uncheck Turn off System Restore.
Click Apply, and then click OK.

Run another MBAM scan; it should come back clean. That being the case, update and run a system scan with your resident antivirus program.
Let me know about any issues and how the computer is running.

Thanks...Phil

sufferinginsilence
2008-06-24, 23:30
Hi Phil,

Thanks for your help in this matter. My PC seems to be rid of the trojans and it is back to normal now.
I don't know how you find time to help other people like you do (I guess this is your social life) but I am very grateful to you for your patience and help.

Kind regards
Brian

pskelley
2008-06-24, 23:59
Hi Brian, I retired a few years ago and I enjoy helping folks with their computer malware. A mentor helped me back about ten years ago and that is how I got started. I run a small local business (1 employee); that and helping folks online keeps my mind working as it should. Biking, beaching and basketball take care of the body:laugh:

I'll assume those last scans were clean, and leave you with this great information.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...Phil
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.