
Infected With Coolwww, Smitfraud, Toolbarcc, Other


  • This topic is locked
15 replies to this topic

#1 Flare613

  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:17 AM

Posted 24 July 2008 - 05:29 PM

I tried using Spybot Search & Destroy repeatedly, but it reinstalls itself right away. Toolbar is disabled; went to regedit to fix it, but when I update it is immediately overwritten again. Specific files that are giving me problems are winself.exe and 27990.exe, which is located within my doc and settings/app/microsoft file.

Popups from Security Center for coolwww, and from an icon in the tray that says "warning infected". The tray popup is definitely more spyware.

Had a problem running Kaspersky's online scanner. Tried using Killbox on some apps but was unable to. Without access to Task Manager I can't do much more myself.

HijackThis main and extra logs follow:

Deckard's System Scanner v20071014.68
Run by Bruce Lee on 2008-07-24 15:10:29
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
16: 2008-07-24 22:10:32 UTC - RP17 - Deckard's System Scanner Restore Point
15: 2008-07-24 17:19:16 UTC - RP16 - Installed Norton AntiVirus Corporate Edition
14: 2008-07-24 05:32:39 UTC - RP15 - System Checkpoint
13: 2008-07-23 05:19:05 UTC - RP14 - Windows Defender Checkpoint
12: 2008-07-23 04:44:44 UTC - RP13 - System Checkpoint


-- First Restore Point --
1: 2008-07-17 23:55:16 UTC - RP2 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Bruce Lee.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:14:12 PM, on 7/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\winself.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\uoyzsydz.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\portsv.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ABBYY Lingvo 10 First Step\Lvagent.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Bruce Lee\Application Data\Microsoft\dtsc\27990.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Documents and Settings\Bruce Lee\Application Data\Microsoft\dtsc\27990.exe
C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
C:\Program Files\ABBYY Lingvo 10 First Step\Lingvo.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Bruce Lee\Desktop\dss.exe
D:\Security\HIJACK~1\Bruce Lee.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uoyzsydz.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: (no name) - {497A55FE-90E1-44DC-AF6F-BA425E4007A6} - C:\WINDOWS\system32\efcYOigg.dll (file missing)
O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {EAB15366-0E81-476D-83CC-1052FDF017C8} - C:\WINDOWS\system32\hgGvvwXp.dll (file missing)
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Lingvo Launcher] "C:\Program Files\ABBYY Lingvo 10 First Step\Lvagent.exe" /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SMrhcvwtj0ev2g] C:\Program Files\rhcvwtj0ev2g\rhcvwtj0ev2g.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA8912] command /c del "C:\WINDOWS\winajbm.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1617] cmd /c del "C:\WINDOWS\winajbm.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6725] command /c del "C:\WINDOWS\mtwirl32.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5037] cmd /c del "C:\WINDOWS\mtwirl32.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9668] command /c del "C:\WINDOWS\mtwirl32.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7100] cmd /c del "C:\WINDOWS\mtwirl32.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA666] command /c del "C:\WINDOWS\avpcc.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3241] cmd /c del "C:\WINDOWS\avpcc.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4669] command /c del "C:\WINDOWS\iexplorer.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5741] cmd /c del "C:\WINDOWS\iexplorer.exe_tobedeleted"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\Bruce Lee\Application Data\Microsoft\dtsc\27990.exe
O4 - HKCU\..\Policies\Explorer\Run: [NT Printing Services] ftps.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: hgGvvwXp - hgGvvwXp.dll (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--
End of file - 11226 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 BVRPMPR5 (BVRPMPR5 NDIS Protocol Driver) - c:\windows\system32\drivers\bvrpmpr5.sys <Not Verified; BVRP Software; BVRPNDIS Rawether for Windows>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 EPSONStatusAgent2 (EPSON Printer Status Agent2) - c:\program files\common files\epson\ebapi\sagent2.exe <Not Verified; SEIKO EPSON CORPORATION; EPSON Bidirectional Printer>
R2 ForceWare Intelligent Application Manager (IAM) - c:\program files\nvidia corporation\networkaccessmanager\bin\nsvcappflt.exe <Not Verified; ; app_filter Module>
R2 ForcewareWebInterface (Forceware Web Interface) - "c:\program files\nvidia corporation\networkaccessmanager\apache group\apache2\bin\apache.exe" -k runservice <Not Verified; Apache Software Foundation; Apache HTTP Server>
R2 MsSecurity1.209.4 (MsSecurity Updated) - c:\windows\winself.exe service
R2 nSvcLog (ForceWare user log service) - c:\program files\nvidia corporation\networkaccessmanager\bin\nsvclog.exe <Not Verified; NVIDIA; NVIDIA nSvcLog>
R2 PlugPlayRPC (Plug and Play (RPC)) - c:\windows\portsv.exe service
R2 ProtexisLicensing - c:\windows\system32\psiservice.exe <Not Verified; ; PSIService>

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Device
Device ID: PCI\VEN_197B&DEV_2360&SUBSYS_82081043&REV_02\4&268339C6&0&0038
Manufacturer:
Name: PCI Device
PNP Device ID: PCI\VEN_197B&DEV_2360&SUBSYS_82081043&REV_02\4&268339C6&0&0038
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\122A4E01E8C00
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\122A4E01E8C00
Service: NIC1394


-- Scheduled Tasks -------------------------------------------------------------

2008-07-24 02:10:00 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-07-14 11:06:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-06-24 and 2008-07-24 -----------------------------

2008-07-24 15:06:12 25344 --a------ C:\WINDOWS\mssys.exe
2008-07-24 12:32:05 25088 --a------ C:\WINDOWS\notepad32.exe
2008-07-24 12:32:05 29440 --a------ C:\WINDOWS\mtwirl32.dll
2008-07-24 12:32:04 21760 --a------ C:\WINDOWS\msupdate.exe
2008-07-24 12:32:04 18944 --a------ C:\WINDOWS\loader.exe
2008-07-24 12:32:04 24064 --a------ C:\WINDOWS\iedll.exe
2008-07-24 12:32:03 20736 --a------ C:\WINDOWS\clrssn.exe
2008-07-24 12:21:53 23808 --a------ C:\WINDOWS\funniest.exe
2008-07-24 12:09:49 15360 --a------ C:\WINDOWS\y.exe
2008-07-24 12:09:49 24320 --a------ C:\WINDOWS\winmgnt.exe
2008-07-24 12:09:48 17408 --a------ C:\WINDOWS\window.exe
2008-07-24 12:09:48 12800 --a------ C:\WINDOWS\winajbm.dll
2008-07-24 12:09:47 23808 --a------ C:\WINDOWS\win64.exe
2008-07-24 12:09:47 20224 --a------ C:\WINDOWS\waol.exe
2008-07-24 12:09:47 32512 --a------ C:\WINDOWS\users32.exe
2008-07-24 12:09:46 22016 --a------ C:\WINDOWS\systemcritical.exe
2008-07-24 12:09:45 12288 --a------ C:\WINDOWS\systeem.exe
2008-07-24 12:09:45 15872 --a------ C:\WINDOWS\olehelp.exe
2008-07-24 12:09:45 24576 --a------ C:\WINDOWS\iexplorer.exe
2008-07-24 12:09:45 15104 --a------ C:\WINDOWS\avpcc.dll
2008-07-24 12:09:44 19200 --a------ C:\WINDOWS\accesss.exe
2008-07-24 10:29:00 0 d-------- C:\!Submit
2008-07-24 10:19:23 4032 --a------ C:\WINDOWS\system32\SYMEVNT1.DLL <Not Verified; Symantec Corporation; SYMEVENT>
2008-07-24 10:19:23 36864 --a------ C:\WINDOWS\system32\S32EVNT1.DLL <Not Verified; Symantec Corporation; SYMEVENT>
2008-07-24 10:19:23 57696 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS <Not Verified; Symantec Corporation; SYMEVENT>
2008-07-24 10:19:20 0 d-------- C:\WINDOWS\system32\CBA
2008-07-24 10:19:19 0 d-------- C:\Program Files\Symantec
2008-07-24 10:19:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-24 10:19:17 0 d-------- C:\Program Files\NavNT
2008-07-24 10:19:17 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-18 02:35:24 8192 --a------ C:\WINDOWS\xplugin.dll
2008-07-18 02:35:24 13056 --a------ C:\WINDOWS\x.exe
2008-07-17 20:38:48 8960 --a------ C:\WINDOWS\win32e.exe
2008-07-17 20:38:47 18688 --a------ C:\WINDOWS\time.exe
2008-07-17 20:38:47 17920 --a------ C:\WINDOWS\svcinit.exe
2008-07-17 20:38:47 19200 --a------ C:\WINDOWS\svchost32.exe
2008-07-17 20:38:47 14080 --a------ C:\WINDOWS\sistem.exe
2008-07-17 20:38:47 14848 --a------ C:\WINDOWS\searchword.dll
2008-07-17 20:38:47 25856 --a------ C:\WINDOWS\rundll16.exe
2008-07-17 20:38:46 11776 --a------ C:\WINDOWS\quicken.exe
2008-07-17 20:38:46 8960 --a------ C:\WINDOWS\qttasks.exe
2008-07-17 20:38:46 12800 --a------ C:\WINDOWS\mswsc20.dll
2008-07-17 20:38:46 24832 --a------ C:\WINDOWS\mswsc10.dll
2008-07-17 20:38:46 25344 --a------ C:\WINDOWS\msspi.dll
2008-07-17 20:38:46 26368 --a------ C:\WINDOWS\msconfd.dll
2008-07-17 20:38:45 21504 --a------ C:\WINDOWS\internet.exe
2008-07-17 20:38:45 32256 --a------ C:\WINDOWS\inetinf.exe
2008-07-17 20:38:45 20736 --a------ C:\WINDOWS\helpcvs.exe
2008-07-17 20:38:45 8960 --a------ C:\WINDOWS\gfmnaaa.dll
2008-07-17 20:38:44 20992 --a------ C:\WINDOWS\funny.exe
2008-07-17 20:38:44 12800 --a------ C:\WINDOWS\explorer32.exe
2008-07-17 20:38:44 12544 --a------ C:\WINDOWS\explore.exe
2008-07-17 20:38:44 11264 --a------ C:\WINDOWS\editpad.exe
2008-07-17 20:38:44 14336 --a------ C:\WINDOWS\dnsrelay.dll
2008-07-17 20:38:44 8960 --a------ C:\WINDOWS\directx32.exe
2008-07-17 20:38:44 26880 --a------ C:\WINDOWS\ctrlpan.dll
2008-07-17 20:38:44 30464 --a------ C:\WINDOWS\ctfmon32.exe
2008-07-17 20:38:44 12032 --a------ C:\WINDOWS\cpan.dll
2008-07-17 20:23:50 0 d-------- C:\WINDOWS\system32\5583
2008-07-17 20:23:41 4 --a------ C:\WINDOWS\system32\hljwugsf.bin
2008-07-17 20:23:41 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-07-17 20:23:37 89561 --a------ C:\WINDOWS\system32\uoyzsydz.exe <Not Verified; Microsoft; XML Media>
2008-07-17 20:23:37 89561 --a------ C:\WINDOWS\lfn.exe <Not Verified; Microsoft; XML Media>
2008-07-17 20:23:36 55808 --a------ C:\WINDOWS\portsv.exe
2008-07-17 16:55:05 52709 --ahs---- C:\WINDOWS\system32\ggiOYcfe.ini2
2008-07-17 16:09:08 0 d-------- C:\WINDOWS\system32\aumsDK06
2008-07-17 16:08:48 23048 -----n--- C:\WINDOWS\winself.exe
2008-07-16 23:12:10 0 d-------- C:\Documents and Settings\Bruce Lee\Application Data\SPORE Creature Creator
2008-07-11 10:57:08 0 d-------- C:\Program Files\uTorrent
2008-07-10 22:47:34 156 --a------ C:\WINDOWS\system32\Monitored3.dat
2008-07-10 22:47:32 52224 --a------ C:\WINDOWS\system32\ftps.exe
2008-07-10 22:47:32 10 --a------ C:\WINDOWS\system32\ciadvss.exe
2008-07-10 22:47:32 10 --a------ C:\WINDOWS\system32\ciadvs.exe
2008-07-10 22:47:32 7680 --a------ C:\WINDOWS\system32\chkdskss.exe
2008-07-10 22:47:32 7680 --a------ C:\WINDOWS\system32\chkdsks.exe
2008-07-10 22:47:18 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-09 13:33:28 0 d-------- C:\Program Files\PKWARE
2008-07-09 13:33:28 0 d-------- C:\Program Files\Common Files\PKWARE
2008-07-09 13:33:15 0 d-------- C:\WINDOWS\Downloaded Installations
2008-07-09 11:48:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Launcher
2008-07-07 23:20:56 0 d-------- C:\Documents and Settings\All Users\Application Data\Graboid Inc
2008-07-07 23:19:10 0 d-------- C:\Documents and Settings\Bruce Lee\Application Data\MozillaControl
2008-07-07 23:18:59 0 d-------- C:\Program Files\Mozilla ActiveX Control v1.7.12
2008-07-07 23:18:53 0 d-------- C:\Program Files\VideoLAN
2008-07-07 23:18:53 0 d-------- C:\Program Files\Graboid
2008-07-05 14:03:32 0 d-------- C:\Program Files\QuickTime
2008-07-05 14:03:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-05 14:02:42 0 d-------- C:\Program Files\Apple Software Update
2008-07-05 14:02:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-06-27 11:49:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-06-27 11:49:02 0 d-------- C:\Program Files\Common Files\Adobe


-- Find3M Report ---------------------------------------------------------------

2008-07-24 10:19:17 0 d-------- C:\Program Files\Common Files
2008-07-16 23:11:45 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-13 01:28:17 0 d-------- C:\Documents and Settings\Bruce Lee\Application Data\GigaTribe
2008-07-08 13:58:29 0 d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-06-30 23:30:45 0 d-------- C:\Documents and Settings\Bruce Lee\Application Data\AdobeUM
2008-06-27 11:42:35 0 d-------- C:\Documents and Settings\Bruce Lee\Application Data\Adobe
2008-06-22 18:42:38 0 d-------- C:\Program Files\Windows Defender
2008-06-22 17:46:01 0 d-------- C:\Documents and Settings\Bruce Lee\Application Data\Lavasoft
2008-06-22 17:23:30 0 d-------- C:\Documents and Settings\Bruce Lee\Application Data\rhcvwtj0ev2g
2008-06-18 00:19:48 0 d-------- C:\Program Files\DivX
2008-06-18 00:18:06 0 d-------- C:\Program Files\Xvid
2008-06-15 22:11:34 0 d-------- C:\Program Files\LG Electronics
2008-06-15 22:11:21 0 d-------- C:\Program Files\Verizon Wireless
2008-06-02 23:40:32 0 d-------- C:\Program Files\BitZipper
2008-06-02 23:40:32 0 d-------- C:\Documents and Settings\Bruce Lee\Application Data\BitZipper
2008-05-30 10:22:22 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-30 10:18:56 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-30 10:18:56 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-30 10:18:50 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 10:18:48 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-05-30 10:18:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 10:18:48 815104 --a------ C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 10:18:48 683520 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 10:18:00 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-27 02:37:17 0 d-------- C:\Documents and Settings\Bruce Lee\Application Data\Corel
2008-05-27 02:27:53 5330 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-05-12 11:24:05 1160 --a------ C:\WINDOWS\mozver.dat
2008-05-12 11:02:05 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-12 10:40:38 8 -r-hs---- C:\WINDOWS\system32\FF8751EDFA.sys
2008-05-12 10:29:04 717 --a------ C:\WINDOWS\PowerReg.dat
2008-05-12 10:13:27 22 --a------ C:\WINDOWS\FileName
2008-05-12 01:03:02 0 -rahs---- C:\MSDOS.SYS
2008-05-12 01:03:02 0 -rahs---- C:\IO.SYS
2008-05-12 01:03:02 0 --a------ C:\CONFIG.SYS
2008-05-12 01:03:02 0 --a------ C:\AUTOEXEC.BAT
2008-05-12 01:00:02 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-05-11 17:44:15 62 --ahs---- C:\Documents and Settings\Bruce Lee\Application Data\desktop.ini
2008-04-27 10:35:28 180224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-04-27 10:33:36 765952 --a------ C:\WINDOWS\system32\xvidcore.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00110011-4b0b-44d5-9718-90c88817369b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{086ae192-23a6-48d6-96ec-715f53797e85}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{150fa160-130d-451f-b863-b655061432ba}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17da0c9e-4a27-4ac5-bb75-5d24b8cdb972}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d38a51a-23c9-48a1-a33c-48675aa2b494}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2e9caff6-30c7-4208-8807-e79d4ec6f806}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{467faeb2-5f5b-4c81-bae0-2a4752ca7f4e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{497A55FE-90E1-44DC-AF6F-BA425E4007A6}]
C:\WINDOWS\system32\efcYOigg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5321e378-ffad-4999-8c62-03ca8155f0b3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{587dbf2d-9145-4c9e-92c2-1f953da73773}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6cc1c91a-ae8b-4373-a5b4-28ba1851e39a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{79369d5c-2903-4b7a-ade2-d5e0dee14d24}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{799a370d-5993-4887-9df7-0a4756a77d00}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98dbbf16-ca43-4c33-be80-99e6694468a4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a55581dc-2cdb-4089-8878-71a080b22342}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b847676d-72ac-4393-bfff-43a1eb979352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bc97b254-b2b9-4d40-971d-78e0978f5f26}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765721306}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e2ddf680-9905-4dee-8c64-0a5de7fe133c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e3eebbe8-9cab-4c76-b26a-747e25ebb4c6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e7afff2a-1b57-49c7-bf6b-e5123394c970}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EAB15366-0E81-476D-83CC-1052FDF017C8}]
C:\WINDOWS\system32\hgGvvwXp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fd9bc004-8331-4457-b830-4759ff704c22}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [11/14/2006 02:21 AM C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [05/16/2006 03:04 AM C:\WINDOWS\SkyTel.exe]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 03:43 AM C:\WINDOWS\Alcmtr.exe]
"nwiz"="nwiz.exe" [05/11/2007 06:03 AM C:\WINDOWS\system32\nwiz.exe]
"nTrayFw"="C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe" [02/17/2006 10:40 AM]
"Ink Monitor"="C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe" [08/05/2002 01:37 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"@"="" []
"Lingvo Launcher"="C:\Program Files\ABBYY Lingvo 10 First Step\Lvagent.exe" [02/15/2005 01:55 PM]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [03/09/2007 07:53 PM]
"SMrhcvwtj0ev2g"="C:\Program Files\rhcvwtj0ev2g\rhcvwtj0ev2g.exe" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [05/27/2008 10:50 AM]
"vptray"="C:\Program Files\NavNT\vptray.exe" [09/24/2001 07:59 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 05:00 AM]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [03/12/2007 02:49 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 09:24 AM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 04:45 PM]
"Microsoft Windows Installer"="C:\Documents and Settings\Bruce Lee\Application Data\Microsoft\dtsc\27990.exe" [07/11/2008 04:04 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingA8912"=command /c del "C:\WINDOWS\winajbm.dll_tobedeleted"
"SpybotDeletingC1617"=cmd /c del "C:\WINDOWS\winajbm.dll_tobedeleted"
"SpybotDeletingA6725"=command /c del "C:\WINDOWS\mtwirl32.dll_tobedeleted"
"SpybotDeletingC5037"=cmd /c del "C:\WINDOWS\mtwirl32.dll_tobedeleted"
"SpybotDeletingA9668"=command /c del "C:\WINDOWS\mtwirl32.dll_tobedeleted"
"SpybotDeletingC7100"=cmd /c del "C:\WINDOWS\mtwirl32.dll_tobedeleted"
"SpybotDeletingA666"=command /c del "C:\WINDOWS\avpcc.dll_tobedeleted"
"SpybotDeletingC3241"=cmd /c del "C:\WINDOWS\avpcc.dll_tobedeleted"
"SpybotDeletingA4669"=command /c del "C:\WINDOWS\iexplorer.exe_tobedeleted"
"SpybotDeletingC5741"=cmd /c del "C:\WINDOWS\iexplorer.exe_tobedeleted"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\Bruce Lee\Start Menu\Programs\Startup\
MEMonitor.lnk - C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [6/15/2008 10:11:21 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [4/23/2008 3:38:16 AM]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [5/13/2008 2:55:10 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispScrSavPage"=0 (0x0)
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"NT Printing Services"=ftps.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{EAB15366-0E81-476D-83CC-1052FDF017C8}"= C:\WINDOWS\system32\hgGvvwXp.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uoyzsydz.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgGvvwXp]
hgGvvwXp.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\efcYOigg

*Newly Created Service* - DEFWATCH
*Newly Created Service* - NAVAP
*Newly Created Service* - NAVAPEL
*Newly Created Service* - NAVENG
*Newly Created Service* - NAVEX15
*Newly Created Service* - NORTON_ANTIVIRUS_SERVER
*Newly Created Service* - SYMEVENT



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8744 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-24 15:14:57 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 Quad CPU @ 2.40GHz
CPU 1: Intel® Core™2 Quad CPU @ 2.40GHz
CPU 2: Intel® Core™2 Quad CPU @ 2.40GHz
CPU 3: Intel® Core™2 Quad CPU @ 2.40GHz
Percentage of Memory in Use: 39%
Physical Memory (total/avail): 2046.48 MiB / 1236.56 MiB
Pagefile Memory (total/avail): 3939.36 MiB / 3327.98 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1914.56 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 200 GiB total, 180.45 GiB free.
D: is Fixed (NTFS) - 300 GiB total, 212.59 GiB free.
E: is Fixed (NTFS) - 431.51 GiB total, 405.21 GiB free.
F: is CDROM (CDFS)
I: is Removable (No Media)

\\.\PHYSICALDRIVE0 - MAXTOR STM31000340AS - 931.51 GiB - 3 partitions
\PARTITION0 (bootable) - Installable File System - 200 GiB - C:
\PARTITION1 - Extended Partition - 731.51 GiB - D: - E:

\\.\PHYSICALDRIVE1 - EPSON SP 925 Storage USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

FW: ActiveArmor Firewall v1.0 (NVIDIA Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"D:\\Download_Apps\\GigaTribe\\gigatribe.exe"="D:\\Download_Apps\\GigaTribe\\gigatribe.exe:*:Enabled:gigatribe"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"D:\\Download_Apps\\Limewire\\LimeWire.exe"="D:\\Download_Apps\\Limewire\\LimeWire.exe:*:Enabled:LimeWire"
"D:\\Programs\\Mirc\\Mirc\\Mirc2\\MIRC.EXE"="D:\\Programs\\Mirc\\Mirc\\Mirc2\\MIRC.EXE:*:Enabled:mIRC"
"D:\\Programs\\Mirc\\Mirc\\MIRC.EXE"="D:\\Programs\\Mirc\\Mirc\\MIRC.EXE:*:Enabled:mIRC"
"D:\\Programs\\Mirc\\Mirc\\Mirc3\\MIRC.EXE"="D:\\Programs\\Mirc\\Mirc\\Mirc3\\MIRC.EXE:*:Enabled:mIRC"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"="C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe:*:Disabled:Apache HTTP Server"
"F:\\Drivers\\E_reg\\EPSONREG.exe"="F:\\Drivers\\E_reg\\EPSONREG.exe:*:Disabled:Epson Registration"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Bruce Lee\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SLARTIBARTFAST
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Bruce Lee
LOGONSERVER=\\SLARTIBARTFAST
NUMBER_OF_PROCESSORS=4
OS=Windows_NT
Path=C:\PROGRA~1\Java\JRE16~1.0_0\bin;C:\PROGRA~1\Java\JRE16~1.0_0\bin;C:\Program Files\Mozilla Firefox;C:\Program Files\Microsoft Office\OFFICE11\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;.
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f07
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\BRUCEL~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\BRUCEL~1\LOCALS~1\Temp
USERDOMAIN=SLARTIBARTFAST
USERNAME=Bruce Lee
USERPROFILE=C:\Documents and Settings\Bruce Lee
WecVersionForRosebud.F48=2
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Bruce Lee (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABBYY Lingvo 10 First Step (En-Ru-En) --> MsiExec.exe /I{4183F2C2-CD6B-4E77-9EFC-410FE491AC01}
Adobe Reader 7.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A71000000002}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
ASUSUpdate --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{587178E7-B1DF-494E-9838-FA4DD36E873C}\setup.exe" -l0x9
BitZipper 5.0.4 --> "C:\Program Files\BitZipper\unins000.exe"
Corel Snapfire DVD Maker --> MsiExec.exe /X{17E14D89-3A9F-4706-9F9B-C2DFC7ABE94B}
Corel Snapfire Plus --> MsiExec.exe /X{7ADE3A47-B425-45E9-8FF6-11BE2B775645}
Creative DVD Audio Plugin for Audigy Series --> "C:\Program Files\Creative\CTDPlugin\CTUIDVD.exe " -u
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
EPSON Online Reference Guide --> C:\Program Files\epson\guide\uninstall.exe
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /r
EVGA Display Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BEF3EFE7-5159-436D-9BF0-CCC633179EB4}\Setup.exe" -l0x9 -removeonly
Film Factory --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\EPSON Software\Film Factory\Uninst.isu"
Free Video to Mp3 Converter version 3.1 --> "D:\Download_Apps\DVDVideoSoft\Free Video to Mp3 Converter\unins000.exe"
Free YouTube Download 2.2 --> "D:\Download_Apps\DVDVideoSoft\Free YouTube Download\unins000.exe"
Graboid Video 1.2 --> C:\Program Files\Graboid\uninst.exe
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "D:\Security\Hijack This\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Ink Monitor --> C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe -U
InterVideo WinDVD 5 --> "C:\Program Files\InstallShield Installation Information\{1B399A41-C1D0-40A2-9E4F-095868EFAF01}\setup.exe" REMOVEALL
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
LG USB Modem driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C3ABE126-2BB2-4246-BFE1-6797679B3579}\Setup.exe" -l0x9 LG
LimeWire 4.16.7 --> "D:\Download_Apps\Limewire\uninstall.exe"
LiveUpdate 1.6 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Magic Online III --> C:\Program Files\InstallShield Installation Information\{AF7733C1-FB0B-4FED-9730-E0433AF7A2EF}\setup.exe -runfromtemp -l0x0009 -removeonly
Microsoft Office Publisher 2003 --> MsiExec.exe /I{91190409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
mIRC --> "D:\Programs\Mirc\Mirc\Mirc2\MIRC.EXE" -uninstall
Mozilla ActiveX Control v1.7.12 --> C:\Program Files\Mozilla ActiveX Control v1.7.12\uninst.exe
Mozilla Firefox (2.0.0.16) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Nero 7 Essentials --> MsiExec.exe /I{779C40FF-9211-427B-A5C4-2026B85A1033}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
Norton AntiVirus Corporate Edition --> MsiExec.exe /I{BD12EB47-DBDF-11D3-BEEA-00A0CC272509}
NVIDIA Drivers --> C:\WINDOWS\system32\nvuide.exe UninstallGUI
NVIDIA ForceWare Network Access Manager --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{1F6423DE-7959-4178-80E0-023C7EAA5347} /l1033
QuickTime --> MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" -l0x9 -removeonly
SPORE™ Creature Creator Trial Edition --> "C:\Program Files\InstallShield Installation Information\{ECEE0279-785F-4CB3-9F28-E69813234BF8}\setup.exe" -runfromtemp -l0x0009 -removeonly
Uninstall 1.0.0.1 --> "C:\Program Files\Common Files\DVDVideoSoft\unins000.exe"
V CAST Music Manager --> C:\PROGRA~1\VERIZO~1\VCASTM~1\Setup.exe /remove /q0
VideoLAN VLC media player 0.8.6d --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Xvid 1.1.3 final uninstall --> "C:\Program Files\Xvid\unins000.exe"
ZIP Reader 8.00.0018 --> MsiExec.exe /I{856C155E-4A74-4041-B026-04F96FFD1BCD}


-- Application Event Log -------------------------------------------------------

Event Record #/Type1154 / Error
Event Submitted/Written: 07/24/2008 03:14:21 PM
Event ID/Source: 5 / Norton AntiVirus
Event Description:
Virus Found!Virus name: Downloader in File: C:\WINDOWS\winself.exe by: Realtime Protection scan. Action: Clean failed : Quarantine failed : Access denied

Event Record #/Type1153 / Error
Event Submitted/Written: 07/24/2008 03:14:16 PM
Event ID/Source: 5 / Norton AntiVirus
Event Description:
Virus Found!Virus name: Downloader in File: C:\WINDOWS\winself.exe by: Realtime Protection scan. Action: Clean failed : Quarantine failed : Access denied

Event Record #/Type1152 / Error
Event Submitted/Written: 07/24/2008 03:14:10 PM
Event ID/Source: 5 / Norton AntiVirus
Event Description:
Virus Found!Virus name: Downloader in File: C:\WINDOWS\winself.exe by: Realtime Protection scan. Action: Clean failed : Quarantine failed : Access denied

Event Record #/Type1151 / Error
Event Submitted/Written: 07/24/2008 03:08:50 PM
Event ID/Source: 5 / Norton AntiVirus
Event Description:
Virus Found!Virus name: Trojan.Ditsec in File: C:\Documents and Settings\Bruce Lee\Application Data\Microsoft\dtsc\27990.exe by: Realtime Protection scan. Action: Clean failed : Quarantine failed : Access denied

Event Record #/Type1150 / Error
Event Submitted/Written: 07/24/2008 03:08:48 PM
Event ID/Source: 5 / Norton AntiVirus
Event Description:
Virus Found!Virus name: Trojan.Ditsec in File: C:\Documents and Settings\Bruce Lee\Application Data\Microsoft\dtsc\27990.exe by: Realtime Protection scan. Action: Clean failed : Quarantine failed : Access denied



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type2767 / Warning
Event Submitted/Written: 07/24/2008 03:14:21 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%SLARTIBARTFAST27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %SLARTIBARTFAST27 can't undo changes that you allow.

For more information please see the following:
%SLARTIBARTFAST275

Scan ID: {94ABDE22-7D9E-4014-BAC9-7B8735402509}

User: SLARTIBARTFAST\Bruce Lee

Name: %SLARTIBARTFAST271

ID: %SLARTIBARTFAST272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %SLARTIBARTFAST276

Alert Type: %SLARTIBARTFAST278

Detection Type: 1.1.1593.02

Event Record #/Type2766 / Warning
Event Submitted/Written: 07/24/2008 03:14:21 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%SLARTIBARTFAST27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %SLARTIBARTFAST27 can't undo changes that you allow.

For more information please see the following:
%SLARTIBARTFAST275

Scan ID: {51C0A51D-1046-40D8-84DC-AD1D10DCD0A2}

User: SLARTIBARTFAST\Bruce Lee

Name: %SLARTIBARTFAST271

ID: %SLARTIBARTFAST272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %SLARTIBARTFAST276

Alert Type: %SLARTIBARTFAST278

Detection Type: 1.1.1593.02

Event Record #/Type2765 / Warning
Event Submitted/Written: 07/24/2008 03:14:21 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%SLARTIBARTFAST27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %SLARTIBARTFAST27 can't undo changes that you allow.

For more information please see the following:
%SLARTIBARTFAST275

Scan ID: {963B648D-4DB8-458E-8458-FB2E7C03FD9C}

User: SLARTIBARTFAST\Bruce Lee

Name: %SLARTIBARTFAST271

ID: %SLARTIBARTFAST272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %SLARTIBARTFAST276

Alert Type: %SLARTIBARTFAST278

Detection Type: 1.1.1593.02

Event Record #/Type2764 / Warning
Event Submitted/Written: 07/24/2008 03:14:18 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%SLARTIBARTFAST27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %SLARTIBARTFAST27 can't undo changes that you allow.

For more information please see the following:
%SLARTIBARTFAST275

Scan ID: {FF4FFB3C-85C5-488A-8185-F6C8CBFDEBD0}

User: SLARTIBARTFAST\Bruce Lee

Name: %SLARTIBARTFAST271

ID: %SLARTIBARTFAST272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %SLARTIBARTFAST276

Alert Type: %SLARTIBARTFAST278

Detection Type: 1.1.1593.02

Event Record #/Type2763 / Warning
Event Submitted/Written: 07/24/2008 03:14:18 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%SLARTIBARTFAST27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %SLARTIBARTFAST27 can't undo changes that you allow.

For more information please see the following:
%SLARTIBARTFAST275

Scan ID: {1F861EAF-7FA1-40AA-AAD3-65A8320FE82C}

User: SLARTIBARTFAST\Bruce Lee

Name: %SLARTIBARTFAST271

ID: %SLARTIBARTFAST272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %SLARTIBARTFAST276

Alert Type: %SLARTIBARTFAST278

Detection Type: 1.1.1593.02



-- End of Deckard's System Scanner: finished at 2008-07-24 15:14:57 ------------

Edited by Flare613, 24 July 2008 - 05:31 PM.
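The load points in the log above (the DisableTaskMgr policy value, the policies\explorer\Run entry, the ShellExecuteHook DLL, the second executable appended to Userinit, the Winlogon Notify package and the extra LSA authentication package) are the persistence mechanisms a responder triages first, because they run inside winlogon.exe, lsass.exe and every ShellExecute call rather than as ordinary startup programs. What follows is an added example, not part of the forum post and not code from Deckard's System Scanner or HijackThis: it parses log lines in that format and reports entries that fall outside a small set of Windows XP defaults. The sample lines are copied from the log above plus one ordinary Run entry; the allowlists of default Winlogon Notify packages, authentication packages and the shell32.dll hook are this example's own assumptions, and its rules are review heuristics, not a verdict.

```python
"""Triage registry load points from a Deckard's System Scanner / HijackThis-style log.

Added example, not part of the forum post and not DSS/HijackThis code.
The allowlists below are this example's assumptions about Windows XP SP2 defaults.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the DSS log above, plus one ordinary Run entry.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispScrSavPage"=0 (0x0)
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"NT Printing Services"=ftps.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{EAB15366-0E81-476D-83CC-1052FDF017C8}"= C:\WINDOWS\system32\hgGvvwXp.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uoyzsydz.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgGvvwXp]
hgGvvwXp.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\efcYOigg

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\Program Files\NavNT\vptray.exe" [2001-09-24 07:59 73728]
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')

# Assumed XP SP2 defaults (subkey names are compared lower-cased). Anything else is reported
# for review; third-party packages (e.g. a display driver's) will show up here too.
DEFAULT_WINLOGON_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                           "sclgntfy", "senslogn", "termsrv", "wlballoon"}
DEFAULT_AUTH_PACKAGES = {"msv1_0"}
DEFAULT_USERINIT = {"userinit.exe"}
DEFAULT_SHELLEXECUTE_HOOK_DLLS = {"shell32.dll"}


@dataclass
class Finding:
    location: str   # registry key the entry lives under
    detail: str     # what was unusual about it


def _strip_quotes(s: str) -> str:
    s = s.strip()
    return s[1:-1] if len(s) >= 2 and s[0] == '"' and s[-1] == '"' else s


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def parse_load_points(log_text: str):
    """Yield (key, name, value) for every entry; bare lines under a key yield name=None."""
    key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key").lower()
            continue
        if key is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            yield key, m.group("name"), m.group("value").strip()
        else:
            yield key, None, line


def triage(log_text: str) -> list:
    """Return the entries that sit in high-value persistence locations or deviate from defaults."""
    findings = []
    for key, name, value in parse_load_points(log_text):
        value = re.sub(r"\s*\[[^\]]*\]$", "", value)   # drop DSS/ComboFix "[date size]" annotation
        lname = (name or "").lower()
        if key.endswith(r"\policies\system") and lname == "disabletaskmgr" and value.startswith("1"):
            findings.append(Finding(key, "Task Manager disabled by policy (DisableTaskMgr=1)"))
        elif key.endswith(r"\policies\explorer\run"):
            # Policy Run key: executed by Explorer, rarely used by legitimate installers.
            findings.append(Finding(key, f"policy Run entry '{name}' -> {value}"))
        elif key.endswith(r"\shellexecutehooks"):
            dll = _basename(_strip_quotes(value))
            if dll.lower() not in DEFAULT_SHELLEXECUTE_HOOK_DLLS:
                findings.append(Finding(key, f"ShellExecuteHook {name} -> {dll}"))
        elif key.endswith(r"\winlogon") and lname == "userinit":
            # Userinit is a comma-separated list; only userinit.exe belongs there.
            for entry in filter(None, (e.strip() for e in _strip_quotes(value).split(","))):
                if _basename(entry).lower() not in DEFAULT_USERINIT:
                    findings.append(Finding(key, f"extra Userinit entry {entry}"))
        elif "\\winlogon\\notify\\" in key:
            sub = key.rsplit("\\", 1)[-1]
            if sub not in DEFAULT_WINLOGON_NOTIFY:
                findings.append(Finding(key, f"non-default Winlogon Notify package -> {value}"))
        elif key.endswith(r"\control\lsa") and lname == "authentication packages":
            # Loaded into lsass.exe; only msv1_0 is expected on a standalone XP box.
            for pkg in _strip_quotes(value).split():
                if _basename(pkg).lower() not in DEFAULT_AUTH_PACKAGES:
                    findings.append(Finding(key, f"extra LSA authentication package {pkg}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.location}]\n    {f.detail}")
```

Run as a script it prints seven findings for the sample and nothing for the ordinary Run entry, which is the point: the noise in a HijackThis-style log is the Run keys, while the entries worth attention are the ones loaded by winlogon.exe and lsass.exe or hooked into ShellExecute, since code running there can rewrite a policy value or a Run entry as soon as a tool removes it.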




#2 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 24 July 2008 - 06:38 PM

Hello Flare613

Welcome to BleepingComputer :thumbsup:
========================
Please visit this web page for instructions on downloading and running ComboFix: ComboFix Instructions
We now suggest that you install the Windows Recovery Console.
The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Post the log from ComboFix when you've accomplished all of that, along with a new HijackThis log.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free; however, if you would like to make a donation to me for the help I have provided, please click here.

#3 Flare613
  • Topic Starter

  • Members
  • 8 posts

Posted 25 July 2008 - 12:37 AM

Hi,

Thanks for responding so quickly. I do not know how to enable the Windows Recovery Console. I looked around a bit online but found no clear explanation.

I was finally able to run the Kaspersky online scanner, although I am not entirely sure whether it completed. I will post it anyway in case it helps. That log was taken prior to the ComboFix fixes and reboot, along with the new HijackThis log.

I just had one quick question too. I am trying to understand better how some of this works. What does "orphans removed" mean? I saw it in the ComboFix log, and it pertained to one file that gave me a lot of problems.

Kaspersky:

KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, July 24, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, July 24, 2008 22:06:03
Records in database: 1004803
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
I:\

Scan statistics:
Files scanned: 129042
Threat name: 9
Infected objects: 25
Suspicious objects: 0
Duration of the scan: 04:13:23


File name / Threat name / Threats count
C:\WINDOWS\system32\uoyzsydz.exe//PE_Patch.UPX//UPX/C:\WINDOWS\system32\uoyzsydz.exe//PE_Patch.UPX//UPX Infected: Hoax.Win32.Renos.vaoc 1
C:\WINDOWS\portsv.exe/C:\WINDOWS\portsv.exe Infected: Trojan.Win32.Agent.vgd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C940000.VBN Infected: Trojan-Downloader.Win32.Agent.vgl 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C940001.VBN Infected: Trojan-Downloader.Win32.Agent.vgl 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C940002.VBN Infected: Trojan-Downloader.Win32.Agent.vgl 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C940005.VBN Infected: Trojan.Win32.Pakes.dfs 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C940006.VBN Infected: Trojan.Win32.Pakes.dfs 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C940007.VBN Infected: Trojan-Clicker.Win32.Agent.tg 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C940008.VBN Infected: Trojan-Clicker.Win32.Agent.tg 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C940009.VBN Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C94000A.VBN Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C94000B.VBN Infected: Trojan-Downloader.Win32.VB.epp 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C94000C.VBN Infected: Trojan-Downloader.Win32.VB.epp 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F4C0000.VBN Infected: Trojan-Downloader.Win32.VB.epp 1
C:\Documents and Settings\Bruce Lee\Local Settings\Temporary Internet Files\Content.IE5\ODQVOHEB\newcim[1].exe Infected: Trojan-Downloader.Win32.VB.epp 1
C:\Documents and Settings\Bruce Lee\My Documents\My Music\LimeWire\Saved\down in willow garden tim.mp3 Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\Documents and Settings\Bruce Lee\My Documents\My Music\LimeWire\Saved\Flobots-Happy Together.mp3 Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\WINDOWS\lfn.exe Infected: Hoax.Win32.Renos.vaoc 1
C:\WINDOWS\portsv.exe Infected: Trojan.Win32.Agent.vgd 1
C:\WINDOWS\system32\uoyzsydz.exe Infected: Hoax.Win32.Renos.vaoc 1
D:\Programs\Mirc\Mirc\MIRC.EXE Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
D:\Programs\Mirc\Mirc\Mirc2\MIRC.EXE Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
D:\Programs\Mirc\Mirc\Mirc3\MIRC.EXE Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
D:\Programs\Mirc\Mirc\Mirc4\MIRC.EXE Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
D:\Security\pass\Cain\Cain.exe Infected: not-a-virus:PSWTool.Win32.Cain.28 1

The selected area was scanned.

Combofix:

ComboFix 08-07-24.1 - Bruce Lee 2008-07-24 22:16:49.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1218 [GMT -7:00]
Running from: C:\Documents and Settings\Bruce Lee\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Bruce Lee\Application Data\Microsoft\dtsc
C:\Documents and Settings\Bruce Lee\Application Data\Microsoft\dtsc\27990.exe
C:\Documents and Settings\Bruce Lee\Application Data\Microsoft\dtsc\s
C:\Documents and Settings\Bruce Lee\Application Data\rhcvwtj0ev2g
C:\WINDOWS\accesss.exe
C:\WINDOWS\astctl32.ocx
C:\WINDOWS\avpcc.dll
C:\WINDOWS\clrssn.exe
C:\WINDOWS\cpan.dll
C:\WINDOWS\ctfmon32.exe
C:\WINDOWS\ctrlpan.dll
C:\WINDOWS\default.htm
C:\WINDOWS\directx32.exe
C:\WINDOWS\dnsrelay.dll
C:\WINDOWS\editpad.exe
C:\WINDOWS\explore.exe
C:\WINDOWS\explorer32.exe
C:\WINDOWS\funniest.exe
C:\WINDOWS\funny.exe
C:\WINDOWS\gfmnaaa.dll
C:\WINDOWS\helpcvs.exe
C:\WINDOWS\iedll.exe
C:\WINDOWS\iexplorer.exe
C:\WINDOWS\inetinf.exe
C:\WINDOWS\internet.exe
C:\WINDOWS\lfn.exe
C:\WINDOWS\loader.exe
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\msconfd.dll
C:\WINDOWS\msspi.dll
C:\WINDOWS\mssys.exe
C:\WINDOWS\msupdate.exe
C:\WINDOWS\mswsc10.dll
C:\WINDOWS\mswsc20.dll
C:\WINDOWS\mtwirl32.dll
C:\WINDOWS\muotr.so
C:\WINDOWS\notepad32.exe
C:\WINDOWS\olehelp.exe
C:\WINDOWS\portsv.exe
C:\WINDOWS\qttasks.exe
C:\WINDOWS\quicken.exe
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundll32.vbe
C:\WINDOWS\searchword.dll
C:\WINDOWS\sistem.exe
C:\WINDOWS\svchost32.exe
C:\WINDOWS\svcinit.exe
C:\WINDOWS\systeem.exe
C:\WINDOWS\system32\ggiOYcfe.ini
C:\WINDOWS\system32\ggiOYcfe.ini2
C:\WINDOWS\system32\hljwugsf.bin
C:\WINDOWS\system32\joeywiqv.ini
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\uoyzsydz.exe
C:\WINDOWS\systemcritical.exe
C:\WINDOWS\time.exe
C:\WINDOWS\users32.exe
C:\WINDOWS\waol.exe
C:\WINDOWS\win32e.exe
C:\WINDOWS\win64.exe
C:\WINDOWS\winajbm.dll
C:\WINDOWS\window.exe
C:\WINDOWS\winmgnt.exe
C:\WINDOWS\winself.exe
C:\WINDOWS\x.exe
C:\WINDOWS\xplugin.dll
C:\WINDOWS\xxxvideo.hta
C:\WINDOWS\y.exe

----- BITS: Possible infected sites -----

http://www.graboid.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSSECURITY1.209.4
-------\Service_MsSecurity1.209.4
-------\Legacy_PlugPlayRPC
-------\Service_PlugPlayRPC


((((((((((((((((((((((((( Files Created from 2008-06-25 to 2008-07-25 )))))))))))))))))))))))))))))))
.

2008-07-24 15:10 . 2008-07-24 15:10 <DIR> d-------- C:\Deckard
2008-07-24 11:00 . 2008-07-24 11:00 0 --a------ C:\WINDOWS\VPC32.INI
2008-07-24 10:29 . 2008-07-24 10:53 <DIR> d-------- C:\!Submit
2008-07-24 10:19 . 2008-07-24 10:19 <DIR> d-------- C:\WINDOWS\system32\CBA
2008-07-24 10:19 . 2008-07-24 10:19 <DIR> d-------- C:\Program Files\Symantec
2008-07-24 10:19 . 2008-07-24 15:14 <DIR> d-------- C:\Program Files\NavNT
2008-07-24 10:19 . 2008-07-24 10:19 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-24 10:19 . 2008-07-24 10:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-24 10:19 . 2001-09-24 07:59 120,379 --a------ C:\WINDOWS\system32\SYMEVNT.386
2008-07-24 10:19 . 2001-09-24 07:59 57,696 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-07-24 10:19 . 2001-09-24 07:59 36,864 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-07-24 10:19 . 2001-09-24 07:59 4,032 --a------ C:\WINDOWS\system32\SYMEVNT1.DLL
2008-07-18 02:11 . 2008-07-24 12:30 581 --a------ C:\WINDOWS\wininit.ini
2008-07-17 20:23 . 2008-07-22 21:29 <DIR> d-------- C:\WINDOWS\system32\5583
2008-07-17 16:56 . 2008-07-17 16:56 110,415 --a------ C:\WINDOWS\BMa32ccacf.xml
2008-07-17 16:09 . 2008-07-24 10:32 <DIR> d-------- C:\WINDOWS\system32\aumsDK06
2008-07-17 16:09 . 2008-07-17 16:09 <DIR> d-------- C:\Temp\zpv201
2008-07-16 23:12 . 2008-07-18 01:53 <DIR> d-------- C:\Documents and Settings\Bruce Lee\Application Data\SPORE Creature Creator
2008-07-16 23:12 . 2008-07-16 23:12 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-07-11 10:57 . 2008-07-11 10:57 <DIR> d-------- C:\Program Files\uTorrent
2008-07-10 22:47 . 2008-07-10 23:01 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-10 22:47 . 2008-07-10 22:47 52,224 --a------ C:\WINDOWS\system32\ftps.exe
2008-07-10 22:47 . 2008-07-10 22:47 7,680 --a------ C:\WINDOWS\system32\chkdskss.exe
2008-07-10 22:47 . 2008-07-10 22:47 7,680 --a------ C:\WINDOWS\system32\chkdsks.exe
2008-07-10 22:47 . 2008-07-24 22:18 97 --a------ C:\WINDOWS\system32\Monitored3.dat
2008-07-10 22:47 . 2008-07-10 22:47 10 --a------ C:\WINDOWS\system32\ciadvss.exe
2008-07-10 22:47 . 2008-07-10 22:47 10 --a------ C:\WINDOWS\system32\ciadvs.exe
2008-07-09 13:33 . 2008-07-09 13:33 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-07-09 13:33 . 2008-07-09 13:33 <DIR> d-------- C:\Program Files\PKWARE
2008-07-09 13:33 . 2008-07-09 13:33 <DIR> d-------- C:\Program Files\Common Files\PKWARE
2008-07-09 11:48 . 2008-07-09 11:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Launcher
2008-07-07 23:20 . 2008-07-07 23:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Graboid Inc
2008-07-07 23:19 . 2008-07-07 23:19 <DIR> d-------- C:\Documents and Settings\Bruce Lee\Application Data\MozillaControl
2008-07-07 23:18 . 2008-07-07 23:18 <DIR> d-------- C:\Program Files\VideoLAN
2008-07-07 23:18 . 2008-07-07 23:19 <DIR> d-------- C:\Program Files\Mozilla ActiveX Control v1.7.12
2008-07-07 23:18 . 2008-07-07 23:19 <DIR> d-------- C:\Program Files\Graboid
2008-07-05 14:03 . 2008-07-05 14:03 <DIR> d-------- C:\Program Files\QuickTime
2008-07-05 14:03 . 2008-07-05 14:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-05 14:02 . 2008-07-05 14:02 <DIR> d-------- C:\Program Files\Apple Software Update
2008-07-05 14:02 . 2008-07-05 14:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-07-04 02:51 . 2008-07-04 02:51 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-04 02:51 . 2008-07-04 02:51 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-27 11:49 . 2008-06-27 11:49 <DIR> d-------- C:\Program Files\Common Files\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-17 06:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-13 08:28 --------- d-----w C:\Documents and Settings\Bruce Lee\Application Data\GigaTribe
2008-07-08 20:58 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft
2008-07-01 06:30 --------- d-----w C:\Documents and Settings\Bruce Lee\Application Data\AdobeUM
2008-06-23 01:42 --------- d-----w C:\Program Files\Windows Defender
2008-06-23 00:46 --------- d-----w C:\Documents and Settings\Bruce Lee\Application Data\Lavasoft
2008-06-23 00:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-18 07:19 --------- d-----w C:\Program Files\DivX
2008-06-18 07:18 --------- d-----w C:\Program Files\Xvid
2008-06-16 05:11 --------- d-----w C:\Program Files\Verizon Wireless
2008-06-16 05:11 --------- d-----w C:\Program Files\LG Electronics
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-03 06:40 --------- d-----w C:\Program Files\BitZipper
2008-06-03 06:40 --------- d-----w C:\Documents and Settings\Bruce Lee\Application Data\BitZipper
2008-05-27 09:37 --------- d-----w C:\Documents and Settings\Bruce Lee\Application Data\Corel
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 05:00 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 14:49 153136]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nTrayFw"="C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe" [2006-02-17 10:40 270336]
"Ink Monitor"="C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe" [2002-08-05 01:37 258116]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Lingvo Launcher"="C:\Program Files\ABBYY Lingvo 10 First Step\Lvagent.exe" [2005-02-15 13:55 118784]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 19:53 153136]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"vptray"="C:\Program Files\NavNT\vptray.exe" [2001-09-24 07:59 73728]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-11 06:03 8429568]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 02:21 16270848 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 03:04 2879488 C:\WINDOWS\SkyTel.exe]
"nwiz"="nwiz.exe" [2007-05-11 06:03 1626112 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 05:00 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 19:29 39264]

[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"NT Printing Services"="ftps.exe" [2008-07-10 22:47 52224 C:\WINDOWS\system32\ftps.exe]

C:\Documents and Settings\Bruce Lee\Start Menu\Programs\Startup\
MEMonitor.lnk - C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [2008-06-15 22:11:21 951640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-05-13 14:55:10 184320]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"D:\\Download_Apps\\GigaTribe\\gigatribe.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"D:\\Download_Apps\\Limewire\\LimeWire.exe"=
"D:\\Programs\\Mirc\\Mirc\\Mirc2\\MIRC.EXE"=
"D:\\Programs\\Mirc\\Mirc\\MIRC.EXE"=
"D:\\Programs\\Mirc\\Mirc\\Mirc3\\MIRC.EXE"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=

.
Contents of the 'Scheduled Tasks' folder
"2008-07-14 18:06:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-24 09:10:00 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{497A55FE-90E1-44DC-AF6F-BA425E4007A6} - C:\WINDOWS\system32\efcYOigg.dll
HKCU-Run-Microsoft Windows Installer - C:\Documents and Settings\Bruce Lee\Application Data\Microsoft\dtsc\27990.exe
HKLM-Run-SMrhcvwtj0ev2g - C:\Program Files\rhcvwtj0ev2g\rhcvwtj0ev2g.exe
Notify-hgGvvwXp - hgGvvwXp.dll


.
------- Supplementary Scan -------
.
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-24 22:20:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\MSGSYS.EXE
.
**************************************************************************
.
Completion time: 2008-07-24 22:21:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-25 05:21:35

Pre-Run: 193,658,068,992 bytes free
Post-Run: 193,633,468,416 bytes free

250 --- E O F --- 2008-07-16 09:16:32


Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:32:33 PM, on 7/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ABBYY Lingvo 10 First Step\Lvagent.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Security\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Lingvo Launcher] "C:\Program Files\ABBYY Lingvo 10 First Step\Lvagent.exe" /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKCU\..\Policies\Explorer\Run: [NT Printing Services] ftps.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--
End of file - 7057 bytes

#4 kahdah (Security Colleague)

Posted 25 July 2008 - 04:51 AM

Orphans Removed means that once a file is deleted, ComboFix automatically removes the orphaned registry entry associated with that file name.
The instructions for the Recovery Console are on the page with the ComboFix instructions.
=========================================================
We now suggest that you install the Windows Recovery Console. The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.

Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When prompted to scan for infected files, choose no. When done, a log named CF_RC.txt will open. Please post the contents of that log.


Please do not reboot your machine until we have reviewed the log.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#5 Flare613 (Topic Starter)

Posted 25 July 2008 - 06:19 AM

Apparently I can't follow simple directions. I clicked yes when it prompted to scan for infected files. I tried rerunning, but it would not allow it, stating that the Windows Recovery Console is already installed. It then dropped my internet connection. So I am posting the file it generated since I clicked yes instead of no. If you need me to do something else, let me know. I don't know how to rerun the Recovery Console through ComboFix now.

ComboFix 08-07-24.1 - Bruce Lee 2008-07-25 4:04:41.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.976 [GMT -7:00]
Running from: C:\Documents and Settings\Bruce Lee\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Bruce Lee\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-06-25 to 2008-07-25 )))))))))))))))))))))))))))))))
.

2008-07-24 15:10 . 2008-07-24 15:10 <DIR> d-------- C:\Deckard
2008-07-24 11:00 . 2008-07-24 11:00 0 --a------ C:\WINDOWS\VPC32.INI
2008-07-24 10:29 . 2008-07-24 10:53 <DIR> d-------- C:\!Submit
2008-07-24 10:19 . 2008-07-24 10:19 <DIR> d-------- C:\WINDOWS\system32\CBA
2008-07-24 10:19 . 2008-07-24 10:19 <DIR> d-------- C:\Program Files\Symantec
2008-07-24 10:19 . 2008-07-24 15:14 <DIR> d-------- C:\Program Files\NavNT
2008-07-24 10:19 . 2008-07-24 10:19 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-24 10:19 . 2008-07-24 10:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-24 10:19 . 2001-09-24 07:59 120,379 --a------ C:\WINDOWS\system32\SYMEVNT.386
2008-07-24 10:19 . 2001-09-24 07:59 57,696 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-07-24 10:19 . 2001-09-24 07:59 36,864 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-07-24 10:19 . 2001-09-24 07:59 4,032 --a------ C:\WINDOWS\system32\SYMEVNT1.DLL
2008-07-18 02:11 . 2008-07-24 12:30 581 --a------ C:\WINDOWS\wininit.ini
2008-07-17 20:23 . 2008-07-22 21:29 <DIR> d-------- C:\WINDOWS\system32\5583
2008-07-17 16:56 . 2008-07-17 16:56 110,415 --a------ C:\WINDOWS\BMa32ccacf.xml
2008-07-17 16:09 . 2008-07-24 10:32 <DIR> d-------- C:\WINDOWS\system32\aumsDK06
2008-07-17 16:09 . 2008-07-17 16:09 <DIR> d-------- C:\Temp\zpv201
2008-07-16 23:12 . 2008-07-18 01:53 <DIR> d-------- C:\Documents and Settings\Bruce Lee\Application Data\SPORE Creature Creator
2008-07-16 23:12 . 2008-07-16 23:12 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-07-11 10:57 . 2008-07-11 10:57 <DIR> d-------- C:\Program Files\uTorrent
2008-07-10 22:47 . 2008-07-10 23:01 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-10 22:47 . 2008-07-10 22:47 52,224 --a------ C:\WINDOWS\system32\ftps.exe
2008-07-10 22:47 . 2008-07-10 22:47 7,680 --a------ C:\WINDOWS\system32\chkdskss.exe
2008-07-10 22:47 . 2008-07-10 22:47 7,680 --a------ C:\WINDOWS\system32\chkdsks.exe
2008-07-10 22:47 . 2008-07-25 04:05 97 --a------ C:\WINDOWS\system32\Monitored3.dat
2008-07-10 22:47 . 2008-07-10 22:47 10 --a------ C:\WINDOWS\system32\ciadvss.exe
2008-07-10 22:47 . 2008-07-10 22:47 10 --a------ C:\WINDOWS\system32\ciadvs.exe
2008-07-09 13:33 . 2008-07-09 13:33 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-07-09 13:33 . 2008-07-09 13:33 <DIR> d-------- C:\Program Files\PKWARE
2008-07-09 13:33 . 2008-07-09 13:33 <DIR> d-------- C:\Program Files\Common Files\PKWARE
2008-07-09 11:48 . 2008-07-09 11:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Launcher
2008-07-07 23:20 . 2008-07-07 23:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Graboid Inc
2008-07-07 23:19 . 2008-07-07 23:19 <DIR> d-------- C:\Documents and Settings\Bruce Lee\Application Data\MozillaControl
2008-07-07 23:18 . 2008-07-07 23:18 <DIR> d-------- C:\Program Files\VideoLAN
2008-07-07 23:18 . 2008-07-07 23:19 <DIR> d-------- C:\Program Files\Mozilla ActiveX Control v1.7.12
2008-07-07 23:18 . 2008-07-07 23:19 <DIR> d-------- C:\Program Files\Graboid
2008-07-05 14:03 . 2008-07-05 14:03 <DIR> d-------- C:\Program Files\QuickTime
2008-07-05 14:03 . 2008-07-05 14:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-05 14:02 . 2008-07-05 14:02 <DIR> d-------- C:\Program Files\Apple Software Update
2008-07-05 14:02 . 2008-07-05 14:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-07-04 02:51 . 2008-07-04 02:51 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-04 02:51 . 2008-07-04 02:51 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-27 11:49 . 2008-06-27 11:49 <DIR> d-------- C:\Program Files\Common Files\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-17 06:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-13 08:28 --------- d-----w C:\Documents and Settings\Bruce Lee\Application Data\GigaTribe
2008-07-08 20:58 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft
2008-07-01 06:30 --------- d-----w C:\Documents and Settings\Bruce Lee\Application Data\AdobeUM
2008-06-23 01:42 --------- d-----w C:\Program Files\Windows Defender
2008-06-23 00:46 --------- d-----w C:\Documents and Settings\Bruce Lee\Application Data\Lavasoft
2008-06-23 00:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-18 07:19 --------- d-----w C:\Program Files\DivX
2008-06-18 07:18 --------- d-----w C:\Program Files\Xvid
2008-06-16 05:11 --------- d-----w C:\Program Files\Verizon Wireless
2008-06-16 05:11 --------- d-----w C:\Program Files\LG Electronics
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-03 06:40 --------- d-----w C:\Program Files\BitZipper
2008-06-03 06:40 --------- d-----w C:\Documents and Settings\Bruce Lee\Application Data\BitZipper
2008-05-30 17:22 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-05-30 17:22 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-05-30 17:19 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-05-30 17:19 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-05-27 09:37 --------- d-----w C:\Documents and Settings\Bruce Lee\Application Data\Corel
2008-05-27 09:27 5,330 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-27 17:35 180,224 ----a-w C:\WINDOWS\system32\xvidvfw.dll
2008-04-27 17:33 765,952 ----a-w C:\WINDOWS\system32\xvidcore.dll
.

((((((((((((((((((((((((((((( snapshot@2008-07-24_22.21.26.34 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 05:00 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 14:49 153136]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nTrayFw"="C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe" [2006-02-17 10:40 270336]
"Ink Monitor"="C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe" [2002-08-05 01:37 258116]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Lingvo Launcher"="C:\Program Files\ABBYY Lingvo 10 First Step\Lvagent.exe" [2005-02-15 13:55 118784]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 19:53 153136]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"vptray"="C:\Program Files\NavNT\vptray.exe" [2001-09-24 07:59 73728]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-11 06:03 8429568]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 02:21 16270848 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 03:04 2879488 C:\WINDOWS\SkyTel.exe]
"nwiz"="nwiz.exe" [2007-05-11 06:03 1626112 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 05:00 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 19:29 39264]

[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"NT Printing Services"="ftps.exe" [2008-07-10 22:47 52224 C:\WINDOWS\system32\ftps.exe]

C:\Documents and Settings\Bruce Lee\Start Menu\Programs\Startup\
MEMonitor.lnk - C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [2008-06-15 22:11:21 951640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-05-13 14:55:10 184320]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"D:\\Download_Apps\\GigaTribe\\gigatribe.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"D:\\Download_Apps\\Limewire\\LimeWire.exe"=
"D:\\Programs\\Mirc\\Mirc\\Mirc2\\MIRC.EXE"=
"D:\\Programs\\Mirc\\Mirc\\MIRC.EXE"=
"D:\\Programs\\Mirc\\Mirc\\Mirc3\\MIRC.EXE"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=

.
Contents of the 'Scheduled Tasks' folder
"2008-07-14 18:06:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-25 08:43:39 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
.
------- Supplementary Scan -------
.
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-25 04:05:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-07-25 4:06:20
ComboFix-quarantined-files.txt 2008-07-25 11:06:16

Pre-Run: 193,583,443,968 bytes free
Post-Run: 193,552,310,272 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

164 --- E O F --- 2008-07-16 09:16:32

#6 kahdah (Security Colleague)

Posted 25 July 2008 - 11:13 AM

1. Please open Notepad
  • Click Start, then Run
  • Type notepad in the Run box, then click OK.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\BMa32ccacf.xml
C:\WINDOWS\system32\ftps.exe
C:\WINDOWS\system32\chkdskss.exe
C:\WINDOWS\system32\chkdsks.exe
C:\WINDOWS\system32\Monitored3.dat
C:\WINDOWS\system32\ciadvss.exe
C:\WINDOWS\system32\ciadvs.exe
C:\WINDOWS\VPC32.INI
Folder::
C:\WINDOWS\system32\aumsDK06
C:\Temp\zpv201
Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"NT Printing Services"=-
Dirlook::
C:\WINDOWS\system32\5583
C:\!Submit


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


#7 Flare613 (Topic Starter)

Posted 25 July 2008 - 03:04 PM

OK done. Btw, ty so far!

I have a few questions also. Do you happen to know which thing it is that infected my system in the first place? I kind of have it narrowed to only a few things as I haven't downloaded a great deal recently. Also, I have like over 40 processes running on startup. I would like to streamline that. How much is really necessary? Should I really have 6 svchost.exe? Maybe you could refer me to a place that would help me eliminate unneeded processes in startup.

Here's the combofix and hijackthis logs.

ComboFix 08-07-24.1 - Bruce Lee 2008-07-25 12:53:42.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1027 [GMT -7:00]
Running from: C:\Documents and Settings\Bruce Lee\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Bruce Lee\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BMa32ccacf.xml
C:\WINDOWS\system32\chkdsks.exe
C:\WINDOWS\system32\chkdskss.exe
C:\WINDOWS\system32\ciadvs.exe
C:\WINDOWS\system32\ciadvss.exe
C:\WINDOWS\system32\ftps.exe
C:\WINDOWS\system32\Monitored3.dat
C:\WINDOWS\VPC32.INI
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\zpv201
C:\WINDOWS\BMa32ccacf.xml
C:\WINDOWS\system32\aumsDK06
C:\WINDOWS\system32\chkdsks.exe
C:\WINDOWS\system32\chkdskss.exe
C:\WINDOWS\system32\ciadvs.exe
C:\WINDOWS\system32\ciadvss.exe
C:\WINDOWS\system32\ftps.exe
C:\WINDOWS\system32\Monitored3.dat
C:\WINDOWS\VPC32.INI

.
((((((((((((((((((((((((( Files Created from 2008-06-25 to 2008-07-25 )))))))))))))))))))))))))))))))
.

2008-07-24 15:10 . 2008-07-24 15:10 <DIR> d-------- C:\Deckard
2008-07-24 10:29 . 2008-07-24 10:53 <DIR> d-------- C:\!Submit
2008-07-24 10:19 . 2008-07-24 10:19 <DIR> d-------- C:\WINDOWS\system32\CBA
2008-07-24 10:19 . 2008-07-24 10:19 <DIR> d-------- C:\Program Files\Symantec
2008-07-24 10:19 . 2008-07-24 15:14 <DIR> d-------- C:\Program Files\NavNT
2008-07-24 10:19 . 2008-07-24 10:19 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-24 10:19 . 2008-07-24 10:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-24 10:19 . 2001-09-24 07:59 120,379 --a------ C:\WINDOWS\system32\SYMEVNT.386
2008-07-24 10:19 . 2001-09-24 07:59 57,696 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-07-24 10:19 . 2001-09-24 07:59 36,864 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-07-24 10:19 . 2001-09-24 07:59 4,032 --a------ C:\WINDOWS\system32\SYMEVNT1.DLL
2008-07-18 02:11 . 2008-07-24 12:30 581 --a------ C:\WINDOWS\wininit.ini
2008-07-17 20:23 . 2008-07-22 21:29 <DIR> d-------- C:\WINDOWS\system32\5583
2008-07-16 23:12 . 2008-07-25 04:44 <DIR> d-------- C:\Documents and Settings\Bruce Lee\Application Data\SPORE Creature Creator
2008-07-16 23:12 . 2008-07-16 23:12 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-07-11 10:57 . 2008-07-11 10:57 <DIR> d-------- C:\Program Files\uTorrent
2008-07-10 22:47 . 2008-07-10 23:01 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-09 13:33 . 2008-07-09 13:33 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-07-09 13:33 . 2008-07-09 13:33 <DIR> d-------- C:\Program Files\PKWARE
2008-07-09 13:33 . 2008-07-09 13:33 <DIR> d-------- C:\Program Files\Common Files\PKWARE
2008-07-09 11:48 . 2008-07-09 11:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Launcher
2008-07-07 23:20 . 2008-07-07 23:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Graboid Inc
2008-07-07 23:19 . 2008-07-07 23:19 <DIR> d-------- C:\Documents and Settings\Bruce Lee\Application Data\MozillaControl
2008-07-07 23:18 . 2008-07-07 23:18 <DIR> d-------- C:\Program Files\VideoLAN
2008-07-07 23:18 . 2008-07-07 23:19 <DIR> d-------- C:\Program Files\Mozilla ActiveX Control v1.7.12
2008-07-07 23:18 . 2008-07-07 23:19 <DIR> d-------- C:\Program Files\Graboid
2008-07-05 14:03 . 2008-07-05 14:03 <DIR> d-------- C:\Program Files\QuickTime
2008-07-05 14:03 . 2008-07-05 14:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-05 14:02 . 2008-07-05 14:02 <DIR> d-------- C:\Program Files\Apple Software Update
2008-07-05 14:02 . 2008-07-05 14:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-07-04 02:51 . 2008-07-04 02:51 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-04 02:51 . 2008-07-04 02:51 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-27 11:49 . 2008-06-27 11:49 <DIR> d-------- C:\Program Files\Common Files\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-17 06:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-13 08:28 --------- d-----w C:\Documents and Settings\Bruce Lee\Application Data\GigaTribe
2008-07-08 20:58 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft
2008-07-01 06:30 --------- d-----w C:\Documents and Settings\Bruce Lee\Application Data\AdobeUM
2008-06-23 01:42 --------- d-----w C:\Program Files\Windows Defender
2008-06-23 00:46 --------- d-----w C:\Documents and Settings\Bruce Lee\Application Data\Lavasoft
2008-06-23 00:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-18 07:19 --------- d-----w C:\Program Files\DivX
2008-06-18 07:18 --------- d-----w C:\Program Files\Xvid
2008-06-16 05:11 --------- d-----w C:\Program Files\Verizon Wireless
2008-06-16 05:11 --------- d-----w C:\Program Files\LG Electronics
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-03 06:40 --------- d-----w C:\Program Files\BitZipper
2008-06-03 06:40 --------- d-----w C:\Documents and Settings\Bruce Lee\Application Data\BitZipper
2008-05-27 09:37 --------- d-----w C:\Documents and Settings\Bruce Lee\Application Data\Corel
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\!Submit ----

2008-07-24 10:29 50 --a------ C:\!Submit\s
2008-07-22 21:39 65536 --a------ C:\!Submit\~DFE71.tmp

---- Directory of C:\WINDOWS\system32\5583 ----

2008-07-22 21:29 476 -r-hs---- C:\WINDOWS\system32\5583\~!2279p.spt


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 05:00 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 14:49 153136]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nTrayFw"="C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe" [2006-02-17 10:40 270336]
"Ink Monitor"="C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe" [2002-08-05 01:37 258116]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Lingvo Launcher"="C:\Program Files\ABBYY Lingvo 10 First Step\Lvagent.exe" [2005-02-15 13:55 118784]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 19:53 153136]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"vptray"="C:\Program Files\NavNT\vptray.exe" [2001-09-24 07:59 73728]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-11 06:03 8429568]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 02:21 16270848 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 03:04 2879488 C:\WINDOWS\SkyTel.exe]
"nwiz"="nwiz.exe" [2007-05-11 06:03 1626112 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 05:00 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 19:29 39264]

C:\Documents and Settings\Bruce Lee\Start Menu\Programs\Startup\
MEMonitor.lnk - C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [2008-06-15 22:11:21 951640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-05-13 14:55:10 184320]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"D:\\Download_Apps\\GigaTribe\\gigatribe.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"D:\\Download_Apps\\Limewire\\LimeWire.exe"=
"D:\\Programs\\Mirc\\Mirc\\Mirc2\\MIRC.EXE"=
"D:\\Programs\\Mirc\\Mirc\\MIRC.EXE"=
"D:\\Programs\\Mirc\\Mirc\\Mirc3\\MIRC.EXE"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=

.
Contents of the 'Scheduled Tasks' folder
"2008-07-14 18:06:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-25 08:43:39 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-25 12:55:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\MSGSYS.EXE
.
**************************************************************************
.
Completion time: 2008-07-25 12:57:18 - machine was rebooted [Bruce Lee]
ComboFix-quarantined-files.txt 2008-07-25 19:57:13
ComboFix2.txt 2008-07-25 11:06:21

Pre-Run: 193,513,775,104 bytes free
Post-Run: 193,502,740,480 bytes free

179 --- E O F --- 2008-07-16 09:16:32


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:03:47 PM, on 7/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ABBYY Lingvo 10 First Step\Lvagent.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Security\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Lingvo Launcher] "C:\Program Files\ABBYY Lingvo 10 First Step\Lvagent.exe" /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--
End of file - 7028 bytes

#8 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 25 July 2008 - 03:39 PM

Not sure where it started, and I will help you with those process issues.
For now, though, let's get you completely clean; then we will go from there.

Please download Malwarebytes' Anti-Malware from Here or Here

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free; however, if you would like to make a donation to me for the help I have provided, please click here.

#9 Flare613

  • Topic Starter
  • Members
  • 8 posts

Posted 25 July 2008 - 04:29 PM

Malwarebytes' Anti-Malware 1.23
Database version: 993
Windows 5.1.2600 Service Pack 2

2:28:25 PM 7/25/2008
mbam-log-7-25-2008 (14-28-25).txt

Scan type: Quick Scan
Objects scanned: 38809
Time elapsed: 4 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\rhcvwtj0ev2g (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Bruce Lee\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\WINDOWS\BMa32ccacf.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

#10 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 25 July 2008 - 06:39 PM

Ok, looks good. Please post another DSS log.

#11 Flare613

  • Topic Starter
  • Members
  • 8 posts

Posted 25 July 2008 - 07:13 PM

Deckard's System Scanner v20071014.68
Run by Bruce Lee on 2008-07-25 17:12:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Bruce Lee.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:12:34 PM, on 7/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ABBYY Lingvo 10 First Step\Lvagent.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\Games\MTGO\MTGO_NET.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
D:\Security\dss.exe
D:\Security\HIJACK~1\BRUCEL~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Lingvo Launcher] "C:\Program Files\ABBYY Lingvo 10 First Step\Lvagent.exe" /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--
End of file - 7138 bytes

-- Files created between 2008-06-25 and 2008-07-25 -----------------------------

2008-07-25 14:18:24 0 d-------- C:\Documents and Settings\Bruce Lee\Application Data\Malwarebytes
2008-07-25 14:18:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-25 04:04:27 0 d-------- C:\cmdcons
2008-07-24 22:13:05 68096 --a------ C:\WINDOWS\zip.exe
2008-07-24 22:13:05 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-24 22:13:05 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-24 22:13:05 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-24 22:13:05 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-24 22:13:05 98816 --a------ C:\WINDOWS\sed.exe
2008-07-24 22:13:05 80412 --a------ C:\WINDOWS\grep.exe
2008-07-24 22:13:05 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-24 10:29:00 0 d-------- C:\!Submit
2008-07-24 10:19:23 4032 --a------ C:\WINDOWS\system32\SYMEVNT1.DLL <Not Verified; Symantec Corporation; SYMEVENT>
2008-07-24 10:19:23 36864 --a------ C:\WINDOWS\system32\S32EVNT1.DLL <Not Verified; Symantec Corporation; SYMEVENT>
2008-07-24 10:19:23 57696 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS <Not Verified; Symantec Corporation; SYMEVENT>
2008-07-24 10:19:20 0 d-------- C:\WINDOWS\system32\CBA
2008-07-24 10:19:19 0 d-------- C:\Program Files\Symantec
2008-07-24 10:19:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-24 10:19:17 0 d-------- C:\Program Files\NavNT
2008-07-24 10:19:17 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-17 20:23:50 0 d-------- C:\WINDOWS\system32\5583
2008-07-17 20:23:41 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-07-16 23:12:10 0 d-------- C:\Documents and Settings\Bruce Lee\Application Data\SPORE Creature Creator
2008-07-11 10:57:08 0 d-------- C:\Program Files\uTorrent
2008-07-10 22:47:18 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-09 13:33:28 0 d-------- C:\Program Files\PKWARE
2008-07-09 13:33:28 0 d-------- C:\Program Files\Common Files\PKWARE
2008-07-09 13:33:15 0 d-------- C:\WINDOWS\Downloaded Installations
2008-07-09 11:48:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Launcher
2008-07-07 23:20:56 0 d-------- C:\Documents and Settings\All Users\Application Data\Graboid Inc
2008-07-07 23:19:10 0 d-------- C:\Documents and Settings\Bruce Lee\Application Data\MozillaControl
2008-07-07 23:18:59 0 d-------- C:\Program Files\Mozilla ActiveX Control v1.7.12
2008-07-07 23:18:53 0 d-------- C:\Program Files\VideoLAN
2008-07-07 23:18:53 0 d-------- C:\Program Files\Graboid
2008-07-05 14:03:32 0 d-------- C:\Program Files\QuickTime
2008-07-05 14:03:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-05 14:02:42 0 d-------- C:\Program Files\Apple Software Update
2008-07-05 14:02:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-06-27 11:49:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-06-27 11:49:02 0 d-------- C:\Program Files\Common Files\Adobe


-- Find3M Report ---------------------------------------------------------------

2008-07-25 12:54:05 0 d-------- C:\Program Files\Common Files
2008-07-16 23:11:45 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-13 01:28:17 0 d-------- C:\Documents and Settings\Bruce Lee\Application Data\GigaTribe
2008-07-08 13:58:29 0 d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-06-30 23:30:45 0 d-------- C:\Documents and Settings\Bruce Lee\Application Data\AdobeUM
2008-06-27 11:42:35 0 d-------- C:\Documents and Settings\Bruce Lee\Application Data\Adobe
2008-06-22 18:42:38 0 d-------- C:\Program Files\Windows Defender
2008-06-22 17:46:01 0 d-------- C:\Documents and Settings\Bruce Lee\Application Data\Lavasoft
2008-06-18 00:19:48 0 d-------- C:\Program Files\DivX
2008-06-18 00:18:06 0 d-------- C:\Program Files\Xvid
2008-06-15 22:11:34 0 d-------- C:\Program Files\LG Electronics
2008-06-15 22:11:21 0 d-------- C:\Program Files\Verizon Wireless
2008-06-02 23:40:32 0 d-------- C:\Program Files\BitZipper
2008-06-02 23:40:32 0 d-------- C:\Documents and Settings\Bruce Lee\Application Data\BitZipper
2008-05-30 10:22:22 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-30 10:18:56 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-30 10:18:56 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-30 10:18:50 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 10:18:48 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-05-30 10:18:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 10:18:48 815104 --a------ C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 10:18:48 683520 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 10:18:00 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-27 02:37:17 0 d-------- C:\Documents and Settings\Bruce Lee\Application Data\Corel
2008-05-27 02:27:53 5330 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-05-12 11:24:05 1160 --a------ C:\WINDOWS\mozver.dat
2008-05-12 11:02:05 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-12 10:40:38 8 -r-hs---- C:\WINDOWS\system32\FF8751EDFA.sys
2008-05-12 10:29:04 717 --a------ C:\WINDOWS\PowerReg.dat
2008-05-12 10:13:27 22 --a------ C:\WINDOWS\FileName
2008-05-12 01:03:02 0 -rahs---- C:\MSDOS.SYS
2008-05-12 01:03:02 0 -rahs---- C:\IO.SYS
2008-05-12 01:03:02 0 --a------ C:\CONFIG.SYS
2008-05-12 01:03:02 0 --a------ C:\AUTOEXEC.BAT
2008-05-12 01:00:02 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-05-11 17:44:15 62 --ahs---- C:\Documents and Settings\Bruce Lee\Application Data\desktop.ini
2008-04-27 10:35:28 180224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-04-27 10:33:36 765952 --a------ C:\WINDOWS\system32\xvidcore.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [11/14/2006 02:21 AM C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [05/16/2006 03:04 AM C:\WINDOWS\SkyTel.exe]
"nwiz"="nwiz.exe" [05/11/2007 06:03 AM C:\WINDOWS\system32\nwiz.exe]
"nTrayFw"="C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe" [02/17/2006 10:40 AM]
"Ink Monitor"="C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe" [08/05/2002 01:37 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"Lingvo Launcher"="C:\Program Files\ABBYY Lingvo 10 First Step\Lvagent.exe" [02/15/2005 01:55 PM]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [03/09/2007 07:53 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [05/27/2008 10:50 AM]
"vptray"="C:\Program Files\NavNT\vptray.exe" [09/24/2001 07:59 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [05/11/2007 06:03 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 05:00 AM]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [03/12/2007 02:49 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 09:24 AM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 04:45 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\Bruce Lee\Start Menu\Programs\Startup\
MEMonitor.lnk - C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [6/15/2008 10:11:21 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [4/23/2008 3:38:16 AM]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [5/13/2008 2:55:10 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

*Newly Created Service* - CATCHME
*Newly Created Service* - MBAMSWISSARMY



-- End of Deckard's System Scanner: finished at 2008-07-25 17:12:53 ------------
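Added example (not part of this thread, and not code from Deckard's System Scanner): the dump above shows the policies\system values and the SecurityProviders list, which are the first two places an analyst checks when a user says regedit or Task Manager is being blocked. The script below parses that dump format and reports any restrictive policy value that is set, plus any SecurityProviders DLL that is not in the Windows XP default list. The sample dump is constructed in the posted format; the DisableTaskMgr=1 line and the unknown.dll entry are added deliberately (they are NOT in the posted log) so the flagging path runs. The default-provider baseline is an assumption about a stock XP install.

```python
"""Check a Deckard-style registry dump for lockout policies and extra SecurityProviders."""
import re

# Constructed sample in the posted log's format. DisableTaskMgr and unknown.dll are
# added here to exercise the checks; the posted log shows neither.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=1 (0x1)
"RunLogonScriptSync"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, unknown.dll,
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(-?\d+)')
PROVIDERS_RE = re.compile(r"^SecurityProviders\s+(.*)$", re.IGNORECASE)

# Values under ...\policies\system that, when non-zero, stop the user from
# inspecting or repairing the machine. Malware sets these to protect itself.
RESTRICTIVE_POLICIES = {"DisableRegistryTools", "DisableTaskMgr"}

# Assumed stock Windows XP SecurityProviders list (lower-cased for comparison).
DEFAULT_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}


def parse_dump(text):
    """Return ({key_lower: {name: int_value}}, [provider_dll, ...])."""
    keys, providers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = PROVIDERS_RE.match(line)
        if m:
            # The list ends with a trailing comma in the dump; drop the empty tail.
            providers = [p.strip().lower() for p in m.group(1).split(",") if p.strip()]
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2))
    return keys, providers


def find_restrictions(keys):
    """List (key, value_name, value) for every restrictive policy that is enabled."""
    hits = []
    for key, values in keys.items():
        if not key.endswith("\\policies\\system"):
            continue
        for name, val in values.items():
            if name in RESTRICTIVE_POLICIES and val != 0:
                hits.append((key, name, val))
    return hits


def unexpected_providers(providers):
    """DLLs in SecurityProviders that are not in the assumed default list."""
    return [p for p in providers if p not in DEFAULT_PROVIDERS]


if __name__ == "__main__":
    parsed_keys, parsed_providers = parse_dump(SAMPLE_DUMP)
    for key, name, val in find_restrictions(parsed_keys):
        print(f"restriction set: {name}={val} under {key}")
    for dll in unexpected_providers(parsed_providers):
        print(f"non-default SecurityProviders entry: {dll}")
```

A non-default SecurityProviders DLL is loaded into LSASS at boot, so an unexpected name there deserves a file lookup before anything is deleted; a stray entry in that list is also a common reason a "fixed" Run key keeps coming back.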

#12 kahdah (Security Colleague)

Posted 25 July 2008 - 08:53 PM

Please empty the Norton Quarantine.
========================
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveIt2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    D:\Security\pass\Cain\Cain.exe
    C:\Documents and Settings\Bruce Lee\Local Settings\Temporary Internet Files\Content.IE5\ODQVOHEB\newcim[1].exe 
    C:\Documents and Settings\Bruce Lee\My Documents\My Music\LimeWire\Saved\down in willow garden tim.mp3 
    C:\Documents and Settings\Bruce Lee\My Documents\My Music\LimeWire\Saved\Flobots-Happy Together.mp3
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
===========================
Please then post that log and a new HijackThis log and we will wrap it up.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.
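Added example (not OTMoveIt2's code, and not part of the thread): the procedure above moves a list of files out of the way and logs the result. The script below does the same job so the behaviour is visible: each file is moved under a quarantine root with its original path preserved (so the move can be reversed), a missing file is logged as "not found" rather than treated as an error, and a file that cannot be moved (in use or locked) is reported instead of silently skipped. The quarantine root, the log-name format (mmddyyyy_hhmmss, as in the posted log name) and the demo's scratch file are assumptions made for this example.

```python
"""Quarantine a list of file paths and write a log in the posted OTMoveIt2 style."""
import os
import shutil
import tempfile
from datetime import datetime


def _quarantine_target(root, path):
    # Keep drive letter and directory tree below root, e.g.
    # C:\foo\bar.exe -> <root>\C\foo\bar.exe, so the move is reversible.
    drive, rest = os.path.splitdrive(os.path.abspath(path))
    drive = drive.rstrip(":") or "root"
    return os.path.join(root, drive, rest.lstrip("\\/"))


def move_files(paths, quarantine_root):
    """Move each path into quarantine; return one log line per requested path."""
    lines = []
    for path in paths:
        if not os.path.exists(path):
            lines.append(f"File/Folder {path} not found.")
            continue
        target = _quarantine_target(quarantine_root, path)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        try:
            shutil.move(path, target)
            lines.append(f"{path} moved successfully.")
        except OSError as exc:
            # A file held open by a running process cannot be moved now.
            # OTMoveIt2 defers such moves to the next reboot; here it is reported.
            lines.append(f"{path} could not be moved ({exc.strerror or exc}); reboot and retry.")
    return lines


def write_log(lines, quarantine_root):
    """Write the log next to the quarantined files; return the log path."""
    os.makedirs(quarantine_root, exist_ok=True)
    stamp = datetime.now().strftime("%m%d%Y_%H%M%S")  # mmddyyyy_hhmmss
    log_path = os.path.join(quarantine_root, f"{stamp}.log")
    with open(log_path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
    return log_path


def demo():
    """Quarantine one constructed scratch file plus a missing path; return evidence."""
    base = tempfile.mkdtemp(prefix="quarantine-demo-")
    victim = os.path.join(base, "src", "sample.bin")  # constructed sample file
    os.makedirs(os.path.dirname(victim))
    with open(victim, "wb") as fh:
        fh.write(b"placeholder content")
    root = os.path.join(base, "_OTMoveIt", "MovedFiles")
    lines = move_files([victim, os.path.join(base, "src", "missing.bin")], root)
    log_path = write_log(lines, root)
    info = {
        "source_gone": not os.path.exists(victim),
        "quarantined_exists": os.path.exists(_quarantine_target(root, victim)),
        "log_exists": os.path.exists(log_path),
    }
    return lines, info


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

Moving rather than deleting is the point: if a flagged file turns out to be legitimate (a tool such as Cain.exe that the user installed on purpose), the preserved path under the quarantine root lets it be put back.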

#13 Flare613 (Topic Starter)

Posted 25 July 2008 - 10:55 PM

I'm assuming by clearing the quarantined items from Norton you meant delete them, which I did.

Here are the logs:

D:\Security\pass\Cain\Cain.exe moved successfully.
< C:\Documents and Settings\Bruce Lee\Local Settings\Temporary Internet Files\Content.IE5\ODQVOHEB\newcim[1].exe >
File/Folder C:\Documents and Settings\Bruce Lee\Local Settings\Temporary Internet Files\Content.IE5\ODQVOHEB\newcim[1].exe not found.
C:\Documents and Settings\Bruce Lee\My Documents\My Music\LimeWire\Saved\down in willow garden tim.mp3 moved successfully.
C:\Documents and Settings\Bruce Lee\My Documents\My Music\LimeWire\Saved\Flobots-Happy Together.mp3 moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07252008_204629


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:49:25 PM, on 7/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ABBYY Lingvo 10 First Step\Lvagent.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\Games\MTGO\MTGO_NET.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\svchost.exe
D:\Security\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Lingvo Launcher] "C:\Program Files\ABBYY Lingvo 10 First Step\Lvagent.exe" /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--
End of file - 7155 bytes
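Added example (not HijackThis code, and not part of the thread): the log above is clean, but reading a HijackThis log by hand comes down to one question per O2/O4/O23 line: where does that binary live? The script below pulls the executable path out of each entry shape visible in the posted log (quoted and unquoted paths, rundll32-hosted DLLs, the "(User '...')" suffix on HKUS entries, .lnk startup items, BHOs and services) and sorts it into trusted, suspicious, or unresolved. The posted entries are used as input together with two constructed lines (marked in the code, not from the log) that run from the user's Temp and Application Data folders, so the flagging path is exercised. The trusted roots and the user-writable directory markers are assumptions for a Windows XP layout.

```python
"""Triage O2/O4/O23 entries of a HijackThis log by where each binary lives."""
import re

# Entries copied from the posted log.
POSTED_LINES = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

# Constructed entries (NOT in the posted log): an autorun from the user's Temp
# folder and a service running from Application Data.
CONSTRUCTED_LINES = [
    r"O4 - HKCU\..\Run: [sample] C:\Documents and Settings\User\Local Settings\Temp\sample.exe",
    r"O23 - Service: SampleSvc - Unknown owner - C:\Documents and Settings\User\Application Data\sample\svc.exe",
]
SAMPLE_LOG = POSTED_LINES + "\n".join(CONSTRUCTED_LINES) + "\n"

# Assumed trust roots for a stock XP install (lower-cased prefixes).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")
# Directories a limited user can write to; legitimate autoruns rarely live here.
SUSPICIOUS_DIRS = ("\\local settings\\temp\\", "\\temporary internet files\\",
                   "\\application data\\", "\\windows\\temp\\")

O4_REG_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<name>.+?) = (?P<path>.*)$")
O2_O23_RE = re.compile(r"^(?:O2 - BHO|O23 - Service): (?P<name>.*) - (?P<path>[A-Za-z]:\\.*)$")
# Shortest prefix ending in an executable extension: stops before arguments,
# the ",EntryPoint" of a rundll32 target, or HijackThis's "(User '...')" suffix.
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|com|scr|bat))", re.IGNORECASE)


def extract_path(line):
    """Return the binary path named by one log line, or None for other line types."""
    m = O4_REG_RE.match(line)
    if m:
        cmd = m.group("cmd").strip()
        if cmd.lower().startswith("rundll32.exe "):
            cmd = cmd[len("rundll32.exe "):]  # the payload is the DLL argument
        cmd = cmd.lstrip('"')
        m2 = EXE_RE.match(cmd)
        return m2.group(1) if m2 else cmd
    m = O4_STARTUP_RE.match(line) or O2_O23_RE.match(line)
    return m.group("path").strip() if m else None


def classify(path):
    p = path.lower()
    if not re.match(r"^[a-z]:\\", p):
        return "unresolved"  # bare name, found via the PATH search order at runtime
    if any(marker in p for marker in SUSPICIOUS_DIRS):
        return "suspicious"  # checked first: C:\WINDOWS\Temp is under a trusted root
    if any(p.startswith(root) for root in TRUSTED_ROOTS):
        return "trusted"
    return "unknown"


def triage(log_text):
    results = []
    for line in log_text.splitlines():
        line = line.strip()
        path = extract_path(line) if line else None
        if path is not None:
            results.append({"line": line, "path": path, "verdict": classify(path)})
    return results


def flagged(log_text):
    """Entries that need a human look: anything not clearly under a trusted root."""
    return [r for r in triage(log_text) if r["verdict"] != "trusted"]


if __name__ == "__main__":
    for r in flagged(SAMPLE_LOG):
        print(f"{r['verdict']:<10} {r['path']}")
```

"Unresolved" entries such as RTHDCPL.EXE are not malicious on their own, but a bare name is only as trustworthy as the directory the loader finds it in; Deckard's System Scanner output earlier in the thread resolved that one to C:\WINDOWS\RTHDCPL.exe, which is the check this verdict asks for.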

#14 kahdah (Security Colleague)

Posted 25 July 2008 - 11:26 PM

Please re-open HijackThis and click on "Do a system scan only".
Then place a check mark next to these entries below:

O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe



Now click on Fix Checked and then close HijackThis.
==================================================
These are all non-essential to run at startup.
All of these can be restored in the future or started manually if needed.
============================================================================
Cleanup::
  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTMoveIt2 from reaching the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
===============
Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 7 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.
=============================
Delete/uninstall anything else that we have used.

System Restore
Then I will need you to reset your System Restore points.
The link below shows how to create a clean restore point.
How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/kb/310405/en-us
=====================================
After that your log is clean. :thumbsup:

The following is a list of tools and utilities that I like to suggest to people.
You do not have to have all or any of them they are only suggestions.
This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

Spyware Blaster - Great prevention tool to keep nasties from installing on your system.

SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

IE-SPYAD - Puts over 5000 sites in your Restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Tony Klein article To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

#15 Flare613 (Topic Starter)

Posted 26 July 2008 - 04:47 AM

Thank you very much for all your help! :thumbsup:

I am just curious, how is it that you have come about doing what you do? I would like to at least learn some more so that maybe at some point I would be able to fix my own problems, if nothing else. hehe.

Also, what do you think of Kaspersky Anti-Virus? Currently I only use an old corp. ed. of Norton, but I heard Kaspersky was good and up to date. I was thinking of actually purchasing it.

Also regarding these programs, which do you use or recommend using? I want to protect my computer but I also want to have the least amount of programs running if possible.

  • Spyware Blaster
  • SpywareGuard
  • IE-SPYAD

Thanks again for all your help.

Justin



