Virtumonde and Virtumonde.generic Help Needed

Status
Not open for further replies.
W

WaltL

New member
Keeps reinstalling. I have run SpyBot, VundoFix, ComboFix and Kapersky On Line. Following is the latest Kapersky and HighJackThis logs. Any help is appreciated.

KASPERSKY ONLINE SCANNER REPORT
Saturday, November 17, 2007 6:14:24 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 18/11/2007
Kaspersky Anti-Virus database records: 461015


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target Critical Areas
C:\WINNT
C:\DOCUME~1\Owner\LOCALS~1\Temp\

Scan Statistics
Total number of scanned objects 20228
Number of viruses found 3
Number of infected objects 7
Number of suspicious objects 0
Duration of the scan process 00:25:27

Infected Object Name Virus Name Last Action
C:\WINNT\$NtServicePackUninstall$\wmplayer.exe.000/data0002 Infected: Trojan.Win32.Scapur.b skipped

C:\WINNT\$NtServicePackUninstall$\wmplayer.exe.000/data0003 Infected: Trojan.Win32.Scapur.b skipped

C:\WINNT\$NtServicePackUninstall$\wmplayer.exe.000 NSIS: infected - 2 skipped

C:\WINNT\Debug\PASSWD.LOG Object is locked skipped

C:\WINNT\SchedLgU.Txt Object is locked skipped

C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINNT\system32\CatRoot2\edb.log Object is locked skipped

C:\WINNT\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped

C:\WINNT\system32\config\DEFAULT Object is locked skipped

C:\WINNT\system32\config\default.LOG Object is locked skipped

C:\WINNT\system32\config\Internet.evt Object is locked skipped

C:\WINNT\system32\config\SAM Object is locked skipped

C:\WINNT\system32\config\SAM.LOG Object is locked skipped

C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped

C:\WINNT\system32\config\SECURITY Object is locked skipped

C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped

C:\WINNT\system32\config\SOFTWARE Object is locked skipped

C:\WINNT\system32\config\software.LOG Object is locked skipped

C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped

C:\WINNT\system32\config\SYSTEM Object is locked skipped

C:\WINNT\system32\config\system.LOG Object is locked skipped

C:\WINNT\system32\h323log.txt Object is locked skipped

C:\WINNT\system32\haoxqphx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped

C:\WINNT\system32\jsvxyisy.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped

C:\WINNT\system32\leqvhpgt.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped

C:\WINNT\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINNT\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINNT\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINNT\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINNT\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINNT\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINNT\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINNT\system32\xwxoisyx.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped

C:\WINNT\Temp\mcafee_HNajVjZdrQkpCb0 Object is locked skipped

C:\WINNT\Temp\mcmsc_qQdxSyxnNr5Csux Object is locked skipped

C:\WINNT\Temp\mcmsc_smfElmbvej8Xfxa Object is locked skipped

C:\WINNT\Temp\mcmsc_uW9lIvAHIfWf2eX Object is locked skipped

C:\WINNT\Temp\mcmsc_xZi878X266je8WG Object is locked skipped

C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:22:04 PM, on 11/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {344BCACA-5079-5DD2-7EB4-7395C9F2DD9A} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: {229b8afb-3958-992b-31f4-d8134dfaf059} - {950fafd4-318d-4f13-b299-8593bfa8b922} - (no file)
O2 - BHO: (no name) - {C805E94A-DF95-4588-A1F5-00B6F880DC76} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [drmclien] C:\WINNT\System32\drmclien.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by111fd.bay111.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1101515601940
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1185853778328
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.24.10/ttinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {FC01E8B2-B5A6-4660-BD9A-C01B59330DD9} (ViPlayerHtml Control) - http://www.vdrv.com/demo/vidrev.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O24 - Desktop Component 0: (no name) - http://us.i1.yimg.com/us.yimg.com/i/us/plus/csp/el/bg_sm_bt_dna.gif

--
End of file - 10058 bytes
 
Hi

Please post the newest VundoFix & ComboFix logs as well ...
You'll find them here :-

C:\vundofix.txt
C:\ComboFix.txt

You say Virtumonde keeps reinstalling ... please post the logs which are telling you this, or tell me how you come to this conclusion ?

Something may be just finding a leftover, like a BHO CLSID of which you have a couple ...

steam
 
Thanks For Your Help

I thought I had everything cleaned once or twice and then when browsing the popups restarted. I then ran SpyBot and it found 9 instances. That's when I ran VundoFix, ComboFix and Kapersky. Here are the logs from Spybot and VundoFix. Walt


VundoFix V6.6.2

Checking Java version...

Scan started at 3:00:23 PM 11/17/2007

Listing files found while scanning....

C:\WINNT\system32\byxwvsp.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\byxwvsp.dll
C:\WINNT\system32\byxwvsp.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINNT\system32\byxwvsp.dll
C:\WINNT\system32\byxwvsp.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.6.2

Checking Java version...

Scan started at 3:08:14 PM 11/17/2007

Listing files found while scanning....

No infected files were found.


ComboFix 07-11-08.3 - Owner 2007-11-17 15:17:14.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.206 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Owner\Application Data\SKS~1
C:\Documents and Settings\Owner\Application Data\YMANTE~1
C:\Documents and Settings\Owner\Favorites\Online Security Guide.lnk
C:\Program Files\Common Files\racle~1
C:\Program Files\ymbols~1
C:\WINNT\cookies.ini
C:\WINNT\hosts
C:\WINNT\invupd.exe
C:\WINNT\racle~1
C:\WINNT\stem~1
C:\WINNT\stem~1\??stem\
C:\WINNT\system32\awtqn.dll
C:\WINNT\system32\crosof~1.net
C:\WINNT\system32\icroso~1.net
C:\WINNT\system32\lnnmp.bak1
C:\WINNT\system32\nqtwa.ini
C:\WINNT\system32\nqtwa.ini2
C:\WINNT\system32\pac.txt
C:\WINNT\system32\wnsapisv.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-10-17 to 2007-11-17 )))))))))))))))))))))))))))))))
.

2007-11-17 15:14 51,200 --a------ C:\WINNT\NirCmd.exe
2007-11-17 15:00 <DIR> d-------- C:\VundoFix Backups
2007-11-17 12:45 145,984 --a------ C:\WINNT\system32\xwxoisyx.dll
2007-11-16 18:09 85,056 --a------ C:\WINNT\system32\jsvxyisy.dll
2007-11-16 17:44 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-15 17:54 <DIR> d-------- C:\Program Files\Windows Defender
2007-11-15 16:06 85,056 --a------ C:\WINNT\system32\haoxqphx.dll
2007-11-15 14:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-11-15 12:40 <DIR> d--h----- C:\WINNT\PIF
2007-10-26 12:59 <DIR> d-------- C:\WINNT\system32\logs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-14 18:29 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\PIE Service
2007-12-14 18:06 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdwareAlert
2007-12-14 18:06 --------- d-----w C:\Documents and Settings\LocalService\Application Data\PIE Service
2007-12-12 03:46 56,234 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2007-12-08 13:23 --------- d-----w C:\Documents and Settings\Owner\Application Data\Yahoo!
2007-12-08 13:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-12-08 13:22 --------- d-----w C:\Program Files\Yahoo!
2007-12-08 00:29 --------- d-----w C:\Program Files\McAfee
2007-12-08 00:24 --------- d-----w C:\Program Files\Common Files\McAfee
2007-12-06 13:40 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-11-17 04:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-17 00:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-11-16 17:35 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
2007-11-15 23:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2007-11-15 21:35 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-11-15 19:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\SiteAdvisor
2007-10-25 03:01 --------- d-----w C:\Program Files\SBC Yahoo!
2007-10-22 02:41 --------- d-----w C:\Documents and Settings\Owner\Application Data\yoclient
2007-07-23 14:57 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2006-06-26 21:35 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2004-12-06 01:12 57,256 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2004-11-27 02:32 153,412,551 --sh--w C:\WINNT\Fonts\litumoc.bak2
2004-11-17 01:16 558,331 --sha-w C:\WINNT\Fonts\litumoc.bak1
2004-10-30 22:28 15,752,040 --sh--w C:\WINNT\Fonts\itnacvs.bak2
2004-10-25 19:56 144,948,008 --sh--w C:\WINNT\Fonts\ptflld.bak2
2004-10-25 07:54 20,699,755 --sha-w C:\WINNT\Fonts\ptflld.bak1
2004-06-14 00:19 449 ----a-w C:\Documents and Settings\Owner\UpdateReg.reg
2004-11-23 16:01:57 983,335 --sha-w C:\WINNT\addins\bvlru.bak1
2004-11-24 04:02:05 972,850 --sh--w C:\WINNT\addins\bvlru.bak2
2004-11-29 20:06:58 62,047,607 --sha-w C:\WINNT\Driver Cache\csm.bak1
2004-11-29 20:08:08 62,130,253 --sh--w C:\WINNT\Driver Cache\csm.bak2
2004-10-30 22:28:57 15,752,040 --sh--w C:\WINNT\Fonts\itnacvs.bak2
2004-11-17 01:16:26 558,331 --sha-w C:\WINNT\Fonts\litumoc.bak1
2004-11-27 02:32:53 153,412,551 --sh--w C:\WINNT\Fonts\litumoc.bak2
2004-10-25 07:54:48 20,699,755 --sha-w C:\WINNT\Fonts\ptflld.bak1
2004-10-25 19:56:55 144,948,008 --sh--w C:\WINNT\Fonts\ptflld.bak2
2004-10-12 19:47:36 1,685,575 --sh--w C:\WINNT\Help\SBSI\bacyalp.bak2
2004-11-16 01:15:38 558,062 --sh--w C:\WINNT\java\classes\cfmpi.bak2
2004-10-20 19:50:58 20,670,009 --sh--w C:\WINNT\repair\tenibil.bak2
2004-10-22 19:52:45 20,699,819 --sh--w C:\WINNT\security\Database\ipatalue.bak2
2004-11-06 12:08:26 602,495 --sh--w C:\WINNT\system\itnada.bak2
2004-11-17 03:27:58 15,649,916 --sh--w C:\WINNT\system\sabger.bak2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{344BCACA-5079-5DD2-7EB4-7395C9F2DD9A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{950fafd4-318d-4f13-b299-8593bfa8b922}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C805E94A-DF95-4588-A1F5-00B6F880DC76}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [2001-07-09 04:50]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 09:14]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-03-30 09:42]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33]
"ViewMgr"="C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" []
"IPInSightMonitor 01"="C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" []
"HPHUPD05"="C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-22 07:03]
"HPDJ Taskbar Utility"="C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-05-06 23:56]
"Gateway Ink Monitor"="C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe" [2003-11-05 12:23]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" []
"2wSysTray"="C:\Program Files\2Wire\2PortalMon.exe" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2006-12-13 09:16]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 01:56]
"drmclien"="C:\WINNT\System32\drmclien.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [2004-06-09 14:27:34]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINNT\system32\awtqn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINNT\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINNT\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINNT\System32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRISMSVR.EXE]
"C:\WINNT\System32\PRISMSVR.EXE" /APPLY

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QCvS1A]
C:\documents and settings\owner\local settings\temp\QCvS1A.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
"C:\Program Files\Spyware Doctor\spydoctor.exe" /Q

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vGb0B]
C:\documents and settings\owner\local settings\temp\vGb0B.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPatrol]
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
C:\Program Files\Yahoo!\browser\ybrwicon.exe

S3 2WIREPCP;2Wire USB;C:\WINNT\system32\DRIVERS\2WirePCP.sys
S3 FVNETusb;Linksys Wireless-B USB Network Adapter v2.8 Driver;C:\WINNT\system32\DRIVERS\vnet558x.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-12-14 18:29:34 C:\WINNT\Tasks\AdwareAlert Scheduled Scan.job"
"2007-10-31 19:54:04 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
"2007-10-25 23:20:12 C:\WINNT\Tasks\HP DArC Task #Hewlett-Packard#7900#CN38G220D3EI.job"
"2008-01-15 07:18:41 C:\WINNT\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2007-11-17 21:08:53 C:\WINNT\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-17 15:30:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-17 15:32:07 - machine was rebooted
.
--- E O F ---
 
Hi

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code: 
File::
C:\WINNT\system32\xwxoisyx.dll
C:\WINNT\system32\jsvxyisy.dll
C:\WINNT\system32\haoxqphx.dll
C:\WINNT\Fonts\litumoc.bak2
C:\WINNT\Fonts\litumoc.bak1
C:\WINNT\Fonts\itnacvs.bak2
C:\WINNT\Fonts\ptflld.bak2
C:\WINNT\Fonts\ptflld.bak1
C:\WINNT\addins\bvlru.bak1
C:\WINNT\addins\bvlru.bak2
C:\WINNT\Driver Cache\csm.bak1
C:\WINNT\Driver Cache\csm.bak2
C:\WINNT\Fonts\itnacvs.bak2
C:\WINNT\Fonts\litumoc.bak1
C:\WINNT\Fonts\litumoc.bak2
C:\WINNT\Fonts\ptflld.bak1
C:\WINNT\Fonts\ptflld.bak2
C:\WINNT\Help\SBSI\bacyalp.bak2
C:\WINNT\java\classes\cfmpi.bak2
C:\WINNT\repair\tenibil.bak2
C:\WINNT\security\Database\ipatalue.bak2
C:\WINNT\system\itnada.bak2
C:\WINNT\system\sabger.bak2

Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{344BCACA-5079-5DD2-7EB4-7395C9F2DD9A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{950fafd4-318d-4f13-b299-8593bfa8b922}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C805E94A-DF95-4588-A1F5-00B6F880DC76}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QCvS1A]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vGb0B]

Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

steam
 
ComboFix Log

Here are the two logs after running CFScript. Walt

ComboFix 07-11-08.3 - Owner 2007-11-18 13:14:24.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.184 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINNT\addins\bvlru.bak1
C:\WINNT\addins\bvlru.bak2
C:\WINNT\Driver Cache\csm.bak1
C:\WINNT\Driver Cache\csm.bak2
C:\WINNT\Fonts\itnacvs.bak2
C:\WINNT\Fonts\litumoc.bak1
C:\WINNT\Fonts\litumoc.bak2
C:\WINNT\Fonts\ptflld.bak1
C:\WINNT\Fonts\ptflld.bak2
C:\WINNT\Help\SBSI\bacyalp.bak2
C:\WINNT\java\classes\cfmpi.bak2
C:\WINNT\repair\tenibil.bak2
C:\WINNT\security\Database\ipatalue.bak2
C:\WINNT\system\itnada.bak2
C:\WINNT\system\sabger.bak2
C:\WINNT\system32\haoxqphx.dll
C:\WINNT\system32\jsvxyisy.dll
C:\WINNT\system32\xwxoisyx.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\WINNT\addins\bvlru.bak1
C:\WINNT\addins\bvlru.bak2
C:\WINNT\Driver Cache\csm.bak1
C:\WINNT\Driver Cache\csm.bak2
C:\WINNT\Fonts\itnacvs.bak2
C:\WINNT\Fonts\litumoc.bak1
C:\WINNT\Fonts\litumoc.bak2
C:\WINNT\Fonts\ptflld.bak1
C:\WINNT\Fonts\ptflld.bak2
C:\WINNT\Help\SBSI\bacyalp.bak2
C:\WINNT\java\classes\cfmpi.bak2
C:\WINNT\repair\tenibil.bak2
C:\WINNT\security\Database\ipatalue.bak2
C:\WINNT\system\itnada.bak2
C:\WINNT\system\sabger.bak2
C:\WINNT\system32\haoxqphx.dll
C:\WINNT\system32\jsvxyisy.dll
C:\WINNT\system32\xwxoisyx.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-18 to 2007-11-18 )))))))))))))))))))))))))))))))
.

2007-11-17 16:41 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2007-11-17 16:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-17 15:14 51,200 --a------ C:\WINNT\NirCmd.exe
2007-11-16 17:44 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-15 17:54 <DIR> d-------- C:\Program Files\Windows Defender
2007-11-15 14:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-11-15 12:40 <DIR> d--h----- C:\WINNT\PIF
2007-10-26 12:59 <DIR> d-------- C:\WINNT\system32\logs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-14 18:29 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\PIE Service
2007-12-14 18:06 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdwareAlert
2007-12-14 18:06 --------- d-----w C:\Documents and Settings\LocalService\Application Data\PIE Service
2007-12-12 03:46 56,234 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2007-12-08 13:23 --------- d-----w C:\Documents and Settings\Owner\Application Data\Yahoo!
2007-12-08 13:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-12-08 13:22 --------- d-----w C:\Program Files\Yahoo!
2007-12-08 00:29 --------- d-----w C:\Program Files\McAfee
2007-12-08 00:24 --------- d-----w C:\Program Files\Common Files\McAfee
2007-12-06 13:40 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-11-17 04:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-17 00:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-11-16 17:35 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
2007-11-15 23:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2007-11-15 21:35 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-11-15 19:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\SiteAdvisor
2007-10-25 03:01 --------- d-----w C:\Program Files\SBC Yahoo!
2007-10-22 02:41 --------- d-----w C:\Documents and Settings\Owner\Application Data\yoclient
2007-07-23 14:57 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2006-06-26 21:35 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2004-12-06 01:12 57,256 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2004-06-14 00:19 449 ----a-w C:\Documents and Settings\Owner\UpdateReg.reg
.

((((((((((((((((((((((((((((( snapshot@2007-11-17_15.30.50.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-17 17:27:26 32,768 ----a-w C:\WINNT\system32\config\systemprofile\Cookies\index.dat
+ 2007-11-18 16:44:45 32,768 ----a-w C:\WINNT\system32\config\systemprofile\Cookies\index.dat
- 2007-11-17 17:27:26 32,768 ----a-w C:\WINNT\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-11-18 16:44:45 32,768 ----a-w C:\WINNT\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-11-18 16:44:45 32,768 --sha-w C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-05-24 18:27:16 213,048 ----a-w C:\WINNT\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 21:47:20 94,208 ----a-w C:\WINNT\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 21:49:54 950,272 ----a-w C:\WINNT\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [2001-07-09 04:50]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 09:14]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-03-30 09:42]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33]
"ViewMgr"="C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" []
"IPInSightMonitor 01"="C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" []
"HPHUPD05"="C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-22 07:03]
"HPDJ Taskbar Utility"="C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-05-06 23:56]
"Gateway Ink Monitor"="C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe" [2003-11-05 12:23]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" []
"2wSysTray"="C:\Program Files\2Wire\2PortalMon.exe" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2006-12-13 09:16]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 01:56]
"drmclien"="C:\WINNT\System32\drmclien.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [2004-06-09 14:27:34]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINNT\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINNT\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINNT\System32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRISMSVR.EXE]
"C:\WINNT\System32\PRISMSVR.EXE" /APPLY

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
"C:\Program Files\Spyware Doctor\spydoctor.exe" /Q

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPatrol]
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
C:\Program Files\Yahoo!\browser\ybrwicon.exe

S3 2WIREPCP;2Wire USB;C:\WINNT\system32\DRIVERS\2WirePCP.sys
S3 FVNETusb;Linksys Wireless-B USB Network Adapter v2.8 Driver;C:\WINNT\system32\DRIVERS\vnet558x.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-12-14 18:29:34 C:\WINNT\Tasks\AdwareAlert Scheduled Scan.job"
"2007-10-31 19:54:04 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
"2007-10-25 23:20:12 C:\WINNT\Tasks\HP DArC Task #Hewlett-Packard#7900#CN38G220D3EI.job"
"2008-01-15 07:18:41 C:\WINNT\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2007-11-18 08:28:07 C:\WINNT\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-18 13:21:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-18 13:23:58 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-17 15:32
.
--- E O F ---
 
HighJackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:27:05 PM, on 11/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [drmclien] C:\WINNT\System32\drmclien.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by111fd.bay111.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1101515601940
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1185853778328
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.24.10/ttinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {FC01E8B2-B5A6-4660-BD9A-C01B59330DD9} (ViPlayerHtml Control) - http://www.vdrv.com/demo/vidrev.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O24 - Desktop Component 0: (no name) - http://us.i1.yimg.com/us.yimg.com/i/us/plus/csp/el/bg_sm_bt_dna.gif

--
End of file - 9758 bytes
 
Hi

Looks good

The logs are clean now... but just one file to delete :-

C:\WINNT\system32\leqvhpgt.dll

Are your problems resolved ?

steam
 
Thank You!

Removed the final dll. All seems to be well so far. I ran Spybot and got the all clear. I rebooted several times and no sign of the problems.

Thanks very, very much for your assistance. Walt
 
Status
Not open for further replies.
Back
Top