
Bad Infection Of Some Kind


  • This topic is locked
10 replies to this topic

#1 street9009

street9009

  • Members
  • 50 posts
  • Gender:Male

Posted 01 July 2008 - 06:35 PM

Not really sure what this computer has been into, but it's got something bad, at least, so far as I can tell.

Spybot doesn't find much and what it does find it cleans. It cleaned out some cookies and a Virtuomode.dll (pardon my spelling if I got that wrong), but that's it.

I'm posting a HJT log from a clean laptop. I don't want the infected desktop on the internet if I can help it.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:33:18 PM, on 7/1/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Windows\System32\CtHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MFP Network Adapter\PS_MFPUtil.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Vista & XP Virtual Desktops\Virtual Desktops.exe
C:\wamp\wampmanager.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {4E3E60F5-F691-475F-AFBA-CF9FCAB47C15} - C:\Windows\system32\fccbYsqQ.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: {64dadac6-6ca4-9c49-4074-3dbcfa0ee688} - {886ee0af-cbd3-4704-94c9-4ac66cadad46} - C:\Windows\system32\kciljp.dll
O2 - BHO: (no name) - {FC0B0790-6E9E-494D-88C8-69A3D39AA89F} - C:\Windows\system32\ssqomLfG.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PS_MFPUtil] "C:\Program Files\MFP Network Adapter\PS_MFPUtil.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\fccbYsqQ.dll,#1
O4 - HKLM\..\Run: [60a234dd] rundll32.exe "C:\Windows\system32\uoovyodq.dll",b
O4 - HKLM\..\Run: [BM63910741] Rundll32.exe "C:\Windows\system32\spabufvq.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA5890] command /c del "C:\Windows\System32\ssqomLfG.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8704] cmd /c del "C:\Windows\System32\ssqomLfG.dll_old"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'Default user')
O4 - Startup: Vista & XP Virtual Desktops.lnk = ?
O4 - Startup: WampServer.lnk = C:\wamp\wampmanager.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: http://www.adobe.com
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD42/JSCDL/jre/6u...ows-i586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC3C09C3-7E04-4F0D-A173-94948B095BEE}: NameServer = 68.87.73.242,68.87.71.226
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 7934 bytes
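As an added example (not part of the thread, and not a HijackThis or BleepingComputer tool), a small Python script that applies to HJT O2/O4 lines the checks a helper makes by eye on the log above: unnamed BHOs, BHOs whose "name" is a bare CLSID, BHOs already marked `(file missing)`, and Run entries that feed rundll32 a system32 DLL by ordinal or one-letter export, or under a generated-looking entry name. The sample lines are constructed from the kinds of entries in this log, and the heuristics are assumptions chosen for illustration.

```python
"""Heuristic triage of HijackThis (HJT) v2 log lines.

Flags the autostart patterns visible in the log above: Browser Helper
Objects (O2) with no name, with a CLSID where a name should be, or whose
file is already gone, and Run entries (O4) that launch rundll32 on a DLL in
system32 with an ordinal or one-letter export, or under a machine-looking
entry name.  These are review hints for a human reader, not verdicts.
"""
import ntpath
import re
from dataclasses import dataclass, field

# Sample lines, constructed from the kinds of entries in the log above.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {4E3E60F5-F691-475F-AFBA-CF9FCAB47C15} - C:\Windows\system32\fccbYsqQ.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {64dadac6-6ca4-9c49-4074-3dbcfa0ee688} - {886ee0af-cbd3-4704-94c9-4ac66cadad46} - C:\Windows\system32\kciljp.dll
O2 - BHO: (no name) - {FC0B0790-6E9E-494D-88C8-69A3D39AA89F} - C:\Windows\system32\ssqomLfG.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\fccbYsqQ.dll,#1
O4 - HKLM\..\Run: [60a234dd] rundll32.exe "C:\Windows\system32\uoovyodq.dll",b
O4 - HKLM\..\Run: [BM63910741] Rundll32.exe "C:\Windows\system32\spabufvq.dll",s
O4 - HKLM\..\RunOnce: [SpybotDeletingC8704] cmd /c del "C:\Windows\System32\ssqomLfG.dll_old"
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
"""

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + CLSID
                   + r") - (?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<entry>[^\]]*)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\S+)',
                       re.IGNORECASE)
# Heuristic (assumption): entry names that are all hex, or a 1-3 letter prefix
# followed by a long digit run, read like generated tokens rather than product names.
GENERATED_NAME_RE = re.compile(r"^(?:[0-9a-f]{6,}|[A-Za-z]{1,3}\d{6,})$")


@dataclass
class Finding:
    line_no: int
    dll: str                      # base name of the DLL the entry points at
    reasons: list = field(default_factory=list)


def _basename(path: str) -> str:
    return ntpath.basename(path.strip())


def triage(log_text: str) -> list:
    """Return one Finding per suspicious O2/O4 line, in log order."""
    lines = log_text.splitlines()
    # First pass: DLLs registered as BHOs, so O4 loaders of the same DLL can be cross-referenced.
    bho_dlls = set()
    for raw in lines:
        m = O2_RE.match(raw)
        if m:
            bho_dlls.add(_basename(m["path"]).lower())

    findings = []
    for no, raw in enumerate(lines, 1):
        m = O2_RE.match(raw)
        if m:
            reasons = []
            if m["name"] == "(no name)":
                reasons.append("BHO registered without a name")
            elif re.fullmatch(CLSID, m["name"]):
                reasons.append("BHO name is a bare CLSID, not a product name")
            if m["missing"]:
                reasons.append("BHO file already missing (stale registration after deletion or rename)")
            if reasons:
                findings.append(Finding(no, _basename(m["path"]), reasons))
            continue
        m = O4_RE.match(raw)
        if not m:
            continue
        r = RUNDLL_RE.match(m["cmd"])
        if not r:
            continue  # only rundll32-based loaders are examined here
        dll = _basename(r["dll"])
        in_system32 = "\\system32\\" in r["dll"].lower()
        reasons = []
        if GENERATED_NAME_RE.match(m["entry"]):
            reasons.append(f"Run entry name {m['entry']!r} looks generated")
        if in_system32 and r["export"].startswith("#"):
            reasons.append(f"rundll32 calls a system32 DLL by ordinal {r['export']}")
        elif in_system32 and len(r["export"]) == 1:
            reasons.append(f"rundll32 calls a system32 DLL by one-letter export {r['export']!r}")
        if dll.lower() in bho_dlls:
            reasons.append("same DLL is also registered as a BHO (O2)")
        if reasons:
            findings.append(Finding(no, dll, reasons))
    return findings


def flagged_dlls(findings) -> list:
    """Distinct DLL base names across all findings, sorted case-insensitively."""
    return sorted({f.dll for f in findings}, key=str.lower)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.dll}: " + "; ".join(f.reasons))
```

On the sample, the NVIDIA, Spybot and Welcome Center lines pass while the five random-named system32 DLLs are each flagged with a stated reason.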


#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 10,786 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 01 July 2008 - 07:01 PM

Hi, street9009 :thumbsup:

Welcome.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

No request for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 street9009

street9009
  • Topic Starter

  • Members
  • 50 posts
  • Gender:Male

Posted 02 July 2008 - 06:44 AM

Thanks for the quick reply. I appreciate the assist.

Here's the ComboFix log:

ComboFix 08-06-30.2 - Stephen 2008-07-02 7:18:46.1 - NTFSx86
Microsoft® Windows Vista™ Enterprise 6.0.6001.1.1252.1.1033.18.1029 [GMT -4:00]
Running from: C:\Users\Stephen\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\cyunndhy.dll
C:\Windows\system32\fccbYsqQ.dll
C:\Windows\System32\GfLmoqss.ini
C:\Windows\System32\GfLmoqss.ini2
C:\Windows\system32\kciljp.dll
C:\Windows\System32\qdoyvoou.ini
C:\Windows\system32\smnrtqfp.ini
C:\Windows\system32\spabufvq.dll
C:\Windows\system32\uoovyodq.dll
C:\Windows\System32\WyGjPqru.ini
C:\Windows\System32\WyGjPqru.ini2
C:\Windows\system32\yceinlun.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-02 to 2008-07-02 )))))))))))))))))))))))))))))))
.

2008-07-01 19:44 . 2008-07-01 19:44 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-01 19:43 . 2008-07-01 19:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-01 19:31 . 2008-07-01 19:31 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-01 19:31 . 2008-07-01 19:31 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-07-01 06:41 . 2008-07-01 23:26 4,958,588 --a------ C:\Windows\{00000000-00000000-0000000A-00001102-00000008-10011102}.BAK
2008-06-30 22:44 . 2008-07-01 07:38 211 --a------ C:\Windows\wininit.ini
2008-06-30 22:29 . 2008-07-01 19:44 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-06-30 22:29 . 2008-07-01 19:44 <DIR> d-------- C:\ProgramData\Lavasoft
2008-06-30 21:29 . 2008-07-01 06:44 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-06-30 21:29 . 2008-07-01 06:44 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-06-30 21:29 . 2008-06-30 21:29 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-30 13:41 . 2008-06-30 13:41 167,536 --ah----- C:\Windows\System32\mlfcache.dat
2008-06-29 22:51 . 2008-06-29 23:09 <DIR> d-------- C:\Users\Stephen\AppData\Roaming\LimeWire
2008-06-29 22:50 . 2008-06-29 22:50 <DIR> d-------- C:\Program Files\LimeWire
2008-06-26 17:56 . 2008-06-29 17:01 <DIR> d-------- C:\Program Files\mIRC
2008-06-23 22:29 . 2008-06-23 22:54 <DIR> d-------- C:\Users\Stephen\AppData\Roaming\Notepad++
2008-06-23 22:29 . 2008-06-23 22:29 <DIR> d-------- C:\Program Files\Notepad++
2008-06-23 22:21 . 2008-06-30 18:28 <DIR> d-------- C:\Users\Stephen\AppData\Roaming\mIRC
2008-06-21 22:26 . 2008-06-21 22:29 <DIR> d-------- C:\wamp
2008-06-21 17:39 . 2003-10-28 06:02 20,016 --------- C:\Windows\System32\drivers\pxhelp20.sys
2008-06-21 17:38 . 2008-06-21 17:39 <DIR> d-------- C:\Program Files\Winamp
2008-06-21 17:38 . 2008-06-21 17:39 39 --a------ C:\Windows\winamp.ini
2008-06-18 18:59 . 2008-06-18 18:59 <DIR> d-------- C:\Users\Stephen\AppData\Roaming\Mozilla - Copy
2008-06-13 19:47 . 2008-06-13 19:47 <DIR> d-------- C:\Users\Stephen\AppData\Roaming\DivX
2008-06-13 19:47 . 2008-06-13 19:47 <DIR> d-------- C:\Program Files\DivX
2008-06-13 19:47 . 2008-06-13 19:47 <DIR> d-------- C:\Program Files\Common Files\PX Storage Engine
2008-06-13 19:42 . 2008-06-13 19:42 <DIR> d-------- C:\Users\All Users\NVIDIA
2008-06-13 19:42 . 2008-06-13 19:42 <DIR> d-------- C:\ProgramData\NVIDIA
2008-06-11 18:05 . 2006-12-07 21:07 356,352 --a------ C:\Windows\System32\NVUNINST.EXE
2008-06-11 17:35 . 2008-04-24 22:12 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-06-11 17:35 . 2008-04-26 04:08 1,314,816 --a------ C:\Windows\System32\quartz.dll
2008-06-11 17:35 . 2008-04-25 00:35 826,880 --a------ C:\Windows\System32\wininet.dll
2008-06-11 17:35 . 2008-05-09 21:33 113,664 --a------ C:\Windows\System32\drivers\rmcast.sys
2008-06-09 07:03 . 2006-12-29 14:16 14,336 --a------ C:\Windows\System32\drivers\nusbcmp.sys
2008-06-09 07:01 . 2006-12-29 14:16 14,336 --a------ C:\Windows\System32\nusbcmp.sys
2008-06-09 07:01 . 2006-12-29 14:26 1,372 --a------ C:\Windows\System32\nusbcmp.inf
2008-06-09 06:57 . 2008-06-09 07:03 <DIR> d-------- C:\Program Files\MFP Network Adapter
2008-06-09 06:57 . 2006-12-29 14:18 35,840 --a------ C:\Windows\System32\nusbhub.sys
2008-06-09 06:57 . 2006-12-29 14:18 35,840 --a------ C:\Windows\System32\drivers\nusbhub.sys
2008-06-09 06:57 . 2006-12-29 14:18 13,824 --a------ C:\Windows\System32\drivers\nusbhst.sys
2008-06-09 06:57 . 2006-12-29 14:27 1,350 --a------ C:\Windows\System32\nusbhub.inf
2008-06-09 06:56 . 2008-06-09 06:56 <DIR> d-------- C:\Users\Stephen\AppData\Roaming\InstallShield
2008-06-07 21:28 . 2008-06-07 21:29 <DIR> d-------- C:\Users\Stephen\AppData\Roaming\RealVNC
2008-06-07 21:23 . 2008-06-07 21:23 <DIR> d-------- C:\Program Files\RealVNC
2008-06-07 21:23 . 2008-05-06 10:43 20,992 --a------ C:\Windows\System32\vncmirror.dll
2008-06-07 21:23 . 2008-05-06 10:43 4,608 --a------ C:\Windows\System32\drivers\vncmirror.sys
2008-06-07 21:16 . 2008-06-29 22:50 <DIR> d-------- C:\Users\Stephen\AppData\Roaming\Azureus
2008-06-07 21:16 . 2008-06-07 21:16 <DIR> d-------- C:\Users\All Users\Azureus
2008-06-07 21:16 . 2008-06-07 21:16 <DIR> d-------- C:\ProgramData\Azureus
2008-06-07 21:15 . 2008-06-20 22:35 <DIR> d-------- C:\Program Files\Azureus
2008-06-07 21:12 . 2008-06-07 21:12 97 --a------ C:\Windows\System32\'
2008-06-07 21:11 . 2004-06-26 13:22 6,016 --a------ C:\Windows\System32\drivers\vnccom.SYS
2008-06-07 21:09 . 2005-06-10 22:02 12,800 --a------ C:\Windows\System32\vncdrv.dll
2008-06-07 21:09 . 2004-06-26 13:21 5,760 --a------ C:\Windows\System32\vnchelp.dll
2008-06-07 21:09 . 2004-06-26 13:22 4,736 --a------ C:\Windows\System32\drivers\vncdrv.sys
2008-06-07 15:22 . 2006-10-26 19:56 32,592 --a------ C:\Windows\System32\msonpmon.dll
2008-06-07 15:18 . 2008-06-07 15:18 <DIR> d-------- C:\Program Files\Microsoft Works
2008-06-07 15:15 . 2008-06-07 15:15 <DIR> d-------- C:\Windows\PCHEALTH
2008-06-07 15:15 . 2008-06-07 15:15 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-06-07 15:10 . 2008-06-07 15:10 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-06-07 15:08 . 2008-06-07 17:42 <DIR> d-------- C:\Users\All Users\Microsoft Help
2008-06-07 15:08 . 2008-06-07 17:42 <DIR> d-------- C:\ProgramData\Microsoft Help
2008-06-07 15:06 . 2008-06-07 15:06 <DIR> dr-h----- C:\MSOCache
2008-06-07 15:02 . 2008-06-07 15:02 <DIR> d-------- C:\Windows\PrimoPDF4
2008-06-07 15:02 . 2008-06-07 15:02 <DIR> d-------- C:\Program Files\activePDF
2008-06-07 15:02 . 2006-12-11 16:12 176,235 --a------ C:\Windows\System32\Primomonnt.dll
2008-06-07 14:53 . 2008-06-07 14:53 1,160 --a------ C:\Windows\mozver.dat
2008-06-07 14:39 . 2008-06-07 14:39 <DIR> d-------- C:\Program Files\Vista & XP Virtual Desktops
2008-06-07 14:22 . 2008-06-11 06:51 <DIR> d-------- C:\Drivers
2008-06-07 14:15 . 2008-06-07 14:15 <DIR> d-------- C:\Users\Stephen\AppData\Roaming\Talkback
2008-06-07 14:14 . 2008-06-07 14:14 <DIR> d-------- C:\Users\Stephen\AppData\Roaming\Thunderbird
2008-06-07 14:14 . 2008-06-13 19:47 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2008-06-07 14:13 . 2008-06-07 14:13 0 --a------ C:\Windows\nsreg.dat
2008-06-07 00:34 . 2008-06-07 00:34 <DIR> d-------- C:\Program Files\Common Files\Ulead Systems
2008-06-07 00:28 . 2008-06-07 00:34 <DIR> d-------- C:\WFDB
2008-06-07 00:28 . 2008-06-07 00:29 <DIR> d-------- C:\Program Files\WinFast
2008-06-07 00:28 . 2008-06-09 06:57 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-06-07 00:27 . 2008-06-07 00:27 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-06-07 00:19 . 2008-06-07 00:19 <DIR> d-------- C:\Windows\Sun
2008-06-06 23:17 . 2008-06-06 23:18 <DIR> d-------- C:\Program Files\Java
2008-06-06 23:16 . 2008-06-06 23:16 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-06 23:15 . 2008-06-06 23:15 <DIR> d-------- C:\Program Files\CCleaner
2008-06-06 23:12 . 2008-06-06 22:16 <DIR> d-------- C:\Windows\Panther
2008-06-06 23:11 . 2008-06-06 23:13 <DIR> d-------- C:\Windows\System32\Adobe
2008-06-06 23:11 . 2008-06-06 23:11 <DIR> d--hs---- C:\Boot
2008-06-06 23:11 . 2008-01-20 22:24 333,203 -rahs---- C:\bootmgr
2008-06-06 23:11 . 2007-10-25 21:56 185,352 --a------ C:\Windows\System32\drivers\fttxr5_O.sys
2008-06-06 23:11 . 2008-06-06 23:11 8,192 -ra-s---- C:\BOOTSECT.BAK
2008-06-06 22:47 . 2008-06-06 22:47 136,496 --a------ C:\Windows\System32\drivers\SYMEVENT.SYS
2008-06-06 22:47 . 2007-12-18 19:06 91,008 --a------ C:\Windows\System32\drivers\SysPlant.sys
2008-06-06 22:47 . 2008-06-06 22:47 10,652 --a------ C:\Windows\System32\drivers\SYMEVENT.CAT
2008-06-06 22:47 . 2008-06-06 22:47 806 --a------ C:\Windows\System32\drivers\SYMEVENT.INF
2008-06-06 22:46 . 2008-06-06 22:48 <DIR> d-------- C:\Users\All Users\Symantec
2008-06-06 22:46 . 2008-06-06 22:48 <DIR> d-------- C:\ProgramData\Symantec
2008-06-06 22:46 . 2008-06-06 22:47 <DIR> d-------- C:\Program Files\Symantec
2008-06-06 22:46 . 2008-06-06 22:50 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-06 22:46 . 2007-03-21 20:39 1,060,864 --a------ C:\Windows\System32\MFC71.DLL
2008-06-06 22:46 . 2007-03-21 20:33 503,808 --a------ C:\Windows\System32\MSVCP71.DLL
2008-06-06 22:46 . 2007-03-21 20:33 348,160 --a------ C:\Windows\System32\MSVCR71.DLL
2008-06-06 22:44 . 2008-06-30 23:01 <DIR> d-------- C:\Windows\Debug
2008-06-06 22:37 . 2008-06-06 22:37 <DIR> d-------- C:\Windows\System32\Macromed
2008-06-06 22:26 . 2008-06-06 22:27 <DIR> d-------- C:\Users\All Users\Adobe
2008-06-06 22:26 . 2008-06-06 22:26 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-06-06 22:22 . 2008-06-30 22:15 <DIR> d-------- C:\Users\Stephen\AppData\Roaming\.purple
2008-06-06 22:22 . 2008-06-06 22:22 <DIR> d-------- C:\Program Files\Aspell
2008-06-06 22:21 . 2008-06-06 22:22 <DIR> d-------- C:\Program Files\Pidgin
2008-06-06 22:21 . 2008-06-06 22:21 <DIR> d-------- C:\Program Files\Common Files\GTK
2008-06-06 22:15 . 2008-06-06 22:15 0 --a------ C:\Windows\System32\atiicdxx.dat
2008-06-06 21:33 . 2008-06-06 21:33 <DIR> d-------- C:\Windows\TweakVI
2008-06-06 21:33 . 2008-06-06 23:14 <DIR> d-------- C:\Program Files\TweakVI
2008-06-06 21:33 . 2008-06-06 21:33 0 --a------ C:\Windows\System32\tviresource.val
2008-06-06 20:51 . 2008-03-12 16:21 678,408 --a------ C:\Windows\System32\gpprefcl.dll
2008-06-06 20:50 . 2008-07-01 19:45 <DIR> d--hs---- C:\Windows\Installer
2008-06-06 20:50 . 2008-06-06 20:50 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-06-06 19:44 . 2008-06-06 19:44 <DIR> dr------- C:\Windows\System32\config\systemprofile\Contacts
2008-06-06 17:44 . 2008-07-02 07:23 30,624 --a------ C:\Windows\System32\BMXStateBkp-{00000000-00000000-0000000A-00001102-00000008-10011102}.rfx
2008-06-06 17:44 . 2008-07-02 07:23 30,624 --a------ C:\Windows\System32\BMXState-{00000000-00000000-0000000A-00001102-00000008-10011102}.rfx
2008-06-06 17:44 . 2008-07-02 07:23 29,772 --a------ C:\Windows\System32\BMXCtrlState-{00000000-00000000-0000000A-00001102-00000008-10011102}.rfx
2008-06-06 17:44 . 2008-07-02 07:23 29,772 --a------ C:\Windows\System32\BMXBkpCtrlState-{00000000-00000000-0000000A-00001102-00000008-10011102}.rfx
2008-06-06 17:44 . 2008-07-02 07:23 11,564 --a------ C:\Windows\System32\DVCState-{00000000-00000000-0000000A-00001102-00000008-10011102}.rfx
2008-06-06 17:36 . 2008-07-01 23:26 4,958,588 --a------ C:\Windows\{00000000-00000000-0000000A-00001102-00000008-10011102}.CDF
2008-06-06 17:36 . 2008-06-06 17:36 409,600 --a------ C:\Windows\System32\wrap_oal.dll
2008-06-06 17:36 . 2008-06-06 17:36 114,688 --a------ C:\Windows\System32\OpenAL32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-11 21:41 --------- d-----w C:\Program Files\Windows Mail
2008-06-07 19:17 --------- d-----w C:\Program Files\MSBuild
2008-06-07 04:35 720,896 ----a-w C:\Windows\System32\a3d.dll
2008-06-07 04:35 578,368 ----a-w C:\Windows\system32\drivers\smwdm.sys
2008-06-07 04:35 4,816 ----a-w C:\Windows\system32\drivers\aeaudio.sys
2008-06-07 04:35 3,744 ----a-w C:\Windows\system32\drivers\smsens.sys
2008-06-07 04:21 50,816 ----a-w C:\Windows\system32\drivers\cx88tune.sys
2008-05-30 17:22 524,288 ----a-w C:\Windows\System32\DivXsm.exe
2008-05-30 17:22 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll
2008-05-30 17:19 200,704 ----a-w C:\Windows\System32\ssldivx.dll
2008-05-30 17:19 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
2008-05-13 14:40 43,520 ----a-w C:\Windows\system32\drivers\fetnd6v.sys
2008-01-21 02:42 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-20 22:23 1233920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-11-09 15:15 115560]
"PS_MFPUtil"="C:\Program Files\MFP Network Adapter\PS_MFPUtil.exe" [2007-06-15 12:04 352256]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2006-12-07 20:25 90191]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2006-12-07 20:25 7766016]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2006-12-07 20:25 81920]
"CTHelper"="CTHELPER.EXE" [2007-04-09 12:32 19456 C:\Windows\System32\CtHelper.exe]
"CTxfiHlp"="CTXFIHLP.EXE" [2007-04-09 12:32 19968 C:\Windows\System32\Ctxfihlp.exe]

C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Vista & XP Virtual Desktops.lnk - C:\Users\Stephen\AppData\Roaming\Microsoft\Installer\{176190EF-2826-4806-A043-ABE6065175AF}\MainIcon.ico [2008-06-07 14:39:23 106023]
WampServer.lnk - C:\wamp\wampmanager.exe [2007-02-18 17:07:00 1141760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 07:00 33648 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFast Schedule]
--a------ 2007-12-19 16:09 2846720 C:\Program Files\WinFast\WFDTV\WFWIZ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFastDTV]
--a------ 2007-12-21 13:34 90112 C:\Program Files\WinFast\WFDTV\DTVSchdl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3529158903-266706602-2413121514-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{7BF9AE33-6B2B-4D72-9606-C58C7794D2B8}"= UDP:C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe:SMC Service
"{2471E164-1440-4232-A9A5-60720B55860A}"= TCP:C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe:SMC Service
"{5C48DCBD-8179-4102-B579-EF89508A0353}"= UDP:C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE:SNAC Service
"{CE88B407-8CC3-40D1-8E7C-BA14EEF15D1E}"= TCP:C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE:SNAC Service
"{04767514-A8E3-49F6-9F70-C976CF62718B}"= UDP:C:\Program Files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{1275DFCA-76CB-4A47-B5D6-03F94514B684}"= TCP:C:\Program Files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{4EB19F56-00F5-4783-8FA6-C74381DB211E}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{DAB0F8E4-EB3A-473A-A24D-6B273396213E}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{D5245763-DD3F-4F1A-889D-FBDB797400F4}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{9C711BB9-D359-4B33-B30A-71A975486B99}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{69C996B0-3D49-4FED-99F4-A2AFC8423A2B}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{16A757F7-7B5F-4EC3-BBE1-8D2BBC41ED08}C:\\program files\\azureus\\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus
"UDP Query User{F00E38E5-D6A3-4792-8D97-1779C2FD2CD6}C:\\program files\\azureus\\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus
"{BE7A3872-30DA-4D97-862A-58D7F065B33A}"= UDP:C:\Program Files\RealVNC\VNC4\winvnc4.exe:VNC Server
"{844AFADC-C48E-4041-8A46-2C1676F9DFC2}"= TCP:C:\Program Files\RealVNC\VNC4\winvnc4.exe:VNC Server
"TCP Query User{C2E50858-2075-4F05-AC1C-CF32347E3661}C:\\wamp\\apache2\\bin\\httpd.exe"= UDP:C:\wamp\apache2\bin\httpd.exe:Apache HTTP Server
"UDP Query User{454179AA-84A7-4C6C-B819-54EA91E72452}C:\\wamp\\apache2\\bin\\httpd.exe"= TCP:C:\wamp\apache2\bin\httpd.exe:Apache HTTP Server
"TCP Query User{F496B26C-8226-49ED-B174-14860CC54B2C}C:\\program files\\mirc\\mirc.exe"= UDP:C:\program files\mirc\mirc.exe:mIRC
"UDP Query User{E0AC2EE8-82E1-4A01-80ED-48F3A9300482}C:\\program files\\mirc\\mirc.exe"= TCP:C:\program files\mirc\mirc.exe:mIRC
"TCP Query User{71995985-11C4-4051-81BF-45853624096B}C:\\academybot\\mirc.exe"= UDP:C:\academybot\mirc.exe:mIRC
"UDP Query User{65ACCD5C-F8AF-44D3-9044-69724D947BEA}C:\\academybot\\mirc.exe"= TCP:C:\academybot\mirc.exe:mIRC

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"DoNotAllowExceptions"= 0 (0x0)


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
GPSvcGroup REG_MULTI_SZ GPSvc

.
- - - - ORPHANS REMOVED - - - -

BHO-{FC0B0790-6E9E-494D-88C8-69A3D39AA89F} - C:\Windows\system32\ssqomLfG.dll
HKLM-Run-60a234dd - C:\Windows\system32\uoovyodq.dll
HKLM-Run-BM63910741 - C:\Windows\system32\spabufvq.dll
HKU-Default-Run-DevconDefaultDB - C:\Windows\system32\READREG


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-02 07:26:20
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\wamp\Apache2\bin\httpd.exe
C:\wamp\mysql\bin\mysqld-nt.exe
C:\Program Files\RealVNC\VNC4\winvnc4.exe
C:\Program Files\RealVNC\VNC4\winvnc4.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\wamp\Apache2\bin\httpd.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Vista & XP Virtual Desktops\Virtual Desktops.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-07-02 7:29:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-02 11:28:52

Pre-Run: 632,921,800,704 bytes free
Post-Run: 633,271,758,848 bytes free

274 --- E O F --- 2008-06-11 21:40:51



And the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:40:45 AM, on 7/2/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Windows\System32\CtHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MFP Network Adapter\PS_MFPUtil.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Vista & XP Virtual Desktops\Virtual Desktops.exe
C:\wamp\wampmanager.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PS_MFPUtil] "C:\Program Files\MFP Network Adapter\PS_MFPUtil.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Vista & XP Virtual Desktops.lnk = ?
O4 - Startup: WampServer.lnk = C:\wamp\wampmanager.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: http://www.adobe.com
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD42/JSCDL/jre/6u...ows-i586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC3C09C3-7E04-4F0D-A173-94948B095BEE}: NameServer = 68.87.73.242,68.87.71.226
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 5813 bytes
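As an added example (not part of this thread and not code from HijackThis, ComboFix or Malwarebytes), here is a small Python triage script for the HijackThis log format posted above: it parses the R*/O* entries and flags the kinds of lines a responder checks by hand before calling a log clean. The sample log is a constructed, shortened copy of entries from this thread, and the flag rules are my own heuristics, not HijackThis logic.

```python
import re
from typing import Dict, List

# Constructed sample in HijackThis v2.0.2 log format, modelled on (and
# shortened from) the entries posted in this thread.
SAMPLE_HJT_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O15 - Trusted Zone: http://www.adobe.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC3C09C3-7E04-4F0D-A173-94948B095BEE}: NameServer = 68.87.73.242,68.87.71.226
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
"""

# Every HJT entry starts with a section code (R0, R1, O2, O4, O23, ...)
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Return one {'section', 'body'} dict per R*/O* entry; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def review_entries(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag entries worth a manual check. A flag means 'verify', not 'malicious'.
    These rules are illustrative heuristics, not the HijackThis analysis rules."""
    flags = []
    for e in entries:
        sec, body = e["section"], e["body"]
        reason = None
        if sec in ("R0", "R1") and "go.microsoft.com" not in body:
            reason = "IE start/search page is not the Microsoft default"
        elif sec == "O4" and not re.search(r"[A-Za-z]:\\|%\w+%", body):
            reason = "autorun command has no full path; resolve which file actually runs"
        elif sec == "O15":
            reason = "site in Trusted Zone runs with relaxed IE security settings"
        elif sec == "O17":
            reason = "custom DNS servers; confirm they belong to the ISP or router"
        elif sec == "O23" and "Unknown owner" in body:
            reason = "service binary carries no company/signer information"
        if reason:
            flags.append({"section": sec, "reason": reason, "body": body})
    return flags


if __name__ == "__main__":
    for f in review_entries(parse_hjt(SAMPLE_HJT_LOG)):
        print(f"{f['section']}: {f['reason']}\n    {f['body']}")
```

On the sample above the script flags four entries (the unqualified CTHELPER.EXE autorun, the Trusted Zone site, the DNS servers and the wampmysqld service), all of which this thread's helper could reconcile against the known WAMP, VNC and Creative installs on the machine.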

#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 10,786 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:58 AM

Posted 02 July 2008 - 12:51 PM

Lets check for remnants:

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 street9009

street9009
  • Topic Starter

  • Members
  • 50 posts
  • Gender:Male
  • Local time:04:58 AM

Posted 02 July 2008 - 09:25 PM

I'd love to oblige, but I have a weird problem with this computer now and I can't figure it out. Was wondering if maybe something we did caused this, but I can't see how.

When I ran ComboFix, it ran Spybot automatically. I let this finish and cleaned what it found. I then agreed to the Combofix agreements and let it run. That's when I posted the log (this morning) for you. This afternoon when I got home I tried to connect this computer back to the internet (I haven't had any network cables plugged into it for the last 2 days) and it will get local access (meaning I can access the router) but something isn't letting it get to the full internet. I can't even connect to the VNC server via the local IP address.

Any ideas? Once I get it connected to the internet, I'll download, update, and run the above.


UPDATE: Never mind, I got it. I'm running the Malwarebytes scan now. It wouldn't update on any of the update servers, so I'm just running with what I've got. Will probably have to post the results in the morning. Thanks again for the help.

Edited by street9009, 02 July 2008 - 10:11 PM.


#6 street9009

street9009
  • Topic Starter

  • Members
  • 50 posts
  • Gender:Male
  • Local time:04:58 AM

Posted 02 July 2008 - 10:29 PM

It never would update (I tried all three update servers... it just sits on "Looking for ____" and never does anything).

However, the "unupdated" scan found nothing:

Malwarebytes' Anti-Malware 1.19
Database version: 899
Windows 6.0.6001 Service Pack 1

11:13:36 PM 7/2/2008
mbam-log-7-2-2008 (23-13-36).txt

Scan type: Quick Scan
Objects scanned: 34809
Time elapsed: 4 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#7 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 10,786 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:58 AM

Posted 03 July 2008 - 10:03 AM

Every log looks clear. How is the computer doing?



#8 street9009

street9009
  • Topic Starter

  • Members
  • 50 posts
  • Gender:Male
  • Local time:04:58 AM

Posted 03 July 2008 - 10:34 AM

Seems to be running just fine now. I'm not getting any popups or anything and I actually think the Adaware thing (finding over 5000 infections in under 30 seconds) was a fluke. I uninstalled 2008 and reinstalled 2007 and it doesn't find anything except tracking cookies. Must've been a bug of some kind or maybe the infection I had was throwing off the latest version.

But anyway, like I said, seems to be good to go now.

Thanks again for the assist.

#9 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 10,786 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:58 AM

Posted 03 July 2008 - 05:15 PM

Hi, street9009. :thumbsup:

Congratulations.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START (Vista button).
  • Now type Combofix /u in the search box. Do NOT hit ENTER. Instead hit CTRL+SHIFT+ENTER. Note the space between the X and the U, it needs to be there.
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • ZonedOut + IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • Read and follow the suggestions given at this web site by Miekiemoes http://users.telenet.be/bluepatchy/miekiem...prevention.html .
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

Best wishes!

Edited by JSntgRvr, 03 July 2008 - 05:20 PM.



#10 street9009

street9009
  • Topic Starter

  • Members
  • 50 posts
  • Gender:Male
  • Local time:04:58 AM

Posted 04 July 2008 - 04:04 PM

Thanks again.

#11 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 10,786 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:58 AM

Posted 11 July 2008 - 08:35 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

