
Thread: can't get rid of virtumonde

  1. #1
    Junior Member | Join Date: Dec 2007 | Posts: 25

    can't get rid of virtumonde

    Help, please!! I've been trying to get rid of it for weeks, using Spybot and Avast. I also had another anti-virus program (System Suite), but after I used it for a few days, I seemed to be having more problems than I started with, so I don't know if it got infected too or what..... Anyways, in the process I managed to delete some essential things (like shell and other things that Windows has a fit about every time I boot up. Yet everything seems to run OK. It just says shell.exe is missing).
    I've done everything in the S&D "do this before posting" post, I think....
    Here is the HJT log.
    HJT log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:27:25 AM, on 12/31/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmr...1&bm=ho_search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.opendiary.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ario&pf=laptop
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...ario&pf=laptop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = oilcity.BESS.USACHOICE.NET:8968
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\SpyGuardPro\bm.exe" dm=http://spyguardpro.com; ad=http://spyguardpro.com
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
    O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [abejwdkp] rundll32.exe "C:\Program Files\vwvabwnw\javgbwxo.dll",Init
    O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
    O4 - HKLM\..\Run: [03bf9356] rundll32.exe "C:\WINDOWS\system32\pppbeiom.dll",b
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
    O4 - HKCU\..\Run: [Sonic RecordNow!] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - S-1-5-18 Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe (User 'SYSTEM')
    O4 - S-1-5-18 Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsrngt.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe (User 'Default user')
    O4 - .DEFAULT Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsrngt.exe (User 'Default user')
    O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsrngt.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    --
    End of file - 8822 bytes
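Reading a HijackThis log by eye is what the helpers in this thread do; as an added example (my code, not the poster's and not part of HijackThis), the Python script below parses HijackThis-style entry lines and flags the patterns visible in the log above: a `Shell=` value that launches something besides Explorer.exe, a populated `AppInit_DLLs`, `rundll32` entries that load eight-letter pseudo-random DLL names, a process name one edit away from a real system binary (spoolvs.exe vs spoolsv.exe), non-ASCII letters in a path, and orphaned `(file missing)` entries. The sample lines are constructed from entries in this log; the `[wowexec]` line is constructed from the Fonts\wowexec.exe path in the Kaspersky report later in the thread. The rule ids, severities, the eight-letter heuristic and the list of imitated system binaries are my own assumptions for triage, not output of any tool.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample modelled on entries in the log above; the [wowexec] line is
# constructed from the Fonts\wowexec.exe path in the Kaspersky report later in
# the thread, with its Cyrillic and Greek "o" written as \u escapes.
SAMPLE_LOG = "\n".join([
    "F2 - REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\shell.exe",
    "F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,userinit.exe",
    "O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe",
    'O4 - HKLM\\..\\Run: [abejwdkp] rundll32.exe "C:\\Program Files\\vwvabwnw\\javgbwxo.dll",Init',
    'O4 - HKLM\\..\\Run: [03bf9356] rundll32.exe "C:\\WINDOWS\\system32\\pppbeiom.dll",b',
    "O4 - HKCU\\..\\Run: [Spoolsv] C:\\WINDOWS\\system32\\spoolvs.exe",
    "O4 - HKCU\\..\\Run: [wowexec] C:\\Documents and Settings\\Staples"
    "\\Application Data\\F\u043ents\\w\u03bfwexec.exe",
    "O20 - AppInit_DLLs: c:\\windows\\system32\\ldcore.dll",
    "O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner"
    " - C:\\Program Files\\Norton AntiVirus\\navapsvc.exe (file missing)",
    "O2 - BHO: (no name) - {2ab12d73-6394-4222-9c0b-c8a8f73c4c01}"
    " - C:\\WINDOWS\\system32\\fpkyjhb.dll (file missing)",
])

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Drive-letter path up to its .exe/.dll; non-greedy so ",Init" and "(file missing)" stay out.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll)\b", re.IGNORECASE)
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")  # heuristic: 8 lowercase letters, as seen in this log
KNOWN_SYSTEM_BINARIES = ("spoolsv.exe", "svchost.exe", "lsass.exe", "csrss.exe",  # names malware imitates
                         "winlogon.exe", "services.exe", "explorer.exe", "userinit.exe")


@dataclass
class Entry:
    section: str  # HijackThis section code such as "O4", "F2", "O20"
    body: str     # everything after the "O4 - " prefix


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low" (my own scale)
    rule: str      # short rule id
    detail: str    # human-readable explanation
    body: str      # the log line body that triggered the rule


def parse_log(text: str) -> list[Entry]:
    """Keep only lines shaped like HijackThis entries; headers and the process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def one_edit_away(a: str, b: str) -> bool:
    """True if a != b and one substitution, insertion, deletion or adjacent swap turns a into b."""
    if a == b:
        return False
    if len(a) == len(b):
        diffs = [i for i in range(len(a)) if a[i] != b[i]]
        if len(diffs) == 1:
            return True
        return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
                and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]])
    if abs(len(a) - len(b)) == 1:
        short, long_ = sorted((a, b), key=len)
        return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))
    return False


def triage(entries: list[Entry]) -> list[Finding]:
    findings: list[Finding] = []
    for e in entries:
        paths = PATH_RE.findall(e.body)
        names = [basename(p) for p in paths]
        if e.section == "F2" and "Shell=" in e.body:
            value = e.body.split("Shell=", 1)[1].strip()
            if value.lower() != "explorer.exe":  # anything beyond Explorer.exe is a second shell
                findings.append(Finding("high", "shell-hijack", f"Shell= runs {value!r}", e.body))
        if e.section == "O20" and e.body.startswith("AppInit_DLLs:"):
            value = e.body.split(":", 1)[1].strip()
            if value:  # a populated AppInit_DLLs is loaded into every process that maps user32.dll
                findings.append(Finding("high", "appinit-dll", f"AppInit_DLLs set to {value}", e.body))
        if e.section == "O4" and "rundll32" in e.body.lower():
            for n in names:
                if RANDOM_DLL_RE.match(n):
                    findings.append(Finding("high", "rundll32-random-dll", f"rundll32 loads {n}", e.body))
        for n in names:
            for legit in KNOWN_SYSTEM_BINARIES:
                if one_edit_away(n, legit):
                    findings.append(Finding("high", "typosquat", f"{n} imitates {legit}", e.body))
        if any(ord(ch) > 127 for p in paths for ch in p):
            findings.append(Finding("medium", "homoglyph-path", "non-ASCII letters in path", e.body))
        if "(file missing)" in e.body or "(no file)" in e.body:
            findings.append(Finding("low", "orphan", "entry points to a file that no longer exists", e.body))
    return findings
```

Feed `triage(parse_log(text))` the text of a saved log; the process list and header lines are ignored because they do not match the `O4 - ...` entry shape. The typosquat rule deliberately reports names at edit distance exactly 1, so the legitimate `userinit.exe` in the `F2` line is not flagged while `spoolvs.exe` is.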

  2. #2
    Junior Member | Join Date: Dec 2007 | Posts: 25

    Kaspersky log

    Too long for one post, so I cut off the last bit to limit to 2 initial posts. Ty.

    Monday, December 31, 2007 1:05:57 AM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 31/12/2007
    Kaspersky Anti-Virus database records: 500603

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 93092
    Number of viruses found: 20
    Number of infected objects: 118
    Number of suspicious objects: 0
    Duration of the scan process: 01:39:10

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack4.zip/shell.exe Infected: Trojan-Downloader.Win32.Agent.eus skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack4.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack5.zip/spoolvs.exe Infected: Trojan-Downloader.Win32.Agent.eus skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack5.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack6.zip/findfast.exe Infected: Trojan-Downloader.Win32.Agent.eus skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack6.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack7.zip/autorun.exe Infected: Trojan-Downloader.Win32.Agent.eus skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack7.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack8.zip/printer.exe Infected: Trojan-Downloader.Win32.Agent.eus skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack8.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc.zip/pldbddak.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc1.zip/ifycisbj.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc1.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc12.zip/seitgubc.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc12.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc17.zip/jypusdgj.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc17.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc20.zip/jypusdgj.exe_old Infected: Trojan-Downloader.Win32.Agent.gwe skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc20.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc21.zip/jypusdgj.exe_old Infected: Trojan-Downloader.Win32.Agent.gwe skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc21.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc24.zip/gootxwwx.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc24.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc25.zip/ewcvemxu.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc25.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc30.zip/blpaykco.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc30.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc6.zip/xvusmclq.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc6.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc7.zip/dydsyjho.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc7.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip/uf193.exe Infected: not-a-virus:AdWare.Win32.Agent.ta skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip/Yazzle1549OinUninstaller.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip/Yazzle1549OinUninstaller.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip ZIP: infected - 2 skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Staples\Application Data\Fоnts\wοwexec.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gq skipped
    C:\Documents and Settings\Staples\Application Data\Mozilla\Firefox\Profiles\lkxxr0wf.default\cert8.db Object is locked skipped
    C:\Documents and Settings\Staples\Application Data\Mozilla\Firefox\Profiles\lkxxr0wf.default\history.dat Object is locked skipped
    C:\Documents and Settings\Staples\Application Data\Mozilla\Firefox\Profiles\lkxxr0wf.default\key3.db Object is locked skipped
    C:\Documents and Settings\Staples\Application Data\Mozilla\Firefox\Profiles\lkxxr0wf.default\parent.lock Object is locked skipped
    C:\Documents and Settings\Staples\Application Data\Mozilla\Firefox\Profiles\lkxxr0wf.default\search.sqlite Object is locked skipped
    C:\Documents and Settings\Staples\Application Data\Mozilla\Firefox\Profiles\lkxxr0wf.default\urlclassifier2.sqlite Object is locked skipped
    C:\Documents and Settings\Staples\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0e0e-15859d06.zip/vlocal.class Infected: Trojan-Downloader.Java.Agent.f skipped
    C:\Documents and Settings\Staples\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0e0e-15859d06.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\Staples\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-6b26dca8-7e5f8e84.zip/vlocal.class Infected: Trojan-Downloader.Java.Agent.f skipped
    C:\Documents and Settings\Staples\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-6b26dca8-7e5f8e84.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\Staples\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Staples\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Staples\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Staples\Local Settings\Application Data\Mozilla\Firefox\Profiles\lkxxr0wf.default\Cache\_CACHE_001_ Object is locked skipped
    C:\Documents and Settings\Staples\Local Settings\Application Data\Mozilla\Firefox\Profiles\lkxxr0wf.default\Cache\_CACHE_002_ Object is locked skipped
    C:\Documents and Settings\Staples\Local Settings\Application Data\Mozilla\Firefox\Profiles\lkxxr0wf.default\Cache\_CACHE_003_ Object is locked skipped
    C:\Documents and Settings\Staples\Local Settings\Application Data\Mozilla\Firefox\Profiles\lkxxr0wf.default\Cache\_CACHE_MAP_ Object is locked skipped
    C:\Documents and Settings\Staples\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Staples\Local Settings\Temp\T0CHD001.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ac skipped
    C:\Documents and Settings\Staples\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\Staples\Local Settings\Temporary Internet Files\Content.IE5\0TE345EF\gamadril20071203[1] Infected: Backdoor.Win32.Agent.dbm skipped
    C:\Documents and Settings\Staples\Local Settings\Temporary Internet Files\Content.IE5\0XYV8927\in[1].htm Infected: Trojan-Clicker.Win32.Agent.lw skipped
    C:\Documents and Settings\Staples\Local Settings\Temporary Internet Files\Content.IE5\5OWN9PS5\ptch[1] Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
    C:\Documents and Settings\Staples\Local Settings\Temporary Internet Files\Content.IE5\F2ZVW8SP\gamadril20071203[1] Infected: Backdoor.Win32.Agent.dbm skipped
    C:\Documents and Settings\Staples\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Staples\Local Settings\Temporary Internet Files\Content.IE5\O10ZWN8Z\in[1].htm Infected: Exploit.HTML.IESlice.aj skipped
    C:\Documents and Settings\Staples\Local Settings\Temporary Internet Files\Content.IE5\OXM3KD2R\ptch[1] Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
    C:\Documents and Settings\Staples\Local Settings\Temporary Internet Files\Content.IE5\W1QRWHAV\hctp[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
    C:\Documents and Settings\Staples\Local Settings\Temporary Internet Files\Content.IE5\Z67B3A56\ptch[1] Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
    C:\Documents and Settings\Staples\ntuser.dat Object is locked skipped
    C:\Documents and Settings\Staples\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
    C:\Program Files\Norton AntiVirus\Quarantine\0AEB2BD0.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
    C:\Program Files\Norton AntiVirus\Quarantine\167B67CF.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
    C:\Program Files\Norton AntiVirus\Quarantine\21BC3DC4/UDC6_0001_D19M1908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ar skipped
    C:\Program Files\Norton AntiVirus\Quarantine\21BC3DC4 CAB: infected - 1 skipped
    C:\Program Files\Norton AntiVirus\Quarantine\21BC3DC4 CryptFF: infected - 1 skipped
    C:\Program Files\Norton AntiVirus\Quarantine\24E9762F.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
    C:\Program Files\Norton AntiVirus\Quarantine\2D9C5FCC.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
    C:\Program Files\Norton AntiVirus\Quarantine\45234DD1.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
    C:\Program Files\Norton AntiVirus\Quarantine\5C4345CE.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
    C:\Program Files\Norton AntiVirus\Quarantine\61170A1B.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
    C:\Program Files\Norton AntiVirus\Quarantine\611A3418.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
    C:\Program Files\Norton AntiVirus\Quarantine\611E5E14.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
    C:\Program Files\Norton AntiVirus\Quarantine\61210811.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
    C:\Program Files\Norton AntiVirus\Quarantine\6124320D.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
    C:\Program Files\Norton AntiVirus\Quarantine\61275C0A.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
    C:\Program Files\Norton AntiVirus\Quarantine\612B0606.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
    C:\Program Files\Norton AntiVirus\Quarantine\612E3002.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
    C:\Program Files\Norton AntiVirus\Quarantine\613159FF.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
    C:\Program Files\Norton AntiVirus\Quarantine\613503FB.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
    C:\Program Files\Norton AntiVirus\Quarantine\67D401CD.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
    C:\Program Files\Norton AntiVirus\Quarantine\6980554D.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP488\A0125952.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP488\A0125953.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP492\A0129971.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP493\A0132106.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP498\A0136265.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP500\A0136311.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP507\A0136679.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP507\A0136721.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
    C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP509\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\brlbyswe.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\cudrowaa.dll Infected: Trojan.Win32.Pakes.bwd skipped
    C:\WINDOWS\system32\dmdvpeej.dll Infected: Backdoor.Win32.Agent.dlj skipped
    C:\WINDOWS\system32\dqcgpdwr.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
    C:\WINDOWS\system32\dsldlake.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
    C:\WINDOWS\system32\dtdkywcf.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
    C:\WINDOWS\system32\epbyyfrt.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
    C:\WINDOWS\system32\flhtvcvx.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
    C:\WINDOWS\system32\fntampef.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
    C:\WINDOWS\system32\fuekmgml.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.af skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\hfykxryy.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
    C:\WINDOWS\system32\hgqqoiea.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
    C:\WINDOWS\system32\jiluhhvy.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
    C:\WINDOWS\system32\katzppd.exe Infected: Trojan.Win32.BHO.adb skipped
    C:\WINDOWS\system32\lbbtuaha.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
    C:\WINDOWS\system32\ljqpajvf.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
    C:\WINDOWS\system32\mrciipso.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
    C:\WINDOWS\system32\ochglpmg.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
    C:\WINDOWS\system32\osuyrvxp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
    C:\WINDOWS\system32\pkeqttip.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
    C:\WINDOWS\system32\qgekngaw.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
    C:\WINDOWS\system32\qjouujto.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
    C:\WINDOWS\system32\qojhkmpe.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
    C:\WINDOWS\system32\rahsxmrb.dll Infected: Backdoor.Win32.Agent.dlj skipped
    C:\WINDOWS\system32\sadoaqba.dll Infected: Backdoor.Win32.Agent.dlj skipped
    C:\WINDOWS\system32\sgvqeukw.dll Infected: Trojan.Win32.Pakes.bwd skipped
    C:\WINDOWS\system32\turqmqag.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped

  3. #3
    Security Expert: Emeritus | Join Date: Oct 2006 | Location: Finland | Posts: 29,374

    Hi imbrium and welcome to Safer Networking Forums

    Rename HijackThis.exe to imbrium.exe and post back a fresh HijackThis log, please.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  4. #4
    Junior Member | Join Date: Dec 2007 | Posts: 25

    Fresh HJT log as requested

    Thank you, here is the fresh log
    -----------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:08:48 PM, on 1/5/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\imbrium.exe.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmr...1&bm=ho_search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.opendiary.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ario&pf=laptop
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...ario&pf=laptop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = oilcity.BESS.USACHOICE.NET:8968
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe
    O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
    O2 - BHO: (no name) - {16FE2C61-5D28-4341-97C2-6C0B44598CDA} - (no file)
    O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
    O2 - BHO: (no name) - {20F05C23-C164-4187-A83A-C3EA0324A15D} - (no file)
    O2 - BHO: (no name) - {2862309B-63D5-4676-BF03-DC21753AA610} - (no file)
    O2 - BHO: (no name) - {2ab12d73-6394-4222-9c0b-c8a8f73c4c01} - C:\WINDOWS\system32\fpkyjhb.dll (file missing)
    O2 - BHO: (no name) - {2B488F67-72E2-4E5B-8401-1E3336D32938} - (no file)
    O2 - BHO: (no name) - {2D4D42BD-1819-4274-AAC5-C52EE9670916} - (no file)
    O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
    O2 - BHO: (no name) - {37E9381B-BA3B-4D96-95C4-5E29276B2178} - (no file)
    O2 - BHO: (no name) - {3D89CCC2-6284-41AF-91BD-DD0BFB93A4EE} - (no file)
    O2 - BHO: (no name) - {496E7215-C15D-447B-92A0-CBB97E5E5DB9} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
    O2 - BHO: (no name) - {60E2746A-9C2E-45A2-85CE-7E1A8A890961} - C:\WINDOWS\system32\nnnnlkj.dll (file missing)
    O2 - BHO: (no name) - {66E8E9C0-6F93-4C7A-A853-D4EDFCFE73DD} - (no file)
    O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
    O2 - BHO: (no name) - {6B56C040-BAB5-4231-B284-A20792FCFFD8} - (no file)
    O2 - BHO: (no name) - {7020CE4B-33AA-470E-BDF2-081B20B460E5} - (no file)
    O2 - BHO: (no name) - {745BF323-FF6B-4482-AAED-5D2CCE531400} - (no file)
    O2 - BHO: (no name) - {7A19E350-F306-4A8B-ABC4-04DCBCC964A8} - (no file)
    O2 - BHO: (no name) - {7BB9AABA-4E62-40D3-B847-CF4E4DA43546} - (no file)
    O2 - BHO: (no name) - {8A7D7827-7DB8-4D9C-97E6-765134A6578F} - (no file)
    O2 - BHO: (no name) - {8D21C199-4808-40C7-92C1-9C2E1010DA46} - (no file)
    O2 - BHO: BndDrive2 BHO Class - {8FB5B012-E8CB-46cd-B6D2-ED428FAE9043} - C:\Program Files\ISM\BndDrive5.dll (file missing)
    O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
    O2 - BHO: (no name) - {A2E8C107-2C3C-4B7C-89E3-AF0CF6128281} - (no file)
    O2 - BHO: (no name) - {A391CC61-B25C-47F3-858D-459AD027EB94} - (no file)
    O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
    O2 - BHO: aivskurq.msdn_hlp - {A6E432B4-D4C2-43B3-BF55-C364F8F7362A} - C:\WINDOWS\system32\aivskurq.dll (file missing)
    O2 - BHO: (no name) - {ACA7377C-7EBA-490C-954E-FD2FD7AB2D23} - (no file)
    O2 - BHO: (no name) - {B3888D44-45AC-7A71-DC27-4AE674810BEB} - C:\WINDOWS\system32\tmgk.dll (file missing)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {BF89A6BA-1504-4EE3-80E8-DAC608A88497} - C:\WINDOWS\system32\ddayw.dll
    O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
    O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
    O2 - BHO: (no name) - {C4D312AF-B4A9-4A5D-93EA-C993F911DF28} - (no file)
    O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
    O2 - BHO: (no name) - {E19C7167-E02B-45BB-B19D-FE05D08F503D} - (no file)
    O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
    O2 - BHO: (no name) - {E9B05884-6415-453D-A489-DB14D206C83A} - (no file)
    O2 - BHO: (no name) - {EBB0290C-0F2B-4429-99A7-09F5A86ABBB8} - (no file)
    O2 - BHO: (no name) - {FFAAD04C-41A7-447C-A69E-625993CE9D49} - C:\WINDOWS\system32\vtstu.dll (file missing)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\SpyGuardPro\bm.exe" dm=http://spyguardpro.com; ad=http://spyguardpro.com
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
    O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [abejwdkp] rundll32.exe "C:\Program Files\vwvabwnw\javgbwxo.dll",Init
    O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
    O4 - HKLM\..\Run: [03bf9356] rundll32.exe "C:\WINDOWS\system32\pppbeiom.dll",b
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
    O4 - HKCU\..\Run: [Sonic RecordNow!] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - S-1-5-18 Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe (User 'SYSTEM')
    O4 - S-1-5-18 Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsrngt.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe (User 'Default user')
    O4 - .DEFAULT Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsrngt.exe (User 'Default user')
    O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsrngt.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
    O20 - Winlogon Notify: nnnnlkj - nnnnlkj.dll (file missing)
    O20 - Winlogon Notify: pmnlkij - pmnlkij.dll (file missing)
    O20 - Winlogon Notify: winmyy32 - winmyy32.dll (file missing)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\ewxqpqob.exe (file missing)
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    --
    End of file - 12782 bytes
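
    Added example (not part of this thread, and not a HijackThis feature): a small Python script that applies, over a log like the one above, the checks a helper otherwise runs by eye. The sample input is a constructed excerpt of that log with a few clean avast and Adobe lines kept in. The rules it encodes: entries marked (file missing) or (no file) are orphaned registry references that HijackThis can delete but that have no file left on disk; an F2 Shell= value that lists anything beyond Explorer.exe is an extra logon shell, which is why a deleted C:\WINDOWS\shell.exe produces a "missing" message at every boot; AppInit_DLLs is empty on a clean XP install; rundll32 loading a DLL with a random 5-8 letter name, a hex-named Run value, an O23 service with "Unknown owner", and a system32 executable one letter away from a core Windows process name (spoolvs.exe against spoolsv.exe) are all flagged. The core-name list, the random-name pattern and the edit-distance threshold are heuristics chosen for this example, not anything the tool or the thread defines.

```python
"""Triage a HijackThis 2.0 log for the loaders a Virtumonde-style infection
leaves behind (added example for this thread, not a HijackThis feature)."""
import re
from dataclasses import dataclass

# Constructed sample: entries excerpted from the log posted above, with a few
# clean avast/Adobe lines kept so the rules have something to pass over.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2ab12d73-6394-4222-9c0b-c8a8f73c4c01} - C:\WINDOWS\system32\fpkyjhb.dll (file missing)
O2 - BHO: (no name) - {BF89A6BA-1504-4EE3-80E8-DAC608A88497} - C:\WINDOWS\system32\ddayw.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [abejwdkp] rundll32.exe "C:\Program Files\vwvabwnw\javgbwxo.dll",Init
O4 - HKLM\..\Run: [03bf9356] rundll32.exe "C:\WINDOWS\system32\pppbeiom.dll",b
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: nnnnlkj - nnnnlkj.dll (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\ewxqpqob.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Process names a dropper likes to imitate (spoolvs.exe beside the real spoolsv.exe).
# Heuristic list chosen for this example.
CORE_BINARIES = ("spoolsv", "svchost", "lsass", "csrss", "smss", "winlogon",
                 "services", "explorer", "userinit")
FILE_RE = re.compile(r"(?<![\w.])([\w~$-]+\.(?:exe|dll))\b", re.I)  # bare file names
RANDOM_NAME = re.compile(r"^[a-z]{5,8}$")    # Virtumonde-style random lowercase names
HEX_RUN_NAME = re.compile(r"^[0-9a-f]{8}$")  # Run value names such as [03bf9356]


@dataclass(frozen=True)
class Finding:
    reason: str
    line: str


def edit_distance(a, b):
    """Optimal string alignment distance: a transposition counts as one edit."""
    d = [[i if j == 0 else j for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike(name):
    """Core binary name this basename is one edit away from, or None."""
    for core in CORE_BINARIES:
        if name != core and edit_distance(name, core) <= 1:
            return core
    return None


def triage(log_text):
    """Return one Finding per (rule, line); a line can trigger several rules."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if " - " not in line:
            continue
        kind = line.split(" - ", 1)[0]                   # F2, O2, O4, O20, O23 ...
        files = [f.lower() for f in FILE_RE.findall(line)]
        names = [f.rsplit(".", 1)[0] for f in files]

        def flag(reason, line=line):
            findings.append(Finding(reason, line))

        if "(file missing)" in line or "(no file)" in line:
            flag("orphaned entry: registry still points at a file that is gone")
        if kind == "F2" and "Shell=" in line and files != ["explorer.exe"]:
            flag("extra Winlogon shell loader")           # the 'shell.exe is missing' message
        if kind == "F2" and "UserInit=" in line and len(files) != 1:
            flag("extra Userinit loader (review)")
        if kind == "O20" and "AppInit_DLLs" in line and files:
            flag("AppInit_DLLs injection (empty by default on XP)")
        if kind == "O23" and "Unknown owner" in line:
            flag("service with no vendor/version info")
        # Random names are only suspicious in a loader context; vendor binaries
        # such as ashDisp.exe have the same shape, so O4/O23 paths are not scored.
        loader = "rundll32" in line.lower() or kind == "O20" or (kind == "O2" and "(no name)" in line)
        if loader and any(RANDOM_NAME.match(n) for n in names):
            flag("random-name loader")
        m = re.search(r"\[([^\]]+)\]", line)
        if kind == "O4" and m and HEX_RUN_NAME.match(m.group(1)):
            flag("hex-named Run value")
        for n in names:
            core = lookalike(n)
            if core:
                flag(f"lookalike of {core}.exe")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:55s} {f.line}")
```

    Run it as-is to print the findings for the embedded sample, or feed a saved log through triage(open(path).read()). A flagged line is something to check, not proof of infection: the random-name rule deliberately ignores O4 and O23 paths because legitimate vendor binaries (ashDisp.exe, ashServ.exe) have names of the same shape, and the lookalike rule only catches names within one edit of the short core list above.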

  5. #5
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    Hi

    Did you previously have Norton, and have you uninstalled it?

    1. Download combofix from any of these links and save it to Desktop:
    Link 1
    Link 2
    Link 3

    **Note: It is important that it is saved directly to your desktop**

    2. Double-click combofix.exe and follow the prompts.
    3. When finished, it will produce a log for you (C:\ComboFix.txt). Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window while it's running; that may cause it to stall.

    ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
    If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any findstr, find, sed or swreg processes; ComboFix should then continue.
    If that happens, we want to know, and also which process you had to end.

    Post:

    - a fresh HijackThis log
    - combofix report

    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  6. #6
    Junior Member
    Join Date
    Dec 2007
    Posts
    25

    Post new HJT log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:48:04 PM, on 1/5/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\imbrium.exe.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.opendiary.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ario&pf=laptop
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...ario&pf=laptop
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = oilcity.BESS.USACHOICE.NET:8968
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {2ab12d73-6394-4222-9c0b-c8a8f73c4c01} - C:\WINDOWS\system32\fpkyjhb.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: aivskurq.msdn_hlp - {A6E432B4-D4C2-43B3-BF55-C364F8F7362A} - C:\WINDOWS\system32\aivskurq.dll (file missing)
    O2 - BHO: (no name) - {B3888D44-45AC-7A71-DC27-4AE674810BEB} - C:\WINDOWS\system32\tmgk.dll (file missing)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FFAAD04C-41A7-447C-A69E-625993CE9D49} - C:\WINDOWS\system32\vtstu.dll (file missing)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
    O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [03bf9356] rundll32.exe "C:\WINDOWS\system32\pppbeiom.dll",b
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
    O4 - HKCU\..\Run: [Sonic RecordNow!] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - S-1-5-18 Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe (User 'Default user')
    O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O20 - Winlogon Notify: nnnnlkj - nnnnlkj.dll (file missing)
    O20 - Winlogon Notify: pmnlkij - pmnlkij.dll (file missing)
    O20 - Winlogon Notify: winmyy32 - winmyy32.dll (file missing)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    --
    End of file - 8676 bytes

  7. #7
    Junior Member
    Join Date
    Dec 2007
    Posts
    25

    combofix pt 1

    ComboFix 08-01-04.1 - Staples 2008-01-05 13:22:53.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.178 [GMT -5:00]
    Running from: C:\Documents and Settings\Staples\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data.\salesmonitor
    C:\Documents and Settings\Staples\Application Data\FNTS~1
    C:\Documents and Settings\Staples\Application Data\FNTS~1\w?wexec.exe
    C:\Documents and Settings\Staples\Application Data\SpyGuardPro
    C:\Documents and Settings\Staples\Application Data\SpyGuardPro\avtasks.dat
    C:\Documents and Settings\Staples\Application Data\SpyGuardPro\Logs\av.log
    C:\Documents and Settings\Staples\Application Data\SpyGuardPro\Logs\ga6Support.log
    C:\Documents and Settings\Staples\Application Data\SpyGuardPro\Logs\update.log
    C:\Documents and Settings\Staples\Application Data\SpyGuardPro\PGE.dat
    C:\Documents and Settings\Staples\My Documents\ASKS~1
    C:\Documents and Settings\Staples\My Documents\ASKS~1\?ecurity\
    C:\Documents and Settings\Staples\ResErrors.log
    C:\Documents and Settings\Staples\Start Menu\Programs\Startup\TA_Start.lnk
    C:\Temp\1cb
    C:\Temp\1cb\syscheck.log
    C:\Temp\fCOe
    C:\Temp\fCOe\tOasF.log
    C:\temp\tn3
    C:\WINDOWS\absolute key logger.lnk
    C:\WINDOWS\aconti.exe
    C:\WINDOWS\aconti.log
    C:\WINDOWS\acontidialer.txt
    C:\WINDOWS\adbar.dll
    C:\WINDOWS\cbinst$.exe
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\daxtime.dll
    C:\WINDOWS\default.htm
    C:\WINDOWS\dp0.dll
    C:\WINDOWS\eventlowg.dll
    C:\WINDOWS\fhfmm-Uninstaller.exe
    C:\WINDOWS\fhfmm.exe
    C:\WINDOWS\flt.dll
    C:\WINDOWS\hotporn.exe
    C:\WINDOWS\ie_32.exe
    C:\WINDOWS\jd2002.dll
    C:\WINDOWS\kkcomp$.exe
    C:\WINDOWS\kkcomp.dll
    C:\WINDOWS\kkcomp.exe
    C:\WINDOWS\liqad$.exe
    C:\WINDOWS\liqad.dll
    C:\WINDOWS\liqad.exe
    C:\WINDOWS\liqui-Uninstaller.exe
    C:\WINDOWS\liqui.dll
    C:\WINDOWS\liqui.exe
    C:\WINDOWS\ngd.dll
    C:\WINDOWS\pbar.dll
    C:\WINDOWS\spredirect.dll
    C:\WINDOWS\system32\abqaodas.ini
    C:\WINDOWS\system32\acespy
    C:\WINDOWS\system32\acespy\__acelog.ndx
    C:\WINDOWS\system32\acespy\systune.exe
    C:\WINDOWS\system32\ahautbbl.ini
    C:\WINDOWS\system32\alygkbaj.dll
    C:\WINDOWS\system32\axqmkkfh.dll
    C:\WINDOWS\system32\brlbyswe.dll
    C:\WINDOWS\system32\brmxshar.ini
    C:\WINDOWS\system32\cdjadedu.ini
    C:\WINDOWS\system32\cudrowaa.dll
    C:\WINDOWS\system32\d3
    C:\WINDOWS\system32\ddayw.dll
    C:\WINDOWS\system32\din.ip
    C:\WINDOWS\system32\dmdvpeej.dll
    C:\WINDOWS\system32\dpqaqlqx.bin
    C:\WINDOWS\system32\dqcgpdwr.dll
    C:\WINDOWS\system32\drivers\blank.gif
    C:\WINDOWS\system32\drivers\box_1.gif
    C:\WINDOWS\system32\drivers\box_2.gif
    C:\WINDOWS\system32\drivers\box_3.gif
    C:\WINDOWS\system32\drivers\button_buynow.gif
    C:\WINDOWS\system32\drivers\button_freescan.gif
    C:\WINDOWS\system32\drivers\cell_bg.gif
    C:\WINDOWS\system32\drivers\cell_footer.gif
    C:\WINDOWS\system32\drivers\cell_header_block.gif
    C:\WINDOWS\system32\drivers\cell_header_remove.gif
    C:\WINDOWS\system32\drivers\cell_header_scan.gif
    C:\WINDOWS\system32\drivers\detect.htm
    C:\WINDOWS\system32\drivers\download_box.gif
    C:\WINDOWS\system32\drivers\download_btn.jpg
    C:\WINDOWS\system32\drivers\download_now_btn.gif
    C:\WINDOWS\system32\drivers\footer_back.jpg
    C:\WINDOWS\system32\drivers\header_1.gif
    C:\WINDOWS\system32\drivers\header_2.gif
    C:\WINDOWS\system32\drivers\header_3.gif
    C:\WINDOWS\system32\drivers\header_4.gif
    C:\WINDOWS\system32\drivers\header_red_bg.gif
    C:\WINDOWS\system32\drivers\header_red_free_scan.gif
    C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
    C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
    C:\WINDOWS\system32\drivers\infected.gif
    C:\WINDOWS\system32\drivers\main_back.gif
    C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
    C:\WINDOWS\system32\drivers\product_1_header.gif
    C:\WINDOWS\system32\drivers\product_1_name_small.gif
    C:\WINDOWS\system32\drivers\product_2_header.gif
    C:\WINDOWS\system32\drivers\product_2_name_small.gif
    C:\WINDOWS\system32\drivers\product_3_header.gif
    C:\WINDOWS\system32\drivers\product_3_name_small.gif
    C:\WINDOWS\system32\drivers\product_features.gif
    C:\WINDOWS\system32\drivers\pt.htm
    C:\WINDOWS\system32\drivers\rating.gif
    C:\WINDOWS\system32\drivers\s_detect.htm
    C:\WINDOWS\system32\drivers\screenshot.jpg
    C:\WINDOWS\system32\drivers\sep_hor.gif
    C:\WINDOWS\system32\drivers\sep_vert.gif
    C:\WINDOWS\system32\drivers\shadow.jpg
    C:\WINDOWS\system32\drivers\shadow_bg.gif
    C:\WINDOWS\system32\drivers\spacer.gif
    C:\WINDOWS\system32\drivers\spy_away_box.jpg
    C:\WINDOWS\system32\drivers\star.gif
    C:\WINDOWS\system32\drivers\star_gray.gif
    C:\WINDOWS\system32\drivers\star_gray_small.gif
    C:\WINDOWS\system32\drivers\star_small.gif
    C:\WINDOWS\system32\drivers\style.css
    C:\WINDOWS\system32\drivers\v.gif
    C:\WINDOWS\system32\drivers\warning_icon.gif
    C:\WINDOWS\system32\drivers\win_logo.gif
    C:\WINDOWS\system32\drivers\x.gif
    C:\WINDOWS\system32\dsldlake.dll
    C:\WINDOWS\system32\dtdkywcf.dll
    C:\WINDOWS\system32\ekaldlsd.ini
    C:\WINDOWS\system32\epbyyfrt.dll
    C:\WINDOWS\system32\epmkhjoq.ini
    C:\WINDOWS\system32\ESHOPEE.exe
    C:\WINDOWS\system32\ewsyblrb.ini
    C:\WINDOWS\system32\f22
    C:\WINDOWS\system32\flhtvcvx.dll
    C:\WINDOWS\system32\fntampef.dll
    C:\WINDOWS\system32\fuekmgml.dll
    C:\WINDOWS\system32\fvjapqjl.ini
    C:\WINDOWS\system32\gakxgkuf.ini
    C:\WINDOWS\system32\gkrajcyg.ini
    C:\WINDOWS\system32\gycjarkg.dll
    C:\WINDOWS\system32\hfkkmqxa.ini
    C:\WINDOWS\system32\hfykxryy.dll
    C:\WINDOWS\system32\hgqqoiea.dll
    C:\WINDOWS\system32\iwbrtrcp.dll
    C:\WINDOWS\system32\jeepvdmd.ini
    C:\WINDOWS\system32\jiluhhvy.exe
    C:\WINDOWS\system32\katzppd.exe
    C:\WINDOWS\system32\knxhgxjs.ini
    C:\WINDOWS\system32\lbbtuaha.dll
    C:\WINDOWS\system32\ldinfo.ldr
    C:\WINDOWS\system32\ljqpajvf.dll
    C:\WINDOWS\system32\lybsfosv.ini
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\meifsppq.dll
    C:\WINDOWS\system32\mkpdqjbu.ini
    C:\WINDOWS\system32\moiebppp.ini
    C:\WINDOWS\system32\mrciipso.dll
    C:\WINDOWS\system32\njnohjqn.ini
    C:\WINDOWS\system32\nqjhonjn.dll
    C:\WINDOWS\system32\ochglpmg.dll
    C:\WINDOWS\system32\oivdpnfl.dll
    C:\WINDOWS\system32\osuyrvxp.dll
    C:\WINDOWS\system32\oTt06e
    C:\WINDOWS\system32\oTt08e
    C:\WINDOWS\system32\p8
    C:\WINDOWS\system32\pac.txt
    C:\WINDOWS\system32\pbexunuv.ini
    C:\WINDOWS\system32\pkeqttip.dll
    C:\WINDOWS\system32\pxvryuso.ini
    C:\WINDOWS\system32\qgekngaw.dll
    C:\WINDOWS\system32\qjouujto.dll
    C:\WINDOWS\system32\qojhkmpe.dll
    C:\WINDOWS\system32\rahsxmrb.dll
    C:\WINDOWS\system32\rynfwlce.dll
    C:\WINDOWS\system32\s2
    C:\WINDOWS\system32\sadoaqba.dll
    C:\WINDOWS\system32\sgvqeukw.dll
    C:\WINDOWS\system32\sjxghxnk.dll
    C:\WINDOWS\system32\stfv.bin
    C:\WINDOWS\system32\sznf.ascii
    C:\WINDOWS\system32\tocymojp.ini
    C:\WINDOWS\system32\turqmqag.dll
    C:\WINDOWS\system32\u2
    C:\WINDOWS\system32\u2\atz28fu.exe
    C:\WINDOWS\system32\ubjqdpkm.dll
    C:\WINDOWS\system32\udedajdc.dll
    C:\WINDOWS\system32\ukbnmkjr.dll
    C:\WINDOWS\system32\ursqono.dll
    C:\WINDOWS\system32\usryxuyu.dll
    C:\WINDOWS\system32\utstv.bak1
    C:\WINDOWS\system32\utstv.ini
    C:\WINDOWS\system32\uyuxyrsu.ini
    C:\WINDOWS\system32\v1
    C:\WINDOWS\system32\v1\bcb49ene.exe
    C:\WINDOWS\system32\vdtiqbjv.ini
    C:\WINDOWS\system32\vghobuwy.ini
    C:\WINDOWS\system32\vhfgqylg.dll
    C:\WINDOWS\system32\vjbqitdv.dll
    C:\WINDOWS\system32\vsofsbyl.dll
    C:\WINDOWS\system32\vunuxebp.dll
    C:\WINDOWS\system32\vyfwpcsk.dll
    C:\WINDOWS\system32\wcpsvsu32.exe
    C:\WINDOWS\system32\wdhqabwf.dll
    C:\WINDOWS\system32\wwgmqpto.dll
    C:\WINDOWS\system32\wyadd.ini
    C:\WINDOWS\system32\wyadd.ini2
    C:\WINDOWS\system32\ytwldoxp.dll
    C:\WINDOWS\system32\ywubohgv.dll
    C:\WINDOWS\system32\yyrxkyfh.ini
    C:\WINDOWS\vxddsk.exe
    C:\WINDOWS\wml.exe
    C:\WINDOWS\xadbrk.dll
    C:\WINDOWS\xadbrk.exe
    C:\WINDOWS\xadbrk_.exe
    C:\WINDOWS\xxxvideo.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_CMDSERVICE
    -------\LEGACY_CORE
    -------\LEGACY_DOMAINSERVICE
    -------\LEGACY_FMTR
    -------\LEGACY_NETWORK_MONITOR
    -------\DomainService


    ((((((((((((((((((((((((( Files Created from 2007-12-05 to 2008-01-05 )))))))))))))))))))))))))))))))
    .

    2008-01-05 13:19 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-12-31 21:16 . 2008-01-01 21:16 294 --ahs---- C:\WINDOWS\system32\bitmiqsp.ini
    2007-12-31 02:26 . 2008-01-05 13:08 <DIR> d-------- C:\Program Files\Trend Micro
    2007-12-30 23:04 . 2007-12-30 23:04 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-12-30 23:04 . 2007-12-30 23:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-12-24 12:08 . 2007-10-10 18:55 6,065,664 --a------ C:\WINDOWS\system32\dllcache\ieframe.dll
    2007-12-24 12:08 . 2007-06-30 22:31 2,455,488 --a------ C:\WINDOWS\system32\dllcache\ieapfltr.dat
    2007-12-24 12:08 . 2007-06-30 22:36 991,232 --a------ C:\WINDOWS\system32\dllcache\ieframe.dll.mui
    2007-12-24 12:08 . 2007-10-10 18:55 459,264 --a------ C:\WINDOWS\system32\dllcache\msfeeds.dll
    2007-12-24 12:08 . 2007-10-10 18:55 383,488 --a------ C:\WINDOWS\system32\dllcache\ieapfltr.dll
    2007-12-24 12:08 . 2007-10-10 18:55 267,776 --a------ C:\WINDOWS\system32\dllcache\iertutil.dll
    2007-12-24 12:08 . 2007-10-10 18:55 63,488 --a------ C:\WINDOWS\system32\dllcache\icardie.dll
    2007-12-24 12:08 . 2007-10-10 18:55 52,224 --a------ C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    2007-12-24 12:08 . 2007-10-10 05:59 13,824 --a------ C:\WINDOWS\system32\dllcache\ieudinit.exe
    2007-12-17 16:45 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
    2007-12-17 16:45 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys
    2007-12-17 16:45 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
    2007-12-17 16:45 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\dllcache\kbdhid.sys
    2007-12-15 15:57 . 2007-12-15 15:57 <DIR> d-------- C:\spoolerlogs
    2007-12-08 21:29 . 2003-05-04 03:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
    2007-12-08 21:29 . 2003-05-04 03:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
    2007-12-08 21:29 . 2003-05-04 03:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
    2007-12-08 01:56 . 2007-12-08 02:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-12-08 01:02 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
    2007-12-08 01:02 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
    2007-12-08 01:02 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
    2007-12-08 01:02 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
    2007-12-08 01:02 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
    2007-12-08 01:02 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
    2007-12-08 00:59 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
    2007-12-08 00:59 . 2004-01-09 04:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
    2007-12-08 00:58 . 2007-12-08 00:58 <DIR> d-------- C:\Program Files\Alwil Software
    2007-12-08 00:06 . 2007-12-08 00:11 7,467,056 --a------ C:\Program Files\spybotsd15.exe
    2007-12-07 23:57 . 2007-12-07 23:58 18,500,624 --a------ C:\Program Files\setupeng.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-05 18:03 --------- d-----w C:\Program Files\Trillian
    2007-12-09 05:24 --------- d-----w C:\Program Files\Common Files\Ahead
    2007-12-08 17:47 --------- d-----w C:\Program Files\Norton AntiVirus
    2007-12-08 17:27 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-12-03 02:29 --------- d-----w C:\Documents and Settings\Staples\Application Data\VCOM
    2007-12-02 00:51 --------- d-----w C:\Documents and Settings\Staples\Application Data\Microsoft Web Folders
    2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
    2007-11-07 23:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
    2007-11-07 22:32 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VCOM
    2007-06-14 02:46 52,984 ---ha-w C:\Documents and Settings\Staples\Application Data\GDIPFONTCACHEV1.DAT
    2005-07-29 20:24 472 --sha-r C:\WINDOWS\U3RhcGxlcw\oal1w3U5wT.vbs
    .

    ((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ----a-w 28,738 2001-08-16 05:41:58 C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe

    ----a-w 110,592 2003-08-19 08:01:00 C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe

    ----a-w 71,280 2004-12-22 22:45:16 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe

    ----a-w 90,112 2002-10-07 04:23:20 C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\bak\hpqcmon.exe

    ----a-w 69,632 2002-04-17 14:42:56 C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe

    ----a-r 49,152 2002-12-17 18:40:22 C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd.exe
    ----a-r 49,152 2002-12-17 15:40:22 C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd.exe

    ----a-w 49,152 2003-05-23 03:03:16 C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\bak\hphupd05.exe

    ----a-w 208,958 2004-04-30 17:32:46 C:\Program Files\HPQ\Default Settings\bak\cpqset.exe

    ----a-w 286,720 2004-07-30 15:33:44 C:\Program Files\HPQ\Quick Launch Buttons\bak\EabServr.exe

    ----a-w 286,720 2004-04-21 18:28:18 C:\Program Files\iTunes\bak\iTunesHelper.exe
    ----a-w 286,720 2004-04-21 16:28:18 C:\Program Files\iTunes\iTunesHelper.exe

    ----a-w 32,881 2003-05-04 07:45:29 C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe

    ----a-w 725,046 2002-07-10 23:10:32 C:\Program Files\Microsoft Works\bak\WksSb.exe

    ----a-w 98,304 2003-05-04 08:58:39 C:\Program Files\QuickTime\bak\qttask.exe

    ----a-w 118,784 2004-06-17 20:43:58 C:\WINDOWS\system32\bak\hkcmd.exe

    ----a-w 483,328 2003-05-23 02:55:38 C:\WINDOWS\system32\bak\hphmon05.exe

    ----a-w 155,648 2004-06-17 20:48:08 C:\WINDOWS\system32\bak\igfxtray.exe

  8. #8
    Junior Member
    Join Date
    Dec 2007
    Posts
    25

    Default combofix pt 2

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16FE2C61-5D28-4341-97C2-6C0B44598CDA}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{20F05C23-C164-4187-A83A-C3EA0324A15D}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2862309B-63D5-4676-BF03-DC21753AA610}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2ab12d73-6394-4222-9c0b-c8a8f73c4c01}]
    C:\WINDOWS\system32\fpkyjhb.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B488F67-72E2-4E5B-8401-1E3336D32938}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2D4D42BD-1819-4274-AAC5-C52EE9670916}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37E9381B-BA3B-4D96-95C4-5E29276B2178}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3D89CCC2-6284-41AF-91BD-DD0BFB93A4EE}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{496E7215-C15D-447B-92A0-CBB97E5E5DB9}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60E2746A-9C2E-45A2-85CE-7E1A8A890961}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66E8E9C0-6F93-4C7A-A853-D4EDFCFE73DD}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6B56C040-BAB5-4231-B284-A20792FCFFD8}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7020CE4B-33AA-470E-BDF2-081B20B460E5}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{745BF323-FF6B-4482-AAED-5D2CCE531400}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7A19E350-F306-4A8B-ABC4-04DCBCC964A8}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7BB9AABA-4E62-40D3-B847-CF4E4DA43546}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A7D7827-7DB8-4D9C-97E6-765134A6578F}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8D21C199-4808-40C7-92C1-9C2E1010DA46}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8FB5B012-E8CB-46cd-B6D2-ED428FAE9043}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A2E8C107-2C3C-4B7C-89E3-AF0CF6128281}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A391CC61-B25C-47F3-858D-459AD027EB94}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6E432B4-D4C2-43B3-BF55-C364F8F7362A}]
    C:\WINDOWS\system32\aivskurq.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ACA7377C-7EBA-490C-954E-FD2FD7AB2D23}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3888D44-45AC-7A71-DC27-4AE674810BEB}]
    C:\WINDOWS\system32\tmgk.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C4D312AF-B4A9-4A5D-93EA-C993F911DF28}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E19C7167-E02B-45BB-B19D-FE05D08F503D}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E9B05884-6415-453D-A489-DB14D206C83A}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EBB0290C-0F2B-4429-99A7-09F5A86ABBB8}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFAAD04C-41A7-447C-A69E-625993CE9D49}]
    C:\WINDOWS\system32\vtstu.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]
    "Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23 102400]
    "Sonic RecordNow!"="C:\Program Files\Messenger\msmsgs.exe" [ ]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "plite731"="C:\WINDOWS\plite731.exe" [ ]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [ ]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [ ]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [ ]
    "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [ ]
    "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [ ]
    "Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [ ]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
    "Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [ ]
    "Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [ ]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [ ]
    "HPHUPD05"="c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [ ]
    "HPHmon05"="C:\WINDOWS\system32\hphmon05.exe" [ ]
    "HP Software Update"="c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 10:40 49152]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [ ]
    "eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [ ]
    "Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [ ]
    "CamMonitor"="C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe" [ ]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
    "03bf9356"="C:\WINDOWS\system32\pppbeiom.dll" [ ]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-04-24 11:17:08]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnnlkj]
    nnnnlkj.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnlkij]
    pmnlkij.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winmyy32]
    winmyy32.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2004-04-21 11:28 286720 --a------ C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SFP]
    C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tbsa]
    C:\DOCUME~1\Staples\MYDOCU~1\ASKS~1\wucrtupd.exe -vt yazb

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uun]
    C:\Documents and Settings\Staples\Application Data\F?nts\w?wexec.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "mnmsrvc"=3 (0x3)
    "LightScribeService"=2 (0x2)
    "iPodService"=3 (0x3)

    S2 IcRecUsb;IC Recorder Driver;C:\WINDOWS\system32\Drivers\IcRecUsb.sys [2001-10-01 22:37]
    S3 KFilter;KFilter;C:\PROGRA~1\VCOM\SYSTEM~1\KFilter.sys []
    S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 03:00]

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-01-05 01:00:06 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Staples.job"
    - C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
    "2008-01-05 18:36:03 C:\WINDOWS\Tasks\Symantec NetDetect.job"
    - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-05 13:36:36
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-05 13:39:39 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-01-05 18:39:28
    .
    2007-12-26 08:01:40 --- E O F ---

  9. #9
    Junior Member
    Join Date
    Dec 2007
    Posts
    25

    Default answer to AVS question- yes

    Oh, and yes, I did previously have Norton installed and then deleted it when my script ran out and I tried to install a new antivirus program.
    I should still have the original Norton software, if I can find it (I've moved since then)....

  10. #10
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    Thanks for the info.

    Then follow these instructions next.

    After that, make sure that Windows' own firewall is on.

    And then:

    We need first to disable TeaTimer so that it doesn't interfere with the fixes. You can re-enable it when you're clean again:

    1. Run Spybot-S&D in Advanced Mode.
    2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
    3. On the left hand side, Click on Tools
    4. Then click on the Resident Icon in the List
    5. Uncheck "Resident TeaTimer" and OK any prompts.
    6. Restart your computer.

    After that:

    Please download FindAWF and save it to your desktop

    • Double-click FindAWF.exe to start the tool.
    • Select option #1 - Scan for bak folders by typing 1 and press 'Enter'.
    • When the tool has completed, a report will open up in Notepad. Please post the results of the awf.txt here.


    **Do not run any other option unless directed to do so.**

    Post:

    - a fresh HijackThis log
    - awf report
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
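An added example, written for this thread and not code from FindAWF, ComboFix or the poster: it cross-references the ComboFix "AWF" section with the HKLM Run entries in the shape posted above, and flags every autorun target that has a copy under a sibling `bak` folder, which is the "bak folders" pattern the FindAWF scan above is asked to look for. The sample lines are constructed from the log above; 8.3 short names such as `PROGRA~1` are not expanded.

```python
import re

# Constructed sample lines, in the shape of the ComboFix sections posted above.
AWF_SECTION = r"""
----a-w 28,738 2001-08-16 05:41:58 C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe
----a-r 49,152 2002-12-17 18:40:22 C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd.exe
----a-r 49,152 2002-12-17 15:40:22 C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd.exe
----a-w 118,784 2004-06-17 20:43:58 C:\WINDOWS\system32\bak\hkcmd.exe
"""
RUN_SECTION = r"""
"HP Software Update"="c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 10:40 49152]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [ ]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [ ]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"""

# attributes, size, "date time", path
AWF_RE = re.compile(r"^(\S+)\s+([\d,]+)\s+(\S+ \S+)\s+(.+?)\s*$")
# "value name"="path" [file info or blank]
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)"\s*\[(.*?)\]\s*$')


def parse_awf(text):
    """Map the ORIGINAL location (lower-cased) of every file that sits under a
    'bak' folder to the size recorded for that backup copy."""
    baks = {}
    for line in text.splitlines():
        m = AWF_RE.match(line.strip())
        if not m:
            continue
        size, path = int(m.group(2).replace(",", "")), m.group(4)
        parts = path.split("\\")
        if len(parts) >= 2 and parts[-2].lower() == "bak":
            original = "\\".join(parts[:-2] + parts[-1:])  # drop the 'bak' hop
            baks[original.lower()] = size
    return baks


def parse_run_key(text):
    """Return (value name, target path, file info) for each Run entry."""
    entries = []
    for line in text.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2), m.group(3).strip()))
    return entries


def check_autoruns(awf_text, run_text):
    """Flag autorun targets whose original was moved into a 'bak' folder.
    An empty '[ ]' in the Run entry means ComboFix recorded no file details."""
    baks = parse_awf(awf_text)
    findings = []
    for name, path, info in parse_run_key(run_text):
        bak_size = baks.get(path.lower())
        if bak_size is None:
            continue  # no backup copy of this target under a 'bak' folder
        findings.append({"name": name, "path": path,
                         "bak_size": bak_size, "file_info": info or None})
    return findings


if __name__ == "__main__":
    for f in check_autoruns(AWF_SECTION, RUN_SECTION):
        print(f"{f['name']}: bak copy {f['bak_size']} bytes, live file info {f['file_info']}")
```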
