Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Multiple Recurring Infections


  • This topic is locked This topic is locked
13 replies to this topic

#1 tigerbot

tigerbot

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:09:42 PM

Posted 18 April 2008 - 06:27 PM

Popups and banner hijacks, browser security settings reversed, unresponsive browser for pages including Google and this site. I need a lot of help shaking these. Here's my HJT log, and thanks for support:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:24:36 PM, on 4/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Turtle Beach Catalina\EnMixCPL.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\HJT\HiJackThis\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {74C3CEFA-86B9-4539-81B5-051139EA4E4E} - C:\WINDOWS\system32\mllji.dll (file missing)
O2 - BHO: (no name) - {8C5FE116-A330-469D-B5CF-D0C84761337E} - C:\WINDOWS\system32\khfcaabc.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {D7A3FAC9-1ADC-4502-8EC1-7E11F388A232} - \
O2 - BHO: (no name) - {DCE782A8-7492-4A35-85E9-C42E91E8380D} - C:\WINDOWS\system32\hggfebxu.dll
O2 - BHO: (no name) - {FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2} - C:\WINDOWS\system32\pmnnnomj.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Corel Painter Essentials 21a] C:\Program Files\Corel\Corel Painter Essentials 2\registration.exe /title="Corel Painter Essentials 2" /date=091805 serial=pe02cbx-0000003-nmd lang=EN
O4 - HKLM\..\Run: [EnvyHFCPL] C:\Program Files\Turtle Beach Catalina\EnMixCPL.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BM6726b385] Rundll32.exe "C:\WINDOWS\system32\dbvgvjtq.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - http://install.wildtangent.com/cda/islandr...uncherSetup.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...ler/install.cab
O20 - Winlogon Notify: awtutqq - awtutqq.dll (file missing)
O20 - Winlogon Notify: nnnonkj - nnnonkj.dll (file missing)
O20 - Winlogon Notify: pmnnnomj - C:\WINDOWS\SYSTEM32\pmnnnomj.dll
O20 - Winlogon Notify: wineij32 - wineij32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 7096 bytes

Edited by tigerbot, 18 April 2008 - 06:37 PM.


BC AdBot (Login to Remove)

 


m

#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 10,770 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:09:42 PM

Posted 18 April 2008 - 08:06 PM

Hi, tigerbot. :thumbsup:

Welcome.

Posted Image Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems

Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.
Please download VundoFix.exe to your desktop.

Note: In the event you already have Vundofix, this is a new version that I need you to download.
  • Double-click VundoFix.exe to run it.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the FixVundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt in your next reply.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#3 tigerbot

tigerbot
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:09:42 PM

Posted 19 April 2008 - 12:55 AM

I'm definitely still getting popups and ad banner hijacks. Vundofix didn't find anything, but here are the two other logs:

ComboFix 08-04-18.3 - heshbot 2008-04-19 1:38:55.10 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.633 [GMT -4:00]
Running from: C:\Documents and Settings\heshbot\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aqgguncc.dll
C:\WINDOWS\SYSTEM32\ccnuggqa.ini
C:\WINDOWS\system32\efcbawuv.dll
C:\WINDOWS\system32\nlncblkv.dll
C:\WINDOWS\SYSTEM32\vuwabcfe.ini
C:\WINDOWS\SYSTEM32\vuwabcfe.ini2
C:\WINDOWS\system32\wsqihvpm.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-19 to 2008-04-19 )))))))))))))))))))))))))))))))
.

2008-04-19 00:55 . 2008-04-19 00:55 <DIR> d-------- C:\VundoFix Backups
2008-04-19 00:53 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-04-18 15:26 . 2008-04-18 15:26 87,616 --a------ C:\WINDOWS\SYSTEM32\wtmclftd.dll_old
2008-04-18 15:26 . 2008-04-18 16:36 474 --ahs---- C:\WINDOWS\SYSTEM32\dtflcmtw.ini
2008-04-18 15:20 . 2008-04-19 01:30 109,752 --a------ C:\WINDOWS\BM6726b385.xml
2008-04-17 15:19 . 2008-04-18 15:19 354 --ahs---- C:\WINDOWS\SYSTEM32\nwgyhqkm.ini
2008-04-17 14:44 . 2008-04-17 14:44 <DIR> d-------- C:\WINDOWS\SYSTEM32\xcsDd01
2008-04-17 14:44 . 2008-04-17 14:44 <DIR> d-------- C:\temp\berDrv11
2008-04-17 14:44 . 2008-04-17 14:44 34,099 --a------ C:\WINDOWS\SYSTEM32\pmnnnomj.dll
2008-04-17 06:18 . 2008-04-17 17:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TrackMania
2008-04-17 06:13 . 2008-04-17 06:16 <DIR> d-------- C:\Program Files\TmNationsForever
2008-04-07 00:43 . 2007-12-05 01:41 356,352 --a------ C:\WINDOWS\SYSTEM32\nvudisp.exe
2008-04-07 00:43 . 2008-04-14 18:04 163,353 --a------ C:\WINDOWS\SYSTEM32\nvapps.xml
2008-04-07 00:43 . 2007-12-05 01:41 17,737 --a------ C:\WINDOWS\SYSTEM32\nvdisp.nvu
2008-04-07 00:35 . 2007-12-05 02:53 356,352 --a------ C:\WINDOWS\SYSTEM32\NVUNINST.EXE
2008-04-05 14:23 . 2007-04-24 16:30 60,273 --a------ C:\WINDOWS\SYSTEM32\pthreadGC2.dll
2008-03-25 18:54 . 2008-03-25 18:58 <DIR> d-------- C:\Program Files\ROM CHECK FAIL
2008-03-24 15:03 . 2008-03-24 16:39 <DIR> d-------- C:\WINDOWS\SYSTEM32\xTmp
2008-03-24 15:03 . 2008-03-24 15:04 <DIR> d-------- C:\WINDOWS\SYSTEM32\winz1
2008-03-24 15:03 . 2008-03-24 16:39 <DIR> d-------- C:\WINDOWS\SYSTEM32\usnv
2008-03-24 15:03 . 2008-03-24 15:03 <DIR> d-------- C:\WINDOWS\SYSTEM32\IDME
2008-03-24 15:02 . 2008-03-24 15:02 <DIR> d-------- C:\WINDOWS\SYSTEM32\aqVreo01

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-19 04:53 --------- d-----w C:\Program Files\Java
2008-04-18 19:56 --------- d-----w C:\Documents and Settings\heshbot\Application Data\Media Player Classic
2008-04-08 17:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-08 08:44 --------- d-----w C:\Program Files\EA GAMES
2008-04-07 03:20 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-05 18:23 --------- d-----w C:\Program Files\ffdshow
2008-03-24 19:05 --------- d-----w C:\Program Files\CyberLink
2008-03-06 02:05 --------- d-----w C:\Program Files\Napster
2008-03-01 22:23 --------- d-----w C:\Program Files\NCSoft
2008-03-01 17:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Amazon
2008-02-19 20:32 --------- d-----w C:\Program Files\Viewpoint
2008-02-19 20:31 --------- d-----w C:\Program Files\AIM
2008-02-19 20:31 --------- d-----w C:\Documents and Settings\heshbot\Application Data\Aim
2008-02-19 20:30 --------- d-----w C:\Program Files\AOD
2008-02-19 08:09 --------- d-----w C:\Program Files\WorldCommunityGrid
2008-02-19 08:05 --------- d-----w C:\Program Files\mIRC
2008-02-19 05:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-19 05:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-19 02:37 --------- d-----w C:\Program Files\AquariaDemo
2008-02-15 21:02 691,545 ----a-w C:\WINDOWS\unins002.exe
2007-02-24 03:12 4,608 -csha-w C:\Program Files\Thumbs.db
2007-02-01 20:49 58,436,178 -c--a-w C:\Program Files\data2.cab
2007-02-01 20:49 4,750 -c--a-w C:\Program Files\layout.bin
2007-02-01 20:49 30,575 -c--a-w C:\Program Files\data1.hdr
2007-02-01 20:49 23,962,185 -c--a-w C:\Program Files\data1.cab
2007-01-30 17:06 233,642 -c--a-w C:\Program Files\setup.inx
2007-01-26 16:01 1,993,656 -c--a-w C:\Program Files\setup.isn
2006-12-03 01:05 2,522 ----a-w C:\Program Files\func.js
2006-11-25 07:57 482 ----a-w C:\Program Files\Del.js
2001-09-10 13:00 139,264 -c--a-w C:\WINDOWS\INF\i386\Rtscan.dll
2001-09-10 12:10 61,440 -c--a-w C:\WINDOWS\INF\i386\onetUSD.dll
2001-08-17 22:43 32,768 -c--a-w C:\WINDOWS\INF\i386\Wiamicro.dll
2001-08-03 22:29 13,824 -c--a-w C:\WINDOWS\INF\i386\usbscan.sys
2001-06-29 12:10 163,840 -c--a-w C:\WINDOWS\INF\i386\viceo.dll
.

((((((((((((((((((((((((((((( snapshot@2008-04-19_ 0.37.59.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-19 04:31:51 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-04-19 05:44:56 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
- 2004-02-23 02:52:42 24,681 -c--a-w C:\WINDOWS\SYSTEM32\java.exe
+ 2008-03-25 05:28:39 135,168 ----a-w C:\WINDOWS\SYSTEM32\java.exe
- 2004-02-23 02:52:44 28,779 -c--a-w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2008-03-25 05:28:43 135,168 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2008-03-25 06:37:01 139,264 ----a-w C:\WINDOWS\SYSTEM32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74C3CEFA-86B9-4539-81B5-051139EA4E4E}]
C:\WINDOWS\system32\mllji.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8C5FE116-A330-469D-B5CF-D0C84761337E}]
C:\WINDOWS\system32\khfcaabc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D7A3FAC9-1ADC-4502-8EC1-7E11F388A232}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}]
2008-04-17 14:44 34099 --a------ C:\WINDOWS\system32\pmnnnomj.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-03 19:58 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-06-02 07:00 122880 C:\WINDOWS\BCMSMMSG.exe]
"Corel Painter Essentials 21a"="C:\Program Files\Corel\Corel Painter Essentials 2\registration.exe" [ ]
"EnvyHFCPL"="C:\Program Files\Turtle Beach Catalina\EnMixCPL.exe" [2004-02-23 17:25 1757696]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [ ]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30 81920]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [ ]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}"= C:\WINDOWS\system32\pmnnnomj.dll [2008-04-17 14:44 34099]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtutqq]
awtutqq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnonkj]
nnnonkj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnnomj]
pmnnnomj.dll 2008-04-17 14:44 34099 C:\WINDOWS\SYSTEM32\pmnnnomj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wineij32]
wineij32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TabUserW.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TabUserW.exe.lnk
backup=C:\WINDOWS\pss\TabUserW.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^heshbot^Start Menu^Programs^Startup^Spruce - Auto Update.lnk]
path=C:\Documents and Settings\heshbot\Start Menu\Programs\Startup\Spruce - Auto Update.lnk
backup=C:\WINDOWS\pss\Spruce - Auto Update.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^heshbot^Start Menu^Programs^Startup^World Community Grid Agent.lnk]
path=C:\Documents and Settings\heshbot\Start Menu\Programs\Startup\World Community Grid Agent.lnk
backup=C:\WINDOWS\pss\World Community Grid Agent.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\64158019]
C:\WINDOWS\system32\siaotpbu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aida]
C:\Program Files\Outerinfo\OuterinfoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArtChk]
C:\WINDOWS\system32\artchker.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
C:\Program Files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM6726b385]
C:\WINDOWS\system32\nbinpfru.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a--c--- 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DwlClient]
--a------ 2004-05-27 21:05 323584 C:\Program Files\Common Files\Dell\EUSW\Support.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EbatesMoeMoneyMaker0]
C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LimeShop]
C:\Program Files\LimeShop\LimeShoprun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mswspl]
C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBInstall]
C:\DOCUME~1\heshbot\LOCALS~1\Temp\MBDownloader_876919.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nuhwtyxi]
C:\Program Files\ovcdgtev\anclmhkr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-12-05 01:41 1626112 C:\WINDOWS\SYSTEM32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneCareUI]
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor]
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Outerinfo]
C:\Program Files\Outerinfo\Outerinfo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OuterinfoUpdate]
C:\Program Files\Outerinfo\OuterinfoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu77.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 12:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
C:\Program Files\Spyware Doctor\swdoctor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-09-03 19:58 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
C:\Program Files\Support.com\bin\tgcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.8.5\webbuying.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble]
C:\Program Files\WinAble\winable.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-01-15 18:54 37376 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
C:\Program Files\WinPop\winpop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{ZN}]
C:\Documents and Settings\heshbot\Local Settings\Temp\TICHD003.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"OneCareMP"=2 (0x2)
"cmdService"=2 (0x2)
"WMPNetworkSvc"=2 (0x2)
"Spooler"=2 (0x2)
"TabletService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\NCsoft\\Exteel\\System\\Exteel.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2 Demo\\BF2.exe"=
"C:\\Program Files\\TmNationsForever\\TmForever.exe"=

R2 ppsio2;PPDevice;C:\WINDOWS\system32\drivers\ppsio2.sys [1999-06-30 02:49]
R2 X4HSX32;X4HSX32;C:\Program Files\GameTap\bin\Release\X4HSX32.Sys [2008-01-24 06:11]
R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;C:\WINDOWS\system32\drivers\Envy24HF.sys [2004-02-26 16:40]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{c23dd370-cb79-11d2-898a-00c04f80a47f}]
rundll32.exe advpack.dll,LaunchINFSectionEx %SystemRoot%\INF\toolimg.inf,PerUserStub.Install,,260
.
Contents of the 'Scheduled Tasks' folder
"2008-04-15 01:45:00 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.2.30.2.sxt _RegistrationOffer@16
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-19 01:46:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\pmnnnomj.dll
-> C:\WINDOWS\system32\tsd32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\SYSTEM32\DRIVERS\KodakCCS.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\WINDOWS\SYSTEM32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-04-19 1:51:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-19 05:51:38
ComboFix2.txt 2008-04-19 04:38:44
ComboFix3.txt 2008-04-18 23:08:05

Pre-Run: 36,617,654,272 bytes free
Post-Run: 36,602,314,752 bytes free

282 --- E O F --- 2008-04-18 20:52:19






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:54:42 AM, on 4/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Turtle Beach Catalina\EnMixCPL.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HiJackThis\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {74C3CEFA-86B9-4539-81B5-051139EA4E4E} - C:\WINDOWS\system32\mllji.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {8C5FE116-A330-469D-B5CF-D0C84761337E} - C:\WINDOWS\system32\khfcaabc.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {D7A3FAC9-1ADC-4502-8EC1-7E11F388A232} - \
O2 - BHO: (no name) - {FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2} - C:\WINDOWS\system32\pmnnnomj.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Corel Painter Essentials 21a] C:\Program Files\Corel\Corel Painter Essentials 2\registration.exe /title="Corel Painter Essentials 2" /date=091805 serial=pe02cbx-0000003-nmd lang=EN
O4 - HKLM\..\Run: [EnvyHFCPL] C:\Program Files\Turtle Beach Catalina\EnMixCPL.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - http://install.wildtangent.com/cda/islandr...uncherSetup.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...ler/install.cab
O20 - Winlogon Notify: awtutqq - awtutqq.dll (file missing)
O20 - Winlogon Notify: nnnonkj - nnnonkj.dll (file missing)
O20 - Winlogon Notify: pmnnnomj - C:\WINDOWS\SYSTEM32\pmnnnomj.dll
O20 - Winlogon Notify: wineij32 - wineij32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 7302 bytes

Edited by tigerbot, 19 April 2008 - 01:02 AM.


#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 10,770 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:09:42 PM

Posted 19 April 2008 - 11:01 AM

Hi, tigerbot
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
File::C:\WINDOWS\SYSTEM32\dtflcmtw.ini  C:\WINDOWS\SYSTEM32\nwgyhqkm.ini  C:\WINDOWS\SYSTEM32\pmnnnomj.dllC:\WINDOWS\system32\mllji.dllC:\WINDOWS\system32\khfcaabc.dllC:\WINDOWS\system32\artchker.exeC:\DOCUME~1\heshbot\LOCALS~1\Temp\MBDownloader_876919.exeC:\WINDOWS\mrofinu77.exeC:\Documents and Settings\heshbot\Local Settings\Temp\TICHD003.exeFolder:: C:\temp\berDrv11C:\Program Files\OuterinfoC:\Program Files\Ebates_MoeMoneyMakerC:\Program Files\LimeShopC:\Program Files\ovcdgtevC:\Program Files\Web BuyingC:\Program Files\WinAbleC:\Program Files\WinPopSuspect::C:\WINDOWS\BM6726b385.xml  C:\WINDOWS\SYSTEM32\wtmclftd.dll_old  C:\WINDOWS\system32\nbinpfru.dllDirlook::C:\WINDOWS\SYSTEM32\xTmp  C:\WINDOWS\SYSTEM32\winz1  C:\WINDOWS\SYSTEM32\usnv  C:\WINDOWS\SYSTEM32\IDME  C:\WINDOWS\SYSTEM32\aqVreo01  C:\WINDOWS\SYSTEM32\xcsDd01 Registry::[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74C3CEFA-86B9-4539-81B5-051139EA4E4E}][-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8C5FE116-A330-469D-B5CF-D0C84761337E}][-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D7A3FAC9-1ADC-4502-8EC1-7E11F388A232}][-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}][hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]"{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}"=-[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtutqq][-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnonkj][-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnnomj][-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wineij32][-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aida][-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArtChk][-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM6726b385][-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EbatesMoeMoneyMaker0][-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LimeShop][-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBInstall][-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Outerinfo][-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nuhwtyxi][-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OuterinfoUpdate][-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1][-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched][-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying][-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble][-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop][-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{ZN}][HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]"cmdService"=-

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a Hijackthis log.

Additonally, ComboFix will generate a zipped file on your desktop called Submit [Date Time].zip
Please submit this file to:

http://www.bleepingcomputer.com/submit-malware.php?channel=4

Please include a link to this topic in the message.

Edited by JSntgRvr, 19 April 2008 - 11:01 AM.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#5 tigerbot

tigerbot
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:09:42 PM

Posted 19 April 2008 - 01:48 PM

I'll do that now, but I wanted to post another set of CF and HJT logs that are a result of my actually being able to start my computer in Safe Mode for the first time in a long time, and running CF.

I will say that even though Vundofix didn't find anything, Spybot found 7 entries. Upon trying to remove them, it has caused lsass.exe's CPU usage to skyrocket. This isn't the first time that's happened when trying to remove similar entries. What is also happening is that even when they are "removed" and the process is unchecked in in msconfig's startup tab, it always comes back after a restart as a new, randomly named process. Spybot lists them as BHO's. When I tried to remove them in Spybot's BHO removal window, they kept popping back up. If they are turned off, temporarily, they come back on restart and cause cmd screens to pop up.

Here are my logs from Safe Mode, and later the new log with the CFScript.



ComboFix 08-04-18.3 - heshbot 2008-04-19 8:06:24.11 - NTFSx86 MINIMAL
Running from: C:\Documents and Settings\heshbot\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\SYSTEM32\gjikjjlm.ini
C:\WINDOWS\SYSTEM32\gjikjjlm.ini2
C:\WINDOWS\SYSTEM32\qrsuxbeg.ini
C:\WINDOWS\SYSTEM32\qrsuxbeg.ini2

.
((((((((((((((((((((((((( Files Created from 2008-03-19 to 2008-04-19 )))))))))))))))))))))))))))))))
.

2008-04-19 06:40 . 2008-04-19 06:40 <DIR> d-------- C:\VundoFix Backups
2008-04-19 00:53 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-04-18 15:26 . 2008-04-18 16:36 474 --ahs---- C:\WINDOWS\SYSTEM32\dtflcmtw.ini
2008-04-18 15:20 . 2008-04-19 05:58 109,761 --a------ C:\WINDOWS\BM6726b385.xml
2008-04-17 15:19 . 2008-04-18 15:19 354 --ahs---- C:\WINDOWS\SYSTEM32\nwgyhqkm.ini
2008-04-17 14:44 . 2008-04-17 14:44 <DIR> d-------- C:\WINDOWS\SYSTEM32\xcsDd01
2008-04-17 14:44 . 2008-04-17 14:44 <DIR> d-------- C:\temp\berDrv11
2008-04-17 14:44 . 2008-04-17 14:44 34,099 --a------ C:\WINDOWS\SYSTEM32\pmnnnomj.dll
2008-04-17 06:18 . 2008-04-17 17:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TrackMania
2008-04-17 06:13 . 2008-04-17 06:16 <DIR> d-------- C:\Program Files\TmNationsForever
2008-04-07 00:43 . 2007-12-05 01:41 356,352 --a------ C:\WINDOWS\SYSTEM32\nvudisp.exe
2008-04-07 00:43 . 2008-04-14 18:04 163,353 --a------ C:\WINDOWS\SYSTEM32\nvapps.xml
2008-04-07 00:43 . 2007-12-05 01:41 17,737 --a------ C:\WINDOWS\SYSTEM32\nvdisp.nvu
2008-04-07 00:35 . 2007-12-05 02:53 356,352 --a------ C:\WINDOWS\SYSTEM32\NVUNINST.EXE
2008-04-05 14:23 . 2007-04-24 16:30 60,273 --a------ C:\WINDOWS\SYSTEM32\pthreadGC2.dll
2008-03-25 18:54 . 2008-03-25 18:58 <DIR> d-------- C:\Program Files\ROM CHECK FAIL
2008-03-24 15:03 . 2008-03-24 16:39 <DIR> d-------- C:\WINDOWS\SYSTEM32\xTmp
2008-03-24 15:03 . 2008-03-24 15:04 <DIR> d-------- C:\WINDOWS\SYSTEM32\winz1
2008-03-24 15:03 . 2008-03-24 16:39 <DIR> d-------- C:\WINDOWS\SYSTEM32\usnv
2008-03-24 15:03 . 2008-03-24 15:03 <DIR> d-------- C:\WINDOWS\SYSTEM32\IDME
2008-03-24 15:02 . 2008-03-24 15:02 <DIR> d-------- C:\WINDOWS\SYSTEM32\aqVreo01

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-19 11:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-19 10:27 --------- d-----w C:\Program Files\EA GAMES
2008-04-19 04:53 --------- d-----w C:\Program Files\Java
2008-04-18 19:56 --------- d-----w C:\Documents and Settings\heshbot\Application Data\Media Player Classic
2008-04-08 17:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-07 03:20 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-05 18:23 --------- d-----w C:\Program Files\ffdshow
2008-03-24 19:05 --------- d-----w C:\Program Files\CyberLink
2008-03-06 02:05 --------- d-----w C:\Program Files\Napster
2008-03-01 22:23 --------- d-----w C:\Program Files\NCSoft
2008-03-01 17:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Amazon
2008-02-19 20:32 --------- d-----w C:\Program Files\Viewpoint
2008-02-19 20:31 --------- d-----w C:\Program Files\AIM
2008-02-19 20:31 --------- d-----w C:\Documents and Settings\heshbot\Application Data\Aim
2008-02-19 20:30 --------- d-----w C:\Program Files\AOD
2008-02-19 08:09 --------- d-----w C:\Program Files\WorldCommunityGrid
2008-02-19 08:05 --------- d-----w C:\Program Files\mIRC
2008-02-19 05:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-19 05:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-19 02:37 --------- d-----w C:\Program Files\AquariaDemo
2008-02-15 21:02 691,545 ----a-w C:\WINDOWS\unins002.exe
2007-02-24 03:12 4,608 -csha-w C:\Program Files\Thumbs.db
2007-02-01 20:49 58,436,178 -c--a-w C:\Program Files\data2.cab
2007-02-01 20:49 4,750 -c--a-w C:\Program Files\layout.bin
2007-02-01 20:49 30,575 -c--a-w C:\Program Files\data1.hdr
2007-02-01 20:49 23,962,185 -c--a-w C:\Program Files\data1.cab
2007-01-30 17:06 233,642 -c--a-w C:\Program Files\setup.inx
2007-01-26 16:01 1,993,656 -c--a-w C:\Program Files\setup.isn
2006-12-03 01:05 2,522 ----a-w C:\Program Files\func.js
2006-11-25 07:57 482 ----a-w C:\Program Files\Del.js
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ADA9F7AC-8B82-45B4-8CDB-D044A0027521}]
C:\WINDOWS\system32\gebxusrq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}]
2008-04-17 14:44 34099 --a------ C:\WINDOWS\system32\pmnnnomj.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-06-02 07:00 122880 C:\WINDOWS\BCMSMMSG.exe]
"Corel Painter Essentials 21a"="C:\Program Files\Corel\Corel Painter Essentials 2\registration.exe" [ ]
"EnvyHFCPL"="C:\Program Files\Turtle Beach Catalina\EnMixCPL.exe" [2004-02-23 17:25 1757696]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [ ]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30 81920]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [ ]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2}"= C:\WINDOWS\system32\pmnnnomj.dll [2008-04-17 14:44 34099]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtutqq]
awtutqq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnonkj]
nnnonkj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnnomj]
pmnnnomj.dll 2008-04-17 14:44 34099 C:\WINDOWS\SYSTEM32\pmnnnomj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wineij32]
wineij32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TabUserW.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TabUserW.exe.lnk
backup=C:\WINDOWS\pss\TabUserW.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^heshbot^Start Menu^Programs^Startup^Spruce - Auto Update.lnk]
path=C:\Documents and Settings\heshbot\Start Menu\Programs\Startup\Spruce - Auto Update.lnk
backup=C:\WINDOWS\pss\Spruce - Auto Update.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^heshbot^Start Menu^Programs^Startup^World Community Grid Agent.lnk]
path=C:\Documents and Settings\heshbot\Start Menu\Programs\Startup\World Community Grid Agent.lnk
backup=C:\WINDOWS\pss\World Community Grid Agent.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\64158019]
C:\WINDOWS\system32\siaotpbu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aida]
C:\Program Files\Outerinfo\OuterinfoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArtChk]
C:\WINDOWS\system32\artchker.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
C:\Program Files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM6726b385]
C:\WINDOWS\system32\hojyfqqa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a--c--- 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DwlClient]
--a------ 2004-05-27 21:05 323584 C:\Program Files\Common Files\Dell\EUSW\Support.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EbatesMoeMoneyMaker0]
C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LimeShop]
C:\Program Files\LimeShop\LimeShoprun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mswspl]
C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBInstall]
C:\DOCUME~1\heshbot\LOCALS~1\Temp\MBDownloader_876919.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nuhwtyxi]
C:\Program Files\ovcdgtev\anclmhkr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-12-05 01:41 8523776 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-12-05 01:41 1626112 C:\WINDOWS\SYSTEM32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneCareUI]
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor]
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Outerinfo]
C:\Program Files\Outerinfo\Outerinfo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OuterinfoUpdate]
C:\Program Files\Outerinfo\OuterinfoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu77.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 12:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
C:\Program Files\Spyware Doctor\swdoctor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-09-03 19:58 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
C:\Program Files\Support.com\bin\tgcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.8.5\webbuying.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble]
C:\Program Files\WinAble\winable.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-01-15 18:54 37376 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
C:\Program Files\WinPop\winpop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{ZN}]
C:\Documents and Settings\heshbot\Local Settings\Temp\TICHD003.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"OneCareMP"=2 (0x2)
"cmdService"=2 (0x2)
"WMPNetworkSvc"=2 (0x2)
"Spooler"=2 (0x2)
"TabletService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\NCsoft\\Exteel\\System\\Exteel.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2 Demo\\BF2.exe"=
"C:\\Program Files\\TmNationsForever\\TmForever.exe"=

R2 ppsio2;PPDevice;C:\WINDOWS\system32\drivers\ppsio2.sys [1999-06-30 02:49]
R2 X4HSX32;X4HSX32;C:\Program Files\GameTap\bin\Release\X4HSX32.Sys [2008-01-24 06:11]
R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;C:\WINDOWS\system32\drivers\Envy24HF.sys [2004-02-26 16:40]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{c23dd370-cb79-11d2-898a-00c04f80a47f}]
rundll32.exe advpack.dll,LaunchINFSectionEx %SystemRoot%\INF\toolimg.inf,PerUserStub.Install,,260
.
Contents of the 'Scheduled Tasks' folder
"2008-04-15 01:45:00 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.2.30.2.sxt _RegistrationOffer@16
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-19 14:27:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\pmnnnomj.dll
-> C:\WINDOWS\system32\tsd32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\SYSTEM32\DRIVERS\KodakCCS.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WINDOWS\SYSTEM32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-04-19 14:33:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-19 18:33:10
ComboFix2.txt 2008-04-19 05:51:53

Pre-Run: 42,597,838,848 bytes free
Post-Run: 41,512,873,984 bytes free

255 --- E O F --- 2008-04-18 20:52:19



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:38:45 PM, on 4/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Turtle Beach Catalina\EnMixCPL.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\HJT\HiJackThis\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {ADA9F7AC-8B82-45B4-8CDB-D044A0027521} - C:\WINDOWS\system32\gebxusrq.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2} - C:\WINDOWS\system32\pmnnnomj.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Corel Painter Essentials 21a] C:\Program Files\Corel\Corel Painter Essentials 2\registration.exe /title="Corel Painter Essentials 2" /date=091805 serial=pe02cbx-0000003-nmd lang=EN
O4 - HKLM\..\Run: [EnvyHFCPL] C:\Program Files\Turtle Beach Catalina\EnMixCPL.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - http://install.wildtangent.com/cda/islandr...uncherSetup.cab
O20 - Winlogon Notify: awtutqq - awtutqq.dll (file missing)
O20 - Winlogon Notify: nnnonkj - nnnonkj.dll (file missing)
O20 - Winlogon Notify: pmnnnomj - C:\WINDOWS\SYSTEM32\pmnnnomj.dll
O20 - Winlogon Notify: wineij32 - wineij32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 6628 bytes

#6 tigerbot

tigerbot
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:09:42 PM

Posted 19 April 2008 - 02:20 PM

Here are the script logs. Also, I have submitted the file.

ComboFix 08-04-18.3 - heshbot 2008-04-19 15:02:37.12 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.658 [GMT -4:00]
Running from: C:\Documents and Settings\heshbot\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\heshbot\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\DOCUME~1\heshbot\LOCALS~1\Temp\MBDownloader_876919.exe
C:\Documents and Settings\heshbot\Local Settings\Temp\TICHD003.exe
C:\WINDOWS\mrofinu77.exe
C:\WINDOWS\system32\artchker.exe
C:\WINDOWS\SYSTEM32\dtflcmtw.ini
C:\WINDOWS\system32\khfcaabc.dll
C:\WINDOWS\system32\mllji.dll
C:\WINDOWS\SYSTEM32\nwgyhqkm.ini
C:\WINDOWS\SYSTEM32\pmnnnomj.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\berDrv11
C:\WINDOWS\SYSTEM32\dtflcmtw.ini
C:\WINDOWS\SYSTEM32\nwgyhqkm.ini
C:\WINDOWS\SYSTEM32\pmnnnomj.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-19 to 2008-04-19 )))))))))))))))))))))))))))))))
.

2008-04-19 06:40 . 2008-04-19 06:40 <DIR> d-------- C:\VundoFix Backups
2008-04-19 00:53 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-04-18 15:20 . 2008-04-19 05:58 109,761 --a------ C:\WINDOWS\BM6726b385.xml
2008-04-17 14:44 . 2008-04-17 14:44 <DIR> d-------- C:\WINDOWS\SYSTEM32\xcsDd01
2008-04-17 06:18 . 2008-04-17 17:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TrackMania
2008-04-17 06:13 . 2008-04-17 06:16 <DIR> d-------- C:\Program Files\TmNationsForever
2008-04-07 00:43 . 2007-12-05 01:41 356,352 --a------ C:\WINDOWS\SYSTEM32\nvudisp.exe
2008-04-07 00:43 . 2008-04-14 18:04 163,353 --a------ C:\WINDOWS\SYSTEM32\nvapps.xml
2008-04-07 00:43 . 2007-12-05 01:41 17,737 --a------ C:\WINDOWS\SYSTEM32\nvdisp.nvu
2008-04-07 00:35 . 2007-12-05 02:53 356,352 --a------ C:\WINDOWS\SYSTEM32\NVUNINST.EXE
2008-04-05 14:23 . 2007-04-24 16:30 60,273 --a------ C:\WINDOWS\SYSTEM32\pthreadGC2.dll
2008-03-25 18:54 . 2008-03-25 18:58 <DIR> d-------- C:\Program Files\ROM CHECK FAIL
2008-03-24 15:03 . 2008-03-24 16:39 <DIR> d-------- C:\WINDOWS\SYSTEM32\xTmp
2008-03-24 15:03 . 2008-03-24 15:04 <DIR> d-------- C:\WINDOWS\SYSTEM32\winz1
2008-03-24 15:03 . 2008-03-24 16:39 <DIR> d-------- C:\WINDOWS\SYSTEM32\usnv
2008-03-24 15:03 . 2008-03-24 15:03 <DIR> d-------- C:\WINDOWS\SYSTEM32\IDME
2008-03-24 15:02 . 2008-03-24 15:02 <DIR> d-------- C:\WINDOWS\SYSTEM32\aqVreo01

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-19 11:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-19 10:27 --------- d-----w C:\Program Files\EA GAMES
2008-04-19 04:53 --------- d-----w C:\Program Files\Java
2008-04-18 19:56 --------- d-----w C:\Documents and Settings\heshbot\Application Data\Media Player Classic
2008-04-08 17:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-07 03:20 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-05 18:23 --------- d-----w C:\Program Files\ffdshow
2008-03-24 19:05 --------- d-----w C:\Program Files\CyberLink
2008-03-06 02:05 --------- d-----w C:\Program Files\Napster
2008-03-01 22:23 --------- d-----w C:\Program Files\NCSoft
2008-03-01 17:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Amazon
2008-02-19 20:32 --------- d-----w C:\Program Files\Viewpoint
2008-02-19 20:31 --------- d-----w C:\Program Files\AIM
2008-02-19 20:31 --------- d-----w C:\Documents and Settings\heshbot\Application Data\Aim
2008-02-19 20:30 --------- d-----w C:\Program Files\AOD
2008-02-19 08:09 --------- d-----w C:\Program Files\WorldCommunityGrid
2008-02-19 08:05 --------- d-----w C:\Program Files\mIRC
2008-02-19 05:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-19 05:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-19 02:37 --------- d-----w C:\Program Files\AquariaDemo
2008-02-15 21:02 691,545 ----a-w C:\WINDOWS\unins002.exe
2007-02-24 03:12 4,608 -csha-w C:\Program Files\Thumbs.db
2007-02-01 20:49 58,436,178 -c--a-w C:\Program Files\data2.cab
2007-02-01 20:49 4,750 -c--a-w C:\Program Files\layout.bin
2007-02-01 20:49 30,575 -c--a-w C:\Program Files\data1.hdr
2007-02-01 20:49 23,962,185 -c--a-w C:\Program Files\data1.cab
2007-01-30 17:06 233,642 -c--a-w C:\Program Files\setup.inx
2007-01-26 16:01 1,993,656 -c--a-w C:\Program Files\setup.isn
2006-12-03 01:05 2,522 ----a-w C:\Program Files\func.js
2006-11-25 07:57 482 ----a-w C:\Program Files\Del.js
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\SYSTEM32\aqVreo01 ----

2008-03-15 08:43 32768 --a------ C:\WINDOWS\SYSTEM32\aqVreo01\aqVreo011065.exe

---- Directory of C:\WINDOWS\SYSTEM32\IDME ----

2008-03-12 20:22 139457 --a------ C:\WINDOWS\SYSTEM32\IDME\TGbn1dll.exe
2008-01-05 16:48 126976 --a------ C:\WINDOWS\SYSTEM32\IDME\dimnet201.exe

---- Directory of C:\WINDOWS\SYSTEM32\usnv ----


---- Directory of C:\WINDOWS\SYSTEM32\winz1 ----


---- Directory of C:\WINDOWS\SYSTEM32\xcsDd01 ----

2008-04-13 08:42 32768 --a------ C:\WINDOWS\SYSTEM32\xcsDd01\xcsDd011065.exe

---- Directory of C:\WINDOWS\SYSTEM32\xTmp ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ADA9F7AC-8B82-45B4-8CDB-D044A0027521}]
C:\WINDOWS\system32\gebxusrq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-06-02 07:00 122880 C:\WINDOWS\BCMSMMSG.exe]
"Corel Painter Essentials 21a"="C:\Program Files\Corel\Corel Painter Essentials 2\registration.exe" [ ]
"EnvyHFCPL"="C:\Program Files\Turtle Beach Catalina\EnMixCPL.exe" [2004-02-23 17:25 1757696]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [ ]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30 81920]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [ ]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TabUserW.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TabUserW.exe.lnk
backup=C:\WINDOWS\pss\TabUserW.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^heshbot^Start Menu^Programs^Startup^Spruce - Auto Update.lnk]
path=C:\Documents and Settings\heshbot\Start Menu\Programs\Startup\Spruce - Auto Update.lnk
backup=C:\WINDOWS\pss\Spruce - Auto Update.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^heshbot^Start Menu^Programs^Startup^World Community Grid Agent.lnk]
path=C:\Documents and Settings\heshbot\Start Menu\Programs\Startup\World Community Grid Agent.lnk
backup=C:\WINDOWS\pss\World Community Grid Agent.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\64158019]
C:\WINDOWS\system32\siaotpbu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
C:\Program Files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a--c--- 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DwlClient]
--a------ 2004-05-27 21:05 323584 C:\Program Files\Common Files\Dell\EUSW\Support.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mswspl]
C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-12-05 01:41 8523776 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-12-05 01:41 1626112 C:\WINDOWS\SYSTEM32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneCareUI]
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor]
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 12:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
C:\Program Files\Spyware Doctor\swdoctor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-09-03 19:58 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
C:\Program Files\Support.com\bin\tgcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-01-15 18:54 37376 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"OneCareMP"=2 (0x2)
"WMPNetworkSvc"=2 (0x2)
"Spooler"=2 (0x2)
"TabletService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\NCsoft\\Exteel\\System\\Exteel.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2 Demo\\BF2.exe"=
"C:\\Program Files\\TmNationsForever\\TmForever.exe"=

R2 ppsio2;PPDevice;C:\WINDOWS\system32\drivers\ppsio2.sys [1999-06-30 02:49]
R2 X4HSX32;X4HSX32;C:\Program Files\GameTap\bin\Release\X4HSX32.Sys [2008-01-24 06:11]
R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;C:\WINDOWS\system32\drivers\Envy24HF.sys [2004-02-26 16:40]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{c23dd370-cb79-11d2-898a-00c04f80a47f}]
rundll32.exe advpack.dll,LaunchINFSectionEx %SystemRoot%\INF\toolimg.inf,PerUserStub.Install,,260
.
Contents of the 'Scheduled Tasks' folder
"2008-04-15 01:45:00 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.2.30.2.sxt _RegistrationOffer@16
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-19 15:09:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tsd32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\SYSTEM32\DRIVERS\KodakCCS.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-04-19 15:15:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-19 19:15:33
ComboFix2.txt 2008-04-19 18:33:24

Pre-Run: 41,493,663,744 bytes free
Post-Run: 41,475,907,584 bytes free

230 --- E O F --- 2008-04-18 20:52:19





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:18:19 PM, on 4/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Turtle Beach Catalina\EnMixCPL.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HiJackThis\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {ADA9F7AC-8B82-45B4-8CDB-D044A0027521} - C:\WINDOWS\system32\gebxusrq.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Corel Painter Essentials 21a] C:\Program Files\Corel\Corel Painter Essentials 2\registration.exe /title="Corel Painter Essentials 2" /date=091805 serial=pe02cbx-0000003-nmd lang=EN
O4 - HKLM\..\Run: [EnvyHFCPL] C:\Program Files\Turtle Beach Catalina\EnMixCPL.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - http://install.wildtangent.com/cda/islandr...uncherSetup.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 6259 bytes

#7 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 10,770 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:09:42 PM

Posted 19 April 2008 - 02:22 PM

Hi, tigerbot :thumbsup:

Standby

Edited by JSntgRvr, 19 April 2008 - 02:24 PM.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#8 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 10,770 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:09:42 PM

Posted 19 April 2008 - 02:38 PM

Hi, tigerbot :thumbsup:
  • Copy the entire contents of the Code Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
File::C:\WINDOWS\system32\siaotpbu.dllFolder::C:\WINDOWS\SYSTEM32\xTmpC:\WINDOWS\SYSTEM32\winz1C:\WINDOWS\SYSTEM32\usnvC:\WINDOWS\SYSTEM32\IDMEC:\WINDOWS\SYSTEM32\aqVreo01C:\WINDOWS\SYSTEM32\xcsDd01 Registry::[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ADA9F7AC-8B82-45B4-8CDB-D044A0027521}][-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\64158019]

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a Hijackthis log..

Let scan for ramnants.

Please do an online scan with Kaspersky WebScanner (Use internet Explorer)

Click on Accept

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#9 tigerbot

tigerbot
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:09:42 PM

Posted 19 April 2008 - 05:42 PM

Here are the new logs, and thanks again for the help:


ComboFix 08-04-18.3 - heshbot 2008-04-19 16:39:02.13 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.662 [GMT -4:00]
Running from: C:\Documents and Settings\heshbot\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\heshbot\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\siaotpbu.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\aqVreo01
C:\WINDOWS\SYSTEM32\aqVreo01\aqVreo011065.exe
C:\WINDOWS\SYSTEM32\IDME
C:\WINDOWS\SYSTEM32\IDME\dimnet201.exe
C:\WINDOWS\SYSTEM32\IDME\TGbn1dll.exe
C:\WINDOWS\SYSTEM32\usnv
C:\WINDOWS\SYSTEM32\winz1
C:\WINDOWS\SYSTEM32\xcsDd01
C:\WINDOWS\SYSTEM32\xcsDd01\xcsDd011065.exe
C:\WINDOWS\SYSTEM32\xTmp

.
((((((((((((((((((((((((( Files Created from 2008-03-19 to 2008-04-19 )))))))))))))))))))))))))))))))
.

2008-04-19 06:40 . 2008-04-19 06:40 <DIR> d-------- C:\VundoFix Backups
2008-04-19 00:53 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-04-18 15:20 . 2008-04-19 05:58 109,761 --a------ C:\WINDOWS\BM6726b385.xml
2008-04-17 06:18 . 2008-04-17 17:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TrackMania
2008-04-17 06:13 . 2008-04-17 06:16 <DIR> d-------- C:\Program Files\TmNationsForever
2008-04-07 00:43 . 2007-12-05 01:41 356,352 --a------ C:\WINDOWS\SYSTEM32\nvudisp.exe
2008-04-07 00:43 . 2008-04-14 18:04 163,353 --a------ C:\WINDOWS\SYSTEM32\nvapps.xml
2008-04-07 00:43 . 2007-12-05 01:41 17,737 --a------ C:\WINDOWS\SYSTEM32\nvdisp.nvu
2008-04-07 00:35 . 2007-12-05 02:53 356,352 --a------ C:\WINDOWS\SYSTEM32\NVUNINST.EXE
2008-04-05 14:23 . 2007-04-24 16:30 60,273 --a------ C:\WINDOWS\SYSTEM32\pthreadGC2.dll
2008-03-25 18:54 . 2008-03-25 18:58 <DIR> d-------- C:\Program Files\ROM CHECK FAIL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-19 11:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-19 10:27 --------- d-----w C:\Program Files\EA GAMES
2008-04-19 04:53 --------- d-----w C:\Program Files\Java
2008-04-18 19:56 --------- d-----w C:\Documents and Settings\heshbot\Application Data\Media Player Classic
2008-04-08 17:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-07 03:20 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-05 18:23 --------- d-----w C:\Program Files\ffdshow
2008-03-24 21:43 2,810 ----a-w C:\WINDOWS\SYSTEM32\tmp.reg
2008-03-24 19:05 --------- d-----w C:\Program Files\CyberLink
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
2008-03-06 02:05 --------- d-----w C:\Program Files\Napster
2008-03-04 16:33 7,680 ----a-w C:\WINDOWS\SYSTEM32\ff_vfw.dll
2008-03-01 22:36 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-03-01 22:23 --------- d-----w C:\Program Files\NCSoft
2008-03-01 17:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Amazon
2008-02-29 08:55 70,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-02-29 08:55 625,664 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsrslvr.dll
2008-02-20 05:32 148,992 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-02-19 20:32 --------- d-----w C:\Program Files\Viewpoint
2008-02-19 20:31 --------- d-----w C:\Program Files\AIM
2008-02-19 20:31 --------- d-----w C:\Documents and Settings\heshbot\Application Data\Aim
2008-02-19 20:30 --------- d-----w C:\Program Files\AOD
2008-02-19 08:09 --------- d-----w C:\Program Files\WorldCommunityGrid
2008-02-19 08:05 --------- d-----w C:\Program Files\mIRC
2008-02-19 05:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-19 05:32 12,632 ----a-w C:\WINDOWS\SYSTEM32\lsdelete.exe
2008-02-19 05:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-19 02:37 --------- d-----w C:\Program Files\AquariaDemo
2008-02-15 21:02 691,545 ----a-w C:\WINDOWS\unins002.exe
2008-02-15 05:44 161,792 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2007-02-24 03:12 4,608 -csha-w C:\Program Files\Thumbs.db
2007-02-01 20:49 58,436,178 -c--a-w C:\Program Files\data2.cab
2007-02-01 20:49 4,750 -c--a-w C:\Program Files\layout.bin
2007-02-01 20:49 30,575 -c--a-w C:\Program Files\data1.hdr
2007-02-01 20:49 23,962,185 -c--a-w C:\Program Files\data1.cab
2007-01-30 17:06 233,642 -c--a-w C:\Program Files\setup.inx
2007-01-26 16:01 1,993,656 -c--a-w C:\Program Files\setup.isn
2006-12-03 01:05 2,522 ----a-w C:\Program Files\func.js
2006-11-25 07:57 482 ----a-w C:\Program Files\Del.js
2001-09-10 13:00 139,264 -c--a-w C:\WINDOWS\INF\i386\Rtscan.dll
2001-09-10 12:10 61,440 -c--a-w C:\WINDOWS\INF\i386\onetUSD.dll
2001-08-17 22:43 32,768 -c--a-w C:\WINDOWS\INF\i386\Wiamicro.dll
2001-08-03 22:29 13,824 -c--a-w C:\WINDOWS\INF\i386\usbscan.sys
2001-06-29 12:10 163,840 -c--a-w C:\WINDOWS\INF\i386\viceo.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-06-02 07:00 122880 C:\WINDOWS\BCMSMMSG.exe]
"Corel Painter Essentials 21a"="C:\Program Files\Corel\Corel Painter Essentials 2\registration.exe" [ ]
"EnvyHFCPL"="C:\Program Files\Turtle Beach Catalina\EnMixCPL.exe" [2004-02-23 17:25 1757696]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [ ]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30 81920]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [ ]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TabUserW.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TabUserW.exe.lnk
backup=C:\WINDOWS\pss\TabUserW.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^heshbot^Start Menu^Programs^Startup^Spruce - Auto Update.lnk]
path=C:\Documents and Settings\heshbot\Start Menu\Programs\Startup\Spruce - Auto Update.lnk
backup=C:\WINDOWS\pss\Spruce - Auto Update.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^heshbot^Start Menu^Programs^Startup^World Community Grid Agent.lnk]
path=C:\Documents and Settings\heshbot\Start Menu\Programs\Startup\World Community Grid Agent.lnk
backup=C:\WINDOWS\pss\World Community Grid Agent.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
C:\Program Files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a--c--- 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DwlClient]
--a------ 2004-05-27 21:05 323584 C:\Program Files\Common Files\Dell\EUSW\Support.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mswspl]
C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-12-05 01:41 8523776 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-12-05 01:41 1626112 C:\WINDOWS\SYSTEM32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneCareUI]
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor]
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 12:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
C:\Program Files\Spyware Doctor\swdoctor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-09-03 19:58 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
C:\Program Files\Support.com\bin\tgcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-01-15 18:54 37376 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"OneCareMP"=2 (0x2)
"WMPNetworkSvc"=2 (0x2)
"Spooler"=2 (0x2)
"TabletService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\NCsoft\\Exteel\\System\\Exteel.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2 Demo\\BF2.exe"=
"C:\\Program Files\\TmNationsForever\\TmForever.exe"=

R2 ppsio2;PPDevice;C:\WINDOWS\system32\drivers\ppsio2.sys [1999-06-30 02:49]
R2 X4HSX32;X4HSX32;C:\Program Files\GameTap\bin\Release\X4HSX32.Sys [2008-01-24 06:11]
R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;C:\WINDOWS\system32\drivers\Envy24HF.sys [2004-02-26 16:40]

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{c23dd370-cb79-11d2-898a-00c04f80a47f}]
rundll32.exe advpack.dll,LaunchINFSectionEx %SystemRoot%\INF\toolimg.inf,PerUserStub.Install,,260
.
Contents of the 'Scheduled Tasks' folder
"2008-04-15 01:45:00 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.2.30.2.sxt _RegistrationOffer@16
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-19 16:40:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tsd32.dll
.
Completion time: 2008-04-19 16:40:37
ComboFix-quarantined-files.txt 2008-04-19 20:40:33
ComboFix2.txt 2008-04-19 19:15:39
ComboFix3.txt 2008-04-19 18:33:24

Pre-Run: 41,475,891,200 bytes free
Post-Run: 41,461,276,672 bytes free

218 --- E O F --- 2008-04-18 20:52:19




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:43:02 PM, on 4/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Turtle Beach Catalina\EnMixCPL.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HiJackThis\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Corel Painter Essentials 21a] C:\Program Files\Corel\Corel Painter Essentials 2\registration.exe /title="Corel Painter Essentials 2" /date=091805 serial=pe02cbx-0000003-nmd lang=EN
O4 - HKLM\..\Run: [EnvyHFCPL] C:\Program Files\Turtle Beach Catalina\EnMixCPL.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - http://install.wildtangent.com/cda/islandr...uncherSetup.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 6113 bytes





-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, April 19, 2008 6:40:23 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 19/04/2008
Kaspersky Anti-Virus database records: 715802
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 98411
Number of viruses found: 9
Number of infected objects: 24
Number of suspicious objects: 14
Duration of the scan process: 01:21:45

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer.zip/optimize.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PurityScan.zip/offun.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PurityScan.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip/v1.7.8/wbuninst.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant2.zip/v1.8.5/wbuninst.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant4.zip/v1.8.5/wbuninst.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant4.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentqt.zip/retadpu1000106.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentqt.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku.zip/Yazzle1281OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\heshbot\Application Data\Sun\Java\Deployment\cache\6.0\45\30b71c2d-6d234b28/vlocal.class Infected: Trojan-Downloader.Java.Agent.f skipped
C:\Documents and Settings\heshbot\Application Data\Sun\Java\Deployment\cache\6.0\45\30b71c2d-6d234b28 ZIP: infected - 1 skipped
C:\Documents and Settings\heshbot\Application Data\Sun\Java\Deployment\cache\6.0\57\364044f9-476fce35/vlocal.class Infected: Trojan-Downloader.Java.Agent.f skipped
C:\Documents and Settings\heshbot\Application Data\Sun\Java\Deployment\cache\6.0\57\364044f9-476fce35 ZIP: infected - 1 skipped
C:\Documents and Settings\heshbot\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-1d8748eb-173f924f.zip/vlocal.class Infected: Trojan-Downloader.Java.Agent.f skipped
C:\Documents and Settings\heshbot\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-1d8748eb-173f924f.zip ZIP: infected - 1 skipped
C:\Documents and Settings\heshbot\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-4d23d5eb-5c64d272.zip/vlocal.class Infected: Trojan-Downloader.Java.Agent.f skipped
C:\Documents and Settings\heshbot\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-4d23d5eb-5c64d272.zip ZIP: infected - 1 skipped
C:\Documents and Settings\heshbot\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\heshbot\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\heshbot\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\heshbot\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\heshbot\Local Settings\History\History.IE5\MSHist012008041920080420\index.dat Object is locked skipped
C:\Documents and Settings\heshbot\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\heshbot\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\heshbot\ntuser.dat Object is locked skipped
C:\Documents and Settings\heshbot\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Jasc Software Inc\rteqenana.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\Program Files\mIRC\backup\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\aqVreo01\aqVreo011065.exe.vir Infected: Trojan-Downloader.Win32.VB.dkg skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\IDME\TGbn1dll.exe.vir/stream/data0003 Infected: not-a-virus:AdWare.Win32.TrafficSol.ai skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\IDME\TGbn1dll.exe.vir/stream Infected: not-a-virus:AdWare.Win32.TrafficSol.ai skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\IDME\TGbn1dll.exe.vir NSIS: infected - 2 skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\pmnnnomj.dll.vir Infected: Trojan.Win32.Agent.eek skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\xcsDd01\xcsDd011065.exe.vir Infected: Trojan-Downloader.Win32.VB.dza skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP267\A0033901.dll Infected: Trojan.Win32.Agent.eek skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP268\A0033955.exe Infected: Trojan-Downloader.Win32.VB.dkg skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP268\A0033957.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.TrafficSol.ai skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP268\A0033957.exe/stream Infected: not-a-virus:AdWare.Win32.TrafficSol.ai skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP268\A0033957.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP268\A0033958.exe Infected: Trojan-Downloader.Win32.VB.dza skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP268\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{C1257C34-B3FB-492A-BC7F-7EB8F2BCC736}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Windows_OneCare_Evt.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\SYSTEM32\Mz17r\Mz17r2314.exe Infected: Trojan-Downloader.Win32.VB.bqc skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#10 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 10,770 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:09:42 PM

Posted 19 April 2008 - 08:36 PM

Hi, tigerbot :thumbsup:

Go to the Control Panel. Click on the JAVA icon. Under Temporary Internet Files, click on Settings. Click on Delete Files, then Ok, out of the properties window.

Open Spybot SD. Click on Recovery and Purge all items therein.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete this folder:

C:\WINDOWS\SYSTEM32\Mz17r

Restart the computer.

The rest looks clear. How is the computer doing?

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#11 tigerbot

tigerbot
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:09:42 PM

Posted 19 April 2008 - 09:49 PM

So far, so good. I'll keep an eye on things and report back in a day or so, or if anything goes awry. But I wasn't even able to get to this point without your help, so thanks a bunch.

#12 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 10,770 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:09:42 PM

Posted 20 April 2008 - 10:47 AM

Hi, tigerbot. :thumbsup:

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK..

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Posted Image
Create a Restore point (If the above process fails):
  • Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  • In the System Restore dialog box, click Create a restore point, and then click Next.
  • Type a description for your restore point, such as "After Cleanup", then click Create.
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • ZonedOut + IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.
  • Read and follow the suggestions given at this web site by Miekiemoes http://users.telenet.be/bluepatchy/miekiem...prevention.html .
Keep me posted.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#13 tigerbot

tigerbot
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:09:42 PM

Posted 23 April 2008 - 10:25 PM

It's been running smoothly thus far. Thanks for the help.

#14 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 10,770 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:09:42 PM

Posted 23 April 2008 - 11:10 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users