Win32:purityscan-q Trojan, Please Help


13 replies to this topic

#1 ejleithliter

  • Members
  • 10 posts

Posted 22 April 2008 - 09:17 PM

I somehow picked up the Trojan "Win32:PurityScan-Q" and cannot get rid of it. I ran Ad-Aware and Avast! and these programs deleted the infected files, but it keeps coming back. I also tried putting the files in the chest in Avast, but that didn't work either. Avast confirmed the name of the trojan. Since infection, my PC has been very slow and new Internet Explorer browsers do not work and Mozilla does not work at all. I got the Trojan while browsing with Mozilla.

Per your recommendations, I ran DSS and HijackThis. Here are their logs:

DSS Main

Deckard's System Scanner v20071014.68
Run by Eric Leithliter on 2008-04-22 18:37:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; System Restore is disabled (service is not running).


-- Last 5 Restore Point(s) --
38: 2008-04-22 19:33:29 UTC - RP1032 - Last known good configuration
37: 2008-04-21 20:00:40 UTC - RP1031 - System Checkpoint
36: 2008-04-20 16:19:45 UTC - RP1030 - System Checkpoint
35: 2008-04-19 15:21:56 UTC - RP1029 - System Checkpoint
34: 2008-04-18 14:21:57 UTC - RP1028 - System Checkpoint


-- First Restore Point --
1: 2008-04-22 19:31:42 UTC - RP995 - Software Distribution Service 3.0


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis (run as Eric Leithliter.exe) -------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:44:42 PM, on 4/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\RDS\RsiSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Eric Leithliter\My Documents\S?mantec\??ool32.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Eric Leithliter\Desktop\dss.exe
C:\DOCUME~1\ERICLE~1\LOCALS~1\TEMPOR~1\Content.IE5\O0ASOVF1\Eric Leithliter.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bloomberg.com/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: {55d0ee9f-2f3e-6928-8f44-41a026084006} - {60048062-0a14-44f8-8296-e3f2f9ee0d55} - C:\WINDOWS\system32\lmdgutki.dll
O2 - BHO: (no name) - {6EE5008C-5EC8-4B6E-8626-EEAC5C0FBC5F} - C:\WINDOWS\system32\wvUmllJb.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {F50B3F5E-856E-4757-9BB1-B35D46CA7719} - C:\WINDOWS\system32\nnnkJYpO.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [70fdfb6a] rundll32.exe "C:\WINDOWS\system32\ctlufaja.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [BM73cec8f6] Rundll32.exe "C:\WINDOWS\system32\acaqrhvm.dll",s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ncao] "C:\WINDOWS\STEM32~1\explorer.exe" -vt ndrv
O4 - HKCU\..\Run: [Disnxch] "C:\Documents and Settings\Eric Leithliter\My Documents\S?mantec\??ool32.exe"
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Start Delivery Services.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: www.chase.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://www.taylorbeanonline.com/scriptx/smsx.cab
O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - https://banking.norpacloans.com/rptviewer/ActiveXViewer.cab
O16 - DPF: {34C2EB81-F806-41B1-BCE2-E6CA37322DBF} (XLosCtrl Class) - https://net1.creditworkbench.com/cab/xPoint50.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {944713E8-1F29-42D9-ABD5-557728B9AC97} (PtClickLoanWF Control) - https://ilnet.wellsfargo.com/ilonline/hmUpl...clickloanwf.cab
O16 - DPF: {9EB5CD98-D52D-4C75-84DF-B22520DB6941} (XLosCtrl Class) - https://net1.creditworkbench.com/cab/xPoint40.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shock...ash/swflash.cab
O16 - DPF: {DF05D910-DC8E-403A-93B0-5C866F3200D1} (PtClickLoan Control) - https://www.clickloan.com/CAB/PtClickLoan/1...PtClickLoan.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC20D165-588D-428C-B27A-8DB95F43BC6B}: NameServer = 68.94.156.1,68.94.157.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{AC20D165-588D-428C-B27A-8DB95F43BC6B}: NameServer = 68.94.156.1,68.94.157.1
O20 - Winlogon Notify: nnnkJYpO - C:\WINDOWS\SYSTEM32\nnnkJYpO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Dds Scheduler Deamon (DdsSched) - RICOH Company Ltd. - C:\Program Files\RDS\ddsschednt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Ridoc Server Information Service (RsiSvc) - RICOH Company Ltd. - C:\Program Files\RDS\RsiSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O24 - Desktop Component 0: (no name) - https://net1.creditworkbench.com/nImages/blue3-6.jpg
O24 - Desktop Component 1: 41_Overlook.jpg cognitivedistortion.com - http://www.cognitivedistortion.com/?cd=ad&...sz=800&sb=1

--
End of file - 11206 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 msteee - c:\windows\system32\drivers\msteee.sys
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>

S2 Crypto - c:\windows\system32\drivers\crypto.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 JavaQuickStarterService (Java Quick Starter) - "c:\program files\java\jre6\bin\jqs.exe" -service -config "c:\program files\java\jre6\lib\deploy\jqs\jqs.conf" <Not Verified; Sun Microsystems, Inc.; Java™ Platform SE 6 U10>
R2 RsiSvc (Ridoc Server Information Service) - c:\program files\rds\rsisvc.exe <Not Verified; RICOH Company Ltd.; Ridoc Document System>

S2 DdsSched (Dds Scheduler Deamon) - c:\program files\rds\ddsschednt.exe <Not Verified; RICOH Company Ltd.; Ridoc Docuent System>
S4 cmdService (Command Service) - c:\windows\vghvbwfziejhcnjvbg\command.exe (file missing)
S4 ScanRouterDriverV2 - c:\program files\rds\srscandr.exe <Not Verified; Ricoh Co.,Ltd.; Server Application Program>
S4 SOption - c:\program files\rds\soption.exe <Not Verified; RICOH Company Ltd.; Ridoc Document System>
S4 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-04-20 11:17:46 568 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Eric Leithliter.job
2008-04-16 09:14:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2005-05-05 09:06:34 384 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
2004-07-27 17:39:20 406 --ah----- C:\WINDOWS\Tasks\{6B2A6CA7-3BCA-421E-AD31-0B5BCBC71858}_ERIC_Eric Leithliter.job


-- Files created between 2008-03-22 and 2008-04-22 -----------------------------

2008-04-22 14:01:33 0 d-------- C:\Program Files\Alwil Software
2008-04-22 13:59:12 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-04-22 13:58:41 0 d-------- C:\Documents and Settings\LocalService\Application Data\Mozilla
2008-04-22 12:46:51 96832 --a------ C:\WINDOWS\system32\lmdgutki.dll
2008-04-22 12:35:09 97856 --a------ C:\WINDOWS\system32\acaqrhvm.dll
2008-04-22 12:35:08 0 d-------- C:\Program Files\AntiSpywareMaster
2008-04-22 12:34:43 39936 --a------ C:\WINDOWS\system32\geBtsSJY.dll
2008-04-22 12:31:06 14140 --ahs---- C:\WINDOWS\system32\bJllmUvw.ini2
2008-04-22 12:30:49 272384 --a------ C:\WINDOWS\system32\wvUmllJb.dll
2008-04-22 12:26:40 0 d-------- C:\Program Files\Outerinfo
2008-04-22 12:26:17 37376 --a------ C:\WINDOWS\mrofinu1000106.exe
2008-04-22 12:26:16 687592 --a------ C:\WINDOWS\system32\atmtd.dll
2008-04-22 12:26:10 37376 --a------ C:\WINDOWS\mrofinu572.exe
2008-04-22 12:26:01 0 d-------- C:\Documents and Settings\LocalService\Application Data\NetMon
2008-04-22 12:25:54 1989 --a------ C:\WINDOWS\uninstall_nmon.vbs
2008-04-22 12:25:54 0 d-------- C:\Program Files\Network Monitor
2008-04-22 12:25:53 0 d--hs---- C:\WINDOWS\VGhvbWFzIEJhcnJvbg
2008-04-22 12:25:47 86144 --a------ C:\WINDOWS\system32\drivers\msteee.sys
2008-04-22 12:25:42 0 d-------- C:\WINDOWS\system32\trcTMP
2008-04-22 12:25:42 0 d-------- C:\WINDOWS\system32\slNew
2008-04-22 12:25:42 0 d-------- C:\WINDOWS\system32\iTmp
2008-04-22 12:25:41 0 d-------- C:\WINDOWS\??stem32
2008-04-22 12:25:32 0 d-------- C:\WINDOWS\system32\xcsDd01
2008-04-22 12:25:31 0 d-------- C:\Temp
2008-04-22 12:25:30 39936 --a------ C:\WINDOWS\system32\nnnkJYpO.dll
2008-03-31 17:38:05 0 d-------- C:\Documents and Settings\Eric Leithliter\Application Data\Logitech
2008-03-31 17:37:31 0 d-------- C:\Documents and Settings\Eric Leithliter\Application Data\Leadertech
2008-03-31 17:37:29 0 d-------- C:\Program Files\Common Files\LogiShared
2008-03-31 17:35:11 69632 --a------ C:\WINDOWS\system32\KemXML.dll <Not Verified; Logitech Inc.; Logitech SetPoint>
2008-03-31 17:35:11 110592 --a------ C:\WINDOWS\system32\KemWnd.dll <Not Verified; Logitech Inc.; Logitech SetPoint>
2008-03-31 17:35:11 135168 --a------ C:\WINDOWS\system32\KemUtil.dll <Not Verified; Logitech Inc.; Logitech SetPoint>
2008-03-31 17:35:11 163840 --a------ C:\WINDOWS\system32\kemutb.dll <Not Verified; Logitech Inc.; Logitech SetPoint>
2008-03-31 17:34:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2008-03-31 17:34:00 0 d-------- C:\Program Files\Common Files\Logitech
2008-03-31 17:33:34 0 d-------- C:\Program Files\Logitech
2008-03-31 17:33:23 0 d-------- C:\Documents and Settings\Eric Leithliter\Application Data\InstallShield
2008-03-31 17:33:04 0 d-------- C:\Documents and Settings\All Users\Application Data\LogiShrd


-- Find3M Report ---------------------------------------------------------------

2008-04-22 18:22:49 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-22 18:21:25 0 d-------- C:\Program Files\Common Files
2008-04-22 16:56:11 0 d-------- C:\Program Files\2007 E-File Magic
2008-04-22 16:55:20 0 d-------- C:\Program Files\iLinc
2008-04-22 16:51:55 0 d-------- C:\Program Files\Java
2008-04-17 12:25:56 0 d-------- C:\Program Files\MtgCoach
2008-03-31 17:33:30 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-25 12:45:35 0 d-------- C:\Program Files\Encompass
2008-03-14 08:52:42 0 d-------- C:\Program Files\Windows Live
2008-03-14 08:50:23 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-26 17:02:01 25192 --a------ C:\Documents and Settings\Eric Leithliter\Application Data\GDIPFONTCACHEV1.DAT
2008-02-26 10:18:25 0 d-------- C:\Program Files\PDFCreator


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60048062-0a14-44f8-8296-e3f2f9ee0d55}]
04/22/2008 12:46 PM 96832 --a------ C:\WINDOWS\system32\lmdgutki.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6EE5008C-5EC8-4B6E-8626-EEAC5C0FBC5F}]
04/22/2008 12:30 PM 272384 --a------ C:\WINDOWS\system32\wvUmllJb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
04/22/2008 04:52 PM 34816 --a------ C:\Program Files\Java\jre6\bin\jp2ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
04/22/2008 04:52 PM 73728 --a------ C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F50B3F5E-856E-4757-9BB1-B35D46CA7719}]
04/22/2008 12:25 PM 39936 --a------ C:\WINDOWS\system32\nnnkJYpO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [10/19/2005 08:59 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [10/19/2005 08:59 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [11/17/2004 05:49 PM]
"DwlClient"="c:\Program Files\Common Files\Dell\EUSW\Support.exe" [05/27/2004 09:05 PM]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [12/07/2004 09:44 AM]
"DIGStream"="C:\Program Files\DIGStream\digstream.exe" []
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [04/11/2007 03:32 PM C:\WINDOWS\KHALMNPR.Exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [03/29/2008 11:37 AM]
"70fdfb6a"="C:\WINDOWS\system32\ctlufaja.dll" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [04/22/2008 04:52 PM]
"BM73cec8f6"="C:\WINDOWS\system32\acaqrhvm.dll" [04/22/2008 12:35 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"Ncao"="C:\WINDOWS\STEM32~1\explorer.exe" [04/22/2008 06:24 PM]
"Disnxch"="C:\Documents and Settings\Eric Leithliter\My Documents\S?mantec\??ool32.exe" [04/11/2008 10:52 AM]

C:\Documents and Settings\Eric Leithliter\Start Menu\Programs\Startup\
DESKTOP.INI [3/20/2004 10:58:38 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [3/20/2004 10:58:38 AM]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [3/31/2008 5:35:10 PM]
Start Delivery Services.lnk - C:\Program Files\RDS\DdsLaunch.exe [8/11/2004 10:37:02 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{F50B3F5E-856E-4757-9BB1-B35D46CA7719}"= C:\WINDOWS\system32\nnnkJYpO.dll [04/22/2008 12:25 PM 39936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnkJYpO]
nnnkJYpO.dll 04/22/2008 12:25 PM 39936 C:\WINDOWS\SYSTEM32\nnnkJYpO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\wvUmllJb

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Eric Leithliter^Start Menu^Programs^Startup^DW_Start.lnk]
path=C:\Documents and Settings\Eric Leithliter\Start Menu\Programs\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"C:\Program Files\Dell\Media Experience\PCMService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
C:\Program Files\Norton Internet Security\UrlLstCk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{DF-FB-BC-C5-DW}]
C:\WINDOWS\system32\trcTMP\kmdmns2.exe DWram

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)
"SOption"=2 (0x2)
"ScanRouterDriverV2"=2 (0x2)



-- End of Deckard's System Scanner: finished at 2008-04-22 18:46:00 ------------


EXTRA

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 2.40GHz
Percentage of Memory in Use: 60%
Physical Memory (total/avail): 510 MiB / 200.12 MiB
Pagefile Memory (total/avail): 863.55 MiB / 560.73 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1925.28 MiB

C: is Fixed (NTFS) - 37.21 GiB total, 19.62 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD400BB-75FJA1 - 37.25 GiB - 2 partitions
\PARTITION0 - Unknown - 31.35 MiB
\PARTITION1 (bootable) - Installable File System - 37.21 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: Norton Internet Security v2004 (Symantec Corporation) Disabled
AV: avast! antivirus 4.8.1169 [VPS 080422-1] v4.8.1169 (ALWIL Software) Disabled
AV: Norton AntiVirus v2004 (Symantec Corporation) Disabled Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Juniper\\NetScreen-Remote\\IreIKE.exe"="C:\\Program Files\\Juniper\\NetScreen-Remote\\IreIKE.exe:*:Enabled:IreIke"
"C:\\Program Files\\Juniper\\NetScreen-Remote\\ViewLog.exe"="C:\\Program Files\\Juniper\\NetScreen-Remote\\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog"
"C:\\Program Files\\Juniper\\NetScreen-Remote\\CmonApp.exe"="C:\\Program Files\\Juniper\\NetScreen-Remote\\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp"
"C:\\Program Files\\Juniper\\NetScreen-Remote\\vpn.exe"="C:\\Program Files\\Juniper\\NetScreen-Remote\\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Juniper\\NetScreen-Remote\\IreIKE.exe"="C:\\Program Files\\Juniper\\NetScreen-Remote\\IreIKE.exe:*:Enabled:IreIke"
"C:\\Program Files\\Juniper\\NetScreen-Remote\\ViewLog.exe"="C:\\Program Files\\Juniper\\NetScreen-Remote\\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog"
"C:\\Program Files\\Juniper\\NetScreen-Remote\\CmonApp.exe"="C:\\Program Files\\Juniper\\NetScreen-Remote\\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp"
"C:\\Program Files\\Juniper\\NetScreen-Remote\\vpn.exe"="C:\\Program Files\\Juniper\\NetScreen-Remote\\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Eric Leithliter\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ERIC
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Eric Leithliter
LOGONSERVER=\\ERIC
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ERICLE~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ERICLE~1\LOCALS~1\Temp
USERDOMAIN=ERIC
USERNAME=Eric Leithliter
USERPROFILE=C:\Documents and Settings\Eric Leithliter
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Eric Leithliter (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Atmosphere Player for Acrobat and Adobe Reader --> C:\WINDOWS\atmoUn.exe
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\Install.log
AGENTLINK --> C:\PROGRA~1\AGENTL~1\UNWISE.EXE C:\PROGRA~1\AGENTL~1\INSTALL.LOG
AgentX --> C:\PROGRA~1\AgentX\UNWISE.EXE C:\PROGRA~1\AgentX\INSTALL.LOG
Apple Mobile Device Support --> MsiExec.exe /I{A43B2A2F-1DB5-47F9-A608-F11A4835D7CB}
Apple Software Update --> MsiExec.exe /I{74EC78BC-B379-4E29-9006-8F161DCAABA6}
avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
BAPRINT --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Bank of America - Mortgage Technology\BAPRINT\Uninst.isu"
Broadcom Management Programs --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{89EE857B-8970-4F9F-AB58-A1C873AC72B3} /l1033
CC_ccProxyMSI --> MsiExec.exe /I{A398F2DC-D706-4bb2-AC38-5532CD229D08}
CC_ccStart --> MsiExec.exe /I{D6414CC7-F215-467F-88B1-546ED863F35B}
ccCommon --> MsiExec.exe /I{DC367608-64A7-4BF7-92F4-8BAA25BA02DB}
CDDRV_Installer --> MsiExec.exe /I{8CC990CD-87C8-475C-AC32-8A7984E2FCFA}
Command --> wscript "C:\WINDOWS\VGhvbWFzIEJhcnJvbg\p31SvqIWKHL1wBLSv0.vbs"
Dell Digital Jukebox Driver --> C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s
Dell Media Experience --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2637C347-9DAD-11D6-9EA2-00055D0CA761}\setup.exe" -uninstall
Dell Solution Center --> MsiExec.exe /X{11F1920A-56A2-4642-B6E0-3B31A12C9288}
Dell Support --> MsiExec.exe /X{43FCA273-9534-40DB-B7C5-D7758875616A}
eLynx Ltd. Web Post Printer --> C:\PROGRA~1\elynx\WebPost\UNWISE.EXE C:\PROGRA~1\elynx\WebPost\INSTALL.LOG
eLynx SMARTvue --> C:\PROGRA~1\elynx\SMARTvue\UNWISE.EXE C:\PROGRA~1\elynx\SMARTvue\INSTALL.LOG
Encompass --> MsiExec.exe /X{121DAE1D-FC3E-4304-A011-8A6B7C25DBE7}
Encompass NetBranch Installation Manager --> MsiExec.exe /I{97FE834D-BB7A-4D75-BA0A-F53ABE90F2CC}
Form Viewer --> MsiExec.exe /X{873D68B3-EDE5-4DFD-85AC-FFC430FB7EE2}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar4.dll"
GoToMeeting/GoToWebinar 3.0.0.190 --> C:\Program Files\Citrix\GoToMeeting\190\G2MUninstall.exe /uninstall
HijackThis 2.0.2 --> "C:\Documents and Settings\Eric Leithliter\Local Settings\Temporary Internet Files\Content.IE5\O0ASOVF1\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Intel® 537EP V9x DF PCI Modem --> rundll32 IntelCci.dll,iSMUninstallation "Intel® 537EP V9x DF PCI Modem"
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
Internet Explorer Default Page --> MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}
iTunes --> MsiExec.exe /I{9357AE3A-B2ED-4138-BB9B-0564352C3F0A}
Jasc Paint Shop Photo Album --> MsiExec.exe /I{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}
Jasc Paint Shop Pro 8 Dell Edition --> MsiExec.exe /I{81A34902-9D0B-4920-A25C-4CDC5D14B328}
Java™ 6 Update 10 --> MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216010FF}
Java™ SE Development Kit 6 Update 10 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0160100}
KhalInstallWrapper --> MsiExec.exe /I{56918C0C-0D87-4CA6-92BF-4975A43AC719}
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 2.5 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
LockPoint Web Client 2.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{187DFAFD-80B1-461C-8280-02CABB9EE351}\Setup.exe" -l0x9 UNINSTALL
Logitech Registration --> MsiExec.exe /I{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}
Logitech SetPoint --> C:\Program Files\InstallShield Installation Information\{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3}\setup.exe -runfromtemp -l0x0009 -removeonly
Macromedia Flash Player 8 --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\swflash.inf,DefaultUninstall,5
MeridianLink Site Security Certificate --> C:\PROGRA~1\SITECH~1\UNWISE.EXE C:\PROGRA~1\SITECH~1\INSTALL.LOG
Microsoft Access 2000 Runtime --> MsiExec.exe /I{00180408-78E1-11D2-B60F-006097C998E7}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Basic Edition 2003 --> MsiExec.exe /I{91130409-6000-11D3-8CFE-0150048383C9}
Microsoft Office XP Professional --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Visual J# 2.0 Redistributable Package --> C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft Visual J# 2.0 Redistributable Package\install.exe
Microsoft WSE 2.0 SP3 Runtime --> MsiExec.exe /X{F3CA9611-CD42-4562-ADAB-A554CF8E17F1}
Modem Event Monitor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}\setup.exe" -l0x9
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Modem On Hold --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
MortgageCoach --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{599FFF35-0B03-45A1-AA57-D81B1AF93FD9}\Setup.exe" -l0x9
Mozilla Firefox (2.0.0.14) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (1.5) --> C:\Program Files\Mozilla Thunderbird\uninstall\uninstall.exe /ua "1.5 (en-US)"
MSRedist --> MsiExec.exe /I{FC37ABD0-2108-4beb-B010-1254E0662B5A}
MUSICMATCH® Jukebox --> C:\PROGRA~1\MUSICM~1\MUSICM~2\unmatch.exe
Network Monitor --> wscript "C:\WINDOWS\uninstall_nmon.vbs"
Norton AntiSpam --> MsiExec.exe /I{3B29A786-5803-4e9e-9B58-3014A5B4E519}
Norton AntiSpam --> MsiExec.exe /I{5677563D-0CB1-485f-9E18-C5025306BB3F}
Norton AntiVirus --> MsiExec.exe /X{C6F5B6CF-609C-428E-876F-CA83176C021B}
Norton Internet Security --> MsiExec.exe /I{12E2B9E9-05B1-407d-B0FD-B5F350535125}
Norton Internet Security --> MsiExec.exe /I{449F3A9E-9903-4a0d-A209-08030D45A935}
Norton Internet Security --> MsiExec.exe /I{48185814-A224-447a-81DA-71BD20580E1B}
Norton Internet Security --> MsiExec.exe /I{526AD5DC-CFC4-4f2a-8442-C84CC91D6C7F}
Norton Internet Security --> MsiExec.exe /I{91AA4B1F-B918-4e0b-A304-F8D4EC5D7726}
Norton Internet Security --> MsiExec.exe /I{A93C9E60-29B6-49da-BA21-F70AC6AADE20}
Norton Internet Security --> MsiExec.exe /I{C9D599E1-6B68-4a1f-8A4F-A1DB433DB1BF}
Norton Internet Security --> MsiExec.exe /I{E47EE8FB-ACC0-4608-859C-4E2851B18A6A}
Norton Internet Security --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton Internet Security --> MsiExec.exe /I{FC2C0536-583C-46c0-844A-62CECAE01F22}
Norton Internet Security (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\SymSetup\{A93C9E60-29B6-49da-BA21-F70AC6AADE20}.exe /X
Norton WMI Update --> MsiExec.exe /X{1526D87C-A955-4FAB-BF18-697BA457E352}
PDFCreator --> MsiExec.exe /I{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}
Point --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{85BC5C08-E73D-11D2-964D-444553540000}\SETUP.EXE" -l0x9 -uninst
Point --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F05E2B98-DA04-4FFA-8D08-DA218E6A2B47}\setup.exe" -l0x9 -uninst
ScanRouter V2 Lite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{387D6CC5-6D6C-4BA0-8EAF-955813BFC5D8}\Setup.exe" -l0x9 UNINSTALL
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
SwiftView Viewer --> C:\Program Files\SwiftView\svinst.exe -Uninstall
Symantec Script Blocking Installer --> MsiExec.exe /I{D327AFC9-7BAA-473A-8319-6EB7A0D40138}
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Toolbar (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarInstaller.exe /u /k
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WINForms Desktop --> C:\PROGRA~1\WINFOR~1\UNWISE.EXE C:\PROGRA~1\WINFOR~1\INSTALL.LOG


-- Application Event Log -------------------------------------------------------

Event Record #/Type12180 / Success
Event Submitted/Written: 04/22/2008 06:24:07 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type12171 / Error
Event Submitted/Written: 04/22/2008 06:18:27 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16640, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type12153 / Success
Event Submitted/Written: 04/22/2008 05:15:54 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type12131 / Success
Event Submitted/Written: 04/22/2008 04:06:34 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type12123 / Error
Event Submitted/Written: 04/22/2008 03:59:49 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application hijackthis.exe, version 1.99.0.0, faulting module wvumlljb.dll, version 0.0.0.0, fault address 0x00062ed3.
Processing media-specific event for [hijackthis.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type15563 / Warning
Event Submitted/Written: 04/20/2008 04:15:50 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type15562 / Error
Event Submitted/Written: 04/14/2008 07:16:14 PM
Event ID/Source: 8032 / BROWSER
Event Description:
The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{AC20D165-588D-428C-B27A-8DB95F43BC6B}.
The backup browser is stopping.

Event Record #/Type15561 / Warning
Event Submitted/Written: 04/14/2008 07:14:44 PM
Event ID/Source: 8021 / BROWSER
Event Description:
The browser was unable to retrieve a list of servers from the browser master \\BARRON-SERVER on the network \Device\NetBT_Tcpip_{AC20D165-588D-428C-B27A-8DB95F43BC6B}.
The data is the error code.

Event Record #/Type15560 / Warning
Event Submitted/Written: 04/14/2008 07:14:14 PM
Event ID/Source: 8022 / BROWSER
Event Description:
The browser was unable to retrieve a list of domains from the browser master \\BARRON-SERVER on the network \Device\NetBT_Tcpip_{AC20D165-588D-428C-B27A-8DB95F43BC6B}.
The data is the error code.

Event Record #/Type15559 / Warning
Event Submitted/Written: 04/13/2008 04:15:50 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.


Any help would be greatly appreciated as this is my work computer and I cannot get anything done until this is resolved. Thank you again.

- Eric

Edited by ejleithliter, 23 April 2008 - 12:37 PM.
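Two entries in the Add/Remove Programs listing above stand out before any scanner has run: "Command" and "Network Monitor" both uninstall through wscript rather than through an installer, and the "Command" entry sits in C:\WINDOWS\VGhvbWFzIEJhcnJvbg, a directory whose name is a base64 string that decodes to a readable ASCII name (consistent with the BARRON-SERVER host in the System Event Log). Later in the thread ComboFix lists that directory as hidden and system, and MBAM quarantines uninstall_nmon.vbs, so these are the right places to look first. The Application Event Log also shows hijackthis.exe crashing inside wvumlljb.dll, a module with no version information and a random-looking name that MBAM later identifies as Trojan.Vundo. The following Python script is an added example, not part of the original post nor of DSS, MBAM or ComboFix: it reads lines in DSS's "Name --> command" format and flags entries by three heuristics that are my own assumptions (uninstall through a script host, a bare path component that is valid base64 for printable text with an assumed 12-character minimum, and a program living under a Temp or Temporary Internet Files directory). The sample listing embedded in the script is a handful of lines copied from the log above.

```python
"""Triage of a DSS-style Add/Remove Programs listing (lines of the form
"Name --> uninstall command").  Added example for this thread; it is not
part of Deckard's System Scanner, MBAM or ComboFix, and every heuristic
and threshold below is an assumption, not a published detection rule."""
from __future__ import annotations

import base64
import binascii
import re
import string
from dataclasses import dataclass, field

# Script hosts a legitimate uninstaller almost never runs through (assumed list).
SCRIPT_HOSTS = {"wscript", "cscript", "mshta"}
# Minimum length of a bare alphanumeric path component before it is tested as base64 (assumed).
MIN_B64_LEN = 12
PRINTABLE_ASCII = set(string.printable) - set("\t\n\r\x0b\x0c")

ENTRY_RE = re.compile(r"^(?P<name>.*?)\s*-->\s*(?P<cmd>.+)$")
B64_COMPONENT_RE = re.compile(r"^[A-Za-z0-9+]{%d,}$" % MIN_B64_LEN)
PATH_SEP_RE = re.compile(r'[\\/"\']')
TEMP_DIR_RE = re.compile(r"\\(Temp|Temporary Internet Files)\\", re.IGNORECASE)

# Constructed sample: a handful of lines copied verbatim from the DSS listing above.
SAMPLE_LISTING = r"""
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Command --> wscript "C:\WINDOWS\VGhvbWFzIEJhcnJvbg\p31SvqIWKHL1wBLSv0.vbs"
HijackThis 2.0.2 --> "C:\Documents and Settings\Eric Leithliter\Local Settings\Temporary Internet Files\Content.IE5\O0ASOVF1\HijackThis.exe" /uninstall
Mozilla Firefox (2.0.0.14) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
Network Monitor --> wscript "C:\WINDOWS\uninstall_nmon.vbs"
avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
"""


@dataclass
class Finding:
    name: str
    command: str
    reasons: list[str] = field(default_factory=list)


def decode_if_base64_text(component: str) -> str | None:
    """Return the decoded text when `component` is base64 for readable ASCII, else None."""
    if not B64_COMPONENT_RE.match(component):
        return None
    padded = component + "=" * (-len(component) % 4)   # restore stripped padding
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    # Require readable text with at least one letter, not just bytes that happen to be printable.
    if text and all(ch in PRINTABLE_ASCII for ch in text) and any(ch.isalpha() for ch in text):
        return text
    return None


def _exe_basename(cmd: str) -> str:
    """Basename (without .exe) of the program a Windows command line launches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        first = cmd[1:end] if end > 0 else cmd[1:]
    else:
        first = cmd.split(None, 1)[0]
    base = first.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base


def triage(listing: str) -> list[Finding]:
    """Flag Add/Remove entries whose uninstall command looks unlike a normal uninstaller."""
    findings: list[Finding] = []
    for line in listing.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        name, cmd = m.group("name"), m.group("cmd")
        reasons: list[str] = []
        host = _exe_basename(cmd)
        if host in SCRIPT_HOSTS:
            reasons.append(f"uninstall runs through script host {host}")
        for component in PATH_SEP_RE.split(cmd):
            decoded = decode_if_base64_text(component)
            if decoded is not None:
                reasons.append(f"path component {component!r} is base64 for {decoded!r}")
        if TEMP_DIR_RE.search(cmd):
            reasons.append("program runs from a temp or browser-cache directory")
        if reasons:
            findings.append(Finding(name, cmd, reasons))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LISTING):
        print(f"{finding.name}: {'; '.join(finding.reasons)}")
```

Run directly, it prints the findings; on the sample it flags Command, Network Monitor and HijackThis (the last only because it was run straight from the browser cache, which matters because HijackThis keeps its backups next to its executable). The base64 check is a heuristic and will occasionally match an ordinary long alphanumeric folder name, so treat a hit as a reason to look, not as a verdict.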



#2 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 23 April 2008 - 01:11 PM

Hello Ejleithliter and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Doubleclick mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

3. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted, and make a difference

#3 ejleithliter

  • Topic Starter
  • Members
  • 10 posts

Posted 23 April 2008 - 06:58 PM

Thunder,

Thank you for your quick response to my post. I really appreciate it. I did all the steps that you requested. When I ran ComboFix, I got a blue screen saying that it encountered a serious error and I need to manually restart my computer. This came after it was compiling the ComboFix log. I was not sure if this was normal, so I ran ComboFix again, and it happened again. I manually pulled the 2nd ComboFix log and it is below. The Trojan seems to be gone, but I am not sure. There have not been any new browser pop-ups since I restarted after the 2nd ComboFix. Please let me know what you think.

Here are all the logs:

MBAM

Malwarebytes' Anti-Malware 1.11
Database version: 675

Scan type: Quick Scan
Objects scanned: 33734
Time elapsed: 11 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 23
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 9
Files Infected: 23

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\vyapnjyn.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\SYSTEM32\wvUmllJb.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\SYSTEM32\nnnkJYpO.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dfdd3889-ce0e-4a0d-938f-6aafdf1e376e} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{dfdd3889-ce0e-4a0d-938f-6aafdf1e376e} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{f50b3f5e-856e-4757-9bb1-b35d46ca7719} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f50b3f5e-856e-4757-9bb1-b35d46ca7719} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnkjypo (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be} (Trojan.Network.Monitor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Delete on reboot.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService (Adware.CommAd) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{f50b3f5e-856e-4757-9bb1-b35d46ca7719} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions\{59a40ac9-e67d-4155-b31d-4b7330fcd2d6} (Adware.PurityScan) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM73cec8f6 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\wvumlljb -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\wvumlljb -> Delete on reboot.

Folders Infected:
C:\Program Files\Outerinfo (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF\components (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Network Monitor (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Program Files\AntiSpywareMaster (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\slNew (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\iTmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\xcsDd01 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon (Trojan.NetMon) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\vyapnjyn.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\nyjnpayv.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\wvUmllJb.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\bJllmUvw.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\bJllmUvw.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\nnnkJYpO.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\atmtd.dll (Adware.TargetSaver) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\atmtd.dll._ (Adware.TargetSaver) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\lmdgutki.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\uninstall_nmon.vbs (Malware.Trace) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\Terms.rtf (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF\chrome.manifest (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF\install.rdf (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF\components\FF.dll (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF\components\OuterinfoAds.xpt (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\slNew\gpedire1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\drdicyie.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\msnav32.ax (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk (Malware.Trace) -> Delete on reboot.
C:\Documents and Settings\Eric Leithliter\g2mdlhlpx.exe (Trojan.Agent) -> Quarantined and deleted successfully.


COMBOFIX

ComboFix 08-04-22.5 - Eric Leithliter 2008-04-23 16:17:08.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.249 [GMT -7:00]
Running from: C:\Documents and Settings\Eric Leithliter\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-03-23 to 2008-04-23 )))))))))))))))))))))))))))))))
.

2008-04-23 15:20 . 2008-04-23 15:20 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-23 15:20 . 2008-04-23 15:20 <DIR> d-------- C:\Documents and Settings\Eric Leithliter\Application Data\Malwarebytes
2008-04-23 15:20 . 2008-04-23 15:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-23 12:23 . 2008-04-23 12:26 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-04-22 21:10 . 2008-04-22 21:10 9,662 --a------ C:\WINDOWS\SYSTEM32\ZoneAlarmIconUS.ico
2008-04-22 18:37 . 2008-04-22 18:37 <DIR> d-------- C:\Deckard
2008-04-22 16:52 . 2008-04-22 16:52 410,976 --a------ C:\WINDOWS\SYSTEM32\deploytk.dll
2008-04-22 16:52 . 2008-04-22 16:52 73,728 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-04-22 14:01 . 2008-04-22 14:01 <DIR> d-------- C:\Program Files\Alwil Software
2008-04-22 14:01 . 2003-03-18 13:20 1,060,864 --a------ C:\WINDOWS\SYSTEM32\MFC71.dll
2008-04-22 12:37 . 2008-04-22 14:11 1,541,097 ---hs---- C:\WINDOWS\SYSTEM32\ajafultc.ini
2008-04-22 12:35 . 2008-04-23 14:59 109,747 --a------ C:\WINDOWS\BM73cec8f6.xml
2008-04-22 12:25 . 2008-04-22 15:35 <DIR> d--hs---- C:\WINDOWS\VGhvbWFzIEJhcnJvbg
2008-04-22 12:25 . 2008-04-22 12:25 <DIR> d-------- C:\Temp\berDrv11
2008-04-22 12:25 . 2008-04-23 15:53 <DIR> d-------- C:\Temp
2008-04-22 12:25 . 2008-04-22 12:25 167,545 --------- C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk
2008-03-31 17:38 . 2008-03-31 17:38 <DIR> d-------- C:\Documents and Settings\Eric Leithliter\Application Data\Logitech
2008-03-31 17:37 . 2008-03-31 17:37 <DIR> d-------- C:\Program Files\Common Files\LogiShared
2008-03-31 17:37 . 2008-03-31 17:37 <DIR> d-------- C:\Documents and Settings\Eric Leithliter\Application Data\Leadertech
2008-03-31 17:35 . 2007-04-23 04:00 163,840 --a------ C:\WINDOWS\SYSTEM32\kemutb.dll
2008-03-31 17:35 . 2007-04-23 04:00 135,168 --a------ C:\WINDOWS\SYSTEM32\KemUtil.dll
2008-03-31 17:35 . 2007-04-23 04:00 110,592 --a------ C:\WINDOWS\SYSTEM32\KemWnd.dll
2008-03-31 17:35 . 2007-04-11 15:33 79,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\LMouKE.Sys
2008-03-31 17:35 . 2007-04-23 04:00 69,632 --a------ C:\WINDOWS\SYSTEM32\KemXML.dll
2008-03-31 17:35 . 2007-04-11 15:32 63,248 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\L8042mou.Sys
2008-03-31 17:35 . 2007-04-11 15:32 56,080 --a------ C:\WINDOWS\KHALMNPR.Exe
2008-03-31 17:35 . 2007-04-11 15:32 20,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\L8042Kbd.sys
2008-03-31 17:34 . 2008-03-31 17:35 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-03-31 17:34 . 2008-03-31 17:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2008-03-31 17:33 . 2008-03-31 17:33 <DIR> d-------- C:\Program Files\Logitech
2008-03-31 17:33 . 2008-03-31 17:33 <DIR> d-------- C:\Documents and Settings\Eric Leithliter\Application Data\InstallShield
2008-03-31 17:33 . 2008-03-31 17:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LogiShrd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-23 23:13 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-22 23:56 --------- d-----w C:\Program Files\2007 E-File Magic
2008-04-22 23:51 --------- d-----w C:\Program Files\Java
2008-04-17 19:25 --------- d-----w C:\Program Files\MtgCoach
2008-04-01 00:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-25 19:45 --------- d-----w C:\Program Files\Encompass
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
2008-03-14 15:52 --------- d-----w C:\Program Files\Windows Live
2008-03-14 15:50 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-14 15:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-02 01:36 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-02-27 00:02 25,192 ----a-w C:\Documents and Settings\Eric Leithliter\Application Data\GDIPFONTCACHEV1.DAT
2008-02-26 17:18 --------- d-----w C:\Program Files\PDFCreator
2008-02-22 10:00 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-02-15 05:44 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2008-02-11 16:39 253,952 ----a-w C:\WINDOWS\SYSTEM32\OnlineScannerDLLA.dll
2008-02-11 16:39 237,568 ----a-w C:\WINDOWS\SYSTEM32\OnlineScannerDLLW.dll
2008-02-08 20:53 110,592 ----a-w C:\WINDOWS\SYSTEM32\OnlineScannerLang.dll
2008-02-05 15:48 77,824 ----a-w C:\WINDOWS\SYSTEM32\OnlineScannerUninstaller.exe
.

((((((((((((((((((((((((((((( snapshot@2008-04-23_16.09.01.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-23 22:57:49 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-04-23 23:12:19 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-04-23 23:12:48 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_1d0.dat
+ 2008-04-23 23:12:27 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_738.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
2008-04-22 16:52 34816 --a------ C:\Program Files\Java\jre6\bin\jp2ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
2008-04-22 16:52 73728 --a------ C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Ncao"="C:\WINDOWS\STEM32~1\explorer.exe" [ ]
"Disnxch"="C:\Documents and Settings\Eric Leithliter\My Documents\S?mantec\??ool32.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 08:59 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 08:59 126976]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-11-17 17:49 71280]
"DwlClient"="c:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 21:05 323584]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2004-12-07 09:44 95456]
"DIGStream"="C:\Program Files\DIGStream\digstream.exe" [ ]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2008-04-22 16:52 148888]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-03-31 17:35:10 692224]
Start Delivery Services.lnk - C:\Program Files\RDS\DdsLaunch.exe [2004-08-11 10:37:02 32768]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Leithliter^Start Menu^Programs^Startup^DW_Start.lnk]
path=C:\Documents and Settings\Eric Leithliter\Start Menu\Programs\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a------ 2003-09-03 18:12 221184 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-07-10 09:18 270648 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2004-07-01 13:15 53248 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2003-08-26 17:47 204800 C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu572.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
--a------ 2003-12-11 19:35 70800 C:\Program Files\Norton Internet Security\UrlLstCk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{DF-FB-BC-C5-DW}]
C:\WINDOWS\system32\trcTMP\kmdmns2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)
"SOption"=2 (0x2)
"ScanRouterDriverV2"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 11:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 11:35]
R2 JavaQuickStarterService;Java Quick Starter;"C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" []
R2 RsiSvc;Ridoc Server Information Service;C:\Program Files\RDS\RsiSvc.exe [2000-11-30 22:34]
S2 Crypto;Crypto;C:\WINDOWS\system32\Drivers\Crypto.sys []
S2 DdsSched;Dds Scheduler Deamon;C:\Program Files\RDS\ddsschednt.exe [2002-11-20 16:53]
S4 ScanRouterDriverV2;ScanRouterDriverV2;C:\Program Files\RDS\srscandr.exe [2003-10-20 11:51]
S4 SOption;SOption;C:\Program Files\RDS\SOption.exe [2002-07-31 10:43]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-16 16:14:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-20 18:17:46 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Eric Leithliter.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\NAVW32.EXEh/task:
"2005-05-05 16:06:34 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2004-07-28 00:39:20 C:\WINDOWS\Tasks\{6B2A6CA7-3BCA-421E-AD31-0B5BCBC71858}_ERIC_Eric Leithliter.job"
- C:\WINDOWS\system32\MOBSYNC.EXEI /Schedule=
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-23 16:21:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 4

**************************************************************************
.
Completion time: 2008-04-23 16:25:38
ComboFix-quarantined-files.txt 2008-04-23 23:24:46
ComboFix2.txt 2008-04-23 23:09:33

Pre-Run: 21,102,600,192 bytes free
Post-Run: 21,089,054,720 bytes free

185 --- E O F --- 2008-04-12 10:07:37



HIJACK THIS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:50, on 2008-04-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\RDS\RsiSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bloomberg.com/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ncao] "C:\WINDOWS\STEM32~1\explorer.exe" -vt ndrv
O4 - HKCU\..\Run: [Disnxch] "C:\Documents and Settings\Eric Leithliter\My Documents\S?mantec\??ool32.exe"
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Start Delivery Services.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: www.chase.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://www.taylorbeanonline.com/scriptx/smsx.cab
O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - https://banking.norpacloans.com/rptviewer/ActiveXViewer.cab
O16 - DPF: {34C2EB81-F806-41B1-BCE2-E6CA37322DBF} (XLosCtrl Class) - https://net1.creditworkbench.com/cab/xPoint50.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {944713E8-1F29-42D9-ABD5-557728B9AC97} (PtClickLoanWF Control) - https://ilnet.wellsfargo.com/ilonline/hmUpl...clickloanwf.cab
O16 - DPF: {9EB5CD98-D52D-4C75-84DF-B22520DB6941} (XLosCtrl Class) - https://net1.creditworkbench.com/cab/xPoint40.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shock...ash/swflash.cab
O16 - DPF: {DF05D910-DC8E-403A-93B0-5C866F3200D1} (PtClickLoan Control) - https://www.clickloan.com/CAB/PtClickLoan/1...PtClickLoan.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC20D165-588D-428C-B27A-8DB95F43BC6B}: NameServer = 68.94.156.1,68.94.157.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{AC20D165-588D-428C-B27A-8DB95F43BC6B}: NameServer = 68.94.156.1,68.94.157.1
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Dds Scheduler Deamon (DdsSched) - RICOH Company Ltd. - C:\Program Files\RDS\ddsschednt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
O23 - Service: Ridoc Server Information Service (RsiSvc) - RICOH Company Ltd. - C:\Program Files\RDS\RsiSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O24 - Desktop Component 0: (no name) - https://net1.creditworkbench.com/nImages/blue3-6.jpg
O24 - Desktop Component 1: 41_Overlook.jpg cognitivedistortion.com - http://www.cognitivedistortion.com/?cd=ad&...sz=800&sb=1

--
End of file - 10773 bytes


Thanks again for your help.

#4 Thunder
  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:03:29 PM

Posted 24 April 2008 - 08:12 AM

Hello Eric,

I suspect Avast! may be interfering somewhat with ComboFix.

Before continuing cleanup, I'd like to know which antivirus program you'd like to keep:
avast! antivirus 4.8.1169 or Norton AntiVirus v2004;
keeping both beside each other is not a good idea!

Removing Norton, however, can be somewhat tricky,
so let me know before you proceed.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#5 ejleithliter
  • Topic Starter
  • Members
  • 10 posts
  • Local time:06:29 AM

Posted 24 April 2008 - 09:54 AM

I would like to use avast! and I have disabled Norton and tried to get rid of it in the past, but I am not sure how to do so.

I removed all Norton Programs that I could find from Add/Remove in the control panel. Here is a new HJT log. Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:47, on 2008-04-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\RDS\RsiSvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bloomberg.com/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ncao] "C:\WINDOWS\STEM32~1\explorer.exe" -vt ndrv
O4 - HKCU\..\Run: [Disnxch] "C:\Documents and Settings\Eric Leithliter\My Documents\S?mantec\??ool32.exe"
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Start Delivery Services.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: www.chase.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://www.taylorbeanonline.com/scriptx/smsx.cab
O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - https://banking.norpacloans.com/rptviewer/ActiveXViewer.cab
O16 - DPF: {34C2EB81-F806-41B1-BCE2-E6CA37322DBF} (XLosCtrl Class) - https://net1.creditworkbench.com/cab/xPoint50.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {944713E8-1F29-42D9-ABD5-557728B9AC97} (PtClickLoanWF Control) - https://ilnet.wellsfargo.com/ilonline/hmUpl...clickloanwf.cab
O16 - DPF: {9EB5CD98-D52D-4C75-84DF-B22520DB6941} (XLosCtrl Class) - https://net1.creditworkbench.com/cab/xPoint40.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shock...ash/swflash.cab
O16 - DPF: {DF05D910-DC8E-403A-93B0-5C866F3200D1} (PtClickLoan Control) - https://www.clickloan.com/CAB/PtClickLoan/1...PtClickLoan.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC20D165-588D-428C-B27A-8DB95F43BC6B}: NameServer = 68.94.156.1,68.94.157.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{AC20D165-588D-428C-B27A-8DB95F43BC6B}: NameServer = 68.94.156.1,68.94.157.1
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Dds Scheduler Deamon (DdsSched) - RICOH Company Ltd. - C:\Program Files\RDS\ddsschednt.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
O23 - Service: Ridoc Server Information Service (RsiSvc) - RICOH Company Ltd. - C:\Program Files\RDS\RsiSvc.exe
O24 - Desktop Component 0: (no name) - https://net1.creditworkbench.com/nImages/blue3-6.jpg
O24 - Desktop Component 1: 41_Overlook.jpg cognitivedistortion.com - http://www.cognitivedistortion.com/?cd=ad&...sz=800&sb=1

--
End of file - 8606 bytes

Edited by ejleithliter, 24 April 2008 - 12:49 PM.


#6 Thunder
  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:03:29 PM

Posted 25 April 2008 - 02:41 AM

Hello Eric,

1. Download DelDomains.zip and extract/unzip it to your desktop:
Now right-click on DelDomains.inf, then click 'Install'.
Apparently nothing will happen, but that's OK.

2. Now let's clean up some more :

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the bold, blue text below into an empty Notepad window:

File::
C:\WINDOWS\SYSTEM32\ajafultc.ini
Folder::
C:\WINDOWS\VGhvbWFzIEJhcnJvbg
C:\Temp\berDrv11
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ncao"=-
"Disnxch"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]

Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply.

3. Go to Start > Control Panel > Software > Add/remove programs and uninstall:
LiveReg (Symantec Corporation)
LiveUpdate 2.5 (Symantec Corporation)
Symantec Script Blocking Installer
Viewpoint Manager (Remove Only)
Viewpoint Toolbar (Remove Only)

Reboot your PC and run the Symantec Removal Tool to remove leftovers from Norton.
Reboot again and post a fresh HijackThis log as well please.

Are you still having problems ?

Greetings,
Thunder

Edited by Thunder, 26 April 2008 - 05:38 AM.

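The two HijackThis logs above and the CFScript in reply #6 show what a helper looks for in a log and how the fix is written. As an added example (not code from this thread, from HijackThis or from ComboFix), here is a small Python script that applies those checks to log lines and drafts the matching CFScript sections. The sample lines in SAMPLE_LOG are copied from the logs posted above (constructed input for the example); the Finding class, the CANONICAL_DIR table, the triage and build_cfscript functions and the heuristics they encode (a '?' in a Run path, a well-known binary outside its normal directory, wildcard Trusted Zone entries, services whose binary is missing, Security Center and firewall values switched off, and a folder name under C:\WINDOWS that decodes as base64 text) are this example's own assumptions, not HijackThis or ComboFix behaviour.

```python
"""Triage helper for HijackThis / ComboFix log lines (added example; not code
from this thread, HijackThis or ComboFix).  SAMPLE_LOG is copied from the logs
posted above; every function, table and heuristic here is this example's own."""
import base64
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: lines taken from the logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [Ncao] "C:\WINDOWS\STEM32~1\explorer.exe" -vt ndrv
O4 - HKCU\..\Run: [Disnxch] "C:\Documents and Settings\Eric Leithliter\My Documents\S?mantec\??ool32.exe"
O15 - Trusted Zone: www.chase.com
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
"AntiVirusDisableNotify"=dword:00000001
"EnableFirewall"= 0 (0x0)
C:\WINDOWS\VGhvbWFzIEJhcnJvbg
"""

@dataclass
class Finding:
    kind: str       # run-entry | trusted-zone | orphan-service | security-off | encoded-dir
    detail: str     # why the line was flagged
    hive: str = ""  # HKCU / HKLM for Run entries
    name: str = ""  # value name, host, service or folder the finding refers to

# Assumed table: where these well-known binaries legitimately live on XP.
CANONICAL_DIR = {"explorer.exe": {r"c:\windows"}, "svchost.exe": {r"c:\windows\system32"}}
HIVE = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
ZONE_RE = re.compile(r"^O15 - Trusted Zone: (?P<host>\S+)")
SVC_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - .+\(file missing\)$")
SEC_RE = re.compile(r'^"(?P<key>AntiVirusDisableNotify|DisableMonitoring|EnableFirewall)"\s*=\s*(?P<val>\S+)')
DIR_RE = re.compile(r"^(?P<path>[A-Za-z]:\\WINDOWS\\(?P<leaf>[A-Za-z0-9+/]{8,}))$", re.I)

def _exe_path(cmd: str) -> str:
    """Executable part of a Run-entry command line (quoted, or the first token)."""
    return cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split(" ")[0]

def _base64_text(leaf: str) -> Optional[str]:
    """Decode a directory name as base64; None unless it yields printable ASCII."""
    try:
        text = base64.b64decode(leaf + "=" * (-len(leaf) % 4)).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None

def triage(log: str) -> list[Finding]:
    """Flag the kinds of entries the helper acted on in this thread."""
    findings: list[Finding] = []
    for line in (l.strip() for l in log.splitlines()):
        if m := RUN_RE.match(line):
            path = _exe_path(m["cmd"])
            parent, _, exe = path.lower().rpartition("\\")
            if "?" in path:  # HijackThis prints non-ANSI (look-alike) characters as '?'
                why = "non-ANSI characters in path"
            elif exe in CANONICAL_DIR and parent not in CANONICAL_DIR[exe]:
                why = f"{exe} outside its normal directory ({parent})"
            else:
                continue
            findings.append(Finding("run-entry", why, m["hive"], m["name"]))
        elif m := ZONE_RE.match(line):
            if m["host"].startswith("*."):  # a wildcard puts a whole domain in the Trusted zone
                findings.append(Finding("trusted-zone", f"wildcard entry {m['host']}", name=m["host"]))
        elif m := SVC_RE.match(line):
            findings.append(Finding("orphan-service", f"{m['svc']}: binary missing", name=m["svc"]))
        elif m := SEC_RE.match(line):
            raw = m["val"]
            num = int(raw[6:], 16) if raw.startswith("dword:") else int(raw)
            off = num == 0 if m["key"] == "EnableFirewall" else num == 1
            if off:
                findings.append(Finding("security-off", f"{m['key']} = {num}", name=m["key"]))
        elif (m := DIR_RE.match(line)) and (text := _base64_text(m["leaf"])):
            findings.append(Finding("encoded-dir", f"name is base64 for {text!r}", name=m["path"]))
    return findings

def build_cfscript(findings: list[Finding]) -> str:
    """Draft the CFScript sections used in reply #6: Folder:: for directories to remove
    and Registry:: in .reg syntax, where "Name"=- deletes a value.  For human review only."""
    folders = [f.name for f in findings if f.kind == "encoded-dir"]
    by_hive = defaultdict(list)
    for f in findings:
        if f.kind == "run-entry":
            by_hive[f.hive].append(f.name)
    out = ["Folder::", *folders] if folders else []
    if by_hive:
        out.append("Registry::")
        for hive, names in by_hive.items():
            out.append(f"[{HIVE[hive]}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]")
            out.extend(f'"{n}"=-' for n in names)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print(*(f"{f.kind:15} {f.detail}" for f in found), build_cfscript(found), sep="\n")
```

Run as-is, it prints the seven findings and a Folder::/Registry:: draft equivalent to the one written by hand in reply #6 (the folder name VGhvbWFzIEJhcnJvbg decodes to the text "Thomas Barron"). The heuristics are triage aids for an analyst, not verdicts: the base64 check will occasionally match an ordinary directory name, and the draft deliberately leaves out the Trusted Zone entries and the orphaned service, since a CFScript Registry:: section is not how the thread deals with those (the zones are cleared with DelDomains.inf).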

#7 ejleithliter
  • Topic Starter
  • Members
  • 10 posts
  • Local time:06:29 AM

Posted 25 April 2008 - 11:12 AM

Thanks Thunder. I have not done your new steps as I am working from home today, but I noticed that the link for the Symantec Removal Tool does not work. Do you mind sending that link again? When I left work yesterday, mostly everything was working well. My clock is messed up and I am having difficulty linking our company's server. Thanks again.

Eric

#8 Thunder
  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:03:29 PM

Posted 26 April 2008 - 05:40 AM

Hello Eric,

This link should work: Symantec Removal Tool

Greetings,
Thunder

#9 ejleithliter
  • Topic Starter
  • Members
  • 10 posts
  • Local time:06:29 AM

Posted 28 April 2008 - 11:47 AM

Thanks Thunder. I did all the steps you asked of me. When I ran ComboFix, I got the blue screen again after the log was saved and I had to manually pull it up. The only thing that I see different is my clock settings are on military time and the dates are in European format. I cannot figure out how to get it back to my original settings. Here are my logs:

COMBO FIX

ComboFix 08-04-22.5 - Eric Leithliter 2008-04-28 8:58:26.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.222 [GMT -7:00]
Running from: C:\Documents and Settings\Eric Leithliter\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Eric Leithliter\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\SYSTEM32\ajafultc.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\berDrv11
C:\Temp\berDrv11\fxpNbu.log
C:\WINDOWS\SYSTEM32\ajafultc.ini
C:\WINDOWS\VGhvbWFzIEJhcnJvbg

.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-28 )))))))))))))))))))))))))))))))
.

2008-04-24 10:30 . 2008-04-24 10:30 28,352 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\MxlW2k.sys
2008-04-24 10:13 . 2008-04-24 10:13 176 --a------ C:\WINDOWS\wininit.ini
2008-04-24 10:11 . 2008-04-24 10:22 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-04-23 16:50 . 2008-04-23 16:50 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-23 15:20 . 2008-04-23 15:20 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-23 15:20 . 2008-04-23 15:20 <DIR> d-------- C:\Documents and Settings\Eric Leithliter\Application Data\Malwarebytes
2008-04-23 15:20 . 2008-04-23 15:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-23 12:23 . 2008-04-23 12:26 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-04-22 21:10 . 2008-04-22 21:10 9,662 --a------ C:\WINDOWS\SYSTEM32\ZoneAlarmIconUS.ico
2008-04-22 18:37 . 2008-04-22 18:37 <DIR> d-------- C:\Deckard
2008-04-22 16:52 . 2008-04-22 16:52 410,976 --a------ C:\WINDOWS\SYSTEM32\deploytk.dll
2008-04-22 16:52 . 2008-04-22 16:52 73,728 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-04-22 14:01 . 2008-04-22 14:01 <DIR> d-------- C:\Program Files\Alwil Software
2008-04-22 14:01 . 2003-03-18 13:20 1,060,864 --a------ C:\WINDOWS\SYSTEM32\MFC71.dll
2008-04-22 12:35 . 2008-04-23 14:59 109,747 --a------ C:\WINDOWS\BM73cec8f6.xml
2008-04-22 12:25 . 2008-04-28 08:59 <DIR> d-------- C:\Temp
2008-04-22 12:25 . 2008-04-22 12:25 167,545 --------- C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk
2008-03-31 17:38 . 2008-03-31 17:38 <DIR> d-------- C:\Documents and Settings\Eric Leithliter\Application Data\Logitech
2008-03-31 17:37 . 2008-03-31 17:37 <DIR> d-------- C:\Program Files\Common Files\LogiShared
2008-03-31 17:37 . 2008-03-31 17:37 <DIR> d-------- C:\Documents and Settings\Eric Leithliter\Application Data\Leadertech
2008-03-31 17:35 . 2007-04-23 04:00 163,840 --a------ C:\WINDOWS\SYSTEM32\kemutb.dll
2008-03-31 17:35 . 2007-04-23 04:00 135,168 --a------ C:\WINDOWS\SYSTEM32\KemUtil.dll
2008-03-31 17:35 . 2007-04-23 04:00 110,592 --a------ C:\WINDOWS\SYSTEM32\KemWnd.dll
2008-03-31 17:35 . 2007-04-11 15:33 79,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\LMouKE.Sys
2008-03-31 17:35 . 2007-04-23 04:00 69,632 --a------ C:\WINDOWS\SYSTEM32\KemXML.dll
2008-03-31 17:35 . 2007-04-11 15:32 63,248 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\L8042mou.Sys
2008-03-31 17:35 . 2007-04-11 15:32 56,080 --a------ C:\WINDOWS\KHALMNPR.Exe
2008-03-31 17:35 . 2007-04-11 15:32 20,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\L8042Kbd.sys
2008-03-31 17:34 . 2008-03-31 17:35 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-03-31 17:34 . 2008-03-31 17:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2008-03-31 17:33 . 2008-03-31 17:33 <DIR> d-------- C:\Program Files\Logitech
2008-03-31 17:33 . 2008-03-31 17:33 <DIR> d-------- C:\Documents and Settings\Eric Leithliter\Application Data\InstallShield
2008-03-31 17:33 . 2008-03-31 17:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LogiShrd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-24 17:29 --------- d-----w C:\Program Files\Viewpoint
2008-04-24 17:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-24 17:28 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-24 17:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-24 17:13 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-04-22 23:51 --------- d-----w C:\Program Files\Java
2008-04-17 19:25 --------- d-----w C:\Program Files\MtgCoach
2008-04-01 00:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-25 19:45 --------- d-----w C:\Program Files\Encompass
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
2008-03-14 15:52 --------- d-----w C:\Program Files\Windows Live
2008-03-14 15:50 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-14 15:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-02 01:36 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-02-27 00:02 25,192 ----a-w C:\Documents and Settings\Eric Leithliter\Application Data\GDIPFONTCACHEV1.DAT
2008-02-22 10:00 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-02-15 05:44 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2008-02-11 16:39 253,952 ----a-w C:\WINDOWS\SYSTEM32\OnlineScannerDLLA.dll
2008-02-11 16:39 237,568 ----a-w C:\WINDOWS\SYSTEM32\OnlineScannerDLLW.dll
2008-02-08 20:53 110,592 ----a-w C:\WINDOWS\SYSTEM32\OnlineScannerLang.dll
2008-02-05 15:48 77,824 ----a-w C:\WINDOWS\SYSTEM32\OnlineScannerUninstaller.exe
.

((((((((((((((((((((((((((((( snapshot@2008-04-23_16.09.01.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-23 22:57:49 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-04-25 00:58:40 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-04-24 17:38:14 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5a4.dat
- 2008-04-23 22:57:56 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_744.dat
+ 2008-04-25 00:59:04 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_744.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
2008-04-22 16:52 34816 --a------ C:\Program Files\Java\jre6\bin\jp2ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
2008-04-22 16:52 73728 --a------ C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 08:59 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 08:59 126976]
"DwlClient"="c:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 21:05 323584]
"DIGStream"="C:\Program Files\DIGStream\digstream.exe" [ ]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2008-04-22 16:52 148888]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2004-07-01 13:15 53248]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-03-31 17:35:10 692224]
Start Delivery Services.lnk - C:\Program Files\RDS\DdsLaunch.exe [2004-08-11 10:37:02 32768]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Leithliter^Start Menu^Programs^Startup^DW_Start.lnk]
path=C:\Documents and Settings\Eric Leithliter\Start Menu\Programs\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a------ 2003-09-03 18:12 221184 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2004-07-01 13:15 53248 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2003-08-26 17:47 204800 C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
C:\Program Files\Norton Internet Security\UrlLstCk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{DF-FB-BC-C5-DW}]
C:\WINDOWS\system32\trcTMP\kmdmns2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)
"SOption"=2 (0x2)
"ScanRouterDriverV2"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 11:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 11:35]
R2 JavaQuickStarterService;Java Quick Starter;"C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" []
R2 RsiSvc;Ridoc Server Information Service;C:\Program Files\RDS\RsiSvc.exe [2000-11-30 22:34]
S2 Crypto;Crypto;C:\WINDOWS\system32\Drivers\Crypto.sys []
S2 DdsSched;Dds Scheduler Deamon;C:\Program Files\RDS\ddsschednt.exe [2002-11-20 16:53]
S4 ScanRouterDriverV2;ScanRouterDriverV2;C:\Program Files\RDS\srscandr.exe [2003-10-20 11:51]
S4 SOption;SOption;C:\Program Files\RDS\SOption.exe [2002-07-31 10:43]

.
Contents of the 'Scheduled Tasks' folder
"2005-05-05 16:06:34 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2004-07-28 00:39:20 C:\WINDOWS\Tasks\{6B2A6CA7-3BCA-421E-AD31-0B5BCBC71858}_ERIC_Eric Leithliter.job"
- C:\WINDOWS\system32\MOBSYNC.EXEI /Schedule=
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-28 09:02:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 4

**************************************************************************
.
Completion time: 2008-04-28 9:06:10
ComboFix-quarantined-files.txt 2008-04-28 16:05:57
ComboFix2.txt 2008-04-25 00:16:31
ComboFix3.txt 2008-04-23 23:25:39
ComboFix4.txt 2008-04-23 23:09:33

Pre-Run: 21,198,352,384 bytes free
Post-Run: 21,186,293,760 bytes free

186 --- E O F --- 2008-04-12 10:07:37


HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:41, on 2008-04-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\RDS\RsiSvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bloomberg.com/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Start Delivery Services.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://www.taylorbeanonline.com/scriptx/smsx.cab
O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - https://banking.norpacloans.com/rptviewer/ActiveXViewer.cab
O16 - DPF: {34C2EB81-F806-41B1-BCE2-E6CA37322DBF} (XLosCtrl Class) - https://net1.creditworkbench.com/cab/xPoint50.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {944713E8-1F29-42D9-ABD5-557728B9AC97} (PtClickLoanWF Control) - https://ilnet.wellsfargo.com/ilonline/hmUpl...clickloanwf.cab
O16 - DPF: {9EB5CD98-D52D-4C75-84DF-B22520DB6941} (XLosCtrl Class) - https://net1.creditworkbench.com/cab/xPoint40.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shock...ash/swflash.cab
O16 - DPF: {DF05D910-DC8E-403A-93B0-5C866F3200D1} (PtClickLoan Control) - https://www.clickloan.com/CAB/PtClickLoan/1...PtClickLoan.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC20D165-588D-428C-B27A-8DB95F43BC6B}: NameServer = 68.94.156.1,68.94.157.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{AC20D165-588D-428C-B27A-8DB95F43BC6B}: NameServer = 68.94.156.1,68.94.157.1
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Dds Scheduler Deamon (DdsSched) - RICOH Company Ltd. - C:\Program Files\RDS\ddsschednt.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
O23 - Service: Ridoc Server Information Service (RsiSvc) - RICOH Company Ltd. - C:\Program Files\RDS\RsiSvc.exe
O24 - Desktop Component 0: (no name) - https://net1.creditworkbench.com/nImages/blue3-6.jpg
O24 - Desktop Component 1: 41_Overlook.jpg cognitivedistortion.com - http://www.cognitivedistortion.com/?cd=ad&...sz=800&sb=1

--
End of file - 7446 bytes

Thanks again for your help.

- Eric

#10 Thunder
  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 28 April 2008 - 03:12 PM

Hello Eric,

Once we're done, we'll remove ComboFix which should restore your original settings. :thumbsup:

First I'd like you to check something:

Please go to VirusTotal,
copy and paste C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk
in the input window and submit the file for a scan.
Post the results in your next reply please.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#11 ejleithliter
  • Topic Starter
  • Members
  • 10 posts

Posted 28 April 2008 - 08:20 PM

Thunder,

I ran the program and it looks like I may be clean. Here is the report:

File core.cache.dsk received on 04.29.2008 03:07:09 (CET)


Result: 0/32 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.4.29.0 2008.04.28 -
AntiVir 7.8.0.10 2008.04.28 -
Authentium 4.93.8 2008.04.27 -
Avast 4.8.1169.0 2008.04.28 -
AVG 7.5.0.516 2008.04.28 -
BitDefender 7.2 2008.04.29 -
CAT-QuickHeal 9.50 2008.04.28 -
ClamAV 0.92.1 2008.04.29 -
DrWeb 4.44.0.09170 2008.04.29 -
eSafe 7.0.15.0 2008.04.28 -
eTrust-Vet 31.3.5743 2008.04.29 -
Ewido 4.0 2008.04.28 -
F-Prot 4.4.2.54 2008.04.28 -
F-Secure 6.70.13260.0 2008.04.29 -
FileAdvisor 1 2008.04.29 -
Fortinet 3.14.0.0 2008.04.28 -
Ikarus T3.1.1.26 2008.04.29 -
Kaspersky 7.0.0.125 2008.04.29 -
McAfee 5283 2008.04.28 -
Microsoft 1.3408 2008.04.22 -
NOD32v2 3061 2008.04.28 -
Norman 5.80.02 2008.04.28 -
Panda 9.0.0.4 2008.04.27 -
Prevx1 V2 2008.04.29 -
Rising 20.42.02.00 2008.04.28 -
Sophos 4.28.0 2008.04.29 -
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.04.29 -
TheHacker 6.2.92.296 2008.04.29 -
VBA32 3.12.6.5 2008.04.28 -
VirusBuster 4.3.26:9 2008.04.28 -
Webwasher-Gateway 6.6.2 2008.04.28 -
Additional information
File size: 167545 bytes
MD5...: 85835d7c8295d0955c04cdb0dcb99b8d
SHA1..: d55a209f863833018023ff7af7cbf2976516753d
SHA256: 6d0e208a22f51426dff5d8c80917d00e73bb06100b16db71b3372a6bb89e20bd
SHA512: 6f68b4e3a90df360047ed6f50bd16f73a5449a61cb7e011d18a3de49f06021ca1bc3d4e2e6047a19755a47b4f1f9558c3c49a4fa7d2cec22943ae45721ee4042
PEiD..: -

#12 Thunder
  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 29 April 2008 - 02:19 AM

Well done, Eric :thumbsup:

You can remove all tools we used and all folders created in the process.
To remove ComboFix:
Go to Start > Run, and copy and paste the next command in the field: ComboFix /u
Make sure there's a space between ComboFix and /u
Then press Enter.
This will uninstall ComboFix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Greetings,
Thunder

#13 ejleithliter
  • Topic Starter
  • Members
  • 10 posts

Posted 29 April 2008 - 11:59 AM

Word!!! Everything is back to normal and running smoothly. Thunder, thank you so much for your help. I will definitely send over a donation later today. You rock.

- Eric

#14 Thunder
  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 29 April 2008 - 12:26 PM

Glad we could help, Eric :thumbsup:

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed.

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.
