Help with virtumonde please

[-dcp-]

Hi and thanks in advance

Spybot 1.6 detects virtumonde each time I run a scan. Cant get rid of it.

I've read the 'before you post' thread and followed the instructions, HJT log follows -


---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:17:54 PM, on 20/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Panasonic\MotionSD STUDIO\SD_Browser\AutoLauncher.exe
C:\Program Files\Adobe\acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.watoday.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [POL Agent] C:\DOCUME~1\patrick\LOCALS~1\Temp\IXP003.TMP\POL.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [9832354f] rundll32.exe "C:\WINDOWS\system32\npmqnjkk.dll",b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: MotionSD STUDIO - SD Browser auto start -.lnk = C:\Program Files\Panasonic\MotionSD STUDIO\SD_Browser\AutoLauncher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1DB3~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1161610804375
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1886883B-BA4F-4434-A658-8EB95625072C}: NameServer = 10.1.1.1,134.115.253.11
O20 - AppInit_DLLs: pkywyc.dll avidmw.dll
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: VNC Server (winvnc) - TightVNC Group - C:\Program Files\TightVNC\WinVNC.exe

--
End of file - 8436 bytes

Thanks

 

[pskelley]

Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here to your Desktop

• Double click combofix.exe and follow the prompts.
• When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the combofix log and a new HJT log.

Thanks

 

[-dcp-]

Thanks for your help pskelley. Here are the logs -

combofix log -
--------------------------
ComboFix 08-09-20.05 - patrick 2008-09-22 18:15:43.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1536 [GMT 8:00]
Running from: C:\Documents and Settings\patrick\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\patrick\Cookies\patrick@112.2o7[1].txt
C:\Documents and Settings\patrick\Cookies\patrick@112.2o7[2].txt
C:\Documents and Settings\patrick\Cookies\patrick@2o7[2].txt
C:\Documents and Settings\patrick\Cookies\patrick@ads.pointroll[1].txt
C:\Documents and Settings\patrick\Cookies\patrick@adsfac[1].txt
C:\Documents and Settings\patrick\Cookies\patrick@clicktorrent[2].txt
C:\Documents and Settings\patrick\Cookies\patrick@com.prospero.murdoch.edu[2].txt
C:\Documents and Settings\patrick\Cookies\patrick@ffxcam.theage.com[3].txt
C:\Documents and Settings\patrick\Cookies\patrick@insightexpressai[2].txt
C:\Documents and Settings\patrick\Cookies\patrick@questionmarket[1].txt
C:\Documents and Settings\patrick\Cookies\patrick@revsci[1].txt
C:\Documents and Settings\patrick\Cookies\patrick@serving-sys[1].txt
C:\Documents and Settings\patrick\Cookies\patrick@specificclick[2].txt
C:\Documents and Settings\patrick\Cookies\patrick@ths.australianidol.com[2].txt
C:\Documents and Settings\patrick\Cookies\patrick@ths.news.com[2].txt
C:\Documents and Settings\patrick\Cookies\patrick@ths.ten.com[2].txt
C:\Documents and Settings\patrick\Cookies\patrick@www.ac.vic.gov[1].txt
C:\Documents and Settings\patrick\Cookies\patrick@www.google.com[2].txt
C:\Documents and Settings\patrick\Cookies\patrick@www.theage.com[2].txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\bkyansok.ini
C:\WINDOWS\system32\GgPsBJjl.ini
C:\WINDOWS\system32\GgPsBJjl.ini2
C:\WINDOWS\system32\kkjnqmpn.ini
C:\WINDOWS\system32\kmjapbkm.ini
C:\WINDOWS\system32\ljJBsPgG.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\oxxqvrbi.ini
C:\WINDOWS\system32\tpnthcjr.ini

.
((((((((((((((((((((((((( Files Created from 2008-08-22 to 2008-09-22 )))))))))))))))))))))))))))))))
.

2008-09-22 07:00 . 2008-09-22 07:00 104,064 --a------ C:\WINDOWS\system32\mkbpajmk.dll
2008-09-22 06:57 . 2008-09-22 06:57 136,832 --a------ C:\WINDOWS\system32\xfhrahgl.dll
2008-09-22 06:57 . 2008-09-22 06:57 136,832 --a------ C:\WINDOWS\system32\rknmfn.dll
2008-09-21 05:14 . 2008-09-21 05:14 137,344 --a------ C:\WINDOWS\system32\noqydf.dll
2008-09-21 05:14 . 2008-09-21 05:14 137,344 --a------ C:\WINDOWS\system32\bmsrdeaw.dll
2008-09-20 16:41 . <DIR> C:\WINDOWS\LastGood.Tmp
2008-09-20 16:27 . 2008-09-20 16:27 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-09-20 16:25 . 2008-09-20 16:29 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-09-20 16:22 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\003065_.tmp
2008-09-20 11:34 . 2008-09-20 11:34 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-20 10:51 . 2008-09-20 10:51 0 --a------ C:\WINDOWS\nsreg.dat
2008-09-20 05:13 . 2008-09-20 05:13 137,344 --a------ C:\WINDOWS\system32\lwanrkgc.dll
2008-09-20 05:13 . 2008-09-20 05:13 137,344 --a------ C:\WINDOWS\system32\avidmw.dll
2008-09-19 17:49 . 2008-09-19 17:55 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-19 17:49 . 2008-09-19 18:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-19 05:13 . 2008-09-19 05:13 137,344 --a------ C:\WINDOWS\system32\pkywyc.dll
2008-09-19 05:13 . 2008-09-19 05:13 137,344 --a------ C:\WINDOWS\system32\hxfhsevl.dll
2008-09-19 00:06 . 2008-09-19 00:06 39,040 --a------ C:\WINDOWS\system32\awttrSLf.dll
2008-09-19 00:01 . 2008-09-19 00:01 39,040 --a------ C:\WINDOWS\system32\hgGwVMFX.dll
2008-09-18 23:53 . 2008-09-18 23:53 39,040 --a------ C:\WINDOWS\system32\mlJDwVOg.dll
2008-09-18 23:45 . 2008-09-18 23:45 39,040 --a------ C:\WINDOWS\system32\mlJDuUMG.dll
2008-09-18 23:36 . 2008-09-18 23:36 39,040 --a------ C:\WINDOWS\system32\wvUlLbCv.dll
2008-09-18 23:28 . 2008-09-18 23:28 39,040 --a------ C:\WINDOWS\system32\tuvTlmLf.dll
2008-09-18 23:12 . 2008-09-18 23:12 137,344 --a------ C:\WINDOWS\system32\yqyobc.dll
2008-09-18 23:12 . 2008-09-18 23:12 137,344 --a------ C:\WINDOWS\system32\isksyvic.dll
2008-09-18 23:06 . 2008-09-18 23:06 39,040 --a------ C:\WINDOWS\system32\ssqRiiGV.dll
2008-09-07 21:29 . 2008-09-07 21:29 0 --a------ C:\WINDOWS\Title.INI
2008-08-24 13:30 . 2008-08-24 13:30 <DIR> d-------- C:\Program Files\NCH Software
2008-08-23 16:06 . 2008-08-24 14:35 <DIR> d-------- C:\Program Files\Songbird
2008-08-23 16:06 . 2008-08-23 16:06 <DIR> d-------- C:\Documents and Settings\patrick\Application Data\Songbird2
2008-08-23 16:06 . 2008-08-23 16:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SongbirdVLC

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-22 10:13 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-22 10:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-22 09:59 --------- d-----w C:\Program Files\Symantec
2008-09-21 05:15 --------- d-----w C:\Program Files\PeerGuardian2
2008-09-21 05:01 --------- d-----w C:\Documents and Settings\patrick\Application Data\uTorrent
2008-09-20 09:50 --------- d-----w C:\Program Files\MSN Messenger
2008-09-20 07:04 --------- d-----w C:\Program Files\Java
2008-09-18 14:15 --------- d-----w C:\Program Files\Symantec Client Security
2008-08-23 07:43 --------- d-----w C:\Program Files\Common Files\mediafour
2008-08-13 14:12 --------- d-----w C:\Program Files\Altiris
2008-08-13 13:41 --------- d-----w C:\Program Files\uTorrent
2008-08-12 16:21 --------- d-----w C:\Program Files\TightVNC
2008-08-03 07:48 --------- d-----w C:\Program Files\TVersity Codec Pack
2008-08-03 07:48 --------- d-----w C:\Program Files\ffdshow
2008-07-18 14:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 14:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 14:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 14:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 14:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 14:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 14:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 14:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 14:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 14:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 10:12 295,936 ----a-w C:\WINDOWS\system32\wmpeffects.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{75d629b2-207b-4870-a7e6-daba06644567}]
2008-09-19 05:13 137344 --a------ C:\WINDOWS\system32\pkywyc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C4E06FDC-BAF4-4960-AF20-0EE6539B516A}]
2008-09-18 23:06 39040 --a------ C:\WINDOWS\system32\ssqRiiGV.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c9bb6172-3260-4cae-b690-95fd403a1d2a}]
2008-09-22 06:57 136832 --a------ C:\WINDOWS\system32\rknmfn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-09-10 1964840]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-30 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 7630848]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-11 86016]
"Mediafour Mac Volume Notifications"="C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" [2002-12-17 61440]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-12 286720]
"WinVNC"="C:\Program Files\TightVNC\WinVNC.exe" [2007-05-07 589824]
"9832354f"="C:\WINDOWS\system32\mkbpajmk.dll" [2008-09-22 104064]
"nwiz"="nwiz.exe" [2006-08-11 C:\WINDOWS\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
MotionSD STUDIO - SD Browser auto start -.lnk - C:\Program Files\Panasonic\MotionSD STUDIO\SD_Browser\AutoLauncher.exe [7/19/2008 9:42:41 PM 66952]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{C4E06FDC-BAF4-4960-AF20-0EE6539B516A}"= "C:\WINDOWS\system32\ssqRiiGV.dll" [2008-09-18 39040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqRiiGV]
2008-09-18 23:06 39040 C:\WINDOWS\system32\ssqRiiGV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= avidmw.dll rknmfn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.DVSD"= pdvcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCPxpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 FSLX;FSLX;C:\WINDOWS\system32\drivers\fslx.sys [2007-08-10 191360]
S0 stwlfbus;stwlfbus;C:\WINDOWS\system32\DRIVERS\stwlfbus.sys [ ]
S3 EraserUtilDrv10730;EraserUtilDrv10730;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10730.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0a0ff6dc-d227-11db-ae7f-00173136b2d9}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

*Newly Created Service* - OSE
.
- - - - ORPHANS REMOVED - - - -

BHO-{1A1C262A-920C-4864-B58E-6AAE9187AB4D} - C:\WINDOWS\system32\ljJBsPgG.dll
BHO-{D35D7D5F-0395-4B34-9A0D-F67CA7AD5431} - (no file)
BHO-{E88855BC-EFDD-452E-9F74-AD89C59950DA} - (no file)
Notify-NavLogon - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\patrick\Application Data\Mozilla\Firefox\Profiles\5dpftysf.default\
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npvlc.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-22 18:24:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\kmjapbkm.ini 294 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\ssqRiiGV.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\mkbpajmk.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
.
**************************************************************************
.
Completion time: 2008-09-22 18:31:18 - machine was rebooted [patrick]
ComboFix-quarantined-files.txt 2008-09-22 10:30:59

Pre-Run: 341,327,872 bytes free
Post-Run: 733,679,616 bytes free

216 --- E O F --- 2008-09-17 19:01:47

------------


hijackthis log -
--------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:54:30 PM, on 22/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Panasonic\MotionSD STUDIO\SD_Browser\AutoLauncher.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\vptray.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.watoday.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [9832354f] rundll32.exe "C:\WINDOWS\system32\kawfrypf.dll",b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: MotionSD STUDIO - SD Browser auto start -.lnk = C:\Program Files\Panasonic\MotionSD STUDIO\SD_Browser\AutoLauncher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1DB3~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1161610804375
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1886883B-BA4F-4434-A658-8EB95625072C}: NameServer = 10.1.1.1,134.115.253.11
O20 - AppInit_DLLs: avidmw.dll rknmfn.dll tqtxup.dll
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: VNC Server (winvnc) - TightVNC Group - C:\Program Files\TightVNC\WinVNC.exe

--
End of file - 8541 bytes

 

[pskelley]

G'Day, please read and follow the directions carefully and in the numbered order.

File Sharing, otherwise known as Peer To Peer. (P2P)
http://forums.spybot.info/showthread.php?t=282

If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal

uTorrent <<< uninstall all p2p programs

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

2) Open notepad and copy/paste the text in the codebox below into it:

File::
C:\WINDOWS\003065_.tmp
C:\WINDOWS\system32\kawfrypf.dll
C:\WINDOWS\system32\mkbpajmk.dll
C:\WINDOWS\system32\xfhrahgl.dll
C:\WINDOWS\system32\rknmfn.dll
C:\WINDOWS\system32\noqydf.dll
C:\WINDOWS\system32\bmsrdeaw.dll
C:\WINDOWS\system32\lwanrkgc.dll
C:\WINDOWS\system32\avidmw.dll
C:\WINDOWS\system32\pkywyc.dll
C:\WINDOWS\system32\hxfhsevl.dll
C:\WINDOWS\system32\awttrSLf.dll
C:\WINDOWS\system32\hgGwVMFX.dll
C:\WINDOWS\system32\mlJDwVOg.dll
C:\WINDOWS\system32\mlJDuUMG.dll
C:\WINDOWS\system32\wvUlLbCv.dll
C:\WINDOWS\system32\tuvTlmLf.dll
C:\WINDOWS\system32\yqyobc.dll
C:\WINDOWS\system32\isksyvic.dll
C:\WINDOWS\system32\ssqRiiGV.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{C4E06FDC-BAF4-4960-AF20-0EE6539B516A}"=- 

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{75d629b2-207b-4870-a7e6-daba06644567}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C4E06FDC-BAF4-4960-AF20-0EE6539B516A}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c9bb6172-3260-4cae-b690-95fd403a1d2a}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqRiiGV]

Save this as CFScript

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKLM\..\Run: [9832354f] rundll32.exe "C:\WINDOWS\system32\kawfrypf.dll",b
O20 - AppInit_DLLs: avidmw.dll rknmfn.dll tqtxup.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may results in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

5) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log.

How is the computer running?

Cheers...Phil

 

[-dcp-]

Hi Phil,

Seems to be running well now.

combofix log -
------------


ComboFix 08-09-20.05 - patrick 2008-09-22 21:43:48.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1485 [GMT 8:00]
Running from: C:\Documents and Settings\patrick\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\patrick\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\003065_.tmp
C:\WINDOWS\system32\avidmw.dll
C:\WINDOWS\system32\awttrSLf.dll
C:\WINDOWS\system32\bmsrdeaw.dll
C:\WINDOWS\system32\hgGwVMFX.dll
C:\WINDOWS\system32\hxfhsevl.dll
C:\WINDOWS\system32\isksyvic.dll
C:\WINDOWS\system32\kawfrypf.dll
C:\WINDOWS\system32\lwanrkgc.dll
C:\WINDOWS\system32\mkbpajmk.dll
C:\WINDOWS\system32\mlJDuUMG.dll
C:\WINDOWS\system32\mlJDwVOg.dll
C:\WINDOWS\system32\noqydf.dll
C:\WINDOWS\system32\pkywyc.dll
C:\WINDOWS\system32\rknmfn.dll
C:\WINDOWS\system32\ssqRiiGV.dll
C:\WINDOWS\system32\tuvTlmLf.dll
C:\WINDOWS\system32\wvUlLbCv.dll
C:\WINDOWS\system32\xfhrahgl.dll
C:\WINDOWS\system32\yqyobc.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\003065_.tmp
C:\WINDOWS\system32\avidmw.dll
C:\WINDOWS\system32\awttrSLf.dll
C:\WINDOWS\system32\bmsrdeaw.dll
C:\WINDOWS\system32\fCroPHYq.dll
C:\WINDOWS\system32\fpyrfwak.ini
C:\WINDOWS\system32\hgGwVMFX.dll
C:\WINDOWS\system32\hxfhsevl.dll
C:\WINDOWS\system32\isksyvic.dll
C:\WINDOWS\system32\kawfrypf.dll
C:\WINDOWS\system32\lwanrkgc.dll
C:\WINDOWS\system32\mkbpajmk.dll
C:\WINDOWS\system32\mlJDuUMG.dll
C:\WINDOWS\system32\mlJDwVOg.dll
C:\WINDOWS\system32\noqydf.dll
C:\WINDOWS\system32\pkywyc.dll
C:\WINDOWS\system32\qYHPorCf.ini
C:\WINDOWS\system32\qYHPorCf.ini2
C:\WINDOWS\system32\rknmfn.dll
C:\WINDOWS\system32\ssqRiiGV.dll
C:\WINDOWS\system32\tuvTlmLf.dll
C:\WINDOWS\system32\wvUlLbCv.dll
C:\WINDOWS\system32\xfhrahgl.dll
C:\WINDOWS\system32\yqyobc.dll

.
((((((((((((((((((((((((( Files Created from 2008-08-22 to 2008-09-22 )))))))))))))))))))))))))))))))
.

2008-09-22 18:50 . 2008-09-22 18:50 136,832 --a------ C:\WINDOWS\system32\tqtxup.dll
2008-09-22 18:50 . 2008-09-22 18:50 136,832 --a------ C:\WINDOWS\system32\fdrvqmgq.dll
2008-09-22 18:43 . 2008-09-22 21:51 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2008-09-22 18:43 . 2008-09-22 18:44 110,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-09-22 18:43 . 2008-09-22 18:44 48,768 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-09-22 18:43 . 2008-09-22 18:44 8,014 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-09-22 18:43 . 2008-09-22 18:44 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-09-22 18:25 . 2008-09-22 18:32 354 --ahs---- C:\WINDOWS\system32\kmjapbkm.ini
2008-09-20 16:27 . 2008-09-20 16:27 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-09-20 16:25 . 2008-09-20 16:29 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-09-20 11:34 . 2008-09-20 11:34 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-20 10:51 . 2008-09-20 10:51 0 --a------ C:\WINDOWS\nsreg.dat
2008-09-19 17:49 . 2008-09-19 17:55 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-19 17:49 . 2008-09-19 18:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-07 21:29 . 2008-09-07 21:29 0 --a------ C:\WINDOWS\Title.INI
2008-08-24 13:30 . 2008-08-24 13:30 <DIR> d-------- C:\Program Files\NCH Software
2008-08-23 16:06 . 2008-08-24 14:35 <DIR> d-------- C:\Program Files\Songbird
2008-08-23 16:06 . 2008-08-23 16:06 <DIR> d-------- C:\Documents and Settings\patrick\Application Data\Songbird2
2008-08-23 16:06 . 2008-08-23 16:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SongbirdVLC

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-22 10:45 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-22 10:44 --------- d-----w C:\Program Files\Symantec
2008-09-22 10:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-22 10:30 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-09-21 05:15 --------- d-----w C:\Program Files\PeerGuardian2
2008-09-21 05:01 --------- d-----w C:\Documents and Settings\patrick\Application Data\uTorrent
2008-09-20 09:50 --------- d-----w C:\Program Files\MSN Messenger
2008-09-20 07:04 --------- d-----w C:\Program Files\Java
2008-09-18 14:15 --------- d-----w C:\Program Files\Symantec Client Security
2008-08-23 07:43 --------- d-----w C:\Program Files\Common Files\mediafour
2008-08-13 14:12 --------- d-----w C:\Program Files\Altiris
2008-08-13 13:41 --------- d-----w C:\Program Files\uTorrent
2008-08-12 16:21 --------- d-----w C:\Program Files\TightVNC
2008-08-03 07:48 --------- d-----w C:\Program Files\TVersity Codec Pack
2008-08-03 07:48 --------- d-----w C:\Program Files\ffdshow
2008-07-18 14:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 14:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 14:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 14:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 14:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 14:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 14:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 14:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 14:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 14:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 10:12 295,936 ----a-w C:\WINDOWS\system32\wmpeffects.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((( snapshot@2008-09-22_18.28.36.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2003-07-14 19:13:58 166,456 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\ACCWIZ.DLL
+ 2003-07-14 14:43:20 87,616 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\ADDRPARS.DLL
+ 2003-07-14 19:14:28 350,264 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\CDLMSO.DLL
+ 2003-07-14 19:18:12 47,160 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\DFUICOM.EXE
+ 2003-07-25 10:57:20 75,832 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\DLGSETP.DLL
+ 2003-07-31 07:19:52 131,648 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\ENVELOPE.DLL
+ 2003-08-12 18:34:38 10,073,144 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\EXCEL.EXE
+ 2003-08-03 02:56:16 1,146,184 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\FM20.DLL
+ 2003-07-23 15:01:40 1,949,240 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\FPCUTL.DLL
+ 2003-07-14 15:36:14 186,424 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\FPDTC.DLL
+ 2003-07-25 11:00:16 1,157,696 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\FPSRVUTL.DLL
+ 2003-07-25 11:14:50 799,288 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\FPWEC.DLL
+ 2003-07-14 15:11:42 2,139,192 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\GRAPH.EXE
+ 2003-07-14 14:57:44 87,096 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\IEAWSDC.DLL
+ 2003-07-14 14:53:50 161,336 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\IETAG.DLL
+ 2003-07-23 14:32:32 121,400 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\IMPMAIL.DLL
+ 2003-06-18 09:31:34 443,904 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MDIVWCTL.DLL
+ 2003-08-14 16:54:08 6,627,392 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSACCESS.EXE
+ 2003-07-14 19:13:58 130,112 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSAEXP30.DLL
+ 2003-07-14 14:58:04 230,968 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSCDM.DLL
+ 2002-12-17 11:08:50 359,600 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSDMENG.DLL
+ 2002-12-17 11:08:54 1,383,592 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSDMINE.DLL
+ 2003-07-14 19:14:00 139,328 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSJSPP40.DLL
+ 2002-04-09 12:14:36 187,560 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSMDUN80.DLL
+ 2003-08-07 16:23:16 12,172,336 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSO.DLL
+ 2003-07-14 19:14:18 106,552 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSOCF.DLL
+ 2003-07-23 14:35:26 127,032 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSOCFU.DLL
+ 2002-12-17 11:09:24 2,071,752 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSOLAP80.DLL
+ 2003-06-18 09:31:24 1,033,216 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSPCORE.DLL
+ 2003-07-14 15:02:14 627,256 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSTORDB.EXE
+ 2003-07-14 14:56:24 124,984 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSTORE.EXE
+ 2003-07-23 14:40:00 482,872 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSTORES.DLL
+ 2003-07-14 19:14:26 283,696 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\OIS.EXE
+ 2003-07-14 19:14:26 828,472 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\OISAPP.DLL
+ 2003-07-14 19:14:26 27,192 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\OISCTRL.DLL
+ 2003-07-14 14:41:56 24,640 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\OUTLACCT.DLL
+ 2003-08-09 15:06:42 7,522,360 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\OUTLLIB.DLL
+ 2003-07-14 14:44:32 88,128 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\OUTLMIME.DLL
+ 2003-07-14 14:45:18 196,152 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\OUTLOOK.EXE
+ 2003-07-14 14:43:48 139,320 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\OUTLPH.DLL
+ 2003-07-14 14:43:18 64,056 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\OUTLRPC.DLL
+ 2003-08-04 05:19:34 7,330,360 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\OWC10.DLL
+ 2003-08-01 07:09:04 8,086,072 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\OWC11.DLL
+ 2003-07-30 04:40:40 6,133,312 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\POWERPNT.EXE
+ 2003-07-14 19:18:54 430,136 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\PP4X322.DLL
+ 2003-07-31 07:21:08 1,782,840 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\PPTVIEW.EXE
+ 2003-07-14 14:43:30 74,288 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\RM.DLL
+ 2003-08-06 05:26:18 445,488 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\SOA.DLL
+ 2003-08-03 02:52:32 2,808,376 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\STSLIST.DLL
+ 2003-07-14 15:00:22 99,904 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\TRANSMGR.DLL
+ 2003-07-03 07:19:36 2,502,656 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\VBE6.DLL
+ 2003-08-06 05:24:20 12,037,688 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\WINWORD.EXE
+ 2008-09-22 10:45:07 25,214 ----a-r C:\WINDOWS\Installer\{50E125D1-88E5-48CE-80AE-98EC9698E639}\ARPPRODUCTICON.exe
- 2008-09-18 16:29:37 40,960 ----a-r C:\WINDOWS\Installer\{50E125D1-88E5-48CE-80AE-98EC9698E639}\DTIcon.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2008-09-22 10:45:07 40,960 ----a-r C:\WINDOWS\Installer\{50E125D1-88E5-48CE-80AE-98EC9698E639}\DTIcon.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2008-09-22 10:45:07 40,960 ----a-r C:\WINDOWS\Installer\{50E125D1-88E5-48CE-80AE-98EC9698E639}\NewShortcut1.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
- 2008-09-10 19:01:15 593,920 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2008-09-22 10:32:10 593,920 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2008-09-10 19:01:15 12,288 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-09-22 10:32:10 12,288 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-09-10 19:01:15 86,016 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2008-09-22 10:32:10 86,016 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2008-09-10 19:01:15 135,168 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-09-22 10:32:10 135,168 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-09-10 19:01:15 11,264 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-09-22 10:32:10 11,264 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2008-09-10 19:01:15 27,136 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-09-22 10:32:10 27,136 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-09-10 19:01:15 4,096 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-09-22 10:32:10 4,096 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2008-09-10 19:01:15 794,624 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-09-22 10:32:10 794,624 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2008-09-10 19:01:15 249,856 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2008-09-22 10:32:10 249,856 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-09-10 19:01:15 61,440 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2008-09-22 10:32:10 61,440 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2008-09-10 19:01:15 23,040 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2008-09-22 10:32:10 23,040 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-09-10 19:01:15 286,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-09-22 10:32:10 286,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-09-10 19:01:14 409,600 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-09-22 10:32:10 409,600 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2007-03-14 11:50:54 34,552 ----a-w C:\WINDOWS\system32\cba.dll
+ 2007-02-12 09:22:16 12,944 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
+ 2007-02-12 09:22:20 110,736 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
+ 2007-02-12 09:22:30 31,888 ----a-w C:\WINDOWS\system32\drivers\symids.sys
+ 2007-02-12 09:22:26 28,304 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
+ 2007-02-12 09:22:36 24,720 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
+ 2007-02-12 09:22:40 196,752 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
- 2003-08-03 02:56:16 1,146,184 ----a-w C:\WINDOWS\system32\FM20.DLL
+ 2005-03-17 06:39:58 1,146,320 ----a-w C:\WINDOWS\system32\FM20.DLL
- 2008-09-20 09:09:43 91,888 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-09-22 13:50:07 92,680 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2007-03-14 11:50:56 83,648 ----a-w C:\WINDOWS\system32\loc32vc0.dll
+ 2003-03-18 14:20:00 1,060,864 ----a-w C:\WINDOWS\system32\mfc71.dll
+ 2003-03-18 13:44:36 40,960 ----a-w C:\WINDOWS\system32\MFC71CHS.DLL
+ 2003-03-18 13:44:36 45,056 ----a-w C:\WINDOWS\system32\MFC71CHT.DLL
+ 2003-03-18 13:44:34 65,536 ----a-w C:\WINDOWS\system32\MFC71DEU.DLL
+ 2003-03-18 13:44:38 57,344 ----a-w C:\WINDOWS\system32\MFC71ENU.DLL
+ 2003-03-18 13:44:36 61,440 ----a-w C:\WINDOWS\system32\MFC71ESP.DLL
+ 2003-03-18 13:44:34 61,440 ----a-w C:\WINDOWS\system32\MFC71FRA.DLL
+ 2003-03-18 13:44:36 61,440 ----a-w C:\WINDOWS\system32\MFC71ITA.DLL
+ 2003-03-18 13:44:34 49,152 ----a-w C:\WINDOWS\system32\MFC71JPN.DLL
+ 2003-03-18 13:44:38 49,152 ----a-w C:\WINDOWS\system32\MFC71KOR.DLL
+ 2003-03-18 14:12:12 1,047,552 ----a-w C:\WINDOWS\system32\mfc71u.dll
+ 2007-03-14 11:50:56 46,848 ----a-w C:\WINDOWS\system32\msgsys.dll
+ 2007-03-14 11:49:14 43,712 ----a-w C:\WINDOWS\system32\NavLogon.dll
+ 2007-03-14 11:50:58 91,896 ----a-w C:\WINDOWS\system32\nts.dll
+ 2007-03-14 11:51:00 83,704 ----a-w C:\WINDOWS\system32\pds.dll
+ 2007-02-12 09:22:48 538,256 ----a-w C:\WINDOWS\system32\SymNeti.dll
+ 2007-02-12 09:22:46 161,424 ----a-w C:\WINDOWS\system32\SymRedir.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{488cf07e-d018-4b18-a4e6-46be781f98c2}]
2008-09-22 18:50 136832 --a------ C:\WINDOWS\system32\tqtxup.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-09-10 1964840]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-30 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 7630848]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-11 86016]
"Mediafour Mac Volume Notifications"="C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" [2002-12-17 61440]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-12 286720]
"WinVNC"="C:\Program Files\TightVNC\WinVNC.exe" [2007-05-07 589824]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="C:\PROGRA~1\SYMANT~2\VPTray.exe" [2007-03-14 125632]
"nwiz"="nwiz.exe" [2006-08-11 C:\WINDOWS\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
MotionSD STUDIO - SD Browser auto start -.lnk - C:\Program Files\Panasonic\MotionSD STUDIO\SD_Browser\AutoLauncher.exe [7/19/2008 9:42:41 PM 66952]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.DVSD"= pdvcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCPxpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 FSLX;FSLX;C:\WINDOWS\system32\drivers\fslx.sys [2007-08-10 191360]
S0 stwlfbus;stwlfbus;C:\WINDOWS\system32\DRIVERS\stwlfbus.sys [ ]
S3 EraserUtilDrv10730;EraserUtilDrv10730;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10730.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0a0ff6dc-d227-11db-ae7f-00173136b2d9}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
- - - - ORPHANS REMOVED - - - -

BHO-{005387EA-A07B-4D72-B745-B01D9F056670} - C:\WINDOWS\system32\fCroPHYq.dll
HKLM-Run-9832354f - C:\WINDOWS\system32\kawfrypf.dll



**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-22 21:51:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\Program Files\Common Files\Symantec Shared\SPBBC\2008-09-22-4826.kc 84680 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
.
**************************************************************************
.
Completion time: 2008-09-22 21:55:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-22 13:55:36
ComboFix2.txt 2008-09-22 10:31:24

Pre-Run: 628,129,792 bytes free
Post-Run: 606,289,920 bytes free

319 --- E O F --- 2008-09-22 10:32:42

------------------

MBAM log -
-------------------

Malwarebytes' Anti-Malware 1.28
Database version: 1191
Windows 5.1.2600 Service Pack 3

22/09/2008 11:15:17 PM
mbam-log-2008-09-22 (23-15-17).txt

Scan type: Full Scan (C:\|E:\|F:\|)
Objects scanned: 179997
Time elapsed: 1 hour(s), 7 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 23

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\tqtxup.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{488cf07e-d018-4b18-a4e6-46be781f98c2} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{488cf07e-d018-4b18-a4e6-46be781f98c2} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\tqtxup.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\QooBox\Quarantine\C\WINDOWS\system32\avidmw.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\awttrSLf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\bmsrdeaw.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\fCroPHYq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\hgGwVMFX.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\hxfhsevl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\isksyvic.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\kawfrypf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ljJBsPgG.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\lwanrkgc.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\mkbpajmk.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\mlJDuUMG.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\mlJDwVOg.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\noqydf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\pkywyc.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\rknmfn.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ssqRiiGV.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\tuvTlmLf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\wvUlLbCv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\xfhrahgl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\yqyobc.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fdrvqmgq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

-------------------
new HJT log -
--------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:29:31 PM, on 22/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Panasonic\MotionSD STUDIO\SD_Browser\AutoLauncher.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.watoday.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: MotionSD STUDIO - SD Browser auto start -.lnk = C:\Program Files\Panasonic\MotionSD STUDIO\SD_Browser\AutoLauncher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1DB3~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1161610804375
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1886883B-BA4F-4434-A658-8EB95625072C}: NameServer = 10.1.1.1,134.115.253.11
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: VNC Server (winvnc) - TightVNC Group - C:\Program Files\TightVNC\WinVNC.exe

--
End of file - 9144 bytes

 

[pskelley]

Thanks for returning your information and the feedback. This junk (Vundo) has the ability to morph and recreate itself. If all of it is not killed, this happens.

I see this in the combofix log:
C:\WINDOWS\system32\tqtxup.dll
C:\WINDOWS\system32\fdrvqmgq.dll
C:\WINDOWS\system32\kmjapbkm.ini

Would you delete those manually please, you may need to show all files and folders to see them.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

If you have any problems, let me know and we will use the CFScript.

Thanks

 

[-dcp-]

Hi again,

Only one of those files existed when I looked (C:\WINDOWS\system32\kmjapbkm.ini), deleted now.

Thank you for all the help. Is there anything else I should do?

Damien

 

[pskelley]

Thanks for that feedback...

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

To be sure, clean System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Update MBAM and scan to make sure we missed none of the junk, no need to post a clean scan result.

Update AVG and scan the system to make sure it is scanning clean.

If all is well at this point, let me know and I will close your topic.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html

 

[-dcp-]

All is good. Thank you for the great service!