Virtumonde fix request (logs are ready) - please help!!!

[peter100]

Kaspersky report (doesn't fit) re: New Victim: Virtumonde - et. al. fix request

RE: http://forums.spybot.info/showthread.php?t=24289&highlight=virtumonde

I have the report per "md usa spybot fan" instructions but it doesn't fit here. I'm proceeding to the safe mode & HJT steps in the meantime. FYI here is the Kaspersky summary:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, February 14, 2008 7:27:30 PM
Operating System: Microsoft Windows XP Professional, Service Pack 3, v.3264 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 14/02/2008
Kaspersky Anti-Virus database records: 565623
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 138355
Number of viruses found: 6
Number of infected objects: 48
Number of suspicious objects: 0
Duration of the scan process: 02:08:54

 

[peter100]

(HJT log incl) RE: New Victim: Virtumonde - et. al. fix request

My previous post: ttp://forums.spybot.info/showthread.php?t=24309

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:56:02 PM, on 2/14/2008
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP Jetsuite\jsdaemon.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = https://remote.pers.hh.se
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O4 - HKLM\..\Run: [HGTXPEI] C:\WINDOWS\system32\FirstReboot.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [Opware14] "C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [f45555a6] rundll32.exe "C:\WINDOWS\system32\cavcuseo.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download All Files by HiDownload - C:\Program Files\HiDownload\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\Program Files\HiDownload\HDGet.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Program Files\HiDownload\hidownload.exe (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/201839e7097a64aca106/netzip/RdxIE601.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1097630386527
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by2fd.bay2.hotmail.msn.com/activex/HMAtchmt.ocx
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: jsdaemon - JetFax, Inc. - C:\Program Files\HP Jetsuite\jsdaemon.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 8493 bytes

 

[peter100]

Virtumonde fix request (logs are ready) - please help!!!

I have since run Kaspersky anti-virus trial and wonder if I can consider my PC problem-free?

Here are the Kaspersky On-line Scanner Report (summary only since the it's too big -many files reported "Object is locked-skipped") and HJT logs prior to running the KAV trial:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:56:02 PM, on 2/14/2008
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP Jetsuite\jsdaemon.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = https://remote.pers.hh.se
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O4 - HKLM\..\Run: [HGTXPEI] C:\WINDOWS\system32\FirstReboot.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [Opware14] "C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [f45555a6] rundll32.exe "C:\WINDOWS\system32\cavcuseo.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download All Files by HiDownload - C:\Program Files\HiDownload\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\Program Files\HiDownload\HDGet.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Program Files\HiDownload\hidownload.exe (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/201839e7097a64aca106/netzip/RdxIE601.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1097630386527
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by2fd.bay2.hotmail.msn.com/activex/HMAtchmt.ocx
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: jsdaemon - JetFax, Inc. - C:\Program Files\HP Jetsuite\jsdaemon.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
--
End of file - 8493 bytes


NOTE
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, February 14, 2008 7:27:30 PM
Operating System: Microsoft Windows XP Professional, Service Pack 3, v.3264 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 14/02/2008
Kaspersky Anti-Virus database records: 565623
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 138355
Number of viruses found: 6
Number of infected objects: 48
Number of suspicious objects: 0
Duration of the scan process: 02:08:54

---

Thank you!

 

[ken545]

Hello peter100

Welcome to Safer Networking.

Please read Before YouPost
That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.


Please reply to this thread only by using the Submit reply and not start any new topics or we won't be able to keep track of you.

It looks like your infected with the Vundo Trojan, run these scans in order please.


Download VundoFix to your desktop

• Double-click VundoFix.exe to run it.
• Click the Scan for Vundo button.
• Once it's done scanning, click the Remove Vundo button.
• You will receive a prompt asking if you want to remove the files, click YES
• Once you click yes, your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will reboot your computer, click OK.
• Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.




Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy and Paste the entire report in your next reply along with a Hijackthis log.

Download ComboFix from Here or Here to your Desktop.

In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.

1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

• Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
• Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
• Remember to re enable the protection again afterwards before connecting to the net

2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.

• IF you have not already done so Combofix will disconnect your machine from the Internet when it starts.
• If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.


I need to see the Vundofix log, the Malwarebytes log , the Combofix log and a new HJT log please, if it all wont fit in one reply, take as many replies as you need to post them all

 

[peter100]

my 1st reply to ken545 with vundofix/hijackthis log

Hi Ken - thank you for your help!

VundoFix seems to have found 2 files (see log), but on reboot Kaspersky AV found a these - is VundoFix doing what it should?...

deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\Vundofix Backups\qoagctpq.dll.bad
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\Vundofix Backups\xgtjdgcx.dll.bad



Here is the log:

VundoFix V6.7.8

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 8:21:14 PM 2/21/2008

Listing files found while scanning....

C:\WINDOWS\system32\qoagctpq.dll
C:\WINDOWS\system32\xgtjdgcx.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\qoagctpq.dll
C:\WINDOWS\system32\qoagctpq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xgtjdgcx.dll
C:\WINDOWS\system32\xgtjdgcx.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.7.8

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 9:01:16 PM 2/21/2008

Listing files found while scanning....



Here is the Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:01:59 PM, on 2/21/2008
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP Jetsuite\jsdaemon.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Majsan\Desktop\VundoFix.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = https://remote.pers.hh.se
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1BE195F9-F7C7-4334-B591-B9900BA24DB1} - (no file)
O2 - BHO: (no name) - {1E71ADDC-4451-43F1-A6E2-3B515E578E67} - (no file)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8146B1B8-0078-4131-81FC-2A76C1FD6ECC} - (no file)
O2 - BHO: (no name) - {BED7C2B4-3DA5-4F4F-84F7-07CAB3418E5F} - (no file)
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O2 - BHO: (no name) - {D1BA9F50-D95B-4B4E-9218-E796EC763161} - (no file)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O4 - HKLM\..\Run: [HGTXPEI] C:\WINDOWS\system32\FirstReboot.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [Opware14] "C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [f45555a6] rundll32.exe "C:\WINDOWS\system32\cavcuseo.dll",b
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/201839e7097a64aca106/netzip/RdxIE601.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1097630386527
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by2fd.bay2.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: gebxyxy - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: jsdaemon - JetFax, Inc. - C:\Program Files\HP Jetsuite\jsdaemon.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 10398 bytes



In the meantime it looks like I'm infected with: Email-Worm.Win32.Brontok.q - but maybe we should take one at a time or?

I will post the Malwarebytes log shortly...

 

[ken545]

Vundofix removed two files and Kaspersky found them in the backup folder
C:\Vundofix Backups\qoagctpq.dll.bad

Just run the scans as I posted them and post the logs

Forgot to mention that you need to disable the TeaTimer in Spybot, keep it disabled until we are done.


Disable the TeaTimer, you can re enable it when were done if you wish

• Run Spybot-S&D in Advanced Mode.
• If it is not already set to do this Go to the Mode menu select "Advanced Mode"
• On the left hand side, Click on Tools
• Then click on the Resident Icon in the List
• Uncheck "Resident TeaTimer" and OK any prompts.
• Restart your computer.<--You need to do this for it to take effect

 

[peter100]

2nd reply to ken545 with Malwarebytes/hijackthis log

Hi Ken,

Here are the Malwarebytes/Hijackthis logs: (Combofix log will follow shortly)

Malwarebytes' Anti-Malware 1.04
Database version: 385

Scan type: Quick Scan
Objects scanned: 29687
Time elapsed: 5 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{bed7c2b4-3da5-4f4f-84f7-07cab3418e5f} (Trojan.Conhook) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bed7c2b4-3da5-4f4f-84f7-07cab3418e5f} (Trojan.Conhook) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{bed7c2b4-3da5-4f4f-84f7-07cab3418e5f} (Trojan.Conhook) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Adware Away (Rogue.AdwareAway) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Adware Away\AdAway.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.



... and the Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:52:24 PM, on 2/21/2008
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP Jetsuite\jsdaemon.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = https://remote.pers.hh.se
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1BE195F9-F7C7-4334-B591-B9900BA24DB1} - (no file)
O2 - BHO: (no name) - {1E71ADDC-4451-43F1-A6E2-3B515E578E67} - (no file)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8146B1B8-0078-4131-81FC-2A76C1FD6ECC} - (no file)
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O2 - BHO: (no name) - {D1BA9F50-D95B-4B4E-9218-E796EC763161} - (no file)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O4 - HKLM\..\Run: [HGTXPEI] C:\WINDOWS\system32\FirstReboot.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [Opware14] "C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [f45555a6] rundll32.exe "C:\WINDOWS\system32\cavcuseo.dll",b
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/201839e7097a64aca106/netzip/RdxIE601.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1097630386527
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by2fd.bay2.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: gebxyxy - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: jsdaemon - JetFax, Inc. - C:\Program Files\HP Jetsuite\jsdaemon.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 10315 bytes

 

[peter100]

3rd reply to ken545 with ComboFix log

Hi Ken, the first 1/2 of the ComboFix log is below. The 2nd 1/2 will follow, along with the last hijackthis log (too long).

ComboFix 08-02-22 - Majsan 2008-02-21 22:13:22.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.46.1033.18.192 [GMT 1:00]
Running from: C:\Documents and Settings\Majsan\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\cbadd.ini
C:\WINDOWS\system32\cbadd.ini2
C:\WINDOWS\system32\khnrgndj.ini
C:\WINDOWS\system32\nGpxx16
C:\WINDOWS\system32\oesucvac.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rstwa.ini
C:\WINDOWS\system32\rstwa.ini2
C:\WINDOWS\system32\vyadd.ini
C:\WINDOWS\system32\vyadd.ini2
C:\WINDOWS\system32\wmygjhxj.ini
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_IPRIP
-------\Iprip


((((((((((((((((((((((((( Files Created from 2008-01-22 to 2008-02-22 )))))))))))))))))))))))))))))))
.

2008-02-21 21:28 . 2008-02-21 21:28 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-02-21 21:28 . 2008-02-21 21:28 <DIR> d-------- C:\Documents and Settings\Majsan\Application Data\Malwarebytes
2008-02-21 21:28 . 2008-02-21 21:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-21 21:27 . 2008-02-21 21:27 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-02-21 20:57 . 2008-02-21 20:57 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-02-21 20:21 . 2008-02-21 21:03 <DIR> d-------- C:\VundoFix Backups
2008-02-18 18:53 . 2008-02-18 18:53 <DIR> d-------- C:\Program Files\Bonjour
2008-02-18 18:47 . 2008-02-18 18:47 48,544 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-02-17 00:23 . 2008-02-17 00:23 <DIR> d-------- C:\Program Files\Safari
2008-02-16 21:53 . 2008-02-20 12:28 <DIR> d-------- C:\Program Files\Pettson2
2008-02-16 21:53 . 1999-12-17 09:13 86,016 --a------ C:\WINDOWS\unvise32.exe
2008-02-15 14:44 . 2008-02-15 14:44 <DIR> d-------- C:\Downloads
2008-02-15 14:44 . 2008-02-15 14:44 <DIR> d-------- C:\Documents and Settings\Majsan\Application Data\PCF-VLC
2008-02-15 13:41 . 2008-02-21 13:37 <DIR> d-------- C:\Program Files\FlashGet
2008-02-15 00:47 . 2008-02-15 01:01 91,700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-02-15 00:47 . 2008-02-15 00:47 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-02-15 00:45 . 2008-02-15 00:45 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-02-15 00:45 . 2008-02-22 22:19 5,101,856 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-15 00:45 . 2008-02-22 22:18 72,488 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-15 00:45 . 2008-02-22 22:19 61,472 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-02-15 00:45 . 2008-02-22 22:18 6,788 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-02-14 20:21 . 2008-02-14 20:21 <DIR> d-------- C:\kav
2008-02-14 17:02 . 2008-02-14 17:02 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-14 17:02 . 2008-02-22 22:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-14 12:11 . 2008-02-14 12:16 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-02-14 11:49 . 2007-12-01 00:25 989,696 --a------ C:\WINDOWS\system32\AAK.dll
2008-02-14 11:49 . 2007-12-01 00:25 617,472 --a------ C:\WINDOWS\system32\AAD.DLL
2008-02-14 11:49 . 2007-12-01 00:25 23,040 --a------ C:\WINDOWS\system32\AAP.DLL
2008-02-14 11:48 . 2008-02-14 11:48 255 --a------ C:\WINDOWS\system32\ad_away.lic
2008-02-14 11:37 . 2008-02-14 11:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-14 02:07 . 2008-02-14 02:09 <DIR> d-------- C:\hidownload
2008-02-14 01:41 . 2008-02-14 01:40 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-14 01:41 . 2008-02-14 01:41 3,445 --a------ C:\WINDOWS\unins000.dat
2008-02-14 01:31 . 2008-02-14 01:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-14 01:29 . 2008-02-14 01:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-14 01:11 . 2008-02-14 01:11 <DIR> d-------- C:\WINDOWS\system32\uw3
2008-02-14 01:11 . 2008-02-15 08:11 <DIR> d-------- C:\WINDOWS\system32\fe9
2008-02-14 01:11 . 2008-02-14 01:11 <DIR> d-------- C:\WINDOWS\system32\de1
2008-02-14 01:11 . 2008-02-14 01:11 <DIR> d-------- C:\Temp\gTiis19
2008-02-14 01:11 . 2008-02-14 01:11 <DIR> d-------- C:\Temp\cXzz9
2008-02-14 01:11 . 2008-02-22 22:13 <DIR> d-------- C:\Temp
2008-02-14 01:11 . 2008-02-14 01:11 0 --a------ C:\WINDOWS\system32\ope3D.tmp
2008-02-14 01:11 . 2008-02-14 01:11 0 --a------ C:\WINDOWS\system32\ope3C.tmp
2008-02-14 01:10 . 2008-02-14 01:10 352,410 --a------ C:\WINDOWS\ope31.exe
2008-02-14 01:10 . 2008-02-14 01:10 352,410 --a------ C:\WINDOWS\ope30.exe
2008-02-14 01:10 . 2008-02-14 01:10 0 --a------ C:\WINDOWS\system32\ope3B.tmp
2008-02-14 01:10 . 2008-02-14 01:10 0 --a------ C:\WINDOWS\system32\ope3A.tmp
2008-02-14 01:10 . 2008-02-14 01:10 0 --a------ C:\WINDOWS\ope31.tmp
2008-02-14 01:10 . 2008-02-14 01:10 0 --a------ C:\WINDOWS\ope30.tmp
2008-02-14 00:32 . 2008-02-14 00:32 <DIR> d-------- C:\Documents and Settings\Majsan\Application Data\Participatory Culture Foundation
2008-02-14 00:31 . 2008-02-14 00:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Participatory Culture Foundation
2008-02-14 00:13 . 2008-02-14 00:13 <DIR> d-------- C:\Documents and Settings\Majsan\dwhelper
2008-02-13 23:49 . 2008-02-13 23:49 1,158 --a------ C:\WINDOWS\mozver.dat
2008-02-13 23:23 . 2008-02-13 23:23 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-13 14:53 . 2008-02-13 14:53 <DIR> d-------- C:\Program Files\HCA
2008-02-12 12:57 . 2008-02-12 12:57 <DIR> d-------- C:\Program Files\THQ
2008-02-12 09:16 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-12 08:59 . 2008-02-12 08:59 <DIR> d-------- C:\Program Files\PDFCreator Toolbar
2008-02-12 08:59 . 2008-02-12 09:00 <DIR> d-------- C:\Program Files\PDFCreator
2008-02-12 08:59 . 2004-03-09 00:00 662,288 --a------ C:\WINDOWS\system32\MSCOMCT2.OCX
2008-02-12 08:59 . 2008-02-12 08:59 253,116 --a------ C:\WINDOWS\PDFCreator_Toolbar_Uninstaller_1312.exe
2008-02-12 08:59 . 2005-10-15 12:32 196,608 --a------ C:\WINDOWS\system32\pdfcmnnt.dll
2008-02-12 08:59 . 1998-06-24 00:00 137,000 --a------ C:\WINDOWS\system32\MSMAPI32.OCX
2008-02-12 08:59 . 1998-07-06 00:00 23,552 --a------ C:\WINDOWS\system32\MSMPIDE.DLL
2008-02-12 08:59 . 2008-02-12 08:59 14,290 --a------ C:\Program Files\settings.dat
2008-02-09 14:25 . 2008-02-12 08:24 <DIR> d-------- C:\Program Files\Pettson1
2008-02-05 10:53 . 2008-02-05 10:53 <DIR> d-------- C:\Program Files\Common Files\Knowledge Adventure
2008-02-05 10:53 . 2008-02-05 10:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Knowledge Adventure
2008-01-31 12:28 . 2008-01-31 12:28 75,776 --ah----- C:\Documents and Settings\Majsan\Application Data\rbqt450.DLL
2008-01-31 12:28 . 2008-01-31 12:28 64,512 --ah----- C:\Documents and Settings\Majsan\Application Data\rbap450.dll
2008-01-31 12:28 . 2008-01-31 12:28 54,272 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSQTImporterPlugin1635.dll
2008-01-31 12:28 . 2008-01-31 12:28 53,760 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSPicturePlugin1635.dll
2008-01-31 12:28 . 2008-01-31 12:28 52,224 --ah----- C:\Documents and Settings\Majsan\Application Data\EHZComp.dll
2008-01-31 12:28 . 2008-01-31 12:28 51,712 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSWinPlugin1635.dll
2008-01-31 12:28 . 2008-01-31 12:28 49,664 --ah----- C:\WINDOWS\system32\MBSQuickTimePlugin1636.dll
2008-01-31 12:28 . 2008-01-31 12:28 49,664 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSQuickTimePlugin1636.dll
2008-01-31 12:28 . 2008-01-31 12:28 48,128 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSResPlugin1635.dll
2008-01-31 12:28 . 2008-01-31 12:28 41,984 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSMainPlugin1635.dll
2008-01-31 12:28 . 2008-01-31 12:28 41,472 --ah----- C:\WINDOWS\system32\RBShell400.dll
2008-01-31 12:28 . 2008-01-31 12:28 41,472 --ah----- C:\Documents and Settings\Majsan\Application Data\RBShell400.dll
2008-01-31 12:28 . 2008-01-31 12:28 37,376 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSPictureMacPlugin1635.dll
2008-01-31 12:28 . 2008-01-31 12:28 36,352 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSRegistryPlugin1636.dll
2008-01-31 12:28 . 2008-01-31 12:28 36,352 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSFolderitemsCreatePlugin1635.dll
2008-01-31 12:28 . 2008-01-31 12:28 33,280 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSEncryptPlugin1636.dll
2008-01-31 12:28 . 2008-01-31 12:28 32,256 --ah----- C:\WINDOWS\system32\MBSIconPlugin1635.dll
2008-01-31 12:28 . 2008-01-31 12:28 32,256 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSProcessPlugin1636.dll
2008-01-31 12:28 . 2008-01-31 12:28 32,256 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSIconPlugin1635.dll
2008-01-31 12:28 . 2008-01-31 12:28 29,184 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSRectPlugin1635.dll
2008-01-31 12:28 . 2008-01-31 12:28 29,184 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSMemoryPlugin1635.dll
2008-01-31 12:28 . 2008-01-31 12:28 26,624 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSUsernamePlugin1635.dll
2008-01-31 12:28 . 2008-01-31 12:28 26,112 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSResStreamPlugin1635.dll
2008-01-31 12:28 . 2008-01-31 12:28 26,112 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSRegistrationPlugin1636.dll
2008-01-31 12:28 . 2008-01-31 12:28 25,088 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSPluginVersionPlugin1635.dll
2008-01-31 12:28 . 2008-01-31 12:28 19,968 --ah----- C:\Documents and Settings\Majsan\Application Data\EHMD5.dll
2008-01-31 12:28 . 2008-01-31 12:28 18,432 --ah----- C:\Documents and Settings\Majsan\Application Data\EHEncrypt.dll
2008-01-31 12:27 . 2008-01-31 12:27 28,672 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSMacOSXPlugin1635.dll
2008-01-24 16:08 . 2008-01-24 16:08 <DIR> d-------- C:\Program Files\Citrix
2008-01-23 12:23 . 2008-01-23 12:49 <DIR> d-------- C:\Program Files\RegCure
2008-01-23 11:40 . 2007-12-01 00:23 101,888 -----c--- C:\WINDOWS\system32\dllcache\dpcdll.dll
2008-01-23 11:40 . 2007-12-01 00:25 10,752 --a------ C:\WINDOWS\system32\smtpapi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-16 23:23 --------- d-----w C:\Documents and Settings\Majsan\Application Data\Apple Computer
2008-02-14 07:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-14 07:23 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-14 00:32 --------- d-----w C:\Program Files\Lavasoft
2008-02-14 00:32 --------- d-----w C:\Documents and Settings\Majsan\Application Data\Lavasoft
2008-02-12 08:16 --------- d-----w C:\Program Files\Java
2008-02-12 07:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-24 16:28 --------- d-----w C:\Documents and Settings\Majsan\Application Data\Skype
2008-01-21 09:49 --------- d-----w C:\Program Files\RegistrySmart
2008-01-21 01:03 --------- d-----w C:\Documents and Settings\Majsan\Application Data\RegistrySmart
2008-01-21 00:54 23,600 ----a-w C:\WINDOWS\system32\drivers\TVICHW32.SYS
2008-01-21 00:24 --------- d-----w C:\Program Files\MSBuild
2008-01-21 00:15 --------- d-----w C:\Program Files\Reference Assemblies
2008-01-20 23:54 --------- d-----w C:\Program Files\ATI Technologies
2008-01-20 23:38 --------- d-----w C:\Program Files\iTunes
2008-01-20 23:38 --------- d-----w C:\Program Files\iPod
2008-01-20 23:36 --------- d-----w C:\Program Files\QuickTime
2008-01-20 23:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-20 23:32 --------- d-----w C:\Program Files\Apple Software Update
2008-01-20 23:31 --------- d-----w C:\Program Files\Common Files\Apple
2008-01-20 23:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-01-20 23:29 --------- d-----w C:\Program Files\Roku Radio Snooper
2008-01-20 23:27 --------- d-----w C:\Program Files\WinPcap
2008-01-20 23:03 --------- d-----w C:\Program Files\MSXML 6.0
2008-01-20 23:02 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-01-20 22:58 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-01-20 22:58 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2008-01-20 22:34 --------- d-----w C:\Program Files\MSXML 4.0
2008-01-20 22:30 --------- d-----w C:\Program Files\Google
2008-01-20 22:14 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-30 23:25 450,048 ----a-w C:\WINDOWS\AppPatch\aclayers.dll
2007-11-30 23:25 39,424 ----a-w C:\WINDOWS\AppPatch\acadproc.dll
2007-11-30 23:25 38,400 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\pchsvc.dll
2007-11-30 23:25 376,832 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msinfo.dll
2007-11-30 23:25 34,816 ----a-w C:\WINDOWS\Help\sniffpol.dll
2007-11-30 23:25 245,248 ----a-w C:\WINDOWS\AppPatch\acspecfc.dll
2007-11-30 23:25 141,312 ----a-w C:\WINDOWS\AppPatch\aclua.dll
2007-11-30 23:25 116,224 ----a-w C:\WINDOWS\AppPatch\acxtrnal.dll
2007-11-30 23:25 102,912 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\pchshell.dll
2007-11-30 23:25 1,852,928 ----a-w C:\WINDOWS\AppPatch\acgenral.dll
2004-11-03 21:46 82,640 -c--a-w C:\Documents and Settings\Majsan\Application Data\GDIPFONTCACHEV1.DAT
.

 

[peter100]

4th reply to ken545 with 2nd 1/2 of ComboFix + Hijackthis

------- Sigcheck -------

"C:\WINDOWS\system32\wininet.dll"
----a-w 656,896 2004-09-29 18:27:41 C:\WINDOWS\$hf_mig$\KB834707\SP2QFE\wininet.dll
----a-w 657,920 2005-01-27 17:08:42 C:\WINDOWS\$hf_mig$\KB867282\SP2QFE\wininet.dll
----a-w 658,944 2005-05-02 20:57:24 C:\WINDOWS\$hf_mig$\KB883939\SP2QFE\wininet.dll
----a-w 657,920 2005-03-10 07:43:23 C:\WINDOWS\$hf_mig$\KB890923\SP2QFE\wininet.dll
----a-w 660,480 2005-09-02 23:53:41 C:\WINDOWS\$hf_mig$\KB896688\SP2QFE\wininet.dll
----a-w 659,456 2005-07-03 02:09:33 C:\WINDOWS\$hf_mig$\KB896727\SP2QFE\wininet.dll
----a-w 661,504 2005-10-21 03:38:08 C:\WINDOWS\$hf_mig$\KB905915\SP2QFE\wininet.dll
----a-w 825,344 2007-10-10 23:47:29 C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
-c----w 656,384 2004-08-04 07:56:46 C:\WINDOWS\$NtServicePackUninstall$\wininet.dll
-c----w 656,384 2004-08-04 07:56:46 C:\WINDOWS\$NtUninstallKB834707$\wininet.dll
-c----w 593,920 2001-08-23 12:00:00 C:\WINDOWS\$NtUninstallKB834707-IE6-20040929.115007$\wininet.dll
-c----w 656,896 2004-09-29 18:47:04 C:\WINDOWS\$NtUninstallKB867282$\wininet.dll
-c----w 656,896 2005-03-10 08:02:35 C:\WINDOWS\$NtUninstallKB883939$\wininet.dll
-c----w 656,896 2005-01-27 17:13:18 C:\WINDOWS\$NtUninstallKB890923$\wininet.dll
-c----w 658,432 2005-07-03 02:11:30 C:\WINDOWS\$NtUninstallKB896688$\wininet.dll
-c----w 657,920 2005-05-02 20:52:36 C:\WINDOWS\$NtUninstallKB896727$\wininet.dll
-c----w 658,432 2005-09-02 23:52:06 C:\WINDOWS\$NtUninstallKB905915$\wininet.dll
-c----w 662,016 2006-01-09 18:02:00 C:\WINDOWS\$NtUninstallKB912812$\wininet.dll
-c----w 658,432 2005-10-21 03:39:30 C:\WINDOWS\$NtUninstallKB912945$\wininet.dll
-c----w 663,552 2006-03-04 03:58:52 C:\WINDOWS\$NtUninstallKB916281$\wininet.dll
-c----w 663,552 2006-05-10 05:25:22 C:\WINDOWS\$NtUninstallKB918899$\wininet.dll
-c--a-w 664,576 2006-06-23 11:25:31 C:\WINDOWS\ie7\wininet.dll
-c----w 818,688 2007-08-13 17:54:10 C:\WINDOWS\ie7updates\KB942615-IE7\wininet.dll
------w 666,112 2007-11-30 23:26:08 C:\WINDOWS\ServicePackFiles\i386\wininet.dll
----a-w 666,112 2007-10-11 05:57:41 C:\WINDOWS\SoftwareDistribution\Download\fa58243222bcfe35e5467668df396003\sp2qfe\wininet.dll
----a-w 824,832 2007-10-10 23:56:00 C:\WINDOWS\system32\wininet.dll
-c----w 824,832 2007-10-10 23:56:00 C:\WINDOWS\system32\dllcache\wininet.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1BE195F9-F7C7-4334-B591-B9900BA24DB1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E71ADDC-4451-43F1-A6E2-3B515E578E67}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8146B1B8-0078-4131-81FC-2A76C1FD6ECC}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D1BA9F50-D95B-4B4E-9218-E796EC763161}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-12-01 00:26 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USRpdA"="" []
"HGTXPEI"="C:\WINDOWS\system32\FirstReboot.exe" [2005-10-17 15:43 0]
"SoundFusion"="hercplgs.cpl" [2002-12-20 14:46 453120 C:\WINDOWS\system32\hercplgs.cpl]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2004-10-19 19:28 155648]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 09:22 155648]
"Opware14"="C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe" [2004-03-08 19:33 57344]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32 53248]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-06-10 10:21 217088]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41 45056]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"f45555a6"="C:\WINDOWS\system32\cavcuseo.dll" [ ]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-12-18 00:43 227856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2007-12-01 00:26 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebxyxy]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, credssp.dll,

R0 trm3x5;trm3x5;C:\WINDOWS\system32\DRIVERS\trm3x5.sys [2000-05-04 23:51]
R1 jsmux;jsmux;C:\WINDOWS\system32\drivers\jsmux.sys [1999-09-22 10:48]
R1 jsscan;jsscan;C:\WINDOWS\system32\drivers\jsscan.sys [1999-09-22 10:48]
R1 VIAPFD;VIAPFD;C:\WINDOWS\system32\Drivers\VIAPFD.SYS [2001-12-18 15:45]
R2 jsfax;jsfax;C:\WINDOWS\system32\drivers\jsfax.sys [1999-09-22 10:48]
R3 hercspud;Hercules (R) WDM Audio Driver;C:\WINDOWS\system32\drivers\hercspud.sys [2003-01-10 08:21]
R3 hercwdm;Hercules (R) WDM Interface Driver;C:\WINDOWS\system32\drivers\hercwdm.sys [2003-01-10 08:21]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
R3 USRpdA;U.S. Robotics 56K PCI Faxmodem Driver;C:\WINDOWS\system32\DRIVERS\USRpdA.sys [2001-08-17 14:28]
S2 Ca536av;4.1M MPEG4 DV Video Capture;C:\WINDOWS\system32\Drivers\Ca536av.sys [2003-07-09 10:49]
S2 ousbehci;%OWC_USBEHCD.DeviceDesc%;C:\WINDOWS\system32\Drivers\ousbehci.sys [2002-02-01 00:39]
S3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;C:\WINDOWS\system32\DRIVERS\ousb2hub.sys [2002-02-01 00:39]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2007-12-01 00:26]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2007-12-01 00:26]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2007-12-01 00:26]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2007-12-01 00:26]
S3 USBCamera;4.1M MPEG4 DV Bulk Driver;C:\WINDOWS\system32\Drivers\Bulk536.sys [2003-05-14 16:28]
S3 WLAN_USB;Wireless LAN USB Driver;C:\WINDOWS\system32\DRIVERS\MA111nd5.sys [2004-03-03 16:27]
S3 WlanUIB;NETGEAR 802.11b USB Driver;C:\WINDOWS\system32\DRIVERS\MA111nd5.sys [2004-03-03 16:27]
S4 jsdbg;jsdbg;C:\WINDOWS\system32\drivers\jsdbg.sys [1999-09-22 10:48]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

.
Contents of the 'Scheduled Tasks' folder
"2008-02-19 09:00:00 C:\WINDOWS\Tasks\Norton Ghost.job"
- C:\PROGRA~1\COMMON~1\SYMANT~1\NMain.exeB/dat:C:\Program Files\Norton SystemWorks\Norton Ghost\nswigho.nsi
"2008-02-22 21:20:03 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-02-14 02:01:09 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-02-15 02:30:02 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
- C:\Program Files\RegistrySmart\RegistrySmart.ex
- C:\Program Files\RegistrySmart.Majsan.Runs RegistrySmart to optimize your registry.
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-22 22:20:22
Windows 5.1.2600 Service Pack 3, v.3264 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = ??????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\HP Jetsuite\jsdaemon.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-02-22 22:23:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-22 21:22:59
.
2008-02-13 13:52:40 --- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:28:05 PM, on 2/22/2008
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP Jetsuite\jsdaemon.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = https://remote.pers.hh.se
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1BE195F9-F7C7-4334-B591-B9900BA24DB1} - (no file)
O2 - BHO: (no name) - {1E71ADDC-4451-43F1-A6E2-3B515E578E67} - (no file)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8146B1B8-0078-4131-81FC-2A76C1FD6ECC} - (no file)
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O2 - BHO: (no name) - {D1BA9F50-D95B-4B4E-9218-E796EC763161} - (no file)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O4 - HKLM\..\Run: [HGTXPEI] C:\WINDOWS\system32\FirstReboot.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [Opware14] "C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [f45555a6] rundll32.exe "C:\WINDOWS\system32\cavcuseo.dll",b
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/201839e7097a64aca106/netzip/RdxIE601.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1097630386527
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by2fd.bay2.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: gebxyxy - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: jsdaemon - JetFax, Inc. - C:\Program Files\HP Jetsuite\jsdaemon.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 10108 bytes

 

[peter100]

additional issues...

A.) in the process of trying to delete the virus this file was deleted and I'm still getting a dll error message at startup - unable to find c:\windows\system32\cavcuseo.dll

B.) I think I might still have the virus: Email-Worm.Win32.Brontok.q

C.) Also, after ComboFix did its thing and rebooted, the re-enabled Kaspersky AV gave me this warning: not found: virus Heur.Invader (modification) File: c:\documents and settings\majsan\desktop\combofix.exe//PE_Patch.UPX/327882R2FWJFW\catchme.cfexe//PE_Patch.UPX

 

[ken545]

Peter,

The vundo trojan has so many files and registry entries that are being updated by these slimeballs on a regular basis, so it takes running a few programs to get rid of it all.

What I would like you to do is drag Combofx to the trash and download a fresh copy to your desktop, you can use the same links I provided earlier.

Then do this.

Open Notepad and copy all the text inside the Code box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above File::

File::
C:\WINDOWS\system32\mlfcache.dat
C:\WINDOWS\system32\AAK.dll
C:\WINDOWS\system32\AAD.DLL
C:\WINDOWS\system32\AAP.DLL
C:\WINDOWS\system32\ad_away.lic

Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1BE195F9-F7C7-4334-B591-B9900BA24DB1}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E71ADDC-4451-43F1-A6E2-3B515E578E67}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8146B1B8-0078-4131-81FC-2A76C1FD6ECC}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D1BA9F50-D95B-4B4E-9218-E796EC763161}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"f45555a6"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebxyxy]

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

 

[peter100]

CFScript into ComboFix (log) part a

Hi Ken,

Here come the new logs per your instructions:

ComboFix 08-02-22 - Majsan 2008-02-23 0:43:19.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.46.1033.18.186 [GMT 1:00]
Running from: C:\Documents and Settings\Majsan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Majsan\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\AAD.DLL
C:\WINDOWS\system32\AAK.dll
C:\WINDOWS\system32\AAP.DLL
C:\WINDOWS\system32\ad_away.lic
C:\WINDOWS\system32\mlfcache.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\WINDOWS\system32\AAD.DLL
C:\WINDOWS\system32\AAK.dll
C:\WINDOWS\system32\AAP.DLL
C:\WINDOWS\system32\ad_away.lic
C:\WINDOWS\system32\mlfcache.dat

.
((((((((((((((((((((((((( Files Created from 2008-01-22 to 2008-02-22 )))))))))))))))))))))))))))))))
.

2008-02-21 21:28 . 2008-02-21 21:28 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-02-21 21:28 . 2008-02-21 21:28 <DIR> d-------- C:\Documents and Settings\Majsan\Application Data\Malwarebytes
2008-02-21 21:28 . 2008-02-21 21:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-21 21:27 . 2008-02-21 21:27 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-02-21 20:57 . 2008-02-21 20:57 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-02-18 18:53 . 2008-02-18 18:53 <DIR> d-------- C:\Program Files\Bonjour
2008-02-17 00:23 . 2008-02-17 00:23 <DIR> d-------- C:\Program Files\Safari
2008-02-16 21:53 . 2008-02-20 12:28 <DIR> d-------- C:\Program Files\Pettson2
2008-02-16 21:53 . 1999-12-17 09:13 86,016 --a------ C:\WINDOWS\unvise32.exe
2008-02-15 14:44 . 2008-02-15 14:44 <DIR> d-------- C:\Downloads
2008-02-15 14:44 . 2008-02-15 14:44 <DIR> d-------- C:\Documents and Settings\Majsan\Application Data\PCF-VLC
2008-02-15 13:41 . 2008-02-21 13:37 <DIR> d-------- C:\Program Files\FlashGet
2008-02-15 00:47 . 2008-02-15 01:01 91,700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-02-15 00:47 . 2008-02-15 00:47 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-02-15 00:45 . 2008-02-15 00:45 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-02-15 00:45 . 2008-02-23 00:46 5,148,448 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-15 00:45 . 2008-02-22 22:18 72,488 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-15 00:45 . 2008-02-23 00:46 64,544 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-02-15 00:45 . 2008-02-22 22:18 6,788 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-02-14 20:21 . 2008-02-14 20:21 <DIR> d-------- C:\kav
2008-02-14 17:02 . 2008-02-14 17:02 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-14 17:02 . 2008-02-22 22:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-14 12:11 . 2008-02-14 12:16 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-02-14 11:37 . 2008-02-14 11:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-14 02:07 . 2008-02-14 02:09 <DIR> d-------- C:\hidownload
2008-02-14 01:41 . 2008-02-14 01:40 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-14 01:41 . 2008-02-14 01:41 3,445 --a------ C:\WINDOWS\unins000.dat
2008-02-14 01:31 . 2008-02-14 01:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-14 01:29 . 2008-02-14 01:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-14 01:11 . 2008-02-14 01:11 <DIR> d-------- C:\WINDOWS\system32\uw3
2008-02-14 01:11 . 2008-02-15 08:11 <DIR> d-------- C:\WINDOWS\system32\fe9
2008-02-14 01:11 . 2008-02-14 01:11 <DIR> d-------- C:\WINDOWS\system32\de1
2008-02-14 01:11 . 2008-02-14 01:11 <DIR> d-------- C:\Temp\gTiis19
2008-02-14 01:11 . 2008-02-14 01:11 <DIR> d-------- C:\Temp\cXzz9
2008-02-14 01:11 . 2008-02-22 22:13 <DIR> d-------- C:\Temp
2008-02-14 01:11 . 2008-02-14 01:11 0 --a------ C:\WINDOWS\system32\ope3D.tmp
2008-02-14 01:11 . 2008-02-14 01:11 0 --a------ C:\WINDOWS\system32\ope3C.tmp
2008-02-14 01:10 . 2008-02-14 01:10 352,410 --a------ C:\WINDOWS\ope31.exe
2008-02-14 01:10 . 2008-02-14 01:10 352,410 --a------ C:\WINDOWS\ope30.exe
2008-02-14 01:10 . 2008-02-14 01:10 0 --a------ C:\WINDOWS\system32\ope3B.tmp
2008-02-14 01:10 . 2008-02-14 01:10 0 --a------ C:\WINDOWS\system32\ope3A.tmp
2008-02-14 01:10 . 2008-02-14 01:10 0 --a------ C:\WINDOWS\ope31.tmp
2008-02-14 01:10 . 2008-02-14 01:10 0 --a------ C:\WINDOWS\ope30.tmp
2008-02-14 00:32 . 2008-02-14 00:32 <DIR> d-------- C:\Documents and Settings\Majsan\Application Data\Participatory Culture Foundation
2008-02-14 00:31 . 2008-02-14 00:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Participatory Culture Foundation
2008-02-14 00:13 . 2008-02-14 00:13 <DIR> d-------- C:\Documents and Settings\Majsan\dwhelper
2008-02-13 23:49 . 2008-02-13 23:49 1,158 --a------ C:\WINDOWS\mozver.dat
2008-02-13 23:23 . 2008-02-13 23:23 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-13 14:53 . 2008-02-13 14:53 <DIR> d-------- C:\Program Files\HCA
2008-02-12 12:57 . 2008-02-12 12:57 <DIR> d-------- C:\Program Files\THQ
2008-02-12 09:16 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-12 08:59 . 2008-02-12 08:59 <DIR> d-------- C:\Program Files\PDFCreator Toolbar
2008-02-12 08:59 . 2008-02-12 09:00 <DIR> d-------- C:\Program Files\PDFCreator
2008-02-12 08:59 . 2004-03-09 00:00 662,288 --a------ C:\WINDOWS\system32\MSCOMCT2.OCX
2008-02-12 08:59 . 2008-02-12 08:59 253,116 --a------ C:\WINDOWS\PDFCreator_Toolbar_Uninstaller_1312.exe
2008-02-12 08:59 . 2005-10-15 12:32 196,608 --a------ C:\WINDOWS\system32\pdfcmnnt.dll
2008-02-12 08:59 . 1998-06-24 00:00 137,000 --a------ C:\WINDOWS\system32\MSMAPI32.OCX
2008-02-12 08:59 . 1998-07-06 00:00 23,552 --a------ C:\WINDOWS\system32\MSMPIDE.DLL
2008-02-12 08:59 . 2008-02-12 08:59 14,290 --a------ C:\Program Files\settings.dat
2008-02-09 14:25 . 2008-02-12 08:24 <DIR> d-------- C:\Program Files\Pettson1
2008-02-05 10:53 . 2008-02-05 10:53 <DIR> d-------- C:\Program Files\Common Files\Knowledge Adventure
2008-02-05 10:53 . 2008-02-05 10:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Knowledge Adventure
2008-01-31 12:28 . 2008-01-31 12:28 75,776 --ah----- C:\Documents and Settings\Majsan\Application Data\rbqt450.DLL
2008-01-31 12:28 . 2008-01-31 12:28 64,512 --ah----- C:\Documents and Settings\Majsan\Application Data\rbap450.dll
2008-01-31 12:28 . 2008-01-31 12:28 54,272 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSQTImporterPlugin1635.dll
2008-01-31 12:28 . 2008-01-31 12:28 53,760 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSPicturePlugin1635.dll
2008-01-31 12:28 . 2008-01-31 12:28 52,224 --ah----- C:\Documents and Settings\Majsan\Application Data\EHZComp.dll
2008-01-31 12:28 . 2008-01-31 12:28 51,712 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSWinPlugin1635.dll
2008-01-31 12:28 . 2008-01-31 12:28 49,664 --ah----- C:\WINDOWS\system32\MBSQuickTimePlugin1636.dll
2008-01-31 12:28 . 2008-01-31 12:28 49,664 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSQuickTimePlugin1636.dll
2008-01-31 12:28 . 2008-01-31 12:28 48,128 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSResPlugin1635.dll
2008-01-31 12:28 . 2008-01-31 12:28 41,984 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSMainPlugin1635.dll
2008-01-31 12:28 . 2008-01-31 12:28 41,472 --ah----- C:\WINDOWS\system32\RBShell400.dll
2008-01-31 12:28 . 2008-01-31 12:28 41,472 --ah----- C:\Documents and Settings\Majsan\Application Data\RBShell400.dll
2008-01-31 12:28 . 2008-01-31 12:28 37,376 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSPictureMacPlugin1635.dll
2008-01-31 12:28 . 2008-01-31 12:28 36,352 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSRegistryPlugin1636.dll
2008-01-31 12:28 . 2008-01-31 12:28 36,352 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSFolderitemsCreatePlugin1635.dll
2008-01-31 12:28 . 2008-01-31 12:28 33,280 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSEncryptPlugin1636.dll
2008-01-31 12:28 . 2008-01-31 12:28 32,256 --ah----- C:\WINDOWS\system32\MBSIconPlugin1635.dll
2008-01-31 12:28 . 2008-01-31 12:28 32,256 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSProcessPlugin1636.dll
2008-01-31 12:28 . 2008-01-31 12:28 32,256 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSIconPlugin1635.dll
2008-01-31 12:28 . 2008-01-31 12:28 29,184 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSRectPlugin1635.dll
2008-01-31 12:28 . 2008-01-31 12:28 29,184 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSMemoryPlugin1635.dll
2008-01-31 12:28 . 2008-01-31 12:28 26,624 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSUsernamePlugin1635.dll
2008-01-31 12:28 . 2008-01-31 12:28 26,112 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSResStreamPlugin1635.dll
2008-01-31 12:28 . 2008-01-31 12:28 26,112 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSRegistrationPlugin1636.dll
2008-01-31 12:28 . 2008-01-31 12:28 25,088 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSPluginVersionPlugin1635.dll
2008-01-31 12:28 . 2008-01-31 12:28 19,968 --ah----- C:\Documents and Settings\Majsan\Application Data\EHMD5.dll
2008-01-31 12:28 . 2008-01-31 12:28 18,432 --ah----- C:\Documents and Settings\Majsan\Application Data\EHEncrypt.dll
2008-01-31 12:27 . 2008-01-31 12:27 28,672 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSMacOSXPlugin1635.dll
2008-01-24 16:08 . 2008-01-24 16:08 <DIR> d-------- C:\Program Files\Citrix
2008-01-23 12:23 . 2008-01-23 12:49 <DIR> d-------- C:\Program Files\RegCure
2008-01-23 11:40 . 2007-12-01 00:23 101,888 -----c--- C:\WINDOWS\system32\dllcache\dpcdll.dll
2008-01-23 11:40 . 2007-12-01 00:25 10,752 --a------ C:\WINDOWS\system32\smtpapi.dll
2008-01-23 11:40 . 2007-12-01 00:25 9,728 --a------ C:\WINDOWS\system32\rwnh.dll
2008-01-23 11:34 . 2007-11-30 17:25 10,240 --------- C:\WINDOWS\system32\drivers\sffp_mmc.sys
2008-01-23 11:34 . 2007-11-30 17:24 9,472 --------- C:\WINDOWS\system32\drivers\dumpdrv.sys
2008-01-23 11:31 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\006256_.tmp
2008-01-22 15:24 . 2008-01-22 15:24 <DIR> d-------- C:\Documents and Settings\Majsan\Application Data\ICAClient

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-16 23:23 --------- d-----w C:\Documents and Settings\Majsan\Application Data\Apple Computer
2008-02-14 07:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-14 07:23 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-14 00:32 --------- d-----w C:\Program Files\Lavasoft
2008-02-14 00:32 --------- d-----w C:\Documents and Settings\Majsan\Application Data\Lavasoft
2008-02-12 08:16 --------- d-----w C:\Program Files\Java
2008-02-12 07:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-24 16:28 --------- d-----w C:\Documents and Settings\Majsan\Application Data\Skype
2008-01-21 09:49 --------- d-----w C:\Program Files\RegistrySmart
2008-01-21 01:03 --------- d-----w C:\Documents and Settings\Majsan\Application Data\RegistrySmart
2008-01-21 00:54 23,600 ----a-w C:\WINDOWS\system32\drivers\TVICHW32.SYS
2008-01-21 00:24 --------- d-----w C:\Program Files\MSBuild
2008-01-21 00:15 --------- d-----w C:\Program Files\Reference Assemblies
2008-01-20 23:54 --------- d-----w C:\Program Files\ATI Technologies
2008-01-20 23:38 --------- d-----w C:\Program Files\iTunes
2008-01-20 23:38 --------- d-----w C:\Program Files\iPod
2008-01-20 23:36 --------- d-----w C:\Program Files\QuickTime
2008-01-20 23:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-20 23:32 --------- d-----w C:\Program Files\Apple Software Update
2008-01-20 23:31 --------- d-----w C:\Program Files\Common Files\Apple
2008-01-20 23:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-01-20 23:29 --------- d-----w C:\Program Files\Roku Radio Snooper
2008-01-20 23:27 --------- d-----w C:\Program Files\WinPcap
2008-01-20 23:03 --------- d-----w C:\Program Files\MSXML 6.0
2008-01-20 23:02 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-01-20 22:58 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-01-20 22:58 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2008-01-20 22:34 --------- d-----w C:\Program Files\MSXML 4.0
2008-01-20 22:30 --------- d-----w C:\Program Files\Google
2008-01-20 22:14 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-17 23:44 219,664 ----a-w C:\WINDOWS\system32\klogon.dll
2007-12-14 10:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-11-30 23:31 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2007-11-30 23:26 990,208 ----a-w C:\WINDOWS\system32\syssetup.dll
2007-11-30 23:25 997,376 ----a-w C:\WINDOWS\system32\msgina.dll
2007-11-30 23:24 756,224 ----a-w C:\WINDOWS\system32\winntbbu.dll
2007-11-30 23:24 706,048 ----a-w C:\WINDOWS\system32\ntdll.dll
2007-11-30 23:24 5,632 ----a-w C:\WINDOWS\system32\wmi.dll
2007-11-30 23:23 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2007-11-30 23:23 101,888 ----a-w C:\WINDOWS\system32\dpcdll.dll
2007-11-30 23:21 285,696 ----a-w C:\WINDOWS\system32\atmfd.dll
2007-11-30 23:21 16,896 ----a-w C:\WINDOWS\system32\cfgmgr32.dll
2007-11-30 17:25 2,188,928 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2007-11-30 17:24 1,843,968 ----a-w C:\WINDOWS\system32\win32k.sys
2007-11-30 16:30 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys
2007-11-30 16:27 9,728 ----a-w C:\WINDOWS\system32\comsdupd.exe
2007-11-30 16:27 12,800 ----a-w C:\WINDOWS\system32\spiisupd.exe
2007-11-30 16:25 7,424 ----a-w C:\WINDOWS\system32\kd1394.dll
2007-11-30 16:25 2,065,792 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2007-11-30 16:24 61,440 ----a-w C:\WINDOWS\system32\msvcrt40.dll
2007-11-30 15:38 79,872 ----a-w C:\WINDOWS\system32\msxml6r.dll
2007-11-30 15:37 94,208 ----a-w C:\WINDOWS\system32\odbcint.dll
2007-11-30 15:37 12,288 ----a-w C:\WINDOWS\system32\odbcp32r.dll
2007-11-30 15:37 12,288 ----a-w C:\WINDOWS\system32\mscpx32r.dll
2007-11-30 15:35 20,480 ----a-w C:\WINDOWS\system32\msorc32r.dll
2007-11-30 15:25 438,784 ----a-w C:\WINDOWS\system32\xpob2res.dll
2007-11-30 15:25 2,897,920 ----a-w C:\WINDOWS\system32\xpsp2res.dll
2007-11-30 15:25 187,392 ----a-w C:\WINDOWS\system32\xpsp1res.dll
2007-11-30 15:23 208,384 ----a-w C:\WINDOWS\system32\rsaenh.dll
2007-11-30 15:23 138,752 ----a-w C:\WINDOWS\system32\dssenh.dll
2007-11-30 15:06 733,696 ----a-w C:\WINDOWS\system32\qedwipes.dll
2007-11-30 14:54 4,096 ----a-w C:\WINDOWS\system32\dsprpres.dll
2007-11-30 14:53 76,800 ----a-w C:\WINDOWS\system32\msshavmsg.dll
2007-11-30 14:45 48,128 ----a-w C:\WINDOWS\system32\inetres.dll
2007-11-30 14:37 63,488 ----a-w C:\WINDOWS\system32\browselc.dll
2007-11-30 14:36 549,376 ----a-w C:\WINDOWS\system32\shdoclc.dll
2007-11-30 14:35 1,647,616 ----a-w C:\WINDOWS\system32\winbrand.dll
2007-11-30 14:32 216,064 ----a-w C:\WINDOWS\system32\moricons.dll
2007-11-30 14:10 48,128 ----a-w C:\WINDOWS\system32\msprivs.dll
2007-11-30 13:31 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll
2004-11-03 21:46 82,640 -c--a-w C:\Documents and Settings\Majsan\Application Data\GDIPFONTCACHEV1.DAT
.

 

[peter100]

part b

------- Sigcheck -------

"C:\WINDOWS\system32\wininet.dll"
----a-w 656,896 2004-09-29 18:27:41 C:\WINDOWS\$hf_mig$\KB834707\SP2QFE\wininet.dll
----a-w 657,920 2005-01-27 17:08:42 C:\WINDOWS\$hf_mig$\KB867282\SP2QFE\wininet.dll
----a-w 658,944 2005-05-02 20:57:24 C:\WINDOWS\$hf_mig$\KB883939\SP2QFE\wininet.dll
----a-w 657,920 2005-03-10 07:43:23 C:\WINDOWS\$hf_mig$\KB890923\SP2QFE\wininet.dll
----a-w 660,480 2005-09-02 23:53:41 C:\WINDOWS\$hf_mig$\KB896688\SP2QFE\wininet.dll
----a-w 659,456 2005-07-03 02:09:33 C:\WINDOWS\$hf_mig$\KB896727\SP2QFE\wininet.dll
----a-w 661,504 2005-10-21 03:38:08 C:\WINDOWS\$hf_mig$\KB905915\SP2QFE\wininet.dll
----a-w 825,344 2007-10-10 23:47:29 C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
-c----w 656,384 2004-08-04 07:56:46 C:\WINDOWS\$NtServicePackUninstall$\wininet.dll
-c----w 656,384 2004-08-04 07:56:46 C:\WINDOWS\$NtUninstallKB834707$\wininet.dll
-c----w 593,920 2001-08-23 12:00:00 C:\WINDOWS\$NtUninstallKB834707-IE6-20040929.115007$\wininet.dll
-c----w 656,896 2004-09-29 18:47:04 C:\WINDOWS\$NtUninstallKB867282$\wininet.dll
-c----w 656,896 2005-03-10 08:02:35 C:\WINDOWS\$NtUninstallKB883939$\wininet.dll
-c----w 656,896 2005-01-27 17:13:18 C:\WINDOWS\$NtUninstallKB890923$\wininet.dll
-c----w 658,432 2005-07-03 02:11:30 C:\WINDOWS\$NtUninstallKB896688$\wininet.dll
-c----w 657,920 2005-05-02 20:52:36 C:\WINDOWS\$NtUninstallKB896727$\wininet.dll
-c----w 658,432 2005-09-02 23:52:06 C:\WINDOWS\$NtUninstallKB905915$\wininet.dll
-c----w 662,016 2006-01-09 18:02:00 C:\WINDOWS\$NtUninstallKB912812$\wininet.dll
-c----w 658,432 2005-10-21 03:39:30 C:\WINDOWS\$NtUninstallKB912945$\wininet.dll
-c----w 663,552 2006-03-04 03:58:52 C:\WINDOWS\$NtUninstallKB916281$\wininet.dll
-c----w 663,552 2006-05-10 05:25:22 C:\WINDOWS\$NtUninstallKB918899$\wininet.dll
-c--a-w 664,576 2006-06-23 11:25:31 C:\WINDOWS\ie7\wininet.dll
-c----w 818,688 2007-08-13 17:54:10 C:\WINDOWS\ie7updates\KB942615-IE7\wininet.dll
------w 666,112 2007-11-30 23:26:08 C:\WINDOWS\ServicePackFiles\i386\wininet.dll
----a-w 666,112 2007-10-11 05:57:41 C:\WINDOWS\SoftwareDistribution\Download\fa58243222bcfe35e5467668df396003\sp2qfe\wininet.dll
----a-w 824,832 2007-10-10 23:56:00 C:\WINDOWS\system32\wininet.dll
-c----w 824,832 2007-10-10 23:56:00 C:\WINDOWS\system32\dllcache\wininet.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-12-01 00:26 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USRpdA"="" []
"HGTXPEI"="C:\WINDOWS\system32\FirstReboot.exe" [2005-10-17 15:43 0]
"SoundFusion"="hercplgs.cpl" [2002-12-20 14:46 453120 C:\WINDOWS\system32\hercplgs.cpl]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2004-10-19 19:28 155648]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 09:22 155648]
"Opware14"="C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe" [2004-03-08 19:33 57344]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32 53248]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-06-10 10:21 217088]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41 45056]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-12-18 00:43 227856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2007-12-01 00:26 15360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, credssp.dll,

R0 trm3x5;trm3x5;C:\WINDOWS\system32\DRIVERS\trm3x5.sys [2000-05-04 23:51]
R1 jsmux;jsmux;C:\WINDOWS\system32\drivers\jsmux.sys [1999-09-22 10:48]
R1 jsscan;jsscan;C:\WINDOWS\system32\drivers\jsscan.sys [1999-09-22 10:48]
R1 VIAPFD;VIAPFD;C:\WINDOWS\system32\Drivers\VIAPFD.SYS [2001-12-18 15:45]
R2 jsfax;jsfax;C:\WINDOWS\system32\drivers\jsfax.sys [1999-09-22 10:48]
R3 hercspud;Hercules (R) WDM Audio Driver;C:\WINDOWS\system32\drivers\hercspud.sys [2003-01-10 08:21]
R3 hercwdm;Hercules (R) WDM Interface Driver;C:\WINDOWS\system32\drivers\hercwdm.sys [2003-01-10 08:21]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
R3 USRpdA;U.S. Robotics 56K PCI Faxmodem Driver;C:\WINDOWS\system32\DRIVERS\USRpdA.sys [2001-08-17 14:28]
S2 Ca536av;4.1M MPEG4 DV Video Capture;C:\WINDOWS\system32\Drivers\Ca536av.sys [2003-07-09 10:49]
S2 ousbehci;%OWC_USBEHCD.DeviceDesc%;C:\WINDOWS\system32\Drivers\ousbehci.sys [2002-02-01 00:39]
S3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;C:\WINDOWS\system32\DRIVERS\ousb2hub.sys [2002-02-01 00:39]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2007-12-01 00:26]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2007-12-01 00:26]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2007-12-01 00:26]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2007-12-01 00:26]
S3 USBCamera;4.1M MPEG4 DV Bulk Driver;C:\WINDOWS\system32\Drivers\Bulk536.sys [2003-05-14 16:28]
S3 WLAN_USB;Wireless LAN USB Driver;C:\WINDOWS\system32\DRIVERS\MA111nd5.sys [2004-03-03 16:27]
S3 WlanUIB;NETGEAR 802.11b USB Driver;C:\WINDOWS\system32\DRIVERS\MA111nd5.sys [2004-03-03 16:27]
S4 jsdbg;jsdbg;C:\WINDOWS\system32\drivers\jsdbg.sys [1999-09-22 10:48]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

.
Contents of the 'Scheduled Tasks' folder
"2008-02-19 09:00:00 C:\WINDOWS\Tasks\Norton Ghost.job"
- C:\PROGRA~1\COMMON~1\SYMANT~1\NMain.exeB/dat:C:\Program Files\Norton SystemWorks\Norton Ghost\nswigho.nsi
"2008-02-22 21:20:03 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-02-14 02:01:09 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-23 00:47:10
Windows 5.1.2600 Service Pack 3, v.3264 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = ??????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-23 0:48:23
ComboFix-quarantined-files.txt 2008-02-22 23:48:18
ComboFix2.txt 2008-02-22 21:23:08
.
2008-02-13 13:52:40 --- E O F ---

 

[peter100]

hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:53:35 AM, on 2/23/2008
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP Jetsuite\jsdaemon.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = https://remote.pers.hh.se
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O4 - HKLM\..\Run: [HGTXPEI] C:\WINDOWS\system32\FirstReboot.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [Opware14] "C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/201839e7097a64aca106/netzip/RdxIE601.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1097630386527
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by2fd.bay2.hotmail.msn.com/activex/HMAtchmt.ocx
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: jsdaemon - JetFax, Inc. - C:\Program Files\HP Jetsuite\jsdaemon.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 9362 bytes

 

[ken545]

Peter,

The last fix should have fixed that error you where getting.

Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/201839e7...p/RdxIE601.cab


In relation to the email worm, I am not looking at it on your system.




Time for some housekeeping

• Click START then RUN
• Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  
  
  • 
  
  
• When shown the disclaimer, Select "2"

The above procedure will:

• Delete the following:
  • ComboFix and its associated files and folders.
  • VundoFix backups, if present
  • The C:\Deckard folder, if present
  • The C:_OtMoveIt folder, if present
• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Reset System Restore.

Please download ATF Cleaner by Atribune to your desktop.

• This program is for XP and Windows 2000 only
• Double-click ATF-Cleaner.exe to run the program.
• Under Main choose: Select All
• Click the Empty Selected button.

Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up


How are things running now????

 

[peter100]

How are things running now????

Hi Ken,

Sorry I didn't reply yesterday. It was 2 am here local time by the end of your last post. I do think I'm in the clear thanks to you, but I just want to confirm a few things before we close this:

a) when I turned tea timer on after reboot it asked for 5-6 registry change allows, but I decided to accept them since I had just completed the processes you recommended. I have since run both Kaspersky AV scan and Spybot and rebooted without any warnings. However, Kaspersky did report the following at the end of the scan:
not found: virus Heur.Invader (modification) File: C:\Documents and Settings\Majsan\Local Settings\Application Data\Mozilla\Firefox\Profiles\rgv44fkt.default\Cache\6D952C06d01//PE_Patch.UPX/327882R2FWJFW\catchme.cfexe

After another reboot both this notice and the tea timeer notices disappeared. Also, the dll message and worm warnings are gone.

I'm pasting another HJT log for your final inspection:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:23:57 AM, on 2/22/2008
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HP Jetsuite\jsdaemon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = https://remote.pers.hh.se
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1BE195F9-F7C7-4334-B591-B9900BA24DB1} - (no file)
O2 - BHO: (no name) - {1E71ADDC-4451-43F1-A6E2-3B515E578E67} - (no file)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8146B1B8-0078-4131-81FC-2A76C1FD6ECC} - (no file)
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O2 - BHO: (no name) - {D1BA9F50-D95B-4B4E-9218-E796EC763161} - (no file)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O4 - HKLM\..\Run: [HGTXPEI] C:\WINDOWS\system32\FirstReboot.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [Opware14] "C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1097630386527
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by2fd.bay2.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: gebxyxy - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: jsdaemon - JetFax, Inc. - C:\Program Files\HP Jetsuite\jsdaemon.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 9944 bytes

My 5 yo son thought I should use this

Peter

 

[peter100]

addendum: tea timer log

I found the tea timer log that shows the registry changes that I mentioned from this morning - 2/22/2008 7:50:24 AM onward. I've left the earlier ones for your reference.

2/14/2008 9:19:57 AM Allowed (based on user decision) value "{267D49C1-CD3B-4C0C-A1CA-462E58A547D4}" (new data: "") deleted in Browser Helper Object!
2/14/2008 10:49:32 AM Denied (based on Spybot-S&D scan) value "{F39C1598-78B0-4B0F-B6B2-157F8699EB31}" (new data: "") added in Browser Helper Object!
2/14/2008 10:49:35 AM Denied (based on Spybot-S&D scan) value "{F39C1598-78B0-4B0F-B6B2-157F8699EB31}" (new data: "") added in Browser Helper Object!
2/14/2008 10:49:37 AM Denied (based on Spybot-S&D scan) value "{F39C1598-78B0-4B0F-B6B2-157F8699EB31}" (new data: "") added in Browser Helper Object!
2/14/2008 10:49:39 AM Denied (based on Spybot-S&D scan) value "{F39C1598-78B0-4B0F-B6B2-157F8699EB31}" (new data: "") added in Browser Helper Object!
2/14/2008 10:49:40 AM Denied (based on Spybot-S&D scan) value "{F39C1598-78B0-4B0F-B6B2-157F8699EB31}" (new data: "") added in Browser Helper Object!
2/14/2008 10:49:42 AM Denied (based on Spybot-S&D scan) value "{F39C1598-78B0-4B0F-B6B2-157F8699EB31}" (new data: "") added in Browser Helper Object!
2/14/2008 10:49:43 AM Denied (based on Spybot-S&D scan) value "{F39C1598-78B0-4B0F-B6B2-157F8699EB31}" (new data: "") added in Browser Helper Object!
2/14/2008 10:49:45 AM Denied (based on Spybot-S&D scan) value "{F39C1598-78B0-4B0F-B6B2-157F8699EB31}" (new data: "") added in Browser Helper Object!
2/14/2008 10:49:52 AM Denied (based on Spybot-S&D scan) value "{F39C1598-78B0-4B0F-B6B2-157F8699EB31}" (new data: "") added in Browser Helper Object!
2/14/2008 10:50:06 AM Denied (based on Spybot-S&D scan) value "{F39C1598-78B0-4B0F-B6B2-157F8699EB31}" (new data: "") added in Browser Helper Object!
2/14/2008 10:53:20 AM Denied (based on user decision) value "{607eb0f8-290e-4341-912d-cbfb48b36fc7}" (new data: "") added in Browser Helper Object!
2/14/2008 10:53:27 AM Denied (based on Spybot-S&D scan) value "{F39C1598-78B0-4B0F-B6B2-157F8699EB31}" (new data: "") added in Browser Helper Object!
2/14/2008 11:27:47 AM Denied (based on user decision) value "{1E71ADDC-4451-43F1-A6E2-3B515E578E67}" (new data: "") added in Browser Helper Object!
2/14/2008 11:44:41 AM Denied (based on user decision) value "{F39C1598-78B0-4B0F-B6B2-157F8699EB31}" (new data: "") deleted in Browser Helper Object!
2/14/2008 12:02:40 PM Allowed (based on authenticode whitelist) value "SpybotSD TeaTimer" (new data: "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe") added in System Startup user entry!
2/14/2008 12:12:43 PM Allowed (based on user decision) value "{5ED80217-570B-4DA9-BF44-BE107C0EC166}" (new data: "") added in ActiveX Distribution Unit!
2/14/2008 1:41:13 PM Allowed (based on user decision) value "SpybotDeletingB6638" (new data: "command /c del "C:\WINDOWS\system32\ddabc.dll_old"") added in System Startup user entry!
2/14/2008 1:41:35 PM Allowed (based on user decision) value "SpybotDeletingD258" (new data: "cmd /c del "C:\WINDOWS\system32\ddabc.dll_old"") added in System Startup user entry!
2/14/2008 1:41:37 PM Allowed (based on user decision) value "SpybotDeletingA1135" (new data: "command /c del "C:\WINDOWS\system32\ddabc.dll_old"") added in System Startup global entry!
2/14/2008 1:41:42 PM Allowed (based on user decision) value "SpybotDeletingC3323" (new data: "cmd /c del "C:\WINDOWS\system32\ddabc.dll_old"") added in System Startup global entry!
2/14/2008 3:02:46 PM Allowed (based on user decision) value "SpybotDeletingD1938" (new data: "cmd /c del "C:\WINDOWS\system32\ddabc.dll_old"") added in System Startup user entry!
2/14/2008 3:02:51 PM Denied (based on user decision) value "SpybotDeletingA4345" (new data: "command /c del "C:\WINDOWS\system32\ddabc.dll_old"") added in System Startup global entry!
2/14/2008 3:02:58 PM Denied (based on user decision) value "SpybotDeletingC884" (new data: "cmd /c del "C:\WINDOWS\system32\ddabc.dll_old"") added in System Startup global entry!
2/14/2008 3:03:30 PM Allowed (based on authenticode whitelist) value "SpybotSnD" (new data: ""C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck") added in System Startup global entry!
2/14/2008 4:03:11 PM Allowed (based on user decision) value "SpybotDeletingB6638" (new data: "") deleted in System Startup user entry!
2/14/2008 4:03:23 PM Allowed (based on user decision) value "SpybotDeletingD258" (new data: "") deleted in System Startup user entry!
2/14/2008 4:03:26 PM Allowed (based on user decision) value "SpybotDeletingB7145" (new data: "") deleted in System Startup user entry!
2/14/2008 4:03:26 PM Allowed (based on user decision) value "SpybotDeletingD1938" (new data: "") deleted in System Startup user entry!
2/14/2008 4:03:27 PM Allowed (based on user decision) value "SpybotDeletingA1135" (new data: "") deleted in System Startup global entry!
2/14/2008 4:03:28 PM Allowed (based on user decision) value "SpybotDeletingC3323" (new data: "") deleted in System Startup global entry!
2/14/2008 4:03:28 PM Allowed (based on user decision) value "SpybotSnD" (new data: "") deleted in System Startup global entry!
2/14/2008 4:06:05 PM Denied (based on user decision) value "{6063030d-46c1-4792-952b-af77b2e7b5e4}" (new data: "") added in Browser Helper Object!
2/14/2008 4:07:19 PM Allowed (based on authenticode whitelist) value "SpybotSnD" (new data: ""C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck") added in System Startup global entry!
2/14/2008 4:07:24 PM Allowed (based on authenticode whitelist) value "SpybotSnD" (new data: ""C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck") added in System Startup global entry!
2/14/2008 4:07:38 PM Allowed (based on user decision) value "SpybotSnD" (new data: "") deleted in System Startup global entry!
2/14/2008 4:12:24 PM Denied (based on user decision) value "f45555a6" (new data: "rundll32.exe "C:\WINDOWS\system32\jxhjgymw.dll",b") changed in System Startup global entry!
2/14/2008 5:00:16 PM Denied (based on user decision) value "f45555a6" (new data: "rundll32.exe "C:\WINDOWS\system32\jxhjgymw.dll",b") changed in System Startup global entry!
2/14/2008 5:02:49 PM Allowed (based on user decision) value "{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75}" (new data: "") added in ActiveX Distribution Unit!
2/14/2008 7:30:31 PM Denied (based on user decision) value "f45555a6" (new data: "rundll32.exe "C:\WINDOWS\system32\jxhjgymw.dll",b") changed in System Startup global entry!
2/14/2008 8:24:30 PM Allowed (based on user decision) value "avast!" (new data: "") deleted in System Startup global entry!
2/15/2008 12:51:29 AM Allowed (based on user decision) value "klogon" (new data: "") added in Winlogon Notifiers!
2/15/2008 12:51:32 AM Allowed (based on user decision) value "AVP" (new data: ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"") added in System Startup global entry!
2/15/2008 1:05:43 AM Allowed (based on user decision) value "gebxyxy" (new data: "") deleted in Winlogon Notifiers!
2/15/2008 1:05:48 AM Allowed (based on user decision) value "gebxyxy" (new data: "") added in Winlogon Notifiers!
2/15/2008 1:41:33 PM Allowed (based on user decision) value "{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}" (new data: "") added in Browser Helper Object!
2/15/2008 1:41:47 PM Allowed (based on user decision) value "Flashget" (new data: ""C:\Program Files\FlashGet\FlashGet.exe" /min") added in System Startup global entry!
2/15/2008 1:41:50 PM Allowed (based on user decision) value "{F156768E-81EF-470C-9057-481BA8380DBA}" (new data: "") added in Browser Helper Object!
2/15/2008 1:41:51 PM Allowed (based on user decision) value "&Download All with FlashGet" (new data: "") added in Browser menu extension!
2/15/2008 1:41:53 PM Allowed (based on user decision) value "&Download with FlashGet" (new data: "") added in Browser menu extension!
2/15/2008 1:48:46 PM Allowed (based on user decision) value "Flashget" (new data: "C:\Program Files\FlashGet\flashget.exe /min") changed in System Startup global entry!
2/15/2008 2:48:04 PM Allowed (based on authenticode whitelist) value "SpybotSnD" (new data: ""C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"") changed in System Startup global entry!
2/15/2008 2:48:30 PM Allowed (based on user decision) value "SpybotSnD" (new data: "") deleted in System Startup global entry!
2/15/2008 2:53:00 PM Allowed (based on user decision) value "Flashget" (new data: "") deleted in System Startup global entry!
2/18/2008 6:56:08 PM Allowed (based on user decision) value "Download All Files by HiDownload" (new data: "") deleted in Browser menu extension!
2/18/2008 6:56:10 PM Allowed (based on user decision) value "Download by HiDownload" (new data: "") deleted in Browser menu extension!
2/21/2008 9:47:39 PM Allowed (based on user decision) value "{BED7C2B4-3DA5-4F4F-84F7-07CAB3418E5F}" (new data: "") deleted in Browser Helper Object!
2/23/2008 12:16:42 AM Allowed (based on authenticode whitelist) value "SpybotSD TeaTimer" (new data: "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe") added in System Startup user entry!
2/23/2008 12:16:47 AM Denied (based on user decision) value "Search Page" (new data: "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch") changed in Browser page!
2/23/2008 12:16:53 AM Denied (based on user decision) value "Search Bar" (new data: "") deleted in Browser page!
2/23/2008 12:17:01 AM Denied (based on user decision) value "SearchAssistant" (new data: "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm") changed in Browser page!
2/23/2008 12:17:24 AM Denied (based on user decision) value "AutoRun" (new data: "") deleted in Command processor!
2/23/2008 12:17:38 AM Denied (based on user decision) value "load" (new data: "") deleted in NT startup!
2/23/2008 12:17:42 AM Denied (based on user decision) value "scrnsave.exe" (new data: "") deleted in Desktop settings!
2/23/2008 12:41:09 AM Denied (based on user decision) value "{53707962-6F74-2D53-2644-206D7942484F}" (new data: "") deleted in Browser Helper Object!
2/22/2008 7:50:24 AM Allowed (based on authenticode whitelist) value "SpybotSD TeaTimer" (new data: "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe") added in System Startup user entry!
2/22/2008 7:54:30 AM Allowed (based on user decision) value "f45555a6" (new data: "") deleted in System Startup global entry!
2/22/2008 7:54:54 AM Allowed (based on user decision) value "Search Page" (new data: "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch") changed in Browser page!
2/22/2008 7:55:01 AM Allowed (based on user decision) value "Search Bar" (new data: "") deleted in Browser page!
2/22/2008 7:55:06 AM Allowed (based on user decision) value "Local Page" (new data: "C:\WINDOWS\SYSTEM32\blank.htm") added in Browser page!
2/22/2008 7:55:09 AM Allowed (based on user decision) value "Local Page" (new data: "C:\WINDOWS\SYSTEM32\blank.htm") added in Browser page!
2/22/2008 7:55:23 AM Allowed (based on user decision) value "SearchAssistant" (new data: "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm") changed in Browser page!
2/22/2008 7:55:31 AM Allowed (based on user decision) value "AutoRun" (new data: "") deleted in Command processor!
2/22/2008 7:55:43 AM Allowed (based on user decision) value "load" (new data: "") deleted in NT startup!
2/22/2008 7:55:53 AM Allowed (based on user decision) value "scrnsave.exe" (new data: "") deleted in Desktop settings!
2/22/2008 8:40:45 AM Allowed (based on user decision) value "Local Page" (new data: "") deleted in Browser page!
2/22/2008 8:44:40 AM Allowed (based on user decision) value "Local Page" (new data: "") deleted in Browser page!

 

[ken545]

Peter,

The Teatimer has prevented some of the reg entries from being removed. Although Spybot Search and Destroy is a great program, I am going to link you to some free programs to install and with them you can keep and run Spybot but keep the TeaTimer disabled as Spyware Guard and Spyware Blaster will protect you from changes.

So, disable the TeaTimer , reboot for it to take effect and then remove these with HJT.

O2 - BHO: (no name) - {1BE195F9-F7C7-4334-B591-B9900BA24DB1} - (no file)
O2 - BHO: (no name) - {1E71ADDC-4451-43F1-A6E2-3B515E578E67} - (no file)
O2 - BHO: (no name) - {8146B1B8-0078-4131-81FC-2A76C1FD6ECC} - (no file)
O2 - BHO: (no name) - {D1BA9F50-D95B-4B4E-9218-E796EC763161} - (no file)

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -

O20 - Winlogon Notify: gebxyxy - C:\WINDOWS\

Malware Complaints
Are you mad ? I mean really mad, seething mad, so mad your ready to spit, mad that you have taken your hard earned dollars to buy a computer only to have some Miscredents, Dirt Bags and Cyber Criminals install a malicious program on your computer without your knowledge or consent. You can post your complaint at the above site. If you live in the U.S.A. you can also report your grievance to your State Attorney Generals Office and the Federal Trade Commission's Bureau of Consumer Protection.

• 
  How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
• Tutorial for System Restore <-- Do this first to prevent yourself from being reinfected.
• WhattheTech
• TonyKlein CastleCops
• Grinler BleepingComputer
• GeeksTo Go
• Dslreports

Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy but do not enable the TeaTimer in Spybot.

Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

• Spybot Search and Destroy 1.5
  Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
  
• Spyware Blaster It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
  
• Spyware Guard It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
  
• IE-Spyad
  IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
  
• Firefox 2.0.0.12 It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.

Glad we could help

Safe Surfn
Ken

 

[peter100]

last questions

Hi Ken,

Thanks for all the great help. I think we have them beat for now. I've pasted a final HJT log for you to confirm that I'm clean. A few final questions:

1) You suggest I use Spyware Blaster instead of TeaTimer, but since it doesn't run resident will I still be protected from the registry changes that the TeaTimer seems to shield in realtime?

2) Also, I only use the Windows XP firewall. Is that enough or should I go with a different free third party one? If so, will you please suggest one.

3) I was previously using Avast! but switched to the trial Kaspersky when these problems occurred. Can I feel safe to switch back to Avast! and trust that I'll be sufficiently protected?

Here is the HJT log after your suggested edits:



C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O4 - HKLM\..\Run: [HGTXPEI] C:\WINDOWS\system32\FirstReboot.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [Opware14] "C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1097630386527
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by2fd.bay2.hotmail.msn.com/activex/HMAtchmt.ocx
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: jsdaemon - JetFax, Inc. - C:\Program Files\HP Jetsuite\jsdaemon.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 9382 bytes

 

[ken545]

Hello Pete,

Sorry for the delay getting back to you but the NE got hit with some snow and the roads are a mess.

These two need to go, but sometimes there hard to get rid of, not to worry if they don't.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


Tell your little guy that I appreciate him helping :bigthumb: You have to keep and eye on small kids when they go online as these slimeballs target kids because they know there vulnerable.

To answer your questions.

Spyware Blaster just sits in the background and at the present time its blocking 9641 bad sites from from attempting to infect your computer, there is no scan to run but about once a week or so you need to open the program, check for updates and then enable all protection.


Spyware Guard is written by the same fine people that wrote Spyware Blaster , a one time download, no scan to run, just sits in the background blocking changes to your system, so you can use it or enable the Tea Timer, SG does not get in your face as much as the tea timer so its your call which one to use but you should not use them both.

As far as Anti Virus, this again is totally your call, there both good programs but with AV, just use one , they use a huge amount of system resources and sometimes get in each others way , can considerably slow down your system if you use two.

If your AV is a stand alone program then you need a firewall, most suites , like Symantec and such include a Firewall in there program. The windows firewall just blocks incoming attempts and not outgoing, so you should have a third party firewall, I am listing 4 for you, just like AV, you need just one firewall, if by chance you have a router that includes a firewall, then thats fine, you can have one software and one hardware firewall with no problems.

• Sygate Personal Firewall Free Edition
• Comodo Personal Firewall
• Outpost Firewall Free
• Zone Alarm

You have many software ports of entry on your computer, the only ones needed by a home user are for email and web surfing and maybe a program you have installed, a firewall helps block those other ports. You can run the Shields Up tests on your computer by Steve Gibson, one of the leading experts in computer security, no software to download and install, just some online tests and its free. Do this after you install a firewall, your test should show you in stealth mode.

http://www.grc.com/intro.htm

Stay well Steve, been a pleasure helping you, take care of the little guy, they grow up quick.

I am including this for him in return for his smile

Ken