
Possible_vundo-1


This topic is locked
8 replies to this topic

#1 br549
Posted 24 July 2007 - 05:25 PM

My system is a 2.66 GHz Pentium, XP Home SP2. My anti-virus SW is V-Com System Suite 7.

I noticed yesterday morning some viruses being identified and cleaned by my System Suite, but it would not clean or quarantine the Possible_Vundo-1 and a file in my Windows\System32 called awvvu.dll. After numerous scans, both in and out of Safe Mode, and Spybot runs and Ad-Aware runs, the SW finally quarantined that file and a couple of others, but trojan viruses still pop up regularly.

In addition, numerous popups and ads occurred with IE 7 but not with Firefox. SW such as Winantispyware and Mirar were loaded somehow but removed with the various scans.

I have completed all actions your preparation page has requested, however the Panda antivirus program left no log file that I can find.

A possible origin of this problem is that a trial version of Adobe Dreamweaver was loaded and tested by my daughter, and it may have changed some settings. The virus popups are not as frequent, and the IE 7 popups have also slowed greatly.

Here is the HijackThis log file, run after all the prep actions were done.

Thanks in advance!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:03:11 PM, on 7/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
C:\WINDOWS\tppaldr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\WINDOWS\upcnsgcA.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\WINDOWS\??pPatch\s?rvices.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\VCOM\PowerDesk\pddlghlp.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\SEMBLY~1\ati2evxx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\VCOM\PowerDesk\PDExplo.exe
C:\Documents and Settings\Ralph\Desktop\Maintenance\stinger.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [mm_server] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\tppaldr.exe
O4 - HKLM\..\Run: [VirusScannerPro] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [upcnsgcA] C:\WINDOWS\upcnsgcA.exe
O4 - HKLM\..\Run: [{15-50-06-6F-ZN}] c:\windows\system32\modsregs.exe SKY009
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Rjw] C:\WINDOWS\??pPatch\s?rvices.exe
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\SEMBLY~1\ati2evxx.exe" -vt yazb
O4 - Startup: Dialog Helper.lnk = C:\Program Files\VCOM\PowerDesk\pddlghlp.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com (file missing) (HKCU)
O9 - Extra button: Netnews - {F5C0748D-CAAE-42BD-A279-E8792652F89D} - news:worldnet.help.new-users (file missing) (HKCU)
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122123507546
O16 - DPF: {712D42CD-3513-473E-96E8-019C9AD78F1A} (MSN Money QuickList) - http://moneycentral.msn.com/cabs/pmupdate2.exe
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://www.taxsimple.com/tsweb/msrdp.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupdate.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SystemSuite Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows NT\promydyrta.html

--
End of file - 8396 bytes
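As an added triage example (not part of this thread, and not a feature of HijackThis or ComboFix), the Python script below parses a handful of lines copied from the log above and flags three patterns a helper looks at first: a '?' in a path (a character HijackThis could not render, which is how look-alike names such as s?rvices.exe appear), a well-known system binary name running from outside its usual directory, and an O23 service whose file is missing. The EXPECTED_DIR table and the sample lines are constructed for this example.

```python
"""Triage helper for HijackThis-style log lines (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed assumption: file names that belong in one fixed directory.
# Not an authoritative Windows inventory, just enough for the log above.
EXPECTED_DIR = {
    "services.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "ati2evxx.exe": r"c:\windows\system32",
    "ctfmon.exe": r"c:\windows\system32",
}

# O4 autostart entries: O4 - HKLM\..\Run: [name] command
O4_RE = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# O23 services: O23 - Service: name - owner - path
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Lines from the 'Running processes' section are bare executable paths.
PROC_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)
# Pull the executable path out of a possibly quoted command with arguments.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)"?', re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reason: str


def check_path(path: str) -> list[str]:
    """Return the reasons (if any) an executable path looks suspicious."""
    reasons = []
    if "?" in path:
        reasons.append("path contains a character HijackThis could not render (look-alike name)")
    directory, _, name = path.rpartition("\\")
    expected = EXPECTED_DIR.get(name.lower())
    if expected and directory.lower() != expected:
        reasons.append(f"{name} running from {directory or '(no path)'} instead of {expected}")
    return reasons


def triage_line(line: str) -> list[Finding]:
    """Classify one log line and apply the checks relevant to its section."""
    line = line.rstrip()
    findings: list[Finding] = []
    m = O4_RE.match(line)
    if m:
        em = EXE_RE.match(m.group("cmd"))
        path = em.group("path") if em else m.group("cmd")
        for r in check_path(path):
            findings.append(Finding(line, f"O4 autostart [{m.group('name')}]: {r}"))
        return findings
    m = O23_RE.match(line)
    if m:
        path = m.group("path")
        if "(file missing)" in path:
            findings.append(Finding(line, f"O23 service '{m.group('name')}': binary missing (orphaned service entry)"))
        em = EXE_RE.match(path)
        for r in check_path(em.group("path") if em else path):
            findings.append(Finding(line, f"O23 service '{m.group('name')}': {r}"))
        return findings
    if PROC_RE.match(line):
        for r in check_path(line):
            findings.append(Finding(line, f"running process: {r}"))
    return findings


def triage_log(text: str) -> list[Finding]:
    """Run triage_line over every line of a pasted log."""
    out: list[Finding] = []
    for line in text.splitlines():
        out.extend(triage_line(line))
    return out


# Constructed sample: a few lines copied from the log in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\??pPatch\s?rvices.exe
C:\PROGRA~1\SEMBLY~1\ati2evxx.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKCU\..\Run: [Rjw] C:\WINDOWS\??pPatch\s?rvices.exe
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\SEMBLY~1\ati2evxx.exe" -vt yazb
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

The legitimate Ati2evxx.exe in system32 and the ATIPTA entry produce no findings; the five flagged lines are the ones a helper would ask about first.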

#2 miekiemoes
Malware Response Team
Posted 25 July 2007 - 03:27 AM

Hello,

* Download ComboFix to your desktop.
Double-click combofix.exe.
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt.
Post the contents of this log in your next reply together with a new HijackThis log.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

#3 br549
Posted 25 July 2007 - 08:15 AM

OK, here is the ComboFix log.

"Ralph" - 2007-07-25 8:56:39 [GMT -4:00] - ComboFix 07-07-24.5 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\gebaywv.dll
C:\WINDOWS\system32\vtuspml.dll
C:\WINDOWS\system32\pnhgxfxc.exe
C:\WINDOWS\system32\gebaywv.dll
C:\WINDOWS\system32\vtuspml.dll
C:\WINDOWS\system32\vtusqol.dll
C:\WINDOWS\system32\vtusqol.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\Ralph\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\Ralph\APPLIC~1.\winantispyware 2007\Logs\update.log
C:\Documents and Settings\Ralph.\err.log
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\Common Files\winantispyware 2007\WAS7Mon.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\sembly~1
C:\Program Files\sembly~1\ati2evxx.exe
C:\Program Files\Windows NT\promydyrta.html
C:\Program Files\winpop
C:\Program Files\winpop\UnInstall.exe
C:\temp\tn3
C:\WINDOWS\b122.exe
C:\WINDOWS\DOWNLO~1.\Temp
C:\WINDOWS\ppatch~1
C:\WINDOWS\ppatch~1\s?rvices.exe
C:\WINDOWS\rau001978.exe
C:\WINDOWS\system32\b02FdUe
C:\WINDOWS\system32\b02FdUe\b02FdUe1065.exe
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\L1
C:\WINDOWS\system32\L11
C:\WINDOWS\system32\L11\z553.exe
C:\WINDOWS\system32\L3
C:\WINDOWS\system32\L3\wr716.exe
C:\WINDOWS\system32\L5
C:\WINDOWS\system32\L7
C:\WINDOWS\system32\L9
C:\WINDOWS\system32\version69ie7fix.dll
C:\WINDOWS\system32\wapisvtr.exe
C:\WINDOWS\system32\win
C:\WINDOWS\system32\winnb58.dll
C:\WINDOWS\TISKY009.exe
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_FOPN
-------\LEGACY_NET_AGENT
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\core
-------\Net Agent


((((((((((((((((((((((((( Files Created from 2007-06-25 to 2007-07-25 )))))))))))))))))))))))))))))))


2007-07-25 05:31 126,016 --a------ C:\WINDOWS\SYSTEM32\tolysdcj.dll
2007-07-25 05:22 1,733,755 --ahs---- C:\WINDOWS\SYSTEM32\vyadd.bak2
2007-07-24 15:09 <DIR> d-------- C:\WINDOWS\SYSTEM32\Panda Software
2007-07-24 14:57 <DIR> d-------- C:\DOCUME~1\Ralph\.housecall6.6
2007-07-24 14:38 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-24 14:32 6,467 --ahs---- C:\WINDOWS\SYSTEM32\vyadd.bak1
2007-07-24 14:32 228,960 --a------ C:\WINDOWS\SYSTEM32\ddayv.dll
2007-07-23 17:48 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-23 17:20 1,786,701 --ahs---- C:\WINDOWS\SYSTEM32\uvvwa.bak2
2007-07-23 15:44 786,432 --ah----- C:\DOCUME~1\ADMINI~1.MAI\NTUSER.DAT
2007-07-23 15:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1.MAI\APPLIC~1\Sonic
2007-07-23 15:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1.MAI\APPLIC~1\Real
2007-07-23 15:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1.MAI\APPLIC~1\Jasc Software Inc
2007-07-23 05:20 6,488 --ahs---- C:\WINDOWS\SYSTEM32\uvvwa.bak1
2007-07-23 05:15 1,136,352 -rahs---- C:\WINDOWS\upcnsgcA.exe
2007-07-23 05:15 <DIR> d-------- C:\Temp\brr
2007-07-23 05:15 <DIR> d-------- C:\Temp\0c2
2007-07-21 15:58 6,820 --a------ C:\WINDOWS\SYSTEM32\d3d9caps.dat
2007-07-21 15:21 <DIR> d-------- C:\Program Files\Steam
2007-07-19 19:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-07-19 16:04 108,144 --a------ C:\WINDOWS\SYSTEM32\CmdLineExt.dll
2007-07-19 16:04 <DIR> dr-h----- C:\DOCUME~1\Ralph\APPLIC~1\SecuROM
2007-07-19 15:45 <DIR> d-------- C:\Program Files\Electronic Arts
2007-07-19 15:43 68,888 --a------ C:\WINDOWS\SYSTEM32\xinput1_3.dll
2007-07-19 15:43 62,744 --a------ C:\WINDOWS\SYSTEM32\xinput1_2.dll
2007-07-19 15:43 237,848 --a------ C:\WINDOWS\SYSTEM32\xactengine2_4.dll
2007-07-19 15:43 236,824 --a------ C:\WINDOWS\SYSTEM32\xactengine2_3.dll
2007-07-19 15:43 2,414,360 --a------ C:\WINDOWS\SYSTEM32\d3dx9_31.dll
2007-07-19 15:43 15,128 --a------ C:\WINDOWS\SYSTEM32\x3daudio1_1.dll
2007-07-18 20:33 <DIR> d-------- C:\Program Files\Bonjour
2007-07-18 20:23 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-07-01 12:04 <DIR> d-------- C:\DOCUME~1\Ralph\APPLIC~1\Apple Computer
2007-07-01 11:58 <DIR> d-------- C:\Program Files\QuickTime
2007-07-01 11:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-06-30 10:20 36,224 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\an983.sys
2007-06-29 17:03 <DIR> d-------- C:\Netgear
2007-06-26 21:59 344,064 --a------ C:\WINDOWS\SYSTEM32\ATIDEMGX.dll
2007-06-26 21:44 8,232,960 --a------ C:\WINDOWS\SYSTEM32\atioglx2.dll
2007-06-26 21:30 972,072 --a------ C:\WINDOWS\SYSTEM32\ativva6x.dat
2007-06-26 21:30 3,107,788 --a------ C:\WINDOWS\SYSTEM32\ativvaxx.dat
2007-06-26 21:30 3,107,788 --a------ C:\WINDOWS\SYSTEM32\ativva5x.dat
2007-06-26 21:14 176,128 --a------ C:\WINDOWS\SYSTEM32\atiok3x2.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-25 13:01:54 -------- d-----w C:\Program Files\Windows NT
2007-07-24 21:17:02 -------- d-----w C:\DOCUME~1\Ralph\APPLIC~1\DMCache
2007-07-23 20:27:37 35,363 ----a-w C:\WINDOWS\system32\windrvNT.sys
2007-07-23 05:58:16 -------- d-----w C:\Program Files\Microsoft Money
2007-07-18 19:08:45 -------- d-----w C:\Program Files\Agent
2007-07-14 10:41:52 -------- d-----w C:\DOCUME~1\Ralph\APPLIC~1\ZoomBrowser EX
2007-07-06 18:55:32 -------- d-----w C:\DOCUME~1\Ralph\APPLIC~1\Roxio
2007-06-30 01:05:00 520,192 ----a-w C:\WINDOWS\system32\ati2sgag.exe
2007-06-27 02:27:54 44,240 ----a-w C:\WINDOWS\system32\drivers\ativvpxx.vp
2007-06-27 01:58:35 269,312 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-06-27 01:58:17 2,303,488 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-06-27 01:56:43 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2007-06-27 01:51:21 143,360 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2007-06-27 01:51:09 122,880 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2007-06-27 01:51:01 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2007-06-27 01:50:54 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2007-06-27 01:50:42 118,784 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2007-06-27 01:49:21 483,328 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2007-06-27 01:48:32 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2007-06-27 01:41:08 2,940,992 ----a-w C:\WINDOWS\system32\ati3duag.dll
2007-06-27 01:31:03 1,519,744 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-06-27 01:19:33 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll
2007-06-27 01:17:35 266,240 ----a-w C:\WINDOWS\system32\atikvmag.dll
2007-06-27 01:16:12 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2007-06-27 01:15:32 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2007-06-27 01:10:32 376,832 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2007-06-24 14:47:13 -------- d-----w C:\Program Files\Canon
2007-06-24 14:46:16 -------- d-----w C:\Program Files\Common Files\Canon
2007-06-20 01:58:12 -------- d--h--w C:\Program Files\WindowsUpdate
2007-06-05 17:40:44 149,278 ----a-w C:\WINDOWS\system32\atiicdxx.dat
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0FB39F63-6ACF-4945-A077-E8C79316562C}]
2007-07-24 14:32 228960 --a------ C:\WINDOWS\system32\ddayv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2FFA20D5-57FE-44CA-975B-D25B6E520216}]
C:\Program Files\ComPlus Applications\horevo83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{32FC17BE-9958-4FA6-85C5-DF4E5EE6A9A0}]
C:\WINDOWS\system32\awvvu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{654B1BA8-853C-819F-1C17-FC8DBA57D2C8}]
C:\WINDOWS\system32\akqqc.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2004-07-29 00:27]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 19:44]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 C:\WINDOWS\BCMSMMSG.exe]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2004-07-29 00:27]
"mm_server"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe" [2004-07-29 00:27]
"Fix-It AV"="C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe" [2007-01-26 15:32]
"VirusScannerPro"="C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe" [2007-01-26 15:32]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-29 20:27]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-07 14:53]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 14:00]
"Rjw"="C:\WINDOWS\??pPatch\s?rvices.exe" []

C:\Documents and Settings\Ralph\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 11:00:00]
Dialog Helper.lnk - C:\Program Files\VCOM\PowerDesk\pddlghlp.exe [2005-09-08 09:50:22]
Webshots.lnk - C:\Program Files\Webshots\WebshotsTray.exe [2000-10-10 21:25:17]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 11:00:00]
EPSON Status Monitor 3 Environment Check 2.lnk - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE [2006-01-01 12:10:26]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2006-08-05 15:13:53]
PowerReg Scheduler.exe [2002-06-17 17:34:18]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Windows NT\promydyrta.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awvvu]
C:\WINDOWS\system32\awvvu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddayv]
C:\WINDOWS\system32\ddayv.dll 2007-07-24 14:32 228960 C:\WINDOWS\SYSTEM32\ddayv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Webshots.lnk]
backup=C:\WINDOWS\pss\Webshots.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ralph^Start Menu^Programs^Startup^Think-Adz.lnk]
path=C:\Documents and Settings\Ralph\Start Menu\Programs\Startup\Think-Adz.lnk
backup=C:\WINDOWS\pss\Think-Adz.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"C:\Program Files\Dell\Media Experience\PCMService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
"C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

R0 phylock;phylock;C:\WINDOWS\system32\drivers\phylock.sys
R0 speedfan;speedfan;C:\WINDOWS\system32\speedfan.sys
R1 Cdr4_xp;Cdr4_xp;C:\WINDOWS\system32\drivers\Cdr4_xp.sys
R1 Cdralw2k;Cdralw2k;C:\WINDOWS\system32\drivers\Cdralw2k.sys
R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
R1 sscdbhk5;sscdbhk5;C:\WINDOWS\system32\drivers\sscdbhk5.sys
R1 ssrtln;ssrtln;C:\WINDOWS\system32\drivers\ssrtln.sys
R1 TermDD;Terminal Device Driver;C:\WINDOWS\system32\DRIVERS\termdd.sys
R2 drvnddm;drvnddm;C:\WINDOWS\system32\drivers\drvnddm.sys
R2 tfsnboio;tfsnboio;C:\WINDOWS\system32\dla\tfsnboio.sys
R2 tfsncofs;tfsncofs;C:\WINDOWS\system32\dla\tfsncofs.sys
R2 tfsndrct;tfsndrct;C:\WINDOWS\system32\dla\tfsndrct.sys
R2 tfsndres;tfsndres;C:\WINDOWS\system32\dla\tfsndres.sys
R2 tfsnifs;tfsnifs;C:\WINDOWS\system32\dla\tfsnifs.sys
R2 tfsnopio;tfsnopio;C:\WINDOWS\system32\dla\tfsnopio.sys
R2 tfsnpool;tfsnpool;C:\WINDOWS\system32\dla\tfsnpool.sys
R2 tfsnudf;tfsnudf;C:\WINDOWS\system32\dla\tfsnudf.sys
R2 tfsnudfa;tfsnudfa;C:\WINDOWS\system32\dla\tfsnudfa.sys
R2 tmpreflt;tmpreflt;\??\C:\PROGRA~1\VCOM\SYSTEM~1\tmpreflt.sys
R2 tmxpflt;tmxpflt;\??\C:\PROGRA~1\VCOM\SYSTEM~1\tmxpflt.sys
R2 Vsapint;Vsapint;\??\C:\PROGRA~1\VCOM\SYSTEM~1\Vsapint.sys
R2 windrvNT;windrvNT;\??\C:\WINDOWS\system32\windrvNT.sys
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
R3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\system32\DRIVERS\BCMSM.sys
R3 KFilter;KFilter;\??\C:\PROGRA~1\VCOM\SYSTEM~1\KFilter.sys
R3 MxlW2k;MxlW2k;C:\WINDOWS\system32\drivers\MxlW2k.sys
R3 TermService;Terminal Services;C:\WINDOWS\System32\svchost -k DComLaunch
R3 WinDriver;WinDriver kernel module;C:\WINDOWS\system32\Drivers\windrvr.sys
S2 Fax;Fax;C:\WINDOWS\system32\fxssvc.exe
S3 aaudstum;aaudstum;\??\C:\DOCUME~1\Ralph\LOCALS~1\Temp\aaudstum.sys
S3 Bulk503;Chameleon Mega Digital Camera;C:\WINDOWS\system32\Drivers\Bulk503.sys
S3 bvrp_pci;bvrp_pci;C:\WINDOWS\system32\drivers\bvrp_pci.sys
S3 E100B;Intel® PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
S3 i81x;i81x;C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
S3 I97DRIVER;I97DRIVER;\??\C:\PROGRA~1\VCOM\SYSTEM~1\dgs.sys
S3 iAimFP0;iAimFP0;C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
S3 iAimFP1;iAimFP1;C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
S3 iAimFP2;iAimFP2;C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
S3 iAimFP3;iAimFP3;C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
S3 iAimFP4;iAimFP4;C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
S3 iAimTV0;iAimTV0;C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
S3 iAimTV1;iAimTV1;C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
S3 iAimTV2;iAimTV2;C:\WINDOWS\system32\DRIVERS\wATV03nt.sys
S3 iAimTV3;iAimTV3;C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
S3 iAimTV4;iAimTV4;C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
S3 ISO503;Chameleon Mega Video Camera;C:\WINDOWS\system32\Drivers\ISO503.SYS
S3 NAL;Nal Service ;\??\C:\WINDOWS\system32\Drivers\iqvw32.sys
S3 netrcacm;RCA USB based Digital Cable Modem Win2000 Driver;C:\WINDOWS\system32\DRIVERS\netrcacm.sys
S3 rdpdr;Terminal Server Device Redirector Driver;C:\WINDOWS\system32\DRIVERS\rdpdr.sys
S3 TPP200;USB Storage Adapter V2 (TPP);C:\WINDOWS\system32\DRIVERS\TPP200.SYS
S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys
S4 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04778f66-823a-11db-acde-001111627c36}]
AutoRun\command- G:\LaunchU3.exe -a


Contents of the 'Scheduled Tasks' folder
2004-01-31 22:30:00 C:\WINDOWS\tasks\ISP signup reminder 1.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-25 09:07:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-25 9:10:24 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-25 09:09

--- E O F ---


Here is the HijackThis log after the ComboFix run.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:11:31 AM, on 7/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\VCOM\PowerDesk\pddlghlp.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [mm_server] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [VirusScannerPro] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Rjw] C:\WINDOWS\??pPatch\s?rvices.exe
O4 - Startup: Dialog Helper.lnk = C:\Program Files\VCOM\PowerDesk\pddlghlp.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com (file missing) (HKCU)
O9 - Extra button: Netnews - {F5C0748D-CAAE-42BD-A279-E8792652F89D} - news:worldnet.help.new-users (file missing) (HKCU)
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122123507546
O16 - DPF: {712D42CD-3513-473E-96E8-019C9AD78F1A} (MSN Money QuickList) - http://moneycentral.msn.com/cabs/pmupdate2.exe
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://www.taxsimple.com/tsweb/msrdp.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupdate.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SystemSuite Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows NT\promydyrta.html

--
End of file - 7533 bytes

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:12:01 PM

Posted 25 July 2007 - 03:14 PM

Hello,

It appears that your V-Com System Suite 7 isn't doing a good job since there's still so many malware leftover on your system. Combofix already deleted a HUGE amount of malware but there's still a lot we have to deal with.
Maybe it's time to reconsider another Antivirus?

Anyway,

Perform next instructions in the right order please..

* Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab
Select "C:\Program Files\Windows NT\promydyrta.html" you find in there and press the delete button on the right.
Hit ok below > apply in previous window.

Then, * Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\pss\Think-Adz.lnkStartup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PowerReg Scheduler.exe
C:\Program Files\ComPlus Applications\horevo83122.dll
C:\WINDOWS\SYSTEM32\tolysdcj.dll
C:\WINDOWS\SYSTEM32\vyadd.bak2
C:\WINDOWS\SYSTEM32\vyadd.bak1
C:\WINDOWS\SYSTEM32\ddayv.dll
C:\WINDOWS\SYSTEM32\uvvwa.bak2
C:\WINDOWS\SYSTEM32\uvvwa.bak1
C:\WINDOWS\upcnsgcA.exe

Folder::
C:\Temp\brr
C:\Temp\0c2

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0FB39F63-6ACF-4945-A077-E8C79316562C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2FFA20D5-57FE-44CA-975B-D25B6E520216}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{32FC17BE-9958-4FA6-85C5-DF4E5EE6A9A0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{654B1BA8-853C-819F-1C17-FC8DBA57D2C8}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Rjw"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awvvu]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddayv]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ralph^Start Menu^Programs^Startup^Think-Adz.lnk]


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 br549

br549
  • Topic Starter

  • Members
  • 5 posts
  • Local time:06:01 AM

Posted 25 July 2007 - 05:32 PM

Thanks again.

The malware left was also after Spybot, ad-aware, panda express, and stinger were run as preliminary requirements to posting the HJT files originally.

Here is combo file:

"Ralph" - 2007-07-25 18:16:44 [GMT -4:00] - ComboFix 07-07-24.5 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\Ralph\Desktop\CFScript


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PowerReg Scheduler.exe
C:\Temp\0c2
C:\Temp\0c2\tmpFF.log
C:\Temp\brr
C:\Temp\brr\tmpZTF.log
C:\WINDOWS\pss\Think-Adz.lnkStartup
C:\WINDOWS\SYSTEM32\ddayv.dll
C:\WINDOWS\SYSTEM32\tolysdcj.dll
C:\WINDOWS\SYSTEM32\uvvwa.bak1
C:\WINDOWS\SYSTEM32\uvvwa.bak2
C:\WINDOWS\SYSTEM32\vyadd.bak1
C:\WINDOWS\SYSTEM32\vyadd.bak2
C:\WINDOWS\upcnsgcA.exe


((((((((((((((((((((((((( Files Created from 2007-06-25 to 2007-07-25 )))))))))))))))))))))))))))))))


2007-07-24 15:09 <DIR> d-------- C:\WINDOWS\SYSTEM32\Panda Software
2007-07-24 14:57 <DIR> d-------- C:\DOCUME~1\Ralph\.housecall6.6
2007-07-24 14:38 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-23 17:48 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-23 15:44 786,432 --ah----- C:\DOCUME~1\ADMINI~1.MAI\NTUSER.DAT
2007-07-23 15:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1.MAI\APPLIC~1\Sonic
2007-07-23 15:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1.MAI\APPLIC~1\Real
2007-07-23 15:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1.MAI\APPLIC~1\Jasc Software Inc
2007-07-21 15:58 6,820 --a------ C:\WINDOWS\SYSTEM32\d3d9caps.dat
2007-07-21 15:21 <DIR> d-------- C:\Program Files\Steam
2007-07-19 19:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-07-19 16:04 108,144 --a------ C:\WINDOWS\SYSTEM32\CmdLineExt.dll
2007-07-19 16:04 <DIR> dr-h----- C:\DOCUME~1\Ralph\APPLIC~1\SecuROM
2007-07-19 15:45 <DIR> d-------- C:\Program Files\Electronic Arts
2007-07-19 15:43 68,888 --a------ C:\WINDOWS\SYSTEM32\xinput1_3.dll
2007-07-19 15:43 62,744 --a------ C:\WINDOWS\SYSTEM32\xinput1_2.dll
2007-07-19 15:43 237,848 --a------ C:\WINDOWS\SYSTEM32\xactengine2_4.dll
2007-07-19 15:43 236,824 --a------ C:\WINDOWS\SYSTEM32\xactengine2_3.dll
2007-07-19 15:43 2,414,360 --a------ C:\WINDOWS\SYSTEM32\d3dx9_31.dll
2007-07-19 15:43 15,128 --a------ C:\WINDOWS\SYSTEM32\x3daudio1_1.dll
2007-07-18 20:33 <DIR> d-------- C:\Program Files\Bonjour
2007-07-18 20:23 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-07-01 12:04 <DIR> d-------- C:\DOCUME~1\Ralph\APPLIC~1\Apple Computer
2007-07-01 11:58 <DIR> d-------- C:\Program Files\QuickTime
2007-07-01 11:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-06-30 10:20 36,224 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\an983.sys
2007-06-29 17:03 <DIR> d-------- C:\Netgear
2007-06-26 21:59 344,064 --a------ C:\WINDOWS\SYSTEM32\ATIDEMGX.dll
2007-06-26 21:44 8,232,960 --a------ C:\WINDOWS\SYSTEM32\atioglx2.dll
2007-06-26 21:30 972,072 --a------ C:\WINDOWS\SYSTEM32\ativva6x.dat
2007-06-26 21:30 3,107,788 --a------ C:\WINDOWS\SYSTEM32\ativvaxx.dat
2007-06-26 21:30 3,107,788 --a------ C:\WINDOWS\SYSTEM32\ativva5x.dat
2007-06-26 21:14 176,128 --a------ C:\WINDOWS\SYSTEM32\atiok3x2.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-25 20:43:54 -------- d-----w C:\Program Files\Microsoft Money
2007-07-25 20:12:35 -------- d-----w C:\DOCUME~1\Ralph\APPLIC~1\DMCache
2007-07-25 13:01:54 -------- d-----w C:\Program Files\Windows NT
2007-07-23 20:27:37 35,363 ----a-w C:\WINDOWS\system32\windrvNT.sys
2007-07-18 19:08:45 -------- d-----w C:\Program Files\Agent
2007-07-14 10:41:52 -------- d-----w C:\DOCUME~1\Ralph\APPLIC~1\ZoomBrowser EX
2007-07-06 18:55:32 -------- d-----w C:\DOCUME~1\Ralph\APPLIC~1\Roxio
2007-06-30 01:05:00 520,192 ----a-w C:\WINDOWS\system32\ati2sgag.exe
2007-06-27 02:27:54 44,240 ----a-w C:\WINDOWS\system32\drivers\ativvpxx.vp
2007-06-27 01:58:35 269,312 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-06-27 01:58:17 2,303,488 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-06-27 01:56:43 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2007-06-27 01:51:21 143,360 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2007-06-27 01:51:09 122,880 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2007-06-27 01:51:01 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2007-06-27 01:50:54 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2007-06-27 01:50:42 118,784 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2007-06-27 01:49:21 483,328 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2007-06-27 01:48:32 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2007-06-27 01:41:08 2,940,992 ----a-w C:\WINDOWS\system32\ati3duag.dll
2007-06-27 01:31:03 1,519,744 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-06-27 01:19:33 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll
2007-06-27 01:17:35 266,240 ----a-w C:\WINDOWS\system32\atikvmag.dll
2007-06-27 01:16:12 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2007-06-27 01:15:32 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2007-06-27 01:10:32 376,832 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2007-06-24 14:47:13 -------- d-----w C:\Program Files\Canon
2007-06-24 14:46:16 -------- d-----w C:\Program Files\Common Files\Canon
2007-06-20 01:58:12 -------- d--h--w C:\Program Files\WindowsUpdate
2007-06-05 17:40:44 149,278 ----a-w C:\WINDOWS\system32\atiicdxx.dat
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E92FE076-0307-4FCD-9B6C-10F0F49647EB}]
C:\WINDOWS\system32\ddayv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2004-07-29 00:27]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 19:44]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 C:\WINDOWS\BCMSMMSG.exe]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2004-07-29 00:27]
"mm_server"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe" [2004-07-29 00:27]
"Fix-It AV"="C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe" [2007-01-26 15:32]
"VirusScannerPro"="C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe" [2007-01-26 15:32]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-29 20:27]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-07 14:53]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 14:00]

C:\Documents and Settings\Ralph\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 11:00:00]
Dialog Helper.lnk - C:\Program Files\VCOM\PowerDesk\pddlghlp.exe [2005-09-08 09:50:22]
Webshots.lnk - C:\Program Files\Webshots\WebshotsTray.exe [2000-10-10 21:25:17]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 11:00:00]
EPSON Status Monitor 3 Environment Check 2.lnk - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE [2006-01-01 12:10:26]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2006-08-05 15:13:53]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Webshots.lnk]
backup=C:\WINDOWS\pss\Webshots.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"C:\Program Files\Dell\Media Experience\PCMService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
"C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

R0 phylock;phylock;C:\WINDOWS\system32\drivers\phylock.sys
R0 speedfan;speedfan;C:\WINDOWS\system32\speedfan.sys
R1 Cdr4_xp;Cdr4_xp;C:\WINDOWS\system32\drivers\Cdr4_xp.sys
R1 Cdralw2k;Cdralw2k;C:\WINDOWS\system32\drivers\Cdralw2k.sys
R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
R1 sscdbhk5;sscdbhk5;C:\WINDOWS\system32\drivers\sscdbhk5.sys
R1 ssrtln;ssrtln;C:\WINDOWS\system32\drivers\ssrtln.sys
R1 TermDD;Terminal Device Driver;C:\WINDOWS\system32\DRIVERS\termdd.sys
R2 drvnddm;drvnddm;C:\WINDOWS\system32\drivers\drvnddm.sys
R2 tfsnboio;tfsnboio;C:\WINDOWS\system32\dla\tfsnboio.sys
R2 tfsncofs;tfsncofs;C:\WINDOWS\system32\dla\tfsncofs.sys
R2 tfsndrct;tfsndrct;C:\WINDOWS\system32\dla\tfsndrct.sys
R2 tfsndres;tfsndres;C:\WINDOWS\system32\dla\tfsndres.sys
R2 tfsnifs;tfsnifs;C:\WINDOWS\system32\dla\tfsnifs.sys
R2 tfsnopio;tfsnopio;C:\WINDOWS\system32\dla\tfsnopio.sys
R2 tfsnpool;tfsnpool;C:\WINDOWS\system32\dla\tfsnpool.sys
R2 tfsnudf;tfsnudf;C:\WINDOWS\system32\dla\tfsnudf.sys
R2 tfsnudfa;tfsnudfa;C:\WINDOWS\system32\dla\tfsnudfa.sys
R2 tmpreflt;tmpreflt;\??\C:\PROGRA~1\VCOM\SYSTEM~1\tmpreflt.sys
R2 tmxpflt;tmxpflt;\??\C:\PROGRA~1\VCOM\SYSTEM~1\tmxpflt.sys
R2 Vsapint;Vsapint;\??\C:\PROGRA~1\VCOM\SYSTEM~1\Vsapint.sys
R2 windrvNT;windrvNT;\??\C:\WINDOWS\system32\windrvNT.sys
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
R3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\system32\DRIVERS\BCMSM.sys
R3 KFilter;KFilter;\??\C:\PROGRA~1\VCOM\SYSTEM~1\KFilter.sys
R3 MxlW2k;MxlW2k;C:\WINDOWS\system32\drivers\MxlW2k.sys
R3 TermService;Terminal Services;C:\WINDOWS\System32\svchost -k DComLaunch
R3 WinDriver;WinDriver kernel module;C:\WINDOWS\system32\Drivers\windrvr.sys
S2 Fax;Fax;C:\WINDOWS\system32\fxssvc.exe
S3 aaudstum;aaudstum;\??\C:\DOCUME~1\Ralph\LOCALS~1\Temp\aaudstum.sys
S3 Bulk503;Chameleon Mega Digital Camera;C:\WINDOWS\system32\Drivers\Bulk503.sys
S3 bvrp_pci;bvrp_pci;C:\WINDOWS\system32\drivers\bvrp_pci.sys
S3 E100B;Intel® PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
S3 i81x;i81x;C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
S3 I97DRIVER;I97DRIVER;\??\C:\PROGRA~1\VCOM\SYSTEM~1\dgs.sys
S3 iAimFP0;iAimFP0;C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
S3 iAimFP1;iAimFP1;C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
S3 iAimFP2;iAimFP2;C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
S3 iAimFP3;iAimFP3;C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
S3 iAimFP4;iAimFP4;C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
S3 iAimTV0;iAimTV0;C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
S3 iAimTV1;iAimTV1;C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
S3 iAimTV2;iAimTV2;C:\WINDOWS\system32\DRIVERS\wATV03nt.sys
S3 iAimTV3;iAimTV3;C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
S3 iAimTV4;iAimTV4;C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
S3 ISO503;Chameleon Mega Video Camera;C:\WINDOWS\system32\Drivers\ISO503.SYS
S3 NAL;Nal Service ;\??\C:\WINDOWS\system32\Drivers\iqvw32.sys
S3 netrcacm;RCA USB based Digital Cable Modem Win2000 Driver;C:\WINDOWS\system32\DRIVERS\netrcacm.sys
S3 rdpdr;Terminal Server Device Redirector Driver;C:\WINDOWS\system32\DRIVERS\rdpdr.sys
S3 TPP200;USB Storage Adapter V2 (TPP);C:\WINDOWS\system32\DRIVERS\TPP200.SYS
S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys
S4 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04778f66-823a-11db-acde-001111627c36}]
AutoRun\command- G:\LaunchU3.exe -a


Contents of the 'Scheduled Tasks' folder
2004-01-31 22:30:00 C:\WINDOWS\tasks\ISP signup reminder 1.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-25 18:23:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-25 18:26:35 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-25 18:26
C:\ComboFix2.txt ... 2007-07-25 09:10

--- E O F ---


Here is HJT file run after combofix

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:27:26 PM, on 7/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\VCOM\PowerDesk\pddlghlp.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {E92FE076-0307-4FCD-9B6C-10F0F49647EB} - C:\WINDOWS\system32\ddayv.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [mm_server] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [VirusScannerPro] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Startup: Dialog Helper.lnk = C:\Program Files\VCOM\PowerDesk\pddlghlp.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com (file missing) (HKCU)
O9 - Extra button: Netnews - {F5C0748D-CAAE-42BD-A279-E8792652F89D} - news:worldnet.help.new-users (file missing) (HKCU)
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122123507546
O16 - DPF: {712D42CD-3513-473E-96E8-019C9AD78F1A} (MSN Money QuickList) - http://moneycentral.msn.com/cabs/pmupdate2.exe
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://www.taxsimple.com/tsweb/msrdp.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupdate.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SystemSuite Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe

--
End of file - 8048 bytes

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:12:01 PM

Posted 26 July 2007 - 03:14 AM

Hello,

Check and fix next leftovers in HijackThis:

O2 - BHO: (no name) - {E92FE076-0307-4FCD-9B6C-10F0F49647EB} - C:\WINDOWS\system32\ddayv.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

Then, delete the C:\Qoobox folder.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u2.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u1".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.
Let me know in your next reply how things are now...
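The checks miekiemoes applies by hand in this thread (orphaned BHOs, the `[Rjw]` Run entry whose path contains characters a real Windows path cannot, startup items with no directory, the Active Desktop component) can be scripted. The Python below is an added example, not a BleepingComputer or HijackThis tool; the line formats it parses are assumed from the logs posted in this thread, and its sample input is constructed from those logs.

```python
"""Triage helper for HijackThis log lines.

Added example (not a BleepingComputer or Trend Micro tool): it re-implements the
checks applied by hand in this thread. Log line formats are assumed from the
logs posted above.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines taken from this thread's logs, benign ones included.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {E92FE076-0307-4FCD-9B6C-10F0F49647EB} - C:\WINDOWS\system32\ddayv.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [Rjw] C:\WINDOWS\??pPatch\s?rvices.exe
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows NT\promydyrta.html
""".strip().splitlines()

ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
RUN_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run: \[[^\]]*\] (.*)$")
STARTUP_RE = re.compile(r"^(?:Global )?Startup: (?:.*\.lnk = )?(.*)$")
EXEC_RE = re.compile(r"^(.*?\.(?:exe|dll|scr|com|bat|cmd|pif))(?:\s|$)", re.IGNORECASE)


@dataclass
class Finding:
    section: str                                   # HijackThis section, e.g. "O4"
    line: str                                      # the log line as posted
    reasons: List[str] = field(default_factory=list)


def extract_target(raw: str) -> str:
    """Return the launched file from a Run/Startup value, dropping arguments."""
    raw = raw.strip()
    if raw.startswith('"'):                        # quoted path, arguments follow the quote
        end = raw.find('"', 1)
        return raw[1:end] if end > 0 else raw[1:]
    m = EXEC_RE.match(raw)                         # unquoted: cut after the first executable extension
    return m.group(1) if m else raw


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding with one reason per suspicious trait, or None if the line is unremarkable."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None                                # headers, process list, blank lines
    section, body = m.groups()
    f = Finding(section, line.strip())

    if "(file missing)" in body or "(no file)" in body:
        f.reasons.append("orphaned registration: the referenced file is gone, "
                         "fix the entry in HijackThis")
    if section == "O2" and "(no name)" in body:
        f.reasons.append("BHO registered without a name: legitimate add-ons identify themselves")

    if section == "O4":
        rm = RUN_RE.match(body) or STARTUP_RE.match(body)
        if rm:
            target = extract_target(rm.group(1))
            if "?" in target or any(ord(c) > 127 for c in target):
                f.reasons.append("path contains characters no real Windows path has "
                                 "(the forum shows them as '?'): a look-alike of a system path")
            if "\\" not in target:
                f.reasons.append("bare file name with no directory: resolved through the PATH "
                                 "search order, confirm which file actually runs")

    if section == "O23" and "Unknown owner" in body:
        f.reasons.append("service binary carries no publisher information: verify it belongs "
                         "to installed software")
    if section == "O24" and ".htm" in body.lower():
        f.reasons.append("Active Desktop web component pointing at a local HTML file: remove it "
                         "under Display Properties > Desktop > Customize Desktop > Web")

    return f if f.reasons else None


def triage(lines: List[str]) -> List[Finding]:
    """Run triage_line over a whole log and keep only the flagged entries."""
    return [f for f in (triage_line(l) for l in lines) if f is not None]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding.section}] {finding.line}")
        for reason in finding.reasons:
            print(f"    - {reason}")
```

Run against the real log, the output is a checklist to confirm against the vendor's documentation before anything is fixed; ATI Smart and BCMSMMSG are flagged for verification, not as malware.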

#7 br549

br549
  • Topic Starter

  • Members
  • 5 posts
  • Local time:06:01 AM

Posted 26 July 2007 - 02:29 PM

So far, so good. Virus check came clean and will do Spybot/ Ad-aware, etc. before I go on vacation.

I appreciate the help and the consideration. I will let you know all the final results.

Thanks again! :thumbsup:

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:12:01 PM

Posted 26 July 2007 - 03:01 PM

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:12:01 PM

Posted 28 July 2007 - 05:26 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

