Help removing Virus Please



Koggo
2008-12-02, 02:51
PLEASE HELP!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:41:53, on 12/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Alltel\QuickLink Mobile\QuickLink Mobile.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {0318b3a7-67a5-4255-909a-99db702259e2} - C:\WINDOWS\system32\mupodalu.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [cc45cd0f] rundll32.exe "C:\WINDOWS\system32\hekonala.dll",b
O4 - HKLM\..\Run: [noharunava] Rundll32.exe "C:\WINDOWS\system32\visutime.dll",s
O4 - HKLM\..\Run: [CPMcf76fe93] Rundll32.exe "c:\windows\system32\naluwota.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1227980217829
O17 - HKLM\System\CCS\Services\Tcpip\..\{D7CFE6FB-D5FC-42F2-A99D-E54CCFA3E256}: NameServer = 166.102.165.11 166.102.165.13
O20 - AppInit_DLLs: c:\windows\system32\vidasasa.dll c:\windows\system32\mivimoru.dll C:\WINDOWS\system32\robudiki.dll c:\windows\system32\naluwota.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\naluwota.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\naluwota.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7285 bytes

Koggo
2008-12-02, 03:29
ComboFix 08-12-01.01 - Zako 2008-12-01 21:15:36.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1522 [GMT -5:00]
Running from: c:\documents and settings\Zako\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Zako\Application Data\inst.exe
c:\windows\sys306a.dll
c:\windows\system32\_004571_.tmp.dll
c:\windows\system32\_004572_.tmp.dll
c:\windows\system32\_004573_.tmp.dll
c:\windows\system32\_004574_.tmp.dll
c:\windows\system32\_004581_.tmp.dll
c:\windows\system32\_004583_.tmp.dll
c:\windows\system32\_004584_.tmp.dll
c:\windows\system32\_004586_.tmp.dll
c:\windows\system32\_004587_.tmp.dll
c:\windows\system32\_004588_.tmp.dll
c:\windows\system32\alanokeh.ini
c:\windows\system32\etijiyoy.ini
c:\windows\system32\hekonala.dll
c:\windows\system32\iriyifef.ini
c:\windows\system32\mekawiba.dll
c:\windows\system32\mupodalu.dll
c:\windows\system32\naluwota.dll
c:\windows\system32\oyujabes.ini
c:\windows\system32\robudiki.dll
c:\windows\system32\umavayuh.ini
c:\windows\system32\visutime.dll
c:\windows\system32\yamanewa.dll
c:\windows\system32\yevazani.dll

----- BITS: Possible infected sites -----

hxxp://77.74.48.105
hxxp://lp2.patch.station.sony.com:7000
.
((((((((((((((((((((((((( Files Created from 2008-11-02 to 2008-12-02 )))))))))))))))))))))))))))))))
.

2008-12-01 20:41 . 2008-12-01 20:41 <DIR> d-------- c:\program files\Trend Micro
2008-11-30 23:43 . 2008-11-30 23:43 <DIR> d----c--- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-11-30 22:52 . 2008-11-30 22:52 <DIR> d-------- c:\windows\ERUNT
2008-11-30 22:47 . 2008-11-30 23:46 <DIR> d----c--- C:\SDFix
2008-11-30 22:43 . 2008-11-30 22:43 <DIR> d----c--- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-11-30 22:21 . 2008-11-30 22:21 95 --a------ c:\windows\wininit.ini
2008-11-30 21:57 . 2008-11-30 21:57 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-30 21:57 . 2008-11-30 21:59 <DIR> d----c--- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-30 20:15 . 2008-11-30 20:15 <DIR> d-------- c:\program files\Auslogics
2008-11-30 20:15 . 2008-11-30 20:15 <DIR> d-------- c:\documents and settings\Zako\Application Data\Auslogics
2008-11-30 15:40 . 2008-11-30 15:40 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-30 15:40 . 2008-11-30 15:40 <DIR> d-------- c:\documents and settings\Zako\Application Data\Malwarebytes
2008-11-30 15:40 . 2008-11-30 15:40 <DIR> d----c--- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-30 15:40 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-30 15:40 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-30 15:38 . 2008-11-30 08:34 94,772 --------- c:\windows\system32\trz4.tmp
2008-11-30 08:02 . 2008-06-24 12:45 1,414,440 --a------ c:\windows\system32\ShellManager310E2D762.dll
2008-11-30 08:02 . 2008-06-23 16:36 773,120 --a------ c:\windows\system32\NEROINSTAEC43759.DB
2008-11-30 07:57 . 2008-11-30 07:57 <DIR> d-------- c:\windows\nview
2008-11-30 07:57 . 2008-11-12 13:45 453,152 --a------ c:\windows\system32\NVUNINST.EXE
2008-11-30 07:57 . 2008-11-12 14:54 453,152 --a------ c:\windows\system32\nvudisp.exe
2008-11-30 07:57 . 2008-12-01 21:22 204,023 --a------ c:\windows\system32\nvapps.xml
2008-11-30 07:57 . 2008-11-12 14:54 18,537 --a------ c:\windows\system32\nvdisp.nvu
2008-11-30 07:51 . 2008-11-30 07:51 <DIR> d-------- c:\program files\VS Revo Group
2008-11-29 21:00 . 2008-11-29 21:00 <DIR> d-------- c:\windows\NV38563860.TMP
2008-11-29 20:32 . 2008-11-30 07:55 <DIR> d-------- c:\program files\Driver Sweeper
2008-11-29 19:44 . 2008-11-29 19:44 <DIR> d-------- c:\program files\Alwil Software
2008-11-29 19:36 . 2008-11-29 19:36 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-11-29 19:36 . 2008-11-29 19:36 <DIR> d-------- c:\documents and settings\Zako\Application Data\SUPERAntiSpyware.com
2008-11-29 19:36 . 2008-11-29 19:36 <DIR> d----c--- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-29 19:28 . 2008-11-29 19:28 <DIR> d----c--- c:\documents and settings\All Users\Application Data\Avg8
2008-11-29 14:50 . 2008-11-29 14:50 0 --a------ c:\windows\nsreg.dat
2008-11-29 12:55 . 2004-08-04 07:00 381,425 -----c--- c:\windows\system32\dllcache\copycd.wmv
2008-11-29 12:19 . 2008-04-13 19:11 571,392 --a--c--- c:\windows\system32\dllcache\tintlgnt.ime
2008-11-29 12:18 . 2008-04-13 19:09 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll
2008-11-29 12:17 . 2008-04-13 19:11 1,888,992 --a------ c:\windows\system32\OLD396.tmp
2008-11-29 12:15 . 2006-02-28 07:00 16,384 --a--c--- c:\windows\system32\dllcache\isignup.exe
2008-11-29 12:15 . 2008-11-29 12:15 749 -rah----- c:\windows\WindowsShell.Manifest
2008-11-29 12:15 . 2008-11-29 12:15 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest
2008-11-29 12:15 . 2008-11-29 12:15 749 -rah----- c:\windows\system32\sapi.cpl.manifest
2008-11-29 12:15 . 2008-11-29 12:15 749 -rah----- c:\windows\system32\ncpa.cpl.manifest
2008-11-29 12:15 . 2008-11-29 12:15 488 -rah----- c:\windows\system32\logonui.exe.manifest
2008-11-29 12:03 . 2008-11-29 12:03 <DIR> d-------- c:\windows\NV748848.TMP
2008-11-29 11:58 . 2006-02-28 07:00 1,086,058 -ra------ c:\windows\SET3E.tmp
2008-11-29 11:58 . 2006-02-28 07:00 1,042,903 -ra------ c:\windows\SET3B.tmp
2008-11-29 11:58 . 2006-02-28 07:00 14,573 -ra------ c:\windows\SET7E.tmp
2008-11-29 11:58 . 2006-02-28 07:00 13,753 -ra------ c:\windows\SET4A.tmp
2008-11-29 11:25 . 2008-11-29 11:25 <DIR> d----c--- c:\documents and settings\Administrator
2008-11-28 18:21 . 2008-11-28 18:21 <DIR> d-------- c:\program files\AVG
2008-11-28 17:47 . 2008-11-28 17:47 <DIR> d-------- c:\windows\NV33883964.TMP
2008-11-18 18:48 . 2008-10-10 06:58 82,944 --a------ c:\windows\system32\o4Patch.exe
2008-11-18 18:48 . 2008-10-10 06:58 82,944 --a------ c:\windows\system32\IEDFix.C.exe
2008-11-18 18:48 . 2008-08-18 10:19 82,432 --a------ c:\windows\system32\404Fix.exe
2008-11-15 17:00 . 2008-11-15 17:00 <DIR> d-------- c:\program files\Ventrilo
2008-11-15 17:00 . 2008-11-15 17:00 262 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-01 01:23 --------- dc----w c:\documents and settings\All Users\Application Data\Autodesk
2008-12-01 01:23 --------- d-----w c:\program files\AutoCAD 2008
2008-11-30 13:12 --------- d-----w c:\program files\eMule
2008-11-30 13:03 --------- d-----w c:\program files\Common Files\Nero
2008-11-30 13:03 --------- d-----w c:\documents and settings\All Users\Application Data\Nero
2008-11-30 12:51 --------- d-----w c:\program files\Common Files\Adobe
2008-11-30 00:36 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-29 16:00 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-29 15:45 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-11-29 15:37 --------- d-----w c:\program files\Bentley
2008-11-28 22:48 --------- d-----w c:\program files\AGEIA Technologies
2008-11-19 04:24 --------- d-----w c:\documents and settings\Zako\Application Data\Vso
2008-11-18 23:51 --------- d-----w c:\program files\Google
2008-11-15 22:01 --------- d-----w c:\documents and settings\Zako\Application Data\Ventrilo
2008-11-12 19:54 6,188,320 ----a-w c:\windows\system32\drivers\nv4_mini.sys
2008-10-10 02:14 --------- d-----w c:\program files\XNote Stopwatch
2008-08-17 13:50 47,360 ----a-w c:\documents and settings\Zako\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-22 68856]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-11-17 1805552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 86016]
"P17Helper"="P17.dll" [2005-05-03 c:\windows\system32\P17.dll]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"nwiz"="nwiz.exe" [2008-11-12 c:\windows\system32\nwiz.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 15:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson Wireless Manager UI]
c:\windows\system32\semwltray [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-11-12 14:54 13672448 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-11-12 14:54 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-ra--c--- 2005-05-03 05:43 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-11-12 14:54 1630208 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
--a------ 2005-05-03 19:38 64512 c:\windows\system32\P17.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-ra--c--- 2006-11-14 04:21 16270848 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-ra--c--- 2006-05-16 05:04 2879488 c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"setrysvc"=2 (0x2)
"NProtectService"=2 (0x2)
"LiveUpdate Notice"=2 (0x2)
"LiveUpdate"=3 (0x3)
"IDriverT"=3 (0x3)
"CLTNetCnService"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\WINDOWS\\system32\\wuauclt.exe"=
"c:\\WINDOWS\\system32\\services.exe"=
"c:\\Program Files\\Alltel\\QuickLink Mobile\\QuickLink Mobile.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\Alwil Software\\Avast4\\ashDisp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-29 111184]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-11-29 20560]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2008-01-11 17920]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2008-01-11 7680]
R3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [2008-01-11 22528]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-11-30 38496]
S3 SEM43XX;Sony Ericsson 802.11 Wireless LAN Adapter Driver SEM43XX;c:\windows\system32\DRIVERS\semwl5.sys [2007-12-01 368896]
S3 SEMWModem;Sony Ericsson SEMWModem;c:\windows\system32\DRIVERS\GCXX.sys [2007-12-01 114944]
S3 SEMWWNIC;Sony Ericsson SEMWWNIC;c:\windows\system32\DRIVERS\GCXXNet.sys [2007-12-01 53248]
S3 Sony_EricssonWWSC;Sony Ericsson SIM Card Reader;c:\windows\system32\DRIVERS\GCXXSC.sys [2007-12-01 21888]
.
Contents of the 'Scheduled Tasks' folder

2008-11-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0318b3a7-67a5-4255-909a-99db702259e2} - c:\windows\system32\mupodalu.dll
HKCU-Run-IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
MSConfigStartUp-cc45cd0f - c:\windows\system32\sebajuyo.dll
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-CPMcf76fe93 - c:\windows\system32\mivimoru.dll
MSConfigStartUp-EA Core - c:\program files\Electronic Arts\EA Downloader\Core.exe
MSConfigStartUp-GCXX-Manager-Class - c:\program files\Sony Ericsson\Wireless Manager\GCXXManager.exe
MSConfigStartUp-mSpotAlltelRemix - c:\program files\Alltel Jump Music\Remix\msptcmd.exe
MSConfigStartUp-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
MSConfigStartUp-noharunava - c:\windows\system32\yosimanu.dll
MSConfigStartUp-NSWosCheck - c:\program files\Norton SystemWorks\osCheck.exe
MSConfigStartUp-osCheck - c:\program files\Norton AntiVirus\osCheck.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Zako\Application Data\Mozilla\Firefox\Profiles\rb6wo46k.default\
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-01 21:22:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(524)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\windows\SoftwareDistribution\Download\1185bc01976431096846a9c917b224df\update\update.exe
.
**************************************************************************
.
Completion time: 2008-12-01 21:24:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-02 02:24:12

Pre-Run: 7,641,321,472 bytes free
Post-Run: 8,764,854,272 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

272 --- E O F --- 2008-11-13 08:02:50

pskelley
2008-12-05, 15:17
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

I apologize for the wait; we pin (sticky) the instructions at the top of the forum for you to read, stuff like this:

Posting additional comments or logs before a volunteer responds can push you back instead of forward, because your thread ends up with a newer date. Also, helpers may think you are already being assisted because of the post count.

ComboFix is not a general-purpose cleaning tool; please do not use this tool without supervision.

If you still need help, take the time to read the directions and post a new HJT log.

Thanks

pskelley
2008-12-12, 13:22
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.