Virtumonde Infection

This topic is locked
9 replies to this topic

#1 tunch

  • Members
  • 19 posts

Posted 30 August 2007 - 03:17 PM

This is a repost with additional information (the original post with actions/symptoms did not go "live" due to an old HJT format).

I apparently still have a Virtumonde infection.

I have completed the pre suggestions. Ran AntiVir Scan which quarantined several issues. Ran Vundofix. Ran Vundobegone in the safe mode with Networking. All clean now. Ran Adware scan. Removed issues. Spybot still shows a Virtumonde instance that has not been removed (c:\WINNT\sytem32\kbdave.dll). Ran Housecall 6.5 which cleaned all but: (WINNT\system32\tmp47.tmp.dll). Ran Stinger. Loaded Firewall.

Still receiving unwanted pop-ups, and the wild thing is the speed metal music that sometimes comes on while online when there is no application running in the Task Manager.

Here is my HJT log: any assistance is appreciated.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:51:41 PM, on 8/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\C75HB0KZ\HiJackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {44218730-94E0-4b24-BBF0-C3D8B2BCE2C3} - C:\WINNT\system32\tmp47.tmp.dll
O2 - BHO: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\RunOnce: [SpybotDeletingC2426] cmd /c del "C:\WINNT\system32\kbdave.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: F1U201.401.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {65F0B146-F8FF-41D6-8349-DFC03B285EC9} (HlbfsReporting.ctlReporting) - http://eis.hilton.com/cis/hlbfs/Reports/HlbfsReporting.CAB
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidctl_vsp..._downloader.cab
O16 - DPF: {92ECE8AF-5804-11D4-93DD-0004AC152B66} (HlbfsFacilityList.ctlHlbfsFacilityList) - http://eis.hilton.com/cis/hlbfs/HlbfsFacilityList.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {DD7074EB-1436-11D3-BBF3-000086195AD6} (HlbfsTaskList.ctlHlbfsTaskList) - http://eis.hilton.com/cis/hlbfs/HlbfsTaskList.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://hiltonhotels.webex.com/client/v_myw...bex/ieatgpc.cab
O20 - Winlogon Notify: kbdave - C:\WINNT\SYSTEM32\kbdave.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Remote Access Connection Provider (racpvc) - Parallel Technologies, Inc. - (no file)
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

--
End of file - 10942 bytes
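The HijackThis log above is read by hand in this thread. As an added example (not part of the original post and not HijackThis code), the Python script below applies the triage a responder does on the three entry types that matter here: O2 BHO lines with no name loaded from system32, O20 Winlogon Notify DLLs, and O4 RunOnce entries left behind by Spybot's delete-on-reboot. The sample lines are copied from tunch's log; the flagging rules, severities and the cross-check between the O4 and O20 entries are my own heuristics, not HijackThis output.

```python
import re
from typing import Dict, List, Tuple

# Sample HijackThis lines copied from the log posted above (the first line is a
# benign Adobe entry kept as a control; nothing here is invented).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {44218730-94E0-4b24-BBF0-C3D8B2BCE2C3} - C:\WINNT\system32\tmp47.tmp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\RunOnce: [SpybotDeletingC2426] cmd /c del "C:\WINNT\system32\kbdave.dll_tobedeleted"
O20 - Winlogon Notify: kbdave - C:\WINNT\SYSTEM32\kbdave.dll
"""

# Line formats as HijackThis 2.0 prints them.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>\S+?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")

Finding = Tuple[str, str, str]  # (severity, raw log line, reason)


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()


def in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def triage_hjt(log_text: str) -> List[Finding]:
    """Heuristic triage (my rules, not HijackThis's) over O2/O4/O20 lines."""
    findings: List[Finding] = []
    notify_dlls: Dict[str, str] = {}              # basename -> O20 line
    pending_deletes: List[Tuple[str, str]] = []   # (basename minus suffix, O4 line)

    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue

        m = O2_RE.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            if path == "(no file)":
                findings.append(("low", line, "orphaned BHO registration: CLSID points at a missing file"))
            elif name == "(no name)" and in_system32(path):
                findings.append(("high", line, "unnamed BHO loaded from system32; tmp-style or random "
                                               "filenames there are typical of Vundo/Virtumonde"))
            continue

        m = O20_RE.match(line)
        if m:
            notify_dlls[basename(m.group("path"))] = line
            findings.append(("high", line, "Winlogon Notify DLL: loaded into winlogon.exe at boot, "
                                           "the persistence point Spybot flagged as Virtumonde"))
            continue

        m = O4_RE.match(line)
        if m and "_tobedeleted" in m.group("cmd").lower():
            target = re.search(r'"([^"]+)"', m.group("cmd"))
            if target:
                stem = basename(target.group(1)).replace("_tobedeleted", "")
                pending_deletes.append((stem, line))

    # Cross-check: a delete-on-reboot entry for a DLL that is still registered
    # under Winlogon Notify will not stick, because the DLL is reloaded first.
    for stem, line in pending_deletes:
        if stem in notify_dlls:
            findings.append(("high", line, f"scheduled delete of {stem} will not stick: the same DLL is "
                                           "still registered as a Winlogon Notify package"))
        else:
            findings.append(("info", line, "leftover Spybot delete-on-reboot entry; harmless once the file is gone"))
    return findings


if __name__ == "__main__":
    for severity, raw, reason in triage_hjt(SAMPLE_LOG):
        print(f"[{severity:4}] {reason}\n        {raw}")
```

The cross-check is the part worth keeping: on its own, the O4 RunOnce line looks like harmless cleanup, but paired with the O20 entry for the same DLL it explains why Spybot kept reporting the instance after each reboot, which is exactly the symptom the thread opens with.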


#2 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Location:Belgium

Posted 31 August 2007 - 01:00 AM

Hello,

I notice from the log that more than one Anti-Virus program is running with Auto-protect enabled: Norton and Avira.
Never install more than one Antivirus and Firewall! Rather than giving you extra protection, it will seriously decrease the reliability of it!
The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time.
Also, because more than one Antivirus and Firewall installed are not compatible with each other, it can cause system performance problems and a serious system slowdown.

So you have to make a decision here and keep the Antivirus you prefer and uninstall the other one.
Then reboot after uninstalling.

Then, download Combofix to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt.
Post the contents of this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

#3 tunch

  • Topic Starter
  • Members
  • 19 posts

Posted 31 August 2007 - 09:02 AM

miekiemoes,

Thanks. I followed your instructions. Deleted Norton. Ran ComboFix. Logs below.

Tunch

ComboFix 07-08-30.3 - "Owner" 2007-08-31 9:32:11.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.76 [GMT -4:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\cookies.ini
C:\WINNT\system32\abfxjuwk.dll
C:\WINNT\system32\ddaba.exe
C:\WINNT\system32\efwulsnd.exe
C:\WINNT\system32\esbbmbgs.dll
C:\WINNT\system32\iagnvnex.dll
C:\WINNT\system32\kbdave.dll
C:\WINNT\system32\ljhdtcgf.exe
C:\WINNT\system32\sgbmbbse.ini
C:\WINNT\system32\sjigdbcj.exe
C:\WINNT\system32\tmp47.tmp.dll
C:\WINNT\system32\xenvngai.ini


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-31 )))))))))))))))))))))))))))))))


2007-08-31 09:30 51,200 --a------ C:\WINNT\nircmd.exe
2007-08-29 21:51 53,248 --a------ C:\WINNT\system32\Process.exe
2007-08-29 21:51 51,200 --a------ C:\WINNT\system32\dumphive.exe
2007-08-29 21:51 288,417 --a------ C:\WINNT\system32\SrchSTS.exe
2007-08-29 16:37 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\PCToolsFirewallPlus
2007-08-29 16:22 55,904 --a------ C:\WINNT\system32\drivers\pctfw.sys
2007-08-29 16:22 100,448 --a------ C:\WINNT\system32\drivers\pctfw1.sys
2007-08-29 16:21 <DIR> d-------- C:\Program Files\PC Tools Firewall Plus
2007-08-29 11:50 <DIR> d-------- C:\DOCUME~1\Owner\.housecall6.6
2007-08-29 10:09 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-29 10:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-29 10:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-27 20:11 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Uniblue
2007-08-27 15:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AntiVir PersonalEdition Classic
2007-08-27 11:48 1,176,789 --a------ C:\WINNT\system32\dnbc377ba5.dat
2007-08-26 16:52 3,148 --a------ C:\WINNT\system32\tmp.reg
2007-08-26 11:52 <DIR> d-------- C:\VundoFix Backups
2007-08-20 14:18 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-08-20 14:18 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\InterTrust
2007-08-07 13:58 8,320 --a------ C:\WINNT\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9,344 --a------ C:\WINNT\system32\drivers\NSDriver.sys
2007-08-01 13:37 <DIR> d-------- C:\Program Files\iTunes
2007-07-11 14:37 6,272 --a------ C:\WINNT\system32\drivers\AWRTPD.sys
2007-07-04 15:30 <DIR> d----c--- C:\WINNT\system32\DRVSTORE
2007-07-04 15:30 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-07-04 15:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-31 09:42 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\DIGStream
2007-08-31 09:16 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-31 09:16 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-08-31 09:09 --------- d-------- C:\Program Files\Symantec
2007-08-31 09:03 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Symantec
2007-08-30 13:51 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2007-08-28 11:13 --------- d-------- C:\Program Files\FinePixViewer
2007-08-20 07:57 --------- d-------- C:\Program Files\Inspiration 8 Trial
2007-08-19 19:25 --------- d-------- C:\Program Files\RegCure
2007-08-10 08:26 12288 --a------ C:\WINNT\impborl.dll
2007-08-06 08:23 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Apple Computer
2007-08-01 13:37 --------- d-------- C:\Program Files\iPod
2007-08-01 13:31 --------- d-------- C:\Program Files\QuickTime
2007-07-30 19:19 92504 --a------ C:\WINNT\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINNT\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINNT\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINNT\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINNT\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINNT\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINNT\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINNT\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINNT\system32\dllcache\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINNT\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINNT\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINNT\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINNT\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINNT\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINNT\system32\dllcache\wups.dll
2007-07-19 02:59 3583488 --a------ C:\WINNT\system32\dllcache\mshtml.dll
2007-07-18 19:48 --------- d-------- C:\Program Files\America Online 8.0
2007-07-12 19:31 765952 --a------ C:\WINNT\system32\dllcache\vgx.dll
2007-06-27 10:34 823808 --a------ C:\WINNT\system32\dllcache\wininet.dll
2007-06-27 10:34 671232 --a------ C:\WINNT\system32\dllcache\mstime.dll
2007-06-27 10:34 6058496 --------- C:\WINNT\system32\dllcache\ieframe.dll
2007-06-27 10:34 52224 --------- C:\WINNT\system32\dllcache\msfeedsbs.dll
2007-06-27 10:34 477696 --a------ C:\WINNT\system32\dllcache\mshtmled.dll
2007-06-27 10:34 459264 --------- C:\WINNT\system32\dllcache\msfeeds.dll
2007-06-27 10:34 44544 --------- C:\WINNT\system32\dllcache\iernonce.dll
2007-06-27 10:34 384512 --------- C:\WINNT\system32\dllcache\iedkcs32.dll
2007-06-27 10:34 383488 --------- C:\WINNT\system32\dllcache\ieapfltr.dll
2007-06-27 10:34 27648 --a------ C:\WINNT\system32\dllcache\jsproxy.dll
2007-06-27 10:34 267776 --------- C:\WINNT\system32\dllcache\iertutil.dll
2007-06-27 10:34 232960 --------- C:\WINNT\system32\dllcache\webcheck.dll
2007-06-27 10:34 230400 --------- C:\WINNT\system32\dllcache\ieaksie.dll
2007-06-27 10:34 193024 --a------ C:\WINNT\system32\dllcache\msrating.dll
2007-06-27 10:34 153088 --------- C:\WINNT\system32\dllcache\ieakeng.dll
2007-06-27 10:34 132608 --a------ C:\WINNT\system32\dllcache\extmgr.dll
2007-06-27 10:34 124928 --------- C:\WINNT\system32\dllcache\advpack.dll
2007-06-27 10:34 1152000 --a------ C:\WINNT\system32\dllcache\urlmon.dll
2007-06-27 10:34 105984 --------- C:\WINNT\system32\dllcache\url.dll
2007-06-27 10:34 102400 --------- C:\WINNT\system32\dllcache\occache.dll
2007-06-27 04:27 63488 --------- C:\WINNT\system32\dllcache\ie4uinit.exe
2007-06-27 04:27 625152 --------- C:\WINNT\system32\dllcache\iexplore.exe
2007-06-27 04:27 13824 --------- C:\WINNT\system32\dllcache\ieudinit.exe
2007-06-27 03:00 161792 --a------ C:\WINNT\system32\dllcache\ieakui.dll
2007-06-26 02:08 1104896 --a------ C:\WINNT\system32\msxml3.dll
2007-06-26 02:08 1104896 --------- C:\WINNT\system32\dllcache\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINNT\system32\gdi32.dll
2007-06-19 09:31 282112 --------- C:\WINNT\system32\dllcache\gdi32.dll
2007-06-13 06:23 1033216 --a------ C:\WINNT\explorer.exe
2007-06-13 06:23 1033216 --------- C:\WINNT\system32\dllcache\explorer.exe
2006-03-17 12:58 28672 --a------ C:\DOCUME~1\Owner\atwbxdet.dll
2003-08-27 15:19 36963 -ra------ C:\Program Files\Common Files\SM1updtr.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb12.exe" [2004-09-30 20:03]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 23:32]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 22:21]
"DIGStream"="C:\Program Files\DIGStream\digstream.exe" [2005-05-18 14:49]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-10-03 20:50]
"GWMDMpi"="C:\WINNT\GWMDMpi.exe" [2002-08-06 17:24]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" [2001-01-03 16:50 C:\WINNT\system32\SK9910DM.EXE]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 10:35]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53]
"00PCTFW"="C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" [2007-04-28 08:13]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 03:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-04-04 12:18]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINNT\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
backup=C:\WINNT\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINNT\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GWMDMMSG]
GWMDMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HelpCenter]
C:\Program Files\Bellsouth\HelpCenter\bin\sprtcmd.exe /P HelpCenter

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SM1BG]
C:\WINNT\SM1BG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingA3013]
command /c del "C:\WINNT\system32\kbdave.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingA5639]
command /c del "C:\WINNT\system32\kbdave.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingA7188]
command /c del "C:\WINNT\system32\awtss.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB1983]
command /c del "C:\WINNT\system32\awtss.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB2117]
command /c del "C:\WINNT\system32\kbdave.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB2583]
command /c del "C:\WINNT\system32\kbdave.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB2836]
command /c del "C:\WINNT\system32\kbdave.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB3876]
command /c del "C:\WINNT\system32\awtss.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB3904]
command /c del "C:\WINNT\system32\kbdave.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB4854]
command /c del "C:\WINNT\system32\kbdave.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB6377]
command /c del "C:\WINNT\system32\awtss.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB6549]
command /c del "C:\WINNT\system32\awtss.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB6806]
command /c del "C:\WINNT\system32\awtss.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB7090]
command /c del "C:\WINNT\system32\kbdave.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB7208]
command /c del "C:\WINNT\system32\awtss.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB7379]
command /c del "C:\WINNT\system32\awtss.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB7721]
command /c del "C:\WINNT\system32\awtss.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB7963]
command /c del "C:\WINNT\system32\kbdave.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB8108]
command /c del "C:\WINNT\system32\awtss.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB8867]
command /c del "C:\WINNT\system32\kbdave.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB9668]
command /c del "C:\WINNT\system32\awtss.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingC2904]
cmd /c del "C:\WINNT\system32\kbdave.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingC3145]
cmd /c del "C:\WINNT\system32\awtss.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingC7672]
cmd /c del "C:\WINNT\system32\kbdave.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingC8665]
cmd /c del "C:\WINNT\system32\awtss.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD1180]
cmd /c del "C:\WINNT\system32\awtss.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD1277]
cmd /c del "C:\WINNT\system32\kbdave.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD1388]
cmd /c del "C:\WINNT\system32\awtss.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD1783]
cmd /c del "C:\WINNT\system32\awtss.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD1804]
cmd /c del "C:\WINNT\system32\awtss.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD1901]
cmd /c del "C:\WINNT\system32\awtss.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD1970]
cmd /c del "C:\WINNT\system32\awtss.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD2671]
cmd /c del "C:\WINNT\system32\kbdave.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD3516]
cmd /c del "C:\WINNT\system32\awtss.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD4068]
cmd /c del "C:\WINNT\system32\kbdave.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD6099]
cmd /c del "C:\WINNT\system32\awtss.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD6297]
cmd /c del "C:\WINNT\system32\kbdave.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD6959]
cmd /c del "C:\WINNT\system32\kbdave.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD6999]
cmd /c del "C:\WINNT\system32\awtss.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD7803]
cmd /c del "C:\WINNT\system32\kbdave.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD8094]
cmd /c del "C:\WINNT\system32\awtss.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD860]
cmd /c del "C:\WINNT\system32\kbdave.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD9623]
cmd /c del "C:\WINNT\system32\kbdave.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
rundll32.exe "C:\WINNT\system32\ayxggwww.dll",forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

R1 cdudf_xp;cdudf_xp;C:\WINNT\system32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINNT\system32\drivers\pwd_2k.sys
R1 Sk9920nt;PS/2 Keyboard Filter Driver for NT 4.0;C:\WINNT\system32\DRIVERS\Sk9920nt.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINNT\system32\drivers\UdfReadr_xp.sys
R2 RioPNP;RioPNP;C:\WINNT\system32\drivers\RioPNP.sys
R3 GTWModem;GTW V.92 Voicemodem;C:\WINNT\system32\DRIVERS\GWMDM.sys
R3 mmc_2K;mmc_2K;C:\WINNT\system32\drivers\mmc_2K.sys
R3 Sk99202k;PS/2 Keyboard Filter Driver for Win2000;C:\WINNT\system32\DRIVERS\Sk99202k.sys
S2 NMSSvc;Intel® NMS;C:\WINNT\System32\NMSSvc.exe
S3 ADM851x;ADMtek ADM8513 USB To Fast Ethernet Adapter;C:\WINNT\system32\DRIVERS\ADM851x.SYS
S3 BCMModem;BCM V.90 56K Modem;C:\WINNT\system32\DRIVERS\BCMDM.sys
S3 dvd_2K;dvd_2K;C:\WINNT\system32\drivers\dvd_2K.sys
S3 PCDRDRV;Pcdr Helper Driver;\??\C:\Atf\Qctest\PCDoc\PCDRDRV.sys

*Newly Created Service* - NMSSVC

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-31 09:41:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-31 9:45:21 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-31 09:45


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:52:48 AM, on 8/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\SK9910DM.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Belkin\F1U201.401\usbshare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\My Documents\Terry\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: F1U201.401.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {65F0B146-F8FF-41D6-8349-DFC03B285EC9} (HlbfsReporting.ctlReporting) - <I deleted a reference to a corporate Intranet site---tunch>
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidctl_vsp..._downloader.cab
O16 - DPF: {92ECE8AF-5804-11D4-93DD-0004AC152B66} (HlbfsFacilityList.ctlHlbfsFacilityList) - <I deleted a reference to a corporate Intranet site---tunch>
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {DD7074EB-1436-11D3-BBF3-000086195AD6} (HlbfsTaskList.ctlHlbfsTaskList) - <I deleted a reference to a corporate Intranet site---tunch>
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) -<I deleted a reference to a corporate Intranet site---tunch>
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Remote Access Connection Provider (racpvc) - Parallel Technologies, Inc. - (no file)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

--
End of file - 8802 bytes

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:02:48 PM

Posted 31 August 2007 - 09:18 AM

Hi,

Let's deal with the rest now... But first, since you uninstalled Norton, also uninstall the Norton LiveUpdate via software > add/remove programs.
Then reboot.

After reboot,

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingA3013]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingA5639]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingA7188]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB1983]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB2117]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB2583]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB2836]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB3876]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB3904]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB4854]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB6377]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB6549]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB6806]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB7090]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB7208]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB7379]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB7721]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB7963]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB8108]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB8867]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingB9668]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingC2904]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingC3145]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingC7672]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingC8665]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD1180]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD1277]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD1388]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD1783]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD1804]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD1901]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD1970]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD2671]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD3516]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD4068]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD6099]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD6297]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD6959]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD6999]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD7803]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD8094]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD860]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD9623]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
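The CFScript above was assembled by hand from the "startupreg" keys in the ComboFix log. The following is an added example, not part of the original post and not ComboFix or BleepingComputer code: it parses those keys out of a constructed log slice (a few entries quoted from this thread), auto-selects the stale SpybotDeleting* cleanup tasks, takes the remaining names from the analyst, and emits the Folder:: / Registry:: script text in the same layout. The selection rules are this example's own assumption, not a ComboFix rule.

```python
"""
Build a ComboFix CFScript from the msconfig 'startupreg' entries of a ComboFix log.

Added example, not ComboFix's or the thread's own code. SAMPLE_LOG is constructed
from entries quoted in this thread; the selection rules below are an assumption
of this example, not something ComboFix or Spybot defines.
"""
import re

STARTUPREG = r"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg"

# Constructed sample: a slice of the 'Reg Loading Points' section as ComboFix prints it.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotDeletingD2671]
cmd /c del "C:\WINNT\system32\kbdave.dll_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
rundll32.exe "C:\WINNT\system32\ayxggwww.dll",forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"""

# Matches '[<STARTUPREG>\<EntryName>]' header lines; group 2 is the entry name.
KEY_RE = re.compile(r"^\[(" + re.escape(STARTUPREG) + r")\\([^\]]+)\]$", re.IGNORECASE)


def parse_startupreg(log_text):
    """Return {entry_name: command_line} for every startupreg key in the log.

    The command is the first non-blank line after the key header, or '' when
    the key carries no value (as with 'swg' in the sample).
    """
    entries = {}
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        m = KEY_RE.match(line.strip())
        if not m:
            continue
        command = ""
        if i + 1 < len(lines):
            nxt = lines[i + 1].strip()
            if nxt and not nxt.startswith("["):
                command = nxt
        entries[m.group(2)] = command
    return entries


def select_for_removal(entries, analyst_picks=()):
    """Decide which startupreg entries the CFScript should delete.

    Rule 1 (automatic): SpybotDeleting* entries whose command is a one-shot
    'cmd /c del ..._tobedeleted'. Spybot S&D leaves these behind; once the
    target file is gone they only keep the old file names in msconfig's backup list.
    Rule 2 (manual): names the analyst chose after reading the log. Nothing
    else is flagged automatically; that judgement stays with the reader.
    """
    picks = {p.lower() for p in analyst_picks}
    chosen = []
    for name, command in entries.items():
        lname = name.lower()
        if lname.startswith("spybotdeleting") and "_tobedeleted" in command.lower():
            chosen.append(name)
        elif lname in picks:
            chosen.append(name)
    return chosen


def build_cfscript(entry_names, folders=()):
    """Emit CFScript text: an optional Folder:: block, then a Registry:: block
    of '[-KEY]' lines, which is ComboFix's syntax for deleting a key."""
    out = []
    if folders:
        out.append("Folder::")
        out.extend(folders)
        out.append("")
    out.append("Registry::")
    for name in entry_names:
        out.append("[-" + STARTUPREG + "\\" + name + "]")
    return "\n".join(out) + "\n"


def cfscript_from_log(log_text, analyst_picks=(), folders=()):
    """Parse the log, apply the selection rules and return the script text."""
    entries = parse_startupreg(log_text)
    return build_cfscript(select_for_removal(entries, analyst_picks), folders)


if __name__ == "__main__":
    # Reproduces the shape of the script posted in this thread for the sample slice.
    print(cfscript_from_log(SAMPLE_LOG,
                            analyst_picks=("swg", "SystemOptimizer"),
                            folders=(r"C:\VundoFix Backups",)))
```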

#5 tunch

tunch
  • Topic Starter

  • Members
  • 19 posts
  • Local time:07:48 AM

Posted 31 August 2007 - 10:50 AM

Hello. Thanks again.

ComboFix 07-08-30.3 - "Owner" 2007-08-31 11:27:03.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.71 [GMT -4:00]
* Created a new restore point


((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-31 )))))))))))))))))))))))))))))))


2007-08-31 09:30 51,200 --a------ C:\WINNT\nircmd.exe
2007-08-29 21:51 53,248 --a------ C:\WINNT\system32\Process.exe
2007-08-29 21:51 51,200 --a------ C:\WINNT\system32\dumphive.exe
2007-08-29 21:51 288,417 --a------ C:\WINNT\system32\SrchSTS.exe
2007-08-29 16:37 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\PCToolsFirewallPlus
2007-08-29 16:22 55,904 --a------ C:\WINNT\system32\drivers\pctfw.sys
2007-08-29 16:22 100,448 --a------ C:\WINNT\system32\drivers\pctfw1.sys
2007-08-29 16:21 <DIR> d-------- C:\Program Files\PC Tools Firewall Plus
2007-08-29 11:50 <DIR> d-------- C:\DOCUME~1\Owner\.housecall6.6
2007-08-29 10:09 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-29 10:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-29 10:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-27 20:11 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Uniblue
2007-08-27 15:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AntiVir PersonalEdition Classic
2007-08-27 11:48 1,176,789 --a------ C:\WINNT\system32\dnbc377ba5.dat
2007-08-26 16:52 3,148 --a------ C:\WINNT\system32\tmp.reg
2007-08-26 11:52 <DIR> d-------- C:\VundoFix Backups
2007-08-20 14:18 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-08-20 14:18 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\InterTrust
2007-08-07 13:58 8,320 --a------ C:\WINNT\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9,344 --a------ C:\WINNT\system32\drivers\NSDriver.sys
2007-08-01 13:37 <DIR> d-------- C:\Program Files\iTunes
2007-07-11 14:37 6,272 --a------ C:\WINNT\system32\drivers\AWRTPD.sys
2007-07-04 15:30 <DIR> d----c--- C:\WINNT\system32\DRVSTORE
2007-07-04 15:30 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-07-04 15:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-31 11:11 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-31 09:42 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\DIGStream
2007-08-31 09:16 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-08-31 09:03 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Symantec
2007-08-30 13:51 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2007-08-28 11:13 --------- d-------- C:\Program Files\FinePixViewer
2007-08-20 07:57 --------- d-------- C:\Program Files\Inspiration 8 Trial
2007-08-19 19:25 --------- d-------- C:\Program Files\RegCure
2007-08-10 08:26 12288 --a------ C:\WINNT\impborl.dll
2007-08-06 08:23 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Apple Computer
2007-08-01 13:37 --------- d-------- C:\Program Files\iPod
2007-08-01 13:31 --------- d-------- C:\Program Files\QuickTime
2007-07-30 19:19 92504 --a------ C:\WINNT\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINNT\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINNT\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINNT\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINNT\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINNT\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINNT\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINNT\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINNT\system32\dllcache\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINNT\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINNT\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINNT\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINNT\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINNT\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINNT\system32\dllcache\wups.dll
2007-07-19 02:59 3583488 --a------ C:\WINNT\system32\dllcache\mshtml.dll
2007-07-18 19:48 --------- d-------- C:\Program Files\America Online 8.0
2007-07-12 19:31 765952 --a------ C:\WINNT\system32\dllcache\vgx.dll
2007-06-27 10:34 823808 --a------ C:\WINNT\system32\dllcache\wininet.dll
2007-06-27 10:34 671232 --a------ C:\WINNT\system32\dllcache\mstime.dll
2007-06-27 10:34 6058496 --------- C:\WINNT\system32\dllcache\ieframe.dll
2007-06-27 10:34 52224 --------- C:\WINNT\system32\dllcache\msfeedsbs.dll
2007-06-27 10:34 477696 --a------ C:\WINNT\system32\dllcache\mshtmled.dll
2007-06-27 10:34 459264 --------- C:\WINNT\system32\dllcache\msfeeds.dll
2007-06-27 10:34 44544 --------- C:\WINNT\system32\dllcache\iernonce.dll
2007-06-27 10:34 384512 --------- C:\WINNT\system32\dllcache\iedkcs32.dll
2007-06-27 10:34 383488 --------- C:\WINNT\system32\dllcache\ieapfltr.dll
2007-06-27 10:34 27648 --a------ C:\WINNT\system32\dllcache\jsproxy.dll
2007-06-27 10:34 267776 --------- C:\WINNT\system32\dllcache\iertutil.dll
2007-06-27 10:34 232960 --------- C:\WINNT\system32\dllcache\webcheck.dll
2007-06-27 10:34 230400 --------- C:\WINNT\system32\dllcache\ieaksie.dll
2007-06-27 10:34 193024 --a------ C:\WINNT\system32\dllcache\msrating.dll
2007-06-27 10:34 153088 --------- C:\WINNT\system32\dllcache\ieakeng.dll
2007-06-27 10:34 132608 --a------ C:\WINNT\system32\dllcache\extmgr.dll
2007-06-27 10:34 124928 --------- C:\WINNT\system32\dllcache\advpack.dll
2007-06-27 10:34 1152000 --a------ C:\WINNT\system32\dllcache\urlmon.dll
2007-06-27 10:34 105984 --------- C:\WINNT\system32\dllcache\url.dll
2007-06-27 10:34 102400 --------- C:\WINNT\system32\dllcache\occache.dll
2007-06-27 04:27 63488 --------- C:\WINNT\system32\dllcache\ie4uinit.exe
2007-06-27 04:27 625152 --------- C:\WINNT\system32\dllcache\iexplore.exe
2007-06-27 04:27 13824 --------- C:\WINNT\system32\dllcache\ieudinit.exe
2007-06-27 03:00 161792 --a------ C:\WINNT\system32\dllcache\ieakui.dll
2007-06-26 02:08 1104896 --a------ C:\WINNT\system32\msxml3.dll
2007-06-26 02:08 1104896 --------- C:\WINNT\system32\dllcache\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINNT\system32\gdi32.dll
2007-06-19 09:31 282112 --------- C:\WINNT\system32\dllcache\gdi32.dll
2007-06-13 06:23 1033216 --a------ C:\WINNT\explorer.exe
2007-06-13 06:23 1033216 --------- C:\WINNT\system32\dllcache\explorer.exe
2006-03-17 12:58 28672 --a------ C:\DOCUME~1\Owner\atwbxdet.dll
2003-08-27 15:19 36963 -ra------ C:\Program Files\Common Files\SM1updtr.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb12.exe" [2004-09-30 20:03]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 23:32]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 22:21]
"DIGStream"="C:\Program Files\DIGStream\digstream.exe" [2005-05-18 14:49]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-10-03 20:50]
"GWMDMpi"="C:\WINNT\GWMDMpi.exe" [2002-08-06 17:24]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" [2001-01-03 16:50 C:\WINNT\system32\SK9910DM.EXE]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 10:35]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53]
"00PCTFW"="C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" [2007-04-28 08:13]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 03:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-04-04 12:18]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINNT\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
backup=C:\WINNT\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINNT\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GWMDMMSG]
GWMDMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HelpCenter]
C:\Program Files\Bellsouth\HelpCenter\bin\sprtcmd.exe /P HelpCenter

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SM1BG]
C:\WINNT\SM1BG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

R1 cdudf_xp;cdudf_xp;C:\WINNT\system32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINNT\system32\drivers\pwd_2k.sys
R1 Sk9920nt;PS/2 Keyboard Filter Driver for NT 4.0;C:\WINNT\system32\DRIVERS\Sk9920nt.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINNT\system32\drivers\UdfReadr_xp.sys
R2 NMSSvc;Intel® NMS;C:\WINNT\System32\NMSSvc.exe
R2 RioPNP;RioPNP;C:\WINNT\system32\drivers\RioPNP.sys
R3 GTWModem;GTW V.92 Voicemodem;C:\WINNT\system32\DRIVERS\GWMDM.sys
R3 mmc_2K;mmc_2K;C:\WINNT\system32\drivers\mmc_2K.sys
R3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINNT\system32\drivers\NMSCFG.SYS
R3 Sk99202k;PS/2 Keyboard Filter Driver for Win2000;C:\WINNT\system32\DRIVERS\Sk99202k.sys
S3 ADM851x;ADMtek ADM8513 USB To Fast Ethernet Adapter;C:\WINNT\system32\DRIVERS\ADM851x.SYS
S3 BCMModem;BCM V.90 56K Modem;C:\WINNT\system32\DRIVERS\BCMDM.sys
S3 dvd_2K;dvd_2K;C:\WINNT\system32\drivers\dvd_2K.sys
S3 PCDRDRV;Pcdr Helper Driver;\??\C:\Atf\Qctest\PCDoc\PCDRDRV.sys

*Newly Created Service* - NMSSVC

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-31 11:32:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-31 11:34:04
C:\ComboFix-quarantined-files.txt ... 2007-08-31 11:33
C:\ComboFix2.txt ... 2007-08-31 09:45

--- E O F ---


Here is the HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:37:18 AM, on 8/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\SK9910DM.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Belkin\F1U201.401\usbshare.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\explorer.exe
C:\Documents and Settings\Owner\My Documents\Terry\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: F1U201.401.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {65F0B146-F8FF-41D6-8349-DFC03B285EC9} (HlbfsReporting.ctlReporting) - <I deleted a reference to a corporate intranet site--tunch>
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidctl_vsp..._downloader.cab
O16 - DPF: {92ECE8AF-5804-11D4-93DD-0004AC152B66} (HlbfsFacilityList.ctlHlbfsFacilityList) - <I deleted a reference to a corporate intranet site--tunch>
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {DD7074EB-1436-11D3-BBF3-000086195AD6} (HlbfsTaskList.ctlHlbfsTaskList) - <I deleted a reference to a corporate intranet site--tunch>
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - <I deleted a reference to a corporate intranet site--tunch>
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Remote Access Connection Provider (racpvc) - Parallel Technologies, Inc. - (no file)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

--
End of file - 8565 bytes
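As an added example (not part of this thread and not HijackThis's own code), a small Python triage helper for lines in the format of the log above. It picks out the entries a helper would ask about first: services whose binary is absent, Run items given only as a bare filename (so the loader resolves them via PATH), and startup shortcuts HJT could not resolve. The sample lines are constructed in the shape of this log.

```python
import re

# Constructed sample in the shape of the HijackThis log posted above.
SAMPLE_LOG = "\n".join([
    r'O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min',
    r'O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE',
    r'O4 - Global Startup: Exif Launcher.lnk = ?',
    r'O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)',
    r'O23 - Service: Remote Access Connection Provider (racpvc) - Parallel Technologies, Inc. - (no file)',
    r'O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe',
])

# Every HJT entry line starts with a section tag such as O4 or O23.
LINE_RE = re.compile(r"^(O\d+) - (.*)$")


def parse_hjt(text):
    """Yield (section, body) for each HijackThis entry line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(text):
    """Return (section, reason, body) for entries worth a second look.

    This only orders review work; an entry being listed here does not
    mean it is malicious (several of the sample lines are legitimate).
    """
    findings = []
    for section, body in parse_hjt(text):
        if section == "O23" and ("(file missing)" in body or "(no file)" in body):
            findings.append((section, "service binary absent", body))
        elif section == "O4" and body.endswith("= ?"):
            findings.append((section, "unresolved startup shortcut", body))
        elif section == "O4" and "Run:" in body:
            # Text after the [name] bracket is the command; a bare filename
            # with no directory is resolved through PATH at logon.
            target = body.split("]", 1)[1].strip().strip('"')
            if "\\" not in target:
                findings.append((section, "bare filename, resolved via PATH", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section}: {reason}: {body}")
```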

#6 tunch

tunch
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:07:48 AM

Posted 31 August 2007 - 11:08 AM

Hello.

After this last fix, my Avira is going nuts. I seem to have everything. I am quarantining the instances. Would it be scanning its own or the former Norton's quarantine files?

Thanks

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:02:48 PM

Posted 31 August 2007 - 12:38 PM

Would it be scanning its own or the former Norton's quarantine files?

Yes, that's possible. It may also detect the files present in C:\Qoobox, which is the folder ComboFix created where it quarantined the bad files, and the files in the folder C:\VundoFix Backups.
I wonder why that folder didn't get deleted, since I added it to the instructions for the CFScript.

In any case, delete the C:\Qoobox folder and the C:\VundoFix Backups folder.
Avira should be able to delete the leftovers without any problems since the malware is not active anymore.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#8 tunch

tunch
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:07:48 AM

Posted 31 August 2007 - 03:30 PM

miekiemoes.

So far all is well. Thank you for ending about two weeks of frustration. I appreciate it and will donate.

One more question though... aside from banning my teenager from the computer, what should our routine be to prevent this from recurring? How often should we run the virus and spyware scans? Is Avira a good product (I did not care for Norton)?

Thanks again.

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:02:48 PM

Posted 31 August 2007 - 03:40 PM

Glad I could help. :thumbsup:

For an Antivirus, since it's loaded in the background anyway, it will detect malware whenever it comes in (if it recognises it, of course).
Perform a full scan at least once a week; you can set this in your Avira settings under Scheduler, so it will do this automatically for you.
For your Antispyware, that one you'll have to run manually (on demand) at least once a week as well.
Yes, Avira is a great scanner. I use it as well. I assume you're using the free version? There's also a premium version (the one I have) which also detects spyware/adware and has some extra features. Read here for the difference between the Personal Classic one (free one) and the Premium: http://www.avira.com/en/products/personal.html
As you will see, it's not expensive at all either if you compare it with other non-free antivirus products.

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!

Edited by miekiemoes, 31 August 2007 - 03:41 PM.


#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:02:48 PM

Posted 01 September 2007 - 02:01 PM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
