Virtumonde and a big mess

Connery

New member
Upgraded my home pc from 2000 to XP (with SP2) a few months ago (better late than never... maybe), and since then the automatic updates haven't been working at all. I assume this has left some big security holes that have now caused me big trouble. Before the upgrade the system was clean according to Spybot and Norton. Started having Virtumonde problems a couple of weeks back, and things have gotten pretty bad now. Can't get internet access with it at all, so I can't run Kaspersky. Here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:38:25 PM, on 1/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc .exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Logitech\Video\LogiTray .exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\LVComS.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\NSCSRVCE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINNT\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINNT\system32\vtsqo.exe
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA5487] command /c del "C:\WINNT\system32\vtsqo.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6658] cmd /c del "C:\WINNT\system32\vtsqo.dll_tobedeleted"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb029YYUS_ZNxdm41447CA
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Mike Gustafson\Start Menu\Programs\>IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/supergerball/miniclipGameLoader.dll
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/rssoft.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{092DDBAC-E12C-404E-9FC7-1EA492CB4008}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD9E6973-BA53-4C84-9A03-2E0A39B1C79D}: NameServer = 85.255.113.140,85.255.112.93
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{092DDBAC-E12C-404E-9FC7-1EA492CB4008}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{092DDBAC-E12C-404E-9FC7-1EA492CB4008}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINNT\system32\bgsvcgen.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Microsoft I2I Service - Unknown owner - C:\WINNT\system32\_svchost.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINNT\system32\UAService7.exe
O24 - Desktop Component 0: (no name) - http://www.theappliance.com/airavata/Lila62631.jpg

--
End of file - 15793 bytes
 
Hi Connery

Rename HijackThis.exe to Connery.exe and post back a fresh HijackThis log, please :)
 
Thanks Shaba. Here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:55:42 PM, on 2/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc .exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Logitech\Video\LogiTray .exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched .exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI .exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\LVComS.exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\NSCSRVCE.EXE
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\connery.exe
C:\WINNT\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINNT\system32\vtsqo.exe
O2 - BHO: {8ef39c80-b68e-f638-a104-7242525e0120} - {0210e525-2427-401a-836f-e86b08c93fe8} - C:\WINNT\system32\erkwjeqq.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1B78B14D-C8BD-420C-95C0-54A1709D54BD} - C:\WINNT\system32\comre.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: BndBlock4 BHO Class - {8F9E2BE3-766D-4831-BB0E-766D5B819995} - C:\Program Files\QdrDrive\QdrDrive9.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: CNavExtBho Class - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINNT\system32\awtrron.dll
O2 - BHO: (no name) - {F0249C39-D22E-4C86-9DE8-8AE9A7E0CFC7} - C:\WINNT\system32\vtsqo.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb029YYUS_ZNxdm41447CA
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Mike Gustafson\Start Menu\Programs\>IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/supergerball/miniclipGameLoader.dll
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/rssoft.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{092DDBAC-E12C-404E-9FC7-1EA492CB4008}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD9E6973-BA53-4C84-9A03-2E0A39B1C79D}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{092DDBAC-E12C-404E-9FC7-1EA492CB4008}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{092DDBAC-E12C-404E-9FC7-1EA492CB4008}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINNT\system32\bgsvcgen.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Microsoft I2I Service - Unknown owner - C:\WINNT\system32\_svchost.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINNT\system32\UAService7.exe
O24 - Desktop Component 0: (no name) - http://www.theappliance.com/airavata/Lila62631.jpg

--
End of file - 17378 bytes
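As an added triage example (not part of either poster's text, and not HijackThis's or FixWareout's own code): a Python script that walks a HijackThis log and flags the patterns visible in the two logs above: the F3 win.ini load= entry, O2 BHOs that have no name or a GUID for a name and load from system32, filenames with whitespace just before the extension ("QTTask .exe", "PowerReg Scheduler V3 .exe", which are different files from the real ones), O17 NameServer values other than the pair the untouched adapters use, the O18 text/html filter, and O23 services whose binary is missing or unsigned under system32. The sample lines are constructed from entries in those logs, not a full log; the resolver allowlist is an assumption about which DNS servers the owner intends.

```python
"""Triage a HijackThis log for the indicator patterns visible in this thread."""
import re

# Constructed sample, modelled on lines from the two logs posted above.
# It is not either log in full; the mix of clean and suspicious entries is deliberate.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINNT\system32\vtsqo.exe
O2 - BHO: {8ef39c80-b68e-f638-a104-7242525e0120} - {0210e525-2427-401a-836f-e86b08c93fe8} - C:\WINNT\system32\erkwjeqq.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINNT\system32\awtrron.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - Startup: PowerReg Scheduler V3 .exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD9E6973-BA53-4C84-9A03-2E0A39B1C79D}: NameServer = 85.255.113.140,85.255.112.93
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O23 - Service: Microsoft I2I Service - Unknown owner - C:\WINNT\system32\_svchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
"""

# Assumption: the resolvers the owner actually intends to use. This pair is what
# the untouched O17 lines in both logs carry; any other value gets flagged.
ALLOWED_DNS = {"208.67.222.222", "208.67.220.220"}

# Whitespace right before the extension ("QTTask .exe") makes a different file
# from "QTTask.exe"; several entries in the logs look like this.
SPACE_BEFORE_EXT = re.compile(r"\S\s+\.(exe|dll|com|scr)\b", re.IGNORECASE)
BHO_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
GUID = re.compile(r"^\{?[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}?$")
O17_LINE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,\s]+)$")


def suspicious_bho(line):
    """Flag an O2 entry whose name is blank or a bare GUID and whose DLL lives in system32."""
    m = BHO_LINE.match(line)
    if not m:
        return None
    name, path = m.group("name").strip(), m.group("path").strip()
    nameless = name == "(no name)" or bool(GUID.match(name))
    if nameless and "\\system32\\" in path.lower():
        return "BHO with no descriptive name loaded from system32: " + path
    return None


def rogue_nameservers(line):
    """Return the O17 NameServer values on this line that are not in ALLOWED_DNS."""
    m = O17_LINE.match(line)
    if not m:
        return []
    servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
    return [s for s in servers if s not in ALLOWED_DNS]


def triage(log_text):
    """Walk a HijackThis log and return (section, reason, line) for every hit."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]  # "F3", "O2", "O17", ...

        if SPACE_BEFORE_EXT.search(line):
            findings.append((section, "whitespace before file extension", line))
        if section == "F3" and "load=" in line:
            findings.append((section, "legacy win.ini load= autostart", line))
        bho = suspicious_bho(line)
        if bho:
            findings.append((section, bho, line))
        rogue = rogue_nameservers(line)
        if rogue:
            findings.append((section, "NameServer outside allowlist: " + ",".join(rogue), line))
        if section == "O18" and "Filter hijack" in line:
            findings.append((section, "MIME filter registered; every page of that type passes through the DLL", line))
        if (section == "O23" and ("(file missing)" in line or "Unknown owner" in line)
                and "\\system32\\" in line.lower()):
            findings.append((section, "service with missing binary or no vendor under system32", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run it against a saved log with `triage(open("hijackthis.log").read())`. The output is a list for a human to read, not a verdict: the nameless-BHO rule deliberately requires the DLL to sit under system32, so Spybot's SDHelper, which the second log also lists as "(no name)" but under Program Files, is left alone, while the four unnamed DLLs in system32 are all reported.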
 
Hi

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://download.bleepingcomputer.com/lonny/Fixwareout.exe

  • Save it to your desktop and run it. Click Next, then Install, make sure Run fixit is checked and click Finish.
  • The fix will begin; follow the prompts.
  • You will be asked to reboot your computer; please do so.
  • Your system may take longer than usual to load; this is normal.
  • Once the desktop loads, post the text that will open (report.txt) and a new Hijackthis log in the forum please.

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any processes named findstr, find, sed or swreg; ComboFix should then continue.
If that happens we want to know, and also which process you had to end.

If you have problems with Combofix usage, see here

Post:

- a fresh HijackThis log
- combofix report
- fixwareout report
 
Here's the fixwareout log:

Username "x" - 02/02/2008 20:03:33 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdapf.exe"


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....
~~~~~ Other
C:\WINNT\Temp\kdapf.ren 73216 02/28/2006

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"SSRunScript"="\"C:\\Program Files\\Support.com\\Charter\\bin\\SSRunScript.exe\" /script \"C:\\Program Files\\Support.com\\Charter\\vbs\\verifyconnection.vbs\" /args //b startupdelay"
"LoadQM"="loadqm.exe"
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe"
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_04\\bin\\jusched.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"OM_Monitor"="C:\\Program Files\\OLYMPUS\\OLYMPUS Master\\FirstStart.exe"
"Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PIFSvc.exe\" /a /m \"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\AlertEng.dll\""
"EKIJ5000StatusMonitor"="C:\\WINNT\\System32\\spool\\DRIVERS\\W32X86\\3\\EKIJ5000MUI.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\QTTask .exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"OM_Monitor"="C:\\Program Files\\OLYMPUS\\OLYMPUS Master\\Monitor.exe -NoStart"
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

It said when it finished that if I did not have internet access I should double click dnsbak.reg and mention it here. I did, but later I wondered if I was only meant to do it if I had access before running it and not after.

Here's the new hjt log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:02:46 PM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc .exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Logitech\Video\LogiTray .exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched .exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI .exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\LVComS.exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\taskmgr.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\NSCSRVCE.EXE
C:\Program Files\Trend Micro\HijackThis\connery.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINNT\system32\vtsqo.exe
O2 - BHO: {8ef39c80-b68e-f638-a104-7242525e0120} - {0210e525-2427-401a-836f-e86b08c93fe8} - C:\WINNT\system32\erkwjeqq.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1B78B14D-C8BD-420C-95C0-54A1709D54BD} - C:\WINNT\system32\comre.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: BndBlock4 BHO Class - {8F9E2BE3-766D-4831-BB0E-766D5B819995} - C:\Program Files\QdrDrive\QdrDrive9.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {950F3051-BF6D-4512-A10A-91BF2B0940B3} - C:\WINNT\system32\vtsqo.dll
O2 - BHO: CNavExtBho Class - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINNT\system32\awtrron.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb029YYUS_ZNxdm41447CA
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Mike Gustafson\Start Menu\Programs\>IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/supergerball/miniclipGameLoader.dll
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/rssoft.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{092DDBAC-E12C-404E-9FC7-1EA492CB4008}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD9E6973-BA53-4C84-9A03-2E0A39B1C79D}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{092DDBAC-E12C-404E-9FC7-1EA492CB4008}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{092DDBAC-E12C-404E-9FC7-1EA492CB4008}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINNT\system32\bgsvcgen.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Microsoft I2I Service - Unknown owner - C:\WINNT\system32\_svchost.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINNT\system32\UAService7.exe
O24 - Desktop Component 0: (no name) - http://www.theappliance.com/airavata/Lila62631.jpg

--
End of file - 17497 bytes


Running combofix now. I'll post that log and a new hjt log after that finishes.
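Editor's note, added example (not code from the original thread, nor from the HijackThis or ComboFix authors): the log above shows the tell-tale Vundo-era tricks a helper reads for by eye, in particular file names with a space before the extension ("QTTask .exe" running next to the real "QTTask.exe"), a win.ini load= hook, nameless BHOs pointing at random DLLs in system32, a text/html filter hijack, and a registered service whose binary is missing. The script below turns those reads into regex rules and runs them over a handful of constructed HJT-format lines modelled on the entries in this log; the rule names, the SAMPLE_LOG text and the two function names are this example's own assumptions, not anything HijackThis itself provides.

```python
"""Heuristic triage of HijackThis v2 log lines for Vundo/Virtumonde-style indicators.

Added example for this thread; rule names and sample text are constructed here.
"""
import re
from collections import defaultdict

# Constructed sample in HijackThis v2 format, modelled on entries of the kind
# that appear in the log above (paths and CLSIDs are illustrative).
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINNT\system32\vtsqo.exe
O2 - BHO: (no name) - {950F3051-BF6D-4512-A10A-91BF2B0940B3} - C:\WINNT\system32\vtsqo.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Startup: PowerReg Scheduler .exe
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O23 - Service: Microsoft I2I Service - Unknown owner - C:\WINNT\system32\_svchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
"""

# Rule 1: whitespace immediately before the extension ("QTTask .exe").
# Windows treats "QTTask .exe" and "QTTask.exe" as different files, so the
# lookalike runs alongside the genuine program and hides in a casual read.
LOOKALIKE = re.compile(r"\S[ \t]+\.(?:exe|dll|scr|com|cpl)\b", re.IGNORECASE)

# Rule 2: legacy win.ini load=/run= hooks are still honoured by XP and are
# almost never used by legitimate software.
WININI_HOOK = re.compile(r"^F[23] - REG:win\.ini: (?:load|run)=(\S.*)$")

# Rule 3: a BHO with no name whose DLL lives in the system directory.
NONAME_SYS32_BHO = re.compile(
    r"^O2 - BHO: \(no name\) - \{[0-9A-Fa-f-]{36}\} - (.*\\system32\\[^\\]+\.dll)$",
    re.IGNORECASE,
)

# Rule 4: a MIME filter hijack for text/html sees every page the browser loads.
FILTER_HIJACK = re.compile(r"^O18 - Filter hijack: text/html - ")

# Rule 5: a registered service whose binary is gone is either an uninstall
# leftover or a component that something else already removed.
GHOST_SERVICE = re.compile(r"^O23 - Service: .*\(file missing\)$")

RULES = [
    ("lookalike_name", LOOKALIKE),
    ("winini_hook", WININI_HOOK),
    ("noname_system32_bho", NONAME_SYS32_BHO),
    ("html_filter_hijack", FILTER_HIJACK),
    ("ghost_service", GHOST_SERVICE),
]

# Drive-letter path ending in .exe/.dll; spaces inside the name are allowed so
# that lookalike names such as "QTTask .exe" are captured whole.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll)\b', re.IGNORECASE)


def triage(log_text):
    """Return {rule_name: [matching log lines]} for the given HJT log text."""
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        for name, pattern in RULES:
            if pattern.search(line):
                hits[name].append(line)
    return dict(hits)


def suspicious_paths(log_text):
    """Sorted, de-duplicated file paths named by any rule hit (a removal worklist)."""
    paths = set()
    for lines in triage(log_text).values():
        for line in lines:
            paths.update(PATH_RE.findall(line))
    return sorted(paths)


if __name__ == "__main__":
    for rule, lines in triage(SAMPLE_LOG).items():
        print(f"[{rule}]")
        for line in lines:
            print("   ", line)
    print("paths to examine:")
    for path in suspicious_paths(SAMPLE_LOG):
        print("   ", path)
```

Run it as-is to see the constructed sample triaged; feed it a real saved hijackthis.log by replacing SAMPLE_LOG with the file contents. The rules are deliberately narrow: Spybot's nameless SDHelper.dll BHO is not flagged because it does not live in system32, and the genuine ccApp.exe and nvsvc32.exe entries pass, which is the point of matching on the structural tricks rather than on file names that change with every variant.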
 
Combofix and new hjt log:

ComboFix 08-02.03.1 - x 2008-02-03 12:09:48.1 - NTFSx86
Running from: C:\Documents and Settings\x\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
/wow section - STAGE 1

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\system32\awtrron.dll
C:\WINNT\system32\setcnt.dll
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\LocalService\Local Settings\Application Data\n.ini
C:\Documents and Settings\x\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\x\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\x\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Logitech\Video\ISStart.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\QdrDrive9.dll
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dic.gz
C:\Program Files\QdrModule\kwd.gz
C:\Program Files\QdrModule\QdrModule11 .exe
C:\Program Files\QdrModule\QdrModule11.exe
C:\Program Files\QdrPack
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\QdrPack11 .exe
C:\Program Files\QdrPack\QdrPack11.exe
C:\Program Files\QdrPack\trgts.gz
C:\Program Files\Support.com\Charter\bin\SSRunScript.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\setup.exe
C:\WINNT\system32\awtrron.dll
C:\WINNT\system32\ceuexvti.dll
C:\WINNT\system32\comre.dll
C:\WINNT\system32\drivers\ip6fw.sys
C:\WINNT\system32\drivers\NdisWon.sys
C:\WINNT\system32\drivers\ymhiwjhc.dat
C:\WINNT\system32\erkwjeqq.dll
C:\WINNT\system32\ljepnapc.dll
C:\WINNT\system32\mcrh.tmp
C:\WINNT\system32\oqstv.ini
C:\WINNT\system32\oqstv.ini2
C:\WINNT\system32\setcnt.dll
C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\WINNT\system32\vqrhuurc.dll
C:\WINNT\system32\vtsqo.dll
C:\WINNT\system32\vtsqo.dll . . . . failed to delete
C:\WINNT\system32\vtsqo.exe
C:\WINNT\system32\vtutr.exe
C:\WINNT\Temp\1563625.exe
C:\WINNT\Web\default.htt
C:\wsusupd.exe

----- BITS: Possible infected sites -----

hxxp://80.93.59.108
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NDISWON
-------\LEGACY_RUNTIME
-------\LEGACY_UPYFPEIT
-------\upyfpeit


((((((((((((((((((((((((( Files Created from 2008-01-03 to 2008-02-03 )))))))))))))))))))))))))))))))
.

2008-02-02 20:02 . 2008-02-03 02:25 <DIR> d-------- C:\fixwareout
2008-01-26 17:42 . 2008-01-26 17:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-23 20:03 . 2008-02-03 11:19 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-01-23 20:03 . 2008-01-23 20:03 1,409 --a------ C:\WINNT\QTFont.for
2008-01-20 20:43 . 2008-02-03 11:17 7,536 --a------ C:\WINNT\loadqm .exe
2008-01-20 20:39 . 2008-01-20 20:39 13,646 --a------ C:\WINNT\system32\wpa.bak
2008-01-20 19:40 . 2008-02-03 12:38 13,646 --a------ C:\WINNT\system32\wpa.dbl
2008-01-20 17:54 . 2008-01-22 07:16 15,360 --a------ C:\WINNT\system32\ctfmon .exe
2008-01-17 22:09 . 2008-01-18 22:43 377,856 --a------ C:\wsusupd .exe
2008-01-17 16:52 . 2008-01-17 16:52 126 --a------ C:\tempdel.bat
2008-01-17 16:49 . 2008-01-17 16:49 6,144 --a------ C:\Documents and Settings\x\ie_updates3r.exe
2008-01-14 18:12 . 2008-01-14 18:12 <DIR> d-------- C:\Program Files\RcvSystem
2008-01-13 12:17 . 2008-01-13 12:17 6,144 --a------ C:\wincsrv.exe
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINNT\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINNT\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-03 20:26 --------- d-----w C:\Program Files\iTunes
2008-02-03 20:26 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-03 19:18 --------- d-----w C:\Program Files\QuickTime
2008-01-19 07:07 350,720 ----a-w C:\WINNT\loadqm.exe
2008-01-17 10:34 --------- d-----w C:\Program Files\iPod
2007-12-19 06:31 --------- d-----w C:\Documents and Settings\x\Application Data\AdobeUM
2007-12-09 07:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\kds_kodak
2007-12-09 07:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Eastman Kodak Company
2007-12-09 06:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2007-12-09 06:15 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SDSD
2007-12-09 06:10 --------- d-----w C:\Program Files\Kodak
2007-12-09 06:09 --------- d-----w C:\Program Files\Common Files\Kodak
2007-12-09 05:10 --------- d-----w C:\Program Files\Hewlett-Packard
2002-11-06 23:45 57,344 ----a-w C:\WINNT\Fonts\omnithread_rt.dll
2002-11-06 23:45 32,768 ----a-w C:\WINNT\Fonts\VNCHooks.dll
2002-06-09 23:40 271 --sh--w C:\Program Files\desktop.ini
2002-06-09 23:40 21,952 ---ha-w C:\Program Files\folder.htt
2005-11-08 09:19 6,990 --sha-w C:\WINNT\system32\accdd.bak1
2005-11-16 02:28 378,526 --sha-w C:\WINNT\system32\accdd.bak2
2005-09-08 14:26 176,422 --sha-w C:\WINNT\system32\dfhkj.bak1
.
Code:
<pre>
----a-w           377,856 2008-01-19 06:43:17  C:\wsusupd .exe
----a-w           256,000 2008-02-03 20:43:30  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler                                     .exe
----a-w           598,016 2008-02-03 20:10:44  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler                                    .exe
----a-w           598,016 2008-02-03 20:10:44  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler                                   .exe
----a-w           598,016 2008-02-03 20:10:44  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler                                  .exe
----a-w           598,016 2008-02-03 20:10:45  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler                                 .exe
----a-w           598,016 2008-02-03 20:10:46  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler                                .exe
----a-w           598,016 2008-02-03 20:41:41  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler                               .exe
----a-w           256,000 2008-02-03 20:42:48  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler                              .exe
----a-w           598,016 2008-02-03 20:10:48  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler                             .exe
----a-w           598,016 2008-02-03 20:10:48  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler                            .exe
----a-w           256,000 2008-02-03 20:46:15  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler                           .exe
----a-w           256,000 2008-02-03 20:51:12  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler                          .exe
----a-w           598,016 2008-02-03 20:42:17  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler                         .exe
----a-w           598,016 2008-02-03 20:42:22  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler                        .exe
----a-w           598,016 2008-02-03 20:42:26  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler                       .exe
----a-w           598,016 2008-02-03 20:42:29  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler                      .exe
----a-w           598,016 2008-02-03 20:42:32  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler                     .exe
----a-w           598,016 2008-02-03 20:42:35  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler                    .exe
----a-w           598,016 2008-02-03 20:42:38  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler                   .exe
----a-w           598,016 2008-02-03 20:42:40  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler                  .exe
----a-w           598,016 2008-02-03 20:42:46  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler                 .exe
----a-w           598,016 2008-02-03 20:42:48  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler                .exe
----a-w           598,016 2008-02-03 20:42:54  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler               .exe
----a-w           598,016 2008-02-03 20:42:57  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler              .exe
----a-w           598,016 2008-02-03 20:42:59  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler             .exe
----a-w           598,016 2008-02-03 20:43:02  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler            .exe
----a-w           598,016 2008-02-03 20:43:08  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler           .exe
----a-w           598,016 2008-02-03 20:43:09  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler          .exe
----a-w           598,016 2008-02-03 20:43:11  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler         .exe
----a-w           256,000 2008-02-03 20:50:15  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler        .exe
----a-w           598,016 2008-02-03 20:43:15  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler       .exe
----a-w           598,016 2008-02-03 20:43:17  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler      .exe
----a-w           598,016 2008-02-03 20:43:19  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler     .exe
----a-w           598,016 2008-02-03 20:43:24  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler    .exe
----a-w           598,016 2008-02-03 20:43:26  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler   .exe
----a-w           598,016 2008-02-03 20:43:28  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler  .exe
----a-w           598,016 2008-02-03 20:43:34  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler .exe
----a-w           225,280 2008-02-03 20:51:17  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3                                     .exe
----a-w           567,296 2008-02-03 20:43:35  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3                                    .exe
----a-w           567,296 2008-02-03 20:43:37  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3                                   .exe
----a-w           567,296 2008-02-03 20:43:38  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3                                  .exe
----a-w           567,296 2008-02-03 20:43:40  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3                                 .exe
----a-w           567,296 2008-02-03 20:43:42  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3                                .exe
----a-w           567,296 2008-02-03 20:43:44  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3                               .exe
----a-w           567,296 2008-02-03 20:43:45  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3                              .exe
----a-w           567,296 2008-02-03 20:43:46  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3                             .exe
----a-w           567,296 2008-02-03 20:43:48  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3                            .exe
----a-w           567,296 2008-02-03 20:43:52  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3                           .exe
----a-w           567,296 2008-02-03 20:43:53  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3                          .exe
----a-w           567,296 2008-02-03 20:43:56  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3                         .exe
----a-w           567,296 2008-02-03 20:44:01  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3                        .exe
----a-w           567,296 2008-02-03 20:44:03  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3                       .exe
----a-w           567,296 2008-02-03 20:44:06  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3                      .exe
----a-w           567,296 2008-02-03 20:44:09  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3                     .exe
----a-w           567,296 2008-02-03 20:44:10  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3                    .exe
----a-w           567,296 2008-02-03 20:44:12  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3                   .exe
----a-w           567,296 2008-02-03 20:44:13  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3                  .exe
----a-w           567,296 2008-02-03 20:44:18  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3                 .exe
----a-w           567,296 2008-02-03 20:44:21  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3                .exe
----a-w           567,296 2008-02-03 20:44:25  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3               .exe
----a-w           567,296 2008-02-03 20:44:28  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3              .exe
----a-w           567,296 2008-02-03 20:44:31  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3             .exe
----a-w           567,296 2008-02-03 20:44:34  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3            .exe
----a-w           567,296 2008-02-03 20:44:37  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3           .exe
----a-w           567,296 2008-02-03 20:44:38  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3          .exe
----a-w           567,296 2008-02-03 20:44:40  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3         .exe
----a-w           567,296 2008-02-03 20:44:41  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3        .exe
----a-w           567,296 2008-02-03 20:44:43  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3       .exe
----a-w           567,296 2008-02-03 20:44:44  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3      .exe
----a-w           567,296 2008-02-03 20:44:57  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3     .exe
----a-w           567,296 2008-02-03 20:45:00  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3    .exe
----a-w           567,296 2008-02-03 20:45:02  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3   .exe
----a-w           567,296 2008-02-03 20:45:04  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3  .exe
----a-w           567,296 2008-02-03 20:45:07  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
----a-w           313,472 2008-01-17 03:52:53  C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
----a-w           151,597 2008-02-03 19:17:42  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w            52,840 2008-02-03 19:17:49  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w           517,768 2008-02-03 20:38:46  C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc .exe
----a-w            69,632 2008-01-17 03:52:04  C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd .exe
----a-w            49,152 2008-01-17 03:52:06  C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05 .exe
----a-w           267,048 2008-02-03 19:18:19  C:\Program Files\iTunes\iTunesHelper .exe
----a-w            32,881 2008-02-03 19:17:39  C:\Program Files\Java\j2re1.4.2_04\bin\jusched .exe
----a-w           188,416 2008-02-03 19:17:32  C:\Program Files\Logitech\Video\ISStart .exe
----a-w            77,824 2008-02-03 19:17:35  C:\Program Files\Logitech\Video\LogiTray .exe
----a-w            40,960 2008-02-03 19:17:54  C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart .exe
----a-w            57,344 2008-02-03 19:18:34  C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
 
----a-w 752,128 2008-02-03 20:45:47 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-02-03 19:14:54 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-02-03 10:02:50 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-30 15:12:19 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-28 05:40:44 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-27 18:06:07 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-26 23:57:22 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-25 14:42:45 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-24 14:03:15 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-24 04:00:58 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-24 01:58:16 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-23 15:11:54 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-23 05:21:04 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-22 15:29:35 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-22 14:00:05 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-22 06:30:12 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-22 05:55:50 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-22 04:36:54 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-21 19:39:22 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-21 16:51:38 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-21 04:43:41 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-19 06:04:09 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-19 04:23:12 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-18 14:12:38 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-18 05:52:40 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-18 00:55:40 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-18 00:28:05 C:\Program Files\QuickTime\QTTask .exe
----a-w 40,960 2008-02-03 19:17:24 C:\Program Files\Support.com\Charter\bin\SSRunScript .exe
----a-w 4,670,968 2008-02-03 19:18:39 C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
----a-w 7,536 2008-02-03 20:40:17 C:\WINNT\loadqm .exe
----a-w 15,360 2008-01-22 15:16:34 C:\WINNT\system32\ctfmon .exe
----a-w 753,664 2008-02-03 19:18:08 C:\WINNT\system32\spool\drivers\w32x86\3\EKIJ5000MUI .exe
----a-w 176,128 2008-01-17 03:52:03 C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09 .exe
</pre>[/code]


-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{953C16EC-C13A-427B-B7AD-623CBE20FA44}]
2008-02-03 12:40 336384 --a------ C:\WINNT\system32\vtsqo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [ ]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [ ]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2006-02-28 04:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [2006-02-28 04:00 143360 C:\WINNT\system32\mobsync.exe]
"SSRunScript"="C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" [ ]
"LoadQM"="loadqm.exe" [2008-01-18 23:07 350720 C:\WINNT\loadqm.exe]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [ ]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [ ]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-02-03 02:02 1214976]
"EKIJ5000StatusMonitor"="C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" [2008-02-03 12:45 752128]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2005-06-14 09:05 6856704]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2006-02-28 04:00 214528]
"tscuninstall"="C:\WINNT\system32\tscupgrd.exe" [2006-02-28 04:00 44544]

C:\Documents and Settings\x\Start Menu\Programs\Startup\
PowerReg Scheduler .exe [2008-02-03 12:43:30 256000]
PowerReg Scheduler .exe [2008-02-03 12:10:44 598016]
PowerReg Scheduler .exe [2008-02-03 12:10:44 598016]
PowerReg Scheduler .exe [2008-02-03 12:10:44 598016]
PowerReg Scheduler .exe [2008-02-03 12:10:45 598016]
PowerReg Scheduler .exe [2008-02-03 12:10:46 598016]
PowerReg Scheduler .exe [2008-02-03 12:41:41 598016]
PowerReg Scheduler .exe [2008-02-03 12:42:48 256000]
PowerReg Scheduler .exe [2008-02-03 12:10:48 598016]
PowerReg Scheduler .exe [2008-02-03 12:10:48 598016]
PowerReg Scheduler .exe [2008-02-03 12:46:15 256000]
PowerReg Scheduler .exe [2008-02-03 13:07:51 256000]
PowerReg Scheduler .exe [2008-02-03 12:42:17 598016]
PowerReg Scheduler .exe [2008-02-03 12:42:22 598016]
PowerReg Scheduler .exe [2008-02-03 12:42:26 598016]
PowerReg Scheduler .exe [2008-02-03 12:42:29 598016]
PowerReg Scheduler .exe [2008-02-03 12:42:32 598016]
PowerReg Scheduler .exe [2008-02-03 12:42:35 598016]
PowerReg Scheduler .exe [2008-02-03 12:42:38 598016]
PowerReg Scheduler .exe [2008-02-03 12:42:40 598016]
PowerReg Scheduler .exe [2008-02-03 12:42:46 598016]
PowerReg Scheduler .exe [2008-02-03 12:42:48 598016]
PowerReg Scheduler .exe [2008-02-03 12:42:54 598016]
PowerReg Scheduler .exe [2008-02-03 12:42:57 598016]
PowerReg Scheduler .exe [2008-02-03 12:42:59 598016]
PowerReg Scheduler .exe [2008-02-03 12:43:02 598016]
PowerReg Scheduler .exe [2008-02-03 12:43:08 598016]
PowerReg Scheduler .exe [2008-02-03 12:43:09 598016]
PowerReg Scheduler .exe [2008-02-03 12:43:11 598016]
PowerReg Scheduler .exe [2008-02-03 12:55:01 256000]
PowerReg Scheduler .exe [2008-02-03 12:43:15 598016]
PowerReg Scheduler .exe [2008-02-03 12:43:17 598016]
PowerReg Scheduler .exe [2008-02-03 12:43:19 598016]
PowerReg Scheduler .exe [2008-02-03 12:43:24 598016]
PowerReg Scheduler .exe [2008-02-03 12:43:26 598016]
PowerReg Scheduler .exe [2008-02-03 12:58:36 256000]
PowerReg Scheduler .exe [2008-02-03 12:43:34 598016]
PowerReg Scheduler V3 .exe [2008-02-03 13:12:56 225280]
PowerReg Scheduler V3 .exe [2008-02-03 12:43:35 567296]
PowerReg Scheduler V3 .exe [2008-02-03 12:43:37 567296]
PowerReg Scheduler V3 .exe [2008-02-03 12:43:38 567296]
PowerReg Scheduler V3 .exe [2008-02-03 12:43:40 567296]
PowerReg Scheduler V3 .exe [2008-02-03 12:43:42 567296]
PowerReg Scheduler V3 .exe [2008-02-03 12:43:44 567296]
PowerReg Scheduler V3 .exe [2008-02-03 12:43:45 567296]
PowerReg Scheduler V3 .exe [2008-02-03 12:43:46 567296]
PowerReg Scheduler V3 .exe [2008-02-03 12:43:48 567296]
PowerReg Scheduler V3 .exe [2008-02-03 12:43:52 567296]
PowerReg Scheduler V3 .exe [2008-02-03 12:43:53 567296]
PowerReg Scheduler V3 .exe [2008-02-03 12:43:56 567296]
PowerReg Scheduler V3 .exe [2008-02-03 12:44:01 567296]
PowerReg Scheduler V3 .exe [2008-02-03 12:44:03 567296]
PowerReg Scheduler V3 .exe [2008-02-03 12:44:06 567296]
PowerReg Scheduler V3 .exe [2008-02-03 12:44:09 567296]
PowerReg Scheduler V3 .exe [2008-02-03 12:44:10 567296]
PowerReg Scheduler V3 .exe [2008-02-03 12:44:12 567296]
PowerReg Scheduler V3 .exe [2008-02-03 12:44:13 567296]
PowerReg Scheduler V3 .exe [2008-02-03 12:44:18 567296]
PowerReg Scheduler V3 .exe [2008-02-03 12:44:21 567296]
PowerReg Scheduler V3 .exe [2008-02-03 12:44:25 567296]
PowerReg Scheduler V3 .exe [2008-02-03 12:44:28 567296]
PowerReg Scheduler V3 .exe [2008-02-03 12:44:31 567296]
PowerReg Scheduler V3 .exe [2008-02-03 12:44:34 567296]
PowerReg Scheduler V3 .exe [2008-02-03 12:44:37 567296]
PowerReg Scheduler V3 .exe [2008-02-03 12:44:38 567296]
PowerReg Scheduler V3 .exe [2008-02-03 12:44:40 567296]
PowerReg Scheduler V3 .exe [2008-02-03 12:44:41 567296]
PowerReg Scheduler V3 .exe [2008-02-03 12:44:43 567296]
PowerReg Scheduler V3 .exe [2008-02-03 12:44:44 567296]
PowerReg Scheduler V3 .exe [2008-02-03 12:44:57 567296]
PowerReg Scheduler V3 .exe [2008-02-03 12:45:00 567296]
PowerReg Scheduler V3 .exe [2008-02-03 12:45:02 567296]
PowerReg Scheduler V3 .exe [2008-02-03 12:45:04 567296]
PowerReg Scheduler V3 .exe [2008-02-03 12:45:07 567296]
PowerReg Scheduler V3.exe [2008-02-03 12:45:08 567296]
PowerReg Scheduler.exe [2008-02-03 12:45:14 598016]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 00:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\alukard]
C:\WINNT\system32\setcnt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtrron]
awtrron.dll

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINNT\system32\vtsqo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=NVDESK32.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINNT\system32\vtsqo

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"OM_Monitor"=C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"CamMonitor"=C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
"ReflexiveArcade"=C:\WINNT\vmmreg32.exe
"nwiz"=nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
"nwiz"=nwiz.exe /install


.
Contents of the 'Scheduled Tasks' folder
"2008-01-27 07:47:00 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-09 05:57:03 C:\WINNT\Tasks\EasyShare Registration Task.job"
- C:\WINNT\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOffer@16
"2008-02-03 20:05:01 C:\WINNT\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe
"2007-12-15 07:40:31 C:\WINNT\Tasks\Norton AntiVirus - Run Full System Scan - x.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
"2006-08-10 05:49:11 C:\WINNT\Tasks\Norton AntiVirus - Run Norton QuickScan - x.job"
- C:\PROGRA~1\NORTON~1\NAVW32.EXEg/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-03 12:39:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINNT\system32\oqstv.ini 318 bytes
C:\WINNT\system32\oqstv.ini2 318 bytes
C:\WINNT\system32\vtsqo.exe 339968 bytes executable
C:\WINNT\system32\drivers\ndisaluo.sys 7040 bytes executable
C:\WINNT\system32\drivers\ntio922.sys 37632 bytes executable

scan completed successfully
hidden files: 5

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ndisaluo]
"ImagePath"="\??\C:\WINNT\system32\Drivers\ndisaluo.sys"
--

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ntio922]
"ImagePath"="system32\Drivers\ntio922.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\Explorer.EXE [6.00.2900.2180]
-> C:\WINNT\system32\vtsqo.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc .exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\rundll32.exe
 
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
.
**************************************************************************
.
Completion time: 2008-02-03 13:52:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-03 21:15:35
.
2008-02-03 11:01:34 --- E O F ---
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:48:16 PM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc .exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\QuickTime\QTTask .exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\connery.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINNT\system32\vtsqo.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {953C16EC-C13A-427B-B7AD-623CBE20FA44} - C:\WINNT\system32\vtsqo.dll
O2 - BHO: CNavExtBho Class - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb029YYUS_ZNxdm41447CA
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Mike Gustafson\Start Menu\Programs\>IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/supergerball/miniclipGameLoader.dll
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/rssoft.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{092DDBAC-E12C-404E-9FC7-1EA492CB4008}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD9E6973-BA53-4C84-9A03-2E0A39B1C79D}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{092DDBAC-E12C-404E-9FC7-1EA492CB4008}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{092DDBAC-E12C-404E-9FC7-1EA492CB4008}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: alukard - C:\WINNT\system32\setcnt.dll (file missing)
O20 - Winlogon Notify: awtrron - awtrron.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINNT\system32\bgsvcgen.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Microsoft I2I Service - Unknown owner - C:\WINNT\system32\_svchost.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINNT\system32\UAService7.exe
O24 - Desktop Component 0: (no name) - http://www.theappliance.com/airavata/Lila62631.jpg

--
End of file - 16200 bytes
 
Hi

You have the Vundo file infector, which might mean reinstalling certain startup programs later.

Open Notepad and copy/paste the text in the quote box below into it:

Code:
Rootkit::
C:\WINNT\system32\oqstv.ini 
C:\WINNT\system32\oqstv.ini2 
C:\WINNT\system32\vtsqo.exe 
C:\WINNT\system32\drivers\ndisaluo.sys 
C:\WINNT\system32\drivers\ntio922.sys 

RenV::
----a-w 256,000 2008-02-03 20:43:30 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler .exe
----a-w 598,016 2008-02-03 20:10:44 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler .exe
----a-w 598,016 2008-02-03 20:10:44 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler .exe
----a-w 598,016 2008-02-03 20:10:44 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler .exe
----a-w 598,016 2008-02-03 20:10:45 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler .exe
----a-w 598,016 2008-02-03 20:10:46 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler .exe
----a-w 598,016 2008-02-03 20:41:41 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler .exe
----a-w 256,000 2008-02-03 20:42:48 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler .exe
----a-w 598,016 2008-02-03 20:10:48 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler .exe
----a-w 598,016 2008-02-03 20:10:48 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler .exe
----a-w 256,000 2008-02-03 20:46:15 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler .exe
----a-w 256,000 2008-02-03 20:51:12 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler .exe
----a-w 598,016 2008-02-03 20:42:17 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler .exe
----a-w 598,016 2008-02-03 20:42:22 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler .exe
----a-w 598,016 2008-02-03 20:42:26 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler .exe
----a-w 598,016 2008-02-03 20:42:29 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler .exe
----a-w 598,016 2008-02-03 20:42:32 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler .exe
----a-w 598,016 2008-02-03 20:42:35 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler .exe
----a-w 598,016 2008-02-03 20:42:38 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler .exe
----a-w 598,016 2008-02-03 20:42:40 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler .exe
----a-w 598,016 2008-02-03 20:42:46 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler .exe
----a-w 598,016 2008-02-03 20:42:48 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler .exe
----a-w 598,016 2008-02-03 20:42:54 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler .exe
----a-w 598,016 2008-02-03 20:42:57 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler .exe
----a-w 598,016 2008-02-03 20:42:59 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler .exe
----a-w 598,016 2008-02-03 20:43:02 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler .exe
----a-w 598,016 2008-02-03 20:43:08 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler .exe
----a-w 598,016 2008-02-03 20:43:09 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler .exe
----a-w 598,016 2008-02-03 20:43:11 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler .exe
----a-w 256,000 2008-02-03 20:50:15 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler .exe
----a-w 598,016 2008-02-03 20:43:15 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler .exe
----a-w 598,016 2008-02-03 20:43:17 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler .exe
----a-w 598,016 2008-02-03 20:43:19 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler .exe
----a-w 598,016 2008-02-03 20:43:24 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler .exe
----a-w 598,016 2008-02-03 20:43:26 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler .exe
----a-w 598,016 2008-02-03 20:43:28 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler .exe
----a-w 598,016 2008-02-03 20:43:34 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler .exe
----a-w 225,280 2008-02-03 20:51:17 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
----a-w 567,296 2008-02-03 20:43:35 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
----a-w 567,296 2008-02-03 20:43:37 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
----a-w 567,296 2008-02-03 20:43:38 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
----a-w 567,296 2008-02-03 20:43:40 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
----a-w 567,296 2008-02-03 20:43:42 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
----a-w 567,296 2008-02-03 20:43:44 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
----a-w 567,296 2008-02-03 20:43:45 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
----a-w 567,296 2008-02-03 20:43:46 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
----a-w 567,296 2008-02-03 20:43:48 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
----a-w 567,296 2008-02-03 20:43:52 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
----a-w 567,296 2008-02-03 20:43:53 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
----a-w 567,296 2008-02-03 20:43:56 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
----a-w 567,296 2008-02-03 20:44:01 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
----a-w 567,296 2008-02-03 20:44:03 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
----a-w 567,296 2008-02-03 20:44:06 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
----a-w 567,296 2008-02-03 20:44:09 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
----a-w 567,296 2008-02-03 20:44:10 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
----a-w 567,296 2008-02-03 20:44:12 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
----a-w 567,296 2008-02-03 20:44:13 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
----a-w 567,296 2008-02-03 20:44:18 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
----a-w 567,296 2008-02-03 20:44:21 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
----a-w 567,296 2008-02-03 20:44:25 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
----a-w 567,296 2008-02-03 20:44:28 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
----a-w 567,296 2008-02-03 20:44:31 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
----a-w 567,296 2008-02-03 20:44:34 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
----a-w 567,296 2008-02-03 20:44:37 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
----a-w 567,296 2008-02-03 20:44:38 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
----a-w 567,296 2008-02-03 20:44:40 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
----a-w 567,296 2008-02-03 20:44:41 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
----a-w 567,296 2008-02-03 20:44:43 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
----a-w 567,296 2008-02-03 20:44:44 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
----a-w 567,296 2008-02-03 20:44:57 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
----a-w 567,296 2008-02-03 20:45:00 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
----a-w 567,296 2008-02-03 20:45:02 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
----a-w 567,296 2008-02-03 20:45:04 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
----a-w 567,296 2008-02-03 20:45:07 C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
----a-w 313,472 2008-01-17 03:52:53 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
----a-w 151,597 2008-02-03 19:17:42 C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w 52,840 2008-02-03 19:17:49 C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w 517,768 2008-02-03 20:38:46 C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc .exe
----a-w 69,632 2008-01-17 03:52:04 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd .exe
----a-w 49,152 2008-01-17 03:52:06 C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05 .exe
----a-w 267,048 2008-02-03 19:18:19 C:\Program Files\iTunes\iTunesHelper .exe
----a-w 32,881 2008-02-03 19:17:39 C:\Program Files\Java\j2re1.4.2_04\bin\jusched .exe
----a-w 188,416 2008-02-03 19:17:32 C:\Program Files\Logitech\Video\ISStart .exe
----a-w 77,824 2008-02-03 19:17:35 C:\Program Files\Logitech\Video\LogiTray .exe
----a-w 40,960 2008-02-03 19:17:54 C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart .exe
----a-w 57,344 2008-02-03 19:18:34 C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
----a-w 752,128 2008-02-03 20:45:47 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-02-03 19:14:54 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-02-03 10:02:50 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-30 15:12:19 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-28 05:40:44 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-27 18:06:07 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-26 23:57:22 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-25 14:42:45 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-24 14:03:15 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-24 04:00:58 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-24 01:58:16 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-23 15:11:54 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-23 05:21:04 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-22 15:29:35 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-22 14:00:05 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-22 06:30:12 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-22 05:55:50 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-22 04:36:54 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-21 19:39:22 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-21 16:51:38 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-21 04:43:41 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-19 06:04:09 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-19 04:23:12 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-18 14:12:38 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-18 05:52:40 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-18 00:55:40 C:\Program Files\QuickTime\QTTask .exe
----a-w 752,128 2008-01-18 00:28:05 C:\Program Files\QuickTime\QTTask .exe
----a-w 40,960 2008-02-03 19:17:24 C:\Program Files\Support.com\Charter\bin\SSRunScript .exe
----a-w 4,670,968 2008-02-03 19:18:39 C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
----a-w 7,536 2008-02-03 20:40:17 C:\WINNT\loadqm .exe
----a-w 15,360 2008-01-22 15:16:34 C:\WINNT\system32\ctfmon .exe
----a-w 753,664 2008-02-03 19:18:08 C:\WINNT\system32\spool\drivers\w32x86\3\EKIJ5000MUI .exe
----a-w 176,128 2008-01-17 03:52:03 C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09 .exe

File::
C:\Documents and Settings\x\ie_updates3r.exe
C:\wincsrv.exe
C:\WINNT\system32\accdd.bak1
C:\WINNT\system32\accdd.bak2
C:\WINNT\system32\dfhkj.bak1
C:\WINNT\system32\vtsqo.dll
C:\WINNT\system32\vtsqo.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{953C16EC-C13A-427B-B7AD-623CBE20FA44}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\alukard]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtrron]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After the reboot (if it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes named findstr, find, sed or swreg; ComboFix should then continue.
If that happens we want to know, and also which process you had to end.
 
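The helper's script above keys on three things that are visible in the posted HijackThis log: startup executables whose names carry a space before the `.exe` (the renamed copies listed under RenV::), the two Winlogon Notify entries whose DLLs are missing, and a service with an unknown owner and a missing binary. The Python below is added here as an illustration; it is not part of the thread and not code from HijackThis or ComboFix. It reads HijackThis-style lines and flags those same patterns. The sample lines are constructed to resemble the posted log, and the three heuristics (`renamed_exe`, `winlogon_notify_missing`, `unknown_service_missing`) are my own triage categories, not a classification HijackThis performs.

```python
import re

# Constructed sample lines modelled on the HijackThis log posted above;
# they are illustrative input, not a verbatim copy of that log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O20 - Winlogon Notify: alukard - C:\WINNT\system32\setcnt.dll (file missing)
O20 - Winlogon Notify: awtrron - awtrron.dll (file missing)
O23 - Service: Microsoft I2I Service - Unknown owner - C:\WINNT\system32\_svchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
"""

# A space immediately before ".exe": the companion-file naming the file
# infector leaves behind ("PowerReg Scheduler .exe" beside "PowerReg Scheduler.exe").
SPACE_BEFORE_EXE = re.compile(r"\S \.exe\b", re.IGNORECASE)


def triage(log_text: str) -> dict:
    """Group suspicious HijackThis lines by the indicator that flagged them.

    The three buckets are assumptions made for this example, not HijackThis
    categories:
      renamed_exe             - any line whose executable name contains ' .exe'
      winlogon_notify_missing - O20 Winlogon Notify entries whose DLL is missing
      unknown_service_missing - O23 services with unknown owner and missing binary
    """
    findings = {
        "renamed_exe": [],
        "winlogon_notify_missing": [],
        "unknown_service_missing": [],
    }
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SPACE_BEFORE_EXE.search(line):
            findings["renamed_exe"].append(line)
        if line.startswith("O20 - Winlogon Notify:") and "(file missing)" in line:
            findings["winlogon_notify_missing"].append(line)
        if (line.startswith("O23 - Service:")
                and "Unknown owner" in line
                and "(file missing)" in line):
            findings["unknown_service_missing"].append(line)
    return findings


def companion_pairs(findings: dict) -> list:
    """For each ' .exe' hit, return (renamed copy, legitimate name it shadows)."""
    pairs = []
    for line in findings["renamed_exe"]:
        m = SPACE_BEFORE_EXE.search(line)
        head = line[: m.end() - 5]          # everything before the " .exe"
        # The base name is whatever follows the last path separator, colon or ']'.
        base = re.split(r"[\\:\]]\s*", head)[-1].strip()
        pairs.append((base + " .exe", base + ".exe"))
    return pairs


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for bucket, lines in result.items():
        print(f"{bucket}: {len(lines)} line(s)")
        for entry in lines:
            print("   ", entry)
    for renamed, original in companion_pairs(result):
        print(f"check pair: '{renamed}'  <->  '{original}'")
```

The space-before-extension check is the one worth keeping in a triage toolbox: a legitimate installer almost never produces a file named `Something .exe`, so a hit is a strong signal that the neighbouring `Something.exe` has been tampered with, which is exactly why the helper renames those copies rather than simply deleting them.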
ComboFix 08-02.03.1 - x 2008-02-04 20:17:38.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.50 [GMT -8:00]
Running from: C:\Documents and Settings\x\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\x\Desktop\CFScript

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Documents and Settings\x\ie_updates3r.exe
C:\wincsrv.exe
C:\WINNT\system32\accdd.bak1
C:\WINNT\system32\accdd.bak2
C:\WINNT\system32\dfhkj.bak1
C:\WINNT\system32\vtsqo.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\x\ie_updates3r.exe
C:\wincsrv.exe
C:\WINNT\system32\accdd.bak1
C:\WINNT\system32\accdd.bak2
C:\WINNT\system32\ctfmon.exe.tmp
C:\WINNT\system32\dfhkj.bak1
C:\WINNT\system32\drivers\ndisaluo.sys
C:\WINNT\system32\drivers\ntio922.sys
C:\WINNT\system32\oqstv.ini
C:\WINNT\system32\oqstv.ini2
C:\WINNT\system32\vtsqo.dll
C:\WINNT\system32\vtsqo.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-05 to 2008-02-05 )))))))))))))))))))))))))))))))
.

2008-02-02 20:02 . 2008-02-03 02:25 <DIR> d-------- C:\fixwareout
2008-01-26 17:42 . 2008-01-26 17:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-23 20:03 . 2008-02-04 20:28 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-01-23 20:03 . 2008-01-23 20:03 1,409 --a------ C:\WINNT\QTFont.for
2008-01-20 20:43 . 2008-02-04 07:19 7,536 --a------ C:\WINNT\loadqm.exe
2008-01-20 20:39 . 2008-01-20 20:39 13,646 --a------ C:\WINNT\system32\wpa.bak
2008-01-20 19:40 . 2008-02-04 20:27 13,646 --a------ C:\WINNT\system32\wpa.dbl
2008-01-20 17:54 . 2008-02-04 07:19 15,360 --a--c--- C:\WINNT\system32\dllcache\ctfmon.exe
2008-01-20 17:54 . 2008-02-04 07:19 15,360 --a------ C:\WINNT\system32\ctfmon.exe
2008-01-17 22:09 . 2008-01-18 22:43 377,856 --a------ C:\wsusupd .exe
2008-01-17 16:52 . 2008-01-17 16:52 126 --a------ C:\tempdel.bat
2008-01-17 16:50 . 2008-01-17 16:50 62,976 --a------ C:\nethlpr.exe
2008-01-14 18:12 . 2008-01-14 18:12 <DIR> d-------- C:\Program Files\RcvSystem
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINNT\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINNT\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-05 04:17 --------- d-----w C:\Program Files\iTunes
2008-02-05 04:17 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-03 22:53 --------- d-----w C:\Program Files\QuickTime
2008-01-17 10:34 --------- d-----w C:\Program Files\iPod
2007-12-19 06:31 --------- d-----w C:\Documents and Settings\x\Application Data\AdobeUM
2007-12-09 07:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\kds_kodak
2007-12-09 07:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Eastman Kodak Company
2007-12-09 06:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2007-12-09 06:15 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SDSD
2007-12-09 06:10 --------- d-----w C:\Program Files\Kodak
2007-12-09 06:09 --------- d-----w C:\Program Files\Common Files\Kodak
2007-12-09 05:10 --------- d-----w C:\Program Files\Hewlett-Packard
2002-11-06 23:45 57,344 ----a-w C:\WINNT\Fonts\omnithread_rt.dll
2002-11-06 23:45 32,768 ----a-w C:\WINNT\Fonts\VNCHooks.dll
2002-06-09 23:40 271 --sh--w C:\Program Files\desktop.ini
2002-06-09 23:40 21,952 ---ha-w C:\Program Files\folder.htt
.
Code:
<pre>
----a-w           377,856 2008-01-19 06:43:17  C:\wsusupd .exe
----a-w           598,016 2008-02-05 04:28:42  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler .exe
----a-w           567,296 2008-02-05 04:28:54  C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4C4AA878-8FE7-4C13-ABBA-FA72EC36ECE9}]
2008-02-04 20:28 336384 --a------ C:\WINNT\system32\vtsqo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [ ]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2008-02-04 20:29 421376]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2008-02-04 07:19 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [2006-02-28 04:00 143360 C:\WINNT\system32\mobsync.exe]
"SSRunScript"="C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" [2008-02-04 20:29 380928]
"LoadQM"="loadqm.exe" [2008-02-04 07:19 7536 C:\WINNT\loadqm.exe]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2008-02-04 20:29 553472]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2008-02-04 20:29 419328]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe" [2008-02-04 20:29 372736]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-04 20:29 492544]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-04 20:29 398848]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2008-02-04 20:29 381952]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-02-04 20:29 1214976]
"EKIJ5000StatusMonitor"="C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-02-04 20:30 1250304]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 20:30 698368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2005-06-14 09:05 6856704]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2006-02-28 04:00 214528]
"tscuninstall"="C:\WINNT\system32\tscupgrd.exe" [2006-02-28 04:00 44544]

C:\Documents and Settings\x\Start Menu\Programs\Startup\
PowerReg Scheduler .exe [2008-02-04 20:28:42 598016]
PowerReg Scheduler V3 .exe [2008-02-04 20:28:54 567296]
PowerReg Scheduler V3.exe [2008-02-04 20:29:01 567296]
PowerReg Scheduler.exe [2008-02-04 20:29:13 598016]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 00:15:54 65588]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINNT\system32\vtsqo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=NVDESK32.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINNT\system32\vtsqo

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"OM_Monitor"=C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"CamMonitor"=C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
"ReflexiveArcade"=C:\WINNT\vmmreg32.exe
"nwiz"=nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
"nwiz"=nwiz.exe /install

R1 cdudf;cdudf;C:\WINNT\system32\drivers\cdudf.sys [2001-09-04 14:38]
R2 KodakSvc;Kodak AiO Device Service;"C:\Program Files\Kodak\printer\center\KodakSvc.exe" [2007-03-22 18:04]
R3 tbcspud;Santa Cruz Driver;C:\WINNT\system32\drivers\tbcspud.sys [2001-08-29 12:19]
R3 tbcwdm;Santa Cruz WDM Driver;C:\WINNT\system32\drivers\tbcwdm.sys [2001-08-29 12:19]
S0 ntio922;ntio922;C:\WINNT\system32\Drivers\ntio922.sys []
S1 ndisaluo;ndisaluo;C:\WINNT\system32\Drivers\ndisaluo.sys []
S2 Microsoft I2I Service;Microsoft I2I Service;C:\WINNT\system32\_svchost.exe []
S3 iMSPCLOj;iMSPCLOj;C:\DOCUME~1\MIKEGU~1\LOCALS~1\Temp\iMSPCLOj.sys []
S3 jefs;jefs;C:\DOCUME~1\MIKEGU~1\LOCALS~1\Temp\jefs.sys []
S3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [2003-06-19 11:05]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-27 07:47:00 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-09 05:57:03 C:\WINNT\Tasks\EasyShare Registration Task.job"
- C:\WINNT\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOffer@16
"2008-02-05 04:05:00 C:\WINNT\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe
"2007-12-15 07:40:31 C:\WINNT\Tasks\Norton AntiVirus - Run Full System Scan - x.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
"2006-08-10 05:49:11 C:\WINNT\Tasks\Norton AntiVirus - Run Norton QuickScan - x.job"
- C:\PROGRA~1\NORTON~1\NAVW32.EXEg/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-04 20:27:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINNT\system32\oqstv.ini2 318 bytes
C:\WINNT\system32\vtsqo.exe 339968 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\LVComS.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-02-04 20:38:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-05 04:38:18
ComboFix2.txt 2008-02-03 21:52:40
.
2008-02-04 06:25:04 --- E O F ---
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:03:53 PM, on 2/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\UAService7.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\LVComS.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\NSCSRVCE.EXE
C:\PROGRA~1\Logitech\Video\FxSvr2.exe
C:\Program Files\Trend Micro\HijackThis\connery.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINNT\system32\vtsqo.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4C4AA878-8FE7-4C13-ABBA-FA72EC36ECE9} - C:\WINNT\system32\vtsqo.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: CNavExtBho Class - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb029YYUS_ZNxdm41447CA
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\x\Start Menu\Programs\>IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/supergerball/miniclipGameLoader.dll
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/rssoft.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{092DDBAC-E12C-404E-9FC7-1EA492CB4008}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD9E6973-BA53-4C84-9A03-2E0A39B1C79D}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{092DDBAC-E12C-404E-9FC7-1EA492CB4008}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{092DDBAC-E12C-404E-9FC7-1EA492CB4008}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINNT\system32\bgsvcgen.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Microsoft I2I Service - Unknown owner - C:\WINNT\system32\_svchost.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINNT\system32\UAService7.exe
O24 - Desktop Component 0: (no name) - http://www.theappliance.com/airavata/Lila62631.jpg

--
End of file - 12126 bytes
 
Hi

Open HijackThis, click 'Do a system scan only' and checkmark these (and also all other entries with PowerReg Scheduler or PowerReg Scheduler V3):

O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler V3 .exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...S_ZNxdm41447CA
O17 - HKLM\System\CCS\Services\Tcpip\..\{092DDBAC-E12C-404E-9FC7-1EA492CB4008}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD9E6973-BA53-4C84-9A03-2E0A39B1C79D}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{092DDBAC-E12C-404E-9FC7-1EA492CB4008}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{092DDBAC-E12C-404E-9FC7-1EA492CB4008}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Microsoft I2I Service - Unknown owner - C:\WINNT\system32\_svchost.exe (file missing)


Close all windows, including your browser, and press 'Fix checked'.

Reboot.

Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
C:\wsusupd .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\WINNT\system32\vtsqo.dll
C:\WINNT\system32\vtsqo.exe

Driver::
ntio922
ndisaluo
iMSPCLOj 
jefs

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4C4AA878-8FE7-4C13-ABBA-FA72EC36ECE9}]

[-HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.gif]


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; ComboFix should then continue.
If that happened we want to know, and also what process you had to end.
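
The CFScript above targets more than the visible BHO: the `Registry::` block resets LSA `Authentication Packages` to the XP default (the hex `6d,73,76,31,5f,30,00,00` is simply `msv1_0` as a REG_MULTI_SZ), because anything else listed there is loaded into LSASS at boot and survives a reboot even after the BHO and the win.ini `load=` line are gone. As an added example (not the helper's code, not part of ComboFix or HijackThis), here is a Python scan over HijackThis/ComboFix-style log lines that flags the persistence points this cleanup is aimed at: the nameless BHO in system32, `win.ini load=`, extra LSA authentication packages, non-default `SecurityProviders`, a populated `AppInit_DLLs`, orphaned 'Unknown owner' services, the O17 NameServer overrides, and file names with a space before the extension as seen in the logs. The sample lines are constructed to mirror this thread's logs rather than copied from a live machine, and the XP SP2 default lists are my assumption.

```python
"""Scan HijackThis / ComboFix log lines for the persistence points a Vundo
(Virtumonde) infection uses and that this thread's cleanup targets.
Heuristic only: every hit is a review item, not a verdict."""
import re

# Defaults on Windows XP SP2 (assumption: a site may legitimately add to these).
LSA_AUTH_DEFAULT = {"msv1_0"}
SECURITY_PROVIDERS_DEFAULT = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}
# A space before the extension ("QTTask .exe") is the look-alike naming seen in the logs.
SPACE_BEFORE_EXT = re.compile(r"([^\s\\]+ \.(?:exe|dll))\b", re.IGNORECASE)

# Constructed sample modelled on the thread's logs, not copied from a live machine.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINNT\system32\vtsqo.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4C4AA878-8FE7-4C13-ABBA-FA72EC36ECE9} - C:\WINNT\system32\vtsqo.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Microsoft I2I Service - Unknown owner - C:\WINNT\system32\_svchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINNT\system32\vtsqo
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
"AppInit_DLLs"=NVDESK32.DLL
"""


def scan_log(lines):
    """Return (category, detail, line) triples for every suspicious line."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        lower = line.lower()
        if line.startswith("F3 - REG:win.ini: load="):
            # win.ini 'load=' is a legacy autostart that is empty on a clean XP box.
            findings.append(("win_ini_load", line.split("load=", 1)[1].strip(), line))
        elif line.startswith("O2 - BHO: (no name)") and "\\system32\\" in lower:
            # A nameless BHO whose DLL lives in system32 is the classic Vundo footprint;
            # Spybot's SDHelper.dll is also nameless but lives under Program Files.
            findings.append(("unnamed_bho", line.rsplit(" - ", 1)[1].strip(), line))
        elif line.startswith("O17 ") and "NameServer" in line:
            # DNS override: confirm it is the resolver the user actually chose.
            findings.append(("dns_override", line.split("NameServer =", 1)[1].strip(), line))
        elif line.startswith("O23 - Service:") and "Unknown owner" in line and "(file missing)" in line:
            path = line.rsplit(" - ", 1)[1].replace("(file missing)", "").strip()
            findings.append(("orphan_service", path, line))
        elif line.startswith("Authentication Packages"):
            # LSASS loads every package listed here at boot; only msv1_0 is expected.
            pkgs = set(line.split("REG_MULTI_SZ", 1)[1].split())
            for extra in sorted(pkgs - LSA_AUTH_DEFAULT):
                findings.append(("lsa_auth_extra", extra, line))
        elif line.startswith("SecurityProviders"):
            provs = {p.strip() for p in line[len("SecurityProviders"):].split(",") if p.strip()}
            for extra in sorted(provs - SECURITY_PROVIDERS_DEFAULT):
                findings.append(("security_provider_extra", extra, line))
        elif line.startswith('"AppInit_DLLs"='):
            # Loaded into every user32 process; NVIDIA's NVDESK32.DLL is a legitimate user,
            # so this is a review item rather than a detection.
            value = line.split("=", 1)[1].strip()
            if value:
                findings.append(("appinit_dlls", value, line))
        m = SPACE_BEFORE_EXT.search(line)
        if m:
            findings.append(("space_before_ext", m.group(1), line))
    return findings


if __name__ == "__main__":
    for category, detail, _ in scan_log(SAMPLE_LOG.strip().splitlines()):
        print(f"{category:24} {detail}")
```

Run it against a saved HijackThis or ComboFix log with `scan_log(open(path).read().splitlines())`; the categories map directly onto the sections of a CFScript (`File::` for the flagged paths, `Registry::` for the LSA and SecurityProviders values), but the decision to delete stays with whoever reads the log.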
 
ComboFix 08-02.03.1 - 2008-02-05 7:46:40.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.45 [GMT -8:00]
Running from: C:\Documents and Settings\\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\\Desktop\CFScript
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler .exe
C:\Documents and Settings\x\Start Menu\Programs\Startup\PowerReg Scheduler V3 .exe
C:\WINNT\system32\vtsqo.dll
C:\WINNT\system32\vtsqo.exe
C:\wsusupd .exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\system32\vtsqo.dll
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Logitech\Video\ISStart.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
C:\Program Files\Support.com\Charter\bin\SSRunScript.exe
C:\WINNT\system32\ctfmon.exe.tmp
C:\WINNT\system32\oqstv.ini
C:\WINNT\system32\oqstv.ini2
C:\WINNT\system32\RCX25.tmp
C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\WINNT\system32\vtsqo.dll
C:\WINNT\system32\vtsqo.exe
C:\wsusupd .exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NDISALUO
-------\LEGACY_NTIO922
-------\iMSPCLOj
-------\jefs
-------\ndisaluo
-------\ntio922


((((((((((((((((((((((((( Files Created from 2008-01-05 to 2008-02-05 )))))))))))))))))))))))))))))))
.

2008-02-05 07:36 . 2008-02-05 07:36 15,360 --a------ C:\WINNT\system32\ctfmon .exe
2008-02-02 20:02 . 2008-02-03 02:25 <DIR> d-------- C:\fixwareout
2008-01-26 17:42 . 2008-01-26 17:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-23 20:03 . 2008-02-05 07:36 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-01-23 20:03 . 2008-01-23 20:03 1,409 --a------ C:\WINNT\QTFont.for
2008-01-20 20:43 . 2008-02-04 07:19 7,536 --a------ C:\WINNT\loadqm.exe
2008-01-20 20:39 . 2008-01-20 20:39 13,646 --a------ C:\WINNT\system32\wpa.bak
2008-01-20 19:40 . 2008-02-05 09:14 13,646 --a------ C:\WINNT\system32\wpa.dbl
2008-01-20 17:54 . 2008-02-04 07:19 15,360 --a--c--- C:\WINNT\system32\dllcache\ctfmon.exe
2008-01-20 17:54 . 2008-02-04 07:19 15,360 --a------ C:\WINNT\system32\ctfmon.exe
2008-01-17 16:52 . 2008-01-17 16:52 126 --a------ C:\tempdel.bat
2008-01-17 16:50 . 2008-01-17 16:50 62,976 --a------ C:\nethlpr.exe
2008-01-14 18:12 . 2008-01-14 18:12 <DIR> d-------- C:\Program Files\RcvSystem
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINNT\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINNT\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-05 15:54 --------- d-----w C:\Program Files\iTunes
2008-02-05 15:54 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-03 22:53 --------- d-----w C:\Program Files\QuickTime
2008-01-17 10:34 --------- d-----w C:\Program Files\iPod
2007-12-19 06:31 --------- d-----w C:\Documents and Settings\\Application Data\AdobeUM
2007-12-09 07:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\kds_kodak
2007-12-09 07:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Eastman Kodak Company
2007-12-09 06:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2007-12-09 06:15 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SDSD
2007-12-09 06:10 --------- d-----w C:\Program Files\Kodak
2007-12-09 06:09 --------- d-----w C:\Program Files\Common Files\Kodak
2007-12-09 05:10 --------- d-----w C:\Program Files\Hewlett-Packard
2002-11-06 23:45 57,344 ----a-w C:\WINNT\Fonts\omnithread_rt.dll
2002-11-06 23:45 32,768 ----a-w C:\WINNT\Fonts\VNCHooks.dll
2002-06-09 23:40 271 --sh--w C:\Program Files\desktop.ini
2002-06-09 23:40 21,952 ---ha-w C:\Program Files\folder.htt
.
----a-w           151,597 2008-02-05 15:35:59  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w            52,840 2008-02-05 15:35:58  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w           517,768 2008-02-05 17:14:24  C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc .exe
----a-w           267,048 2008-02-05 15:36:13  C:\Program Files\iTunes\iTunesHelper .exe
----a-w            32,881 2008-02-05 15:35:59  C:\Program Files\Java\j2re1.4.2_04\bin\jusched .exe
----a-w           188,416 2008-02-05 15:35:59  C:\Program Files\Logitech\Video\ISStart .exe
----a-w            77,824 2008-02-05 15:35:58  C:\Program Files\Logitech\Video\LogiTray .exe
----a-w            40,960 2008-02-05 15:36:00  C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart .exe
----a-w            57,344 2008-02-05 15:36:11  C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
----a-w            40,960 2008-02-05 15:35:55  C:\Program Files\Support.com\Charter\bin\SSRunScript .exe
----a-w           598,016 2008-02-05 15:30:43  C:\Program Files\Trend Micro\HijackThis\backups\backup-20080205-073235-200-PowerReg Scheduler .exe
----a-w           567,296 2008-02-05 15:30:46  C:\Program Files\Trend Micro\HijackThis\backups\backup-20080205-073235-352-PowerReg Scheduler V3 .exe
----a-w            15,360 2008-02-05 15:36:10  C:\WINNT\system32\ctfmon .exe
----a-w           753,664 2008-02-05 15:36:20  C:\WINNT\system32\spool\drivers\w32x86\3\EKIJ5000MUI .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E42D96AE-F140-4291-A830-50FFAD3F9151}]
2008-02-05 09:15 336384 --a------ C:\WINNT\system32\vtsqo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [ ]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [ ]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2008-02-04 07:19 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [2006-02-28 04:00 143360 C:\WINNT\system32\mobsync.exe]
"SSRunScript"="C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" [ ]
"LoadQM"="loadqm.exe" [2008-02-04 07:19 7536 C:\WINNT\loadqm.exe]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [ ]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [ ]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-02-05 07:35 1214976]
"EKIJ5000StatusMonitor"="C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2005-06-14 09:05 6856704]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2006-02-28 04:00 214528]
"tscuninstall"="C:\WINNT\system32\tscupgrd.exe" [2006-02-28 04:00 44544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 00:15:54 65588]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINNT\system32\vtsqo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=NVDESK32.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINNT\system32\vtsqo

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"OM_Monitor"=C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"CamMonitor"=C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
"ReflexiveArcade"=C:\WINNT\vmmreg32.exe
"nwiz"=nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
"nwiz"=nwiz.exe /install

R1 cdudf;cdudf;C:\WINNT\system32\drivers\cdudf.sys [2001-09-04 14:38]
R2 KodakSvc;Kodak AiO Device Service;"C:\Program Files\Kodak\printer\center\KodakSvc.exe" [2007-03-22 18:04]
R3 tbcspud;Santa Cruz Driver;C:\WINNT\system32\drivers\tbcspud.sys [2001-08-29 12:19]
R3 tbcwdm;Santa Cruz WDM Driver;C:\WINNT\system32\drivers\tbcwdm.sys [2001-08-29 12:19]
S3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [2003-06-19 11:05]
S4 Microsoft I2I Service;Microsoft I2I Service;C:\WINNT\system32\_svchost.exe []

.
Contents of the 'Scheduled Tasks' folder
"2008-01-27 07:47:00 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-09 05:57:03 C:\WINNT\Tasks\EasyShare Registration Task.job"
- C:\WINNT\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOffer@16
"2008-02-05 16:05:00 C:\WINNT\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe
"2007-12-15 07:40:31 C:\WINNT\Tasks\Norton AntiVirus - Run Full System Scan - .job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
"2006-08-10 05:49:11 C:\WINNT\Tasks\Norton AntiVirus - Run Norton QuickScan - .job"
- C:\PROGRA~1\NORTON~1\NAVW32.EXEg/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-05 09:14:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINNT\system32\oqstv.ini 318 bytes
C:\WINNT\system32\oqstv.ini2 318 bytes
C:\WINNT\system32\vtsqo.exe 339968 bytes executable

scan completed successfully
hidden files: 3

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\Explorer.EXE [6.00.2900.2180]
-> C:\WINNT\system32\vtsqo.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc .exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-02-05 9:23:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-05 17:23:25
ComboFix2.txt 2008-02-05 04:38:31
ComboFix3.txt 2008-02-03 21:52:40
.
2008-02-05 14:55:12 --- E O F ---
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:03:54 PM, on 2/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc .exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\connery.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINNT\system32\vtsqo.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: CNavExtBho Class - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {E42D96AE-F140-4291-A830-50FFAD3F9151} - C:\WINNT\system32\vtsqo.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\x\Start Menu\Programs\>IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/supergerball/miniclipGameLoader.dll
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/rssoft.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINNT\system32\bgsvcgen.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINNT\system32\UAService7.exe
O24 - Desktop Component 0: (no name) - http://www.theappliance.com/airavata/Lila62631.jpg

--
End of file - 10591 bytes
 
Hi

Open notepad and copy/paste the text in the quotebox below into it:

Code:
RenV::
----a-w           151,597 2008-02-05 15:35:59  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w            52,840 2008-02-05 15:35:58  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w           517,768 2008-02-05 17:14:24  C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc .exe
----a-w           267,048 2008-02-05 15:36:13  C:\Program Files\iTunes\iTunesHelper .exe
----a-w            32,881 2008-02-05 15:35:59  C:\Program Files\Java\j2re1.4.2_04\bin\jusched .exe
----a-w           188,416 2008-02-05 15:35:59  C:\Program Files\Logitech\Video\ISStart .exe
----a-w            77,824 2008-02-05 15:35:58  C:\Program Files\Logitech\Video\LogiTray .exe
----a-w            40,960 2008-02-05 15:36:00  C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart .exe
----a-w            57,344 2008-02-05 15:36:11  C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
----a-w            40,960 2008-02-05 15:35:55  C:\Program Files\Support.com\Charter\bin\SSRunScript .exe
----a-w            15,360 2008-02-05 15:36:10  C:\WINNT\system32\ctfmon .exe
----a-w           753,664 2008-02-05 15:36:20  C:\WINNT\system32\spool\drivers\w32x86\3\EKIJ5000MUI .exe

File::
C:\WINNT\system32\vtsqo.dll
C:\WINNT\system32\vtsqo.exe

Driver::
Microsoft I2I Service

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E42D96AE-F140-4291-A830-50FFAD3F9151}]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; ComboFix should then continue.
If that happened we want to know, and also what process you had to end.
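The CFScript above targets three things visible in the HijackThis log: executables the infection renamed so that a space precedes the extension (the RenV:: list, e.g. "QTTask .exe"), the win.ini load= entry pointing at vtsqo.exe, and the unnamed BHO loading vtsqo.dll from system32. As an added example, not part of this post or of the HijackThis or ComboFix tools, the following Python script scans HijackThis log text for exactly those three patterns so a defender can triage a log before deciding what to put in a script. The sample log lines are constructed from entries in this thread; the function name scan_hijackthis and the rule wording are assumptions of this example.

```python
"""Triage HijackThis log lines for the three Virtumonde-style traits seen in this thread.

Added example (not HijackThis or ComboFix code). Rules:
  1. a path with whitespace right before .exe/.dll (renamed executable; cf. ComboFix's RenV list)
  2. an F3 win.ini "load=" entry, which no normal XP install needs
  3. an O2 BHO with "(no name)" whose DLL lives under \\system32\\
"""
import re

# Matches a Windows path ending in .exe or .dll; [^"\r\n]*? lets it cross
# spaces inside the path, so "QTTask .exe" is captured as one path.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll)\b', re.IGNORECASE)
SPACE_BEFORE_EXT_RE = re.compile(r'\s\.(?:exe|dll)$', re.IGNORECASE)

# Constructed sample: six lines modelled on the log posted above (not the full log).
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINNT\system32\vtsqo.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {E42D96AE-F140-4291-A830-50FFAD3F9151} - C:\WINNT\system32\vtsqo.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
"""


def scan_hijackthis(text):
    """Return a list of (log_line, reason) pairs for every rule a line trips.

    A line that trips several rules yields several pairs, in rule order.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        paths = PATH_RE.findall(line)
        reasons = []

        # Rule 1: whitespace before the extension (renamed executable)
        if any(SPACE_BEFORE_EXT_RE.search(p) for p in paths):
            reasons.append("space before extension: renamed executable")

        # Rule 2: anything loaded through the legacy win.ini load= key
        if line.startswith("F3 -") and "load=" in line.lower():
            reasons.append("win.ini load= entry")

        # Rule 3: unnamed BHO served from system32
        if (line.startswith("O2 -") and "(no name)" in line
                and any("\\system32\\" in p.lower() for p in paths)):
            reasons.append("unnamed BHO loaded from system32")

        findings.extend((line, why) for why in reasons)
    return findings


if __name__ == "__main__":
    for line, why in scan_hijackthis(SAMPLE_LOG):
        print(f"{why:45s} | {line}")
```

Run it on a saved HijackThis log by reading the file into scan_hijackthis; the three flagged sample lines correspond to the F3, O2 and QuickTime O4 entries the CFScript above addresses, while the legitimate Adobe, ccApp and ctfmon entries pass. The rules are deliberately narrow: they describe this thread's infection, not malware in general, and a hit is a prompt to look closer, not proof by itself.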
 
ComboFix 08-02.03.1 - x 2008-02-06 7:11:23.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.62 [GMT -8:00]
Running from: C:\Documents and Settings\x\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\x\Desktop\CFScript
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINNT\system32\vtsqo.dll
C:\WINNT\system32\vtsqo.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\system32\oqstv.ini
C:\WINNT\system32\oqstv.ini2
C:\WINNT\system32\vtsqo.dll
C:\WINNT\system32\vtsqo.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_MICROSOFT_I2I_SERVICE
-------\Microsoft I2I Service


((((((((((((((((((((((((( Files Created from 2008-01-06 to 2008-02-06 )))))))))))))))))))))))))))))))
.

2008-02-05 07:36 . 2008-02-05 07:36 15,360 --a--c--- C:\WINNT\system32\dllcache\ctfmon.exe
2008-02-05 07:36 . 2008-02-05 07:36 15,360 --a------ C:\WINNT\system32\ctfmon.exe
2008-02-02 20:02 . 2008-02-03 02:25 <DIR> d-------- C:\fixwareout
2008-01-26 17:42 . 2008-01-26 17:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-23 20:03 . 2008-02-06 07:22 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-01-23 20:03 . 2008-01-23 20:03 1,409 --a------ C:\WINNT\QTFont.for
2008-01-20 20:43 . 2008-02-04 07:19 7,536 --a------ C:\WINNT\loadqm.exe
2008-01-20 20:39 . 2008-01-20 20:39 13,646 --a------ C:\WINNT\system32\wpa.bak
2008-01-20 19:40 . 2008-02-06 07:21 13,646 --a------ C:\WINNT\system32\wpa.dbl
2008-01-17 16:52 . 2008-01-17 16:52 126 --a------ C:\tempdel.bat
2008-01-17 16:50 . 2008-01-17 16:50 62,976 --a------ C:\nethlpr.exe
2008-01-14 18:12 . 2008-01-14 18:12 <DIR> d-------- C:\Program Files\RcvSystem
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINNT\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINNT\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-06 15:10 --------- d-----w C:\Program Files\iTunes
2008-02-06 15:10 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-03 22:53 --------- d-----w C:\Program Files\QuickTime
2008-01-17 10:34 --------- d-----w C:\Program Files\iPod
2007-12-19 06:31 --------- d-----w C:\Documents and Settings\x\Application Data\AdobeUM
2007-12-09 07:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\kds_kodak
2007-12-09 07:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Eastman Kodak Company
2007-12-09 06:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2007-12-09 06:15 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SDSD
2007-12-09 06:10 --------- d-----w C:\Program Files\Kodak
2007-12-09 06:09 --------- d-----w C:\Program Files\Common Files\Kodak
2007-12-09 05:10 --------- d-----w C:\Program Files\Hewlett-Packard
2002-11-06 23:45 57,344 ----a-w C:\WINNT\Fonts\omnithread_rt.dll
2002-11-06 23:45 32,768 ----a-w C:\WINNT\Fonts\VNCHooks.dll
2002-06-09 23:40 271 --sh--w C:\Program Files\desktop.ini
2002-06-09 23:40 21,952 ---ha-w C:\Program Files\folder.htt
.
Code:
<pre>
----a-w           598,016 2008-02-05 15:30:43  C:\Program Files\Trend Micro\HijackThis\backups\backup-20080205-073235-200-PowerReg Scheduler .exe
----a-w           567,296 2008-02-05 15:30:46  C:\Program Files\Trend Micro\HijackThis\backups\backup-20080205-073235-352-PowerReg Scheduler V3 .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [ ]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2008-02-05 07:36 57344]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2008-02-05 07:36 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [2006-02-28 04:00 143360 C:\WINNT\system32\mobsync.exe]
"SSRunScript"="C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" [2008-02-05 07:35 40960]
"LoadQM"="loadqm.exe" [2008-02-04 07:19 7536 C:\WINNT\loadqm.exe]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2008-02-05 07:35 188416]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2008-02-05 07:35 77824]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe" [2008-02-05 07:35 32881]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-05 07:35 151597]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-05 07:35 52840]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2008-02-05 07:36 40960]
"EKIJ5000StatusMonitor"="C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-02-05 07:36 753664]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-05 07:36 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2005-06-14 09:05 6856704]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2006-02-28 04:00 214528]
"tscuninstall"="C:\WINNT\system32\tscupgrd.exe" [2006-02-28 04:00 44544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 00:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=NVDESK32.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"OM_Monitor"=C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"CamMonitor"=C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
"ReflexiveArcade"=C:\WINNT\vmmreg32.exe
"nwiz"=nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
"nwiz"=nwiz.exe /install

R1 cdudf;cdudf;C:\WINNT\system32\drivers\cdudf.sys [2001-09-04 14:38]
R2 KodakSvc;Kodak AiO Device Service;"C:\Program Files\Kodak\printer\center\KodakSvc.exe" [2007-03-22 18:04]
R3 tbcspud;Santa Cruz Driver;C:\WINNT\system32\drivers\tbcspud.sys [2001-08-29 12:19]
R3 tbcwdm;Santa Cruz WDM Driver;C:\WINNT\system32\drivers\tbcwdm.sys [2001-08-29 12:19]
S3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [2003-06-19 11:05]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-27 07:47:00 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-09 05:57:03 C:\WINNT\Tasks\EasyShare Registration Task.job"
- C:\WINNT\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOffer@16
"2008-02-06 04:05:00 C:\WINNT\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe
"2007-12-15 07:40:31 C:\WINNT\Tasks\Norton AntiVirus - Run Full System Scan - x.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
"2006-08-10 05:49:11 C:\WINNT\Tasks\Norton AntiVirus - Run Norton QuickScan - x.job"
- C:\PROGRA~1\NORTON~1\NAVW32.EXEg/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-06 07:21:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINNT\system32\LVComS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\NSCSRVCE.EXE
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-02-06 7:31:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-06 15:31:12
ComboFix2.txt 2008-02-05 17:23:33
ComboFix3.txt 2008-02-05 04:38:31
ComboFix4.txt 2008-02-03 21:52:40
.
2008-02-06 15:00:50 --- E O F ---
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:35:28 AM, on 2/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINNT\system32\LVComS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\NSCSRVCE.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\connery.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: CNavExtBho Class - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINNT\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\x\Start Menu\Programs\>IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/supergerball/miniclipGameLoader.dll
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/rssoft.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINNT\system32\bgsvcgen.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Kodak AiO Device Service (KodakSvc) - SDSD - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINNT\system32\UAService7.exe
O24 - Desktop Component 0: (no name) - http://www.theappliance.com/airavata/Lila62631.jpg

--
End of file - 10499 bytes
 
Hi

Looks much better :)

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    o Scan using the following Anti-Virus database:

    + Extended (If available otherwise Standard)

    o Scan Options:

    + Scan Archives
    + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Note: This scanner will work with Internet Explorer Only!

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.

Post:

- a fresh HijackThis log
- kaspersky report
 
I still can't connect to the internet with it, and I don't know why!

Some setting must have gotten lost or changed along the way. I'm not sure what to look for. I have a cable modem with a wifi router connected, and my laptops have no problem connecting through the wifi.
Any clues what to look for?
 