
Outerinfo And Other Pop-ups That Re-appear After Removal


9 replies to this topic

#1 havoc110

  • Members
  • 81 posts

Posted 23 July 2007 - 01:43 PM

Hello, board members,

I have a terrible infestation. Outerinfo that I cannot install, Virtumonde that reappears, and probably more.

I have followed the preparation guide to the best of my abilities:

I am using AdAware 2007. It will clean and remove, but will not be clean upon re-boot, after many tries.
Also running Spybot S&D. Same story. Also Norton A/V 2005 w/ current definitions.

I did not get good results with Housecall, Panda, or BitDefender. Housecall ran once. I accidentally closed it when I mistook it for one of the many pop-ups that appeared while running (the pop-up's graphics had stayed over the Housecall window after I closed it, and I closed the Housecall window). Further attempts to run Housecall stopped during "Preparing" (I gave it about 15-20 min). Panda never ran; it would not get past "Updating = 0%". And BitDefender gave me a series of pop-ups to "ErrorDefender" which I closed down and avoided.

Neither the Outerinfo uninstall nor the stand-alone uninstaller d/l'ed from Outerinfo were able to uninstall.

Stinger ran clean. I still have System Restore Disabled.

Thanks for any and all help you can provide.
Here's my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:21, on 2007-07-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\svhost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\??sembly\r?ndll32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\lhkkvjih.dll",forkonce
O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert to Palm e-Book - C:\Program Files\CnPUG-WavePDB\WavePDB.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v44/scrab...rabblecubes.cab
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comned.com/signuptemplates/AktiveSekurity.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/installd...leanerstart.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://racing.youbet.com/wr_6_2/controls/ybrequest.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1183147794796
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://mail.leesallee.com/Remote/msrdp.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2002\AcDcToday.ocx
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://mirror.worldwinner.com/games/v45/wo...jo/wordmojo.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD LT 2002\InstBanr.ocx
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O16 - DPF: {BB637307-92FA-47EC-B3F7-6969078673CC} (Royal Control) - http://www.worldwinner.com/games/v44/royal/royal.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD LT 2002\InstFred.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystand.com/assets/activex/v...acheManager.CAB
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2002\AcPreview.ocx
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 12478 bytes
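Added example, not part of this thread and not code from HijackThis or ComboFix: a small Python triage script that reads O2 (BHO) and O4 (autostart) lines of the kind shown in the log above and flags the patterns a helper looks for by eye. The sample input is copied from the posted log plus one clean O4 and one clean O2 entry. The heuristics are assumptions of mine about what deserves a second look, not rules the tools implement: a name that is a near miss of a Windows core binary (svhost.exe next to svchost.exe), an executable running directly from the Windows folder instead of System32 or Program Files, a rundll32 entry loading a DLL with a random-looking name, a BHO whose DLL is already gone, and a long hexadecimal command-line token. The same name check also catches poolsv.exe against spoolsv.exe, a name that turns up in the ComboFix deletion list later in the thread.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: O2/O4 lines copied from the HijackThis log posted above,
# plus one clean O4 and one clean O2 entry so the heuristics have something to pass.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\lhkkvjih.dll",forkonce
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {B0B7ED5D-208A-42D4-BFEB-DCFF5B233B45} - C:\WINDOWS\system32\vturq.dll (file missing)
"""

# Windows core binaries whose names get imitated (assumed list; extend as needed).
SYSTEM_BINARIES = sorted({"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                          "services.exe", "spoolsv.exe", "explorer.exe", "rundll32.exe"})
# Microsoft binaries that legitimately sit directly in %WINDIR% rather than System32.
WINDIR_RESIDENTS = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe"}

O4_RE = re.compile(r"^O4 - \S+: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
QUOTED_RE = re.compile(r'^"([^"]+)"\s*(.*)$')
UNQUOTED_RE = re.compile(r"^(\S+?\.(?:exe|dll|com|scr))(?:\s+(.*))?$", re.IGNORECASE)
DLL_ARG_RE = re.compile(r'"?([^",]+\.dll)"?', re.IGNORECASE)
HEX_ARG_RE = re.compile(r"\b[0-9A-Fa-f]{32,}\b")


def edit_distance(a, b):
    """Plain Levenshtein distance; small enough inputs that the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(basename):
    """Return the core binary this name imitates (distance 1 or 2), or None if exact/unrelated."""
    if basename in SYSTEM_BINARIES:
        return None
    for real in SYSTEM_BINARIES:
        if edit_distance(basename, real) <= 2:
            return real
    return None


def looks_random(filename):
    """Crude stand-in for entropy: an alphabetic stem of 5+ letters with almost no vowels."""
    stem = PureWindowsPath(filename).stem.lower()
    if len(stem) < 5 or not stem.isalpha():
        return False
    return sum(c in "aeiouy" for c in stem) / len(stem) <= 0.2


def split_command(cmd):
    """Split an O4 command into (path, args); handles quoted and unquoted paths."""
    m = QUOTED_RE.match(cmd) or UNQUOTED_RE.match(cmd)
    if not m:
        return cmd, ""
    return m.group(1), (m.group(2) or "")


def audit_line(line):
    """Return (entry key, reasons); key is the O4 name or the BHO CLSID, None if unparsed."""
    reasons = []
    m = O4_RE.match(line)
    if m:
        path, args = split_command(m.group("cmd"))
        p = PureWindowsPath(path)
        base = p.name.lower()
        real = lookalike_of(base)
        if real:
            reasons.append(f"{base} is a near miss of system binary {real}")
        if len(p.parent.parts) == 2 and p.parent.parts[1].lower() == "windows" \
                and base not in WINDIR_RESIDENTS:
            reasons.append(f"{base} runs directly from %WINDIR% instead of System32 or Program Files")
        if HEX_ARG_RE.search(args):
            reasons.append("long hexadecimal command-line argument")
        if base == "rundll32.exe":
            dm = DLL_ARG_RE.search(args)
            if dm and looks_random(dm.group(1)):
                reasons.append(f"rundll32 loads DLL with random-looking name {PureWindowsPath(dm.group(1)).name}")
        return m.group("name"), reasons
    m = O2_RE.match(line)
    if m:
        path = m.group("path")
        if path.endswith("(file missing)"):
            path = path[: -len("(file missing)")].strip()
            reasons.append("BHO is registered but its DLL is gone (orphaned or partially removed)")
        if m.group("name") == "(no name)":
            reasons.append("BHO has no name")
        if looks_random(path):
            reasons.append(f"BHO DLL has random-looking name {PureWindowsPath(path).name}")
        return m.group("clsid"), reasons
    return None, reasons


def audit(log_text):
    """Map each flagged entry (O4 name or BHO CLSID) to its reasons; clean entries are omitted."""
    findings = {}
    for line in log_text.splitlines():
        key, reasons = audit_line(line.strip())
        if key is not None and reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in audit(SAMPLE_LOG).items():
        print(key)
        for r in reasons:
            print("   -", r)
```

These are triage hints, not verdicts: a vowel-poor name like tfswshx.dll (a legitimate DriveLetterAccess component elsewhere in this log) would trip the random-name check, so every hit still needs a look at the file's signer, date and location before anything is removed.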

#2 sjpritch25

  • Security Colleague
  • 898 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 24 July 2007 - 07:09 PM

Welcome to BC :thumbsup:

Download Combofix and save it to your desktop.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe


Note: It is important that it is saved directly to your desktop

Close any open browsers.

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Post the ComboFix.txt and a fresh Hijackthis log in your next reply.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Microsoft MVP Consumer Security--2007-2010

#3 havoc110
  • Topic Starter

  • Members
  • 81 posts

Posted 25 July 2007 - 07:03 AM

Thanks so much for your help, SJ.

Some more info that might help:
I think the problem is Virtumonde.
Spybot S&D keeps finding it and it returns after removal.
I also ran VundoFix and VirtumundoBeGone with no success.

Also, there does not seem to be any virus activity if I am not using IE.

When I ran ComboFix, I entered "1" to continue. Then I watched the screen for a couple of minutes. I had stepped away from my PC and then I heard it reboot, so I cannot report if the window said anything else, sorry.

Here is the ComboFix log:

"Don Walsh" - 2007-07-25 7:40:01 - ComboFix 07-07-23.6 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\DONWAL~1\APPLIC~1.\fnts~1
C:\Program Files\Common Files\sembly~1
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\poolsv
C:\Program Files\poolsv\k11u72.exe
C:\Program Files\poolsv\svhost.exe
C:\Program Files\poolsv\wr-1-0000077.exe
C:\Program Files\poolsv\YazzleBundle-1549.exe
C:\Program Files\svhost
C:\Program Files\svhost\wr-1-0000077.exe
C:\Program Files\winpop
C:\Program Files\winpop\UnInstall.exe
C:\temp\tn3
C:\WINDOWS\b104.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\b136.exe
C:\WINDOWS\DOWNLO~1\UERT_0001_D19M2109NetInstaller.exe
C:\WINDOWS\DOWNLO~1\UPRP_0001_D21M2103NetInstaller.exe
C:\WINDOWS\poolsv.exe
C:\WINDOWS\svhost.exe
C:\WINDOWS\system32\b10FdUe
C:\WINDOWS\system32\bcupooja.exe
C:\WINDOWS\system32\brsdxsyo.exe
C:\WINDOWS\system32\bxnrdgxq.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\grrlukig.exe
C:\WINDOWS\system32\jidctngs.exe
C:\WINDOWS\system32\qfcjvdix.exe
C:\WINDOWS\system32\qikhhdhy.exe
C:\WINDOWS\system32\tjempoge.exe
C:\WINDOWS\system32\wtsicomsv32.exe
C:\WINDOWS\system32\yrplxmiw.exe
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_FOPN
-------\LEGACY_NPF
-------\core


((((((((((((((((((((((((( Files Created from 2007-06-25 to 2007-07-25 )))))))))))))))))))))))))))))))


2007-07-23 15:26 6,511 ---hs---- C:\WINDOWS\SYSTEM32\oqtss.bak1
2007-07-23 15:26 266,336 --a------ C:\WINDOWS\SYSTEM32\sstqo.dll.vir
2007-07-23 15:16 <DIR> d-------- C:\VundoFix Backups
2007-07-23 13:45 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-23 13:36 126,016 --a------ C:\WINDOWS\SYSTEM32\lhkkvjih.dll
2007-07-23 13:25 4,212 ---h----- C:\WINDOWS\SYSTEM32\zllictbl.dat
2007-07-23 13:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-07-23 13:24 75,932 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klick.dat
2007-07-23 13:24 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-07-23 13:24 74,396 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klin.dat
2007-07-23 13:24 11,264 --a------ C:\WINDOWS\SYSTEM32\SpOrder.dll
2007-07-23 13:24 1,265,696 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2007-07-23 13:23 110,360 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kl1.sys
2007-07-23 13:23 1,086,952 --a------ C:\WINDOWS\SYSTEM32\zpeng24.dll
2007-07-23 13:23 <DIR> d-------- C:\WINDOWS\SYSTEM32\ZoneLabs
2007-07-23 13:21 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-07-23 11:56 <DIR> d-------- C:\WINDOWS\SYSTEM32\Panda Software
2007-07-23 10:42 <DIR> d-------- C:\DOCUME~1\DONWAL~1\.housecall6.6
2007-07-23 07:45 126,016 --a------ C:\WINDOWS\SYSTEM32\wnjjynga.dll
2007-07-21 18:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-21 18:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-21 07:21 <DIR> d-------- C:\AV-CLS
2007-07-20 15:53 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-20 15:47 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2007-07-20 15:47 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-07-20 15:47 3,786 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-07-20 15:47 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-07-20 13:44 31,254 --a------ C:\WINDOWS\SYSTEM32\nnnnnmj.dll.vir
2007-07-20 13:44 <DIR> d-------- C:\Temp\brr
2007-07-20 13:44 <DIR> d-------- C:\Temp
2007-07-17 11:08 <DIR> d-------- C:\DOCUME~1\DONWAL~1\APPLIC~1\DivX
2007-07-17 09:56 129,784 --------- C:\WINDOWS\SYSTEM32\pxafs.dll
2007-07-17 09:56 118,520 --------- C:\WINDOWS\SYSTEM32\pxinsi64.exe
2007-07-17 09:56 116,472 --------- C:\WINDOWS\SYSTEM32\pxcpyi64.exe
2007-07-16 14:57 <DIR> d-------- C:\Program Files\Virtools
2007-07-09 15:07 524,288 --a------ C:\WINDOWS\SYSTEM32\DivXsm.exe
2007-07-09 15:07 3,596,288 --a------ C:\WINDOWS\SYSTEM32\qt-dx331.dll
2007-07-09 15:07 200,704 --a------ C:\WINDOWS\SYSTEM32\ssldivx.dll
2007-07-09 15:07 1,044,480 --a------ C:\WINDOWS\SYSTEM32\libdivx.dll
2007-07-09 15:05 823,296 --a------ C:\WINDOWS\SYSTEM32\divx_xx0c.dll
2007-07-09 15:05 823,296 --a------ C:\WINDOWS\SYSTEM32\divx_xx07.dll
2007-07-09 15:05 802,816 --a------ C:\WINDOWS\SYSTEM32\divx_xx11.dll
2007-07-09 15:05 740,442 --a------ C:\WINDOWS\SYSTEM32\DivX.dll
2007-07-09 15:05 73,728 --a------ C:\WINDOWS\SYSTEM32\dpl100.dll
2007-07-09 15:05 593,920 --a------ C:\WINDOWS\SYSTEM32\dpuGUI11.dll
2007-07-09 15:05 57,344 --a------ C:\WINDOWS\SYSTEM32\dpv11.dll
2007-07-09 15:05 53,248 --a------ C:\WINDOWS\SYSTEM32\dpuGUI10.dll
2007-07-09 15:05 344,064 --a------ C:\WINDOWS\SYSTEM32\dpus11.dll
2007-07-09 15:05 294,912 --a------ C:\WINDOWS\SYSTEM32\dpu11.dll
2007-07-09 15:05 294,912 --a------ C:\WINDOWS\SYSTEM32\dpu10.dll
2007-07-09 15:05 196,608 --a------ C:\WINDOWS\SYSTEM32\dtu100.dll
2007-07-09 15:05 124,472 --a------ C:\WINDOWS\SYSTEM32\DivXCodecUpdateChecker.exe
2007-07-09 15:05 12,288 --a------ C:\WINDOWS\SYSTEM32\DivXWMPExtType.dll
2007-06-30 11:27 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-06-29 23:55 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-25 11:47:19 15,884 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-07-21 22:49:10 -------- d-----w C:\Program Files\Lavasoft
2007-07-21 22:49:05 -------- d-----w C:\DOCUME~1\DONWAL~1\APPLIC~1\Lavasoft
2007-07-21 11:05:35 -------- d-----w C:\Program Files\Trillian
2007-07-20 17:46:41 -------- d--h--w C:\Program Files\xnews
2007-07-19 00:29:14 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-07-18 19:11:12 -------- d-----w C:\DOCUME~1\DONWAL~1\APPLIC~1\WeatherBug
2007-07-17 13:56:55 -------- d-----w C:\Program Files\DivX
2007-07-09 19:07:47 36,624 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-06-25 17:43:35 -------- d-----w C:\Program Files\Symantec
2007-06-14 16:08:08 -------- d-----w C:\Program Files\Palm
2007-06-04 19:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 19:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 19:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2004-03-07 07:30:24 16 ----a-w C:\DOCUME~1\DONWAL~1\APPLIC~1\QNVW601P.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B0B7ED5D-208A-42D4-BFEB-DCFF5B233B45}]
C:\WINDOWS\system32\vturq.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 03:01]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 21:47]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 12:00]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-06 12:05]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 18:32]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-12-26 17:57]
"Advanced Tools Check"="C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE" [2005-01-10 13:20]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-15 07:55]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"TClockEx"="C:\Program Files\TClockEx\TCLOCKEX.EXE" [2000-03-09 01:15]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []

C:\Documents and Settings\Don Walsh\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 11:00:00]
HotSync Manager.lnk - C:\Program Files\Palm\HOTSYNC.EXE [2003-09-25 11:47:12]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-04-03 17:21:07]
AutoCAD LT Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [1857-01-01 04:00:00]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [1857-01-01 04:00:00]
DESKTOP.INI [2002-09-03 11:00:00]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-03-25 12:00:19]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

R0 srescan;srescan;C:\WINDOWS\system32\ZoneLabs\srescan.sys
R1 AFD;AFD Networking Support Environment;C:\WINDOWS\system32\drivers\afd.sys
R1 mnmdd;mnmdd;C:\WINDOWS\system32\drivers\mnmdd.sys
R1 sscdbhk5;sscdbhk5;C:\WINDOWS\system32\drivers\sscdbhk5.sys
R1 ssrtln;ssrtln;C:\WINDOWS\system32\drivers\ssrtln.sys
R2 cdenable;cdenable;C:\WINDOWS\system32\Drivers\cdenable.sys
R2 drvnddm;drvnddm;C:\WINDOWS\system32\drivers\drvnddm.sys
R2 lanmanserver;Server;C:\WINDOWS\System32\svchost.exe -k netsvcs
R2 lanmanworkstation;Workstation;C:\WINDOWS\System32\svchost.exe -k netsvcs
R2 tfsnboio;tfsnboio;C:\WINDOWS\system32\dla\tfsnboio.sys
R2 tfsncofs;tfsncofs;C:\WINDOWS\system32\dla\tfsncofs.sys
R2 tfsndrct;tfsndrct;C:\WINDOWS\system32\dla\tfsndrct.sys
R2 tfsndres;tfsndres;C:\WINDOWS\system32\dla\tfsndres.sys
R2 tfsnifs;tfsnifs;C:\WINDOWS\system32\dla\tfsnifs.sys
R2 tfsnopio;tfsnopio;C:\WINDOWS\system32\dla\tfsnopio.sys
R2 tfsnpool;tfsnpool;C:\WINDOWS\system32\dla\tfsnpool.sys
R2 tfsnudf;tfsnudf;C:\WINDOWS\system32\dla\tfsnudf.sys
R2 tfsnudfa;tfsnudfa;C:\WINDOWS\system32\dla\tfsnudfa.sys
R2 winmgmt;Windows Management Instrumentation;C:\WINDOWS\system32\svchost.exe -k netsvcs
R3 E100B;Intel® PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
R3 MxlW2k;MxlW2k;C:\WINDOWS\system32\drivers\MxlW2k.sys
R3 wdmaud;Microsoft WINMM WDM Audio Compatibility Driver;C:\WINDOWS\system32\drivers\wdmaud.sys
S1 P3;Intel PentiumIII Processor Driver;C:\WINDOWS\system32\DRIVERS\p3.sys
S2 Fax;Fax;C:\WINDOWS\system32\fxssvc.exe
S3 i81x;i81x;C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
S3 iAimFP0;iAimFP0;C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
S3 iAimFP1;iAimFP1;C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
S3 iAimFP2;iAimFP2;C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
S3 iAimFP3;iAimFP3;C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
S3 iAimFP4;iAimFP4;C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
S3 iAimTV0;iAimTV0;C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
S3 iAimTV1;iAimTV1;C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
S3 iAimTV2;iAimTV2;C:\WINDOWS\system32\DRIVERS\wATV03nt.sys
S3 iAimTV3;iAimTV3;C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
S3 iAimTV4;iAimTV4;C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
S3 mnmsrvc;NetMeeting Remote Desktop Sharing;C:\WINDOWS\System32\mnmsrvc.exe
S3 nm;Network Monitor Driver;C:\WINDOWS\system32\DRIVERS\NMnt.sys
S3 NPDriver;Norton Unerase Protection Driver;\??\C:\WINDOWS\system32\Drivers\NPDRIVER.SYS
S3 PalmUSBD;PalmUSBD;C:\WINDOWS\system32\drivers\PalmUSBD.sys
S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
S4 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys


Contents of the 'Scheduled Tasks' folder
2007-07-20 13:08:13 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Don Walsh.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-25 07:48:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-25 7:52:37 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-25 07:52

--- E O F ---


And now a current HJThis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:01:05 AM, on 7/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B0B7ED5D-208A-42D4-BFEB-DCFF5B233B45} - C:\WINDOWS\system32\vturq.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert to Palm e-Book - C:\Program Files\CnPUG-WavePDB\WavePDB.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v44/scrab...rabblecubes.cab
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comned.com/signuptemplates/AktiveSekurity.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/installd...leanerstart.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://racing.youbet.com/wr_6_2/controls/ybrequest.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1183147794796
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://mail.leesallee.com/Remote/msrdp.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2002\AcDcToday.ocx
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://mirror.worldwinner.com/games/v45/wo...jo/wordmojo.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD LT 2002\InstBanr.ocx
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O16 - DPF: {BB637307-92FA-47EC-B3F7-6969078673CC} (Royal Control) - http://www.worldwinner.com/games/v44/royal/royal.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD LT 2002\InstFred.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystand.com/assets/activex/v...acheManager.CAB
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2002\AcPreview.ocx
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 12440 bytes


Many Thanks Again,

Don.

Oh, and additionally, I was able to uninstall Outerinfo, FWIW.

Don.

#4 sjpritch25

sjpritch25

  • Security Colleague
  • 898 posts
  • Gender:Male
  • Location:West Coast of Florida, USA
  • Local time:01:05 AM

Posted 25 July 2007 - 11:32 AM

Good job so far; still some Vundo leftover.


Open notepad and copy/paste the text in the quotebox below into it:

Collect::[4]
C:\WINDOWS\SYSTEM32\oqtss.bak1
C:\WINDOWS\SYSTEM32\lhkkvjih.dll
C:\WINDOWS\SYSTEM32\wnjjynga.dll
File::
C:\WINDOWS\SYSTEM32\sstqo.dll.vir
C:\WINDOWS\SYSTEM32\nnnnnmj.dll.vir
Folder::
C:\Temp
C:\VundoFix Backups
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B0B7ED5D-208A-42D4-BFEB-DCFF5B233B45}]

Save this as CFScript.txt
[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Additionally, ComboFix will generate a zipped file on your desktop called Submit [Date Time].zip; a prompt will appear, click OK and your browser will open.
Click on Browse to find the file on your Desktop.

In your next reply, please include a fresh Hijackthis log and Combofix log.


===================================

Please perform a scan with Kaspersky Webscan Online Virus Scanner
1. Click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").
2. Read the Requirements and Privacy statement, then select "Accept".
3. A new window will appear prompting you to install an ActiveX component from Kaspersky - "Do you want to install this software?".
4. Click "Yes" or select "Install" to download the ActiveX controls that allow ActiveScan to run.
5. When the download is complete it will say ready, click "Next".
6. Click "Scan Settings" and check the option to use the Extended Database (if available, otherwise Standard).
7. Click "Scan Options" and select both "Scan Archives" and "Scan Mail Bases".
8. Click "OK".
9. Under "Select a target to scan", click on "My Computer".
10. When the scan is complete choose to save the results as "Save as Text" named kaspersky.txt to your desktop and post them in your next reply.

Kaspersky does not remove anything but will provide a log of anything it finds. On August 8th, 2006 Kaspersky updated the software used for the Free Online Virus Scanner. In order to continue using the online scanner you will need to uninstall the old version (if previously used) from your Add/Remove Programs list and then install the latest version. To do this, follow the steps here and reboot afterwards if your system does not reboot automatically, or it will show 'Kaspersky Online Scanner license key was not found!'
Microsoft MVP Consumer Security--2007-2010
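Added example, not code from this thread or from HijackThis, ComboFix or any other tool named in it: a small Python triage of HijackThis log lines that flags the kind of leftover the helper is pointing at (an unnamed O2 BHO whose DLL is gone), plus unnamed O3 toolbars, orphaned O9 buttons and O16 ActiveX downloads with no friendly name. The severity rules are the editor's own assumptions, and the sample lines are constructed from the shapes of entries in the logs posted above.

```python
"""Triage HijackThis log lines for orphaned or unnamed browser add-on entries."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of lines in the shape of the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B0B7ED5D-208A-42D4-BFEB-DCFF5B233B45} - C:\WINDOWS\system32\vturq.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/installd...leanerstart.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
"""

# "O2 - BHO: <name> - {CLSID} - <path>", same shape for O3 toolbars and O9 buttons/menu items.
NAMED_RE = re.compile(
    r"^(O[239]) - (BHO|Toolbar|Extra button|Extra 'Tools' menuitem): (.*?) - (\{[^}]+\}) - (.*)$"
)
# "O16 - DPF: {CLSID} (<friendly name>) - <url>"; the friendly name is optional.
DPF_RE = re.compile(r"^(O16) - DPF: (\{[^}]+\})(?: \((.*?)\))? - (.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section, e.g. "O2"
    clsid: str     # the COM class id the entry is registered under
    severity: str  # "high", "medium" or "low" (editor's assumption, not a HijackThis rating)
    reason: str


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious entry, or None for an entry that looks ordinary."""
    m = NAMED_RE.match(line)
    if m:
        section, kind, name, clsid, target = m.groups()
        # HijackThis marks a registered add-on whose file no longer exists this way.
        orphaned = target.endswith("(file missing)") or target == "(no file)"
        if name == "(no name)" and orphaned:
            # Typical leftover after a removal tool deleted the DLL but not the registration.
            return Finding(section, clsid, "high", f"unnamed {kind} whose file is gone: {target}")
        if name == "(no name)":
            return Finding(section, clsid, "medium", f"unnamed {kind} still loading {target}")
        if orphaned:
            # Named but orphaned: usually a sloppy uninstall, worth cleaning but not urgent.
            return Finding(section, clsid, "low", f"orphaned {kind} entry for {name}")
        return None
    m = DPF_RE.match(line)
    if m:
        section, clsid, name, url = m.groups()
        if name is None:
            # A downloaded ActiveX control that never registered a friendly name.
            return Finding(section, clsid, "medium", f"ActiveX download with no friendly name from {url}")
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of a HijackThis log, keeping only the findings."""
    return [f for f in (triage_line(line) for line in text.splitlines()) if f is not None]


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(f"[{finding.severity:6}] {finding.section} {finding.clsid}: {finding.reason}")
```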

#5 havoc110

havoc110
  • Topic Starter

  • Members
  • 81 posts
  • Local time:12:05 AM

Posted 25 July 2007 - 02:07 PM

OK.

Item 1: ComboFix Log (zip file submitted successfully)

"Don Walsh" - 2007-07-25 13:23:09 - ComboFix 07-07-23.6 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\Don Walsh\Desktop\CFScript.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Temp
C:\VundoFix Backups
C:\VundoFix Backups\qrutv.bak1.bad
C:\VundoFix Backups\qrutv.bak2.bad
C:\VundoFix Backups\qrutv.ini.bad
C:\VundoFix Backups\qrutv.ini2.bad
C:\VundoFix Backups\vturq.dll.bad
C:\VundoFix Backups\ygobpwea.dll.bad
C:\WINDOWS\SYSTEM32\lhkkvjih.dll
C:\WINDOWS\SYSTEM32\nnnnnmj.dll.vir
C:\WINDOWS\SYSTEM32\oqtss.bak1
C:\WINDOWS\SYSTEM32\sstqo.dll.vir
C:\WINDOWS\SYSTEM32\wnjjynga.dll


((((((((((((((((((((((((( Files Created from 2007-06-25 to 2007-07-25 )))))))))))))))))))))))))))))))


2007-07-23 13:45 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-23 13:25 4,212 ---h----- C:\WINDOWS\SYSTEM32\zllictbl.dat
2007-07-23 13:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-07-23 13:24 75,932 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klick.dat
2007-07-23 13:24 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-07-23 13:24 74,396 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klin.dat
2007-07-23 13:24 11,264 --a------ C:\WINDOWS\SYSTEM32\SpOrder.dll
2007-07-23 13:24 1,468,448 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2007-07-23 13:23 110,360 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kl1.sys
2007-07-23 13:23 1,086,952 --a------ C:\WINDOWS\SYSTEM32\zpeng24.dll
2007-07-23 13:23 <DIR> d-------- C:\WINDOWS\SYSTEM32\ZoneLabs
2007-07-23 13:21 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-07-23 11:56 <DIR> d-------- C:\WINDOWS\SYSTEM32\Panda Software
2007-07-23 10:42 <DIR> d-------- C:\DOCUME~1\DONWAL~1\.housecall6.6
2007-07-21 18:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-21 18:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-21 07:21 <DIR> d-------- C:\AV-CLS
2007-07-20 15:53 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-20 15:47 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2007-07-20 15:47 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-07-20 15:47 3,786 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-07-20 15:47 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-07-17 11:08 <DIR> d-------- C:\DOCUME~1\DONWAL~1\APPLIC~1\DivX
2007-07-17 09:56 129,784 --------- C:\WINDOWS\SYSTEM32\pxafs.dll
2007-07-17 09:56 118,520 --------- C:\WINDOWS\SYSTEM32\pxinsi64.exe
2007-07-17 09:56 116,472 --------- C:\WINDOWS\SYSTEM32\pxcpyi64.exe
2007-07-16 14:57 <DIR> d-------- C:\Program Files\Virtools
2007-07-09 15:07 524,288 --a------ C:\WINDOWS\SYSTEM32\DivXsm.exe
2007-07-09 15:07 3,596,288 --a------ C:\WINDOWS\SYSTEM32\qt-dx331.dll
2007-07-09 15:07 200,704 --a------ C:\WINDOWS\SYSTEM32\ssldivx.dll
2007-07-09 15:07 1,044,480 --a------ C:\WINDOWS\SYSTEM32\libdivx.dll
2007-07-09 15:05 823,296 --a------ C:\WINDOWS\SYSTEM32\divx_xx0c.dll
2007-07-09 15:05 823,296 --a------ C:\WINDOWS\SYSTEM32\divx_xx07.dll
2007-07-09 15:05 802,816 --a------ C:\WINDOWS\SYSTEM32\divx_xx11.dll
2007-07-09 15:05 740,442 --a------ C:\WINDOWS\SYSTEM32\DivX.dll
2007-07-09 15:05 73,728 --a------ C:\WINDOWS\SYSTEM32\dpl100.dll
2007-07-09 15:05 593,920 --a------ C:\WINDOWS\SYSTEM32\dpuGUI11.dll
2007-07-09 15:05 57,344 --a------ C:\WINDOWS\SYSTEM32\dpv11.dll
2007-07-09 15:05 53,248 --a------ C:\WINDOWS\SYSTEM32\dpuGUI10.dll
2007-07-09 15:05 344,064 --a------ C:\WINDOWS\SYSTEM32\dpus11.dll
2007-07-09 15:05 294,912 --a------ C:\WINDOWS\SYSTEM32\dpu11.dll
2007-07-09 15:05 294,912 --a------ C:\WINDOWS\SYSTEM32\dpu10.dll
2007-07-09 15:05 196,608 --a------ C:\WINDOWS\SYSTEM32\dtu100.dll
2007-07-09 15:05 124,472 --a------ C:\WINDOWS\SYSTEM32\DivXCodecUpdateChecker.exe
2007-07-09 15:05 12,288 --a------ C:\WINDOWS\SYSTEM32\DivXWMPExtType.dll
2007-06-30 11:27 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-06-29 23:55 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-25 11:47:19 15,884 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-07-21 22:49:10 -------- d-----w C:\Program Files\Lavasoft
2007-07-21 22:49:05 -------- d-----w C:\DOCUME~1\DONWAL~1\APPLIC~1\Lavasoft
2007-07-21 11:05:35 -------- d-----w C:\Program Files\Trillian
2007-07-20 17:46:41 -------- d--h--w C:\Program Files\xnews
2007-07-19 00:29:14 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-07-18 19:11:12 -------- d-----w C:\DOCUME~1\DONWAL~1\APPLIC~1\WeatherBug
2007-07-17 13:56:55 -------- d-----w C:\Program Files\DivX
2007-07-09 19:07:47 36,624 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-06-25 17:43:35 -------- d-----w C:\Program Files\Symantec
2007-06-14 16:08:08 -------- d-----w C:\Program Files\Palm
2007-06-04 19:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 19:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 19:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2004-03-07 07:30:24 16 ----a-w C:\DOCUME~1\DONWAL~1\APPLIC~1\QNVW601P.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 03:01]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 21:47]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 12:00]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-06 12:05]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 18:32]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-12-26 17:57]
"Advanced Tools Check"="C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE" [2005-01-10 13:20]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-15 07:55]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"TClockEx"="C:\Program Files\TClockEx\TCLOCKEX.EXE" [2000-03-09 01:15]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []

C:\Documents and Settings\Don Walsh\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 11:00:00]
HotSync Manager.lnk - C:\Program Files\Palm\HOTSYNC.EXE [2003-09-25 11:47:12]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-04-03 17:21:07]
AutoCAD LT Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [1857-01-01 04:00:00]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [1857-01-01 04:00:00]
DESKTOP.INI [2002-09-03 11:00:00]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-03-25 12:00:19]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

R0 srescan;srescan;C:\WINDOWS\system32\ZoneLabs\srescan.sys
R1 AFD;AFD Networking Support Environment;C:\WINDOWS\system32\drivers\afd.sys
R1 mnmdd;mnmdd;C:\WINDOWS\system32\drivers\mnmdd.sys
R1 sscdbhk5;sscdbhk5;C:\WINDOWS\system32\drivers\sscdbhk5.sys
R1 ssrtln;ssrtln;C:\WINDOWS\system32\drivers\ssrtln.sys
R2 cdenable;cdenable;C:\WINDOWS\system32\Drivers\cdenable.sys
R2 drvnddm;drvnddm;C:\WINDOWS\system32\drivers\drvnddm.sys
R2 lanmanserver;Server;C:\WINDOWS\System32\svchost.exe -k netsvcs
R2 lanmanworkstation;Workstation;C:\WINDOWS\System32\svchost.exe -k netsvcs
R2 tfsnboio;tfsnboio;C:\WINDOWS\system32\dla\tfsnboio.sys
R2 tfsncofs;tfsncofs;C:\WINDOWS\system32\dla\tfsncofs.sys
R2 tfsndrct;tfsndrct;C:\WINDOWS\system32\dla\tfsndrct.sys
R2 tfsndres;tfsndres;C:\WINDOWS\system32\dla\tfsndres.sys
R2 tfsnifs;tfsnifs;C:\WINDOWS\system32\dla\tfsnifs.sys
R2 tfsnopio;tfsnopio;C:\WINDOWS\system32\dla\tfsnopio.sys
R2 tfsnpool;tfsnpool;C:\WINDOWS\system32\dla\tfsnpool.sys
R2 tfsnudf;tfsnudf;C:\WINDOWS\system32\dla\tfsnudf.sys
R2 tfsnudfa;tfsnudfa;C:\WINDOWS\system32\dla\tfsnudfa.sys
R2 winmgmt;Windows Management Instrumentation;C:\WINDOWS\system32\svchost.exe -k netsvcs
R3 E100B;Intel® PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
R3 MxlW2k;MxlW2k;C:\WINDOWS\system32\drivers\MxlW2k.sys
R3 wdmaud;Microsoft WINMM WDM Audio Compatibility Driver;C:\WINDOWS\system32\drivers\wdmaud.sys
S1 P3;Intel PentiumIII Processor Driver;C:\WINDOWS\system32\DRIVERS\p3.sys
S2 Fax;Fax;C:\WINDOWS\system32\fxssvc.exe
S3 i81x;i81x;C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
S3 iAimFP0;iAimFP0;C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
S3 iAimFP1;iAimFP1;C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
S3 iAimFP2;iAimFP2;C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
S3 iAimFP3;iAimFP3;C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
S3 iAimFP4;iAimFP4;C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
S3 iAimTV0;iAimTV0;C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
S3 iAimTV1;iAimTV1;C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
S3 iAimTV2;iAimTV2;C:\WINDOWS\system32\DRIVERS\wATV03nt.sys
S3 iAimTV3;iAimTV3;C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
S3 iAimTV4;iAimTV4;C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
S3 mnmsrvc;NetMeeting Remote Desktop Sharing;C:\WINDOWS\System32\mnmsrvc.exe
S3 nm;Network Monitor Driver;C:\WINDOWS\system32\DRIVERS\NMnt.sys
S3 NPDriver;Norton Unerase Protection Driver;\??\C:\WINDOWS\system32\Drivers\NPDRIVER.SYS
S3 PalmUSBD;PalmUSBD;C:\WINDOWS\system32\drivers\PalmUSBD.sys
S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
S4 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys

*Newly Created Service* - CATCHME

Contents of the 'Scheduled Tasks' folder
2007-07-20 13:08:13 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Don Walsh.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-25 13:27:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-25 13:28:47
C:\ComboFix-quarantined-files.txt ... 2007-07-25 13:28
C:\ComboFix2.txt ... 2007-07-25 07:52

--- E O F ---


Item #2: current HiJackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:05:26 PM, on 7/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~2\SWHELP~1.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert to Palm e-Book - C:\Program Files\CnPUG-WavePDB\WavePDB.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v44/scrab...rabblecubes.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comned.com/signuptemplates/AktiveSekurity.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/installd...leanerstart.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://racing.youbet.com/wr_6_2/controls/ybrequest.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1183147794796
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://mail.leesallee.com/Remote/msrdp.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2002\AcDcToday.ocx
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://mirror.worldwinner.com/games/v45/wo...jo/wordmojo.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD LT 2002\InstBanr.ocx
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O16 - DPF: {BB637307-92FA-47EC-B3F7-6969078673CC} (Royal Control) - http://www.worldwinner.com/games/v44/royal/royal.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD LT 2002\InstFred.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystand.com/assets/activex/v...acheManager.CAB
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2002\AcPreview.ocx
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 12600 bytes


Item #3: Kaspersky Log file:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, July 25, 2007 3:03:06 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 25/07/2007
Kaspersky Anti-Virus database records: 367707
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 79758
Number of viruses found: 26
Number of infected objects: 67
Number of suspicious objects: 0
Duration of the scan process: 01:19:32

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-07-25_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\Don Walsh\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Don Walsh\Desktop\OiUninstaller.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\Documents and Settings\Don Walsh\Desktop\OiUninstaller.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\Documents and Settings\Don Walsh\Desktop\OiUninstaller.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Don Walsh\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\sent 04.dbx/[From "Donald Walsh" <donwalsh1@comcast.net>][Date Thu, 12 Feb 2004 07:16:50 -0500]/UNNAMED/AUGE16G.exe Infected: Trojan.Win32.Revop.b skipped
C:\Documents and Settings\Don Walsh\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\sent 04.dbx/[From "Donald Walsh" <donwalsh1@comcast.net>][Date Thu, 12 Feb 2004 07:16:50 -0500]/UNNAMED Infected: Trojan.Win32.Revop.b skipped
C:\Documents and Settings\Don Walsh\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\sent 04.dbx Mail MS Outlook 5: infected - 2 skipped
C:\Documents and Settings\Don Walsh\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\sent 05.dbx/[From "Donald Walsh" <dwalsh@leesallee.com>][Date Mon, 29 Aug 2005 10:35:52 -0400]/UNNAMED/link.voicemessage.com.listen.index.php1Ab2c.pif Infected: Email-Worm.Win32.Zafi.b skipped
C:\Documents and Settings\Don Walsh\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\sent 05.dbx/[From "Donald Walsh" <dwalsh@leesallee.com>][Date Mon, 29 Aug 2005 10:35:52 -0400]/UNNAMED Infected: Email-Worm.Win32.Zafi.b skipped
C:\Documents and Settings\Don Walsh\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\sent 05.dbx Mail MS Outlook 5: infected - 2 skipped
C:\Documents and Settings\Don Walsh\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Don Walsh\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Don Walsh\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Don Walsh\Local Settings\History\History.IE5\MSHist012007072520070726\index.dat Object is locked skipped
C:\Documents and Settings\Don Walsh\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Don Walsh\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Don Walsh\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Norton AntiVirus\Quarantine\00A00780.tmp Infected: Trojan.Java.ClassLoader.d skipped
C:\Program Files\Norton AntiVirus\Quarantine\030C0262.tmp Infected: Trojan.Java.ClassLoader.ao skipped
C:\Program Files\Norton AntiVirus\Quarantine\0B202392.tmp Infected: Trojan.Java.ClassLoader.ao skipped
C:\Program Files\Norton AntiVirus\Quarantine\0B4F4AD4.exe Infected: not-a-virus:Downloader.Win32.WinFixer.l skipped
C:\Program Files\Norton AntiVirus\Quarantine\126B7ECC Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Program Files\Norton AntiVirus\Quarantine\137C4296.ocx Infected: VirTool.Win32.Collector skipped
C:\Program Files\Norton AntiVirus\Quarantine\18485EF5.tmp Infected: Trojan.Java.ClassLoader.ao skipped
C:\Program Files\Norton AntiVirus\Quarantine\18EB40C6.exe Infected: not-a-virus:Downloader.Win32.WinFixer.l skipped
C:\Program Files\Norton AntiVirus\Quarantine\1B8D6CBF Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Program Files\Norton AntiVirus\Quarantine\1E356320.tmp Infected: Trojan.Java.ClassLoader.ao skipped
C:\Program Files\Norton AntiVirus\Quarantine\42835010.tmp Infected: Trojan.Java.ClassLoader.ao skipped
C:\Program Files\Norton AntiVirus\Quarantine\48A65CD8.tmp Infected: Trojan.Java.ClassLoader.ao skipped
C:\Program Files\Norton AntiVirus\Quarantine\4B383A94.exe Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\Program Files\Norton AntiVirus\Quarantine\4BF967C0.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped
C:\Program Files\Norton AntiVirus\Quarantine\4D203BE3.tmp Infected: Trojan.Java.ClassLoader.ao skipped
C:\Program Files\Norton AntiVirus\Quarantine\4F0F369D.tmp Infected: Trojan.Java.ClassLoader.h skipped
C:\Program Files\Norton AntiVirus\Quarantine\571D79BF.exe Infected: not-a-virus:Downloader.Win32.WinFixer.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\5FFE021C.ocx Infected: VirTool.Win32.Collector skipped
C:\Program Files\Norton AntiVirus\Quarantine\61A8784B.wmv Infected: Trojan-Downloader.WMA.Wimad.d skipped
C:\Program Files\Norton AntiVirus\Quarantine\69322597.exe Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\Program Files\Norton AntiVirus\Quarantine\69EC7ECA.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped
C:\Program Files\Norton AntiVirus\Quarantine\6BB90AC8.tmp Infected: Trojan.Java.ClassLoader.ao skipped
C:\Program Files\Norton AntiVirus\Quarantine\6EE04AFC.tmp Infected: Trojan.Java.ClassLoader.ao skipped
C:\Program Files\Norton AntiVirus\Quarantine\787A3F09.exe Infected: Trojan.Win32.Dialer.ar skipped
C:\QooBox\Quarantine\C\Program Files\poolsv\k11u72.exe.vir/data0005 Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\QooBox\Quarantine\C\Program Files\poolsv\k11u72.exe.vir NSIS: infected - 1 skipped
C:\QooBox\Quarantine\C\Program Files\poolsv\wr-1-0000077.exe.vir Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\QooBox\Quarantine\C\Program Files\poolsv\YazzleBundle-1549.exe.vir/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\QooBox\Quarantine\C\Program Files\poolsv\YazzleBundle-1549.exe.vir NSIS: infected - 1 skipped
C:\QooBox\Quarantine\C\Program Files\svhost\wr-1-0000077.exe.vir Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\QooBox\Quarantine\C\Program Files\WinPop\UnInstall.exe.vir Infected: Trojan.Win32.Small.oa skipped
C:\QooBox\Quarantine\C\VundoFix Backups\vturq.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\QooBox\Quarantine\C\WINDOWS\b104.exe.vir/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\QooBox\Quarantine\C\WINDOWS\b104.exe.vir/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\QooBox\Quarantine\C\WINDOWS\b104.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\QooBox\Quarantine\C\WINDOWS\b104.exe.vir NSIS: infected - 3 skipped
C:\QooBox\Quarantine\C\WINDOWS\b136.exe.vir/stream/data0002 Infected: Trojan-Dropper.Win32.Agent.bfr skipped
C:\QooBox\Quarantine\C\WINDOWS\b136.exe.vir/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\QooBox\Quarantine\C\WINDOWS\b136.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\QooBox\Quarantine\C\WINDOWS\b136.exe.vir NSIS: infected - 3 skipped
C:\QooBox\Quarantine\C\WINDOWS\DOWNLO~1\UERT_0001_D19M2109NetInstaller.exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.l skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\bcupooja.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\brsdxsyo.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\bxnrdgxq.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\grrlukig.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\jidctngs.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\nnnnnmj.dll.vir.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\qfcjvdix.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\qikhhdhy.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\sstqo.dll.vir.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tjempoge.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\yrplxmiw.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\catchme2007-07-25_ 74808.26.zip/core.sys Infected: Rootkit.Win32.Agent.eq skipped
C:\QooBox\Quarantine\catchme2007-07-25_ 74808.26.zip ZIP: infected - 1 skipped
C:\RECYCLER\NPROTECT\00429150.EXE Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\RECYCLER\NPROTECT\00429465.EXE Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UERT_0001_D19M2109NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.l skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UERT_0001_D19M2109NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.l skipped
C:\WINDOWS\Internet Logs\DONS-DELL.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\ODiag.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\OSession.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT04064.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT04067.TMP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Awaiting further instructions.

Continued thanks.

Don.
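The Kaspersky report above lists every flagged object as `<path> <status> skipped`, and most of the detections sit in folders that cleanup tools already isolated (Norton's Quarantine, ComboFix's C:\QooBox, VundoFix backups, the Norton Protected Recycle Bin) or inside old Outlook Express mail stores; only a couple are live files. The following is an added example, not code from the thread or from Kaspersky, that triages such a report into those buckets so the live detections stand out. The regular expression, the quarantine folder markers and the mail-store extensions are assumptions made for this example; the sample lines are taken from the report above, with the mail-store entry shortened and the identity GUID replaced by a placeholder.

```python
"""Triage a Kaspersky Online Scanner report: which detections are still live?

Added example, not from the BleepingComputer thread. Parses report lines of the
form "<path> <status> skipped" and sorts detections into objects already held in a
quarantine folder, objects inside a mail store, and live files that still need action.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?:(?P<locked>Object is locked)"
    r"|Infected:\s+(?P<name>\S+)"
    # Container summary lines such as "NSIS: infected - 2" or "Mail MS Outlook 5: infected - 2".
    # Assumption: container type names contain only letters, digits and spaces, so a
    # path component like "sent 04.dbx" is never mistaken for one.
    r"|(?P<container>[A-Za-z][A-Za-z0-9 ]*):\s+infected\s+-\s+(?P<count>\d+))"
    r"\s+(?P<action>\S+)$"
)

# Assumed folder markers meaning the object is already isolated by a cleanup tool
# (Norton Quarantine, ComboFix's C:\QooBox, VundoFix backups, Norton Protected Recycle Bin).
QUARANTINE_MARKERS = ("\\quarantine\\", "\\vundofix backups\\", "\\recycler\\nprotect\\")
# Assumed mail-store extensions: detections inside them are old attachments, not running code.
MAIL_STORE_EXTENSIONS = (".dbx", ".pst")

# Constructed sample: lines from the report above, mail entry shortened, GUID replaced.
SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\Don Walsh\Desktop\OiUninstaller.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\Documents and Settings\Don Walsh\Desktop\OiUninstaller.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\Documents and Settings\Don Walsh\Desktop\OiUninstaller.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Don Walsh\Local Settings\Application Data\Identities\{IDENTITY-GUID}\Microsoft\Outlook Express\sent 04.dbx/[message]/UNNAMED/AUGE16G.exe Infected: Trojan.Win32.Revop.b skipped
C:\Documents and Settings\Don Walsh\Local Settings\Application Data\Identities\{IDENTITY-GUID}\Microsoft\Outlook Express\sent 04.dbx Mail MS Outlook 5: infected - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\0B4F4AD4.exe Infected: not-a-virus:Downloader.Win32.WinFixer.l skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\bcupooja.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\catchme2007-07-25_ 74808.26.zip/core.sys Infected: Rootkit.Win32.Agent.eq skipped
C:\QooBox\Quarantine\catchme2007-07-25_ 74808.26.zip ZIP: infected - 1 skipped
C:\RECYCLER\NPROTECT\00429150.EXE Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UERT_0001_D19M2109NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.l skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
"""


@dataclass
class Detection:
    container_path: str  # top-level file on disk (archive members collapsed to their archive)
    member: str          # full object path as reported, including archive member
    name: str            # detection name as reported


def parse_line(line: str) -> Optional[dict]:
    """Return the named groups for one report line, or None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(path: str) -> str:
    """Bucket a top-level file path as quarantined, mail_store or live."""
    low = path.lower()
    if any(marker in low for marker in QUARANTINE_MARKERS):
        return "quarantined"
    if low.endswith(MAIL_STORE_EXTENSIONS):
        return "mail_store"
    return "live"


def triage(report: str) -> Dict[str, object]:
    """Summarise a report: counts, detection names, and per-bucket file lists."""
    detections: List[Detection] = []
    locked = 0
    unparsed: List[str] = []
    for line in report.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
            continue
        if rec["locked"]:
            locked += 1
        elif rec["name"]:
            # "/" separates archive or mail-store members from the file that holds them.
            detections.append(Detection(rec["path"].split("/")[0], rec["path"], rec["name"]))
        # Container summary lines ("NSIS: infected - 2") only repeat member detections.
    buckets: Dict[str, set] = {"quarantined": set(), "mail_store": set(), "live": set()}
    for d in detections:
        buckets[classify(d.container_path)].add(d.container_path)
    return {
        "detections": len(detections),
        "locked": locked,
        "unparsed": unparsed,
        "names": Counter(d.name for d in detections),
        "quarantined": sorted(buckets["quarantined"]),
        "mail_store": sorted(buckets["mail_store"]),
        "live": sorted(buckets["live"]),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(f'{result["detections"]} detections, {result["locked"]} locked objects skipped')
    for bucket in ("live", "mail_store", "quarantined"):
        print(f"{bucket}:")
        for path in result[bucket]:
            print("   ", path)
```

On the sample the two live entries are exactly the files the helper asks to delete in the next post; the quarantined hits need no action beyond emptying those quarantines, and the mail-store hits are years-old attachments that a mail client's compaction or deletion of the message removes.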

#6 sjpritch25

  • Security Colleague
  • 898 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 25 July 2007 - 06:05 PM

Please DELETE the following file(s) IF STILL PRESENT. You can use Windows Explorer to navigate or use the Windows Search feature to locate them.

Files:

C:\Documents and Settings\Don Walsh\Desktop\OiUninstaller.exe <-- this file
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UERT_0001_D19M2109NetInstaller.exe <-- this file



Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u2.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u2-windowsi586-p.exe to install the newest version.

How is everything running??
Microsoft MVP Consumer Security--2007-2010

#7 havoc110

  • Topic Starter
  • Members
  • 81 posts

Posted 25 July 2007 - 08:34 PM

OK

The 1st file has been deleted.

The 2nd file was not present. However, my search did find:

UERT_0001_D19M2109NetInstaller.exe.vir
located in folder
C:\QooBox\Quarantine\C\WINDOWS\DOWNLO~1

I am assuming this is a quarantined file and is OK.

I have removed old Javas/installed new Java per your instructions.

Everything seems to be back to normal working order. No pop-ups.
No BSOD.

Thanks for all your help.

#8 sjpritch25

  • Security Colleague
  • 898 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 25 July 2007 - 09:49 PM

Good !!!!! :thumbsup:


Now that your system is clean you should SET A NEW RESTORE POINT to prevent future reinfection from the old restore point AFTER cleaning your system of any malware infection. Any trojans or spyware you picked up could have been saved in System Restore and are waiting to re-infect you. Since System Restore is a protected directory, your tools can not access it to delete files, trapping viruses inside. Setting a new restore point should be done to prevent any future reinfection from the old restore point and enable your computer to "roll-back" in case there is a future problem.

To SET A NEW RESTORE POINT:
1. Go to Start > Programs > Accessories > System Tools and click "System Restore".
2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
3. Then go to Start > Run and type: Cleanmgr
4. Click "OK".
5. Click the "More Options" Tab.
6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Graphics for doing this are in the following links if you need them.
How to Create a Restore Point.
How to use Cleanmgr.

======================================

Here is some useful information on keeping your computer clean:
  • Most important thing is to make sure Windows is kept up to date with the latest patches and updates from Windows Update.
  • If you don't have a Firewall installed, please choose from the following:
  • If you don't have an Anti-Virus installed, please download the following free program:
  • Here are two great Preventive programs:
    • SpywareBlaster protects you from malicious ActiveX controls and cookies. Make sure and check for updates twice a month.
    • IESpyads adds a long list of bad sites to your Restricted sites in Internet Explorer and protects against drive by downloads.
  • Surf Safe with McAfee's SiteAdvisor. SiteAdvisor will work with Internet Explorer and Mozilla Firefox. SiteAdvisor is a browser plugin that assigns a safety rating to domains listed in your search engine. SiteAdvisor uses the following color codes to indicate the safety level of each site.
    • Red for Warning
    • Yellow for Use Caution
    • Green for Safe
    • Grey for Unknown
    Here are the links to install SiteAdvisor in Internet Explorer and Firefox
  • Anti-Spyware Programs I Recommend:
  • For Even More Information On Securing Your Computer read Tony Klein's So How Did I Get Infected In The First Place

Microsoft MVP Consumer Security--2007-2010

#9 havoc110

  • Topic Starter
  • Members
  • 81 posts

Posted 26 July 2007 - 06:56 AM

Great ideas. Thanks!

I have a question. I had looked at system restore several months ago.
I saw that the disk space used bar was maxed out (maybe at 12-15%?)
and I had numerous (maybe 20) restore points. So I turned the slider
down to 3% (still over a 1G of disk space to be allocated). So when I
wanted to try system restore there were NO restore points before the current day.
What gives?

I've just manually made a restore point. Will it be erased as later restore
points are created? (sort of like phased out?)

As for the other recommendations:

I have auto windows update set for once a week. (It seemed like it was always
updating otherwise).
I use the following:
Norton A/V 2005, w/ current definitions
AdAware (previously SE, now 2007 ver)
Spybot S&D
Zone Alarm (just added)

Any more info/advice would be greatly appreciated.

Don.

#10 sjpritch25

  • Security Colleague
  • 898 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 26 July 2007 - 02:56 PM

When you turned the slider down to 3% you may have lost the other restore points. Not sure why that would happen. Everything else seems okay. :thumbsup:
Microsoft MVP Consumer Security--2007-2010
