Vicious Malware Cycle (Fraud.SecurityCenter, Tinbar.C, Virtumonde, etc..)



ryanjt
2009-03-01, 00:05
Hello,

First I just want to say I think this place is a fantastic resource, so thank you to all of the volunteers who take the time to help out those suffering folks like myself.

Over the past several weeks I have been stuck in a malware trap. My computer will be taken over by malware, my desktop will be changed to some sort of flashing "INFECTED" thing, browsers won't work, Task Manager is disabled, a fake warning bubble pops up in my task bar, and sometimes Windows won't even start. The only way to be able to use the computer at all is to run ComboFix, which seemingly gets everything back working fine. Then, a week later, the same malware symptoms come back, and I run ComboFix again, then MalwareBytes again. Obviously I'm not getting to the heart of the problem. I was hoping you could help.

I will post all the logs I have so far, hopefully that will help.

1. First is a HJT log while the computer was completely taken over by malware.

2. The ComboFix log after seemingly eliminating the malware.

3. A HJT log after ComboFix was run.

4. A MalwareBytes log after it finishes running.

==============================================

First HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:44:27 PM, on 2/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\iSnooze\iSnooze.exe
C:\WINDOWS\TEMP\E171.tmp
C:\Program Files\AIM\aim.exe
C:\WINDOWS\TEMP\E171.tmp
C:\Program Files\iPod\bin\iPodService.exe
C:\DOCUME~1\RYANTO~1\LOCALS~1\Temp\rmoa8z4c9r.exe
C:\DOCUME~1\RYANTO~1\LOCALS~1\Temp\erykfp5jmnc.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: C:\WINDOWS\system32\hhs3ijndfd.dll - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hhs3ijndfd.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [Clitihagonaman] rundll32.exe "C:\WINDOWS\ehiwogijanilerih.dll",e
O4 - HKLM\..\Run: [Esebozewujon] rundll32.exe "C:\WINDOWS\Xyijoha.dll",e
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [jsf8uiw3jnjgffght] C:\DOCUME~1\RYANTO~1\LOCALS~1\Temp\winlognn.exe
O4 - HKLM\..\Run: [ituneshelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [framework windows] frmwrk32.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [ctsysvol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [cthelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [8474f5ff] rundll32.exe "C:\WINDOWS\system32\dvtuhgae.dll",b
O4 - HKCU\..\Run: [zizj1w7za3rh2w97vsu5ytk9q] C:\DOCUME~1\RYANTO~1\LOCALS~1\Temp\rwtvnb.exe
O4 - HKCU\..\Run: [ziekkgel3am3t1wgpeyepn51eoqguqrbyn79e] C:\DOCUME~1\RYANTO~1\LOCALS~1\Temp\lsk5ljlh5.exe
O4 - HKCU\..\Run: [wutnkdfbq3j5ddqfvg2fl] C:\DOCUME~1\RYANTO~1\LOCALS~1\Temp\cd75y2t8p5n.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_0_0
O4 - HKCU\..\Run: [uhb5q53v0q9py0lthdypjie51rlb] C:\DOCUME~1\RYANTO~1\LOCALS~1\Temp\zsw7uv.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [qugph775l2o9ihj3so2u8frxmw7g5tbmlyfs1ld] C:\DOCUME~1\RYANTO~1\LOCALS~1\Temp\pcn5nj24tamh.exe
O4 - HKCU\..\Run: [qe21pqdnjkuhcgkk] C:\DOCUME~1\RYANTO~1\LOCALS~1\Temp\r6pic95tndo9e.exe
O4 - HKCU\..\Run: [owf0pmj5zab2yqi9hic] C:\DOCUME~1\RYANTO~1\LOCALS~1\Temp\vfdsifj2fm4v.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [l3na8bn5qdlg7rrzuv8lj5m7vy78e02bczp6h4al8qjckgq7e] C:\DOCUME~1\RYANTO~1\LOCALS~1\Temp\g1euvk0dud.exe
O4 - HKCU\..\Run: [isnooze] C:\Program Files\iSnooze\iSnooze.exe
O4 - HKCU\..\Run: [hjgz5vht8gq946zfhila40qmvboa27zjvt] C:\DOCUME~1\RYANTO~1\LOCALS~1\Temp\dy4t95kkc.exe
O4 - HKCU\..\Run: [h5jcnevawhr] C:\DOCUME~1\RYANTO~1\LOCALS~1\Temp\yoy1jnixi4.exe
O4 - HKCU\..\Run: [fdctsrllkpsw] C:\DOCUME~1\RYANTO~1\LOCALS~1\Temp\qjaxylg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [bzr6gzw88vg9tfw9votumwel] C:\DOCUME~1\RYANTO~1\LOCALS~1\Temp\lr7ispg5.exe
O4 - HKCU\..\Run: [bmkuiqd48e9916] C:\DOCUME~1\RYANTO~1\LOCALS~1\Temp\f7odjdm.exe
O4 - HKCU\..\Run: [anmhw3g4fgk21] C:\DOCUME~1\RYANTO~1\LOCALS~1\Temp\a7i95rh.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [cyt3db7zv3jj6jqiq60wd] C:\DOCUME~1\RYANTO~1\LOCALS~1\Temp\ht0ylch.exe
O4 - HKCU\..\Run: [scn5fjflt8] C:\DOCUME~1\RYANTO~1\LOCALS~1\Temp\lxet5rgdy.exe
O4 - HKCU\..\Run: [ppe5dt14vo6h9nr8hq02cxxmvbhoray8xw33xp] C:\DOCUME~1\RYANTO~1\LOCALS~1\Temp\i9h3b1jl8bi3.exe
O4 - HKCU\..\Run: [iz8jfb2df4to725n8je3m4jpv2j7y6y37qow6o] C:\DOCUME~1\RYANTO~1\LOCALS~1\Temp\a0t4u7y.exe
O4 - HKCU\..\Run: [miea48hmjvau0b90pajyb4haaawjfcde6c] C:\DOCUME~1\RYANTO~1\LOCALS~1\Temp\lwzwzrr8.exe
O4 - HKCU\..\Run: [nzuhe3kdanjybvz4t87u280n99rstanwf9l] C:\DOCUME~1\RYANTO~1\LOCALS~1\Temp\rmoa8z4c9r.exe
O4 - HKCU\..\Run: [zh8eb44tw95qqtz4umt7jnlceeoveyp2bfwu] C:\DOCUME~1\RYANTO~1\LOCALS~1\Temp\o4v15xha5nc.exe
O4 - HKCU\..\Run: [d3iv540ld2fcvwl] C:\DOCUME~1\RYANTO~1\LOCALS~1\Temp\erykfp5jmnc.exe
O4 - HKCU\..\Run: [x3u58qmvi82qjc6dq79zofkefjadmrpiymvzxz5q] C:\DOCUME~1\RYANTO~1\LOCALS~1\Temp\dhtm7plrla.exe
O4 - HKCU\..\Run: [steimccfgtzz2i1wrs2t7czd86yi8bkrkpdaiwp1lk9k] C:\DOCUME~1\RYANTO~1\LOCALS~1\Temp\ddetw4j.exe
O4 - HKCU\..\Run: [ck6692xk0bx9b1brm010qtv8q6namyddjjfv7exjqalp] C:\DOCUME~1\RYANTO~1\LOCALS~1\Temp\wn5leuwt5ho.exe
O4 - HKCU\..\Run: [dmpyjqvp8j28jivh6o2tomgv4nassf1vy] C:\DOCUME~1\RYANTO~1\LOCALS~1\Temp\m2ayahe0.exe
O4 - HKCU\..\Run: [i4huok3mg65x1a8i88ghho1yom270196l5qz0p94xxg6dc32] C:\DOCUME~1\RYANTO~1\LOCALS~1\Temp\pbubsem9gnp.exe
O4 - HKCU\..\Run: [e8xhaskcqu8xn903r] C:\DOCUME~1\RYANTO~1\LOCALS~1\Temp\djm1fsw63sx.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: VTAgentReboot.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126057634845
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175529866322
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: lrlzuo.dll eyvpnu.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - %fystemRoot%\system32\svchost.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Update Service (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe" /svc (file missing)
O23 - Service: Imap Burn Control (IBServ) - Unknown owner - C:\WINDOWS\system32\IBCServ.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Control - Unknown owner - C:\Program Files\firefly-remote\firefly.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

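A triage script for the HJT log above, added here as an example (it is not code from the original post or from the HijackThis project): it parses the running-process list and the O4/O2/O7/O20 lines and flags the patterns visible in that log: autoruns launched from a Temp directory, machine-generated value names, rundll32 loading a DLL dropped in the Windows root, a BHO with no display name, a policy restriction, and AppInit_DLLs. The line regexes and heuristics are my own assumptions about the HJT format, the sample lines are a constructed excerpt, and every hit is a review prompt for the analyst rather than a verdict.

```python
"""Triage helper for HijackThis (HJT) logs. Added example; the regexes and
heuristics are assumptions about the HJT line format, not an official parser,
and findings are prompts for an analyst, not verdicts."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt in the same format as the first HJT log above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\TEMP\E171.tmp
C:\DOCUME~1\RYANTO~1\LOCALS~1\Temp\rmoa8z4c9r.exe
C:\Program Files\HijackThis.exe

O2 - BHO: C:\WINDOWS\system32\hhs3ijndfd.dll - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hhs3ijndfd.dll
O4 - HKLM\..\Run: [Clitihagonaman] rundll32.exe "C:\WINDOWS\ehiwogijanilerih.dll",e
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [jsf8uiw3jnjgffght] C:\DOCUME~1\RYANTO~1\LOCALS~1\Temp\winlognn.exe
O4 - HKLM\..\Run: [framework windows] frmwrk32.exe
O4 - HKCU\..\Run: [zizj1w7za3rh2w97vsu5ytk9q] C:\DOCUME~1\RYANTO~1\LOCALS~1\Temp\rwtvnb.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: lrlzuo.dll eyvpnu.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.I)
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)', re.I)


@dataclass(frozen=True)
class Finding:
    section: str  # HJT section (O4, O2, ...) or "process"
    reason: str
    line: str


def looks_random(name: str) -> bool:
    """Value names such as 'zizj1w7za3rh2w97vsu5ytk9q': a single token mixing
    letters and digits that is not simply a file name. Product names with
    spaces pass."""
    return (" " not in name and len(name) >= 8
            and any(c.isdigit() for c in name) and any(c.isalpha() for c in name)
            and not name.lower().endswith((".exe", ".dll")))


def check_autorun(name: str, cmd: str, line: str) -> list:
    out = []
    if TEMP_DIR_RE.search(cmd):
        out.append(Finding("O4", "autorun launches an executable from a temp directory", line))
    if looks_random(name):
        out.append(Finding("O4", f"autorun value name {name!r} looks machine-generated", line))
    m = RUNDLL_RE.search(cmd)
    if m:
        dll = m.group("dll").strip()
        folder = dll.rsplit("\\", 1)[0].lower() if "\\" in dll else ""
        if folder == r"c:\windows":
            out.append(Finding("O4", "rundll32 loads a DLL placed directly in the Windows root", line))
    elif "\\" not in cmd:
        # A bare file name is resolved through the PATH search order at logon.
        out.append(Finding("O4", "autorun is a bare file name with no directory", line))
    return out


def triage(log_text: str) -> list:
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if in_processes:
            if TEMP_DIR_RE.search(line):
                findings.append(Finding("process", "process image running from a temp directory", line))
            continue
        m = O4_RE.match(line)
        if m:
            findings.extend(check_autorun(m.group("name"), m.group("cmd"), line))
        elif line.startswith("O2 - BHO: "):
            # First field is the display name; a path or "(no name)" there means
            # the COM server registered no friendly name, unusual for legitimate BHOs.
            display = line[len("O2 - BHO: "):].split(" - ")[0]
            if display == "(no name)" or "\\" in display:
                findings.append(Finding("O2", "BHO without a display name", line))
        elif line.startswith("O7 - "):
            findings.append(Finding("O7", "policy restriction (Regedit/Task Manager disabled)", line))
        elif line.startswith("O20 - AppInit_DLLs:"):
            findings.append(Finding("O20", "AppInit_DLLs injects the listed DLLs into GUI processes", line))
    return findings


def count_by_section(findings: list) -> dict:
    return dict(Counter(f.section for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it against a full HJT log pasted into a file to get a prioritised list of lines to examine; the O4 value names flagged as machine-generated in the log above line up with the executables dropped in the user's Temp directory.
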
ryanjt
2009-03-01, 00:06
Combofix log:

ComboFix 09-02-21.01 - Ryan Townsend 2009-02-28 13:07:18.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.680 [GMT -8:00]
Running from: c:\documents and settings\Ryan Townsend\Desktop\fix.exe.exe
AV: Norton AntiVirus 2005 *On-access scanning disabled* (Outdated)
FW: Norton Internet Worm Protection *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ahtn.htm
c:\windows\system32\algtrt.dll
c:\windows\system32\avwvyhfq.ini
c:\windows\system32\bboqoeqh.dll
c:\windows\system32\bvpmlpje.ini
c:\windows\system32\cniloc.dll
c:\windows\system32\crypts.dll
c:\windows\system32\djffww.dll
c:\windows\system32\dnxfexqo.dll
c:\windows\system32\drivers\UACcdatbueb.sys
c:\windows\system32\eaghutvd.ini
c:\windows\system32\ebmdwbmj.ini
c:\windows\system32\eqnrwyhp.ini
c:\windows\system32\eyvpnu.dll
c:\windows\system32\frbmxuly.dll
c:\windows\system32\frmwrk32.exe
c:\windows\system32\gunajlwb.ini
c:\windows\system32\hhs3ijndfd.dll
c:\windows\system32\hrmljivo.dll
c:\windows\system32\ilbsucxj.ini
c:\windows\system32\mmhlvt.dll
c:\windows\system32\nhcbnj.dll
c:\windows\system32\ntdll64.exe
c:\windows\system32\odzfgi.dll
c:\windows\system32\orcxvfjr.dll
c:\windows\system32\pywcoucw.dll
c:\windows\system32\sdnjenpk.dll
c:\windows\system32\sgkstvmx.dll
c:\windows\system32\spdhon.dll
c:\windows\system32\UACbplnvqfa.dat
c:\windows\system32\UACfnbxonro.dll
c:\windows\system32\UACqophkvkn.dll
c:\windows\system32\UACrgweddel.dll
c:\windows\system32\UACtkdckafg.dll
c:\windows\system32\UACuetdaqmy.log
c:\windows\system32\UACvqrqpjdt.log
c:\windows\system32\UACwmijonwe.log
c:\windows\system32\ueurux.dll
c:\windows\system32\uniq.tll
c:\windows\system32\warning.gif
c:\windows\system32\win32hlp.cnf
c:\windows\system32\wqunykrp.ini
c:\windows\system32\wtstwahr.dll
c:\windows\system32\ycqecvev.ini
c:\windows\system32\yvyxrtdj.ini
c:\windows\system32\yyyoithv.dll
c:\windows\system32\zcmdfy.dll
c:\windows\Tasks\wpetpjdz.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-01-28 to 2009-02-28 )))))))))))))))))))))))))))))))
.

2009-02-28 12:05 . 2009-02-28 13:19 4 --a------ c:\windows\mzvtwjtt
2009-02-28 11:25 . 2009-02-28 11:25 134,144 --a------ c:\windows\ehiwogijanilerih.dll
2009-02-28 11:13 . 2009-02-28 11:13 81,920 --a------ C:\vlcj.exe
2009-02-28 11:13 . 2009-02-28 11:13 30,720 --a------ C:\tjaq.exe
2009-02-28 11:13 . 2009-02-28 11:13 5,164 --a------ c:\windows\SYSTEM32\uacinit.dll
2009-02-28 11:13 . 2009-02-28 11:13 705 --a------ C:\mseljj.exe
2009-02-28 11:13 . 2009-02-28 11:13 2 --a------ C:\-2072709808
2009-02-28 11:13 . 2009-02-28 12:27 0 --a------ c:\windows\SYSTEM32\DRIVERS\e4821216.sys
2009-02-28 11:12 . 2009-02-28 11:12 88,064 --a------ c:\windows\SYSTEM32\futddmdg.dll
2009-02-28 11:12 . 2009-02-28 11:12 39,936 --a------ C:\wjfrks.exe
2009-02-28 11:12 . 2009-02-28 11:12 39,936 --a------ c:\windows\Xyijoha.dll
2009-02-23 00:00 . 2009-02-23 00:01 <DIR> d-------- c:\program files\FileZilla FTP Client
2009-02-22 23:57 . 2009-02-23 08:44 <DIR> d-------- c:\program files\backups
2009-02-22 23:38 . 2009-02-22 23:38 <DIR> d-------- c:\program files\Secunia
2009-02-22 23:34 . 2009-02-22 23:34 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-22 23:34 . 2009-02-22 23:34 <DIR> d-------- c:\documents and settings\Ryan Townsend\Application Data\Malwarebytes
2009-02-22 23:34 . 2009-02-22 23:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-22 23:34 . 2009-02-11 10:19 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-02-22 23:34 . 2009-02-11 10:19 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-02-22 23:08 . 2009-02-22 23:08 301,056 --a------ c:\windows\SYSTEM32\vtUnlmnN.dll.vir
2009-02-22 22:17 . 2009-02-22 02:23 104,960 --a------ c:\windows\SYSTEM32\stu2.exe
2009-02-22 11:10 . 2009-02-22 11:10 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-02-20 23:27 . 2009-02-20 23:27 301,056 --a------ c:\windows\SYSTEM32\opnonnOH.dll
2009-02-20 23:27 . 2009-02-23 00:07 3,024 --a------ c:\windows\bmdkbepc
2009-02-07 16:41 . 2009-02-07 16:41 61 ---hs---- c:\windows\cnerolf.dat
2009-02-07 16:38 . 2009-02-14 18:09 <DIR> d-------- c:\program files\FSFlyingSchool
2009-02-01 14:00 . 2009-02-01 14:00 82 --a------ c:\windows\SimViewJr.ini
2009-02-01 13:52 . 2009-02-01 13:52 <DIR> d-------- C:\Jeppesen
2009-02-01 13:52 . 2003-04-04 09:46 180,224 --a------ c:\windows\SYSTEM32\mrvtcl.dll
2009-02-01 13:52 . 2003-04-09 18:11 69,632 --a------ c:\windows\SYSTEM32\mrvdrv.dll
2009-02-01 13:52 . 2001-03-06 18:27 6,676 -ra------ c:\windows\SYSTEM32\jeppesen.tls
2009-02-01 13:52 . 2001-03-06 18:27 1,932 -ra------ c:\windows\SYSTEM32\lssdef.tcl
2009-02-01 13:52 . 2009-02-06 17:52 1,206 --a------ c:\windows\SimView.ini
2009-02-01 13:52 . 2001-03-06 18:27 195 -ra------ c:\windows\SYSTEM32\jeppesen.tfl
2009-02-01 13:52 . 2009-02-01 13:52 57 --a------ c:\windows\Jeppesen.ini
2009-01-30 19:16 . 2005-10-14 22:42 46,592 --a------ c:\windows\SYSTEM32\hpzll43a.dll
2009-01-30 19:09 . 2005-03-14 12:03 278,584 --a------ c:\windows\SYSTEM32\HPZidr12.dll
2009-01-30 19:09 . 2005-03-14 12:05 204,800 --a------ c:\windows\SYSTEM32\HPZipr12.dll
2009-01-30 19:09 . 2005-03-08 11:55 94,208 --a------ c:\windows\SYSTEM32\HPZipt12.dll
2009-01-30 19:09 . 2005-03-14 12:05 69,632 --a------ c:\windows\SYSTEM32\HPZipm12.exe
2009-01-30 19:09 . 2005-03-14 13:39 65,536 --a------ c:\windows\SYSTEM32\HPZinw12.exe
2009-01-30 19:09 . 2005-03-08 11:55 57,344 --a------ c:\windows\SYSTEM32\HPZisn12.dll
2009-01-30 19:08 . 2009-01-30 19:09 <DIR> d-------- c:\program files\HP
2009-01-30 19:04 . 2005-10-28 15:11 614,400 --a------ c:\windows\SYSTEM32\hpotscl2.dll
2009-01-30 19:04 . 2005-10-28 15:11 602,112 --a------ c:\windows\SYSTEM32\hpowiax2.dll
2009-01-30 19:04 . 2005-10-27 17:23 282,624 --a------ c:\windows\SYSTEM32\HPZc3212.dll
2009-01-30 19:04 . 2005-10-28 15:11 254,026 --a------ c:\windows\SYSTEM32\hpovst09.dll
2009-01-30 19:04 . 2009-01-30 19:09 103,167 --a------ c:\windows\hpoins08.dat
2009-01-30 19:04 . 2005-09-09 15:28 98,304 --a------ c:\windows\SYSTEM32\hpzjsn01.dll
2009-01-30 19:04 . 2005-10-27 17:23 77,824 --a------ c:\windows\SYSTEM32\hpzids01.dll
2009-01-30 19:04 . 2005-10-27 17:24 49,664 --a------ c:\windows\SYSTEM32\DRIVERS\HPZid412.sys
2009-01-30 19:04 . 2005-10-27 17:24 21,568 --a------ c:\windows\SYSTEM32\DRIVERS\HPZius12.sys
2009-01-30 19:04 . 2005-10-27 17:24 16,496 --a------ c:\windows\SYSTEM32\DRIVERS\HPZipr12.sys
2009-01-30 19:04 . 2006-01-24 13:03 4,445 --------- c:\windows\hpomdl08.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-28 21:03 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-28 20:59 --------- d-----w c:\documents and settings\All Users\Application Data\DIGStream
2009-02-28 20:44 18,571 ----a-w c:\program files\hijackthis.log
2009-02-27 07:43 --------- d-----w c:\documents and settings\Ryan Townsend\Application Data\Azureus
2009-02-13 04:04 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-07 03:43 --------- d-----w c:\program files\Microsoft Games
2009-02-01 21:52 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-17 21:26 --------- d-----w c:\program files\Elaborate Bytes
2006-02-26 06:05 24,192 ----a-w c:\documents and settings\Ryan Townsend\usbsermptxp.sys
2006-02-26 06:05 22,768 ----a-w c:\documents and settings\Ryan Townsend\usbsermpt.sys
2005-02-16 15:06 218,112 ----a-w c:\program files\HijackThis.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-02-22_23.17.34.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-23 06:00:51 16,384 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2009-02-28 20:58:09 16,384 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2009-02-23 06:00:51 32,768 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2009-02-28 20:58:09 32,768 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2009-02-23 06:00:51 49,152 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
+ 2009-02-28 20:58:09 49,152 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
+ 2008-12-10 14:17:14 7,808 ----a-w c:\windows\SYSTEM32\DRIVERS\psi_mf.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{32099AAC-C132-4136-9E9A-4E364A424E17}"= "c:\program files\DAEMON Tools Toolbar\DTToolbar.dll" [2008-08-08 691656]

[HKEY_CLASSES_ROOT\clsid\{32099aac-c132-4136-9e9a-4e364a424e17}]
[HKEY_CLASSES_ROOT\DTToolbar.ToolBandObj.1]
[HKEY_CLASSES_ROOT\TypeLib\{3E288F79-03E4-4983-A48E-0D879B51FF19}]
[HKEY_CLASSES_ROOT\DTToolbar.ToolBandObj]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{32099AAC-C132-4136-9E9A-4E364A424E17}"= "c:\program files\DAEMON Tools Toolbar\DTToolbar.dll" [2008-08-08 691656]

[HKEY_CLASSES_ROOT\clsid\{32099aac-c132-4136-9e9a-4e364a424e17}]
[HKEY_CLASSES_ROOT\DTToolbar.ToolBandObj.1]
[HKEY_CLASSES_ROOT\TypeLib\{3E288F79-03E4-4983-A48E-0D879B51FF19}]
[HKEY_CLASSES_ROOT\DTToolbar.ToolBandObj]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"isnooze"="c:\program files\iSnooze\iSnooze.exe" [2004-10-18 581632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2008-06-29 52168]
"ituneshelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Esebozewujon"="c:\windows\Xyijoha.dll" [2009-02-28 39936]
"Clitihagonaman"="c:\windows\ehiwogijanilerih.dll" [2009-02-28 134144]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-14 169984]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"MPlayer2_FixUp"="c:\windows\inf\unregmp2.exe" [2007-06-26 317440]
"WMC_WMPDBExport"="c:\program files\Windows Media Player\wmdbexport.exe" [2006-10-18 493568]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-18 2247]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=eyvpnu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.UYVY"= c:\windows\System32\msyuv.DLL
"VIDC.YUY2"= ATIVYUY.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VTAgentReboot.exe]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VTAgentReboot.exe
backup=c:\windows\pss\VTAgentReboot.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ryan Townsend^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Ryan Townsend\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Ryan Townsend^Start Menu^Programs^Startup^Secunia PSI.lnk]
path=c:\documents and settings\Ryan Townsend\Start Menu\Programs\Startup\Secunia PSI.lnk
backup=c:\windows\pss\Secunia PSI.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2004-12-13 22:12 483328 c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2003-08-01 07:31 61440 c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2006-05-10 07:12 90112 c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2006-04-13 09:20 59040 c:\program files\Common Files\Symantec Shared\CCAPP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Clitihagonaman]
--a------ 2009-02-28 11:25 134144 c:\windows\ehiwogijanilerih.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]
--a------ 2002-09-29 22:00 45056 c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 04:42 15360 c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctsysvol]
--a------ 2002-10-29 06:18 49152 c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeadAIM]
--a------ 2003-02-24 12:11 266313 c:\progra~1\AIM\DeadAIM.ocm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream]
--a------ 2005-05-18 10:49 282624 c:\program files\DIGStream\digstream.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-03-14 22:04 122933 c:\windows\SYSTEM32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
--a------ 2003-08-13 07:27 28672 c:\windows\SYSTEM32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Esebozewujon]
--a------ 2009-02-28 11:12 39936 c:\windows\Xyijoha.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a------ 2003-09-03 17:12 221184 c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2003-10-06 07:05 53248 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-14 04:42 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2006-01-24 07:37 7094272 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 07:50 155648 c:\windows\SYSTEM32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2003-08-26 16:47 204800 c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
--a------ 2006-07-31 16:27 208941 c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2006-07-31 16:27 208941 c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2006-08-21 08:38 100056 c:\progra~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-07-31 16:26 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
--a------ 2006-09-07 09:19 15872 c:\program files\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-18 22:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2004-11-22 04:18 307200 c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-10 22:00 90112 c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cthelper]
--a------ 2003-10-06 10:57 24576 c:\windows\SYSTEM32\CTHELPER.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpnsvr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"54889:TCP"= 54889:TCP:Az
"54889:UDP"= 54889:UDP:Az1
"55001:TCP"= 55001:TCP:Az3
"55001:UDP"= 55001:UDP:Az4

R0 HFXP2;HFXP2;c:\windows\SYSTEM32\DRIVERS\hfxp2.sys [2004-12-30 11648]
R2 NwSapAgent;SAP Agent;c:\windows\System32\svchost.exe -k netsvcs [2004-03-19 14336]
R2 TTDec;ATI WDM Teletext Decoder;c:\windows\SYSTEM32\DRIVERS\atinttxx.sys [2005-02-07 13824]
S0 mzvtwjtt;mzvtwjtt;c:\windows\SYSTEM32\DRIVERS\dmucjvny.sys []
S1 e4821216;e4821216;c:\windows\SYSTEM32\DRIVERS\e4821216.sys [2009-02-28 0]
S2 ATIXBAR;ATI TV Wonder WDM Audio Crossbar;c:\windows\SYSTEM32\DRIVERS\ativxstw.sys [2005-02-07 33712]
S2 BT848;ATI TV Wonder BtCap, WDM Video Capture;c:\windows\SYSTEM32\DRIVERS\BT848.sys [2005-02-07 208720]
S2 BTTUNER;ATI TV Wonder TVTuner, WDM TvTuner;c:\windows\SYSTEM32\DRIVERS\ativtutw.sys [2005-02-07 28624]
S2 BTXBAR;ATI TV Wonder WDM Video Crossbar;c:\windows\SYSTEM32\DRIVERS\btxbar.sys [2005-02-07 10512]
S2 gupdate;Google Update Service;c:\program files\Google\Update\GoogleUpdate.exe [2008-08-01 133104]
S2 IBServ;Imap Burn Control;c:\windows\system32\IBCServ.exe --> c:\windows\system32\IBCServ.exe [?]
S2 Remote Control;Remote Control;c:\program files\firefly-remote\firefly.exe --> c:\program files\firefly-remote\firefly.exe [?]
S3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;c:\windows\SYSTEM32\DRIVERS\m4301A.sys [2006-05-11 83552]
S3 PSI;PSI;c:\windows\SYSTEM32\DRIVERS\psi_mf.sys [2008-12-10 7808]
.
Contents of the 'Scheduled Tasks' folder

2009-02-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-02-28 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-08-29 11:37]

2004-06-30 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2008-04-14 04:42]

2009-02-28 c:\windows\Tasks\McAfee.com Update Check (RYAN-Ryan Townsend).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe []

2009-02-28 c:\windows\Tasks\McAfee.com Update Check (RYAN-Ryan Townsend).job
- c:\progra~1\mcafee.com\agent []

2009-02-28 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Ryan Townsend.job
- c:\progra~1\NORTON~1\Navw32.exe [2005-10-19 08:54]
.
- - - - ORPHANS REMOVED - - - -

BHO-{C5BF49A2-94F3-42BD-F434-3604812C8955} - c:\windows\system32\hhs3ijndfd.dll
SharedTaskScheduler-{C5BF49A2-94F3-42BD-F434-3604812C8955} - c:\windows\system32\hhs3ijndfd.dll
MSConfigStartUp-8474f5ff - c:\windows\system32\dvtuhgae.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Download All by FlashGet - c:\program files\FlashGet\jc_all.htm
IE: Download using FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Ryan Townsend\Application Data\Mozilla\Firefox\Profiles\ya028bam.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\Google\Google Gears\Firefox\components\gears.dll
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJPI150.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npietab.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-28 13:31:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

c:\windows\explorer.exe [1368] 0x86C1A358

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\dmucjvny.sys 25088 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1613631055-631720830-4084893437-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A411E60C-E85A-983B-2964-FDF35B8E826C}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oaibcnbhfknadfifolocibigmehbjc"=hex:64,61,69,6c,61,70,6c,61,00,00
"oaediomccbbpaanepalgnkhjfffgfm"=hex:6a,61,69,6c,6a,6d,6a,61,65,63,6a,6f,67,6c,
6c,66,62,6c,6e,6b,00,17
"naoclafomafiflkdgajfniigdjfg"=hex:6a,61,69,6c,6b,6d,61,62,61,66,62,6a,61,64,
64,63,61,6d,6d,6d,00,17
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(940)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ati2evxx.exe
c:\windows\SYSTEM32\ati2evxx.exe
c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\windows\SYSTEM32\TCPSVCS.EXE
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Norton AntiVirus\NAVAPSVC.EXE
c:\program files\Norton AntiVirus\IWP\NPFMNTOR.EXE
c:\windows\SYSTEM32\HPZipm12.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\wanmpsvc.exe
c:\windows\SYSTEM32\MsPMSPSv.exe
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\windows\SYSTEM32\wscntfy.exe
c:\windows\SYSTEM32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
.
**************************************************************************
.
Completion time: 2009-02-28 13:46:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-28 21:46:14
ComboFix2.txt 2009-02-23 07:21:56

Pre-Run: 3,344,859,136 bytes free
Post-Run: 3,314,221,056 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
417 --- E O F --- 2009-02-13 04:09:49

ryanjt
2009-03-01, 00:07
Post-combofix HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:46:59 PM, on 2/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\iSnooze\iSnooze.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [ituneshelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Esebozewujon] rundll32.exe "C:\WINDOWS\Xyijoha.dll",e
O4 - HKLM\..\Run: [Clitihagonaman] rundll32.exe "C:\WINDOWS\ehiwogijanilerih.dll",e
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [isnooze] C:\Program Files\iSnooze\iSnooze.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126057634845
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175529866322
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: eyvpnu.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - %fystemRoot%\system32\svchost.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Update Service (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe" /svc (file missing)
O23 - Service: Imap Burn Control (IBServ) - Unknown owner - C:\WINDOWS\system32\IBCServ.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Control - Unknown owner - C:\Program Files\firefly-remote\firefly.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

ryanjt
2009-03-01, 03:23
Lastly, a MalwareBytes log, run after ComboFix.

Malwarebytes' Anti-Malware 1.34
Database version: 1795
Windows 5.1.2600 Service Pack 3

2/28/2009 5:12:33 PM
mbam-log-2009-02-28 (17-12-30).txt

Scan type: Full Scan (C:\|)
Objects scanned: 252411
Time elapsed: 1 hour(s), 31 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\Xyijoha.dll (Trojan.BHO) -> No action taken.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\esebozewujon (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\clitihagonaman (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Xyijoha.dll (Trojan.BHO) -> No action taken.
C:\mseljj.exe (Trojan.TinyDownloader705) -> No action taken.
C:\vlcj.exe (Trojan.Downloader) -> No action taken.
C:\wjfrks.exe (Trojan.Agent) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\crypts.dll.vir (Trojan.Downloader) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACfnbxonro.dll.vir (Rootkit.TDSS) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACqophkvkn.dll.vir (Rootkit.TDSS) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACtkdckafg.dll.vir (Trojan.TDSS) -> No action taken.
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP0\A0000001.dll (Trojan.TDSS) -> No action taken.
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP0\A0000002.dll (Rootkit.TDSS) -> No action taken.
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP0\A0000003.dll (Rootkit.TDSS) -> No action taken.
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP0\A0000021.dll (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP0\A0000072.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\ehiwogijanilerih.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\SYSTEM32\uacinit.dll (Trojan.Agent) -> No action taken.