Virtumonde.generic, Virtumonde, Smitfraud-C.CoreService, Smitfraud-C Removal

N

needhelppls12345

New member
I cannot remove the following from my computer:
Virtumonde.generic
Virtumonde
Smitfraud-C.CoreService
Smitfraud-C

I found the following using SpyBot.

Can anyone help? I'm desperate, I've had these on my computer for 6 days now and can't go online without crazy pop ups.

Here's what I've tried:
Smitfraud Fix

I've read forums where people have advised after seeing the person's ComboFix and HijackThis logs and really am hoping someone can do the same for me. Posted below are my ComboFix and HijackThis logs. I'll be so grateful for any help. Thanks in advance!

I've also posted for help here: http://forums.techguy.org/malware-r...neric-virtumonde-smitfraud-c.html#post6317686
 
HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:11:18, on 12/6/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Yahoo! Autosync\AutosyncForYahoo.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\vtUnlLDv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: {b77b} - {e8338388-3a50-4aa9-a502-9aa159d07164} - C:\WINDOWS\system32\ejsduc.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Yahoo! Autosync.lnk = C:\Program Files\Yahoo!\Yahoo! Autosync\AutosyncForYahoo.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.com/real/player/d.../mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O20 - AppInit_DLLs: hxvhxf.dll
O20 - Winlogon Notify: vtUnlLDv - C:\WINDOWS\SYSTEM32\vtUnlLDv.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 7462 bytes
 
ComboFix Log

ComboFix 08-12-05.02 - TEST 2008-12-06 2:22:16.1 - NTFSx86
Running from: c:\documents and settings\TEST\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\TEST\Application Data\IUpd721
c:\documents and settings\TEST\Application Data\IUpd721\Logs\scns.log
c:\documents and settings\TEST\Application Data\NI.GSCNS
c:\documents and settings\TEST\Application Data\NI.GSCNS\dl.ini
c:\documents and settings\TEST\Application Data\NI.GSCNS\settings.ini
c:\documents and settings\TEST\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\TEST\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\TEST\Local Settings\Temporary Internet Files\fbk.sts
c:\temp\tn3
c:\windows\system32\0bnRh76B.exe.a_a
c:\windows\system32\1mK0v25X.exe.a_a
c:\windows\system32\digeste.dll
c:\windows\system32\fccyxwtT.dll
c:\windows\system32\gcsmdglx.dll
c:\windows\system32\gvmltkvc.dll
c:\windows\system32\hgGwUnME.dll
c:\windows\system32\hgGwWMfe.dll
c:\windows\system32\hxvhxf.dll
c:\windows\system32\jnwnw64m.exe
c:\windows\system32\mlJBQGAS.dll
c:\windows\system32\ncntokdm.exe
c:\windows\system32\oiujdqyj.dll
c:\windows\system32\prunnet.exe
c:\windows\system32\rwqfkwab.dll
c:\windows\system32\SAGQBJlm.ini
c:\windows\system32\SAGQBJlm.ini2
c:\windows\system32\tcjpvk.dll
c:\windows\system32\wpv211228088479.cpx
c:\windows\system32\zxdnt3d.cfg
c:\windows\Tasks\qrvfxvln.job
c:\windows\wiaserviv.log
c:\windows\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TNIDRIVER
-------\Service_TnIDriver


((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.

2008-12-06 02:40 . 2008-12-06 02:40 <DIR> d-------- c:\temp\tn3
2008-12-05 23:31 . 2008-12-06 00:43 2,362 --a------ c:\windows\system32\tmp.reg
2008-12-05 23:29 . 2007-09-05 23:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-12-05 23:29 . 2006-04-27 16:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
2008-12-05 23:29 . 2008-10-01 14:51 87,552 --a------ c:\windows\system32\VACFix.exe
2008-12-05 23:29 . 2008-11-29 17:58 82,944 --a------ c:\windows\system32\o4Patch.exe
2008-12-05 23:29 . 2008-05-18 20:40 82,944 --a------ c:\windows\system32\IEDFix.exe
2008-12-05 23:29 . 2008-11-29 17:58 82,944 --a------ c:\windows\system32\IEDFix.C.exe
2008-12-05 23:29 . 2008-08-18 11:19 82,432 --a------ c:\windows\system32\404Fix.exe
2008-12-05 23:29 . 2003-06-05 20:13 53,248 --a------ c:\windows\system32\Process.exe
2008-12-05 23:29 . 2004-07-31 17:50 51,200 --a------ c:\windows\system32\dumphive.exe
2008-12-05 23:29 . 2007-10-03 23:36 25,600 --a------ c:\windows\system32\WS2Fix.exe
2008-12-05 02:42 . 2008-12-05 02:42 120 --ahs---- c:\windows\system32\bawkfqwr.ini
2008-12-05 02:36 . 2008-12-05 02:36 114,688 --a------ c:\windows\system32\nawolaso.dll
2008-12-05 02:36 . 2008-12-05 02:36 114,688 --a------ c:\windows\system32\ejsduc.dll
2008-11-30 18:57 . 2008-11-30 18:57 192,466 --a------ c:\windows\system32\g6.exe
2008-11-30 18:54 . 2008-11-30 18:54 32,768 --a------ c:\windows\system32\efcATNEV.dll
2008-11-30 18:45 . 2008-11-30 18:45 86,272 --a------ c:\windows\system32\drivers\isapnpp.sys
2008-11-30 18:45 . 2008-12-06 02:39 932 --------- c:\windows\system32\drivers\core.cache.dsk
2008-11-30 18:44 . 2008-12-06 01:59 <DIR> d-------- c:\windows\system32\vi
2008-11-30 18:44 . 2008-12-06 01:59 <DIR> d-------- c:\windows\system32\op8
2008-11-30 18:44 . 2008-11-30 18:45 <DIR> d-------- c:\windows\system32\IN
2008-11-30 18:44 . 2008-11-30 18:44 <DIR> d-------- c:\windows\system32\giv
2008-11-30 18:44 . 2008-11-30 18:44 <DIR> d-------- c:\windows\system32\gi3
2008-11-30 18:44 . 2008-11-30 18:44 <DIR> d-------- c:\temp\DIV55
2008-11-30 18:43 . 2008-12-01 09:04 <DIR> d-------- c:\windows\system32\TEC
2008-11-30 18:43 . 2008-12-06 02:40 <DIR> d-------- C:\Temp
2008-11-30 18:43 . 2008-11-30 18:43 905,354 --a------ c:\temp\uVN23L.exe
2008-11-30 18:43 . 2008-11-30 18:43 32,768 --a------ c:\windows\system32\vtUnlLDv.dll
2008-11-27 00:59 . 2008-10-24 03:21 455,296 --a------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-27 00:58 . 2008-09-04 09:15 1,106,944 --a------ c:\windows\system32\dllcache\msxml3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 09:59 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-05 21:08 --------- d-----w c:\program files\Java
2008-12-01 17:03 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-01 08:19 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-30 13:15 --------- d--h--w c:\documents and settings\TEST\Application Data\Move Networks
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-15 16:34 337,408 ----a-w c:\windows\system32\dllcache\netapi32.dll
2008-10-03 17:41 6,066,176 ----a-w c:\windows\system32\dllcache\ieframe.dll
2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\dllcache\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\dllcache\msxml6.dll
2008-09-08 10:41 333,824 ----a-w c:\windows\system32\dllcache\srv.sys
2008-04-30 07:05 54,704 ----a-w c:\documents and settings\TEST\Application Data\GDIPFONTCACHEV1.DAT
2006-06-20 06:05 24,192 ----a-w c:\documents and settings\TEST\usbsermptxp.sys
2006-06-20 06:05 22,768 ----a-w c:\documents and settings\TEST\usbsermpt.sys
2008-09-05 10:09 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090520080906\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
2008-11-30 18:43 32768 --a------ c:\windows\system32\vtUnlLDv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e8338388-3a50-4aa9-a502-9aa159d07164}]
2008-12-05 02:36 114688 --a------ c:\windows\system32\ejsduc.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-10-30 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-10-30 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 49263]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-24 282624]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-09 71328]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2006-02-25 100056]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-09-25 229952]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-04-30 208958]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2003-03-06 90182]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-12 83360]
Yahoo! Autosync.lnk - c:\program files\Yahoo!\Yahoo! Autosync\AutosyncForYahoo.exe [2007-08-21 391680]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= "c:\windows\system32\vtUnlLDv.dll" [2008-11-30 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUnlLDv]
2008-11-30 18:43 32768 c:\windows\system32\vtUnlLDv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=hxvhxf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Shareaza Applications\\Shareaza\\Shareaza.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14941:UDP"= 14941:UDP:Limewire
"14941:TCP"= 14941:TCP:Limewire
"6346:TCP"= 6346:TCP:Shareaza
"6346:UDP"= 6346:UDP:Shareaza
"8630:TCP"= 8630:TCP:BitComet 8630 TCP
"8630:UDP"= 8630:UDP:BitComet 8630 UDP

R1 isapnpp;isapnpp;c:\windows\system32\drivers\isapnpp.sys [2008-11-30 86272]
R2 SVKP;SVKP;\??\c:\windows\system32\SVKP.sys [2007-05-16 2368]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04012ce3-1042-11dd-b672-00c09f7fcf84}]
\Shell\AutoRun\command - e:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8a05aef0-1bba-11dc-b601-00c09f7fcf84}]
\Shell\AutoRun\command - cmd.exe
.
Contents of the 'Scheduled Tasks' folder

2008-10-04 c:\windows\Tasks\Norton AntiVirus - Scan my computer - TEST.job
- c:\progra~1\NORTON~1\Navw32.exe [2003-11-24 15:46]

2008-12-06 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-08-13 17:38]
.
- - - - ORPHANS REMOVED - - - -

BHO-{2047f108-a625-45da-99fd-acb8525dd246} - c:\windows\system32\hxvhxf.dll
BHO-{68596735-550E-45F4-AEB9-7DF99A672028} - (no file)
BHO-{88DF2256-8BE5-49C2-9A5D-A15BA64DC806} - c:\windows\system32\mlJBQGAS.dll
BHO-{9DFA0BC8-CC49-4066-AEC9-ABCC32121D72} - (no file)
BHO-{e38d5e0a-3d06-42d2-8bc0-9223f070fadf} - (no file)


.
------- Supplementary Scan -------
.
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000

- c:\windows\Downloaded Program Files\RhapX.inf
FireFox -: Profile - c:\documents and settings\TEST\Application Data\Mozilla\Firefox\Profiles\h7r1eo9p.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://search.shareazaweb.com/
FF -: plugin - c:\documents and settings\TEST\Application Data\Mozilla\Firefox\Profiles\h7r1eo9p.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF -: plugin - c:\program files\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_10\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_10\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\jre1.5.0_10\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_10\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\jre1.5.0_10\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
FF -: plugin - c:\program files\Java\jre1.5.0_10\bin\NPOJI610.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npsnapfish.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 02:42:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????6?0?9?8??????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\windows\system32\vtUnlLDv.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Network Associates\VirusScan\vstskmgr.exe
c:\program files\Norton AntiVirus\NAVAPSVC.EXE
c:\windows\system32\HPZipm12.exe
c:\program files\Norton AntiVirus\SAVSCAN.EXE
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2008-12-06 2:59:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-06 10:59:25

Pre-Run: 15,197,118,464 bytes free
Post-Run: 15,164,887,040 bytes free

240 --- E O F --- 2008-11-27 11:07:44
-------------------------------------
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance)
Posters who start topics at multiple sites for their PC problem waste valuable volunteer resources, so please don't. Our analysts assist people at several forums.
Click to expand...

The Waiting Room: Post here if waiting for help longer than four days

Do NOT run 'FIXES' before helpers have analyzed the HJT log
 
Last edited by a moderator:
Hi

First of all please post to your topic at TechGuy and let them know that they can close your topic there.


IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

BitComet
Shareaza


I'd like you to read the this thread.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Delete these folders afterwards:

C:\Program Files\Shareaza Applications
C:\Program Files\BitComet

Empty Recycle Bin.

After that:

Delete your old ComboFix.exe file and download fresh version to your desktop from one of these links:
***Link 1****
***Link 2****
***Link 3****

Run ComboFix and post back its report & a fresh hjt log.
 
Sorry

Sorry, I haven't responded, I thought I'd get an email notification when I got a post. I just posted at TechGuy that they can close the post. I'm at work, but will get the P2P uninstalled and will post fresh logs tonight.

Thank you very much!
 
ComboFix Log 12-17-08

ComboFix 08-12-17.01 - TEST 2008-12-17 19:44:34.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.222.28 [GMT -8:00]
Running from: c:\documents and settings\TEST\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\temp\DIV55
c:\temp\DIV55\xDb.log
c:\temp\tn3
c:\windows\system32\404Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\efcATNEV.dll
c:\windows\system32\ejsduc.dll
c:\windows\system32\gi3
c:\windows\system32\gi3\VIES61X.exe
c:\windows\system32\giv
c:\windows\system32\giv\TNK53C0.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\IN
c:\windows\system32\nawolaso.dll
c:\windows\system32\o4Patch.exe
c:\windows\system32\op8
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\TEC
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\vi
c:\windows\system32\vtUnlLDv.dll
c:\windows\system32\WS2Fix.exe
c:\windows\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-11-18 to 2008-12-18 )))))))))))))))))))))))))))))))
.

2008-12-17 19:55 . 2008-12-17 19:55 <DIR> d-------- c:\temp\tn3
2008-12-06 04:08 . 2008-12-06 04:08 <DIR> d-------- c:\program files\Trend Micro
2008-12-05 02:42 . 2008-12-05 02:42 120 --ahs---- c:\windows\system32\bawkfqwr.ini
2008-11-30 18:57 . 2008-11-30 18:57 192,466 --a------ c:\windows\system32\g6.exe
2008-11-30 18:45 . 2008-11-30 18:45 86,272 --a------ c:\windows\system32\drivers\isapnpp.sys
2008-11-30 18:45 . 2008-12-17 19:54 932 --------- c:\windows\system32\drivers\core.cache.dsk
2008-11-30 18:43 . 2008-12-17 19:55 <DIR> d-------- C:\Temp
2008-11-30 18:43 . 2008-11-30 18:43 905,354 --a------ c:\temp\uVN23L.exe
2008-11-27 00:59 . 2008-10-24 03:21 455,296 --a------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-27 00:58 . 2008-09-04 09:15 1,106,944 --a------ c:\windows\system32\dllcache\msxml3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-18 03:29 --------- d-----w c:\documents and settings\TEST\Application Data\Shareaza
2008-12-18 03:28 --------- d-----w c:\program files\BitComet
2008-12-06 09:59 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-05 21:08 --------- d-----w c:\program files\Java
2008-12-01 17:03 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-01 08:19 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-30 13:15 --------- d--h--w c:\documents and settings\TEST\Application Data\Move Networks
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-15 16:34 337,408 ----a-w c:\windows\system32\dllcache\netapi32.dll
2008-10-03 17:41 6,066,176 ----a-w c:\windows\system32\dllcache\ieframe.dll
2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-04-30 07:05 54,704 ----a-w c:\documents and settings\TEST\Application Data\GDIPFONTCACHEV1.DAT
2006-06-20 06:05 24,192 ----a-w c:\documents and settings\TEST\usbsermptxp.sys
2006-06-20 06:05 22,768 ----a-w c:\documents and settings\TEST\usbsermpt.sys
2008-09-05 10:09 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090520080906\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-10-30 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-10-30 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 49263]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-24 282624]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-09 71328]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2006-02-25 100056]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-09-25 229952]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-04-30 208958]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2003-03-06 90182]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-12 83360]
Yahoo! Autosync.lnk - c:\program files\Yahoo!\Yahoo! Autosync\AutosyncForYahoo.exe [2007-08-21 391680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=hxvhxf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Shareaza Applications\\Shareaza\\Shareaza.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14941:UDP"= 14941:UDP:Limewire
"14941:TCP"= 14941:TCP:Limewire
"6346:TCP"= 6346:TCP:Shareaza
"6346:UDP"= 6346:UDP:Shareaza
"8630:TCP"= 8630:TCP:BitComet 8630 TCP
"8630:UDP"= 8630:UDP:BitComet 8630 UDP


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04012ce3-1042-11dd-b672-00c09f7fcf84}]
\Shell\AutoRun\command - e:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8a05aef0-1bba-11dc-b601-00c09f7fcf84}]
\Shell\AutoRun\command - cmd.exe
.
Contents of the 'Scheduled Tasks' folder

2008-10-04 c:\windows\Tasks\Norton AntiVirus - Scan my computer - TEST.job
- c:\progra~1\NORTON~1\Navw32.exe [2003-11-24 15:46]

2008-12-18 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-08-13 17:38]
.
- - - - ORPHANS REMOVED - - - -

BHO-{e8338388-3a50-4aa9-a502-9aa159d07164} - c:\windows\system32\ejsduc.dll


.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000

- c:\windows\Downloaded Program Files\RhapX.inf
FF - ProfilePath - c:\documents and settings\TEST\Application Data\Mozilla\Firefox\Profiles\h7r1eo9p.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.shareazaweb.com/
FF - plugin: c:\documents and settings\TEST\Application Data\Mozilla\Firefox\Profiles\h7r1eo9p.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npsnapfish.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("general.useragent.vendorComment", "ax");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 9);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.classID.allowByDefault", false);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID22D6F312-B0F6-11D0-94AB-0080C74C7E95", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6BF52A52-394A-11D3-B153-00C04F79FAA6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA9FC132B-096D-460B-B7D5-1DB0FAE0C062", "AllAccess");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-17 19:56:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????6?0?9?8??????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Network Associates\VirusScan\vstskmgr.exe
c:\program files\Norton AntiVirus\NAVAPSVC.EXE
c:\windows\system32\HPZipm12.exe
c:\program files\Norton AntiVirus\SAVSCAN.EXE
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2008-12-17 20:09:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-18 04:09:47
ComboFix2.txt 2008-12-06 10:59:52

Pre-Run: 15,235,153,920 bytes free
Post-Run: 15,220,871,168 bytes free

193 --- E O F --- 2008-11-27 11:07:44
 
HijackThis Log 12-17-08

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:45:37, on 12/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Yahoo! Autosync\AutosyncForYahoo.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Yahoo! Autosync.lnk = C:\Program Files\Yahoo!\Yahoo! Autosync\AutosyncForYahoo.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.com/real/player/d.../mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O20 - AppInit_DLLs: hxvhxf.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 6763 bytes
 
Hi

It's not recommended have multiple antivirus programs running in same system. Decide between McAfee and Norton which one you want keep.


Looks like there's still signs of P2P, so...

IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

BitComet
Shareaza


I'd like you to read the this thread.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Delete these folders afterwards:

c:\documents and settings\TEST\Application Data\Shareaza
c:\program files\BitComet

Empty Recycle Bin.

After that:



Open notepad and copy/paste the text in the quotebox below into it:

Code: 
Driver::
isapnpp

File::
c:\windows\system32\bawkfqwr.ini
c:\windows\system32\g6.exe
c:\windows\system32\drivers\isapnpp.sys
c:\windows\system32\drivers\core.cache.dsk
c:\temp\uVN23L.exe

Folder::
c:\temp\tn3
c:\documents and settings\TEST\Application Data\Shareaza
c:\program files\BitComet

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Shareaza Applications\\Shareaza\\Shareaza.exe"=-

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14941:UDP"=-
"14941:TCP"=-
"6346:TCP"=-
"6346:UDP"=-
"8630:TCP"=-
"8630:UDP"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8a05aef0-1bba-11dc-b601-00c09f7fcf84}]


Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

CFScriptB-4.gif


Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Uninstall old Adobe Reader versions and get the latest one here or get Foxit Reader here.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 11.
  • Scroll down to where it says
    The J2SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the
    Download
    button to the right.
  • Select Windows on platform combobox and check the box that says:
    Accept License Agreement. Click continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version. Note: Uncheck MSN toolbar option if you don't want to install it.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.
 
Kaspersky Online Scanner Won't Let Me Save Report

I got as far as getting Kaspersky Online Scanner to run. It was kind of slow so I went to bed and checked in the morning. When I tried to click "Save Report As" the button wouldn't highlight in order for me to click. I ended up closing it and running Kaspersky Online Scanner again, it was quicker the second time around but I ran into the same problem for saving the report.

I'll try again tonight when I get home from work to see if it will let me save it. Do you think I should just download the free trial?

Thanks!
 
Hi

Did Kaspersky report any bad findings? If not then it may not let to save the results.

If Kaspersky did find something but still don't let to save the report then you could try ESET Online Scanner:

* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic, along with other requested logs.
 
Here It Is

I deleted the files as you said, and removed them from the Recycle Bin. But couldn't find the programs under "Add/Remove Programs," so I think I got rid of them the first time around.

Attached is the ComboFix log from after I dragged the CFScript into ComboFix.

I removed the programs and files for Java and Adobe Reader and reinstalled the updated versions as you said.

Followed the ATF Cleaner

Then ran the Kaspersky Online Scanner again this morning and it worked this time.

Second attached is the KAS log.

Third attached is the HijackThis log.

Thanks for your time and patience!
 
ComboFixLog 12-19-08

ComboFix 08-12-17.01 - TEST 2008-12-19 1:54:09.3 - NTFSx86
Running from: c:\documents and settings\TEST\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\TEST\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\temp\uVN23L.exe
c:\windows\system32\bawkfqwr.ini
c:\windows\system32\drivers\core.cache.dsk
c:\windows\system32\drivers\isapnpp.sys
c:\windows\system32\g6.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\temp\tn3
c:\temp\uVN23L.exe
c:\windows\system32\bawkfqwr.ini
c:\windows\system32\drivers\core.cache.dsk
c:\windows\system32\drivers\isapnpp.sys
c:\windows\system32\g6.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ISAPNPP
-------\Service_isapnpp


((((((((((((((((((((((((( Files Created from 2008-11-19 to 2008-12-19 )))))))))))))))))))))))))))))))
.

2008-12-06 04:08 . 2008-12-06 04:08 <DIR> d-------- c:\program files\Trend Micro
2008-11-30 18:43 . 2008-12-19 01:55 <DIR> d-------- C:\Temp
2008-11-27 00:59 . 2008-10-24 03:21 455,296 --a------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-27 00:58 . 2008-09-04 09:15 1,106,944 --a------ c:\windows\system32\dllcache\msxml3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-19 09:38 --------- d-----w c:\program files\MSN Encarta Plus
2008-12-06 09:59 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-05 21:08 --------- d-----w c:\program files\Java
2008-12-01 17:03 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-01 08:19 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-30 13:15 --------- d--h--w c:\documents and settings\TEST\Application Data\Move Networks
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-04-30 07:05 54,704 ----a-w c:\documents and settings\TEST\Application Data\GDIPFONTCACHEV1.DAT
2006-06-20 06:05 24,192 ----a-w c:\documents and settings\TEST\usbsermptxp.sys
2006-06-20 06:05 22,768 ----a-w c:\documents and settings\TEST\usbsermpt.sys
2008-09-05 10:09 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090520080906\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-10-30 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-10-30 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 49263]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-24 282624]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-09 71328]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2006-02-25 100056]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-09-25 229952]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-04-30 208958]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2003-03-06 90182]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-12 83360]
Yahoo! Autosync.lnk - c:\program files\Yahoo!\Yahoo! Autosync\AutosyncForYahoo.exe [2007-08-21 391680]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 SVKP;SVKP;\??\c:\windows\system32\SVKP.sys [2007-05-16 2368]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04012ce3-1042-11dd-b672-00c09f7fcf84}]
\Shell\AutoRun\command - e:\wd_windows_tools\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-10-04 c:\windows\Tasks\Norton AntiVirus - Scan my computer - TEST.job
- c:\progra~1\NORTON~1\Navw32.exe [2003-11-24 15:46]

2008-12-19 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-08-13 17:38]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000

- c:\windows\Downloaded Program Files\RhapX.inf
FF - ProfilePath - c:\documents and settings\TEST\Application Data\Mozilla\Firefox\Profiles\h7r1eo9p.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.shareazaweb.com/
FF - plugin: c:\documents and settings\TEST\Application Data\Mozilla\Firefox\Profiles\h7r1eo9p.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npsnapfish.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("general.useragent.vendorComment", "ax");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 9);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.classID.allowByDefault", false);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID22D6F312-B0F6-11D0-94AB-0080C74C7E95", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6BF52A52-394A-11D3-B153-00C04F79FAA6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA9FC132B-096D-460B-B7D5-1DB0FAE0C062", "AllAccess");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-19 02:03:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????6?0?9?8??????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Norton AntiVirus\NAVAPSVC.EXE
c:\windows\system32\HPZipm12.exe
c:\program files\Norton AntiVirus\SAVSCAN.EXE
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2008-12-19 2:14:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-19 10:14:39
ComboFix2.txt 2008-12-18 04:10:00
ComboFix3.txt 2008-12-06 10:59:52

Pre-Run: 15,216,463,872 bytes free
Post-Run: 15,205,908,480 bytes free

144 --- E O F --- 2008-11-27 11:07:44
 
Kas 12-20-08

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, December 20, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, December 20, 2008 14:53:47
Records in database: 1491863
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 63228
Threat name: 17
Infected objects: 27
Suspicious objects: 0
Duration of the scan: 02:23:04


File name / Threat name / Threats count
C:\Program Files\Norton AntiVirus\Quarantine\46AA329B Infected: Trojan-Downloader.Win32.Small.buy 1
C:\Qoobox\Quarantine\C\Temp\uVN23L.exe.vir Infected: Trojan-Downloader.Win32.Small.buy 1
C:\Qoobox\Quarantine\C\Temp\uVN23L.exe.vir Infected: Trojan-Downloader.Win32.Agent.arwj 1
C:\Qoobox\Quarantine\C\Temp\uVN23L.exe.vir Infected: Trojan.Win32.Agent.asjz 1
C:\Qoobox\Quarantine\C\Temp\uVN23L.exe.vir Infected: Trojan.Win32.Agent.asjk 1
C:\Qoobox\Quarantine\C\Temp\uVN23L.exe.vir Infected: Trojan-Downloader.Win32.Agent.afzg 1
C:\Qoobox\Quarantine\C\Temp\uVN23L.exe.vir Infected: not-a-virus:AdWare.Win32.WebHancer.f 1
C:\Qoobox\Quarantine\C\Temp\uVN23L.exe.vir Infected: not-a-virus:AdWare.Win32.WebHancer.390 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\digeste.dll.vir Infected: Trojan.Win32.Monder.abmc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\efcATNEV.dll.vir Infected: Trojan.Win32.Monder.acoy 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\fccyxwtT.dll.vir Infected: Trojan.Win32.Monder.aane 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\g6.exe.vir Infected: Trojan.Win32.Agent.asjk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gcsmdglx.dll.vir Infected: Trojan.Win32.Monder.abke 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gi3\VIES61X.exe.vir Infected: Trojan.Win32.Agent.asjz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\giv\TNK53C0.exe.vir Infected: Trojan.Win32.Agent.asjk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gvmltkvc.dll.vir Infected: Trojan.Win32.Monder.acoz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hgGwUnME.dll.vir Infected: Trojan.Win32.Monderb.xio 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hgGwWMfe.dll.vir Infected: Trojan.Win32.Monderb.xio 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hxvhxf.dll.vir Infected: Trojan.Win32.Monder.abke 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\jnwnw64m.exe.vir Infected: Trojan-Downloader.Win32.Agent.afzg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\mlJBQGAS.dll.vir Infected: Trojan.Win32.Monder.abvp 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ncntokdm.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.bv 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\oiujdqyj.dll.vir Infected: Trojan.Win32.Monder.abke 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\prunnet.exe.vir Infected: Trojan.Win32.VB.hfs 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tcjpvk.dll.vir Infected: Trojan.Win32.Monder.abke 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\vtUnlLDv.dll.vir Infected: Trojan.Win32.Monder.acoy 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wpv211228088479.cpx.vir Infected: Trojan.Win32.Agent.avwh 1

The selected area was scanned.
 
HijackThis 12-20-08

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:26:22, on 12/20/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Yahoo! Autosync\AutosyncForYahoo.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\TEST\Local Settings\temp\jkos-TEST\binaries\ScanningProcess.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Yahoo! Autosync.lnk = C:\Program Files\Yahoo!\Yahoo! Autosync\AutosyncForYahoo.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.com/real/player/d.../mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 7357 bytes
 
Also About My AntiVirus

I know you said I should either pick between Norton and McAfee. I like my Norton but I can't find where the McAfee is installed. I checked "Add/Remove Programs" with no luck.

A couple months back I tried to install McAfee VirusScan7.0.0 and it's very odd it never scans or enables itself. I've tried to uninstall it when I couldn't figure out how to enable it but couldn't find it listed under "Add/Remove Programs." I can find the file under "Program Files" but when I try to delete it, it says it cannot be delted because it's being used by a person or program. Whenever I turn on my computer the icon always appears in the bottom right task bar (by the time). It always has a red cross across it indicating that it doesn't work. I've tried enabling it but it always goes back to that red cross. Anyway, I've given up trying to use it but at the same time haven't figured out how to remove it...so I've just left it there.
 
Hi

Delete C:\Program Files\Norton AntiVirus\Quarantine\46AA329B file. Other found items will be removed when ComboFix is uninstalled. We'll do that a bit later.

Please try this McAfee removal tool in order to get McAfee removed.
 
Update

I deleted the C:\Program Files\Norton AntiVirus\Quarantine\46AA329B and emptied my recycle bin.

I ran the McAfee removal tool and the icon that used to show up on the bottom right is gone. However, the "Network Associates" folder is still in my "Program Files." I tried deleting it but it says "Cannot delete shext.dll: Access is denied. Make sure the disk is not full or write protected and that the file is not currently in use." No big deal if you can't figure out how to delete it, just wanted to let you know.

Thanks for your help! Let me know if there are any other steps I need to take.
 
Hi

Let's try removing problematic folder with a tool.


We need to execute an OTMoveIt3 script
  1. Please download OTMoveIt3 by OldTimer and save it to your desktop.
  2. Double click theOTMoveIt3 icon on your desktop.
  3. Paste the following code under the Paste Fix Here area. Do not include the word
    Code
    .
    Code: 
    :Files
C:\Program Files\Network Associates
  4. Push the large MoveIt button.
  5. OTMI3 may ask to reboot the machine. Please do so if asked.
  6. Copy/Paste the contents under the Results line here in your next reply with a fresh hjt log. How's the system running?
  7. If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
 
You must log in or register to reply here.
Back
Top