Virtumonde/Winfixer help

Status
Not open for further replies.
T

ThePoo

New member
I've seem to come into contact with the Virtumonde/Vundo/WinFixer garbage. I've managed to clean several infections with the help of Spybot, Norton and a couple of other handy programs, but there's still a persistant file that cannot be cleaned.

I'ved tried using HJT and Spybot in safe mode, to no avail. The file is:

\Windows\System32\sstts.dll


Logs available on request; help:present: Been fighting with it for weeks
 
So I'm not too smart this early in the morning. I shall read the "post here" before going further; sorry for my error
 
Sorry here are my HJT & Kaspersky logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:01:43 PM, on 12/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TZO\TZO_NT_Service.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\TZO\TZOClient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Manulife Financial\Diamond View\Diamondview.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\Chris.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://secure.globeadvisor.com/advisor.html
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {72C5A216-8BA8-4F98-B4D7-A5D5E6A18587} - C:\WINDOWS\system32\sstts.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [MplSetUp] "C:\Program Files\RMClient\MplSetUp.exe"
O4 - HKLM\..\Run: [JobHisInit] "C:\Program Files\RMClient\JobHisInit.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKCU\..\Run: [TZOClient] "C:\Program Files\TZO\TZOClient.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DiamondView] "C:\Program Files\Manulife Financial\Diamond View\Diamondview.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [DiamondView] "C:\Program Files\Manulife Financial\Diamond View\Diamondview.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [DiamondView] "C:\Program Files\Manulife Financial\Diamond View\Diamondview.exe" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DiamondView] "C:\Program Files\Manulife Financial\Diamond View\Diamondview.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DiamondView] "C:\Program Files\Manulife Financial\Diamond View\Diamondview.exe" /background (User 'Default user')
O4 - Global Startup: APC UPS Status.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1190385017140
O17 - HKLM\System\CCS\Services\Tcpip\..\{E8F6CCB6-0CE0-414D-9EBB-41CAE6F7CA36}: NameServer = 216.211.26.14,216.211.26.15
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TZO Client (TZONTService) - Unknown owner - C:\Program Files\TZO\TZO_NT_Service.exe

--
End of file - 9838 bytes


My Kaspersky log was 126 characters too big to fit into this post, so I'll bring it up when requested.

I had to change the HJT exe to a different file name, as it would not pick up the sstts.dll file.
 
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Vundo is a tough infection to remove and since I have seen none of the results from the tools you ran, and most of the infections is hidden, I need to treat this like a new infection to be sure.

Do not post a Kaspersky scan at this point until I request it, if you have these tools onboard, delete them and download them fresh from the links I provide. Please read and follow the directions careully, the tools will not work unless you do.

We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.

1) Thanks to Atribune and any others who helped with this fix.

http://vundofix.atribune.org/ <<< tutorial

"Download VundoFix" to your Desktop

http://www.atribune.org/ccount/click.php?id=4

Double-click VundoFix.exe to run it.
When VundoFix opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will attempt run on reboot, simply follow the above instructions starting from "Click
the Scan for Vundo button." when VundoFix appears at reboot. Vundofix.txt will be on the C:\

(wait until you finish to post reports and logs)

2) Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here or Here to your Desktop
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the Vundofix.txt, combofix log and a new HJT log.

Thanks
 
Sorry for the little delay, here are my logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:14:00 AM, on 12/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TZO\TZO_NT_Service.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\TZO\TZOClient.exe
C:\Program Files\Manulife Financial\Diamond View\Diamondview.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\Chris.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://secure.globeadvisor.com/advisor.html
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B5B095C8-3349-4152-9461-3C10C622A79B} - C:\WINDOWS\system32\sstts.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [MplSetUp] "C:\Program Files\RMClient\MplSetUp.exe"
O4 - HKLM\..\Run: [JobHisInit] "C:\Program Files\RMClient\JobHisInit.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [68784dd8] rundll32.exe "C:\WINDOWS\system32\plmrvaup.dll",b
O4 - HKCU\..\Run: [TZOClient] "C:\Program Files\TZO\TZOClient.exe"
O4 - HKCU\..\Run: [DiamondView] "C:\Program Files\Manulife Financial\Diamond View\Diamondview.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [DiamondView] "C:\Program Files\Manulife Financial\Diamond View\Diamondview.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [DiamondView] "C:\Program Files\Manulife Financial\Diamond View\Diamondview.exe" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DiamondView] "C:\Program Files\Manulife Financial\Diamond View\Diamondview.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DiamondView] "C:\Program Files\Manulife Financial\Diamond View\Diamondview.exe" /background (User 'Default user')
O4 - Global Startup: APC UPS Status.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1190385017140
O17 - HKLM\System\CCS\Services\Tcpip\..\{E8F6CCB6-0CE0-414D-9EBB-41CAE6F7CA36}: NameServer = 216.211.26.14,216.211.26.15
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TZO Client (TZONTService) - Unknown owner - C:\Program Files\TZO\TZO_NT_Service.exe

--
End of file - 9683 bytes


VundoFix V6.7.0

Checking Java version...

Scan started at 12:37:06 PM 12/3/2007

Listing files found while scanning....


VundoFix V6.7.0

Checking Java version...

Scan started at 12:39:30 PM 12/3/2007

Listing files found while scanning....

C:\windows\system32\adeeg.ini
C:\windows\system32\adeeg.ini2
C:\windows\system32\geeda.dll

Beginning removal...

Attempting to delete C:\windows\system32\adeeg.ini
C:\windows\system32\adeeg.ini Has been deleted!

Attempting to delete C:\windows\system32\adeeg.ini2
C:\windows\system32\adeeg.ini2 Has been deleted!

Attempting to delete C:\windows\system32\geeda.dll
C:\windows\system32\geeda.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.7.0

Checking Java version...

Scan started at 2:56:18 PM 12/3/2007

Listing files found while scanning....


VundoFix V6.7.0

Checking Java version...

Scan started at 3:44:20 PM 12/3/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.7.0

Checking Java version...

Scan started at 9:38:44 AM 12/20/2007

Listing files found while scanning....


VundoFix V6.7.7

Checking Java version...

Scan started at 10:44:48 AM 12/24/2007

Listing files found while scanning....

C:\WINDOWS\system32\khfgdbx.dll
C:\windows\system32\ozbbtucz.dllbox
C:\WINDOWS\system32\pbsfsycd.dll
C:\WINDOWS\system32\plmrvaup.dll
C:\WINDOWS\system32\puavrmlp.ini
C:\WINDOWS\system32\sstts.dll
C:\WINDOWS\system32\sttss.ini
C:\WINDOWS\system32\sttss.ini2
C:\WINDOWS\system32\stvpgprm.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\khfgdbx.dll
C:\WINDOWS\system32\khfgdbx.dll Has been deleted!

Attempting to delete C:\windows\system32\ozbbtucz.dllbox
C:\windows\system32\ozbbtucz.dllbox Has been deleted!

Attempting to delete C:\WINDOWS\system32\pbsfsycd.dll
C:\WINDOWS\system32\pbsfsycd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\plmrvaup.dll
C:\WINDOWS\system32\plmrvaup.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\puavrmlp.ini
C:\WINDOWS\system32\puavrmlp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\sstts.dll
C:\WINDOWS\system32\sstts.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\sttss.ini
C:\WINDOWS\system32\sttss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\sttss.ini2
C:\WINDOWS\system32\sttss.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\stvpgprm.dll
C:\WINDOWS\system32\stvpgprm.dll Has been deleted!

Performing Repairs to the registry.
Done!


ComboFix log to follow in another post!
 
ComboFix 07-12-21.4 - Morrow Financial 2007-12-24 11:06:38.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1526 [GMT -5:00]
Running from: C:\Documents and Settings\Morrow Financial\Desktop\Chris Tools\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Morrow Financial\Favorites\Online Security Guide.lnk
C:\WINDOWS\system32\_000013_.tmp.dll
C:\WINDOWS\system32\cfx32.ocx
C:\WINDOWS\system32\tfwfauua.dll
C:\WINDOWS\system32\wsqfuggp.dll

.
((((((((((((((((((((((((( Files Created from 2007-11-24 to 2007-12-24 )))))))))))))))))))))))))))))))
.

2007-12-21 10:19 . 2007-12-21 10:19 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-20 10:57 . 2007-12-20 10:57 <DIR> d-------- C:\KAV Install Files
2007-12-20 10:53 . 2007-12-20 10:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-20 10:46 . 2007-12-20 10:46 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-20 10:17 . 2007-12-24 10:25 <DIR> d-------- C:\Program Files\RogueRemover FREE
2007-12-20 09:38 . 2007-12-24 11:02 <DIR> d-------- C:\VundoFix Backups
2007-12-15 04:09 . 2007-12-16 04:10 294 ---hs---- C:\WINDOWS\system32\desyweqr.ini
2007-12-07 02:00 . 2007-12-07 02:00 594 ---hs---- C:\WINDOWS\system32\prpaehvt.ini
2007-12-05 09:09 . 2007-12-06 08:32 534 ---hs---- C:\WINDOWS\system32\fncsihgx.ini
2007-12-04 16:17 . 2007-12-04 16:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-04 13:21 . 2007-12-04 13:33 354 ---hs---- C:\WINDOWS\system32\cbujriqg.ini
2007-12-03 14:32 . 2007-12-21 10:37 3,054 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-03 12:41 . 2007-12-03 12:41 164 --a------ C:\install.dat
2007-11-30 23:57 . 2007-11-30 23:57 317,616 --a------ C:\WINDOWS\system32\drivers\srtspl.sys
2007-11-30 23:57 . 2007-11-30 23:57 279,088 --a------ C:\WINDOWS\system32\drivers\srtsp.sys
2007-11-30 23:57 . 2007-11-30 23:57 43,696 --a------ C:\WINDOWS\system32\drivers\srtspx.sys
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ C:\WINDOWS\system32\drivers\srtspx.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ C:\WINDOWS\system32\drivers\srtspl.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,545 --a------ C:\WINDOWS\system32\drivers\srtsp.cat
2007-11-30 23:57 . 2007-11-30 23:57 1,430 --a------ C:\WINDOWS\system32\drivers\srtspl.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,421 --a------ C:\WINDOWS\system32\drivers\srtspx.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,415 --a------ C:\WINDOWS\system32\drivers\srtsp.inf
2007-11-29 15:55 . 2007-12-13 13:52 97 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-11-28 14:41 . 2007-11-28 14:41 <DIR> d-------- C:\Program Files\Safer Networking
2007-11-28 13:40 . 2007-12-03 14:24 <DIR> d-------- C:\Documents and Settings\Morrow Financial\Application Data\uTorrent
2007-11-27 16:49 . 2007-11-27 16:49 7,168 --ahs---- C:\WINDOWS\Thumbs.db
2007-11-26 13:08 . 2007-11-26 13:18 <DIR> d-------- C:\WINDOWS\SxsCaPendDel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-24 16:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-24 15:50 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-24 15:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-05 14:10 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-05 14:10 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-05 14:10 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-05 14:10 --------- d-----w C:\Program Files\Symantec
2007-11-28 20:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-11-26 18:12 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-20 19:34 --------- d-----w C:\Documents and Settings\Default User\Application Data\Apple Computer
2007-11-19 22:45 --------- d-----w C:\Program Files\Norton Internet Security
2007-11-19 22:40 --------- d-----w C:\Program Files\iTunes
2007-11-19 22:33 --------- d-----w C:\Program Files\ClickToConvert
2007-11-19 21:56 --------- d-----w C:\Program Files\TZO
2007-11-16 21:37 --------- d-----w C:\Program Files\DesignPro
2007-11-16 17:07 --------- d-----w C:\Program Files\vso
2007-11-16 14:52 --------- d-----w C:\Program Files\iPod
2007-11-16 14:51 --------- d-----w C:\Program Files\QuickTime
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-31 00:55 39,856 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2007-10-31 00:55 37,936 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2007-10-31 00:55 35,120 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2007-10-31 00:55 27,696 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2007-10-31 00:55 191,536 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2007-10-31 00:55 145,968 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2007-10-31 00:55 12,848 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2007-10-31 00:24 12,963 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2007-10-31 00:24 1,358 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2007-10-30 19:41 921,088 ----a-w C:\Program Files\Common Files\MPDPDODB.DLL
2007-10-25 17:24 --------- d-----w C:\Program Files\WebEx
2007-10-25 17:24 --------- d-----w C:\Documents and Settings\Morrow Financial\Application Data\webex
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5B095C8-3349-4152-9461-3C10C622A79B}]
C:\WINDOWS\system32\sstts.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TZOClient"="C:\Program Files\TZO\TZOClient.exe" [2005-06-17 03:02]
"DiamondView"="C:\Program Files\Manulife Financial\Diamond View\Diamondview.exe" [2007-11-05 15:12]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 08:18]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 19:51]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 19:15]
"P17Helper"="Rundll32 P17.dll" []
"MplSetUp"="C:\Program Files\RMClient\MplSetUp.exe" [2000-11-04 04:09]
"JobHisInit"="C:\Program Files\RMClient\JobHisInit.exe" [2004-03-18 16:47]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 00:05]
"CTSysVol"="C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 09:43]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 11:52]
"68784dd8"="C:\WINDOWS\system32\plmrvaup.dll" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DiamondView"="C:\Program Files\Manulife Financial\Diamond View\Diamondview.exe" [2007-11-05 15:12]

R3 P17;SB Live! 24-bit;C:\WINDOWS\system32\drivers\P17.sys [2007-06-15 01:47]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f53de38d-5117-11dc-a3e1-001111391434}]
\Shell\AutoRun\command - F:\LaunchU3.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-12-21 02:27:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-21 01:00:01 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Morrow Financial.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-24 11:10:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-24 11:11:42 - machine was rebooted
.
2007-12-21 15:17:15 --- E O F ---
 
Thanks for returning your information, read and follow the directions carefully.

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

3) Open Vundofix by Doubleclicking on it, then point your mouse to the white box above the buttons and right click, then click on Add More Files. When the next window opens, copy and paste the files into the boxes and click on Add File(s), then click on Close Window. Then click Remove Vundo.

(files to add)

C:\WINDOWS\system32\plmrvaup.dll
C:\WINDOWS\system32\desyweqr.ini
C:\WINDOWS\system32\prpaehvt.ini
C:\WINDOWS\system32\fncsihgx.ini
C:\WINDOWS\system32\cbujriqg.ini
C:\WINDOWS\system32\mcrh.tmp

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {B5B095C8-3349-4152-9461-3C10C622A79B} - C:\WINDOWS\system32\sstts.dll (file missing)
O4 - HKLM\..\Run: [68784dd8] rundll32.exe "C:\WINDOWS\system32\plmrvaup.dll",b

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\system32\plmrvaup.dll <<< make sure that file is gone

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post the Vundofix report, a new HJT log and your comments. How is the computer running?

Thanks
 
Happy New Year!

Sorry for the long response, was quite busy over the Christmas and New Year holidays.

Here are my logs:


VundoFix V6.7.0

Checking Java version...

Scan started at 12:37:06 PM 12/3/2007

Listing files found while scanning....


VundoFix V6.7.0

Checking Java version...

Scan started at 12:39:30 PM 12/3/2007

Listing files found while scanning....

C:\windows\system32\adeeg.ini
C:\windows\system32\adeeg.ini2
C:\windows\system32\geeda.dll

Beginning removal...

Attempting to delete C:\windows\system32\adeeg.ini
C:\windows\system32\adeeg.ini Has been deleted!

Attempting to delete C:\windows\system32\adeeg.ini2
C:\windows\system32\adeeg.ini2 Has been deleted!

Attempting to delete C:\windows\system32\geeda.dll
C:\windows\system32\geeda.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.7.0

Checking Java version...

Scan started at 2:56:18 PM 12/3/2007

Listing files found while scanning....


VundoFix V6.7.0

Checking Java version...

Scan started at 3:44:20 PM 12/3/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.7.0

Checking Java version...

Scan started at 9:38:44 AM 12/20/2007

Listing files found while scanning....


VundoFix V6.7.7

Checking Java version...

Scan started at 10:44:48 AM 12/24/2007

Listing files found while scanning....

C:\WINDOWS\system32\khfgdbx.dll
C:\windows\system32\ozbbtucz.dllbox
C:\WINDOWS\system32\pbsfsycd.dll
C:\WINDOWS\system32\plmrvaup.dll
C:\WINDOWS\system32\puavrmlp.ini
C:\WINDOWS\system32\sstts.dll
C:\WINDOWS\system32\sttss.ini
C:\WINDOWS\system32\sttss.ini2
C:\WINDOWS\system32\stvpgprm.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\khfgdbx.dll
C:\WINDOWS\system32\khfgdbx.dll Has been deleted!

Attempting to delete C:\windows\system32\ozbbtucz.dllbox
C:\windows\system32\ozbbtucz.dllbox Has been deleted!

Attempting to delete C:\WINDOWS\system32\pbsfsycd.dll
C:\WINDOWS\system32\pbsfsycd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\plmrvaup.dll
C:\WINDOWS\system32\plmrvaup.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\puavrmlp.ini
C:\WINDOWS\system32\puavrmlp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\sstts.dll
C:\WINDOWS\system32\sstts.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\sttss.ini
C:\WINDOWS\system32\sttss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\sttss.ini2
C:\WINDOWS\system32\sttss.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\stvpgprm.dll
C:\WINDOWS\system32\stvpgprm.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\cbujriqg.ini
C:\WINDOWS\system32\cbujriqg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\desyweqr.ini
C:\WINDOWS\system32\desyweqr.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\fncsihgx.ini
C:\WINDOWS\system32\fncsihgx.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mcrh.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\prpaehvt.ini
C:\WINDOWS\system32\prpaehvt.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.7.7

Checking Java version...

Scan started at 12:25:16 PM 1/3/2008

Listing files found while scanning....

No infected files were found.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28:02 PM, on 1/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TZO\TZO_NT_Service.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\TZO\TZOClient.exe
C:\Program Files\Manulife Financial\Diamond View\Diamondview.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Morrow Financial\Desktop\Chris Tools\VundoFix.exe
C:\Program Files\Trend Micro\HijackThis\Chris.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://secure.globeadvisor.com/advisor.html
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [MplSetUp] "C:\Program Files\RMClient\MplSetUp.exe"
O4 - HKLM\..\Run: [JobHisInit] "C:\Program Files\RMClient\JobHisInit.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKCU\..\Run: [TZOClient] "C:\Program Files\TZO\TZOClient.exe"
O4 - HKCU\..\Run: [DiamondView] "C:\Program Files\Manulife Financial\Diamond View\Diamondview.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [DiamondView] "C:\Program Files\Manulife Financial\Diamond View\Diamondview.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [DiamondView] "C:\Program Files\Manulife Financial\Diamond View\Diamondview.exe" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DiamondView] "C:\Program Files\Manulife Financial\Diamond View\Diamondview.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DiamondView] "C:\Program Files\Manulife Financial\Diamond View\Diamondview.exe" /background (User 'Default user')
O4 - Global Startup: APC UPS Status.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1190385017140
O17 - HKLM\System\CCS\Services\Tcpip\..\{E8F6CCB6-0CE0-414D-9EBB-41CAE6F7CA36}: NameServer = 216.211.26.14,216.211.26.15
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TZO Client (TZONTService) - Unknown owner - C:\Program Files\TZO\TZO_NT_Service.exe

--
End of file - 9904 bytes


Seems like everything is running hunky-dory now! Startup is definately a lot faster, and there's no more popups!

Thanks very much! Couldn't have done it without your help! Have a safe new year!
 
Thanks for returning your information and the feedback. Let's have a look at a Kaspersky scan to make sure nothing is hiding. You have Kaspersky already, please scan using these settings.

Before you scan, remove combofix, C:\qoobox\quarantine\, Vundofix and the C:\VundoFix Backups from your computer.

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from:

http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here, no need to post it if it is clean.

Thanks
 
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
 
Status
Not open for further replies.
Back
Top