
Question regarding virus

Comments

47 comments

  • Customer

    I did make a screen shot with the info on, but pasted it into a Word document. Is there any way I can attach that file and send it to you? I tried uploading the file below, but got a message I was unable to upload that type of file.

     

    In reading several of the posts from today, it sounds as if we are having a lot of the same problems.

     

    Sandy

    0
  • Support

    Hi Sandy,

     

    You didn't need to buy Ad-Aware for it to remove malware. The free version will remove detected malware as well as the paid version. The paid version simply has additional features to block malware from entering your system in the first place. However, keep in mind that some of today's malware can disable your security programs, so that may also be at play here.

     

    That's a very difficult time to be switching AVs, I agree. Have you already uninstalled Norton?

     

    Yes, please do attach your document and I'll take a look at it, or you can just copy and paste the info on it into a reply here.

    Edit: I re-read your post and see that it is probably an image. You should be able to attach an image here to your reply as long as it is in .gif or .jpg format (it will also take .bmp, but those are so large it may be difficult to upload).

     

    I can help with some diagnostic tools and malware removal procedures to see if we can get your PC back into shape.

     

    Let's start with this tool. It will give me a lot of diagnostic information about your system and any possible hidden malware, to give me a clue of what we are left dealing with and which tools or other removal steps may be needed.

     

    This is a free tool and I really just need to see the log from it first.

     

    * Download Trend Micro HijackThis™

    http://download.bleepingcomputer.com/hijac.../HJTInstall.exe

    Doubleclick the HJTInstall.exe to start it.

    By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.

    HijackThis will open after install. Press the Scan button below.

    This will start the scan and open a log.

    Copy and paste the contents of the log in your next reply.

    0
  • Customer

    Hi,

    This is a copy of the HijackThis logfile:

     

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 9:45:21 PM, on 3/16/2008

    Platform: Windows XP (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Boot mode: Normal

     

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\System32\Ati2evxx.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

    C:\Program Files\Common Files\Symantec Shared\ccApp.exe

    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Viewpoint\Common\ViewpointService.exe

    C:\WINDOWS\System32\devldr32.exe

    C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    C:\Program Files\QuickTime\qttask.exe

    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    C:\WINDOWS\System32\WgaTray.exe

    C:\WINDOWS\System32\wuauclt.exe

    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    C:\WINDOWS\explorer.exe

    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE

    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

     

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lookfor.cc?pin=28129

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=28129

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://lookfor.cc/sp.php?pin=28129

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lookfor.cc?pin=28129

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST1.03.0000.1005\en-xu\stmain.dll

    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar1.02.3000.1001\en-us\msntb.dll

    O2 - BHO: RDL Rolex - {C9101D88-5C46-4757-87FC-40CAA937F9F2} - C:\WINDOWS\drnpfdxfxv.dll (file missing)

    O2 - BHO: SyedIEHlprObj Class - {F104576A-91BA-40AD-91DE-2C20801339AB} - C:\WINDOWS\Downloaded Program Files\ieplugin001.dll

    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar1.02.3000.1001\en-us\msntb.dll

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

    O3 - Toolbar: enlfxgw - {EAF43BEC-A979-470B-8EC0-9225C11CB213} - C:\DOCUME~1\Sandy\LOCALS~1\Temp\ac8zt2\enlfxgw.dll (file missing)

    O3 - Toolbar: etlrlws - {CE98234D-64C9-42BE-80B9-5D9EC9E1E0A4} - C:\DOCUME~1\Sandy\LOCALS~1\Temp\ac8zt2\etlrlws.dll (file missing)

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')

    O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')

    O4 - HKUS\S-1-5-18\..\RunOnce: [sRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'SYSTEM')

    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')

    O4 - HKUS\.DEFAULT\..\RunOnce: [sRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'Default user')

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

    O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab

    O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\mokeogmv.exe

    O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://www.snapfish.com/SnapfishOutlookImport.cab

    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab

    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/102b16dfbe7928...ip/RdxIE601.cab

    O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://ispe.sdc.hp.com/awebui/jsp/answerwe...SWebManager.CAB

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1108410660308

    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1152998967447

    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab

    O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave.com/content/luxor/mjolauncher.cab

    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab

    O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://foodnet2.view22.com/view22/app/view22rte.cab

    O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab

    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/SymAData.cab

    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled...aploader_v6.cab

    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab

    O16 - DPF: {F104576A-91BA-40AD-91DE-2C2080133900} - http://www.search-climbers.net/download/cab/ieplugin.cab

    O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - file://C:\Program Files\OpenCube\Visual QuickMenu Pro\program\comdlg32.cab

    O20 - AppInit_DLLs: C:\WINDOWS\System32\win_3u.dll

    O21 - SSODL: btrklfr - {2D0C1281-D97C-4ED4-9E7E-B72DE2FEFB4B} - C:\WINDOWS\btrklfr.dll (file missing)

    O21 - SSODL: MonSetup - {89da981f-b01a-4a92-ab98-c8026aa55815} - C:\WINDOWS\Installer\{89da981f-b01a-4a92-ab98-c8026aa55815}\MonSetup.dll

    O21 - SSODL: bokpkov - {E9FB8075-6A1C-4B6B-A642-58997A26E3DB} - C:\WINDOWS\bokpkov.dll (file missing)

    O21 - SSODL: altvxvm - {4CB6BFDF-00BA-4458-9320-1B8C5D7BD0D0} - C:\WINDOWS\altvxvm.dll (file missing)

    O21 - SSODL: zip - {76df3b7b-becf-4781-9760-5f62e5901545} - C:\WINDOWS\Installer\{76df3b7b-becf-4781-9760-5f62e5901545}\zip.dll

    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    O24 - Desktop Component 0: (no name) - http://gardenperennials.net/assets/perenni...cqscale-125.jpg

    O24 - Desktop Component 1: (no name) - http://gardenperennials.net/assets/perenni...CAscale-125.jpg

    O24 - Desktop Component 2: (no name) - http://gardenperennials.net/assets/perennials-350/paccg.jpg

     

    --

    End of file - 12368 bytes

    0
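The log above is read by eye, entry type by entry type, for the same handful of tells: entries whose file is gone, DLLs loading from a Temp folder or straight out of C:\WINDOWS, AppInit_DLLs and SSODL persistence, a hijacked start/search page, gibberish component names, and executables named after (or one typo away from) real system binaries. As an added example, not part of the thread and not code from HijackThis, Trend Micro or this forum, the Python script below encodes those tells and ranks a HijackThis-style log by how many of them each line trips. The sample log, the GUIDs, the user name, the hijack host, the allowlist of default start-page hosts, the system-binary name list and the vowel-ratio threshold are all constructed assumptions for the example; a real log would be passed to `triage()` as text.

```python
"""Rank HijackThis-style log lines by how suspicious they look (added example for
this thread, not code from the forum or from HijackThis; the host allowlist,
system-name list and thresholds are assumptions)."""
import re

# Constructed sample in HijackThis 2.0.2 layout; GUIDs, user name and host are placeholders.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lookfor.example/?pin=1
O2 - BHO: Adobe PDF Reader Link Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RDL Rolex - {00000000-0000-0000-0000-000000000002} - C:\WINDOWS\drnpfdxfxv.dll (file missing)
O3 - Toolbar: enlfxgw - {00000000-0000-0000-0000-000000000003} - C:\DOCUME~1\User\LOCALS~1\Temp\ac8zt2\enlfxgw.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\User\Local Settings\Application Data\cftmon.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\User\LOCALS~1\Temp\winlogon.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\mokeogmv.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\win_3u.dll
O21 - SSODL: btrklfr - {00000000-0000-0000-0000-000000000004} - C:\WINDOWS\btrklfr.dll (file missing)
"""

HJT_LINE = re.compile(r"^(?P<type>R[0-3]|O\d{1,2}) - (?P<body>.+)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe|ocx|sys)\b", re.I)
NAME_RE = re.compile(r"^(?:BHO|Toolbar|SSODL): (?P<name>.+?) - \{")
WINROOT_RE = re.compile(r"^[A-Za-z]:\\windows\\[^\\]+$", re.I)
SYSTEM_DIR_RE = re.compile(r"^[A-Za-z]:\\windows\\(?:system32\\)?[^\\]+$", re.I)
DEFAULT_HOSTS = {"about:blank", "go.microsoft.com", "www.microsoft.com", "www.msn.com"}  # assumption
SYSTEM_NAMES = {"smss", "csrss", "winlogon", "services", "lsass", "svchost", "spoolsv", "explorer", "ctfmon"}

def vowel_ratio(word):
    letters = [c for c in word.lower() if c.isalpha()]
    return sum(c in "aeiou" for c in letters) / len(letters) if letters else 1.0

def looks_random(name):
    """Crude gibberish test: six or more bare letters with almost no vowels; it ranks, it does not decide."""
    return re.fullmatch(r"[A-Za-z]{6,}", name) is not None and vowel_ratio(name) < 0.15

def within_one_edit(a, b):
    """Damerau distance exactly 1: one substitution, insertion, deletion or adjacent swap."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        d = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
        return len(d) == 1 or (len(d) == 2 and d[1] == d[0] + 1
                               and a[d[0]] == b[d[1]] and a[d[1]] == b[d[0]])
    short, long_ = sorted((a, b), key=len)
    i = 0
    while i < len(short) and short[i] == long_[i]:
        i += 1
    return short[i:] == long_[i + 1:]

def url_host(value):
    m = re.match(r"[a-z][a-z0-9+.-]*://([^/?#]+)", value.strip(), re.I)
    return m.group(1).lower() if m else value.strip().lower()

def triage_line(line):
    """Return {'type', 'line', 'reasons'} for a suspicious entry, else None."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None  # header, blank or 'Running processes' line
    kind, body = m.group("type"), m.group("body")
    path_m = PATH_RE.search(body)
    path = path_m.group(0) if path_m else ""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    in_temp, in_winroot = "\\temp\\" in path.lower(), bool(WINROOT_RE.match(path))
    checks = [
        ("(file missing)" in body or "(no file)" in body, "registry entry points at a file that no longer exists"),
        (in_temp, "component loads from a Temp directory"),
        (in_winroot, "binary sits directly in the Windows directory"),
        (kind == "O20", "AppInit_DLLs is injected into every process that loads user32.dll"),
        (kind == "O21", "ShellServiceObjectDelayLoad entry is loaded by Explorer at logon"),
        (kind == "O16" and "file://" in body.lower(), "ActiveX DPF entry references a local file"),
    ]
    reasons = [why for hit, why in checks if hit]
    if kind in ("R0", "R1") and "=" in body:
        host = url_host(body.split("=", 1)[1])
        if host not in DEFAULT_HOSTS:
            reasons.append(f"browser start/search page points at {host}")
    if stem in SYSTEM_NAMES and not SYSTEM_DIR_RE.match(path):
        reasons.append(f"{stem}.exe outside its normal Windows directory")
    for known in sorted(SYSTEM_NAMES):
        if stem not in SYSTEM_NAMES and within_one_edit(stem, known):
            reasons.append(f"name mimics system binary {known}")
    # Gibberish: test the display name always, the file stem only when it sits in an odd location.
    names = [NAME_RE.match(body).group("name")] if NAME_RE.match(body) else []
    if path and (in_temp or in_winroot):
        names.append(stem)
    gibberish = sorted({n for n in names if looks_random(n)})
    if gibberish:
        reasons.append("random-looking name: " + ", ".join(gibberish))
    return {"type": kind, "line": line.strip(), "reasons": reasons} if reasons else None

def triage(log_text):
    """All flagged entries, most reasons first; ties keep log order."""
    hits = [h for h in map(triage_line, log_text.splitlines()) if h]
    return sorted(hits, key=lambda h: len(h["reasons"]), reverse=True)

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"[{len(hit['reasons'])}] {hit['line']}", *hit["reasons"], sep="\n    ")
```

The ranking is deliberately a list of reasons rather than a verdict: a legitimate entry can trip one heuristic (Explorer does live in the Windows root, and a short real name like `svchost` fails the vowel test), so the value is in the entries that trip several at once, which in a log like the one above are the orphaned Temp-folder toolbars, the SSODL DLLs and the `cftmon`/`spools` lookalikes.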
  • Customer

    Two lines in the log file grabbed my attention.

     

    O3 - Toolbar: enlfxgw - {EAF43BEC-A979-470B-8EC0-9225C11CB213} - C:\DOCUME~1\Sandy\LOCALS~1\Temp\ac8zt2\enlfxgw.dll (file missing)

    O3 - Toolbar: etlrlws - {CE98234D-64C9-42BE-80B9-5D9EC9E1E0A4} - C:\DOCUME~1\Sandy\LOCALS~1\Temp\ac8zt2\etlrlws.dll (file missing)

     

    Two new toolbars have appeared in IE the last week. enlfxgw and etlrlws

     

    I am a two on the one to ten scale of what I know about computers so be patient.

     

    Sandy

    0
  • Support

    Yes, well, those have already been fixed. It is what is behind them that we need to get at. Just sit back and let me do the driving because I do know what I'm doing here and what I'm looking at. "Leave the driving to us"

     

    We have a combo of problems, a malware cocktail at the moment, so I will ask your patience in these next steps because HijackThis just gives me a snapshot of A) your operating system and specifications, which lets me know which tools I can grab, B) what possible malware we might be dealing with, and C) other stuff I don't have the time to explain, but I can help you with this. This isn't going to be a quick and easy one, but we will get you resolved, I promise.

     

    We only use free tools here, by the way. Two steps to follow next. It may not solve everything but should make a serious dent in the malware, and the logs they produce will give me some valuable info on what steps may be needed after that.

     

    Download ComboFix and save it to your desktop.

     

    **Note: It is important that it is saved directly to your desktop**

     

    1. Close any open browsers.

     

    2. Double click on combofix.exe & follow the prompts.

    • When finished, it will produce a report for you.

    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

    Note:

    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

     

     

    .................

    This one will do a complete system scan and tell me if any system files are infected (plus some other valuable log info)

     

    * Go here to run an online scanner from ESET.


    • Note: You will need to use Internet explorer for this scan

    • Tick the box next to YES, I accept the Terms of Use.

    • Click Start

    • When asked, allow the activex control to install

    • Click Start

    • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked

    • Click Scan

    • Wait for the scan to finish

    • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt

    • Copy and paste that log as a reply to this topic, along with a new HijackThis log & a description of any remaining problems

    0
  • Customer

    Here is the ComboFix Log file:

     

     

    ComboFix 08-03-14.4 - Sandy 2008-03-16 23:08:22.2 - NTFSx86

    Running from: C:\Documents and Settings\Sandy\Desktop\ComboFix.exe

    * Created a new restore point

     

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    .

    ADS - svchost.exe: deleted 28672 bytes in 1 streams.

     

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    .

     

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

    C:\kmd.exe

    C:\WINDOWS\file896.exe

    C:\WINDOWS\system32\dllgh8jkd1q8.exe

     

    ----- BITS: Possible infected sites -----

     

    hxxp://flycodecs.com

    .

    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .

     

    -------\LEGACY_FCI

     

     

    ((((((((((((((((((((((((( Files Created from 2008-02-17 to 2008-03-17 )))))))))))))))))))))))))))))))

    .

     

    2008-03-16 21:44 . 2008-03-16 21:44 <DIR> d-------- C:\Program Files\Trend Micro

    2008-03-15 14:44 . 2008-03-15 14:44 <DIR> d-------- C:\Program Files\Lavasoft

    2008-03-15 14:43 . 2008-03-15 14:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

    2008-03-14 17:35 . 2008-03-14 17:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

    2008-03-13 10:32 . 2008-03-13 10:33 <DIR> d-------- C:\WINDOWS\LMI108D.tmp

    2008-03-07 14:03 . 2008-03-07 14:03 625,032 --a------ C:\WINDOWS\system32\SymNeti.dll

    2008-03-07 14:03 . 2008-03-07 14:03 242,056 --a------ C:\WINDOWS\system32\SymRedir.dll

    2008-03-07 13:40 . 2008-03-07 13:40 13,035 --a------ C:\WINDOWS\system32\drivers\SymRedir.cat

    2008-03-07 13:40 . 2008-03-07 13:40 1,358 --a------ C:\WINDOWS\system32\drivers\SymRedir.inf

    2008-03-07 13:39 . 2008-03-07 13:39 191,536 --a------ C:\WINDOWS\system32\drivers\symtdi.sys

    2008-03-07 13:39 . 2008-03-07 13:39 145,968 --a------ C:\WINDOWS\system32\drivers\symfw.sys

    2008-03-07 13:39 . 2008-03-07 13:39 39,984 --a------ C:\WINDOWS\system32\drivers\symids.sys

    2008-03-07 13:39 . 2008-03-07 13:39 37,936 --a------ C:\WINDOWS\system32\drivers\symndisv.sys

    2008-03-07 13:39 . 2008-03-07 13:39 35,120 --a------ C:\WINDOWS\system32\drivers\symndis.sys

    2008-03-07 13:39 . 2008-03-07 13:39 27,696 --a------ C:\WINDOWS\system32\drivers\symredrv.sys

    2008-03-07 13:39 . 2008-03-07 13:39 12,848 --a------ C:\WINDOWS\system32\drivers\symdns.sys

    2008-03-07 05:06 . 2008-03-12 11:49 118 --a------ C:\WINDOWS\system32\MRT.INI

    2008-03-05 09:58 . 2008-03-05 21:40 <DIR> d-------- C:\WINDOWS\LMIE7.tmp

    2008-03-04 09:40 . 2008-03-04 09:40 48 --a------ C:\amp.bat

    2008-03-04 09:37 . 2008-03-04 09:37 12,288 -r-h----- C:\WINDOWS\system32\syst0bv.exe

     

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2008-03-17 05:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec

    2008-03-17 03:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared

    2008-03-15 17:00 --------- d-----w C:\Program Files\Google

    2008-03-14 20:05 85,504 --sha-w C:\Program Files\Thumbs.db

    2008-03-11 03:05 --------- d-----w C:\Program Files\Norton Internet Security

    2008-03-10 03:28 --------- d-----w C:\Program Files\Quicken

    2008-03-07 03:55 --------- d-----w C:\Program Files\Yahoo!

    2008-03-05 15:10 --------- d-----w C:\Program Files\WebLog Expert

    2008-03-04 22:46 --------- d-----w C:\Documents and Settings\Sandy\Application Data\Symantec

    2008-01-24 03:10 251,584 ----a-w C:\Documents and Settings\Sandy\Application Data\GDIPFONTCACHEV1.DAT

    2008-01-23 01:54 --------- d-----w C:\Program Files\Microsoft ActiveSync

    2008-01-23 01:49 --------- d-----w C:\Program Files\Common Files\L&H

    .

     

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

     

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C9101D88-5C46-4757-87FC-40CAA937F9F2}]

    C:\WINDOWS\drnpfdxfxv.dll

     

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F104576A-91BA-40AD-91DE-2C20801339AB}]

    2004-06-02 07:12 1343488 --a------ C:\WINDOWS\Downloaded Program Files\ieplugin001.dll

     

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

    "{EAF43BEC-A979-470B-8EC0-9225C11CB213}"= "C:\DOCUME~1\Sandy\LOCALS~1\Temp\ac8zt2\enlfxgw.dll" [ ]

    "{CE98234D-64C9-42BE-80B9-5D9EC9E1E0A4}"= "C:\DOCUME~1\Sandy\LOCALS~1\Temp\ac8zt2\etlrlws.dll" [ ]

     

    [HKEY_CLASSES_ROOT\clsid\{eaf43bec-a979-470b-8ec0-9225c11cb213}]

    [HKEY_CLASSES_ROOT\enlfxgw.1]

    [HKEY_CLASSES_ROOT\TypeLib\{979218FD-1E10-4F3A-AB90-98F77F50C7C2}]

    [HKEY_CLASSES_ROOT\enlfxgw]

     

    [HKEY_CLASSES_ROOT\clsid\{ce98234d-64c9-42be-80b9-5d9ec9e1e0a4}]

    [HKEY_CLASSES_ROOT\etlrlws.1]

    [HKEY_CLASSES_ROOT\TypeLib\{D8767936-8CDB-42B7-95D3-FFBBB0CFF278}]

    [HKEY_CLASSES_ROOT\etlrlws]

     

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 23:59 115816]

    "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 19:51 583048]

    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-07-18 10:36 180269]

    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54 282624]

     

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

    "ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-01-30 12:57 13312]

    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]

     

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

    "SRUUninstall"="C:\WINDOWS\System32\msiexec.exe" [2005-05-03 11:58 78848]

     

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

    "btrklfr"= {2D0C1281-D97C-4ED4-9E7E-B72DE2FEFB4B} - C:\WINDOWS\btrklfr.dll [ ]

    "MonSetup"= {89da981f-b01a-4a92-ab98-c8026aa55815} - C:\WINDOWS\Installer\{89da981f-b01a-4a92-ab98-c8026aa55815}\MonSetup.dll [2008-03-12 15:28 18674]

    "bokpkov"= {E9FB8075-6A1C-4B6B-A642-58997A26E3DB} - C:\WINDOWS\bokpkov.dll [ ]

    "altvxvm"= {4CB6BFDF-00BA-4458-9320-1B8C5D7BD0D0} - C:\WINDOWS\altvxvm.dll [ ]

    "zip"= {76df3b7b-becf-4781-9760-5f62e5901545} - C:\WINDOWS\Installer\{76df3b7b-becf-4781-9760-5f62e5901545}\zip.dll [2008-03-12 15:28 23250]

     

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

    "AppInit_DLLs"=C:\WINDOWS\System32\win_3u.dll

     

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload]

    C:\Documents and Settings\Sandy\Local Settings\Application Data\cftmon.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Firewall auto setup]

    C:\DOCUME~1\Sandy\LOCALS~1\Temp\winlogon.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]

    --a------ 2005-01-12 13:54 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

    --a------ 2005-02-16 22:11 49152 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

    --a------ 2007-03-14 18:05 257088 C:\Program Files\iTunes\iTunesHelper.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

    --a------ 2007-01-19 11:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]

    --------- 2004-05-06 20:07 155648 C:\WINDOWS\system32\NeroCheck.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntuser]

    C:\WINDOWS\system32\drivers\spools.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]

    --a------ 2007-01-14 01:11 771704 C:\Program Files\Norton Internet Security\osCheck.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Outlook Express]

    C:\WINDOWS\twain.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

    --a------ 2007-02-16 10:54 282624 C:\Program Files\QuickTime\qttask.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SandIcon]

    --a------ 2000-11-13 10:36 131072 C:\ImageMate CompactFlash USB\SandIcon.Exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

    --a------ 2007-09-25 00:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

    --a------ 2006-07-18 10:36 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USBToolTip]

    --a------ 2005-06-13 01:30 192512 C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe

     

    R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 15:38]

    R3 PCX500;Cisco Wireless LAN Adapters Driver;C:\WINDOWS\System32\DRIVERS\pcx500.sys [2001-08-17 06:11]

    S2 grande48;grande48;C:\WINDOWS\system32\drivers\grande48.sys []

    S3 ATIPCXXX;ATI Parental control device;C:\WINDOWS\System32\DRIVERS\atipcxxx.sys [2001-08-17 06:49]

    S3 ATIVRVXX;ATI Rage Theatre Video (ATIRTCAP);C:\WINDOWS\System32\DRIVERS\atirtcap.sys [2001-08-17 06:49]

    S3 ATIVXSXX;ATI Audio Crossbar (ATIVXBAR);C:\WINDOWS\System32\DRIVERS\ativxbar.sys [2001-08-17 06:49]

     

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

     

    *Newly Created Service* - COMHOST

    .

    Contents of the 'Scheduled Tasks' folder

    "2008-03-05 08:00:16 C:\WINDOWS\Tasks\Norton Internet Security - All - Sandy.job"

    - C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeg/SE- /TASK:

    "2008-02-29 14:24:00 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Sandy.job"

    - C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:

    .

    **************************************************************************

     

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2008-03-16 23:18:59

    Windows 5.1.2600 NTFS

     

    scanning hidden processes ...

     

    scanning hidden autostart entries ...

     

    scanning hidden files ...

     

    scan completed successfully

    hidden files: 0

     

    **************************************************************************

    .

    --------------------- DLLs Loaded Under Running Processes ---------------------

     

    PROCESS: C:\WINDOWS\explorer.exe [6.00.2600.0000]

    -> C:\WINDOWS\Installer\{89da981f-b01a-4a92-ab98-c8026aa55815}\MonSetup.dll

    -> C:\WINDOWS\Installer\{76df3b7b-becf-4781-9760-5f62e5901545}\zip.dll

    .

    ------------------------ Other Running Processes ------------------------

    .

    C:\WINDOWS\System32\Ati2evxx.exe

    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

    C:\WINDOWS\System32\wdfmgr.exe

    C:\WINDOWS\System32\devldr32.exe

    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    C:\WINDOWS\System32\WgaTray.exe

    C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE

    C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

    .

    **************************************************************************

    .

    Completion time: 2008-03-16 23:23:51 - machine was rebooted [sandy]

    ComboFix-quarantined-files.txt 2008-03-17 05:23:41

    ComboFix2.txt 2008-03-06 03:43:46

    .

    2008-03-15 08:55:48 --- E O F ---

     

    Here is the new HijackThis log file (and I am going online to do the ESET scan now):

     

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 11:26:01 PM, on 3/16/2008

    Platform: Windows XP (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Boot mode: Normal

     

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\System32\Ati2evxx.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Viewpoint\Common\ViewpointService.exe

    C:\Program Files\Common Files\Symantec Shared\ccApp.exe

    C:\WINDOWS\System32\devldr32.exe

    C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    C:\Program Files\QuickTime\qttask.exe

    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    C:\WINDOWS\System32\WgaTray.exe

    C:\WINDOWS\System32\wuauclt.exe

    C:\WINDOWS\System32\wuauclt.exe

    C:\WINDOWS\explorer.exe

    C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE

    C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

    C:\WINDOWS\system32\notepad.exe

    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

     

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=28129

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lookfor.cc?pin=28129

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST1.03.0000.1005\en-xu\stmain.dll

    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar1.02.3000.1001\en-us\msntb.dll

    O2 - BHO: RDL Rolex - {C9101D88-5C46-4757-87FC-40CAA937F9F2} - C:\WINDOWS\drnpfdxfxv.dll (file missing)

    O2 - BHO: SyedIEHlprObj Class - {F104576A-91BA-40AD-91DE-2C20801339AB} - C:\WINDOWS\Downloaded Program Files\ieplugin001.dll

    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar1.02.3000.1001\en-us\msntb.dll

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

    O3 - Toolbar: enlfxgw - {EAF43BEC-A979-470B-8EC0-9225C11CB213} - C:\DOCUME~1\Sandy\LOCALS~1\Temp\ac8zt2\enlfxgw.dll (file missing)

    O3 - Toolbar: etlrlws - {CE98234D-64C9-42BE-80B9-5D9EC9E1E0A4} - C:\DOCUME~1\Sandy\LOCALS~1\Temp\ac8zt2\etlrlws.dll (file missing)

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')

    O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')

    O4 - HKUS\S-1-5-18\..\RunOnce: [sRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'SYSTEM')

    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')

    O4 - HKUS\.DEFAULT\..\RunOnce: [sRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'Default user')

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

    O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab

    O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\mokeogmv.exe

    O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://www.snapfish.com/SnapfishOutlookImport.cab

    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab

    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/102b16dfbe7928...ip/RdxIE601.cab

    O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://ispe.sdc.hp.com/awebui/jsp/answerwe...SWebManager.CAB

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1108410660308

    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1152998967447

    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab

    O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave.com/content/luxor/mjolauncher.cab

    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab

    O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://foodnet2.view22.com/view22/app/view22rte.cab

    O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab

    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/SymAData.cab

    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled...aploader_v6.cab

    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab

    O16 - DPF: {F104576A-91BA-40AD-91DE-2C2080133900} - http://www.search-climbers.net/download/cab/ieplugin.cab

    O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - file://C:\Program Files\OpenCube\Visual QuickMenu Pro\program\comdlg32.cab

    O20 - AppInit_DLLs: C:\WINDOWS\System32\win_3u.dll

    O21 - SSODL: btrklfr - {2D0C1281-D97C-4ED4-9E7E-B72DE2FEFB4B} - C:\WINDOWS\btrklfr.dll (file missing)

    O21 - SSODL: MonSetup - {89da981f-b01a-4a92-ab98-c8026aa55815} - C:\WINDOWS\Installer\{89da981f-b01a-4a92-ab98-c8026aa55815}\MonSetup.dll

    O21 - SSODL: bokpkov - {E9FB8075-6A1C-4B6B-A642-58997A26E3DB} - C:\WINDOWS\bokpkov.dll (file missing)

    O21 - SSODL: altvxvm - {4CB6BFDF-00BA-4458-9320-1B8C5D7BD0D0} - C:\WINDOWS\altvxvm.dll (file missing)

    O21 - SSODL: zip - {76df3b7b-becf-4781-9760-5f62e5901545} - C:\WINDOWS\Installer\{76df3b7b-becf-4781-9760-5f62e5901545}\zip.dll

    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    O24 - Desktop Component 0: (no name) - http://gardenperennials.net/assets/perenni...cqscale-125.jpg

    O24 - Desktop Component 1: (no name) - http://gardenperennials.net/assets/perenni...CAscale-125.jpg

    O24 - Desktop Component 2: (no name) - http://gardenperennials.net/assets/perennials-350/paccg.jpg

     

    --

    End of file - 12874 bytes

    0
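    The HijackThis log above contains the patterns a malware-removal helper scans for by eye: hooks whose DLL is already gone, toolbars living in a user's Temp folder, start and search pages redirected to an unfamiliar host, an O16 entry pointing at a local executable, an AppInit_DLLs value, and shell service objects loaded from GUID folders under Windows\Installer. The script below is an added example, not Lavasoft, Trend Micro or HijackThis code; it applies those same defender heuristics over constructed sample lines modelled on the log. The trusted-host set and the heuristics themselves are assumptions to be tuned per environment.

```python
"""Added example (not Lavasoft, Trend Micro or HijackThis code): a small triage
pass over HijackThis log lines using the defender heuristics the thread
illustrates. Sample lines are constructed; TRUSTED_HOSTS is an assumption."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: hosts considered normal for IE start/search page settings.
TRUSTED_HOSTS = {"go.microsoft.com", "www.microsoft.com"}

HJT_LINE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
URL_RE = re.compile(r"(?P<scheme>https?|file)://(?P<host>[^/\s?]*)", re.I)


@dataclass(frozen=True)
class Finding:
    kind: str      # HijackThis section, e.g. "O2"
    reason: str    # why the line deserves a second look
    line: str      # the offending log line


def triage_line(line: str) -> list[Finding]:
    """Return zero or more findings for one HijackThis line."""
    line = line.strip()
    m = HJT_LINE.match(line)
    if not m:
        return []                     # header, process list, blank line, etc.
    kind, body = m.group("kind"), m.group("body")
    reasons: list[str] = []

    # Orphaned entries: a registry hook whose DLL has already been deleted
    # (or is self-deleting) is a classic leftover of adware/trojan installs.
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("referenced file is missing")

    # Legitimate browser extensions do not live in a user's Temp directory.
    if re.search(r"\\temp\\", body, re.I):
        reasons.append("component loads from a Temp directory")

    # R0/R1: start/search page hijacks show up as unexpected hosts here.
    if kind in ("R0", "R1"):
        value = body.partition(" = ")[2]
        um = URL_RE.search(value)
        if um and um.group("host").lower() not in TRUSTED_HOSTS:
            reasons.append(f"browser page setting points at {um.group('host')}")

    # O16: Downloaded Program Files entries should point at a remote .cab,
    # not at a local executable via file://.
    if kind == "O16" and re.search(r"file://", body, re.I):
        reasons.append("ActiveX entry references a local file:// path")

    # O20: AppInit_DLLs loads the listed DLL into every process that links
    # user32.dll; it is almost never set on a home XP machine.
    if kind == "O20" and body.startswith("AppInit_DLLs:"):
        reasons.append("AppInit_DLLs injects this DLL into every GUI process")

    # O21: a ShellServiceObjectDelayLoad entry pointing into a GUID folder
    # under \WINDOWS\Installer is not how legitimate shell objects are shipped.
    if kind == "O21" and re.search(r"\\WINDOWS\\Installer\\\{", body, re.I):
        reasons.append("shell service object loads from a Windows Installer GUID folder")

    return [Finding(kind, r, line) for r in reasons]


def triage_log(text: str) -> list[Finding]:
    """Run triage_line over a whole log and collect findings in order."""
    findings: list[Finding] = []
    for line in text.splitlines():
        findings.extend(triage_line(line))
    return findings


# Constructed sample: a handful of lines modelled on the log above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RDL Rolex - {C9101D88-5C46-4757-87FC-40CAA937F9F2} - C:\WINDOWS\drnpfdxfxv.dll (file missing)
O3 - Toolbar: enlfxgw - {EAF43BEC-A979-470B-8EC0-9225C11CB213} - C:\DOCUME~1\Sandy\LOCALS~1\Temp\ac8zt2\enlfxgw.dll (file missing)
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\mokeogmv.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\win_3u.dll
O21 - SSODL: zip - {76df3b7b-becf-4781-9760-5f62e5901545} - C:\WINDOWS\Installer\{76df3b7b-becf-4781-9760-5f62e5901545}\zip.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

    Run against the sample it flags six of the ten lines and leaves the Adobe BHO, the Microsoft search page, the about:blank start page and the Ad-Aware service alone. The point is not that these rules are complete (a real helper also checks signer and hash of every listed file) but that the first pass over a log like this is mechanical and can be automated before a human decides what to fix.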
  • Support

    Don't worry about being a Two on a scale of 1 to 10. We're quite used to that and tailor our responses and replies to accommodate those who fear complicated instructions, so we try to make them easy to follow. If you do have any problems understanding my steps, please feel free to let me know. We are all new to some things the first time and we understand how scary this all may seem. We are also used to folks who are 2's on malware removal. The 10's already know how to solve it and would not be here requesting help (they are usually the ones here helping you), so you are not alone.

    0
  • Customer

    A few quick responses this morning.

     

    I have not uninstalled Norton yet. I did download AVG, but haven't installed it yet.

     

    I have uploaded the jpg file from the scan where I couldn't quarantine or remove the files.

     

    During the night and this morning, there have been three instances where web pages opened on my pc and music started playing.

     

    Sandy


    That's a very difficult time to be switching AVs, I agree. Have you already uninstalled Norton?

    Yes, please do attach your document and I'll take a look at it, or you can just copy and paste the info on it into a reply here.

    Edit: I re-read your post and see that it is probably an image. You should be able to attach an image here to your reply as long as it is in .gif or .jpg format (it will also take .bmp, but those are so large it may be difficult to upload).

    0
  • Customer

    Okay...I can't get this to work. It keeps shutting IE down.

    Sandy


    This one will do a complete system scan and tell me if any system files are infected (plus some other valuable log info)

     

    * Go here to run an online scanner from ESET.


    • Note: You will need to use Internet explorer for this scan

    • Tick the box next to YES, I accept the Terms of Use.

    • Click Start

    • When asked, allow the activex control to install

    • Click Start

    • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked

    • Click Scan

    • Wait for the scan to finish

    • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt

    • Copy and paste that log as a reply to this topic, along with a new HijackThis log & a description of any remaining problems

    0
  • Support

    This machine is really infected. One huge problem is that it is extremely vulnerable to exploit because you do not have any Critical security updates installed. How come no Windows updates, no service packs?

     

     

    Run this free tool next please:

     

    Download SDFix and save it to your Desktop.

     

    Double click SDFix.exe and it will extract the files to %systemdrive%

    (Drive that contains the Windows Directory, typically C:\SDFix)

     

    Please then reboot your computer in Safe Mode by doing the following :

    • Restart your computer

    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

    • Instead of Windows loading as normal, the Advanced Options Menu should appear;

    • Select the first option, to run Windows in Safe Mode, then press Enter.

    • Choose your usual account.

    • Open the extracted SDFix folder and double click RunThis.bat to start the script.

    • Type Y to begin the cleanup process.

    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.

    • Press any Key and it will restart the PC.

    • When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.

    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).

    • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

    0
  • Customer

    My home page is now changing to other sites. This had not been happening for a few days. It was opening on about:blank.

     

    Now it is opening on something I have never seen before.

    0
  • Support

    No, can't update to SP2 right now while it's infected. You need a genuine copy of XP for it to update. I may be able to help with that but first....

     

    When you purchased this machine did it come with the original install disk? Do you have that?

    0
  • Customer

    I purchased this computer from a friend and I have never been able to get the update to run correctly. I don't want to update to Vista, but would purchase XP, but where do you recommend I log on to? MS website has it for $149. Is there someplace less expensive?

    Should i go ahead and get XP SP2 on this machine or run the tool first that you just recommended?

    Sandy

     

     

    This machine is really infected. One huge problem is that it is extremely vulnerable to exploit because you do not have any Critical security updates installed. How come no Windows updates, no service packs?

    Run this free tool next please:

    0
  • Customer

    Shall I go ahead with SDFix?

    0
  • Customer

    No...sorry...


    When you purchased this machine did it come with the original install disk? Do you have that?

    0
  • Support

    Well, the trojan I suspect I see in those logs is a nasty one and SDFix may be able to remove it, but I can't make any guarantees you might not lose Windows, and with no install disk and no recovery console installed on there it is a risk. But since you are going to need to get genuine Windows on there, you may just want to think about a reformat and reinstall. Are you capable of doing that? I'm not sure of the exact nature of the trojan on there, but it does smell like a remote access trojan (the SDbot family, hence the name of the fix tool "SDFix"). Some have been known to make removal difficult and make a PC unbootable or otherwise inoperable during the removal process. It is rare but it does happen.

     

    How long have you had the machine and is there any sensitive info of yours on it?

    0
  • Customer

    I am sure you can tell this is an older machine. It has always been a very solid reliable machine until the last maybe ten days. I have always had Norton running on my computers, but several people have told me Ad-Aware and AVG combined are just as good. I have been impressed with the support staff (you) at Lavasoft.

     

    Sensitive info...yes.

     

    What next, great master?

    0
  • Customer

    I went ahead with SDFix. Here is the report, followed by a new HijackThis log file. Thanks.

    Sandy

     

     

    SDFix: Version 1.158

     

    Run by Sandy on Mon 03/17/2008 at 07:13 PM

     

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

     

    Checking Services :

     

     

    Restoring Windows Registry Values

    Restoring Windows Default Hosts File

     

    Rebooting

     

     

    Checking Files :

     

    Trojan Files Found:

     

    C:\WINDOWS\SYSTEM32\SIRENA~1.DLL - Deleted

     

     

     

     

     

    Removing Temp Files

     

    ADS Check :

     

     

     

    Final Check :

     

    catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2008-03-17 19:25:20

    Windows 5.1.2600 NTFS

     

    scanning hidden processes ...

     

    scanning hidden services & system hive ...

     

    scanning hidden registry entries ...

     

    scanning hidden files ...

     

    scan completed successfully

    hidden processes: 0

    hidden services: 0

    hidden files: 0

     

     

    Remaining Services :

     

     

     

    Authorized Application Key Export:

     

    Remaining Files :

     

     

    File Backups: - C:\SDFix\backups\backups.zip

     

    Files with Hidden Attributes :

     

    Wed 30 Jan 2002 24,448 A.SHR --- "C:\NTBOOTDD.SYS"

    Tue 4 Mar 2008 12,288 ...HR --- "C:\WINDOWS\system32\syst0bv.exe"

    Fri 27 Jul 2007 39,936 ...H. --- "C:\Frey\Soap\Invoices & Packlists\~WRL0001.tmp"

    Thu 28 Jun 2007 43,520 ...H. --- "C:\Frey\Soap\Invoices & Packlists\~WRL0003.tmp"

    Sat 2 Jun 2007 45,568 ...H. --- "C:\Frey\Soap\Invoices & Packlists\~WRL0871.tmp"

    Thu 21 Jun 2007 37,888 ...H. --- "C:\Frey\Soap\Invoices & Packlists\~WRL0975.tmp"

    Sat 2 Jun 2007 39,936 ...H. --- "C:\Frey\Soap\Invoices & Packlists\~WRL1555.tmp"

    Thu 19 Apr 2007 26,624 ...H. --- "C:\Frey\Soap\Invoices & Packlists\~WRL1826.tmp"

    Wed 12 Mar 2008 23,250 ..SHR --- "C:\WINDOWS\Installer\{76df3b7b-becf-4781-9760-5f62e5901545}\zip.dll"

    Wed 12 Mar 2008 18,674 ..SHR --- "C:\WINDOWS\Installer\{89da981f-b01a-4a92-ab98-c8026aa55815}\MonSetup.dll"

    Fri 28 May 2004 0 ...H. --- "C:\Documents and Settings\Sandy\Application Data\Microsoft\Word\~WRL4025.tmp"

    Wed 21 Nov 2007 7,798 A..H. --- "C:\Documents and Settings\Sandy\Application Data\Microsoft\Office\Shortcut Bar\Off32.tmp"

     

    Finished!

     

    ---------------------------------------------------------------

     

     

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 7:36:25 PM, on 3/17/2008

    Platform: Windows XP (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Boot mode: Normal

     

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\System32\Ati2evxx.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Viewpoint\Common\ViewpointService.exe

    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\System32\WgaTray.exe

    C:\WINDOWS\Explorer.EXE

    C:\WINDOWS\System32\wuauclt.exe

    C:\Program Files\Common Files\Symantec Shared\ccApp.exe

    C:\WINDOWS\System32\devldr32.exe

    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

     

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=28129

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lookfor.cc?pin=28129

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST1.03.0000.1005\en-xu\stmain.dll

    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar1.02.3000.1001\en-us\msntb.dll

    O2 - BHO: SyedIEHlprObj Class - {F104576A-91BA-40AD-91DE-2C20801339AB} - C:\WINDOWS\Downloaded Program Files\ieplugin001.dll

    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar1.02.3000.1001\en-us\msntb.dll

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe

    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')

    O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')

    O4 - HKUS\S-1-5-18\..\RunOnce: [sRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'SYSTEM')

    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')

    O4 - HKUS\.DEFAULT\..\RunOnce: [sRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'Default user')

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

    O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab

    O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\mokeogmv.exe

    O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://www.snapfish.com/SnapfishOutlookImport.cab

    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab

    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/102b16dfbe7928...ip/RdxIE601.cab

    O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab

    O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://ispe.sdc.hp.com/awebui/jsp/answerwe...SWebManager.CAB

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1108410660308

    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1152998967447

    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab

    O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave.com/content/luxor/mjolauncher.cab

    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab

    O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://foodnet2.view22.com/view22/app/view22rte.cab

    O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab

    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/SymAData.cab

    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled...aploader_v6.cab

    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab

    O16 - DPF: {F104576A-91BA-40AD-91DE-2C2080133900} - http://www.search-climbers.net/download/cab/ieplugin.cab

    O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - file://C:\Program Files\OpenCube\Visual QuickMenu Pro\program\comdlg32.cab

    O20 - AppInit_DLLs: C:\WINDOWS\System32\win_3u.dll

    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    O24 - Desktop Component 0: (no name) - http://gardenperennials.net/assets/perenni...cqscale-125.jpg

    O24 - Desktop Component 1: (no name) - http://gardenperennials.net/assets/perenni...CAscale-125.jpg

    O24 - Desktop Component 2: (no name) - http://gardenperennials.net/assets/perennials-350/paccg.jpg

     

    --

    End of file - 11074 bytes

  • Support

    OK, glad that went OK, but I still see some problems. Could you give me another run with ComboFix and a fresh log from it, please?

  • Customer

    Here is the new log file from ComboFix.

    Thanks,

    Sandy

     

     

    ComboFix 08-03-14.4 - Sandy 2008-03-17 20:18:54.4 - NTFSx86

    Running from: C:\Documents and Settings\Sandy\Desktop\ComboFix.exe

     

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    .

     

    ((((((((((((((((((((((((( Files Created from 2008-02-18 to 2008-03-18 )))))))))))))))))))))))))))))))

    .

     

    2008-03-17 19:10 . 2008-03-17 19:10 <DIR> d-------- C:\WINDOWS\ERUNT

    2008-03-17 19:05 . 2008-03-17 19:31 <DIR> d-------- C:\SDFix

    2008-03-16 23:32 . 2008-03-16 23:39 <DIR> d-------- C:\Program Files\EsetOnlineScanner

    2008-03-16 21:44 . 2008-03-16 21:44 <DIR> d-------- C:\Program Files\Trend Micro

    2008-03-15 14:44 . 2008-03-15 14:44 <DIR> d-------- C:\Program Files\Lavasoft

    2008-03-15 14:43 . 2008-03-15 14:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

    2008-03-14 17:35 . 2008-03-14 17:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

    2008-03-13 10:32 . 2008-03-13 10:33 <DIR> d-------- C:\WINDOWS\LMI108D.tmp

    2008-03-07 14:03 . 2008-03-07 14:03 625,032 --a------ C:\WINDOWS\system32\SymNeti.dll

    2008-03-07 14:03 . 2008-03-07 14:03 242,056 --a------ C:\WINDOWS\system32\SymRedir.dll

    2008-03-07 13:40 . 2008-03-07 13:40 13,035 --a------ C:\WINDOWS\system32\drivers\SymRedir.cat

    2008-03-07 13:40 . 2008-03-07 13:40 1,358 --a------ C:\WINDOWS\system32\drivers\SymRedir.inf

    2008-03-07 13:39 . 2008-03-07 13:39 191,536 --a------ C:\WINDOWS\system32\drivers\symtdi.sys

    2008-03-07 13:39 . 2008-03-07 13:39 145,968 --a------ C:\WINDOWS\system32\drivers\symfw.sys

    2008-03-07 13:39 . 2008-03-07 13:39 39,984 --a------ C:\WINDOWS\system32\drivers\symids.sys

    2008-03-07 13:39 . 2008-03-07 13:39 37,936 --a------ C:\WINDOWS\system32\drivers\symndisv.sys

    2008-03-07 13:39 . 2008-03-07 13:39 35,120 --a------ C:\WINDOWS\system32\drivers\symndis.sys

    2008-03-07 13:39 . 2008-03-07 13:39 27,696 --a------ C:\WINDOWS\system32\drivers\symredrv.sys

    2008-03-07 13:39 . 2008-03-07 13:39 12,848 --a------ C:\WINDOWS\system32\drivers\symdns.sys

    2008-03-07 05:06 . 2008-03-12 11:49 118 --a------ C:\WINDOWS\system32\MRT.INI

    2008-03-05 09:58 . 2008-03-05 21:40 <DIR> d-------- C:\WINDOWS\LMIE7.tmp

    2008-03-04 09:40 . 2008-03-04 09:40 48 --a------ C:\amp.bat

    2008-03-04 09:37 . 2008-03-04 09:37 12,288 -r-h----- C:\WINDOWS\system32\syst0bv.exe

     

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2008-03-18 01:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec

    2008-03-17 22:51 --------- d-----w C:\Program Files\Common Files\Symantec Shared

    2008-03-17 14:19 --------- d--h--w C:\Program Files\InstallShield Installation Information

    2008-03-15 17:00 --------- d-----w C:\Program Files\Google

    2008-03-14 20:05 85,504 --sha-w C:\Program Files\Thumbs.db

    2008-03-12 21:19 12,800 ----a-w C:\WINDOWS\system32\svchost.exe

    2008-03-11 03:05 --------- d-----w C:\Program Files\Norton Internet Security

    2008-03-10 03:28 --------- d-----w C:\Program Files\Quicken

    2008-03-07 03:55 --------- d-----w C:\Program Files\Yahoo!

    2008-03-05 15:10 --------- d-----w C:\Program Files\WebLog Expert

    2008-03-04 22:46 --------- d-----w C:\Documents and Settings\Sandy\Application Data\Symantec

    2008-02-11 15:39 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll

    2008-02-11 15:39 237,568 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll

    2008-02-08 19:53 110,592 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll

    2008-02-05 14:48 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe

    2008-01-24 03:10 251,584 ----a-w C:\Documents and Settings\Sandy\Application Data\GDIPFONTCACHEV1.DAT

    2008-01-23 01:54 --------- d-----w C:\Program Files\Microsoft ActiveSync

    2008-01-23 01:49 --------- d-----w C:\Program Files\Common Files\L&H

    .

     

    ((((((((((((((((((((((((((((( snapshot@2008-03-16_23.23.09.78 )))))))))))))))))))))))))))))))))))))))))

    .

    + 2008-03-16 12:18:30 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE

    + 2008-03-18 01:11:06 7,372,800 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat

    + 2008-03-18 01:11:06 151,552 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat

    + 2008-03-16 12:18:30 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE

    + 2008-03-18 01:10:55 7,372,800 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat

    + 2008-03-18 01:10:55 151,552 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat

    + 2007-04-10 20:02:50 1,476,992 ----a-w C:\WINDOWS\LastGood\System32\LegitCheckControl.DLL

    + 2007-07-27 20:49:02 196,683 ----a-w C:\WINDOWS\LastGood\System32\lnod32apiA.dll

    + 2007-07-27 20:49:02 225,355 ----a-w C:\WINDOWS\LastGood\System32\lnod32apiW.dll

    + 2005-12-06 01:25:22 139,264 ----a-w C:\WINDOWS\LastGood\System32\lnod32umc.dll

    + 2005-12-05 18:37:10 106,496 ----a-w C:\WINDOWS\LastGood\System32\lnod32upd.dll

    + 2008-02-11 15:39:26 253,952 ----a-w C:\WINDOWS\LastGood\System32\OnlineScannerDLLA.dll

    + 2008-02-11 15:39:18 237,568 ----a-w C:\WINDOWS\LastGood\System32\OnlineScannerDLLW.dll

    + 2008-02-08 19:53:46 110,592 ----a-w C:\WINDOWS\LastGood\System32\OnlineScannerLang.dll

    + 2008-02-05 14:48:04 77,824 ----a-w C:\WINDOWS\LastGood\System32\OnlineScannerUninstaller.exe

    - 2007-04-10 20:02:50 1,476,992 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll

    + 2007-10-11 20:12:48 1,468,968 ----a-w C:\WINDOWS\system32\LegitCheckControl.DLL

    + 2007-07-27 20:49:02 196,683 ----a-w C:\WINDOWS\system32\lnod32apiA.dll

    + 2007-07-27 20:49:02 225,355 ----a-w C:\WINDOWS\system32\lnod32apiW.dll

    + 2005-12-06 01:25:22 139,264 ----a-w C:\WINDOWS\system32\lnod32umc.dll

    + 2005-12-05 18:37:10 106,496 ----a-w C:\WINDOWS\system32\lnod32upd.dll

    + 2004-12-07 16:11:34 258,352 ----a-w C:\WINDOWS\system32\unicows.dll

    - 2008-03-17 05:17:27 32,768 ----a-w C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat

    + 2008-03-18 02:19:39 163,840 ----a-w C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

     

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F104576A-91BA-40AD-91DE-2C20801339AB}]

    2004-06-02 07:12 1343488 --a------ C:\WINDOWS\Downloaded Program Files\ieplugin001.dll

     

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 23:59 115816]

     

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

    "ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-01-30 12:57 13312]

    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]

     

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

    "SRUUninstall"="C:\WINDOWS\System32\msiexec.exe" [2005-05-03 11:58 78848]

     

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

    "AppInit_DLLs"=C:\WINDOWS\System32\win_3u.dll

     

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload]

    C:\Documents and Settings\Sandy\Local Settings\Application Data\cftmon.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Firewall auto setup]

    C:\DOCUME~1\Sandy\LOCALS~1\Temp\winlogon.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]

    --a------ 2005-01-12 13:54 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

    --a------ 2005-02-16 22:11 49152 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

    --a------ 2007-03-14 18:05 257088 C:\Program Files\iTunes\iTunesHelper.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

    --a------ 2007-01-19 11:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]

    --------- 2004-05-06 20:07 155648 C:\WINDOWS\system32\NeroCheck.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntuser]

    C:\WINDOWS\system32\drivers\spools.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]

    --a------ 2007-01-14 01:11 771704 C:\Program Files\Norton Internet Security\osCheck.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Outlook Express]

    C:\WINDOWS\twain.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

    --a------ 2007-02-16 10:54 282624 C:\Program Files\QuickTime\qttask.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SandIcon]

    C:\ImageMate CompactFlash USB\SandIcon.Exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

    --a------ 2007-09-25 00:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

    --a------ 2006-07-18 10:36 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USBToolTip]

    --a------ 2005-06-13 01:30 192512 C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe

     

    R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 15:38]

    R3 PCX500;Cisco Wireless LAN Adapters Driver;C:\WINDOWS\System32\DRIVERS\pcx500.sys [2001-08-17 06:11]

    S2 grande48;grande48;C:\WINDOWS\system32\drivers\grande48.sys []

    S3 ATIPCXXX;ATI Parental control device;C:\WINDOWS\System32\DRIVERS\atipcxxx.sys [2001-08-17 06:49]

    S3 ATIVRVXX;ATI Rage Theatre Video (ATIRTCAP);C:\WINDOWS\System32\DRIVERS\atirtcap.sys [2001-08-17 06:49]

    S3 ATIVXSXX;ATI Audio Crossbar (ATIVXBAR);C:\WINDOWS\System32\DRIVERS\ativxbar.sys [2001-08-17 06:49]

     

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

     

    *Newly Created Service* - COMHOST

    .

    Contents of the 'Scheduled Tasks' folder

    "2008-03-05 08:00:16 C:\WINDOWS\Tasks\Norton Internet Security - All - Sandy.job"

    - C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeg/SE- /TASK:

    "2008-02-29 14:24:00 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Sandy.job"

    - C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:

    .

    **************************************************************************

     

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2008-03-17 20:22:36

    Windows 5.1.2600 NTFS

     

    scanning hidden processes ...

     

    scanning hidden autostart entries ...

     

    scanning hidden files ...

     

    scan completed successfully

    hidden files: 0

     

    **************************************************************************

    .

    Completion time: 2008-03-17 20:23:59

    ComboFix-quarantined-files.txt 2008-03-18 02:23:55

    ComboFix2.txt 2008-03-17 21:29:47

    ComboFix3.txt 2008-03-17 05:23:52

    ComboFix4.txt 2008-03-06 03:43:46

    .

    2008-03-15 08:55:48 --- E O F ---

  • Support

    I'm going to try to help you get the malware off of here, but I smell a rootkit, possibly, and am going to call in a consult on how to proceed with the fix. I do need that ComboFix report for that, which will give us the current state after running those other tools. I now see you have posted that, so let me call in the cavalry and see if we can proceed. (It might be morning before I can get someone in here to look at it with me.)

     

    But then we have the problem of an unpatched XP machine, and one that has possibly been compromised. (Consider that your sensitive data MAY have been stolen by an intruder; once we get it clean, it would be a good idea to change all passwords and monitor any accounts you have: bank, credit card, email account, anything.)

     

    For the unpatched machine, I can get you a genuine boxed version of XP with SP2 sent to you from Microsoft as a gift from me. I don't know if you can just reinstall that, and you may have to check with the manufacturer of the machine on whether that is possible or what it would cost to get some disks from them. A trusted local repair shop might be needed if you are not really savvy with computers.

     

    If you haven't backed up any important data on your PC that you want to keep, start doing that and keep this machine off the net as much as possible. If you have access to another clean computer you can use to check for new messages here, then do that.

     

    Oh, and I'm not the support team. Technical support for Lavasoft products is here:

    http://www.lavasoft.com/support/supportcenter/

     

    But this isn't a problem with the Ad-Aware program, so they can't really help with malware removal. I do that here in my own free time because helping with malware removal is what I do for fun and for the enjoyment of helping others. My official duties here are Forum Administrator (helping provide these forums for free users and others who wish to discuss Lavasoft products and share information), and I am also a malware consultant.

     

    I don't usually advise people to switch AV products, as all the top-rated ones are about the same. And all can miss an infection, especially a new variant of whatever is going around, and your unpatched machine is surely susceptible to that. If you have a good current version of Symantec (something current, as in 2007 or 2008), then that should be good enough, especially if you are comfortable with it. Ad-Aware is a nice extra program to have for spyware protection, as that is our specialty. IF you have a very old version of Norton (like 2003 or 2004), that is very old and obsolete, and I would then advise getting AVG, as if this machine is older, the more current versions of Symantec might really slow it down and hurt performance. Malware has changed over the years, and nowadays you really need a current, up-to-date version of antivirus.

     

    So even if we can get this clean and working and you are happy with good current security programs, an unpatched machine is very likely to just get infected again right away.

  • Support

    Keep the Norton on there for now. 2007 is a current version, and I see no need to complicate matters trying to uninstall that and learn a new AV, as there is not much advantage to doing that. The biggest problem with the security on this PC is the unpatched vulnerabilities; we'll tackle that problem next. This may be a valid Windows you have installed and it just needs updating, but we can't do that while it's infected. Please don't go surfing anywhere on it other than to check for instructions here for the time being.

     

    I have a set of steps here to fix it, thanks to the assistance and second opinion of one of our malware removal experts here in the forums. Thanks to Miekiemoes!

     

    1. Make a copy of these instructions to have handy, or print them out. You'll need to do these steps with all browsers closed, and it is best to disconnect from the internet during this fix (so you won't be able to view the steps from here).

     

    2. Close all programs and any open windows or browsers and open HijackThis. Choose to do a *system scan only*.

     

    3. When it finishes, place a checkmark next to the following entries in the list:

     

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

     

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=28129

     

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lookfor.cc?pin=28129

     

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

     

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

     

    O2 - BHO: SyedIEHlprObj Class - {F104576A-91BA-40AD-91DE-2C20801339AB} - C:\WINDOWS\Downloaded Program Files\ieplugin001.dll

     

    O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\mokeogmv.exe

     

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/102b16dfbe7928...ip/RdxIE601.cab

     

    O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://foodnet2.view22.com/view22/app/view22rte.cab

     

    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab

     

    O16 - DPF: {F104576A-91BA-40AD-91DE-2C2080133900} - http://www.search-climbers.net/download/cab/ieplugin.cab

     

    O20 - AppInit_DLLs: C:\WINDOWS\System32\win_3u.dll

     

    Once you have the listed entries checkmarked, press the *Fix checked* button in HijackThis, and then you can close it and proceed to step 4.

     

    4. * Open Notepad - don't use any other text editor than Notepad or the script will fail.

     

    Copy/paste the text you see in bold below into Notepad:

     

    File::

    C:\Program Files\Internet Explorer\mokeogmv.exe

    C:\WINDOWS\system32\syst0bv.exe

    C:\amp.bat

    C:\WINDOWS\System32\win_3u.dll

    C:\WINDOWS\Downloaded Program Files\ieplugin001.dll

    Folder::

    C:\WINDOWS\Installer\{76df3b7b-becf-4781-9760-5f62e5901545}

    C:\WINDOWS\Installer\{89da981f-b01a-4a92-ab98-c8026aa55815}

    Registry::

    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F104576A-91BA-40AD-91DE-2C20801339AB}]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

    "AppInit_DLLs"=""

    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntuser]

     

    Save this Notepad file as CFScript.txt, in the same location as ComboFix.exe (your desktop).

     

     

    Referring to the picture above, drag CFScript.txt and drop it onto ComboFix.exe.

    This will start ComboFix again.

     

    When finished, it shall produce a log for you at "C:\ComboFix.txt"

     

    Note:

    Do not mouse-click ComboFix's window while it's running; that may cause it to stall.

     

    5. After the reboot (in case it asks to reboot), please post the following reports/logs in your next reply:

     

    * Combofix.txt

    * A new HijackThis log

    ...............

     

    6. There are two files I need you to check to see if they are infected, so I need you to do the following for a single-file virus scan on them.

     

    Go here:

    http://www.virustotal.com/

     

    Use the browse button to navigate to the following file:

     

    C:\WINDOWS\LMIE7.tmp

     

    A separate box should pop up to allow you to browse to the file in that location (C:\Windows). When you see LMIE7.tmp, click on it to highlight it and hit the *Open* button. You should now see that file in the browse box there at VirusTotal. Hit *Send file* and wait while it scans your file. It will give you a report at the end when it finishes. Please copy that report and paste it into your reply back here.

     

    Now do the same with the file:

    C:\WINDOWS\LMI108D.tmp

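The checks the helper made by eye in step 3 above (an AppInit_DLLs value, a DPF entry loading a local executable, a start or search page on an unknown host, executables autostarting from Temp or Application Data, filenames impersonating Windows binaries such as cftmon.exe and spools.exe) can be written down as a small triage script. The following is an added example for this thread, not code from the thread, from HijackThis, ComboFix or Lavasoft. The sample lines are copied from the logs posted above; the trusted-host allowlist, the lookalike table, the scratch-directory names and the system-binary locations are assumptions, not complete lists, and a flag means "review this entry", not "this is malware".

```python
"""Heuristic triage of HijackThis / ComboFix autostart lines.

Added example for this thread; not part of HijackThis, ComboFix or any Lavasoft
tool. SAMPLE_LINES are copied from the logs posted above. The lookalike table,
system-binary locations, scratch-directory names and trusted-host allowlist are
assumptions for illustration, not complete lists.
"""
import re
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

# A Windows path: drive letter, colon, backslash, then everything up to a
# closing quote, a '[' (ComboFix appends "[date size]") or the end of the line.
PATH_RE = re.compile(r'[A-Za-z]:\\(?:[^"\[\]\n])*?(?=\s*(?:\[|"|$))')
URL_RE = re.compile(r'\b(?:https?|file)://\S+', re.I)

# Where the genuine copy of each commonly impersonated binary lives (assumed).
SYSTEM_BINARIES = {n: r"c:\windows\system32"
                   for n in ("winlogon.exe", "ctfmon.exe", "svchost.exe", "spoolsv.exe")}
# Misspelt names that trade on a real binary's name (assumed list).
LOOKALIKES = {"cftmon.exe": "ctfmon.exe", "spools.exe": "spoolsv.exe"}
# Directory names a legitimate autostart almost never runs from (assumed).
SCRATCH_DIR_NAMES = {"temp", "tmp", "application data", "downloaded program files"}
# Hosts accepted as a start/search page in R0/R1 entries (assumed allowlist).
TRUSTED_PAGE_HOSTS = {"www.google.com", "www.yahoo.com", "www.msn.com"}


def extract_path(line: str) -> str:
    """Return the first Windows path in the line, or '' if there is none."""
    m = PATH_RE.search(line)
    return m.group(0) if m else ""


def triage_line(line: str) -> List[str]:
    """Return the red flags raised by one log line (empty list if none)."""
    flags: List[str] = []
    text = line.strip()
    low = text.lower()
    path = extract_path(text)
    parts = path.lower().split("\\")
    base, parent = parts[-1], "\\".join(parts[:-1])

    # O20: AppInit_DLLs is loaded into every process that maps user32.dll,
    # so any value at all deserves a look.
    if low.startswith("o20 - appinit_dlls:") and path:
        flags.append("AppInit_DLLs injection: " + path)

    # O16: an ActiveX download entry should point at a remote .cab,
    # not at an .exe already sitting on the local disk.
    if low.startswith("o16 - dpf:") and "file://" in low and base.endswith(".exe"):
        flags.append("DPF entry points at local executable: " + path)

    # R0/R1: a hard-coded start or search page on an unknown host is a hijack.
    if re.match(r"r[01] - ", low):
        m = URL_RE.search(text)
        host = urlsplit(m.group(0)).hostname if m else None
        if host and host not in TRUSTED_PAGE_HOSTS:
            flags.append("browser page hijack to " + host)

    if path:
        if base.endswith((".exe", ".dll")) and SCRATCH_DIR_NAMES & set(parts[:-1]):
            flags.append("autostart from scratch directory: " + path)
        if base in LOOKALIKES:
            flags.append(f"lookalike of {LOOKALIKES[base]}: {path}")
        elif base in SYSTEM_BINARIES and parent != SYSTEM_BINARIES[base]:
            flags.append(f"{base} outside {SYSTEM_BINARIES[base]}: {path}")
    return flags


def triage(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map each flagged line to its reasons; clean lines are left out."""
    result: Dict[str, List[str]] = {}
    for line in lines:
        flags = triage_line(line)
        if flags:
            result[line.strip()] = flags
    return result


# Copied from the HijackThis and ComboFix logs posted in this thread.
SAMPLE_LINES = [
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=28129",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lookfor.cc?pin=28129",
    r"O2 - BHO: SyedIEHlprObj Class - {F104576A-91BA-40AD-91DE-2C20801339AB} - C:\WINDOWS\Downloaded Program Files\ieplugin001.dll",
    r"O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\mokeogmv.exe",
    r"O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - file://C:\Program Files\OpenCube\Visual QuickMenu Pro\program\comdlg32.cab",
    r"O20 - AppInit_DLLs: C:\WINDOWS\System32\win_3u.dll",
    r"O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe",
    r'"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-01-30 12:57 13312]',
    r"C:\Documents and Settings\Sandy\Local Settings\Application Data\cftmon.exe",
    r"C:\DOCUME~1\Sandy\LOCALS~1\Temp\winlogon.exe",
    r"C:\WINDOWS\system32\drivers\spools.exe",
]

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LINES).items():
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Run as-is, the script flags eight of the eleven sample lines and leaves the Ad-Aware service, the genuine ctfmon.exe in System32 and the OpenCube .cab alone. Paste a whole HijackThis log or the ComboFix "Reg Loading Points" section into `triage()` to get a first pass before deciding what goes into the HijackThis fix list or a CFScript.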
  • Customer

    I am getting ready to go offline. I will check here in the am sometime.

     

    A lot to think about...I have Norton 2007, with one month to go before I have to update to 2008. I am thinking it is time to get something new. I have loved this pc and never had any problems, but it is getting old (like me)!

     

    Will check for a post from you tomorrow.

     

    Bye for now.

     

    Sandy

  • Customer

    I am now to this point. LMIE7 and LMI108D are folders. Do you want me to run each file inside the folder through the VirusTotal scan? These are folders created when Norton's tech help worked on my machine. On March 5th, they got the computer back to working correctly. On the 13th, I think they gave up.

    Sandy

     

     

     

    6. There are two files I need you to check to see if they are infected, so I need you to do the following for a single-file virus scan on them.

     

    Go here:

    http://www.virustotal.com/

     

    Use the browse button to navigate to the following file:

     

    C:\WINDOWS\LMIE7.tmp

     

    A separate box should pop up to allow you to browse to the file in that location (C:\Windows). When you see LMIE7.tmp, click on it to highlight it and hit the *Open* button. You should now see that file in the browse box there at VirusTotal. Hit *Send file* and wait while it scans your file. It will give you a report at the end when it finishes. Please copy that report and paste it into your reply back here.

     

    Now do the same with the file:

    C:\WINDOWS\LMI108D.tmp

  • Customer

    Here is the new ComboFix log file followed by the new HijackThis log file:

     

     

    ComboFix 08-03-14.4 - Sandy 2008-03-18 11:18:29.5 - NTFSx86

    Running from: C:\Documents and Settings\Sandy\Desktop\ComboFix.exe

    Command switches used :: C:\Documents and Settings\Sandy\Desktop\CFScript.txt

    * Created a new restore point

     

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    .

     

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    .

     

    C:\WINDOWS\Installer\{76df3b7b-becf-4781-9760-5f62e5901545}

    C:\WINDOWS\Installer\{76df3b7b-becf-4781-9760-5f62e5901545}\zip.dll

    C:\WINDOWS\Installer\{89da981f-b01a-4a92-ab98-c8026aa55815}

    C:\WINDOWS\Installer\{89da981f-b01a-4a92-ab98-c8026aa55815}\MonSetup.dll

     

    .

    ((((((((((((((((((((((((( Files Created from 2008-02-18 to 2008-03-18 )))))))))))))))))))))))))))))))

    .

     

    2008-03-17 19:10 . 2008-03-17 19:10 <DIR> d-------- C:\WINDOWS\ERUNT

    2008-03-17 19:05 . 2008-03-17 19:31 <DIR> d-------- C:\SDFix

    2008-03-16 23:32 . 2008-03-16 23:39 <DIR> d-------- C:\Program Files\EsetOnlineScanner

    2008-03-16 21:44 . 2008-03-16 21:44 <DIR> d-------- C:\Program Files\Trend Micro

    2008-03-15 14:44 . 2008-03-15 14:44 <DIR> d-------- C:\Program Files\Lavasoft

    2008-03-15 14:43 . 2008-03-15 14:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

    2008-03-14 17:35 . 2008-03-14 17:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

    2008-03-13 10:32 . 2008-03-13 10:33 <DIR> d-------- C:\WINDOWS\LMI108D.tmp

    2008-03-07 14:03 . 2008-03-07 14:03 625,032 --a------ C:\WINDOWS\system32\SymNeti.dll

    2008-03-07 14:03 . 2008-03-07 14:03 242,056 --a------ C:\WINDOWS\system32\SymRedir.dll

    2008-03-07 13:40 . 2008-03-07 13:40 13,035 --a------ C:\WINDOWS\system32\drivers\SymRedir.cat

    2008-03-07 13:40 . 2008-03-07 13:40 1,358 --a------ C:\WINDOWS\system32\drivers\SymRedir.inf

    2008-03-07 13:39 . 2008-03-07 13:39 191,536 --a------ C:\WINDOWS\system32\drivers\symtdi.sys

    2008-03-07 13:39 . 2008-03-07 13:39 145,968 --a------ C:\WINDOWS\system32\drivers\symfw.sys

    2008-03-07 13:39 . 2008-03-07 13:39 39,984 --a------ C:\WINDOWS\system32\drivers\symids.sys

    2008-03-07 13:39 . 2008-03-07 13:39 37,936 --a------ C:\WINDOWS\system32\drivers\symndisv.sys

    2008-03-07 13:39 . 2008-03-07 13:39 35,120 --a------ C:\WINDOWS\system32\drivers\symndis.sys

    2008-03-07 13:39 . 2008-03-07 13:39 27,696 --a------ C:\WINDOWS\system32\drivers\symredrv.sys

    2008-03-07 13:39 . 2008-03-07 13:39 12,848 --a------ C:\WINDOWS\system32\drivers\symdns.sys

    2008-03-07 05:06 . 2008-03-12 11:49 118 --a------ C:\WINDOWS\system32\MRT.INI

    2008-03-05 09:58 . 2008-03-05 21:40 <DIR> d-------- C:\WINDOWS\LMIE7.tmp

    2008-03-04 09:40 . 2008-03-04 09:40 48 --a------ C:\amp.bat

    2008-03-04 09:37 . 2008-03-04 09:37 12,288 -r-h----- C:\WINDOWS\system32\syst0bv.exe

     

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2008-03-18 17:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec

    2008-03-18 14:11 --------- d-----w C:\Program Files\Common Files\Symantec Shared

    2008-03-17 14:19 --------- d--h--w C:\Program Files\InstallShield Installation Information

    2008-03-15 17:00 --------- d-----w C:\Program Files\Google

    2008-03-14 20:05 85,504 --sha-w C:\Program Files\Thumbs.db

    2008-03-12 21:19 12,800 ----a-w C:\WINDOWS\system32\svchost.exe

    2008-03-11 03:05 --------- d-----w C:\Program Files\Norton Internet Security

    2008-03-10 03:28 --------- d-----w C:\Program Files\Quicken

    2008-03-07 03:55 --------- d-----w C:\Program Files\Yahoo!

    2008-03-05 15:10 --------- d-----w C:\Program Files\WebLog Expert

    2008-03-04 22:46 --------- d-----w C:\Documents and Settings\Sandy\Application Data\Symantec

    2008-02-11 15:39 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll

    2008-02-11 15:39 237,568 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll

    2008-02-08 19:53 110,592 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll

    2008-02-05 14:48 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe

    2008-01-24 03:10 251,584 ----a-w C:\Documents and Settings\Sandy\Application Data\GDIPFONTCACHEV1.DAT

    2008-01-23 01:54 --------- d-----w C:\Program Files\Microsoft ActiveSync

    2008-01-23 01:49 --------- d-----w C:\Program Files\Common Files\L&H

    .

     

    ((((((((((((((((((((((((((((( snapshot@2008-03-16_23.23.09.78 )))))))))))))))))))))))))))))))))))))))))

    .

    + 2008-03-16 12:18:30 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE

    + 2008-03-18 01:11:06 7,372,800 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat

    + 2008-03-18 01:11:06 151,552 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat

    + 2008-03-16 12:18:30 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE

    + 2008-03-18 01:10:55 7,372,800 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat

    + 2008-03-18 01:10:55 151,552 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat

    + 2007-04-10 20:02:50 1,476,992 ----a-w C:\WINDOWS\LastGood\System32\LegitCheckControl.DLL

    + 2007-07-27 20:49:02 196,683 ----a-w C:\WINDOWS\LastGood\System32\lnod32apiA.dll

    + 2007-07-27 20:49:02 225,355 ----a-w C:\WINDOWS\LastGood\System32\lnod32apiW.dll

    + 2005-12-06 01:25:22 139,264 ----a-w C:\WINDOWS\LastGood\System32\lnod32umc.dll

    + 2005-12-05 18:37:10 106,496 ----a-w C:\WINDOWS\LastGood\System32\lnod32upd.dll

    + 2008-02-11 15:39:26 253,952 ----a-w C:\WINDOWS\LastGood\System32\OnlineScannerDLLA.dll

    + 2008-02-11 15:39:18 237,568 ----a-w C:\WINDOWS\LastGood\System32\OnlineScannerDLLW.dll

    + 2008-02-08 19:53:46 110,592 ----a-w C:\WINDOWS\LastGood\System32\OnlineScannerLang.dll

    + 2008-02-05 14:48:04 77,824 ----a-w C:\WINDOWS\LastGood\System32\OnlineScannerUninstaller.exe

    - 2007-04-10 20:02:50 1,476,992 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll

    + 2007-10-11 20:12:48 1,468,968 ----a-w C:\WINDOWS\system32\LegitCheckControl.DLL

    + 2007-07-27 20:49:02 196,683 ----a-w C:\WINDOWS\system32\lnod32apiA.dll

    + 2007-07-27 20:49:02 225,355 ----a-w C:\WINDOWS\system32\lnod32apiW.dll

    + 2005-12-06 01:25:22 139,264 ----a-w C:\WINDOWS\system32\lnod32umc.dll

    + 2005-12-05 18:37:10 106,496 ----a-w C:\WINDOWS\system32\lnod32upd.dll

    + 2004-12-07 16:11:34 258,352 ----a-w C:\WINDOWS\system32\unicows.dll

    + 2008-03-18 07:41:39 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5d0.dat

    - 2008-03-17 05:17:27 32,768 ----a-w C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat

    + 2008-03-18 17:15:16 360,448 ----a-w C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

     

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 23:59 115816]

     

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

    "ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-01-30 12:57 13312]

    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]

     

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

    "SRUUninstall"="C:\WINDOWS\System32\msiexec.exe" [2005-05-03 11:58 78848]

     

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

    "AppInit_DLLs"=C:\WINDOWS\System32\win_3u.dll

     

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload]

    C:\Documents and Settings\Sandy\Local Settings\Application Data\cftmon.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Firewall auto setup]

    C:\DOCUME~1\Sandy\LOCALS~1\Temp\winlogon.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]

    --a------ 2005-01-12 13:54 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

    --a------ 2005-02-16 22:11 49152 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

    --a------ 2007-03-14 18:05 257088 C:\Program Files\iTunes\iTunesHelper.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

    --a------ 2007-01-19 11:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]

    --------- 2004-05-06 20:07 155648 C:\WINDOWS\system32\NeroCheck.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]

    --a------ 2007-01-14 01:11 771704 C:\Program Files\Norton Internet Security\osCheck.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Outlook Express]

    C:\WINDOWS\twain.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

    --a------ 2007-02-16 10:54 282624 C:\Program Files\QuickTime\qttask.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SandIcon]

    C:\ImageMate CompactFlash USB\SandIcon.Exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

    --a------ 2007-09-25 00:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

    --a------ 2006-07-18 10:36 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USBToolTip]

    --a------ 2005-06-13 01:30 192512 C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe

     

    R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 15:38]

    R3 PCX500;Cisco Wireless LAN Adapters Driver;C:\WINDOWS\System32\DRIVERS\pcx500.sys [2001-08-17 06:11]

    S2 grande48;grande48;C:\WINDOWS\system32\drivers\grande48.sys []

    S3 ATIPCXXX;ATI Parental control device;C:\WINDOWS\System32\DRIVERS\atipcxxx.sys [2001-08-17 06:49]

    S3 ATIVRVXX;ATI Rage Theatre Video (ATIRTCAP);C:\WINDOWS\System32\DRIVERS\atirtcap.sys [2001-08-17 06:49]

    S3 ATIVXSXX;ATI Audio Crossbar (ATIVXBAR);C:\WINDOWS\System32\DRIVERS\ativxbar.sys [2001-08-17 06:49]

     

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

     

    *Newly Created Service* - COMHOST

    .

    Contents of the 'Scheduled Tasks' folder

    "2008-03-05 08:00:16 C:\WINDOWS\Tasks\Norton Internet Security - All - Sandy.job"

    - C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeg/SE- /TASK:

    "2008-02-29 14:24:00 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Sandy.job"

    - C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:

    .

    **************************************************************************

     

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2008-03-18 11:23:38

    Windows 5.1.2600 NTFS

     

    scanning hidden processes ...

     

    scanning hidden autostart entries ...

     

    scanning hidden files ...

     

    scan completed successfully

    hidden files: 0

     

    **************************************************************************

    .

    Completion time: 2008-03-18 11:24:58

    ComboFix-quarantined-files.txt 2008-03-18 17:24:48

    ComboFix2.txt 2008-03-17 21:29:47

    ComboFix3.txt 2008-03-17 05:23:52

    ComboFix4.txt 2008-03-06 03:43:46

    .

    2008-03-15 08:55:48 --- E O F ---

     

    ______________________________________________

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 11:27:35 AM, on 3/18/2008

    Platform: Windows XP (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Boot mode: Normal

     

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\System32\Ati2evxx.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Viewpoint\Common\ViewpointService.exe

    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\System32\WgaTray.exe

    C:\WINDOWS\System32\wuauclt.exe

    C:\Program Files\Common Files\Symantec Shared\ccApp.exe

    C:\WINDOWS\System32\devldr32.exe

    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe

    C:\WINDOWS\explorer.exe

    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

     

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST1.03.0000.1005\en-xu\stmain.dll

    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar1.02.3000.1001\en-us\msntb.dll

    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar1.02.3000.1001\en-us\msntb.dll

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')

    O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')

    O4 - HKUS\S-1-5-18\..\RunOnce: [SRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'SYSTEM')

    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')

    O4 - HKUS\.DEFAULT\..\RunOnce: [SRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'Default user')

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

    O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab

    O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://www.snapfish.com/SnapfishOutlookImport.cab

    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab

    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab

    O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab

    O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://ispe.sdc.hp.com/awebui/jsp/answerwe...SWebManager.CAB

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1108410660308

    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1152998967447

    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab

    O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave.com/content/luxor/mjolauncher.cab

    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab

    O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab

    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/SymAData.cab

    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled...aploader_v6.cab

    O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - file://C:\Program Files\OpenCube\Visual QuickMenu Pro\program\comdlg32.cab

    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    O24 - Desktop Component 0: (no name) - http://gardenperennials.net/assets/perenni...cqscale-125.jpg

    O24 - Desktop Component 1: (no name) - http://gardenperennials.net/assets/perenni...CAscale-125.jpg

    O24 - Desktop Component 2: (no name) - http://gardenperennials.net/assets/perennials-350/paccg.jpg

     

    --

    End of file - 10019 bytes

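Added example, not part of the page and not code from ComboFix, HijackThis or Lavasoft: a small Python triage script that applies to the ComboFix "Reg Loading Points" and HijackThis lines above the checks a helper reading these logs does by hand. It flags a populated AppInit_DLLs value, service or driver entries ComboFix printed with an empty `[]` (no file details found), executables autostarting from a user's Temp or Application Data folder, a system binary name outside its expected directory, and a filename one edit away from a system binary (the `cftmon.exe` / `ctfmon.exe` pair in the log). The lookup tables, directory list and edit-distance threshold are assumptions chosen for this illustration; the sample lines are copied from the posted logs. Flags are leads, not verdicts: the unnamed BHO and the "Unknown owner" service it raises here belong to Symantec and ATI respectively, and would be confirmed against the vendor rather than removed.

```python
"""Heuristic triage of autostart entries in ComboFix / HijackThis-style logs.

Added example, not part of ComboFix, HijackThis or Lavasoft: the heuristics
and the lookup tables below are assumptions chosen for this illustration.
"""
import re

# Windows XP system binaries and the directory each should live in (assumed).
SYSTEM_BINARIES = {
    "ctfmon.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# Directories a legitimate product rarely autostarts from (assumed).
SUSPICIOUS_DIRS = (r"\local settings\temp", r"\locals~1\temp",
                   r"\local settings\application data", r"\windows\temp")
# Executables that legitimately sit directly in C:\WINDOWS on XP (assumed, partial).
WINDIR_ROOT_OK = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "winhlp32.exe"}

# Drive-letter path up to the first .exe/.dll/.sys; quotes and brackets end a path.
PATH_RE = re.compile(r'([a-z]:\\[^"\[\]]*?\.(?:exe|dll|sys))', re.IGNORECASE)


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def triage_line(line: str) -> list:
    """Return the reasons this log line deserves a closer look (empty if none)."""
    s = line.strip()
    low = s.lower()
    reasons = []
    # ComboFix "Reg Loading Points": a populated AppInit_DLLs value means that
    # DLL is mapped into every process that loads user32.dll.
    if low.startswith('"appinit_dlls"=') and s.split("=", 1)[1].strip():
        reasons.append("AppInit_DLLs is set; the listed DLL loads into every user32 process")
    # ComboFix service/driver lines end in "[]" when it recorded no file details.
    if re.match(r"^[rs]\d ", low) and low.endswith("[]"):
        reasons.append("service/driver with no file details recorded")
    # HijackThis lines: unnamed BHO, service binary with no recognised publisher.
    if low.startswith("o2 - bho: (no name)"):
        reasons.append("BHO registered without a name; identify the DLL")
    if low.startswith("o23 - service:") and "- unknown owner -" in low:
        reasons.append("service binary carries no recognised publisher")
    for path in PATH_RE.findall(s):
        directory, _, name = path.lower().rpartition("\\")
        if any(sd in directory for sd in SUSPICIOUS_DIRS):
            reasons.append(f"{name} autostarts from a temp/profile directory")
        if name in SYSTEM_BINARIES and directory != SYSTEM_BINARIES[name]:
            reasons.append(f"{name} carries a system binary name but is outside {SYSTEM_BINARIES[name]}")
        for known in SYSTEM_BINARIES:
            if name != known and osa_distance(name, known) == 1:
                reasons.append(f"{name} is a one-edit lookalike of {known}")
        if directory == r"c:\windows" and name not in WINDIR_ROOT_OK:
            reasons.append(f"{name} sits directly in the Windows directory; confirm what installed it")
    return reasons


def triage(lines) -> list:
    """Pair each flagged line with its reasons, in log order."""
    out = []
    for line in lines:
        reasons = triage_line(line)
        if reasons:
            out.append((line.strip(), reasons))
    return out


# Sample input: lines copied from the ComboFix and HijackThis output posted above.
SAMPLE_LOG = [
    r'"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 23:59 115816]',
    r'"AppInit_DLLs"=C:\WINDOWS\System32\win_3u.dll',
    r"C:\Documents and Settings\Sandy\Local Settings\Application Data\cftmon.exe",
    r"C:\DOCUME~1\Sandy\LOCALS~1\Temp\winlogon.exe",
    r"C:\WINDOWS\twain.exe",
    r"R3 PCX500;Cisco Wireless LAN Adapters Driver;C:\WINDOWS\System32\DRIVERS\pcx500.sys [2001-08-17 06:11]",
    r"S2 grande48;grande48;C:\WINDOWS\system32\drivers\grande48.sys []",
    r"O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')",
    r"O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll",
    r"O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe",
]

if __name__ == "__main__":
    for text, reasons in triage(SAMPLE_LOG):
        print(text)
        for r in reasons:
            print("    ->", r)
```

Run as-is it prints seven flagged lines with their reasons and stays silent on the Symantec ccApp entry, the Cisco driver and the genuine ctfmon.exe run key. The lookalike check uses a transposition-aware edit distance so that swapped letters, the cheapest way to mimic a system name, count as a single edit.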
  • Support

    You know, I have to compliment you on following the instructions I've been giving. You do really well. It's looking better but I still see some issues there (not sure if I'm reading the logs right so I'll check with Mieke once more to get her opinion).

     

    On those temp directories in question. If Norton created them, I'm not too worried about them, they were simply mystery files.

     

    I would like to do this next, please, because I want to examine the files that the last ComboFix run quarantined and see what is there.

     

    Go to this folder:

     

    C:\QooBox\Quarantine

    Right-click on it. Choose "Send to compressed (zipped) folder" and that will make a zip file

    in the same location, i.e.;

    C:\QooBox\Quarantine.zip

     

     

    Please go here to upload a suspicious file for analysis.

    http://www.uploadmalware.com/

     

    * Enter your username from this forum as: nedustbu at LS

     

    * Copy and paste the link to this thread: http://www.lavasoftsupport.com/index.php?showtopic=17040

     

    * Click "Browse" on the 1. field.

    Browse to the following file and click the file with your mouse, press "Open"

    C:\QooBox\Quarantine.zip

     

    * In the comments, please mention that I asked you to upload this file

     

    * Click on Send File

     

    I'll get it and report back to you here.

    .................

    Meanwhile, I see signs of a really ancient infection that I haven't seen in a long, long time, so I want to run this tool on it to see what the results are (this is a free tool from Trend Micro).

     

    Go here:

    http://us.trendmicro.com/us/products/perso...dder/index.html

     

    Click the *Remove Coolwebsearch* button.

     

    That should prompt a download of a file. Save it to your desktop.

    Then double click CWShredder.exe to run it

     

    The icon to click on will look like this:

     

    You will get a screen like this. Checkmark the box that says: "Move CWS files found to the recycle bin instead of deleting them"

     

     

    Then press the *Fix* button to the far right and that will run the tool.

     

    It should make a log at the end. Could you please copy and paste the results back here?

  • Support

    Ack, hope I'm not too late to catch you.

     

    I meant to ask if you had Ad-watch turned off (and you should probably temporarily turn off Symantec also) during these runs. Ad-Watch especially as it might interfere with the fixes we are trying to make.

  • Customer

    This is the results from CWShredder. Let me know if this is what you are looking for.

    Sandy

    __________________________________________

     

    **** Run Keys ****

     

     

     

    **** Browser Helper Objects ****

     

    BHO: [Adobe PDF Reader Link Helper] C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    BHO: [Adobe PDF Reader Link Helper] C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll

    BHO: [SSVHelper Class] C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

    BHO: [ST] C:\Program Files\MSN Apps\ST1.03.0000.1005\en-xu\stmain.dll

    BHO: [Google Toolbar Helper] c:\program files\google\googletoolbar1.dll

    BHO: [MSNToolBandBHO] C:\Program Files\MSN Apps\MSN Toolbar1.02.3000.1001\en-us\msntb.dll

     

     

    **** IE Toolbars ****

     

    TOOLBAR: [MSN] C:\Program Files\MSN Apps\MSN Toolbar1.02.3000.1001\en-us\msntb.dll

    TOOLBAR: [&Radio] C:\WINDOWS\System32\msdxm.ocx

    TOOLBAR: [&Google] c:\program files\google\googletoolbar1.dll

     

     

    **** IE Extensions ****

     

    IEExt: [Web Browser Applet Control] C:\WINDOWS\System32\msjava.dll

    IEExt: [@shdoclc.dll,-866] C:\WINDOWS\System32\msjava.dll

    IEExt: [Messenger] C:\Program Files\Messenger\MSMSGS.EXE

     

     

    **** Hosts File Entries ****

     

    HOSTS: 127.0.0.1 localhost

    HOSTS: 127.0.0.1 localhost

     

     

    **** IE Settings ****

     

    Default Page: http://go.microsoft.com/fwlink/?LinkId=69157

    Default Search: http://go.microsoft.com/fwlink/?LinkId=54896

     

     

    **** IE Context Menu (Right click) ****

     

    IEContext: [E&xport to Microsoft Excel] res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

     

     

    **** Layered Service Providers ****

     

    LSP: MSAFD Tcpip [TCP/IP]

    LSP: MSAFD Tcpip [UDP/IP]

    LSP: RSVP UDP Service Provider

    LSP: RSVP TCP Service Provider

    LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9A698E84-917B-470D-AACE-A4B53C78DB6A}] SEQPACKET 0

    LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9A698E84-917B-470D-AACE-A4B53C78DB6A}] DATAGRAM 0

    LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A027DA03-4B42-4F4F-843F-FD4BCAFA15E4}] SEQPACKET 1

    LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A027DA03-4B42-4F4F-843F-FD4BCAFA15E4}] DATAGRAM 1

    LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D014E927-8DBC-421C-B0EB-EC50EE78E4AE}] SEQPACKET 2

    LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D014E927-8DBC-421C-B0EB-EC50EE78E4AE}] DATAGRAM 2

    LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5DA86DA3-6BB3-4D41-BC68-2CFE26FD9543}] SEQPACKET 3

    LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5DA86DA3-6BB3-4D41-BC68-2CFE26FD9543}] DATAGRAM 3

    LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{08269CD8-8B7B-4349-862F-3A9592824C53}] SEQPACKET 4

    LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{08269CD8-8B7B-4349-862F-3A9592824C53}] DATAGRAM 4

    LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{EF277F47-711D-4A29-AB82-BEAE7774B133}] SEQPACKET 5

    LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{EF277F47-711D-4A29-AB82-BEAE7774B133}] DATAGRAM 5

     

     

    **** Blocked Control Panel Items ****

     

    BLOCKED: [ncpa.cpl] No

    BLOCKED: [odbccp32.cpl] No

     

     

    **** Downloaded Program Files ****

     

    Microsoft XML Parser for Java [file://C:\WINDOWS\Java\classes\xmldso.cab]

    {02BCC737-B171-4746-94C9-0D8A0B2C0089} [http://office.microsoft.com/templates/ieawsdc.cab] C:\WINDOWS\Downloaded Program Files\IEAWSDC.DLL

    {0335A685-ED24-4F7B-A08E-3BD15D84E668} [http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab]

    {10E0E75E-6701-4134-9D95-C0942ED1F1C8} [http://www.snapfish.com/SnapfishOutlookImport.cab]

    {166B1BCA-3F9C-11CF-8075-444553540000} [http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw_promo.cab]

    {17492023-C23A-453E-A040-C7C580BBF700} [http://go.microsoft.com/fwlink/?linkid=39204]

    {1F2F4C9E-6F09-47BC-970D-3C54734667FE} [http://www.symantec.com/techsupp/asa/LSSupCtl.cab]

    {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} [http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab] C:\WINDOWS\Downloaded Program Files\navapi.vxd C:\WINDOWS\Downloaded Program Files\navapi32.dll C:\WINDOWS\Downloaded Program Files\avsniffdlgs.dll C:\WINDOWS\Downloaded Program Files\avsniff.dll

    {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} [C:\Program Files\Yahoo!\Common\yinsthelper.dll]

    {406B5949-7190-4245-91A9-30A17DE16AD0} [http://www.snapfish.com/SnapfishActivia.cab]

    {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} [http://www.eset.eu/buxus/docs/OnlineScanner.cab] C:\WINDOWS\System32\unicows.dll C:\WINDOWS\System32\lnod32umc.dll C:\WINDOWS\System32\lnod32upd.dll C:\WINDOWS\System32\lnod32apiW.dll C:\WINDOWS\System32\lnod32apiA.dll C:\WINDOWS\System32\OnlineScannerDLLW.dll C:\WINDOWS\System32\OnlineScannerDLLA.dll C:\WINDOWS\System32\OnlineScanner.ocx

    {60EFC337-15C2-4369-B2A0-3429B071D8B8} [http://ispe.sdc.hp.com/awebui/jsp/answerweb/applets/HPISWebManager.CAB]

    {6414512B-B978-451D-A0D8-FCFDF33E833C} [http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1108410660308]

    {644E432F-49D3-41A1-8DD5-E099162EEEC5} [http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab]

    {6A344D34-5231-452A-8A57-D064AC9B7862} [https://webdl.symantec.com/activex/symdlmgr.cab]

    {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} [http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152998967447]

    {6F750200-1362-4815-A476-88533DE61D0C} [http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab]

    {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} [http://www.shockwave.com/content/luxor/mjolauncher.cab]

    {8AD9C840-044E-11D1-B3E9-00805F499D93} [http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab]

    {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} [http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab]

    {9F1C11AA-197B-4942-BA54-47A8489BB47F} [http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38103.3629050926]

    {A8658086-E6AC-4957-BC8E-8D54A7E8A790} [http://www.microsoft.com/security/controls/GDI/0/GDIChk.CAB]

    {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} [http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab]

    {B8BE5E93-A60C-4D26-A2DC-220313175592} [http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab]

    {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} [http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab]

    {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} [http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab]

    {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} [http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab]

    {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} [http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab]

    {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} [http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab]

    {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} [http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab]

    {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} [http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab]

    {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} [http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab]

    {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab]

    {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab]

    {CB50428B-657F-47DF-9B32-671F82AA73F7} [http://www.photodex.com/pxplay.cab]

    {CB50428B-657F-47DF-9B32-671F82AA73F7} [http://www.photodex.com/pxplay.cab]

    {CB50428B-657F-47DF-9B32-671F82AA73F7} [http://www.photodex.com/pxplay.cab]

    {CB50428B-657F-47DF-9B32-671F82AA73F7} [http://www.photodex.com/pxplay.cab]

    {CB50428B-657F-47DF-9B32-671F82AA73F7} [http://www.photodex.com/pxplay.cab]

     

     

    **** Windows Services ****

     

    [aawservice] "C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe"

    [Alerter] %SystemRoot%\System32\svchost.exe -k LocalService

    [ALG] %SystemRoot%\System32\alg.exe

    [AppMgmt] %SystemRoot%\system32\svchost.exe -k netsvcs

    [aspnet_state] %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe

    [Ati HotKey Poller] %SystemRoot%\System32\Ati2evxx.exe

    [AudioSrv] %SystemRoot%\System32\svchost.exe -k netsvcs

    [Automatic LiveUpdate Scheduler] "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"

    [BITS] %SystemRoot%\System32\svchost.exe -k netsvcs

    [Browser] %SystemRoot%\system32\svchost.exe -k netsvcs

    [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon

    [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon

    [cisvc] %SystemRoot%\system32\cisvc.exe

    [ClipSrv] %SystemRoot%\system32\clipsrv.exe

    [CLTNetCnService] "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon

    [comHost] "C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe"

    [COMSysApp] C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

    [CryptSvc] %SystemRoot%\system32\svchost.exe -k netsvcs

    [Dhcp] %SystemRoot%\System32\svchost.exe -k netsvcs

    [dmadmin] %SystemRoot%\System32\dmadmin.exe /com

    [dmserver] %SystemRoot%\System32\svchost.exe -k netsvcs

    [Dnscache] %SystemRoot%\System32\svchost.exe -k NetworkService

    [ERSvc] %SystemRoot%\System32\svchost.exe -k netsvcs

    [Eventlog] %SystemRoot%\system32\services.exe

    [EventSystem] C:\WINDOWS\System32\svchost.exe -k netsvcs

    [FastUserSwitchingCompatibility] %SystemRoot%\System32\svchost.exe -k netsvcs

    [gusvc] "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"

    [helpsvc] %SystemRoot%\System32\svchost.exe -k netsvcs

    [HidServ] %SystemRoot%\System32\svchost.exe -k netsvcs

    [IDriverT] "C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe"

    [ImapiService] C:\WINDOWS\System32\imapi.exe

    [iPod Service] C:\Program Files\iPod\bin\iPodService.exe

    [ISPwdSvc] "C:\Program Files\Norton Internet Security\isPwdSvc.exe"

    [lanmanserver] %SystemRoot%\System32\svchost.exe -k netsvcs

    [lanmanworkstation] %SystemRoot%\System32\svchost.exe -k netsvcs

    [LiveUpdate] "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE"

    [LiveUpdate Notice Ex] "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon

    [LiveUpdate Notice Service] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll"

    [LmHosts] %SystemRoot%\System32\svchost.exe -k LocalService

    [MDM] "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"

    [Messenger] %SystemRoot%\system32\svchost.exe -k netsvcs

    [mnmsrvc] C:\WINDOWS\System32\mnmsrvc.exe

    [MSDTC] C:\WINDOWS\System32\msdtc.exe

    [MSIServer] %systemroot%\system32\msiexec.exe /V

    [NetDDE] %SystemRoot%\system32\netdde.exe

    [NetDDEdsdm] %SystemRoot%\system32\netdde.exe

    [Netlogon] %SystemRoot%\system32\lsass.exe

    [Netman] %SystemRoot%\System32\svchost.exe -k netsvcs

    [Nla] %SystemRoot%\System32\svchost.exe -k netsvcs

    [NtLmSsp] %SystemRoot%\System32\lsass.exe

    [NtmsSvc] %SystemRoot%\system32\svchost.exe -k netsvcs

    [PlugPlay] %SystemRoot%\system32\services.exe

    [Pml Driver HPZ12] %SystemRoot%\System32\svchost.exe -k HPZ12

    [PolicyAgent] %SystemRoot%\system32\lsass.exe

    [ProtectedStorage] %SystemRoot%\system32\lsass.exe

    [RasAuto] %SystemRoot%\System32\svchost.exe -k netsvcs

    [RasMan] %SystemRoot%\System32\svchost.exe -k netsvcs

    [RDSessMgr] C:\WINDOWS\system32\sessmgr.exe

    [RemoteAccess] %SystemRoot%\System32\svchost.exe -k netsvcs

    [RemoteRegistry] %SystemRoot%\system32\svchost.exe -k LocalService

    [RpcLocator] %SystemRoot%\System32\locator.exe

    [RpcSs] %SystemRoot%\system32\svchost -k rpcss

    [RSVP] %SystemRoot%\System32\rsvp.exe

    [SamSs] %SystemRoot%\system32\lsass.exe

    [SCardDrv] %SystemRoot%\System32\SCardSvr.exe

    [SCardSvr] %SystemRoot%\System32\SCardSvr.exe

    [seclogon] %SystemRoot%\System32\svchost.exe -k netsvcs

    [SENS] %SystemRoot%\system32\svchost.exe -k netsvcs

    [SharedAccess] %SystemRoot%\System32\svchost.exe -k netsvcs

    [ShellHWDetection] %SystemRoot%\System32\svchost.exe -k netsvcs

    [Spooler] %SystemRoot%\system32\spoolsv.exe

    [srservice] %SystemRoot%\System32\svchost.exe -k netsvcs

    [SSDPSRV] %SystemRoot%\System32\svchost.exe -k LocalService

    [stisvc] %SystemRoot%\System32\svchost.exe -k imgsvc

    [SwPrv] C:\WINDOWS\System32\dllhost.exe /Processid:{F3934BDD-7FC3-4230-9F32-9E0E3E4F3148}

    [Symantec Core LC] "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"

    [SymAppCore] "C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe"

    [SysmonLog] %SystemRoot%\system32\smlogsvc.exe

    [TapiSrv] %SystemRoot%\System32\svchost.exe -k netsvcs

    [TermService] %SystemRoot%\System32\svchost.exe -k netsvcs

    [Themes] %SystemRoot%\System32\svchost.exe -k netsvcs

    [TlntSvr] C:\WINDOWS\System32\tlntsvr.exe

    [TrkWks] %SystemRoot%\system32\svchost.exe -k netsvcs

    [UMWdf] C:\WINDOWS\System32\wdfmgr.exe

    [uploadmgr] %SystemRoot%\System32\svchost.exe -k netsvcs

    [upnphost] %SystemRoot%\System32\svchost.exe -k LocalService

    [UPS] %SystemRoot%\System32\ups.exe

    [usnjsvc] "C:\Program Files\MSN Messenger\usnsvc.exe"

    [Viewpoint Manager Service] "C:\Program Files\Viewpoint\Common\ViewpointService.exe"

    [VSS] %SystemRoot%\System32\vssvc.exe

    [W32Time] %SystemRoot%\System32\svchost.exe -k netsvcs

    [WebClient] %SystemRoot%\System32\svchost.exe -k LocalService

    [winmgmt] %systemroot%\system32\svchost.exe -k netsvcs

    [WmdmPmSN] %SystemRoot%\System32\svchost.exe -k netsvcs

    [Wmi] %SystemRoot%\System32\svchost.exe -k netsvcs

    [WmiApSrv] C:\WINDOWS\System32\wbem\wmiapsrv.exe

    [wuauserv] %systemroot%\system32\svchost.exe -k netsvcs

    [WZCSVC] %SystemRoot%\System32\svchost.exe -k netsvcs

     

     

    **** Custom IE Search Items ****

     

    SEARCH: [SearchAssistant] http://www.google.com/ie

    SEARCH: [SearchAssistant] http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

    SEARCH: [CustomizeSearch] http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

    SEARCH: [Default_Search_URL] http://www.google.com/ie

    **** Complete IE Options ****

     

    IEOPT: [Default_Page_URL] http://go.microsoft.com/fwlink/?LinkId=69157

    IEOPT: [Default_Search_URL] http://go.microsoft.com/fwlink/?LinkId=54896

    IEOPT: [search Page] http://go.microsoft.com/fwlink/?LinkId=54896

    IEOPT: [Enable_Disk_Cache] yes

    IEOPT: [Cache_Percent_of_Disk]

    IEOPT: [Delete_Temp_Files_On_Exit] yes

    IEOPT: [Local Page] %SystemRoot%\system32\blank.htm

    IEOPT: [Anchor_Visitation_Horizon]

    IEOPT: [use_Async_DNS] yes

    IEOPT: [Placeholder_Width]

    IEOPT: [Placeholder_Height]

    IEOPT: [start Page] http://www.msn.com/

    IEOPT: [CompanyName] Microsoft Corporation

    IEOPT: [Custom_Key] MICROSO

    IEOPT: [Wizard_Version] 6.00.2800.1106

    IEOPT: [FullScreen] no

    IEOPT: [use_DlgBox_Colors] yes

    IEOPT: [use Search Asst] no

    0
  • Customer

    I just checked back here and found this post. No, I didn't have Ad-Watch turned off. Let me know if you want me to run the fixes again with both Ad-Watch and Symantec off.

    Sandy

    I meant to ask if you had Ad-Watch turned off (and you should probably temporarily turn off Symantec also) during these runs. Ad-Watch especially, as it might interfere with the fixes we are trying to make.

    0
  • Customer

    Here is the new ComboFix.txt, followed by a new HijackThis log.
    ComboFix 08-03-14.4 - Sandy 2008-03-18 13:40:37.6 - NTFSx86

    Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.154 [GMT -6:00]

    Running from: C:\Documents and Settings\Sandy\Desktop\ComboFix.exe

    Command switches used :: C:\Documents and Settings\Sandy\Desktop\CFScript.txt

    * Created a new restore point

     

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

     

    FILE ::

    C:\amp.bat

    C:\Program Files\Internet Explorer\mokeogmv.exe

    C:\WINDOWS\Downloaded Program Files\ieplugin001.dll

    C:\WINDOWS\system32\syst0bv.exe

    C:\WINDOWS\System32\win_3u.dll

    .

     

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    .

     

    C:\amp.bat

    C:\WINDOWS\Downloaded Program Files\ieplugin001.dll

    C:\WINDOWS\system32\syst0bv.exe

     

    .

    ((((((((((((((((((((((((( Files Created from 2008-02-18 to 2008-03-18 )))))))))))))))))))))))))))))))

    .

     

    2008-03-17 19:10 . 2008-03-17 19:10 <DIR> d-------- C:\WINDOWS\ERUNT

    2008-03-17 19:05 . 2008-03-17 19:31 <DIR> d-------- C:\SDFix

    2008-03-16 23:32 . 2008-03-16 23:39 <DIR> d-------- C:\Program Files\EsetOnlineScanner

    2008-03-16 21:44 . 2008-03-16 21:44 <DIR> d-------- C:\Program Files\Trend Micro

    2008-03-15 14:44 . 2008-03-15 14:44 <DIR> d-------- C:\Program Files\Lavasoft

    2008-03-15 14:43 . 2008-03-15 14:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

    2008-03-14 17:35 . 2008-03-14 17:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

    2008-03-13 10:32 . 2008-03-13 10:33 <DIR> d-------- C:\WINDOWS\LMI108D.tmp

    2008-03-07 14:03 . 2008-03-07 14:03 625,032 --a------ C:\WINDOWS\system32\SymNeti.dll

    2008-03-07 14:03 . 2008-03-07 14:03 242,056 --a------ C:\WINDOWS\system32\SymRedir.dll

    2008-03-07 13:40 . 2008-03-07 13:40 13,035 --a------ C:\WINDOWS\system32\drivers\SymRedir.cat

    2008-03-07 13:40 . 2008-03-07 13:40 1,358 --a------ C:\WINDOWS\system32\drivers\SymRedir.inf

    2008-03-07 13:39 . 2008-03-07 13:39 191,536 --a------ C:\WINDOWS\system32\drivers\symtdi.sys

    2008-03-07 13:39 . 2008-03-07 13:39 145,968 --a------ C:\WINDOWS\system32\drivers\symfw.sys

    2008-03-07 13:39 . 2008-03-07 13:39 39,984 --a------ C:\WINDOWS\system32\drivers\symids.sys

    2008-03-07 13:39 . 2008-03-07 13:39 37,936 --a------ C:\WINDOWS\system32\drivers\symndisv.sys

    2008-03-07 13:39 . 2008-03-07 13:39 35,120 --a------ C:\WINDOWS\system32\drivers\symndis.sys

    2008-03-07 13:39 . 2008-03-07 13:39 27,696 --a------ C:\WINDOWS\system32\drivers\symredrv.sys

    2008-03-07 13:39 . 2008-03-07 13:39 12,848 --a------ C:\WINDOWS\system32\drivers\symdns.sys

    2008-03-07 05:06 . 2008-03-12 11:49 118 --a------ C:\WINDOWS\system32\MRT.INI

    2008-03-05 09:58 . 2008-03-05 21:40 <DIR> d-------- C:\WINDOWS\LMIE7.tmp

     

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2008-03-18 19:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec

    2008-03-18 17:19 --------- d-----w C:\Program Files\Common Files\Symantec Shared

    2008-03-17 14:19 --------- d--h--w C:\Program Files\InstallShield Installation Information

    2008-03-15 17:00 --------- d-----w C:\Program Files\Google

    2008-03-14 20:05 85,504 --sha-w C:\Program Files\Thumbs.db

    2008-03-12 21:19 12,800 ----a-w C:\WINDOWS\system32\svchost.exe

    2008-03-11 03:05 --------- d-----w C:\Program Files\Norton Internet Security

    2008-03-10 03:28 --------- d-----w C:\Program Files\Quicken

    2008-03-07 03:55 --------- d-----w C:\Program Files\Yahoo!

    2008-03-05 15:10 --------- d-----w C:\Program Files\WebLog Expert

    2008-03-04 22:46 --------- d-----w C:\Documents and Settings\Sandy\Application Data\Symantec

    2008-02-11 15:39 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll

    2008-02-11 15:39 237,568 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll

    2008-02-08 19:53 110,592 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll

    2008-02-05 14:48 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe

    2008-01-24 03:10 251,584 ----a-w C:\Documents and Settings\Sandy\Application Data\GDIPFONTCACHEV1.DAT

    2008-01-23 01:54 --------- d-----w C:\Program Files\Microsoft ActiveSync

    2008-01-23 01:49 --------- d-----w C:\Program Files\Common Files\L&H

    .

     

    ((((((((((((((((((((((((((((( snapshot@2008-03-16_23.23.09.78 )))))))))))))))))))))))))))))))))))))))))

    .

    + 2008-03-16 12:18:30 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE

    + 2008-03-18 01:11:06 7,372,800 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat

    + 2008-03-18 01:11:06 151,552 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat

    + 2008-03-16 12:18:30 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE

    + 2008-03-18 01:10:55 7,372,800 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat

    + 2008-03-18 01:10:55 151,552 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat

    + 2007-04-10 20:02:50 1,476,992 ----a-w C:\WINDOWS\LastGood\System32\LegitCheckControl.DLL

    + 2007-07-27 20:49:02 196,683 ----a-w C:\WINDOWS\LastGood\System32\lnod32apiA.dll

    + 2007-07-27 20:49:02 225,355 ----a-w C:\WINDOWS\LastGood\System32\lnod32apiW.dll

    + 2005-12-06 01:25:22 139,264 ----a-w C:\WINDOWS\LastGood\System32\lnod32umc.dll

    + 2005-12-05 18:37:10 106,496 ----a-w C:\WINDOWS\LastGood\System32\lnod32upd.dll

    + 2008-02-11 15:39:26 253,952 ----a-w C:\WINDOWS\LastGood\System32\OnlineScannerDLLA.dll

    + 2008-02-11 15:39:18 237,568 ----a-w C:\WINDOWS\LastGood\System32\OnlineScannerDLLW.dll

    + 2008-02-08 19:53:46 110,592 ----a-w C:\WINDOWS\LastGood\System32\OnlineScannerLang.dll

    + 2008-02-05 14:48:04 77,824 ----a-w C:\WINDOWS\LastGood\System32\OnlineScannerUninstaller.exe

    - 2007-04-10 20:02:50 1,476,992 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll

    + 2007-10-11 20:12:48 1,468,968 ----a-w C:\WINDOWS\system32\LegitCheckControl.DLL

    + 2007-07-27 20:49:02 196,683 ----a-w C:\WINDOWS\system32\lnod32apiA.dll

    + 2007-07-27 20:49:02 225,355 ----a-w C:\WINDOWS\system32\lnod32apiW.dll

    + 2005-12-06 01:25:22 139,264 ----a-w C:\WINDOWS\system32\lnod32umc.dll

    + 2005-12-05 18:37:10 106,496 ----a-w C:\WINDOWS\system32\lnod32upd.dll

    + 2004-12-07 16:11:34 258,352 ----a-w C:\WINDOWS\system32\unicows.dll

    + 2008-03-18 07:41:39 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5d0.dat

    - 2008-03-17 05:17:27 32,768 ----a-w C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat

    + 2008-03-18 19:31:31 458,752 ----a-w C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

     

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

    "ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-01-30 12:57 13312]

    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]

     

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

    "SRUUninstall"="C:\WINDOWS\System32\msiexec.exe" [2005-05-03 11:58 78848]

     

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload]

    C:\Documents and Settings\Sandy\Local Settings\Application Data\cftmon.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Firewall auto setup]

    C:\DOCUME~1\Sandy\LOCALS~1\Temp\winlogon.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]

    --a------ 2005-01-12 13:54 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

    --a------ 2005-02-16 22:11 49152 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

    --a------ 2007-03-14 18:05 257088 C:\Program Files\iTunes\iTunesHelper.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

    --a------ 2007-01-19 11:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]

    --------- 2004-05-06 20:07 155648 C:\WINDOWS\system32\NeroCheck.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]

    --a------ 2007-01-14 01:11 771704 C:\Program Files\Norton Internet Security\osCheck.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Outlook Express]

    C:\WINDOWS\twain.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

    --a------ 2007-02-16 10:54 282624 C:\Program Files\QuickTime\qttask.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SandIcon]

    C:\ImageMate CompactFlash USB\SandIcon.Exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

    --a------ 2007-09-25 00:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

    --a------ 2006-07-18 10:36 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

     

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USBToolTip]

    --a------ 2005-06-13 01:30 192512 C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe

     

    R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 15:38]

    R3 PCX500;Cisco Wireless LAN Adapters Driver;C:\WINDOWS\System32\DRIVERS\pcx500.sys [2001-08-17 06:11]

    S2 grande48;grande48;C:\WINDOWS\system32\drivers\grande48.sys []

    S3 ATIPCXXX;ATI Parental control device;C:\WINDOWS\System32\DRIVERS\atipcxxx.sys [2001-08-17 06:49]

    S3 ATIVRVXX;ATI Rage Theatre Video (ATIRTCAP);C:\WINDOWS\System32\DRIVERS\atirtcap.sys [2001-08-17 06:49]

    S3 ATIVXSXX;ATI Audio Crossbar (ATIVXBAR);C:\WINDOWS\System32\DRIVERS\ativxbar.sys [2001-08-17 06:49]

     

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

     

    *Newly Created Service* - COMHOST

    .

    Contents of the 'Scheduled Tasks' folder

    "2008-03-05 08:00:16 C:\WINDOWS\Tasks\Norton Internet Security - All - Sandy.job"

    - C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeg/SE- /TASK:

    "2008-02-29 14:24:00 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Sandy.job"

    - C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:

    .

    **************************************************************************

     

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2008-03-18 13:43:33

    Windows 5.1.2600 NTFS

     

    scanning hidden processes ...

     

    scanning hidden autostart entries ...

     

    scanning hidden files ...

     

    scan completed successfully

    hidden files: 0

     

    **************************************************************************

    .

    Completion time: 2008-03-18 13:44:30

    ComboFix-quarantined-files.txt 2008-03-18 19:44:21

    ComboFix2.txt 2008-03-18 17:24:59

    ComboFix3.txt 2008-03-17 21:29:47

    ComboFix4.txt 2008-03-17 05:23:52

    ComboFix5.txt 2008-03-06 03:43:46

    .

    2008-03-15 08:55:48 --- E O F ---

    --------------------------------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 1:47:42 PM, on 3/18/2008

    Platform: Windows XP (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Boot mode: Normal

     

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\System32\Ati2evxx.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Viewpoint\Common\ViewpointService.exe

    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\System32\WgaTray.exe

    C:\WINDOWS\System32\wuauclt.exe

    C:\Program Files\Common Files\Symantec Shared\ccApp.exe

    C:\WINDOWS\System32\devldr32.exe

    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    C:\WINDOWS\explorer.exe

    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

     

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST1.03.0000.1005\en-xu\stmain.dll

    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar1.02.3000.1001\en-us\msntb.dll

    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar1.02.3000.1001\en-us\msntb.dll

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')

    O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')

    O4 - HKUS\S-1-5-18\..\RunOnce: [sRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'SYSTEM')

    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')

    O4 - HKUS\.DEFAULT\..\RunOnce: [sRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'Default user')

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

    O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab

    O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://www.snapfish.com/SnapfishOutlookImport.cab

    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab

    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab

    O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab

    O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://ispe.sdc.hp.com/awebui/jsp/answerwe...SWebManager.CAB

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1108410660308

    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1152998967447

    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab

    O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave.com/content/luxor/mjolauncher.cab

    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab

    O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab

    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/SymAData.cab

    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled...aploader_v6.cab

    O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - file://C:\Program Files\OpenCube\Visual QuickMenu Pro\program\comdlg32.cab

    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    O24 - Desktop Component 0: (no name) - http://gardenperennials.net/assets/perenni...cqscale-125.jpg

    O24 - Desktop Component 1: (no name) - http://gardenperennials.net/assets/perenni...CAscale-125.jpg

    O24 - Desktop Component 2: (no name) - http://gardenperennials.net/assets/perennials-350/paccg.jpg

     

    --

    End of file - 9960 bytes

    -------------------------------------------------------------

    0
