Virtumonde again

[Connery]

Well I'm working on a fix.
Please read the instructions on how to install the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post back here when done or before you follow my next post.

When finished it said to post this log and not reboot until given the okay. I hope I can go ahead and run your new fix without rebooting. We'll see.

Here's the log from the recovery console install:

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

 

[Connery]

I would like to see a copy of the file/folder in bold.

Click start / then my computer / local disk then follow the process tree.
Or using Windows Explorer, locate the first file you want to zip.
Right click on the file and select Send To and Compressed (zipped) Folder.
This makes a copy it does not delete it.
Please zip the file and upload it here
Or email it here

Please include a link to this thread.



C:\WINNT\system32\jk8
C:\WINNT\system32\hc4
C:\WINNT\system32\fs7
C:\WINNT\system32\ax3

Did that. The ax3 folder was empty so it didn't get included in the zip.

 

[Connery]

Okay, here's the combofix log from your fix:

ComboFix 08-03-10.1 - x 2008-03-13 20:05:45.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.56 [GMT -8:00]
Running from: C:\Documents and Settings\x\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\x\Desktop\CFScript
* Created a new restore point

FILE ::
C:\Program Files\Windows Media Player\rybiv.dll
C:\WINNT\17PHolmes572.exe
C:\WINNT\e01.exe
C:\WINNT\mrofinu572.exe
C:\WINNT\mrofinu572.exe.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
C:\WINNT\17PHolmes572.exe
C:\WINNT\e01.exe
C:\WINNT\mrofinu572.exe.tmp
C:\WINNT\pskt.ini
C:\WINNT\system32\drivers\core.cache.dsk
C:\WINNT\system32\gvqpxmir.dll
C:\WINNT\system32\mlnmp.ini
C:\WINNT\system32\mlnmp.ini2
C:\WINNT\system32\ndckeped.dll
C:\WINNT\system32\pmnlm.dll
C:\WINNT\system32\pmnlm.exe
C:\WINNT\system32\rimxpqvg.ini
C:\WINNT\system32\ykxygpko.dll
C:\WINNT\system32\ypnedfdp.dllbox

.
((((((((((((((((((((((((( Files Created from 2008-02-14 to 2008-03-14 )))))))))))))))))))))))))))))))
.

2008-03-12 19:09 . 2008-03-13 05:50 15,360 --a--c--- C:\WINNT\system32\dllcache\ctfmon.exe
2008-03-12 19:09 . 2008-03-13 05:50 15,360 --a------ C:\WINNT\system32\ctfmon.exe
2008-03-10 20:25 . 2008-03-10 20:25 24,576 --a------ C:\WINNT\system32\VundoFixSVC.exe
2008-03-09 23:59 . 2008-03-10 20:48 <DIR> d-------- C:\VundoFix Backups
2008-03-09 21:26 . 2008-03-13 05:51 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-03-09 21:26 . 2008-03-09 21:26 1,409 --a------ C:\WINNT\QTFont.for
2008-02-27 20:27 . 2008-02-27 20:27 7,168 --------- C:\WINNT\system32\windows_tobedeleted_old
2008-02-27 00:34 . 2008-03-13 20:14 13,646 --a------ C:\WINNT\system32\wpa.dbl
2008-02-26 20:41 . 2008-02-26 20:41 <DIR> d-------- C:\WINNT\system32\jk8
2008-02-26 20:41 . 2008-02-26 20:41 <DIR> d-------- C:\WINNT\system32\hc4
2008-02-26 20:41 . 2008-02-26 20:41 <DIR> d-------- C:\WINNT\system32\fs7
2008-02-26 20:41 . 2008-02-26 20:41 <DIR> d-------- C:\WINNT\system32\ax3
2008-02-26 20:40 . 2008-03-11 18:53 <DIR> d-------- C:\Temp
2008-02-20 20:22 . 2008-02-20 20:22 745 --a------ C:\WINNT\COD.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-14 04:05 --------- d-----w C:\Program Files\iTunes
2008-03-14 04:05 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-12 03:08 --------- d-----w C:\Program Files\Accessories
2008-02-21 04:26 --------- d-----w C:\Program Files\Call of Duty
2008-02-07 15:46 --------- d-----w C:\Program Files\QuickTime
2008-02-07 07:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-04 15:19 7,536 ----a-w C:\WINNT\loadqm.exe
2008-01-27 01:42 --------- d-----w C:\Program Files\Trend Micro
2008-01-18 00:52 126 ----a-w C:\tempdel.bat
2008-01-17 10:34 --------- d-----w C:\Program Files\iPod
2008-01-15 02:12 --------- d-----w C:\Program Files\RcvSystem
2002-11-06 23:45 57,344 ----a-w C:\WINNT\Fonts\omnithread_rt.dll
2002-11-06 23:45 32,768 ----a-w C:\WINNT\Fonts\VNCHooks.dll
2002-06-09 23:40 271 --sh--w C:\Program Files\desktop.ini
2002-06-09 23:40 21,952 ---ha-w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2008-03-13 05:50 15360]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe" [ ]
"SVCHOST.EXE"="C:\WINNT\system32\drivers\svchost.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSRunScript"="C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-13 05:50 151597]
"Synchronization Manager"="mobsync.exe" [2006-02-28 04:00 143360 C:\WINNT\system32\mobsync.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe" [2008-03-13 05:50 32881]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2008-03-13 05:50 40960]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2008-03-13 05:50 77824]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2008-03-13 05:50 188416]
"LoadQM"="loadqm.exe" [2008-02-04 07:19 7536 C:\WINNT\loadqm.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-13 05:50 267048]
"EKIJ5000StatusMonitor"="C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-03-13 05:50 753664]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-03-13 05:50 52840]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2005-06-14 09:05 6856704]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2006-02-28 04:00 214528]
"tscuninstall"="C:\WINNT\system32\tscupgrd.exe" [2006-02-28 04:00 44544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 00:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqnmn]
awtqnmn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=NVDESK32.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"OM_Monitor"=C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"CamMonitor"=C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
"nwiz"=nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R1 cdudf;cdudf;C:\WINNT\system32\drivers\cdudf.sys [2001-09-04 14:38]
R2 KodakSvc;Kodak AiO Device Service;"C:\Program Files\Kodak\printer\center\KodakSvc.exe" [2007-03-22 18:04]
R3 tbcspud;Santa Cruz Driver;C:\WINNT\system32\drivers\tbcspud.sys [2001-08-29 12:19]
R3 tbcwdm;Santa Cruz WDM Driver;C:\WINNT\system32\drivers\tbcwdm.sys [2001-08-29 12:19]
S3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [2003-06-19 11:05]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-27 07:47:00 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-09 05:57:03 C:\WINNT\Tasks\EasyShare Registration Task.job"
- C:\WINNT\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOffer@16
"2008-03-14 04:05:01 C:\WINNT\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe
"2007-12-15 07:40:31 C:\WINNT\Tasks\Norton AntiVirus - Run Full System Scan - x.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
"2006-08-10 05:49:11 C:\WINNT\Tasks\Norton AntiVirus - Run Norton QuickScan - x.job"
- C:\PROGRA~1\NORTON~1\NAVW32.EXEg/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-13 20:14:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
.
**************************************************************************
.
Completion time: 2008-03-13 20:19:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-14 04:19:09
ComboFix2.txt 2008-03-13 14:32:49
ComboFix3.txt 2008-03-12 14:22:00
ComboFix4.txt 2008-03-12 03:26:02
ComboFix5.txt 2008-02-06 15:31:22
.
2008-03-13 08:44:50 --- E O F ---

 

[Connery]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:28:43 PM, on 3/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\connery.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: CNavExtBho Class - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINNT\system32\drivers\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\x\Start Menu\Programs\>IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/supergerball/miniclipGameLoader.dll
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/rssoft.cab
O20 - Winlogon Notify: awtqnmn - awtqnmn.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINNT\system32\bgsvcgen.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINNT\system32\UAService7.exe
O24 - Desktop Component 0: (no name) - http://www.theappliance.com/airavata/Lila62631.jpg

--
End of file - 10419 bytes

 

[little eagle]

Open notepad and copy/paste the text in the codebox below into it:

Folder::
C:\WINNT\system32\jk8
C:\WINNT\system32\hc4
C:\WINNT\system32\fs7
C:\WINNT\system32\ax3

Save this as Save this as "CFScript"

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.

 

[Connery]

ComboFix 08-03-10.1 - x 2008-03-14 5:46:47.9 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.43 [GMT -8:00]
Running from: C:\Documents and Settings\x\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\x\Desktop\CFScript
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
C:\WINNT\pskt.ini
C:\WINNT\system32\ax3
C:\WINNT\system32\eabilfjl.dll
C:\WINNT\system32\fs7
C:\WINNT\system32\fs7\cilcstat01.exe
C:\WINNT\system32\hc4
C:\WINNT\system32\hc4\pon89104.exe
C:\WINNT\system32\jk8
C:\WINNT\system32\jk8\propbar68.exe
C:\WINNT\system32\jqesexal.ini
C:\WINNT\system32\laxeseqj.dll
C:\WINNT\system32\mlnmp.ini
C:\WINNT\system32\mlnmp.ini2
C:\WINNT\system32\pmnlm.dll
C:\WINNT\system32\pmnlm.exe
C:\WINNT\system32\rhtkmidq.dll
C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-14 to 2008-03-14 )))))))))))))))))))))))))))))))
.

2008-03-12 19:09 . 2008-03-13 05:50 15,360 --a--c--- C:\WINNT\system32\dllcache\ctfmon.exe
2008-03-12 19:09 . 2008-03-14 06:00 15,360 --a------ C:\WINNT\system32\ctfmon.exe
2008-03-10 20:25 . 2008-03-10 20:25 24,576 --a------ C:\WINNT\system32\VundoFixSVC.exe
2008-03-09 23:59 . 2008-03-10 20:48 <DIR> d-------- C:\VundoFix Backups
2008-03-09 21:26 . 2008-03-14 05:29 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-03-09 21:26 . 2008-03-09 21:26 1,409 --a------ C:\WINNT\QTFont.for
2008-02-27 20:27 . 2008-02-27 20:27 7,168 --------- C:\WINNT\system32\windows_tobedeleted_old
2008-02-27 00:34 . 2008-03-14 05:59 13,646 --a------ C:\WINNT\system32\wpa.dbl
2008-02-26 20:40 . 2008-03-11 18:53 <DIR> d-------- C:\Temp
2008-02-20 20:22 . 2008-02-20 20:22 745 --a------ C:\WINNT\COD.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-14 14:00 338,944 ----a-w C:\WINNT\system32\pmnlm.exe
2008-03-14 14:00 335,360 ----a-w C:\WINNT\system32\pmnlm.dll
2008-03-14 13:55 --------- d-----w C:\Program Files\iTunes
2008-03-14 13:55 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-12 03:08 --------- d-----w C:\Program Files\Accessories
2008-02-21 04:26 --------- d-----w C:\Program Files\Call of Duty
2008-02-07 15:46 --------- d-----w C:\Program Files\QuickTime
2008-02-07 07:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-04 15:19 7,536 ----a-w C:\WINNT\loadqm.exe
2008-01-27 01:42 --------- d-----w C:\Program Files\Trend Micro
2008-01-18 00:52 126 ----a-w C:\tempdel.bat
2008-01-17 10:34 --------- d-----w C:\Program Files\iPod
2008-01-15 02:12 --------- d-----w C:\Program Files\RcvSystem
2002-11-06 23:45 57,344 ----a-w C:\WINNT\Fonts\omnithread_rt.dll
2002-11-06 23:45 32,768 ----a-w C:\WINNT\Fonts\VNCHooks.dll
2002-06-09 23:40 271 --sh--w C:\Program Files\desktop.ini
2002-06-09 23:40 21,952 ---ha-w C:\Program Files\folder.htt
.

<pre>
----a-w           420,352 2008-03-14 14:04:41  C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8625AB0F-FB15-4404-A4EA-7AAB1BEFDC6A}]
2008-03-14 06:00 335360 --a------ C:\WINNT\system32\pmnlm.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2008-03-13 05:50 15360]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe" [2008-03-14 06:04 420352]
"SVCHOST.EXE"="C:\WINNT\system32\drivers\svchost.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSRunScript"="C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"Synchronization Manager"="mobsync.exe" [2006-02-28 04:00 143360 C:\WINNT\system32\mobsync.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe" [ ]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [ ]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [ ]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [ ]
"LoadQM"="loadqm.exe" [2008-02-04 07:19 7536 C:\WINNT\loadqm.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"EKIJ5000StatusMonitor"="C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2005-06-14 09:05 6856704]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2006-02-28 04:00 214528]
"tscuninstall"="C:\WINNT\system32\tscupgrd.exe" [2006-02-28 04:00 44544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 00:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqnmn]
awtqnmn.dll

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINNT\system32\pmnlm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=NVDESK32.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINNT\system32\pmnlm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"OM_Monitor"=C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"CamMonitor"=C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
"nwiz"=nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R1 cdudf;cdudf;C:\WINNT\system32\drivers\cdudf.sys [2001-09-04 14:38]
R2 KodakSvc;Kodak AiO Device Service;"C:\Program Files\Kodak\printer\center\KodakSvc.exe" [2007-03-22 18:04]
R3 tbcspud;Santa Cruz Driver;C:\WINNT\system32\drivers\tbcspud.sys [2001-08-29 12:19]
R3 tbcwdm;Santa Cruz WDM Driver;C:\WINNT\system32\drivers\tbcwdm.sys [2001-08-29 12:19]
S3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [2003-06-19 11:05]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-27 07:47:00 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-09 05:57:03 C:\WINNT\Tasks\EasyShare Registration Task.job"
- C:\WINNT\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOffer@16
"2008-03-14 08:05:00 C:\WINNT\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe
"2007-12-15 07:40:31 C:\WINNT\Tasks\Norton AntiVirus - Run Full System Scan - x.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
"2006-08-10 05:49:11 C:\WINNT\Tasks\Norton AntiVirus - Run Norton QuickScan - x.job"
- C:\PROGRA~1\NORTON~1\NAVW32.EXEg/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-14 06:00:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\explorer.exe [6.00.2900.2180]
-> C:\WINNT\system32\pmnlm.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-03-14 6:09:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-14 14:09:19
ComboFix2.txt 2008-03-14 04:19:14
ComboFix3.txt 2008-03-13 14:32:49
ComboFix4.txt 2008-03-12 14:22:00
ComboFix5.txt 2008-03-12 03:26:02
.
2008-03-14 09:03:37 --- E O F ---

 

[Connery]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:12:23 AM, on 3/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\connery.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINNT\system32\pmnlm.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {8625AB0F-FB15-4404-A4EA-7AAB1BEFDC6A} - C:\WINNT\system32\pmnlm.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: CNavExtBho Class - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINNT\system32\drivers\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\x\Start Menu\Programs\>IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/supergerball/miniclipGameLoader.dll
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/rssoft.cab
O20 - Winlogon Notify: awtqnmn - awtqnmn.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINNT\system32\bgsvcgen.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINNT\system32\UAService7.exe
O24 - Desktop Component 0: (no name) - http://www.theappliance.com/airavata/Lila62631.jpg

--
End of file - 10817 bytes

 

[little eagle]

Open notepad and copy/paste the text in the codebox below into it:

File::
C:\WINNT\system32\pmnlm.exe
C:\WINNT\system32\pmnlm.dll
RenV::
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe

Save this as Save this as "CFScript"

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Close all programs leaving only HijackThis running. Place a check against each of the following,

F3 - REG:win.ini: load=C:\WINNT\system32\pmnlm.exe
O2 - BHO: (no name) - {8625AB0F-FB15-4404-A4EA-7AAB1BEFDC6A} - C:\WINNT\system32\pmnlm.dll
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/supergerball...GameLoader.dll
O20 - Winlogon Notify: awtqnmn - awtqnmn.dll (file missing)

Click on Fix Checked when finished and exit HijackThis.



Then post the results log and a new HijackThis log.

 

[Connery]

ComboFix 08-03-10.1 - x 2008-03-14 6:41:37.10 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.65 [GMT -8:00]
Running from: C:\Documents and Settings\x\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\x\Desktop\CFScript
* Created a new restore point

FILE ::
C:\WINNT\system32\pmnlm.dll
C:\WINNT\system32\pmnlm.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
C:\WINNT\system32\ctfmon.exe.tmp
C:\WINNT\system32\mlnmp.ini
C:\WINNT\system32\mlnmp.ini2
C:\WINNT\system32\pmnlm.dll
C:\WINNT\system32\pmnlm.exe
C:\WINNT\system32\RCX7.tmp

.
((((((((((((((((((((((((( Files Created from 2008-02-14 to 2008-03-14 )))))))))))))))))))))))))))))))
.

2008-03-14 06:34 . 2008-03-14 06:34 15,360 --a------ C:\WINNT\system32\ctfmon .exe
2008-03-12 19:09 . 2008-03-13 05:50 15,360 --a--c--- C:\WINNT\system32\dllcache\ctfmon.exe
2008-03-12 19:09 . 2008-03-13 05:50 15,360 --a------ C:\WINNT\system32\ctfmon.exe
2008-03-10 20:25 . 2008-03-10 20:25 24,576 --a------ C:\WINNT\system32\VundoFixSVC.exe
2008-03-09 23:59 . 2008-03-10 20:48 <DIR> d-------- C:\VundoFix Backups
2008-03-09 21:26 . 2008-03-14 05:29 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-03-09 21:26 . 2008-03-09 21:26 1,409 --a------ C:\WINNT\QTFont.for
2008-02-27 20:27 . 2008-02-27 20:27 7,168 --------- C:\WINNT\system32\windows_tobedeleted_old
2008-02-27 00:34 . 2008-03-14 07:09 13,646 --a------ C:\WINNT\system32\wpa.dbl
2008-02-26 20:40 . 2008-03-11 18:53 <DIR> d-------- C:\Temp
2008-02-20 20:22 . 2008-02-20 20:22 745 --a------ C:\WINNT\COD.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-14 15:10 335,360 ----a-w C:\WINNT\system32\pmnlm.dll
2008-03-14 13:55 --------- d-----w C:\Program Files\iTunes
2008-03-14 13:55 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-12 03:08 --------- d-----w C:\Program Files\Accessories
2008-02-21 04:26 --------- d-----w C:\Program Files\Call of Duty
2008-02-07 15:46 --------- d-----w C:\Program Files\QuickTime
2008-02-07 07:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-04 15:19 7,536 ----a-w C:\WINNT\loadqm.exe
2008-01-27 01:42 --------- d-----w C:\Program Files\Trend Micro
2008-01-18 00:52 126 ----a-w C:\tempdel.bat
2008-01-17 10:34 --------- d-----w C:\Program Files\iPod
2008-01-15 02:12 --------- d-----w C:\Program Files\RcvSystem
2002-11-06 23:45 57,344 ----a-w C:\WINNT\Fonts\omnithread_rt.dll
2002-11-06 23:45 32,768 ----a-w C:\WINNT\Fonts\VNCHooks.dll
2002-06-09 23:40 271 --sh--w C:\Program Files\desktop.ini
2002-06-09 23:40 21,952 ---ha-w C:\Program Files\folder.htt
.

<pre>
----a-w           420,352 2008-03-14 15:14:51  C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
----a-w            15,360 2008-03-14 14:34:50  C:\WINNT\system32\ctfmon .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5871A7E9-661E-4175-93B7-FCABAC2900A1}]
2008-03-14 07:10 335360 --a------ C:\WINNT\system32\pmnlm.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2008-03-13 05:50 15360]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe" [2008-03-14 07:14 420352]
"SVCHOST.EXE"="C:\WINNT\system32\drivers\svchost.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSRunScript"="C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"Synchronization Manager"="mobsync.exe" [2006-02-28 04:00 143360 C:\WINNT\system32\mobsync.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe" [ ]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [ ]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [ ]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [ ]
"LoadQM"="loadqm.exe" [2008-02-04 07:19 7536 C:\WINNT\loadqm.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"EKIJ5000StatusMonitor"="C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2005-06-14 09:05 6856704]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2006-02-28 04:00 214528]
"tscuninstall"="C:\WINNT\system32\tscupgrd.exe" [2006-02-28 04:00 44544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 00:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqnmn]
awtqnmn.dll

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINNT\system32\pmnlm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=NVDESK32.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINNT\system32\pmnlm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"OM_Monitor"=C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"CamMonitor"=C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
"nwiz"=nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R1 cdudf;cdudf;C:\WINNT\system32\drivers\cdudf.sys [2001-09-04 14:38]
R2 KodakSvc;Kodak AiO Device Service;"C:\Program Files\Kodak\printer\center\KodakSvc.exe" [2007-03-22 18:04]
R3 tbcspud;Santa Cruz Driver;C:\WINNT\system32\drivers\tbcspud.sys [2001-08-29 12:19]
R3 tbcwdm;Santa Cruz WDM Driver;C:\WINNT\system32\drivers\tbcwdm.sys [2001-08-29 12:19]
S3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [2003-06-19 11:05]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-27 07:47:00 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-09 05:57:03 C:\WINNT\Tasks\EasyShare Registration Task.job"
- C:\WINNT\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOffer@16
"2008-03-14 08:05:00 C:\WINNT\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe
"2007-12-15 07:40:31 C:\WINNT\Tasks\Norton AntiVirus - Run Full System Scan - x.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
"2006-08-10 05:49:11 C:\WINNT\Tasks\Norton AntiVirus - Run Norton QuickScan - x.job"
- C:\PROGRA~1\NORTON~1\NAVW32.EXEg/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-14 07:10:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINNT\system32\mlnmp.ini 318 bytes
C:\WINNT\system32\mlnmp.ini2 318 bytes
C:\WINNT\system32\pmnlm.exe 338944 bytes executable

scan completed successfully
hidden files: 3

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\explorer.exe [6.00.2900.2180]
-> C:\WINNT\system32\pmnlm.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-03-14 7:20:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-14 15:19:55
ComboFix2.txt 2008-03-14 14:09:29
ComboFix3.txt 2008-03-14 04:19:14
ComboFix4.txt 2008-03-13 14:32:49
ComboFix5.txt 2008-03-12 14:22:00
.
2008-03-14 09:03:37 --- E O F ---

 

[Connery]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:25:59 AM, on 3/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\explorer.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Trend Micro\HijackThis\connery.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINNT\system32\pmnlm.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5871A7E9-661E-4175-93B7-FCABAC2900A1} - C:\WINNT\system32\pmnlm.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: CNavExtBho Class - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINNT\system32\drivers\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\x\Start Menu\Programs\>IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/rssoft.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINNT\system32\bgsvcgen.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINNT\system32\UAService7.exe
O24 - Desktop Component 0: (no name) - http://www.theappliance.com/airavata/Lila62631.jpg

--
End of file - 10668 bytes

 

[little eagle]

What a ruff little bugger :lip:

Open notepad and copy/paste the text in the codebox below into it:

File::
C:\WINNT\system32\mlnmp.ini 
C:\WINNT\system32\mlnmp.ini2  
C:\WINNT\system32\pmnlm.exe  

RenV::
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
C:\WINNT\system32\ctfmon .exe

Save this as Save this as "CFScript"

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.

 

[Connery]

It sure is. I'm starting to think I should ask pmnlm.exe for rent money

ComboFix 08-03-10.1 - x 2008-03-14 20:12:25.11 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.53 [GMT -8:00]
Running from: C:\Documents and Settings\x\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\x\Desktop\CFScript
* Created a new restore point

FILE ::
C:\WINNT\system32\mlnmp.ini
C:\WINNT\system32\mlnmp.ini2
C:\WINNT\system32\pmnlm.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\BM7f8fb1d3.xml
C:\WINNT\pskt.ini
C:\WINNT\system32\ctfmon.exe.tmp
C:\WINNT\system32\jkfvnbtp.ini
C:\WINNT\system32\jwqandkx.dll
C:\WINNT\system32\mlnmp.ini
C:\WINNT\system32\mlnmp.ini2
C:\WINNT\system32\plytrcof.dll
C:\WINNT\system32\pmnlm.dll
C:\WINNT\system32\pmnlm.exe
C:\WINNT\system32\ptbnvfkj.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-15 to 2008-03-15 )))))))))))))))))))))))))))))))
.

2008-03-14 19:56 . 2008-03-14 19:56 338,944 --a------ C:\WINNT\system32\RCX8.tmp
2008-03-14 08:49 . 2008-03-14 08:49 338,944 --a------ C:\WINNT\system32\RCX7.tmp
2008-03-14 06:34 . 2008-03-14 19:56 15,360 --a--c--- C:\WINNT\system32\dllcache\ctfmon.exe
2008-03-14 06:34 . 2008-03-14 19:56 15,360 --a------ C:\WINNT\system32\ctfmon.exe
2008-03-10 20:25 . 2008-03-10 20:25 24,576 --a------ C:\WINNT\system32\VundoFixSVC.exe
2008-03-09 23:59 . 2008-03-10 20:48 <DIR> d-------- C:\VundoFix Backups
2008-03-09 21:26 . 2008-03-14 05:29 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-03-09 21:26 . 2008-03-09 21:26 1,409 --a------ C:\WINNT\QTFont.for
2008-02-27 20:27 . 2008-02-27 20:27 7,168 --------- C:\WINNT\system32\windows_tobedeleted_old
2008-02-27 00:34 . 2008-03-14 20:27 13,646 --a------ C:\WINNT\system32\wpa.dbl
2008-02-26 20:40 . 2008-03-11 18:53 <DIR> d-------- C:\Temp
2008-02-20 20:22 . 2008-02-20 20:22 745 --a------ C:\WINNT\COD.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-15 04:02 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-14 13:55 --------- d-----w C:\Program Files\iTunes
2008-03-12 03:08 --------- d-----w C:\Program Files\Accessories
2008-02-21 04:26 --------- d-----w C:\Program Files\Call of Duty
2008-02-07 15:46 --------- d-----w C:\Program Files\QuickTime
2008-02-07 07:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-04 15:19 7,536 ----a-w C:\WINNT\loadqm.exe
2008-01-27 01:42 --------- d-----w C:\Program Files\Trend Micro
2008-01-18 00:52 126 ----a-w C:\tempdel.bat
2008-01-17 10:34 --------- d-----w C:\Program Files\iPod
2008-01-15 02:12 --------- d-----w C:\Program Files\RcvSystem
2002-11-06 23:45 57,344 ----a-w C:\WINNT\Fonts\omnithread_rt.dll
2002-11-06 23:45 32,768 ----a-w C:\WINNT\Fonts\VNCHooks.dll
2002-06-09 23:40 271 --sh--w C:\Program Files\desktop.ini
2002-06-09 23:40 21,952 ---ha-w C:\Program Files\folder.htt
.

<pre>
----a-w           420,352 2008-03-15 04:31:07  C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{958DA74F-8EF5-4F84-AEDD-C5E98C6D3E3E}]
2008-03-14 20:29 335360 --a------ C:\WINNT\system32\pmnlm.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2008-03-14 19:56 15360]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe" [2008-03-14 20:31 420352]
"SVCHOST.EXE"="C:\WINNT\system32\drivers\svchost.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSRunScript"="C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"Synchronization Manager"="mobsync.exe" [2006-02-28 04:00 143360 C:\WINNT\system32\mobsync.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe" [ ]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [ ]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [ ]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [ ]
"LoadQM"="loadqm.exe" [2008-02-04 07:19 7536 C:\WINNT\loadqm.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"EKIJ5000StatusMonitor"="C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2005-06-14 09:05 6856704]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2006-02-28 04:00 214528]
"tscuninstall"="C:\WINNT\system32\tscupgrd.exe" [2006-02-28 04:00 44544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 00:15:54 65588]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINNT\system32\pmnlm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=NVDESK32.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINNT\system32\pmnlm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"OM_Monitor"=C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"CamMonitor"=C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
"nwiz"=nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R1 cdudf;cdudf;C:\WINNT\system32\drivers\cdudf.sys [2001-09-04 14:38]
R2 KodakSvc;Kodak AiO Device Service;"C:\Program Files\Kodak\printer\center\KodakSvc.exe" [2007-03-22 18:04]
R3 tbcspud;Santa Cruz Driver;C:\WINNT\system32\drivers\tbcspud.sys [2001-08-29 12:19]
R3 tbcwdm;Santa Cruz WDM Driver;C:\WINNT\system32\drivers\tbcwdm.sys [2001-08-29 12:19]
S3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [2003-06-19 11:05]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-27 07:47:00 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-09 05:57:03 C:\WINNT\Tasks\EasyShare Registration Task.job"
- C:\WINNT\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOffer@16
"2008-03-15 04:05:00 C:\WINNT\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe
"2008-03-15 04:00:00 C:\WINNT\Tasks\Norton AntiVirus - Run Full System Scan - x.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
"2006-08-10 05:49:11 C:\WINNT\Tasks\Norton AntiVirus - Run Norton QuickScan - x.job"
- C:\PROGRA~1\NORTON~1\NAVW32.EXEg/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-14 20:28:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINNT\system32\mlnmp.ini 318 bytes
C:\WINNT\system32\mlnmp.ini2 318 bytes
C:\WINNT\system32\pmnlm.dll 335360 bytes executable
C:\WINNT\system32\pmnlm.exe 338944 bytes executable

scan completed successfully
hidden files: 4

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\explorer.exe [6.00.2900.2180]
-> C:\WINNT\system32\pmnlm.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\WINNT\system32\imapi.exe
C:\WINNT\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-03-14 20:38:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-15 04:37:51
ComboFix2.txt 2008-03-14 15:20:04
ComboFix3.txt 2008-03-14 14:09:29
ComboFix4.txt 2008-03-14 04:19:14
ComboFix5.txt 2008-03-13 14:32:49
.
2008-03-14 09:03:37 --- E O F ---

 

[Connery]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:39:30 PM, on 3/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINNT\system32\imapi.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\connery.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINNT\system32\pmnlm.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {958DA74F-8EF5-4F84-AEDD-C5E98C6D3E3E} - C:\WINNT\system32\pmnlm.dll
O2 - BHO: CNavExtBho Class - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINNT\system32\drivers\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\x\Start Menu\Programs\>IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/rssoft.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINNT\system32\bgsvcgen.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINNT\system32\UAService7.exe
O24 - Desktop Component 0: (no name) - http://www.theappliance.com/airavata/Lila62631.jpg

--
End of file - 10603 bytes

 

[little eagle]

Download and Save blacklight to your desktop.
F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe then accept the agreement.
click > scan then > next,
You'll see a list of all items found - if found, so don't worry it tells that there were no files found.
In case hidden files were found, Don't choose for rename yet! I want to see the log first, because legit items can also be present there...but you can kill these

C:\WINNT\system32\mlnmp.ini 318 bytes
C:\WINNT\system32\mlnmp.ini2 318 bytes
C:\WINNT\system32\pmnlm.dll 335360 bytes executable
C:\WINNT\system32\pmnlm.exe 338944 bytes executable

There must be also a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)
Post the contents of the log in your next reply.

 

[Connery]

Download and Save blacklight to your desktop.
F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe then accept the agreement.
click > scan then > next

That page doesn't seem to work anymore. I did find a link to blacklight on the page http://www.f-secure.com/security_center/ at the bottom. Doesn't have the name blbeta.exe though, it's fsbl.exe. Is it the wrong version, or have they gone beyond beta now?

 

[Connery]

I did run that fsbl.exe scan, and it didn't find anything. Here's the log file it generated.

03/15/08 09:56:18 [Info]: BlackLight Engine 1.0.67 initialized
03/15/08 09:56:18 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/15/08 09:56:18 [Note]: 7019 4
03/15/08 09:56:18 [Note]: 7005 0
03/15/08 09:56:29 [Note]: 7006 0
03/15/08 09:56:29 [Note]: 7011 3596
03/15/08 09:56:29 [Note]: 7026 0
03/15/08 09:56:30 [Note]: 7026 0
03/15/08 09:56:37 [Note]: FSRAW library version 1.7.1024
03/15/08 10:10:24 [Note]: 7007 0

 

[little eagle]

Do you have the CD for C:\Program Files\OLYMPUS?

Think we will have to kill the program the start up is infected and reinfecting the PC. I think.

 

[Connery]

That's no problem. I'm sure I still have the CD.

This time when I started up the machine it told me it couldn't find the pmnlm file being called out in the registry. :scratch:

 

[little eagle]

Well that is a good thing............

Open notepad and copy/paste the text in the codebox below into it:

Folder::
C:\Program Files\OLYMPUS

Save this as Save this as "CFScript"

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.

 

[Connery]

ComboFix 08-03-10.1 - x 2008-03-16 10:13:44.12 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.56 [GMT -8:00]
Running from: C:\Documents and Settings\x\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\x\Desktop\CFScript
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\OLYMPUS
C:\Program Files\OLYMPUS\OLYMPUS Master\Artworks\Background\0001\back_color_00.obg
.
.
.
a whole bunch of files that make this 85714 characters long - do I need to post them all?
.
.
.
C:\Program Files\OLYMPUS\OLYMPUS Master\VPrintOnlineHelper40.dll
C:\WINNT\BM7f8fb1d3.xml
C:\WINNT\pskt.ini
C:\WINNT\system32\ctfmon.exe.tmp
C:\WINNT\system32\jhcmuhhy.ini
C:\WINNT\system32\lbctvrfr.dll
C:\WINNT\system32\mjrvvotb.dll
C:\WINNT\system32\mlnmp.ini
C:\WINNT\system32\mlnmp.ini2
C:\WINNT\system32\njduokij.dll
C:\WINNT\system32\phswtnnx.dll
C:\WINNT\system32\pmnlm.dll
C:\WINNT\system32\pmnlm.exe
C:\WINNT\system32\yhhumchj.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-16 to 2008-03-16 )))))))))))))))))))))))))))))))
.

2008-03-15 09:22 . 2008-03-15 09:22 338,944 --a------ C:\WINNT\system32\RCXC.tmp
2008-03-14 21:58 . 2008-03-15 21:43 594 ---hs---- C:\WINNT\system32\lblhsuck.ini
2008-03-14 21:55 . 2008-03-14 21:55 338,944 --a------ C:\WINNT\system32\RCXB.tmp
2008-03-14 21:31 . 2008-03-14 21:31 338,944 --a------ C:\WINNT\system32\RCXA.tmp
2008-03-14 20:57 . 2008-03-14 20:57 338,944 --a------ C:\WINNT\system32\RCX9.tmp
2008-03-14 20:57 . 2008-03-16 10:04 15,360 --a------ C:\WINNT\system32\ctfmon .exe
2008-03-14 19:56 . 2008-03-14 19:56 338,944 --a------ C:\WINNT\system32\RCX8.tmp
2008-03-14 08:49 . 2008-03-14 08:49 338,944 --a------ C:\WINNT\system32\RCX7.tmp
2008-03-14 06:34 . 2008-03-14 19:56 15,360 --a--c--- C:\WINNT\system32\dllcache\ctfmon.exe
2008-03-14 06:34 . 2008-03-14 19:56 15,360 --a------ C:\WINNT\system32\ctfmon.exe
2008-03-10 20:25 . 2008-03-10 20:25 24,576 --a------ C:\WINNT\system32\VundoFixSVC.exe
2008-03-09 23:59 . 2008-03-10 20:48 <DIR> d-------- C:\VundoFix Backups
2008-02-27 20:27 . 2008-02-27 20:27 7,168 --------- C:\WINNT\system32\windows_tobedeleted_old
2008-02-27 00:34 . 2008-03-16 10:30 13,646 --a------ C:\WINNT\system32\wpa.dbl
2008-02-26 20:40 . 2008-03-11 18:53 <DIR> d-------- C:\Temp
2008-02-20 20:22 . 2008-02-20 20:22 745 --a------ C:\WINNT\COD.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-15 04:02 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-14 13:55 --------- d-----w C:\Program Files\iTunes
2008-03-12 03:08 --------- d-----w C:\Program Files\Accessories
2008-02-21 04:26 --------- d-----w C:\Program Files\Call of Duty
2008-02-07 15:46 --------- d-----w C:\Program Files\QuickTime
2008-02-07 07:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-04 15:19 7,536 ----a-w C:\WINNT\loadqm.exe
2008-01-27 01:42 --------- d-----w C:\Program Files\Trend Micro
2008-01-18 00:52 126 ----a-w C:\tempdel.bat
2008-01-17 10:34 --------- d-----w C:\Program Files\iPod
2002-11-06 23:45 57,344 ----a-w C:\WINNT\Fonts\omnithread_rt.dll
2002-11-06 23:45 32,768 ----a-w C:\WINNT\Fonts\VNCHooks.dll
2002-06-09 23:40 271 --sh--w C:\Program Files\desktop.ini
2002-06-09 23:40 21,952 ---ha-w C:\Program Files\folder.htt
.

<pre>
----a-w            15,360 2008-03-16 18:04:17  C:\WINNT\system32\ctfmon .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2008-03-14 19:56 15360]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe" [ ]
"SVCHOST.EXE"="C:\WINNT\system32\drivers\svchost.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSRunScript"="C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"Synchronization Manager"="mobsync.exe" [2006-02-28 04:00 143360 C:\WINNT\system32\mobsync.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe" [ ]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [ ]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [ ]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [ ]
"LoadQM"="loadqm.exe" [2008-02-04 07:19 7536 C:\WINNT\loadqm.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"EKIJ5000StatusMonitor"="C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2005-06-14 09:05 6856704]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2006-02-28 04:00 214528]
"tscuninstall"="C:\WINNT\system32\tscupgrd.exe" [2006-02-28 04:00 44544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 00:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=NVDESK32.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"OM_Monitor"=C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"CamMonitor"=C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
"nwiz"=nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R1 cdudf;cdudf;C:\WINNT\system32\drivers\cdudf.sys [2001-09-04 14:38]
R2 KodakSvc;Kodak AiO Device Service;"C:\Program Files\Kodak\printer\center\KodakSvc.exe" [2007-03-22 18:04]
R3 tbcspud;Santa Cruz Driver;C:\WINNT\system32\drivers\tbcspud.sys [2001-08-29 12:19]
R3 tbcwdm;Santa Cruz WDM Driver;C:\WINNT\system32\drivers\tbcwdm.sys [2001-08-29 12:19]
S3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [2003-06-19 11:05]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-16 07:47:00 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-16 05:56:00 C:\WINNT\Tasks\EasyShare Registration Task.job"
- C:\WINNT\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOffer@16
"2008-03-16 08:05:00 C:\WINNT\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe
"2008-03-15 04:00:00 C:\WINNT\Tasks\Norton AntiVirus - Run Full System Scan - x.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
"2006-08-10 05:49:11 C:\WINNT\Tasks\Norton AntiVirus - Run Norton QuickScan - x.job"
- C:\PROGRA~1\NORTON~1\NAVW32.EXEg/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-16 10:31:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-03-16 10:38:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-16 18:38:46
ComboFix2.txt 2008-03-15 04:38:01
ComboFix3.txt 2008-03-14 15:20:04
ComboFix4.txt 2008-03-14 14:09:29
ComboFix5.txt 2008-03-14 04:19:14
.
2008-03-16 18:22:20 --- E O F ---