Vundo Log & Hijack Log


This topic is locked. 18 replies to this topic.

#1 marty54

Posted 09 December 2007 - 09:32 AM

VundoFix V6.7.0

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 7:40:01 AM 12/9/2007

Listing files found while scanning....

C:\windows\system32\awtsp.dll
C:\windows\system32\pstwa.ini
C:\windows\system32\pstwa.ini2

Beginning removal...

Attempting to delete C:\windows\system32\awtsp.dll
C:\windows\system32\awtsp.dll Has been deleted!

Attempting to delete C:\windows\system32\pstwa.ini
C:\windows\system32\pstwa.ini Has been deleted!

Attempting to delete C:\windows\system32\pstwa.ini2
C:\windows\system32\pstwa.ini2 Has been deleted!

Performing Repairs to the registry.
Done!


HijackThis log is below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:20:25 AM, on 12/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\MioNet\MioNetManager.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\MioNet\jvm\bin\MioNet.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~3\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\NORTON~3\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\toshiba\ivp\ism\pinger.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Creative\USB SBAudigy2 NX\DVDAudio\CTDVDDet.EXE
C:\Program Files\Creative\USB SBAudigy2 NX\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Katoemba Software\Calq\Calq.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.symantec.com/techsupp/oem
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: {5c0ff81a-091d-d4eb-2124-56020813dffb} - {bffd3180-2065-4212-be4d-d190a18ff0c5} - C:\WINDOWS\system32\cabannaw.dll
O2 - BHO: (no name) - {D993ABEC-81DB-49CA-968C-1AD3FEF54D02} - C:\WINDOWS\system32\awtsp.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [LtMoh] "C:\Program Files\ltmoh\Ltmoh.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [CeEKEY] "C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe"
O4 - HKLM\..\Run: [TPNF] "C:\Program Files\TOSHIBA\TouchPad\TPTray.exe"
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe"
O4 - HKLM\..\Run: [CeEPOWER] "C:\Program Files\TOSHIBA\Power Management\CePMTray.exe"
O4 - HKLM\..\Run: [Pinger] "c:\toshiba\ivp\ism\pinger.exe" /run
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ADUserMon] "C:\Program Files\Iomega\AutoDisk\ADUserMon.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\USB SBAudigy2 NX\DVDAudio\CTDVDDet.EXE"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\USB SBAudigy2 NX\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKLM\..\Run: [58878f6e] rundll32.exe "C:\WINDOWS\system32\iehigdvt.dll",b
O4 - HKCU\..\Run: [TOSCDSPD] "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe"
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [RemoteCenter] "C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE"
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Calq.lnk = ?
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://mail.spauldslye.com/iNotes6W.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1138465227453
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1138474986593
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - Winlogon Notify: cbxuuvt - cbxuuvt.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MioNet Service (MioNet) - Unknown owner - C:\Program Files\MioNet\MioNetManager.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~3\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~3\SPEEDD~1\NOPDB.EXE
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 15418 bytes

#2 silver

Posted 13 December 2007 - 04:14 AM

Hi marty54,

Your computer appears to have been infected by a backdoor trojan. These programs allow an attacker full access to your computer and the attacker might have the ability to steal passwords and other information from your system. If you use your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:
  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, PayPal, eBay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps.
This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer.

If you wish to reformat then please let me know in your next response. I'll now continue with instructions for cleaning.


Temporarily disable Spy Sweeper
  • Open Spysweeper and click on Options->Program Options and uncheck Load at Windows Startup
  • On the left side click Shields and then uncheck everything there
  • Uncheck Home Page Shield
  • Uncheck Automatically restore default without notification
  • Exit the program

Then download ComboFix to your desktop
  • Double click combofix.exe and follow the prompts.
  • Note: Do not click ComboFix's window while it's running - it may cause it to stall!
  • If after ComboFix finishes you do not have internet access, then reboot your computer.
  • When finished, it shall produce a log for you, please post it in your next response.
Once complete, please post the ComboFix report and a new HijackThis log.

Edited by _silver_, 13 December 2007 - 04:17 AM.

Teacher at Malware Removal University | ASAP & UNITE Member
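As an added illustration (not code from the thread, from HijackThis or from its author), here is a small Python triage script that applies the kind of rules behind silver's reading of marty54's log: orphaned BHO and Winlogon Notify registrations, a BHO whose name is a bare GUID loading from system32, a hex-named Run value launching a DLL through rundll32, and domains added to the IE Trusted Zone. The rule set and the Finding type are this example's own; the sample entries are copied from the log posted above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Entries copied from the HijackThis log posted in this thread (the ones the
# diagnosis rests on), interleaved with benign entries from the same log so
# the rules have legitimate lines to ignore. The heuristics below are this
# example's own, not HijackThis's.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: {5c0ff81a-091d-d4eb-2124-56020813dffb} - {bffd3180-2065-4212-be4d-d190a18ff0c5} - C:\WINDOWS\system32\cabannaw.dll
O2 - BHO: (no name) - {D993ABEC-81DB-49CA-968C-1AD3FEF54D02} - C:\WINDOWS\system32\awtsp.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [58878f6e] rundll32.exe "C:\WINDOWS\system32\iehigdvt.dll",b
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O20 - Winlogon Notify: cbxuuvt - cbxuuvt.dll (file missing)
"""

GUID = r"\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}"


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O15"
    reason: str   # why the entry deserves a second look
    line: str     # the log line as posted


def check_o2(body: str) -> str | None:
    """O2 = Browser Helper Object. body looks like '<name> - <clsid> - <path>'."""
    m = re.match(r"BHO: (.*?) - (" + GUID + r") - (.*)$", body)
    if not m:
        return None
    name, _clsid, path = m.groups()
    if path.endswith("(file missing)"):
        return "BHO still registered for a DLL that is gone (orphaned entry)"
    if re.fullmatch(GUID, name) and "\\system32\\" in path.lower():
        return "BHO whose display name is a bare GUID, loading from system32"
    return None


def check_o4(body: str) -> str | None:
    """O4 = autorun. Only the registry Run keys are handled here."""
    m = re.match(r"HK\w+\\\.\.\\Run: \[([^\]]+)\] (.*)$", body)
    if not m:
        return None
    value_name, command = m.groups()
    if re.fullmatch(r"[0-9a-f]{8}", value_name) and "rundll32" in command.lower():
        return "Run value with a random hex name launching a DLL via rundll32"
    return None


def check_o15(body: str) -> str | None:
    """O15 = IE Trusted Zone. Sites listed here run with relaxed browser security."""
    m = re.match(r"Trusted Zone: (\S+)(?: \((HKLM)\))?$", body)
    if not m:
        return None
    domain, hive = m.groups()
    scope = "machine-wide" if hive else "current user"
    return f"{domain} added to the IE Trusted Zone ({scope})"


def check_o20(body: str) -> str | None:
    """O20 = Winlogon Notify package, loaded into winlogon.exe at logon."""
    m = re.match(r"Winlogon Notify: \S+ - (.*)$", body)
    if not m:
        return None
    if m.group(1).endswith("(file missing)"):
        return "Winlogon Notify entry for a DLL that no longer exists"
    return None


CHECKS = {"O2": check_o2, "O4": check_o4, "O15": check_o15, "O20": check_o20}
LINE = re.compile(r"^([RFO]\d+) - (.*)$")


def triage(log_text: str) -> list[Finding]:
    """Run every section-specific check over a HijackThis log and collect hits."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        check = CHECKS.get(section)
        reason = check(body) if check else None
        if reason:
            findings.append(Finding(section, reason, raw.strip()))
    return findings


def sections_flagged(log_text: str) -> list[str]:
    """Sorted list of section codes that produced at least one finding."""
    return sorted({f.section for f in triage(log_text)})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The O15 rule lists every Trusted Zone entry rather than judging the domain, because on a home machine any such entry is worth reviewing by hand; the remaining rules key on structural oddities (missing files, GUID or hex names) rather than on specific filenames, so they carry over to other logs of the same family.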

#3 silver

Posted 17 December 2007 - 04:01 AM

Do you still need help with your machine?

If the instructions are unclear or something isn't working, please let me know before proceeding.

#4 silver

Posted 21 December 2007 - 06:21 AM

Due to lack of response, this thread will now be closed.

If you are the topic starter and would like this topic reopened, please PM a staff member with a link to this thread and we will reopen it for you. Anyone else who needs assistance should begin a new topic.

#5 marty54 (Topic Starter)

Posted 30 December 2007 - 11:20 AM

ComboFix 07-12-21.4 - Martin 2007-12-30 10:43:47.1 - NTFSx86
Running from: C:\Documents and Settings\Martin\Desktop\FIX\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\abW9
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rMa02yy
C:\WINDOWS\system32\rMa17yy

.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-30 )))))))))))))))))))))))))))))))
.

2007-12-30 09:50 . 2007-06-20 11:09 42,792 --a------ C:\WINDOWS\system32\gotomon.dll
2007-12-26 18:28 . 2007-08-23 21:06 110,592 --a------ C:\WINDOWS\system32\TG_DUMP0708.DLL
2007-12-25 18:15 . 2007-12-25 18:15 65 --a------ C:\WINDOWS\FISHUI.INI
2007-12-25 17:42 . 2007-12-26 18:25 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\DataCast
2007-12-25 17:42 . 2007-12-14 17:19 1,046,528 --------- C:\WINDOWS\system32\MFC71LU.DLL
2007-12-25 17:42 . 2007-12-14 17:19 507,904 --------- C:\WINDOWS\system32\MSLUP71.dll
2007-12-25 17:42 . 2007-12-14 17:19 352,256 --------- C:\WINDOWS\system32\MSLUR71.dll
2007-12-25 10:15 . 2007-12-25 10:15 <DIR> d-------- C:\Program Files\Lame MP3 Codec
2007-12-25 10:15 . 2002-12-03 22:13 1,048,576 --a------ C:\WINDOWS\system32\lameACM.acm
2007-12-25 10:15 . 2005-05-03 09:33 299,008 --a------ C:\WINDOWS\system32\LAME_MP3.dll
2007-12-25 10:15 . 2007-12-25 10:15 65,024 --a------ C:\WINDOWS\IFinst26.exe
2007-12-25 10:15 . 2004-12-10 21:29 401 --a------ C:\WINDOWS\system32\lame_acm.xml
2007-12-25 10:14 . 2007-12-25 10:14 <DIR> d-------- C:\Program Files\MarkAny
2007-12-25 10:13 . 2007-12-25 10:13 <DIR> d-------- C:\Program Files\Samsung
2007-12-25 10:13 . 2006-03-16 08:26 397,429 --a------ C:\WINDOWS\system32\PixtreeMP4FormatWriter.ax
2007-12-12 07:42 . 2007-12-12 07:44 1,393 --a------ C:\WINDOWS\imsins.BAK
2007-12-09 21:18 . 2007-12-09 21:18 <DIR> d-------- C:\Tema
2007-12-09 15:54 . 2007-12-09 15:54 1,158 --a------ C:\WINDOWS\mozver.dat
2007-12-09 14:54 . 2007-12-09 14:54 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\Apple Computer
2007-12-09 14:53 . 2007-12-17 07:06 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-09 14:53 . 2007-12-09 14:53 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-09 14:47 . 2007-12-09 14:48 <DIR> d-------- C:\Program Files\QuickTime
2007-12-09 14:47 . 2007-12-09 14:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-09 14:46 . 2007-12-09 14:46 <DIR> d-------- C:\Program Files\Apple Software Update
2007-12-09 14:46 . 2007-12-09 14:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-12-09 09:05 . 2007-12-12 06:57 1,017,756 ---hs---- C:\WINDOWS\system32\tvdgihei.ini
2007-12-09 09:05 . 2007-12-12 07:45 0 --a------ C:\WINDOWS\system32\cabannaw.dll
2007-12-09 07:40 . 2007-12-09 09:09 <DIR> d-------- C:\VundoFix Backups
2007-12-06 23:15 . 2007-12-09 09:04 834,160 ---hs---- C:\WINDOWS\system32\nnxrqhop.ini
2007-12-04 19:16 . 2007-12-06 23:22 838,132 ---hs---- C:\WINDOWS\system32\jnkqxqgt.ini
2007-12-04 07:07 . 2007-12-04 07:08 294 ---hs---- C:\WINDOWS\system32\mbnqgmhe.tmp
2007-12-04 07:07 . 2007-12-04 07:08 294 ---hs---- C:\WINDOWS\system32\mbnqgmhe.ini
2007-12-02 11:35 . 2007-12-04 19:15 800,906 ---hs---- C:\WINDOWS\system32\rnohusqs.ini
2007-11-29 14:42 . 2007-11-29 14:42 <DIR> d-------- C:\Program Files\Windows Live Favorites
2007-11-29 08:31 . 2007-11-29 11:34 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-28 22:34 . 2007-11-28 22:34 784,159 ---hs---- C:\WINDOWS\system32\kceslssi.ini
2007-11-28 15:10 . 2007-11-28 18:30 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-28 15:10 . 2007-11-28 15:10 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-11-28 15:10 . 2007-11-28 15:10 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-11-28 15:10 . 2007-11-28 15:10 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-11-27 22:32 . 2007-11-28 22:35 789,589 ---hs---- C:\WINDOWS\system32\myohtidt.ini
2007-11-27 21:12 . 2006-11-28 16:30 94,480 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-27 21:09 . 2007-11-28 15:51 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\HouseCall 6.6
2007-11-26 22:32 . 2007-11-27 22:05 784,401 ---hs---- C:\WINDOWS\system32\lonmlyfn.ini
2007-11-25 23:56 . 2007-11-25 23:56 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\Uniblue
2007-11-25 22:31 . 2007-11-26 20:06 775,988 ---hs---- C:\WINDOWS\system32\hnymhgkg.ini
2007-11-25 22:09 . 2007-11-25 22:09 775,832 ---hs---- C:\WINDOWS\system32\pcudkfgp.ini
2007-11-25 15:38 . 2007-11-25 15:38 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-11-24 19:57 . 2007-11-24 19:57 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\CoffeeCup Software
2007-11-24 19:48 . 2007-11-24 19:48 <DIR> d-------- C:\Program Files\CoffeeCup Software
2007-11-24 19:48 . 2004-04-23 03:55 864,256 --a------ C:\WINDOWS\system32\wodFtpDLX.ocx
2007-11-21 07:02 . 2007-12-09 21:18 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-11-19 20:41 . 2007-11-19 20:41 <DIR> d-------- C:\PollManager
2007-11-16 19:59 . 2007-12-26 11:14 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\U3
2007-11-15 10:22 . 2007-11-15 10:17 129,654 --a------ C:\WINDOWS\Red Sox 2007 Banner.bmp
2007-11-14 08:18 . 2007-11-28 15:34 <DIR> d-------- C:\c503cee9df9ed6b5d627fe315962
2007-11-01 06:13 . 2007-11-03 23:14 <DIR> d-------- C:\WINDOWS\system32\Mz17r
2007-11-01 06:13 . 2007-11-01 06:13 <DIR> d-------- C:\Temp\mZOr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-30 15:52 --------- d-----w C:\Documents and Settings\Martin\Application Data\MSN6
2007-12-30 14:56 --------- d-----w C:\Program Files\MioNet
2007-12-30 14:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-30 14:50 --------- d-----w C:\Program Files\Citrix
2007-12-30 14:49 3,902,784 ----a-w C:\WINDOWS\java\gosetup.exe
2007-12-24 20:10 --------- d-----w C:\Program Files\Norton SystemWorks
2007-12-22 17:21 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-29 20:44 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-11-29 20:05 --------- d-----w C:\Program Files\Trend Micro
2007-11-28 22:51 --------- d-----w C:\Program Files\Symantec
2007-11-28 22:31 --------- d-----w C:\Program Files\ltmoh
2007-11-28 21:44 --------- d-----w C:\Program Files\Apoint2K
2007-11-28 20:52 --------- d-----w C:\Documents and Settings\Martin\Application Data\Symantec
2007-11-28 20:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-28 01:36 --------- d-----w C:\Documents and Settings\Martin\Application Data\wsInspector
2007-11-28 00:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-23 14:59 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-11-23 14:59 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-11-23 14:59 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-25 15:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-10-18 23:25 439,296 ----a-w C:\Documents and Settings\Martin\GoToAssist_phone__317_en.exe
2007-10-11 23:21 21,504 ----a-w C:\WINDOWS\jestertb.dll
2007-03-19 11:16 722,176 ----a-w C:\Documents and Settings\Martin\gotomypc_428.exe
2006-07-25 18:33 563,712 ----a-w C:\Documents and Settings\Martin\gotomypc_370.exe
2005-12-30 12:05 563,712 ----a-w C:\Documents and Settings\Martin\370_gotomypc.exe
2005-11-09 01:33 389,120 ----a-w C:\Documents and Settings\Martin\remote.exe
2005-10-10 20:09 284 ----a-w C:\Documents and Settings\Martin\Application Data\ViewerApp.dat
2003-08-27 22:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bffd3180-2065-4212-be4d-d190a18ff0c5}]
2007-12-12 07:45 0 --a------ C:\WINDOWS\system32\cabannaw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D993ABEC-81DB-49CA-968C-1AD3FEF54D02}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GoBack]
@={1F038B9D-83F5-4b28-BA76-8654EC297DD6}

[HKEY_CLASSES_ROOT\CLSID\{1F038B9D-83F5-4b28-BA76-8654EC297DD6}]
2005-10-03 11:30 607872 -ra------ C:\Program Files\Norton SystemWorks\Norton GoBack\ShellExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 06:24]
"SetDefaultMIDI"="MIDIDef.exe" []
"RemoteCenter"="C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-11-21 14:08]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-04-22 00:10]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2003-09-26 18:43]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 18:00 C:\WINDOWS\agrsmmsg.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 19:46]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2004-05-06 16:12]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2004-03-15 14:17]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-02-03 17:47]
"CeEPOWER"="C:\Program Files\TOSHIBA\Power Management\CePMTray.exe" [2004-05-20 12:21]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2003-10-20 12:39]
"Motive SmartBridge"="C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe" [2005-08-13 07:05]
"ADUserMon"="C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 15:39]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 09:50 C:\WINDOWS\LOGI_MWX.EXE]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 14:54]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"CTDVDDET"="C:\Program Files\Creative\USB SBAudigy2 NX\DVDAudio\CTDVDDet.EXE" [2003-06-18 01:00]
"CTSysVol"="C:\Program Files\Creative\USB SBAudigy2 NX\Surround Mixer\CTSysVol.exe" [2003-07-09 14:36]
"SbUsb AudCtrl"="RunDll32 sbusbdll.dll" []
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-01-14 01:05]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 21:19]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30]
"58878f6e"="C:\WINDOWS\system32\iehigdvt.dll" []
"SMSTray"="C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-09-20 08:23]
"GoToMyPC"="C:\Program Files\Citrix\GoToMyPC\g2svc.exe" [2007-06-20 11:09]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2006-01-24 10:37]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 00:19:50]
Calq.lnk - C:\WINDOWS\Installer\{DAF35248-710B-4CA2-AB07-DC127EF86B52}\_294823.exe [2007-06-09 17:02:35]
Free WebSite Tools.lnk - C:\Program Files\CoffeeCup Software\CoffeeCup Free FTP\ThirtyDayTimer.exe [2007-11-24 19:48:52]
Norton GoBack.lnk - C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe [2005-10-03 11:30:12]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [2004-11-23 16:51 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxuuvt]
cbxuuvt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll 2007-06-20 11:09 10536 C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NetScreen-Remote.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NetScreen-Remote.lnk
backup=C:\WINDOWS\pss\NetScreen-Remote.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Verizon Online Support Center.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Verizon Online Support Center.lnk
backup=C:\WINDOWS\pss\Verizon Online Support Center.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzButton]
2004-05-14 13:29 712704 --a------ C:\Program Files\EzButton\EzButton.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2005-03-09 18:10 11776 --a------ C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2005-03-08 20:13 1695744 --a------ C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

R0 GBDevice;GBDevice;C:\WINDOWS\system32\drivers\GBDevice.sys [2005-10-03 11:30]
R0 GoBack2K;GoBack2K;C:\WINDOWS\system32\drivers\GoBack2K.sys [2005-10-03 11:30]
R1 cdrbsvsd;cdrbsvsd;C:\WINDOWS\system32\drivers\cdrbsvsd.sys [2003-12-03 16:44]
R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys [2003-12-19 01:00]
R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys [2005-03-08 20:05]
R1 ECioctl;ECioctl;C:\WINDOWS\system32\Drivers\ECioctl.sys [2004-05-06 15:40]
R1 SrvcEKIOMngr;SrvcEKIOMngr;C:\WINDOWS\system32\Drivers\EKIoMngr.sys [2004-05-05 17:53]
R1 SrvcEPIOMngr;SrvcEPIOMngr;C:\WINDOWS\system32\Drivers\EPIoMngr.sys [2004-05-05 16:53]
R1 SrvcSSIOMngr;SrvcSSIOMngr;C:\WINDOWS\system32\Drivers\SSIoMngr.sys [2004-05-05 17:53]
R1 SrvcTPIOMngr;SrvcTPIOMngr;C:\WINDOWS\system32\Drivers\TPIoMngr.sys [2004-05-05 17:53]
R2 BCMNTIO;BCMNTIO;C:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2004-03-05 17:09]
R2 GBFSHook;GBFSHook;C:\WINDOWS\system32\drivers\GBFSHook.sys [2005-10-03 11:30]
R2 MAPMEM;MAPMEM;C:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys [2004-03-05 17:09]
R2 MioNet;MioNet Service;"C:\Program Files\MioNet\MioNetManager.exe" -s "C:\Program Files\MioNet\wrapper.conf" []
R3 DKbFltr;Dritek HotKey Keyboard Filter Driver;C:\WINDOWS\system32\Drivers\DKbFltr.sys [2004-01-12 20:05]
R3 EPOWER;Compal E-POWER Driver;C:\WINDOWS\system32\Drivers\hkdrv.sys [2004-05-20 17:59]
R3 NPDriver;Norton UnErase Protection Driver;C:\WINDOWS\system32\Drivers\NPDRIVER.SYS [2005-10-03 16:35]
S3 AX88172;ASIX AX88172 USB2 to Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\ax88172.sys []
S3 EMSCR;EMSCR;C:\WINDOWS\system32\DRIVERS\EMS7SK.sys [2004-05-18 17:05]
S3 ESDCR;ESDCR;C:\WINDOWS\system32\DRIVERS\ESD7SK.sys [2004-05-18 19:36]
S3 ESMCR;ESMCR;C:\WINDOWS\system32\DRIVERS\ESM7SK.sys [2004-05-11 11:53]
S3 sbusb;Sound Blaster USB Audio Driver;C:\WINDOWS\system32\DRIVERS\sbusb.sys [2003-12-12 04:28]
S3 SDdriver;SDdriver;C:\WINDOWS\system32\Drivers\sddriver.sys [2005-10-03 16:19]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-12-30 15:43:27 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2007-12-15 02:54:40 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Martin.job"
- C:\PROGRA~1\NORTON~2\NORTON~2\Navw32.exe
"2007-12-24 20:10:06 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2007-12-30 05:00:00 C:\WINDOWS\Tasks\Symantec Drmc.job"
- C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-30 10:58:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-30 11:02:47 - machine was rebooted
.
2007-12-12 12:46:33 --- E O F ---

#6 silver

Posted 30 December 2007 - 11:11 PM

Hi marty54,

Check that ComboFix.exe is on your Desktop
  • Then open Notepad: press Start->Run, type notepad and click OK
  • Copy/paste the contents of the below code box into Notepad:
    File::
    C:\WINDOWS\system32\tvdgihei.ini
    C:\WINDOWS\system32\cabannaw.dll
    C:\WINDOWS\system32\nnxrqhop.ini
    C:\WINDOWS\system32\jnkqxqgt.ini
    C:\WINDOWS\system32\mbnqgmhe.tmp
    C:\WINDOWS\system32\mbnqgmhe.ini
    C:\WINDOWS\system32\rnohusqs.ini
    C:\WINDOWS\system32\kceslssi.ini
    C:\WINDOWS\system32\myohtidt.ini
    C:\WINDOWS\system32\lonmlyfn.ini
    C:\WINDOWS\system32\hnymhgkg.ini
    C:\WINDOWS\system32\pcudkfgp.ini
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\cabannaw.dll
    C:\WINDOWS\system32\awtsp.dll
    C:\WINDOWS\system32\iehigdvt.dll
    C:\WINDOWS\winshow.exe
    
    Folder::
    C:\VundoFix Backups
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bffd3180-2065-4212-be4d-d190a18ff0c5}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D993ABEC-81DB-49CA-968C-1AD3FEF54D02}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "58878f6e"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxuuvt]
    
    Suspect::[32]
    C:\WINDOWS\imsins.BAK
    C:\WINDOWS\jestertb.dll
    
    DirLook::
    C:\WINDOWS\system32\Mz17r
    C:\Temp\mZOr
  • Save this to your Desktop as CFScript.

    [Screenshot: dragging CFScript.txt onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, ComboFix will ask you to upload malware files for further analysis. When your browser opens, copy and paste the file and path which appears on the screen and press Send File.
  • ComboFix will also produce a log, please copy and paste the contents of the log in your next reply.
Note: Do not click ComboFix's window while it's running - it may cause it to stall!


Next, download: DelDomains.inf from here:
http://mvps.org/winhelp2002/DelDomains.inf
Then, close all open browsers
Right-click DelDomains.inf and select Install
Note: this will remove all entries in the Trusted Zone and Restricted Zone.

Once complete, please post the new ComboFix report and a new HijackThis log.
Teacher at Malware Removal University | ASAP & UNITE Member

#7 marty54

  • Topic Starter


Posted 31 December 2007 - 04:59 PM

ComboFix Log

ComboFix 07-12-21.4 - Martin 2007-12-31 16:36:51.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.58 [GMT -5:00]
Running from: C:\Documents and Settings\Martin\Desktop\FIX\ComboFix.exe
Command switches used :: C:\Documents and Settings\Martin\Desktop\FIX\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\awtsp.dll
C:\WINDOWS\system32\cabannaw.dll
C:\WINDOWS\system32\hnymhgkg.ini
C:\WINDOWS\system32\iehigdvt.dll
C:\WINDOWS\system32\jnkqxqgt.ini
C:\WINDOWS\system32\kceslssi.ini
C:\WINDOWS\system32\lonmlyfn.ini
C:\WINDOWS\system32\mbnqgmhe.ini
C:\WINDOWS\system32\mbnqgmhe.tmp
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\myohtidt.ini
C:\WINDOWS\system32\nnxrqhop.ini
C:\WINDOWS\system32\pcudkfgp.ini
C:\WINDOWS\system32\rnohusqs.ini
C:\WINDOWS\system32\tvdgihei.ini
C:\WINDOWS\winshow.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\awtsp.dll.bad
C:\VundoFix Backups\pstwa.ini.bad
C:\VundoFix Backups\pstwa.ini2.bad
C:\WINDOWS\system32\cabannaw.dll
C:\WINDOWS\system32\hnymhgkg.ini
C:\WINDOWS\system32\jnkqxqgt.ini
C:\WINDOWS\system32\kceslssi.ini
C:\WINDOWS\system32\lonmlyfn.ini
C:\WINDOWS\system32\mbnqgmhe.ini
C:\WINDOWS\system32\mbnqgmhe.tmp
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\myohtidt.ini
C:\WINDOWS\system32\nnxrqhop.ini
C:\WINDOWS\system32\pcudkfgp.ini
C:\WINDOWS\system32\rnohusqs.ini
C:\WINDOWS\system32\tvdgihei.ini

.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-31 )))))))))))))))))))))))))))))))
.

2007-12-30 11:55 . 2007-12-30 11:57 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-12-30 09:50 . 2007-06-20 11:09 42,792 --a------ C:\WINDOWS\system32\gotomon.dll
2007-12-26 18:28 . 2007-08-23 21:06 110,592 --a------ C:\WINDOWS\system32\TG_DUMP0708.DLL
2007-12-25 18:15 . 2007-12-25 18:15 65 --a------ C:\WINDOWS\FISHUI.INI
2007-12-25 17:42 . 2007-12-26 18:25 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\DataCast
2007-12-25 17:42 . 2007-12-14 17:19 1,046,528 --------- C:\WINDOWS\system32\MFC71LU.DLL
2007-12-25 17:42 . 2007-12-14 17:19 507,904 --------- C:\WINDOWS\system32\MSLUP71.dll
2007-12-25 17:42 . 2007-12-14 17:19 352,256 --------- C:\WINDOWS\system32\MSLUR71.dll
2007-12-25 10:15 . 2007-12-25 10:15 <DIR> d-------- C:\Program Files\Lame MP3 Codec
2007-12-25 10:15 . 2002-12-03 22:13 1,048,576 --a------ C:\WINDOWS\system32\lameACM.acm
2007-12-25 10:15 . 2005-05-03 09:33 299,008 --a------ C:\WINDOWS\system32\LAME_MP3.dll
2007-12-25 10:15 . 2007-12-25 10:15 65,024 --a------ C:\WINDOWS\IFinst26.exe
2007-12-25 10:15 . 2004-12-10 21:29 401 --a------ C:\WINDOWS\system32\lame_acm.xml
2007-12-25 10:14 . 2007-12-25 10:14 <DIR> d-------- C:\Program Files\MarkAny
2007-12-25 10:13 . 2007-12-25 10:13 <DIR> d-------- C:\Program Files\Samsung
2007-12-25 10:13 . 2006-03-16 08:26 397,429 --a------ C:\WINDOWS\system32\PixtreeMP4FormatWriter.ax
2007-12-12 07:42 . 2007-12-30 11:57 1,393 --a------ C:\WINDOWS\imsins.BAK
2007-12-09 21:18 . 2007-12-09 21:18 <DIR> d-------- C:\Tema
2007-12-09 15:54 . 2007-12-09 15:54 1,158 --a------ C:\WINDOWS\mozver.dat
2007-12-09 14:54 . 2007-12-09 14:54 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\Apple Computer
2007-12-09 14:53 . 2007-12-17 07:06 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-09 14:53 . 2007-12-09 14:53 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-09 14:47 . 2007-12-09 14:48 <DIR> d-------- C:\Program Files\QuickTime
2007-12-09 14:47 . 2007-12-09 14:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-09 14:46 . 2007-12-09 14:46 <DIR> d-------- C:\Program Files\Apple Software Update
2007-12-09 14:46 . 2007-12-09 14:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-11-29 14:42 . 2007-11-29 14:42 <DIR> d-------- C:\Program Files\Windows Live Favorites
2007-11-29 08:31 . 2007-11-29 11:34 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-28 15:10 . 2007-11-28 18:30 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-28 15:10 . 2007-11-28 15:10 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-11-28 15:10 . 2007-11-28 15:10 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-11-28 15:10 . 2007-11-28 15:10 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-11-27 21:12 . 2006-11-28 16:30 94,480 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-27 21:09 . 2007-11-28 15:51 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\HouseCall 6.6
2007-11-25 23:56 . 2007-11-25 23:56 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\Uniblue
2007-11-25 15:38 . 2007-11-25 15:38 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-11-24 19:57 . 2007-11-24 19:57 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\CoffeeCup Software
2007-11-24 19:48 . 2007-11-24 19:48 <DIR> d-------- C:\Program Files\CoffeeCup Software
2007-11-24 19:48 . 2004-04-23 03:55 864,256 --a------ C:\WINDOWS\system32\wodFtpDLX.ocx
2007-11-19 20:41 . 2007-11-19 20:41 <DIR> d-------- C:\PollManager
2007-11-16 19:59 . 2007-12-26 11:14 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\U3
2007-11-15 10:22 . 2007-11-15 10:17 129,654 --a------ C:\WINDOWS\Red Sox 2007 Banner.bmp
2007-11-14 08:18 . 2007-11-28 15:34 <DIR> d-------- C:\c503cee9df9ed6b5d627fe315962
2007-11-01 06:13 . 2007-11-03 23:14 <DIR> d-------- C:\WINDOWS\system32\Mz17r
2007-11-01 06:13 . 2007-11-01 06:13 <DIR> d-------- C:\Temp\mZOr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-31 21:27 --------- d-----w C:\Documents and Settings\Martin\Application Data\MSN6
2007-12-31 18:00 --------- d-----w C:\Program Files\MioNet
2007-12-31 17:39 --------- d-----w C:\Program Files\Norton SystemWorks
2007-12-30 17:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-30 14:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-30 14:50 --------- d-----w C:\Program Files\Citrix
2007-12-30 14:49 3,902,784 ----a-w C:\WINDOWS\java\gosetup.exe
2007-12-14 22:19 40,960 ------w C:\WINDOWS\system32\MAMACExtract.dll
2007-11-29 20:44 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-11-29 20:05 --------- d-----w C:\Program Files\Trend Micro
2007-11-28 22:51 --------- d-----w C:\Program Files\Symantec
2007-11-28 22:31 --------- d-----w C:\Program Files\ltmoh
2007-11-28 21:44 --------- d-----w C:\Program Files\Apoint2K
2007-11-28 20:52 --------- d-----w C:\Documents and Settings\Martin\Application Data\Symantec
2007-11-28 20:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-28 01:36 --------- d-----w C:\Documents and Settings\Martin\Application Data\wsInspector
2007-11-28 00:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-23 14:59 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-11-23 14:59 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-11-23 14:59 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-11-23 14:59 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-11-20 20:36 118,784 ----a-w C:\WINDOWS\system32\MaDRM.dll
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-25 15:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-10-18 23:25 439,296 ----a-w C:\Documents and Settings\Martin\GoToAssist_phone__317_en.exe
2007-10-11 23:21 21,504 ----a-w C:\WINDOWS\jestertb.dll
2007-10-01 19:49 542,088 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-10-01 19:49 161,160 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-03-19 11:16 722,176 ----a-w C:\Documents and Settings\Martin\gotomypc_428.exe
2006-07-25 18:33 563,712 ----a-w C:\Documents and Settings\Martin\gotomypc_370.exe
2005-12-30 12:05 563,712 ----a-w C:\Documents and Settings\Martin\370_gotomypc.exe
2005-11-09 01:33 389,120 ----a-w C:\Documents and Settings\Martin\remote.exe
2005-10-10 20:09 284 ----a-w C:\Documents and Settings\Martin\Application Data\ViewerApp.dat
2003-08-27 22:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Temp\mZOr ----


---- Directory of C:\WINDOWS\system32\Mz17r ----



((((((((((((((((((((((((((((( snapshot@2007-12-30_11.00.48.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 01:47:04 30,592 ------w C:\WINDOWS\Driver Cache\i386\rndismpx.sys
+ 2005-10-21 01:47:05 12,800 ------w C:\WINDOWS\Driver Cache\i386\usb8023x.sys
+ 2007-12-30 16:55:26 22,486 ----a-r C:\WINDOWS\Installer\{99052DB7-9592-4522-A558-5417BBAD48EE}\ARPPRODUCTICON.exe
+ 2007-12-30 16:55:26 22,486 ----a-r C:\WINDOWS\Installer\{99052DB7-9592-4522-A558-5417BBAD48EE}\WCESMgrIcon.exe
+ 2006-11-13 18:38:40 22,824 ----a-w C:\WINDOWS\system32\ceutil.dll
- 2005-01-28 17:44:28 164,864 ----a-w C:\WINDOWS\system32\cewmdm.dll
+ 2005-02-18 10:59:52 226,816 ----a-w C:\WINDOWS\system32\CEWMDM.dll
- 2005-01-28 17:44:28 164,864 -c--a-w C:\WINDOWS\system32\dllcache\cewmdm.dll
+ 2005-02-18 10:59:52 226,816 -c--a-w C:\WINDOWS\system32\dllcache\CEWMDM.dll
- 2004-08-04 06:04:31 30,080 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
+ 2005-10-21 01:47:04 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
- 2004-08-04 06:04:31 30,080 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
+ 2005-10-21 01:47:04 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
- 2004-08-04 06:04:32 12,672 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
+ 2005-10-21 01:47:05 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
- 2004-08-04 06:04:33 12,672 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
+ 2005-10-21 01:47:05 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
+ 2006-11-13 18:39:28 138,024 ----a-w C:\WINDOWS\system32\rapi.dll
+ 2007-12-31 21:20:34 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_10c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GoBack]
@={1F038B9D-83F5-4b28-BA76-8654EC297DD6}

[HKEY_CLASSES_ROOT\CLSID\{1F038B9D-83F5-4b28-BA76-8654EC297DD6}]
2005-10-03 11:30 607872 -ra------ C:\Program Files\Norton SystemWorks\Norton GoBack\ShellExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 06:24]
"SetDefaultMIDI"="MIDIDef.exe" []
"RemoteCenter"="C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-11-21 14:08]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-04-22 00:10]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2003-09-26 18:43]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 18:00 C:\WINDOWS\agrsmmsg.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 19:46]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2004-05-06 16:12]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2004-03-15 14:17]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-02-03 17:47]
"CeEPOWER"="C:\Program Files\TOSHIBA\Power Management\CePMTray.exe" [2004-05-20 12:21]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2003-10-20 12:39]
"Motive SmartBridge"="C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe" [2005-08-13 07:05]
"ADUserMon"="C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 15:39]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 09:50 C:\WINDOWS\LOGI_MWX.EXE]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 14:54]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"CTDVDDET"="C:\Program Files\Creative\USB SBAudigy2 NX\DVDAudio\CTDVDDet.EXE" [2003-06-18 01:00]
"CTSysVol"="C:\Program Files\Creative\USB SBAudigy2 NX\Surround Mixer\CTSysVol.exe" [2003-07-09 14:36]
"SbUsb AudCtrl"="RunDll32 sbusbdll.dll" []
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-01-14 01:05]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 21:19]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30]
"SMSTray"="C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-09-20 08:23]
"GoToMyPC"="C:\Program Files\Citrix\GoToMyPC\g2svc.exe" [2007-06-20 11:09]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2006-01-24 10:37]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 00:19:50]
Calq.lnk - C:\WINDOWS\Installer\{DAF35248-710B-4CA2-AB07-DC127EF86B52}\_294823.exe [2007-06-09 17:02:35]
Free WebSite Tools.lnk - C:\Program Files\CoffeeCup Software\CoffeeCup Free FTP\ThirtyDayTimer.exe [2007-11-24 19:48:52]
Norton GoBack.lnk - C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe [2005-10-03 11:30:12]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [2004-11-23 16:51 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll 2007-06-20 11:09 10536 C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NetScreen-Remote.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NetScreen-Remote.lnk
backup=C:\WINDOWS\pss\NetScreen-Remote.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Verizon Online Support Center.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Verizon Online Support Center.lnk
backup=C:\WINDOWS\pss\Verizon Online Support Center.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzButton]
2004-05-14 13:29 712704 --a------ C:\Program Files\EzButton\EzButton.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2005-03-09 18:10 11776 --a------ C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2005-03-08 20:13 1695744 --a------ C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

R0 GBDevice;GBDevice;C:\WINDOWS\system32\drivers\GBDevice.sys [2005-10-03 11:30]
R0 GoBack2K;GoBack2K;C:\WINDOWS\system32\drivers\GoBack2K.sys [2005-10-03 11:30]
R1 cdrbsvsd;cdrbsvsd;C:\WINDOWS\system32\drivers\cdrbsvsd.sys [2003-12-03 16:44]
R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys [2003-12-19 01:00]
R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys [2005-03-08 20:05]
R1 ECioctl;ECioctl;C:\WINDOWS\system32\Drivers\ECioctl.sys [2004-05-06 15:40]
R1 SrvcEKIOMngr;SrvcEKIOMngr;C:\WINDOWS\system32\Drivers\EKIoMngr.sys [2004-05-05 17:53]
R1 SrvcEPIOMngr;SrvcEPIOMngr;C:\WINDOWS\system32\Drivers\EPIoMngr.sys [2004-05-05 16:53]
R1 SrvcSSIOMngr;SrvcSSIOMngr;C:\WINDOWS\system32\Drivers\SSIoMngr.sys [2004-05-05 17:53]
R1 SrvcTPIOMngr;SrvcTPIOMngr;C:\WINDOWS\system32\Drivers\TPIoMngr.sys [2004-05-05 17:53]
R2 BCMNTIO;BCMNTIO;C:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2004-03-05 17:09]
R2 GBFSHook;GBFSHook;C:\WINDOWS\system32\drivers\GBFSHook.sys [2005-10-03 11:30]
R2 MAPMEM;MAPMEM;C:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys [2004-03-05 17:09]
R2 MioNet;MioNet Service;"C:\Program Files\MioNet\MioNetManager.exe" -s "C:\Program Files\MioNet\wrapper.conf" []
R3 DKbFltr;Dritek HotKey Keyboard Filter Driver;C:\WINDOWS\system32\Drivers\DKbFltr.sys [2004-01-12 20:05]
R3 EPOWER;Compal E-POWER Driver;C:\WINDOWS\system32\Drivers\hkdrv.sys [2004-05-20 17:59]
R3 NPDriver;Norton UnErase Protection Driver;C:\WINDOWS\system32\Drivers\NPDRIVER.SYS [2005-10-03 16:35]
S3 AX88172;ASIX AX88172 USB2 to Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\ax88172.sys []
S3 EMSCR;EMSCR;C:\WINDOWS\system32\DRIVERS\EMS7SK.sys [2004-05-18 17:05]
S3 ESDCR;ESDCR;C:\WINDOWS\system32\DRIVERS\ESD7SK.sys [2004-05-18 19:36]
S3 ESMCR;ESMCR;C:\WINDOWS\system32\DRIVERS\ESM7SK.sys [2004-05-11 11:53]
S3 sbusb;Sound Blaster USB Audio Driver;C:\WINDOWS\system32\DRIVERS\sbusb.sys [2003-12-12 04:28]
S3 SDdriver;SDdriver;C:\WINDOWS\system32\Drivers\sddriver.sys [2005-10-03 16:19]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-12-31 21:43:07 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2007-12-15 02:54:40 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Martin.job"
- C:\PROGRA~1\NORTON~2\NORTON~2\Navw32.exe
"2007-12-31 17:39:41 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2007-12-31 05:00:00 C:\WINDOWS\Tasks\Symantec Drmc.job"
- C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-31 16:43:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-31 16:46:29
C:\ComboFix2.txt ... 2007-12-30 11:02
.
2007-12-12 12:46:33 --- E O F ---



NEW HIJACK LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:53:13 PM, on 12/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\MioNet\MioNetManager.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\MioNet\jvm\bin\MioNet.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~3\NPROTECT.EXE
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\PROGRA~1\NORTON~2\NORTON~3\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\toshiba\ivp\ism\pinger.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Creative\USB SBAudigy2 NX\DVDAudio\CTDVDDet.EXE
C:\Program Files\Creative\USB SBAudigy2 NX\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Katoemba Software\Calq\Calq.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.symantec.com/techsupp/oem
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [LtMoh] "C:\Program Files\ltmoh\Ltmoh.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [CeEKEY] "C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe"
O4 - HKLM\..\Run: [TPNF] "C:\Program Files\TOSHIBA\TouchPad\TPTray.exe"
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe"
O4 - HKLM\..\Run: [CeEPOWER] "C:\Program Files\TOSHIBA\Power Management\CePMTray.exe"
O4 - HKLM\..\Run: [Pinger] "c:\toshiba\ivp\ism\pinger.exe" /run
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ADUserMon] "C:\Program Files\Iomega\AutoDisk\ADUserMon.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\USB SBAudigy2 NX\DVDAudio\CTDVDDet.EXE"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\USB SBAudigy2 NX\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [GoToMyPC] "C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -logon
O4 - HKCU\..\Run: [TOSCDSPD] "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe"
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [RemoteCenter] "C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Calq.lnk = ?
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://mail.spauldslye.com/iNotes6W.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1138465227453
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1138474986593
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MioNet Service (MioNet) - Unknown owner - C:\Program Files\MioNet\MioNetManager.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~3\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~3\SPEEDD~1\NOPDB.EXE
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 15514 bytes

#8 silver


Posted 02 January 2008 - 08:06 AM

Hi marty54,

Sorry for the delay, I didn't get a notification that your response had been merged to the thread.

Next, please do an online scan with Kaspersky:

Open Kaspersky Online Scanner in Internet Explorer

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT and then Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan", select My Computer.
  • The program will start to scan your system.
  • Once the scan is complete, click on the Save as Text button and save the file to your desktop.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Once complete, please post the Kaspersky report and a new HijackThis log. Also let me know how your computer is running.
Teacher at Malware Removal University | ASAP & UNITE Member

#9 marty54

  • Topic Starter


Posted 02 January 2008 - 08:18 PM

Hi Silver,

I was just about to download and install the trial version of Kaspersky per your instructions and then I read that I should uninstall any antivirus program that is already on the machine. I use Norton Systemworks 2006. I have renewed my subscription online previously, so I'm far beyond the 2006 version.

My question is... How important is it to uninstall Norton and run Kaspersky?

Again, thanks for all your help.


Marty54

#10 silver


Posted 03 January 2008 - 09:43 PM

Hi marty54,

My instructions are not to install the trial of Kaspersky, they are to use the Kaspersky web scanner which only requires the installation of an ActiveX control which is like a web application - you should leave your existing antivirus program in place.

Please go through the instructions as posted and I'm sure you'll see what I mean, if you have any other questions about this please ask.

Also, please use the AddReply button and post your response to this thread. If you post your response as a new thread then it causes a significant delay in my responses to you, and makes extra work for the Moderators.

Edited by _silver_, 03 January 2008 - 09:47 PM.

Teacher at Malware Removal University | ASAP & UNITE Member

#11 silver


Posted 08 January 2008 - 10:01 PM

How are you getting on?
Teacher at Malware Removal University | ASAP & UNITE Member

#12 marty54

  • Topic Starter


Posted 10 January 2008 - 11:04 PM

Hi Silver. Thanks for your patience. The Kaspersky Log and Hijack Log are attached. The machine has been running much better as of late.

Kaspersky Log
detected: malware Exploit.HTML.Agent.j File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\01296E2F.htm//CryptFF
detected: adware not-a-virus:AdWare.Win32.Virtumonde.ks File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\07905865.exe//CryptFF
detected: Trojan program Trojan-Downloader.Win32.VB.bqc File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\07B17C41.exe//CryptFF
detected: Trojan program Trojan.Java.ClassLoader.k File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\08DB7086.tmp//CryptFF
detected: Trojan program Trojan-Downloader.JS.Agent.hv File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0F383672.htm//CryptFF
detected: Trojan program Trojan-Downloader.JS.Agent.hv File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\101C3177.htm//CryptFF
detected: malware Exploit.HTML.Agent.j File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1129587E.htm//CryptFF
detected: Trojan program Trojan.Java.ClassLoader.i File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\12F27335.tmp//CryptFF
detected: Trojan program Trojan.Java.ClassLoader.k File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\12F8472E.tmp//CryptFF
detected: malware Exploit.HTML.Agent.j File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\16D410FC.htm//CryptFF
detected: Trojan program Trojan-Downloader.VBS.Agent.ck File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\188C15D4.htm//CryptFF
detected: Trojan program Trojan-Downloader.JS.Agent.jy File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\18E15977.htm//CryptFF
detected: Trojan program Trojan-Downloader.Java.OpenConnection.ao File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\28D57FC1.tmp//CryptFF/MagicApplet.class
detected: Trojan program Trojan-Downloader.Java.OpenConnection.ao File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\28D57FC1.tmp//CryptFF/Installer.class
detected: Trojan program Trojan.Java.ClassLoader.k File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\29A76CBD.tmp//CryptFF
detected: malware Exploit.HTML.Agent.j File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2A1D7CA9.htm//CryptFF
detected: Trojan program Trojan-Downloader.JS.Agent.fq File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2EBB4B6B.htm//CryptFF
detected: Trojan program Trojan-Downloader.Win32.VB.bto File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2F09424E.exe//CryptFF
detected: Trojan program Trojan-Dropper.Win32.Agent.chq File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2FA621A1.exe//CryptFF
detected: Trojan program Trojan-Downloader.Java.OpenConnection.ao File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\325A5F6E.tmp//CryptFF
detected: Trojan program Trojan.Java.ClassLoader.k File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3AB0343F.tmp//CryptFF
detected: malware Exploit.HTML.Agent.j File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3DC54821.htm//CryptFF
detected: Trojan program Trojan.Java.ClassLoader.i File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3EBA746B.cla//CryptFF
detected: Trojan program Trojan.Java.ClassLoader.k File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3EF23E2E.cla//CryptFF
detected: Trojan program Trojan.Java.ClassLoader.k File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3EF5682A.cla//CryptFF
detected: Trojan program Trojan.Java.ClassLoader.k File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4284027A.tmp//CryptFF
detected: adware not-a-virus:AdWare.Win32.Virtumonde.apx File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\483813FC.dll//CryptFF
detected: Trojan program Trojan-Downloader.Win32.VB.bvj File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\487A5BB4.exe//CryptFF//Shrinker
detected: Trojan program Trojan.Java.ClassLoader.i File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4A777829.tmp//CryptFF
detected: Trojan program Trojan-Downloader.JS.Agent.hv File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\521C6BFA.htm//CryptFF
detected: Trojan program Trojan-Downloader.JS.Agent.hv File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\52223FF3.htm//CryptFF
detected: Trojan program Trojan-Downloader.Win32.VB.axa File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\57916119.exe//CryptFF//Shrinker
detected: Trojan program Trojan-Downloader.Win32.Agent.brq File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\57940B15.exe//CryptFF//Shrinker
detected: Trojan program Trojan-Downloader.Win32.Agent.fhv File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5A5D409D.exe//CryptFF//PE_Patch.Upolyx//PE_Patch.UPX//UPX
detected: Trojan program Trojan.Java.ClassLoader.k File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5CF75ACF.tmp//CryptFF
detected: adware not-a-virus:AdWare.Win32.Virtumonde.ks File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5D165EDE.exe//CryptFF
detected: Trojan program Trojan-Downloader.Win32.VB.bqc File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5D2730CC.exe//CryptFF
detected: adware not-a-virus:AdWare.Win32.Virtumonde.ks File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5ED81B70.exe//CryptFF
detected: Trojan program Trojan-Dropper.Win32.Agent.chq File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5EFC6949.exe//CryptFF
detected: Trojan program Trojan-Downloader.Win32.VB.bsp File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5F06673E.exe//CryptFF
detected: Trojan program Trojan.Java.ClassLoader.i File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\603A238E.tmp//CryptFF
detected: Trojan program Trojan-Downloader.Win32.VB.axa File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6A3A4266.exe//CryptFF//Shrinker
detected: Trojan program Trojan-Downloader.Win32.VB.axa File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6A4A1454.exe//CryptFF//Shrinker
detected: Trojan program Trojan-Downloader.Win32.Agent.fak File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6B5A5BA9.exe//CryptFF//PE_Patch.Upolyx//PE_Patch.UPX//UPX
detected: Trojan program Trojan-Downloader.Win32.Small.gll File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6E5C65DA.exe//CryptFF//PE_Patch.Upolyx//PE_Patch.UPX//UPX
detected: Trojan program Trojan-Downloader.Win32.VB.bto File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6E876AB4.exe//CryptFF//data0006
detected: Trojan program Trojan-Downloader.Win32.VB.bto File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6EB43681.exe//CryptFF
detected: Trojan program Trojan.Java.ClassLoader.i File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6FE20E84.tmp//CryptFF
detected: Trojan program Trojan.Java.ClassLoader.k File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6FE53880.tmp//CryptFF
detected: Trojan program Trojan-Downloader.JS.Agent.kd File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\770324CC.htm//CryptFF
detected: Trojan program Trojan.Java.ClassLoader.k File: C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7C4C45A5.tmp//CryptFF
deleted: Trojan program Trojan-Downloader.Java.Agent.f File: C:\Documents and Settings\Martin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0d96-419fda5b.zip/vlocal.class
disinfected: Trojan program Trojan-Downloader.Java.Agent.f File: C:\Documents and Settings\Martin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0dc0-514ea8e6.zip

HijackThis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:36:21 PM, on 1/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\MioNet\MioNetManager.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~3\NPROTECT.EXE
C:\Program Files\MioNet\jvm\bin\MioNet.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\PROGRA~1\NORTON~2\NORTON~3\SPEEDD~1\NOPDB.EXE
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\WINDOWS\System32\svchost.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\toshiba\ivp\ism\pinger.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Creative\USB SBAudigy2 NX\DVDAudio\CTDVDDet.EXE
C:\Program Files\Creative\USB SBAudigy2 NX\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Katoemba Software\Calq\Calq.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.symantec.com/techsupp/oem
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [LtMoh] "C:\Program Files\ltmoh\Ltmoh.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [CeEKEY] "C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe"
O4 - HKLM\..\Run: [TPNF] "C:\Program Files\TOSHIBA\TouchPad\TPTray.exe"
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe"
O4 - HKLM\..\Run: [CeEPOWER] "C:\Program Files\TOSHIBA\Power Management\CePMTray.exe"
O4 - HKLM\..\Run: [Pinger] "c:\toshiba\ivp\ism\pinger.exe" /run
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ADUserMon] "C:\Program Files\Iomega\AutoDisk\ADUserMon.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\USB SBAudigy2 NX\DVDAudio\CTDVDDet.EXE"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\USB SBAudigy2 NX\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [GoToMyPC] "C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -logon
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKCU\..\Run: [TOSCDSPD] "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe"
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [RemoteCenter] "C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Calq.lnk = ?
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://mail.spauldslye.com/iNotes6W.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1138465227453
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1138474986593
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MioNet Service (MioNet) - Unknown owner - C:\Program Files\MioNet\MioNetManager.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~3\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~3\SPEEDD~1\NOPDB.EXE
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 15769 bytes

Thanks Silver

#13 silver

silver

  • Members
  • 480 posts
  • Location:GMT+7

Posted 11 January 2008 - 01:38 AM

Hi marty54,

The scan log was not produced by following the instructions I posted; it looks like you have instead installed Kaspersky SOS. This, however, should give similar results, but can you please confirm that the scan was of your entire system and that the logfile is complete?

You can probably see from the log that you have a lot of infected files in your Norton AntiVirus Quarantine area; you should open this program and empty the quarantined files.

Please confirm the information about the log and let me know how your computer is running.
Teacher at Malware Removal University | ASAP & UNITE Member

#14 marty54

marty54
  • Topic Starter

  • Members
  • 9 posts

Posted 13 January 2008 - 10:09 AM

Hi Silver,

I did scan "My Computer". When it completed, I clicked the Save File button at the bottom. The log was 47 MB! I figured I did something wrong, so I just sent you the "Detections" page. I have since deleted the files from the quarantine area of Norton. The computer seems to be running fine. Certainly nothing like when I first posted an issue here.

I'm not sure about Windows in general. For some reason the computer (neither Windows Media Player nor the software that came with the MP3 player (Samsung)) will not recognize an MP3 player I got my wife for Christmas. I brought it to my work computer and there was no problem whatsoever. I'm still wrestling with re-installing Windows (I have the restore disk that came with my Toshiba laptop).

I'm not sure what's next.

#15 silver

silver

  • Members
  • 480 posts
  • Location:GMT+7

Posted 13 January 2008 - 09:21 PM

Hi marty54,

The log file size sounds a little large, and I don't know why it would be that big. It's important for me to see a full scan log, so I'd like you to do an online scan using the instructions I've posted. If that logfile turns out to be very large, then I'll tell you how to upload it for me and I'll analyze it anyway.

It's up to you to decide about reinstalling Windows, although that wouldn't normally be necessary in order to get an MP3 player to work. When we're finished cleaning (we're almost done), I recommend you post in the External Hardware forum here at BC for help with it; there's a very good chance they will be able to get it working for you.
Teacher at Malware Removal University | ASAP & UNITE Member
