Virtumonde, Virtumonde.generic, Smithfraud-C infections

[JDK100]

Hello. My PC is infected with Virtumonde, Virtumonde.generic, Smithfraud-C. I am running SPYBOT S&D 1.6.0.31 and AdAware...both of which declare that the problems have been cleaned but of course they keep resurfacing. I am also running Norton Internet Security 2009 which no longer works properly (the Norton "Sonar" Advance Protection will no longer load). In addition, I am getting multiple dialog boxes which indicate "Generic Host Process for Win32 Services encountered a problems and needed to close". After getting several of these dialogs in a row, the PC completely reboots itself with no warning. Yesterday, my user profile completely disappeared. Today, it seems to be back! I used "CCleaner" to clean my cache and get rid of all history and temp files but that didn't help.

HijackThis gave me a message before it generated the log file that warned that I had "...an unusually large number of hijacked domains".

Here is my HijackThis v2.0.2 log file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:04:05 AM, on 2/23/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ctfmon.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WatchGuard\Mobile User VPN\SafeCfg.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Magazine Utilities\RoboType\RoboType.exe
C:\WINNT\Samsung\LaserSMMgr\ssmmgr.exe
C:\Documents and Settings\Administrator\Desktop\Malware Removal\erunt-setup.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-FHEJD.tmp\is-MOTD5.tmp
C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 207.209.117.9 ffmprod #Kronberg AS/400
O1 - Hosts: 207.209.117.15 Kronberg01 #Kronberg Notes Server Defunct
O1 - Hosts: 207.209.117.8 Kronberg02 #Kronberg Notes Server
O1 - Hosts: 207.209.115.1 cisco01
O1 - Hosts: 207.209.115.2 EMC-A #To become EMC SPA
O1 - Hosts: 207.209.115.3 EMC-B #To Become EMC SPB
O1 - Hosts: 207.209.115.4 Anaconda #NT Domain Controler Norton Server
O1 - Hosts: 207.209.115.5 dial2krouter
O1 - Hosts: 207.209.115.6 DellPowervault #Dell Power Vault Backup
O1 - Hosts: 207.209.115.7 TELESALES #TELESALES CISCO
O1 - Hosts: 207.209.115.8 #Possible a printer somwewhere
O1 - Hosts: 207.209.115.9 CNS
O1 - Hosts: 207.209.115.10 MCS02A #Lotus Domino MCS02A
O1 - Hosts: 207.209.115.11 NYJC #web server ( john cannon)
O1 - Hosts: 207.209.115.12 mcs09 #firewall admin box
O1 - Hosts: 207.209.115.13 Stealth #Compaq Server CRM test
O1 - Hosts: 207.209.115.14 116Router #Cisco for telesales/116 subnet
O1 - Hosts: 207.209.115.15 NYJC2 #John Cannon Laptop
O1 - Hosts: 207.209.115.16 IBM_NC17 #
O1 - Hosts: 207.209.115.17 inetgw2 #2nd firewall
O1 - Hosts: 207.209.115.18 encsgw #2nd gateway so we can spam
O1 - Hosts: 207.209.115.19 INETGW #Watchguard Firewall
O1 - Hosts: 207.209.115.20 old.center.switch #Switch
O1 - Hosts: 207.209.115.21 center.switch #Switch
O1 - Hosts: 207.209.115.22 west.switch #
O1 - Hosts: 207.209.115.23 east.switch #
O1 - Hosts: 207.209.115.24 MIS.Switch #
O1 - Hosts: 207.209.115.25 MIS.Switch2 #
O1 - Hosts: 207.209.115.26 encsdirect #new spam server
O1 - Hosts: 207.209.115.27 PBX #Phones
O1 - Hosts: 207.209.115.28 Voice Mail #Phones
O1 - Hosts: 207.209.115.29 definity g3i-a #
O1 - Hosts: 207.209.115.30 definity g3i-b
O1 - Hosts: 207.209.115.31 impala #HR Server
O1 - Hosts: 207.209.115.32 NYBHXP #Brian Henderson
O1 - Hosts: 207.209.115.33 cobra #File Server
O1 - Hosts: 207.209.115.34 MQserver #Milquote Server
O1 - Hosts: 207.209.115.35 #John Cannon
O1 - Hosts: 207.209.115.36 oldmcs05 #Webtrens
O1 - Hosts: 207.209.115.37 WEBSERV #WEBSERV AS/400
O1 - Hosts: 207.209.115.38 viper #Diplo File Server
O1 - Hosts: 207.209.115.39 linuxserverhls #Harry test 1
O1 - Hosts: 207.209.115.40 MCS_01 #Lotus Domino
O1 - Hosts: 207.209.115.41 hlsLinuxtest #Harry Test 2
O1 - Hosts: 207.209.115.42 Linuxnotes #Agent SMTP Gateway
O1 - Hosts: 207.209.115.43 ADP Server #ADP
O1 - Hosts: 207.209.115.44 MCS05 #Domino Mail Server
O1 - Hosts: 207.209.115.45 ADP Server2 #ADP 2
O1 - Hosts: 207.209.115.46 LXKF88568 #Lexmark T622 Printer by MIS
O1 - Hosts: 207.209.115.47 MCS_ESHARE #
O1 - Hosts: 207.209.115.48 Cisco test #cisco test
O1 - Hosts: 207.209.115.49 ACCTP2 #
O1 - Hosts: 207.209.115.50 encs #www.encs.com
O1 - Hosts: 207.209.115.51 navy #www.navyauto.com
O1 - Hosts: 207.209.115.52 preowned #PREOWNED/MCS-WEB (turned off)
O1 - Hosts: 207.209.115.53 ias #www.intlauto.com
O1 - Hosts: 207.209.115.54 diplo #www.diplosales.com
O1 - Hosts: 207.209.115.55 nybs #Bernadine Seeger
O1 - Hosts: 207.209.115.56 Primary #NY AS/400
O1 - Hosts: 207.209.115.57 DATAMIRR #NY AS/400
O1 - Hosts: 207.209.115.58 NYPROD #NY As/400
O1 - Hosts: 207.209.115.59 PRIAST #NY AS/400
O1 - Hosts: 207.209.115.60 LXK168FC9 #Lexmark Optra SE 3455 by Computer Room
O1 - Hosts: 207.209.115.61 #
O1 - Hosts: 207.209.115.62 MCSJCANNON #John Cannon Laptop
O1 - Hosts: 207.209.115.63 LEONLAPTOP #
O1 - Hosts: 207.209.115.64 NYrec #Rogers Campbell
O1 - Hosts: 207.209.115.65 CHEW #Susan Chew
O1 - Hosts: 207.209.115.66 GMILANA #Gina Milana
O1 - Hosts: 207.209.115.67 fsgp1 #was Sharon Reynolds
O1 - Hosts: 207.209.115.68 ??? #???
O1 - Hosts: 207.209.115.69 NYLGA #Larry Alaimo
O1 - Hosts: 207.209.115.70 JoanLew #temp
O1 - Hosts: 207.209.115.71 Hls Linux #test server
O1 - Hosts: 207.209.115.72 BOB #Bob
O1 - Hosts: 207.209.115.73 helpdesk #Donald Schwarz
O1 - Hosts: 207.209.115.74 KFITZGERALD #Katie Fitzgerald
O1 - Hosts: 207.209.115.75 NTELAGE #Nicole Telage
O1 - Hosts: 207.209.115.76 NY-PKIM #Peter Kim
O1 - Hosts: 207.209.115.77 NY-CSHELBOR #Christine Shelbor
O1 - Hosts: 207.209.115.78 DANNYCDR #Danny Vacchio CDR
O1 - Hosts: 207.209.115.79 pricingtemp #Kim Murray old desk
O1 - Hosts: 207.209.115.80 RCOWANS #Robyn Cowans
O1 - Hosts: 207.209.115.81 EMORALES #Edwin Morales
O1 - Hosts: 207.209.115.82 marketinglaptop #
O1 - Hosts: 207.209.115.83 Jaguar #UNICENTER server
O1 - Hosts: 207.209.115.84 RCONVERY #Renee Convery
O1 - Hosts: 207.209.115.85 seville seville.militarycars.com #new CRM server
O1 - Hosts: 207.209.115.86 NYTRP #Thomas Pisano
O1 - Hosts: 207.209.115.87 YMOLINA #Yoamir Molina
O1 - Hosts: 207.209.115.88 jallagher #mobile vpn
O1 - Hosts: 207.209.115.89 NYCG #Laura Amendolare
O1 - Hosts: 207.209.115.90 KVM #DSR 2161
O1 - Hosts: 207.209.115.91 NYNCB #William Kuzmiak
O1 - Hosts: 207.209.115.92 GoldMachine #
O1 - Hosts: 207.209.115.93 DES #Des Powell
O1 - Hosts: 207.209.115.94 JONK #Jon Kay
O1 - Hosts: 207.209.115.95 nyesf #Eve Fogel
O1 - Hosts: 207.209.115.96 EldoradoV2 eldoradov2.militarycars.com #CRM Virtual 2 - Portal
O1 - Hosts: 207.209.115.97 NYJMA #Joan Albright
O1 - Hosts: 207.209.115.98 brianlaptop #Brian H Laptop
O2 - BHO: (no name) - {116647CA-B48E-447D-B3D8-2ECAB307ECC1} - C:\WINNT\system32\byXQGvss.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\IPSBHO.DLL
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: WebSpy Reports Browser Helper Object - {C68F45EB-A501-46AB-8165-BC042CD27136} - C:\PROGRA~1\COMMON~1\WebSpy\WSREPO~1.DLL
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - S-1-5-18 Startup: Charts for Marissa.lnk = ? (User 'SYSTEM')
O4 - S-1-5-18 Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: MCS, Inc.lnk = ? (User 'SYSTEM')
O4 - S-1-5-18 Startup: RoboType.lnk = C:\Documents and Settings\Administrator\My Documents\Daily.rtl (User 'SYSTEM')
O4 - S-1-5-18 Startup: Sweepstakes and Contests.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: Charts for Marissa.lnk = ? (User 'Default user')
O4 - .DEFAULT Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE (User 'Default user')
O4 - .DEFAULT Startup: MCS, Inc.lnk = ? (User 'Default user')
O4 - .DEFAULT Startup: RoboType.lnk = C:\Documents and Settings\Administrator\My Documents\Daily.rtl (User 'Default user')
O4 - .DEFAULT Startup: Sweepstakes and Contests.lnk = ? (User 'Default user')
O4 - Startup: Charts for Marissa.lnk = ?
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: MCS, Inc.lnk = ?
O4 - Startup: RoboType.lnk = C:\Documents and Settings\Administrator\My Documents\Daily.rtl
O4 - Startup: Sweepstakes and Contests.lnk = ?
O4 - Global Startup: Mobile User VPN.lnk = C:\Program Files\WatchGuard\Mobile User VPN\SafeCfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O20 - Winlogon Notify: fccdaxut - fccdaxut.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINNT\CWBRXD.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Multi-user Cleanup Service - Unknown owner - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe

--
End of file - 13574 bytes

 

[Blade81]

Hi

Is that your personal system or work related one?

 

[JDK100]

It is definitely my personal/home system although I do have a VPN to my office so I can work from home when I have to. But these days, I don't use the VPN very often on that machine as I now also have a business-provided laptop which I use for this purpose.

Bottom line? I could delete/uninstall the VPN if you thought that would make it easier to clear these infections.

 

[Blade81]

Hi

There's no need to uninstall VPN


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
   Remember to re-enable them afterwards.
   
   
2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

 

[JDK100]

Virtumonde, Virtumonde.generic, Smithfraud-C

Logs as requested.

ComboFix 09-02-28.01 - Administrator 2009-02-28 21:35:18.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.495.215 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\system32\drivers\seneka.sys
c:\winnt\system32\drivers\senekagqpakyiw.sys
c:\winnt\system32\prunnet.exe
c:\winnt\system32\senekaltoiyqdw.dll
c:\winnt\system32\senekapjvrjxfm.dll
c:\winnt\system32\senekaprcfrtyw.dll
c:\winnt\system32\senekavimpsxmq.dat
c:\winnt\system32\senekawupkctlq.dat
c:\winnt\system32\ssvGQXyb.ini
c:\winnt\system32\ssvGQXyb.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA


((((((((((((((((((((((((( Files Created from 2009-02-01 to 2009-03-01 )))))))))))))))))))))))))))))))
.

2009-02-23 00:02 . 2009-02-23 00:02 <DIR> d-------- c:\program files\Trend Micro
2009-02-22 23:59 . 2009-02-22 23:59 <DIR> d-------- c:\program files\ERUNT
2009-02-08 01:46 . 2009-01-18 16:35 15,688 --a------ c:\winnt\system32\lsdelete.exe
2009-02-07 21:08 . 2009-02-07 21:08 552 --a------ c:\winnt\system32\d3d8caps.dat
2009-02-07 18:43 . 2009-02-07 18:43 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-07 18:43 . 2009-01-18 16:30 64,160 --a------ c:\winnt\system32\drivers\Lbd.sys
2009-02-07 18:42 . 2009-02-07 18:42 <DIR> d-------- c:\program files\Lavasoft
2009-02-07 18:42 . 2009-02-07 18:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-07 18:28 . 2009-02-07 18:28 146 --a------ c:\winnt\wininit.ini
2009-02-07 16:24 . 2009-02-07 16:24 <DIR> dr------- c:\program files\Norton Support
2009-02-07 15:58 . 2009-02-28 21:40 2,188 --a------ c:\winnt\ljsaqohw

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-23 04:53 51,160 ----a-w c:\documents and settings\Administrator\Application Data\wklnhst.dat
2009-02-09 14:45 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-08 06:55 --------- d-----w c:\program files\ScreenPrint32 v3
2009-01-26 16:28 --------- d-----w c:\program files\Sony Handheld
2009-01-18 16:18 --------- d-----w c:\program files\Paint Shop Pro 5
2009-01-15 15:46 --------- d-----w c:\program files\Google
2008-12-12 17:33 3,060,224 ------w c:\winnt\system32\dllcache\mshtml.dll
2008-12-11 11:57 333,184 ------w c:\winnt\system32\dllcache\srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-03 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\winnt\System32\igfxtray.exe" [2003-11-18 155648]
"HotKeysCmds"="c:\winnt\System32\hkcmd.exe" [2003-11-18 118784]
"Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2001-05-02 20530]
"Client Access Help Update"="c:\program files\IBM\Client Access\cwbinhlp.exe" [2001-05-02 24576]
"Client Access Check Version"="c:\program files\IBM\Client Access\cwbckver.exe" [2001-05-02 49152]
"Client Access Express Welcome"="c:\program files\IBM\Client Access\cwbwlwiz.exe" [2001-05-02 20480]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-31 385024]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-18 506712]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Mobile User VPN.lnk - c:\program files\WatchGuard\Mobile User VPN\SafeCfg.exe [2004-06-26 53300]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= vdrcodec.dll
"VIDC.PIM1"= pclepim1.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\winnt\pss\Billminder.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\winnt\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\winnt\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 12:10 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 22:13 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung LBP SM]
--a------ 2007-11-17 14:36 266240 c:\winnt\Samsung\LaserSMMgr\SSMMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-08-03 08:46 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"UPS"=3 (0x3)
"TapiSrv"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\WatchGuard\\Mobile User VPN\\Vpn.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\WatchGuard\\Mobile User VPN\\ViewLog.exe"=
"c:\\Program Files\\WatchGuard\\Mobile User VPN\\CmonApp.exe"=

R0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [2009-02-07 64160]
R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS --> \SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS [?]
R1 BHDrvx86;Symantec Heuristics Driver;c:\winnt\system32\drivers\NIS\1002000.007\BHDrvx86.sys [2008-12-20 255536]
R1 ccHP;Symantec Hash Provider;c:\winnt\system32\drivers\NIS\1002000.007\cchpx86.sys [2008-12-20 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090129.005\IDSxpx86.sys [2009-01-29 276344]
R2 Crypto;Crypto;c:\winnt\system32\drivers\Crypto.sys [2004-06-26 217088]
R2 IPSECDRV;SafeNet IPSec Plugin;c:\winnt\system32\drivers\IpSecDrv.sys [2004-06-26 114232]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe [2008-12-20 115560]
R3 DniVap;SafeNet WAN Miniport (VA);c:\winnt\system32\drivers\vapnt.sys [2004-06-26 36188]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-11-16 99376]
S0 ljsaqohw;ljsaqohw;c:\winnt\system32\drivers\eahiimks.sys []
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 921936]
.
Contents of the 'Scheduled Tasks' folder

2009-02-07 c:\winnt\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 16:34]

2008-10-31 c:\winnt\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
.
- - - - ORPHANS REMOVED - - - -

BHO-{081DBD0D-BC74-42ED-BB3E-9EE81BD97344} - c:\winnt\system32\byXQGvss.dll
BHO-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)
ShellExecuteHooks-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)
Notify-fccdaxut - fccdaxut.dll
MSConfigStartUp-Gateway Ink Monitor - c:\program files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe


.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.gateway.net
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\Norton Internet Security\Engine\16.2.0.7\CoIEPlg.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-28 21:45:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\winnt\system32\drivers\eahiimks.sys 25088 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.2.0.7\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\Administrator\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1344)
c:\winnt\system32\byXQGvss.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WatchGuard\Mobile User VPN\IreIKE.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WatchGuard\Mobile User VPN\IPSecMon.exe
c:\program files\lotus\notes\ntmulti.exe
c:\winnt\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Sony Handheld\HOTSYNC.EXE
c:\program files\PC Magazine Utilities\RoboType\RoboType.exe
.
**************************************************************************
.
Completion time: 2009-02-28 21:52:10 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2009-03-01 02:52:04

Pre-Run: 98,502,803,456 bytes free
Post-Run: 98,457,964,544 bytes free

189 --- E O F --- 2009-01-15 18:05:07


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:41 PM, on 2/28/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ctfmon.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WatchGuard\Mobile User VPN\SafeCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\PC Magazine Utilities\RoboType\RoboType.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {15E307A3-C201-4608-97BD-ABE1E47E64C6} - C:\WINNT\system32\byXQGvss.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\IPSBHO.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: WebSpy Reports Browser Helper Object - {C68F45EB-A501-46AB-8165-BC042CD27136} - C:\PROGRA~1\COMMON~1\WebSpy\WSREPO~1.DLL
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - S-1-5-18 Startup: Charts for Marissa.lnk = ? (User 'SYSTEM')
O4 - S-1-5-18 Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: MCS, Inc.lnk = ? (User 'SYSTEM')
O4 - S-1-5-18 Startup: RoboType.lnk = C:\Documents and Settings\Administrator\My Documents\Daily.rtl (User 'SYSTEM')
O4 - S-1-5-18 Startup: Sweepstakes and Contests.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: Charts for Marissa.lnk = ? (User 'Default user')
O4 - .DEFAULT Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE (User 'Default user')
O4 - .DEFAULT Startup: MCS, Inc.lnk = ? (User 'Default user')
O4 - .DEFAULT Startup: RoboType.lnk = C:\Documents and Settings\Administrator\My Documents\Daily.rtl (User 'Default user')
O4 - .DEFAULT Startup: Sweepstakes and Contests.lnk = ? (User 'Default user')
O4 - Startup: Charts for Marissa.lnk = ?
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: MCS, Inc.lnk = ?
O4 - Startup: RoboType.lnk = C:\Documents and Settings\Administrator\My Documents\Daily.rtl
O4 - Startup: Sweepstakes and Contests.lnk = ?
O4 - Global Startup: Mobile User VPN.lnk = C:\Program Files\WatchGuard\Mobile User VPN\SafeCfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINNT\CWBRXD.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Multi-user Cleanup Service - Unknown owner - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe

--
End of file - 8206 bytes

 

[Blade81]

Hi again,


Disable Ad-Watch


Start hjt, do a system scan, check (if found):
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {15E307A3-C201-4608-97BD-ABE1E47E64C6} - C:\WINNT\system32\byXQGvss.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Close browsers and fix checked.



Open notepad and copy/paste the text in the quotebox below into it:

Driver::
ljsaqohw

File::
c:\winnt\ljsaqohw
c:\winnt\system32\drivers\eahiimks.sys

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

• Download the latest version of Java Runtime Environment (JRE) 6 Update 12.
• Click the
  Download
  button to the right.
• Select Windows on platform combobox and check the box that says:
  Accept License Agreement. Click continue.
  
• The page will refresh.
• Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version. Uncheck MSN toolbar if it's offered there.

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.

 

[JDK100]

Okay. Understood. Just one quick question please. When I run the Kaspersky Online Scanner, do I leave my firewall, anti-virus and anti-spyware programs disabled?

 

[Blade81]

Hi

Not necessary to leave disabled but doing so makes scanning go faster

 

[JDK100]

Hello...

HJT did not find this file precisely:

O2 - BHO: (no name) - {15E307A3-C201-4608-97BD-ABE1E47E64C6} - C:\WINNT\system32\byXQGvss.dll

But it did find this:

O2 - BHO: (no name) - {2C7D367C-A4D5-4585-8907-5E67B63D0580} - C:\WINNT\system32\byXQGvss.dll

I assumed (probably shouldn't make ANY assumptions in this situation) that they are the same so I tried to get HJT to fix/remove it but it would not it.

I have not proceeded to the other steps in your instructions pending this.

Please advise.

Thanks.

 

[Blade81]

Hi

Yes, you may fix that one

 

[JDK100]

HJT would NOT remove this file. Should I proceed with your other instructions regardless? Thank-you.

 

[Blade81]

Yes, please.

 

[JDK100]

COMBOFIX LOG AS REQUESTED:
ComboFix 09-03-06.02 - Administrator 2009-03-09 20:10:26.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.495.203 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Outdated)
FW: Norton Internet Security *disabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\winnt\ljsaqohw
c:\winnt\system32\drivers\eahiimks.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\ljsaqohw
c:\winnt\system32\ssvGQXyb.ini
c:\winnt\system32\ssvGQXyb.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LJSAQOHW
-------\Service_ljsaqohw


((((((((((((((((((((((((( Files Created from 2009-02-10 to 2009-03-10 )))))))))))))))))))))))))))))))
.

2009-02-23 01:02 . 2009-02-23 01:02 <DIR> d-------- c:\program files\Trend Micro
2009-02-23 00:59 . 2009-02-23 00:59 <DIR> d-------- c:\program files\ERUNT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-05 15:25 51,160 ----a-w c:\documents and settings\Administrator\Application Data\wklnhst.dat
2009-02-09 14:45 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-08 06:55 --------- d-----w c:\program files\ScreenPrint32 v3
2009-02-07 23:43 --------- dc-h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-07 23:42 --------- d-----w c:\program files\Lavasoft
2009-02-07 23:42 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-07 21:24 --------- d-----r c:\program files\Norton Support
2009-02-07 20:58 302,080 ----a-w c:\winnt\system32\byXQGvss.dll
2009-02-07 20:58 25,088 ----a-w c:\winnt\system32\drivers\eahiimks.sys
2009-01-26 16:28 --------- d-----w c:\program files\Sony Handheld
2009-01-18 21:35 15,688 ----a-w c:\winnt\system32\lsdelete.exe
2009-01-18 21:30 64,160 ----a-w c:\winnt\system32\drivers\Lbd.sys
2009-01-18 16:18 --------- d-----w c:\program files\Paint Shop Pro 5
2009-01-15 15:46 --------- d-----w c:\program files\Google
2008-12-12 17:33 3,060,224 ------w c:\winnt\system32\dllcache\mshtml.dll
2008-12-11 11:57 333,184 ------w c:\winnt\system32\dllcache\srv.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-02-28_21.50.21.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-21 01:02:28 163,328 ----a-w c:\winnt\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-21 00:02:28 163,328 ----a-w c:\winnt\ERDNT\Hiv-backup\ERDNT.EXE
- 2005-10-21 01:02:28 163,328 ----a-w c:\winnt\ERDNT\subs\ERDNT.EXE
+ 2005-10-21 00:02:28 163,328 ----a-w c:\winnt\ERDNT\subs\ERDNT.EXE
- 2000-08-31 13:00:00 89,504 ----a-w c:\winnt\fdsv.exe
+ 2000-08-31 12:00:00 89,504 ----a-w c:\winnt\fdsv.exe
- 2000-08-31 13:00:00 80,412 ----a-w c:\winnt\grep.exe
+ 2000-08-31 12:00:00 80,412 ----a-w c:\winnt\grep.exe
- 2000-08-31 13:00:00 29,696 ----a-w c:\winnt\NIRCMD.exe
+ 2000-08-31 12:00:00 29,696 ----a-w c:\winnt\NIRCMD.exe
- 2000-08-31 13:00:00 98,816 ----a-w c:\winnt\sed.exe
+ 2000-08-31 12:00:00 98,816 ----a-w c:\winnt\sed.exe
- 2000-08-31 13:00:00 161,792 ----a-w c:\winnt\SWREG.exe
+ 2000-08-31 12:00:00 161,792 ----a-w c:\winnt\SWREG.exe
- 2000-08-31 13:00:00 136,704 ----a-w c:\winnt\SWSC.exe
+ 2000-08-31 12:00:00 136,704 ----a-w c:\winnt\SWSC.exe
- 2000-08-31 13:00:00 212,480 ----a-w c:\winnt\SWXCACLS.exe
+ 2000-08-31 12:00:00 212,480 ----a-w c:\winnt\SWXCACLS.exe
- 2008-11-10 00:29:30 53,608 ----a-w c:\winnt\system32\perfc009.dat
+ 2009-03-09 22:55:28 53,608 ----a-w c:\winnt\system32\perfc009.dat
- 2008-11-10 00:29:30 383,254 ----a-w c:\winnt\system32\perfh009.dat
+ 2009-03-09 22:55:28 383,254 ----a-w c:\winnt\system32\perfh009.dat
+ 2009-03-10 00:20:05 16,384 ----atw c:\winnt\Temp\Perflib_Perfdata_454.dat
- 2000-08-31 13:00:00 49,152 ----a-w c:\winnt\VFIND.exe
+ 2000-08-31 12:00:00 49,152 ----a-w c:\winnt\VFIND.exe
- 2000-08-31 13:00:00 68,096 ----a-w c:\winnt\zip.exe
+ 2000-08-31 12:00:00 68,096 ----a-w c:\winnt\zip.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C629948-32EE-4878-BA2B-325153799562}]
2009-02-07 16:58 302080 --a------ c:\winnt\system32\byXQGvss.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-03 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\winnt\System32\igfxtray.exe" [2003-11-18 155648]
"HotKeysCmds"="c:\winnt\System32\hkcmd.exe" [2003-11-18 118784]
"Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2001-05-02 20530]
"Client Access Help Update"="c:\program files\IBM\Client Access\cwbinhlp.exe" [2001-05-02 24576]
"Client Access Check Version"="c:\program files\IBM\Client Access\cwbckver.exe" [2001-05-02 49152]
"Client Access Express Welcome"="c:\program files\IBM\Client Access\cwbwlwiz.exe" [2001-05-02 20480]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-31 385024]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-18 506712]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Mobile User VPN.lnk - c:\program files\WatchGuard\Mobile User VPN\SafeCfg.exe [2004-06-26 53300]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= vdrcodec.dll
"VIDC.PIM1"= pclepim1.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\winnt\system32\byXQGvss

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\winnt\pss\Billminder.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\winnt\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\winnt\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung LBP SM]
--a------ 2007-11-17 15:36 266240 c:\winnt\Samsung\LaserSMMgr\SSMMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-08-03 09:46 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"UPS"=3 (0x3)
"TapiSrv"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\WatchGuard\\Mobile User VPN\\Vpn.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\WatchGuard\\Mobile User VPN\\ViewLog.exe"=
"c:\\Program Files\\WatchGuard\\Mobile User VPN\\CmonApp.exe"=

R0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [2009-02-07 64160]
R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS --> \SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS [?]
R1 BHDrvx86;Symantec Heuristics Driver;c:\winnt\system32\drivers\NIS\1002000.007\BHDrvx86.sys [2008-12-20 255536]
R1 ccHP;Symantec Hash Provider;c:\winnt\system32\drivers\NIS\1002000.007\cchpx86.sys [2008-12-20 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090129.005\IDSxpx86.sys [2009-01-29 276344]
R2 Crypto;Crypto;c:\winnt\system32\drivers\Crypto.sys [2004-06-26 217088]
R2 IPSECDRV;SafeNet IPSec Plugin;c:\winnt\system32\drivers\IpSecDrv.sys [2004-06-26 114232]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 921936]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe [2008-12-20 115560]
R3 DniVap;SafeNet WAN Miniport (VA);c:\winnt\system32\drivers\vapnt.sys [2004-06-26 36188]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-11-16 99376]
.
Contents of the 'Scheduled Tasks' folder

2009-02-07 c:\winnt\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 17:34]

2008-10-31 c:\winnt\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.gateway.net
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\Norton Internet Security\Engine\16.2.0.7\CoIEPlg.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-09 20:20:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\winnt\system32\ssvGQXyb.ini 372 bytes
c:\winnt\system32\ssvGQXyb.ini2 372 bytes

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.2.0.7\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\Administrator\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3712)
c:\program files\PC Magazine Utilities\RoboType\RTHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WatchGuard\Mobile User VPN\IreIKE.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WatchGuard\Mobile User VPN\IPSecMon.exe
c:\program files\lotus\notes\ntmulti.exe
c:\winnt\system32\wbem\unsecapp.exe
c:\winnt\system32\wscntfy.exe
c:\program files\Sony Handheld\HOTSYNC.EXE
c:\program files\PC Magazine Utilities\RoboType\RoboType.exe
c:\winnt\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-03-09 20:26:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-10 00:26:27
ComboFix2.txt 2009-03-01 02:52:13

Pre-Run: 98,346,233,856 bytes free
Post-Run: 98,298,314,752 bytes free

217 --- E O F --- 2009-01-15 18:05:07

HJT LOG AS REQUESTED:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:55:42 AM, on 3/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WatchGuard\Mobile User VPN\SafeCfg.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\PC Magazine Utilities\RoboType\RoboType.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\explorer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\IPSBHO.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: {86851fe5-eaf7-890a-7484-7eff37ea142c} - {c241ae73-ffe7-4847-a098-7fae5ef15868} - C:\WINNT\system32\qvppdh.dll
O2 - BHO: WebSpy Reports Browser Helper Object - {C68F45EB-A501-46AB-8165-BC042CD27136} - C:\PROGRA~1\COMMON~1\WebSpy\WSREPO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [d4b056dd] rundll32.exe "C:\WINNT\system32\shmyykpr.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - S-1-5-18 Startup: Charts for Marissa.lnk = ? (User 'SYSTEM')
O4 - S-1-5-18 Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: MCS, Inc.lnk = ? (User 'SYSTEM')
O4 - S-1-5-18 Startup: RoboType.lnk = C:\Documents and Settings\Administrator\My Documents\Daily.rtl (User 'SYSTEM')
O4 - S-1-5-18 Startup: Sweepstakes and Contests.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: Charts for Marissa.lnk = ? (User 'Default user')
O4 - .DEFAULT Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE (User 'Default user')
O4 - .DEFAULT Startup: MCS, Inc.lnk = ? (User 'Default user')
O4 - .DEFAULT Startup: RoboType.lnk = C:\Documents and Settings\Administrator\My Documents\Daily.rtl (User 'Default user')
O4 - .DEFAULT Startup: Sweepstakes and Contests.lnk = ? (User 'Default user')
O4 - Startup: Charts for Marissa.lnk = ?
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: MCS, Inc.lnk = ?
O4 - Startup: RoboType.lnk = C:\Documents and Settings\Administrator\My Documents\Daily.rtl
O4 - Startup: Sweepstakes and Contests.lnk = ?
O4 - Global Startup: Mobile User VPN.lnk = C:\Program Files\WatchGuard\Mobile User VPN\SafeCfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O20 - AppInit_DLLs: qvppdh.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINNT\CWBRXD.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Multi-user Cleanup Service - Unknown owner - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe

--
End of file - 8651 bytes

KASPERSKY LOG AS REQUESTED:
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, March 10, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, March 09, 2009 21:56:02
Records in database: 1883538
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 89712
Threat name: 6
Infected objects: 12
Suspicious objects: 0
Duration of the scan: 02:28:11


File name / Threat name / Threats count
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\archive backup.pst Infected: Email-Worm.Win32.Sober.p 1
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\archive.pst Infected: Email-Worm.Win32.Sober.p 1
C:\Qoobox\Quarantine\C\WINNT\system32\drivers\senekagqpakyiw.sys.vir Infected: Rootkit.Win32.TDSS.phm 1
C:\Qoobox\Quarantine\C\WINNT\system32\prunnet.exe.vir Infected: Trojan.Win32.Agent.bpna 1
C:\Qoobox\Quarantine\C\WINNT\system32\senekaltoiyqdw.dll.vir Infected: Rootkit.Win32.Agent.hcr 1
C:\Qoobox\Quarantine\C\WINNT\system32\senekaprcfrtyw.dll.vir Infected: Rootkit.Win32.Agent.hcq 1
C:\System Volume Information\_restore{6F62C496-5DBE-4FAD-817D-8EC78C190904}\RP1178\A0139201.sys Infected: Rootkit.Win32.TDSS.phm 1
C:\System Volume Information\_restore{6F62C496-5DBE-4FAD-817D-8EC78C190904}\RP1178\A0139203.dll Infected: Rootkit.Win32.Agent.hcr 1
C:\System Volume Information\_restore{6F62C496-5DBE-4FAD-817D-8EC78C190904}\RP1178\A0139204.dll Infected: Rootkit.Win32.Agent.hcq 1
C:\System Volume Information\_restore{6F62C496-5DBE-4FAD-817D-8EC78C190904}\RP1178\A0139220.exe Infected: Trojan.Win32.Agent.bpna 1
C:\WINNT\system32\drivers\eahiimks.sys Infected: Rootkit.Win32.Agent.hqh 1
C:\WINNT\system32\drivers\phqghume.sys Infected: Rootkit.Win32.Agent.hqh 1

The selected area was scanned.

 

[Blade81]

Hi again


Start hjt, do a system scan, check (if found):
O2 - BHO: {86851fe5-eaf7-890a-7484-7eff37ea142c} - {c241ae73-ffe7-4847-a098-7fae5ef15868} - C:\WINNT\system32\qvppdh.dll
O4 - HKLM\..\Run: [d4b056dd] rundll32.exe "C:\WINNT\system32\shmyykpr.dll",b
O20 - AppInit_DLLs: qvppdh.dll

Close browsers and fix checked.



Open notepad and copy/paste the text in the quotebox below into it:

http://forums.spybot.info/showthread.php?p=296326#post296326

Collect::[4]
c:\winnt\system32\byXQGvss.dll
c:\winnt\system32\drivers\eahiimks.sys
C:\WINNT\system32\drivers\phqghume.sys

File::
c:\winnt\system32\ssvGQXyb.ini
c:\winnt\system32\ssvGQXyb.ini2
C:\WINNT\system32\qvppdh.dll
C:\WINNT\system32\shmyykpr.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C629948-32EE-4878-BA2B-325153799562}]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages" = hex(7):6d,73,76,31,5f,30,00,00

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Refering to the picture above, drag CFScript into ComboFix.exe
You may be asked for a permission to send samples for further analyzing. Let ComboFix do so. Then post the resultant log & a fresh hjt log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Go thru email messages in these archives and delete suspicious looking ones:
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\archive backup.pst
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\archive.pst

 

[JDK100]

Hello again...

New Combofix log:
ComboFix 09-03-06.02 - Administrator 2009-03-13 12:03:50.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.495.154 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\cfscript.txt
AV: Norton Internet Security *On-access scanning disabled* (Outdated)
FW: Norton Internet Security *enabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\winnt\system32\qvppdh.dll
c:\winnt\system32\shmyykpr.dll
c:\winnt\system32\ssvGQXyb.ini
c:\winnt\system32\ssvGQXyb.ini2
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ADMINI~1\LOCALS~1\Temp\tmp1.tmp
c:\docume~1\ADMINI~1\LOCALS~1\Temp\tmp2.tmp
c:\winnt\system32\drivers\eahiimks.sys
c:\winnt\system32\puyuimns.dll
c:\winnt\system32\qvppdh.dll
c:\winnt\system32\rpkyymhs.ini
c:\winnt\system32\shmyykpr.dll
c:\winnt\system32\ssvGQXyb.ini
c:\winnt\system32\ssvGQXyb.ini2

.
((((((((((((((((((((((((( Files Created from 2009-02-13 to 2009-03-13 )))))))))))))))))))))))))))))))
.

2009-03-09 20:55 . 2009-03-09 20:54 410,984 --a------ c:\winnt\system32\deploytk.dll
2009-03-09 20:55 . 2009-03-09 20:54 73,728 --a------ c:\winnt\system32\javacpl.cpl
2009-03-09 20:26 . 2009-03-13 12:17 1,168 --a------ c:\winnt\cmncntrn
2009-02-23 01:02 . 2009-02-23 01:02 <DIR> d-------- c:\program files\Trend Micro
2009-02-23 00:59 . 2009-02-23 00:59 <DIR> d-------- c:\program files\ERUNT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-10 00:54 --------- d-----w c:\program files\Java
2009-03-05 15:25 51,160 ----a-w c:\documents and settings\Administrator\Application Data\wklnhst.dat
2009-02-09 14:45 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-08 06:55 --------- d-----w c:\program files\ScreenPrint32 v3
2009-02-07 23:43 --------- dc-h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-07 23:42 --------- d-----w c:\program files\Lavasoft
2009-02-07 23:42 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-07 21:24 --------- d-----r c:\program files\Norton Support
2009-01-26 16:28 --------- d-----w c:\program files\Sony Handheld
2009-01-18 21:30 64,160 ----a-w c:\winnt\system32\drivers\Lbd.sys
2009-01-18 16:18 --------- d-----w c:\program files\Paint Shop Pro 5
2009-01-15 15:46 --------- d-----w c:\program files\Google
.

((((((((((((((((((((((((((((( SnapShot@2009-02-28_21.50.21.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-21 01:02:28 163,328 ----a-w c:\winnt\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-21 00:02:28 163,328 ----a-w c:\winnt\ERDNT\Hiv-backup\ERDNT.EXE
- 2005-10-21 01:02:28 163,328 ----a-w c:\winnt\ERDNT\subs\ERDNT.EXE
+ 2005-10-21 00:02:28 163,328 ----a-w c:\winnt\ERDNT\subs\ERDNT.EXE
- 2000-08-31 13:00:00 89,504 ----a-w c:\winnt\fdsv.exe
+ 2000-08-31 12:00:00 89,504 ----a-w c:\winnt\fdsv.exe
- 2000-08-31 13:00:00 80,412 ----a-w c:\winnt\grep.exe
+ 2000-08-31 12:00:00 80,412 ----a-w c:\winnt\grep.exe
- 2000-08-31 13:00:00 29,696 ----a-w c:\winnt\NIRCMD.exe
+ 2000-08-31 12:00:00 29,696 ----a-w c:\winnt\NIRCMD.exe
- 2000-08-31 13:00:00 98,816 ----a-w c:\winnt\sed.exe
+ 2000-08-31 12:00:00 98,816 ----a-w c:\winnt\sed.exe
- 2000-08-31 13:00:00 161,792 ----a-w c:\winnt\SWREG.exe
+ 2000-08-31 12:00:00 161,792 ----a-w c:\winnt\SWREG.exe
- 2000-08-31 13:00:00 136,704 ----a-w c:\winnt\SWSC.exe
+ 2000-08-31 12:00:00 136,704 ----a-w c:\winnt\SWSC.exe
- 2000-08-31 13:00:00 212,480 ----a-w c:\winnt\SWXCACLS.exe
+ 2000-08-31 12:00:00 212,480 ----a-w c:\winnt\SWXCACLS.exe
- 2003-10-07 14:43:26 24,670 ----a-w c:\winnt\system32\java.exe
+ 2009-03-10 00:54:44 144,792 ----a-w c:\winnt\system32\java.exe
- 2003-10-07 14:43:26 28,768 ----a-w c:\winnt\system32\javaw.exe
+ 2009-03-10 00:54:44 144,792 ----a-w c:\winnt\system32\javaw.exe
+ 2009-03-10 00:54:44 148,888 ----a-w c:\winnt\system32\javaws.exe
- 2008-11-10 00:29:30 53,608 ----a-w c:\winnt\system32\perfc009.dat
+ 2009-03-13 16:14:19 53,608 ----a-w c:\winnt\system32\perfc009.dat
- 2008-11-10 00:29:30 383,254 ----a-w c:\winnt\system32\perfh009.dat
+ 2009-03-13 16:14:19 383,254 ----a-w c:\winnt\system32\perfh009.dat
+ 2009-03-13 16:18:24 16,384 ----atw c:\winnt\Temp\Perflib_Perfdata_6a0.dat
+ 2009-03-13 16:18:39 16,384 ----atw c:\winnt\Temp\Perflib_Perfdata_774.dat
- 2000-08-31 13:00:00 49,152 ----a-w c:\winnt\VFIND.exe
+ 2000-08-31 12:00:00 49,152 ----a-w c:\winnt\VFIND.exe
- 2000-08-31 13:00:00 68,096 ----a-w c:\winnt\zip.exe
+ 2000-08-31 12:00:00 68,096 ----a-w c:\winnt\zip.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-03 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\winnt\System32\igfxtray.exe" [2003-11-18 155648]
"HotKeysCmds"="c:\winnt\System32\hkcmd.exe" [2003-11-18 118784]
"Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2001-05-02 20530]
"Client Access Help Update"="c:\program files\IBM\Client Access\cwbinhlp.exe" [2001-05-02 24576]
"Client Access Check Version"="c:\program files\IBM\Client Access\cwbckver.exe" [2001-05-02 49152]
"Client Access Express Welcome"="c:\program files\IBM\Client Access\cwbwlwiz.exe" [2001-05-02 20480]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-31 385024]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-18 506712]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Mobile User VPN.lnk - c:\program files\WatchGuard\Mobile User VPN\SafeCfg.exe [2004-06-26 53300]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= vdrcodec.dll
"VIDC.PIM1"= pclepim1.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\winnt\pss\Billminder.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\winnt\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\winnt\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung LBP SM]
--a------ 2007-11-17 15:36 266240 c:\winnt\Samsung\LaserSMMgr\SSMMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-08-03 09:46 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"UPS"=3 (0x3)
"TapiSrv"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\WatchGuard\\Mobile User VPN\\Vpn.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\WatchGuard\\Mobile User VPN\\ViewLog.exe"=
"c:\\Program Files\\WatchGuard\\Mobile User VPN\\CmonApp.exe"=

R0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [2009-02-07 64160]
R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS --> \SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS [?]
R1 BHDrvx86;Symantec Heuristics Driver;c:\winnt\system32\drivers\NIS\1002000.007\BHDrvx86.sys [2008-12-20 255536]
R1 ccHP;Symantec Hash Provider;c:\winnt\system32\drivers\NIS\1002000.007\cchpx86.sys [2008-12-20 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090129.005\IDSxpx86.sys [2009-01-29 276344]
R2 Crypto;Crypto;c:\winnt\system32\drivers\Crypto.sys [2004-06-26 217088]
R2 IPSECDRV;SafeNet IPSec Plugin;c:\winnt\system32\drivers\IpSecDrv.sys [2004-06-26 114232]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 921936]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe [2008-12-20 115560]
R3 DniVap;SafeNet WAN Miniport (VA);c:\winnt\system32\drivers\vapnt.sys [2004-06-26 36188]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-11-16 99376]
S0 cmncntrn;cmncntrn;c:\winnt\system32\drivers\enwatgsn.sys []
.
Contents of the 'Scheduled Tasks' folder

2009-02-07 c:\winnt\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 17:34]

2008-10-31 c:\winnt\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
- - - - ORPHANS REMOVED - - - -

BHO-{E6F6D4A2-4182-436E-81F6-13743A8BBDA0} - c:\winnt\system32\byXQGvss.dll
HKLM-Run-d4b056dd - c:\winnt\system32\shmyykpr.dll


.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.gateway.net
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\Norton Internet Security\Engine\16.2.0.7\CoIEPlg.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-13 12:18:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\winnt\system32\drivers\enwatgsn.sys 25088 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.2.0.7\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\Administrator\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WatchGuard\Mobile User VPN\IreIKE.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WatchGuard\Mobile User VPN\IPSecMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\lotus\notes\ntmulti.exe
c:\winnt\system32\wbem\unsecapp.exe
c:\winnt\system32\wscntfy.exe
c:\winnt\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Sony Handheld\HOTSYNC.EXE
c:\program files\PC Magazine Utilities\RoboType\RoboType.exe
.
**************************************************************************
.
Completion time: 2009-03-13 12:24:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-13 16:24:14
ComboFix2.txt 2009-03-10 00:26:47
ComboFix3.txt 2009-03-01 02:52:13

Pre-Run: 98,407,546,880 bytes free
Post-Run: 98,460,938,240 bytes free

226 --- E O F --- 2009-01-15 18:05:07

New HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:23:13 PM, on 3/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WatchGuard\Mobile User VPN\SafeCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\PC Magazine Utilities\RoboType\RoboType.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\explorer.exe
C:\WINNT\Samsung\LaserSMMgr\ssmmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\IPSBHO.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: WebSpy Reports Browser Helper Object - {C68F45EB-A501-46AB-8165-BC042CD27136} - C:\PROGRA~1\COMMON~1\WebSpy\WSREPO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - S-1-5-18 Startup: Charts for Marissa.lnk = ? (User 'SYSTEM')
O4 - S-1-5-18 Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: MCS, Inc.lnk = ? (User 'SYSTEM')
O4 - S-1-5-18 Startup: RoboType.lnk = C:\Documents and Settings\Administrator\My Documents\Daily.rtl (User 'SYSTEM')
O4 - S-1-5-18 Startup: Sweepstakes and Contests.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: Charts for Marissa.lnk = ? (User 'Default user')
O4 - .DEFAULT Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE (User 'Default user')
O4 - .DEFAULT Startup: MCS, Inc.lnk = ? (User 'Default user')
O4 - .DEFAULT Startup: RoboType.lnk = C:\Documents and Settings\Administrator\My Documents\Daily.rtl (User 'Default user')
O4 - .DEFAULT Startup: Sweepstakes and Contests.lnk = ? (User 'Default user')
O4 - Startup: Charts for Marissa.lnk = ?
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: MCS, Inc.lnk = ?
O4 - Startup: RoboType.lnk = C:\Documents and Settings\Administrator\My Documents\Daily.rtl
O4 - Startup: Sweepstakes and Contests.lnk = ?
O4 - Global Startup: Mobile User VPN.lnk = C:\Program Files\WatchGuard\Mobile User VPN\SafeCfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINNT\CWBRXD.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Multi-user Cleanup Service - Unknown owner - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe

--
End of file - 8329 bytes

I am still in the process of reviewing the messages in:archive backup.pst and archive.pst Nothing I would call "suspicious" but lots of messages which I no longer need so I am deleting them at this time.

I shall await your next instructions.

Thanks, JDK

 

[Blade81]

Hi

Is your Norton Internet Security license still valid?


Open notepad and copy/paste the text in the quotebox below into it:

Driver::
cmncntrn

File::
c:\winnt\cmncntrn
c:\winnt\system32\drivers\enwatgsn.sys

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & a fresh hjt log. How's the system running?


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

 

[JDK100]

Good day...

NEW COMBOFIX LOG:
ComboFix 09-03-15.01 - Administrator 2009-03-18 12:02:30.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.495.204 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Outdated)
FW: Norton Internet Security *enabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\winnt\cmncntrn
c:\winnt\system32\drivers\enwatgsn.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\cmncntrn

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMNCNTRN
-------\Service_cmncntrn


((((((((((((((((((((((((( Files Created from 2009-02-18 to 2009-03-18 )))))))))))))))))))))))))))))))
.

2009-03-09 20:55 . 2009-03-09 20:54 410,984 --a------ c:\winnt\system32\deploytk.dll
2009-03-09 20:55 . 2009-03-09 20:54 73,728 --a------ c:\winnt\system32\javacpl.cpl
2009-03-09 20:26 . 2009-03-09 20:26 25,088 --a------ c:\winnt\system32\drivers\enwatgsn.sys
2009-02-23 01:02 . 2009-02-23 01:02 <DIR> d-------- c:\program files\Trend Micro
2009-02-23 00:59 . 2009-02-23 00:59 <DIR> d-------- c:\program files\ERUNT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-10 00:54 --------- d-----w c:\program files\Java
2009-03-05 15:25 51,160 ----a-w c:\documents and settings\Administrator\Application Data\wklnhst.dat
2009-02-09 14:45 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-08 06:55 --------- d-----w c:\program files\ScreenPrint32 v3
2009-02-07 23:43 --------- dc-h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-07 23:42 --------- d-----w c:\program files\Lavasoft
2009-02-07 23:42 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-07 21:24 --------- d-----r c:\program files\Norton Support
2009-01-26 16:28 --------- d-----w c:\program files\Sony Handheld
2009-01-18 21:30 64,160 ----a-w c:\winnt\system32\drivers\Lbd.sys
2009-01-18 16:18 --------- d-----w c:\program files\Paint Shop Pro 5
.

((((((((((((((((((((((((((((( SnapShot_2009-03-13_12.22.55.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-07 20:58:05 302,080 ----a-w c:\winnt\system32\byXQGvss.dll
- 2009-03-13 16:14:19 53,608 ----a-w c:\winnt\system32\perfc009.dat
+ 2009-03-14 22:35:04 53,608 ----a-w c:\winnt\system32\perfc009.dat
- 2009-03-13 16:14:19 383,254 ----a-w c:\winnt\system32\perfh009.dat
+ 2009-03-14 22:35:04 383,254 ----a-w c:\winnt\system32\perfh009.dat
+ 2009-03-18 16:22:13 16,384 ----atw c:\winnt\Temp\Perflib_Perfdata_7d8.dat
+ 2009-03-18 16:22:29 16,384 ----atw c:\winnt\Temp\Perflib_Perfdata_f0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-03 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\winnt\System32\igfxtray.exe" [2003-11-18 155648]
"HotKeysCmds"="c:\winnt\System32\hkcmd.exe" [2003-11-18 118784]
"Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2001-05-02 20530]
"Client Access Help Update"="c:\program files\IBM\Client Access\cwbinhlp.exe" [2001-05-02 24576]
"Client Access Check Version"="c:\program files\IBM\Client Access\cwbckver.exe" [2001-05-02 49152]
"Client Access Express Welcome"="c:\program files\IBM\Client Access\cwbwlwiz.exe" [2001-05-02 20480]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-31 385024]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-18 506712]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= vdrcodec.dll
"VIDC.PIM1"= pclepim1.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\winnt\pss\Billminder.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\winnt\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\winnt\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung LBP SM]
--a------ 2007-11-17 15:36 266240 c:\winnt\Samsung\LaserSMMgr\SSMMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-08-03 09:46 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"UPS"=3 (0x3)
"TapiSrv"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [2009-02-07 64160]
R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS --> \SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS [?]
R1 BHDrvx86;Symantec Heuristics Driver;c:\winnt\system32\drivers\NIS\1002000.007\BHDrvx86.sys [2008-12-20 255536]
R1 ccHP;Symantec Hash Provider;c:\winnt\system32\drivers\NIS\1002000.007\cchpx86.sys [2008-12-20 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090129.005\IDSxpx86.sys [2009-01-29 276344]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe [2008-12-20 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-11-16 99376]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 921936]
.
Contents of the 'Scheduled Tasks' folder

2009-03-14 c:\winnt\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 17:34]

2008-10-31 c:\winnt\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.gateway.net
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\Norton Internet Security\Engine\16.2.0.7\CoIEPlg.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-18 12:22:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.2.0.7\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1671368710-1694982895-911296165-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\lotus\notes\ntmulti.exe
c:\winnt\system32\wscntfy.exe
c:\program files\Sony Handheld\HOTSYNC.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\PC Magazine Utilities\RoboType\RoboType.exe
.
**************************************************************************
.
Completion time: 2009-03-18 12:28:10 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2009-03-18 16:28:07
ComboFix2.txt 2009-03-13 16:24:20
ComboFix3.txt 2009-03-10 00:26:47
ComboFix4.txt 2009-03-01 02:52:13

Pre-Run: 98,432,118,784 bytes free
Post-Run: 98,420,641,792 bytes free

172 --- E O F --- 2009-01-15 18:05:07

NEW HJT LOG:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:32:11 PM, on 3/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Magazine Utilities\RoboType\RoboType.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\IPSBHO.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: WebSpy Reports Browser Helper Object - {C68F45EB-A501-46AB-8165-BC042CD27136} - C:\PROGRA~1\COMMON~1\WebSpy\WSREPO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - S-1-5-18 Startup: Charts for Marissa.lnk = ? (User 'SYSTEM')
O4 - S-1-5-18 Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: MCS, Inc.lnk = ? (User 'SYSTEM')
O4 - S-1-5-18 Startup: RoboType.lnk = C:\Documents and Settings\Administrator\My Documents\Daily.rtl (User 'SYSTEM')
O4 - S-1-5-18 Startup: Sweepstakes and Contests.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: Charts for Marissa.lnk = ? (User 'Default user')
O4 - .DEFAULT Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE (User 'Default user')
O4 - .DEFAULT Startup: MCS, Inc.lnk = ? (User 'Default user')
O4 - .DEFAULT Startup: RoboType.lnk = C:\Documents and Settings\Administrator\My Documents\Daily.rtl (User 'Default user')
O4 - .DEFAULT Startup: Sweepstakes and Contests.lnk = ? (User 'Default user')
O4 - Startup: Charts for Marissa.lnk = ?
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: MCS, Inc.lnk = ?
O4 - Startup: RoboType.lnk = C:\Documents and Settings\Administrator\My Documents\Daily.rtl
O4 - Startup: Sweepstakes and Contests.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINNT\CWBRXD.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Multi-user Cleanup Service - Unknown owner - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe

--
End of file - 7787 bytes

The system is running better, I think. The "auto-reboot" and "Svc Host" error messages seem to have stopped completely and my User Profile hasn't disappeared in a while. I am still having trouble with Norton Internet Security "advanced protection" but I will contact their Tech Support to see about getting some help with that.

What's next? Am I close?

Thanks.

 

[Blade81]

Hi

It may need re-installation of Norton to make it work properly again.

Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\winnt\system32\drivers\enwatgsn.sys
c:\winnt\system32\byXQGvss.dll

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & a fresh hjt log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

 

[JDK100]

GOOD AFTERNOON/EVENING...

NEW COMBOFIX LOG
ComboFix 09-03-15.01 - Administrator 2009-03-23 11:10:29.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.495.205 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFSCRIPT.txt
AV: Norton Internet Security *On-access scanning disabled* (Outdated)
FW: Norton Internet Security *enabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\winnt\system32\byXQGvss.dll
c:\winnt\system32\drivers\enwatgsn.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\system32\byXQGvss.dll
c:\winnt\system32\drivers\enwatgsn.sys

.
((((((((((((((((((((((((( Files Created from 2009-02-23 to 2009-03-23 )))))))))))))))))))))))))))))))
.

2009-03-09 20:55 . 2009-03-09 20:54 410,984 --a------ c:\winnt\system32\deploytk.dll
2009-03-09 20:55 . 2009-03-09 20:54 73,728 --a------ c:\winnt\system32\javacpl.cpl
2009-02-23 01:02 . 2009-02-23 01:02 <DIR> d-------- c:\program files\Trend Micro
2009-02-23 00:59 . 2009-02-23 00:59 <DIR> d-------- c:\program files\ERUNT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-10 00:54 --------- d-----w c:\program files\Java
2009-03-05 15:25 51,160 ----a-w c:\documents and settings\Administrator\Application Data\wklnhst.dat
2009-02-09 14:45 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-08 06:55 --------- d-----w c:\program files\ScreenPrint32 v3
2009-02-07 23:43 --------- dc-h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-07 23:42 --------- d-----w c:\program files\Lavasoft
2009-02-07 23:42 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-07 21:24 --------- d-----r c:\program files\Norton Support
2009-01-26 16:28 --------- d-----w c:\program files\Sony Handheld
2009-01-18 21:35 15,688 ----a-w c:\winnt\system32\lsdelete.exe
.

((((((((((((((((((((((((((((( SnapShot_2009-03-13_12.22.55.43 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-13 16:14:19 53,608 ----a-w c:\winnt\system32\perfc009.dat
+ 2009-03-14 22:35:04 53,608 ----a-w c:\winnt\system32\perfc009.dat
- 2009-03-13 16:14:19 383,254 ----a-w c:\winnt\system32\perfh009.dat
+ 2009-03-14 22:35:04 383,254 ----a-w c:\winnt\system32\perfh009.dat
+ 2009-03-23 14:03:24 16,384 ----atw c:\winnt\Temp\Perflib_Perfdata_128.dat
+ 2009-03-23 14:03:06 16,384 ----atw c:\winnt\Temp\Perflib_Perfdata_7a8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-03 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\winnt\System32\igfxtray.exe" [2003-11-18 155648]
"HotKeysCmds"="c:\winnt\System32\hkcmd.exe" [2003-11-18 118784]
"Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2001-05-02 20530]
"Client Access Help Update"="c:\program files\IBM\Client Access\cwbinhlp.exe" [2001-05-02 24576]
"Client Access Check Version"="c:\program files\IBM\Client Access\cwbckver.exe" [2001-05-02 49152]
"Client Access Express Welcome"="c:\program files\IBM\Client Access\cwbwlwiz.exe" [2001-05-02 20480]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-31 385024]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-18 506712]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= vdrcodec.dll
"VIDC.PIM1"= pclepim1.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\winnt\pss\Billminder.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\winnt\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\winnt\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung LBP SM]
--a------ 2007-11-17 15:36 266240 c:\winnt\Samsung\LaserSMMgr\SSMMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-08-03 09:46 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"UPS"=3 (0x3)
"TapiSrv"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [2009-02-07 64160]
R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS --> \SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS [?]
R1 BHDrvx86;Symantec Heuristics Driver;c:\winnt\system32\drivers\NIS\1002000.007\BHDrvx86.sys [2008-12-20 255536]
R1 ccHP;Symantec Hash Provider;c:\winnt\system32\drivers\NIS\1002000.007\cchpx86.sys [2008-12-20 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090129.005\IDSxpx86.sys [2009-01-29 276344]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe [2008-12-20 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-11-16 99376]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 921936]
.
Contents of the 'Scheduled Tasks' folder

2009-03-14 c:\winnt\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 17:34]

2008-10-31 c:\winnt\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.gateway.net
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\Norton Internet Security\Engine\16.2.0.7\CoIEPlg.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-23 11:13:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.2.0.7\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1671368710-1694982895-911296165-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(964)
c:\winnt\system32\igfxsrvc.dll
c:\winnt\system32\hccutils.DLL
.
Completion time: 2009-03-23 11:16:38
ComboFix-quarantined-files.txt 2009-03-23 15:16:35
ComboFix2.txt 2009-03-18 16:28:12
ComboFix3.txt 2009-03-13 16:24:20
ComboFix4.txt 2009-03-10 00:26:47
ComboFix5.txt 2009-03-23 15:09:46

Pre-Run: 98,398,244,864 bytes free
Post-Run: 98,384,785,408 bytes free

159 --- E O F --- 2009-01-15 18:05:07

NEW HJT LOG
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:25:06 AM, on 3/23/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Magazine Utilities\RoboType\RoboType.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\IPSBHO.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: WebSpy Reports Browser Helper Object - {C68F45EB-A501-46AB-8165-BC042CD27136} - C:\PROGRA~1\COMMON~1\WebSpy\WSREPO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - S-1-5-18 Startup: Charts for Marissa.lnk = ? (User 'SYSTEM')
O4 - S-1-5-18 Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: MCS, Inc.lnk = ? (User 'SYSTEM')
O4 - S-1-5-18 Startup: RoboType.lnk = C:\Documents and Settings\Administrator\My Documents\Daily.rtl (User 'SYSTEM')
O4 - S-1-5-18 Startup: Sweepstakes and Contests.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: Charts for Marissa.lnk = ? (User 'Default user')
O4 - .DEFAULT Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE (User 'Default user')
O4 - .DEFAULT Startup: MCS, Inc.lnk = ? (User 'Default user')
O4 - .DEFAULT Startup: RoboType.lnk = C:\Documents and Settings\Administrator\My Documents\Daily.rtl (User 'Default user')
O4 - .DEFAULT Startup: Sweepstakes and Contests.lnk = ? (User 'Default user')
O4 - Startup: Charts for Marissa.lnk = ?
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: MCS, Inc.lnk = ?
O4 - Startup: RoboType.lnk = C:\Documents and Settings\Administrator\My Documents\Daily.rtl
O4 - Startup: Sweepstakes and Contests.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINNT\CWBRXD.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Multi-user Cleanup Service - Unknown owner - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe

--
End of file - 7787 bytes

 

[Blade81]

Good evening

Logs look quite good now. How's the system running? Were you able to find a key to Norton problem?