
Vundo Has Taken Over My Pc


  • This topic is locked
21 replies to this topic

#1 Zengoalie

Zengoalie

  • Members
  • 17 posts
  • OFFLINE
  • Local time:06:10 PM

Posted 06 August 2008 - 07:45 PM

Back again...my laptop was infected with this a few weeks ago, now the desktop PC is infected. I ran MalwareBytes several times and it continues to find Vundo, but even after reboot it's unable to delete the infected files. My Sophos anti-virus just stays at 1% and won't move past that in a scan. Also appears to keep disabling my Windows Update. Sorry if I didn't un-install everything I should have, not sure what my husband's got on here...

Hope you guys can help!
Thanks!

Here's my DSS:
Deckard's System Scanner v20071014.68
Run by Owner on 2008-08-06 20:44:04
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:44:07 PM, on 8/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Updater.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Multimedia\main\LaunchPd.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Native Instruments\Audio Kontrol 1\Audio Kontrol 1.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\DOCUME~1\Owner\Desktop\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bostonherald.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: (no name) - {77bfb394-bdd8-487e-a116-e4bd8c3867a6} - C:\WINDOWS\system32\urqQiJdc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: {ac9a8b17-7bee-f5f9-e854-c0f2f74c408b} - {b804c47f-2f0c-458e-9f5f-eeb771b8a9ca} - C:\WINDOWS\system32\kqafvm.dll
O2 - BHO: (no name) - {d92672db-c927-41a4-9fa9-0c98dc2f7b1a} - C:\WINDOWS\system32\nnnoMeCr.dll (file missing)
O2 - BHO: (no name) - {fe07740c-ed9e-4041-a4f6-565ae689a3e8} - C:\WINDOWS\system32\nnnmLedB.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [links] links.exe
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [a8100fb5] rundll32.exe "C:\WINDOWS\system32\pevppgnr.dll",b
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [Simple Star PhotoShow Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Audio Kontrol 1] C:\Program Files\Native Instruments\Audio Kontrol 1\Audio Kontrol 1.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://www.bostonherald.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...0/installer.exe
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
O16 - DPF: {DF85A113-76ED-4D25-9107-01E5C6F98D6A} (DRDLCtlView Class) - http://www.docurights.com/drdlctl.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Filter hijack: text/html - {ae40c940-8897-4c95-8027-a7e30488c161} - (no file)
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O20 - Winlogon Notify: nnnmledb - C:\WINDOWS\SYSTEM32\nnnmLedB.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Procedure Call (RPC) RpcSsSAVAdminService (rpcsssavadminservice) - Unknown owner - C:\WINDOWS\system32\acluif.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 11575 bytes

-- Files created between 2008-07-06 and 2008-08-06 -----------------------------

2008-08-06 20:25:55 121472 --a------ C:\WINDOWS\system32\kqafvm.dll
2008-08-06 20:25:54 121472 --a------ C:\WINDOWS\system32\miahtowd.dll
2008-08-06 20:23:48 99712 --a------ C:\WINDOWS\system32\pevppgnr.dll
2008-08-06 20:22:51 781902 --ahs---- C:\WINDOWS\system32\cdJiQqru.ini2
2008-08-06 20:22:45 323328 --a------ C:\WINDOWS\system32\urqQiJdc.dll
2008-08-06 19:32:19 121472 --a------ C:\WINDOWS\system32\tnnnxf.dll
2008-08-06 19:32:18 121472 --a------ C:\WINDOWS\system32\ungevjvt.dll
2008-08-06 19:26:17 778409 --ahs---- C:\WINDOWS\system32\rCeMonnn.ini2
2008-08-06 12:01:55 18944 --ahs---- C:\WINDOWS\system32\12520437t.dll
2008-08-06 12:00:11 34176 -----n--- C:\WINDOWS\system32\nnnmLedB.dll
2008-08-06 12:00:10 0 d-------- C:\a8070
2008-08-06 11:59:58 0 d-------- C:\54b63
2008-08-06 11:59:36 0 d-------- C:\8615f
2008-08-06 11:58:57 278 --a-s---- C:\WINDOWS\system32\2216712837.dat
2008-08-06 11:58:47 111216 --a------ C:\WINDOWS\system32\drivers\b2e25a6.sys
2008-08-06 11:58:34 41984 -r-hs---- C:\WINDOWS\system32\acluif.exe
2008-08-06 11:58:31 2 --a------ C:\-1475342566
2008-08-06 11:58:28 65536 --a------ C:\wuon.exe
2008-08-06 11:58:27 4338 --a------ C:\WINDOWS\system32\mvx.dat
2008-07-26 22:13:57 0 d-------- C:\Program Files\iTunes
2008-07-26 22:09:52 0 d-------- C:\Program Files\Apple Software Update
2008-07-20 08:10:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-10 10:39:59 0 d-------- C:\Documents and Settings\LocalService\Application Data\Softland
2008-07-10 10:38:52 0 d-------- C:\Program Files\Softland
2008-07-10 10:27:35 0 d-------- C:\Program Files\Acro Software


-- Find3M Report ---------------------------------------------------------------

2008-08-06 20:40:03 0 d-------- C:\Program Files\BearShare
2008-08-06 20:19:28 0 d-------- C:\Program Files\SpywareBlaster
2008-08-06 18:23:18 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-05 19:52:10 0 d-------- C:\Program Files\Trillian
2008-07-26 22:21:30 0 d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-07-26 22:14:04 0 d-------- C:\Program Files\iPod
2008-07-26 22:11:51 0 d-------- C:\Program Files\QuickTime
2008-07-23 09:31:02 5 --a------ C:\WINDOWS\system32\wincon.dat
2008-07-20 08:10:24 0 d-------- C:\Program Files\Lavasoft
2008-07-20 08:09:16 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-20 08:05:43 0 d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-07-10 11:46:57 0 d-------- C:\Program Files\Evrsoft First Page 2006
2008-07-10 10:37:20 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-10 10:37:16 0 d-------- C:\Program Files\Common Files
2008-07-10 10:35:28 0 d-------- C:\Program Files\DivX
2008-07-03 07:45:23 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-25 11:59:03 0 d-------- C:\Program Files\Comcast Rhapsody
2008-06-25 11:59:03 870128 --a------ C:\Documents and Settings\Owner\Application Data\mcs.rma
2008-06-25 11:59:03 4 --a------ C:\Documents and Settings\Owner\Application Data\0F3A92
2008-06-25 11:56:45 0 d-------- C:\Documents and Settings\Owner\Application Data\Real
2008-06-25 11:55:54 0 d-------- C:\Program Files\Real
2008-06-18 13:59:56 0 d-------- C:\Program Files\Syberia
2008-06-17 09:55:19 0 d-------- C:\Program Files\HP
2008-06-17 09:55:12 0 d-------- C:\Program Files\Hewlett-Packard
2008-06-17 07:39:48 0 d-------- C:\Documents and Settings\Owner\Application Data\SecondLife
2008-06-06 08:11:07 0 d-------- C:\Program Files\Google
2008-05-23 14:11:12 724992 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77bfb394-bdd8-487e-a116-e4bd8c3867a6}]
08/06/2008 08:22 PM 323328 --a------ C:\WINDOWS\system32\urqQiJdc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b804c47f-2f0c-458e-9f5f-eeb771b8a9ca}]
08/06/2008 08:25 PM 121472 --a------ C:\WINDOWS\system32\kqafvm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d92672db-c927-41a4-9fa9-0c98dc2f7b1a}]
C:\WINDOWS\system32\nnnoMeCr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fe07740c-ed9e-4041-a4f6-565ae689a3e8}]
08/06/2008 12:00 PM 34176 --------- C:\WINDOWS\system32\nnnmLedB.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [10/02/2004 08:30 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [07/15/2004 11:42 AM]
"links"="links.exe" []
"iRiver Updater"="\Updater.exe" [07/01/2004 05:20 PM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" []
"NapsterShell"="C:\Program Files\Napster\napster.exe" []
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [12/22/2003 08:38 AM]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [01/13/2006 08:38 PM]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [07/10/2008 09:47 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05/27/2008 10:50 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/10/2008 10:51 AM]
"a8100fb5"="C:\WINDOWS\system32\pevppgnr.dll" [08/06/2008 08:23 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\LaunchPd.exe" [06/13/2003 06:43 AM]
"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe" [10/22/2002 10:55 AM]
"Simple Star PhotoShow Media Manager"="C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe" []
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe" [05/09/2005 07:16 PM]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 04:45 PM]
"Audio Kontrol 1"="C:\Program Files\Native Instruments\Audio Kontrol 1\Audio Kontrol 1.exe" [11/30/2006 02:25 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/05/2008 08:50 AM]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
DING!.lnk - C:\Program Files\Southwest Airlines\Ding\Ding.exe [6/22/2006 3:15:48 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FE07740C-ED9E-4041-A4F6-565AE689A3E8}"= C:\WINDOWS\system32\nnnmLedB.dll [08/06/2008 12:00 PM 34176]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnmledb]
nnnmLedB.dll 08/06/2008 12:00 PM 34176 C:\WINDOWS\system32\nnnmLedB.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MsnFixer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MsnFixer.lnk
backup=C:\WINDOWS\pss\MsnFixer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IcoSet]
c:\hp\bin\cloaker.exe c:\hp\bin\IcoSet\adjust.bat seticon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
LTMSG.exe 7

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
rundll32.exe nview.dll,nViewLoadHook

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet /keeploaded /nodetect

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecordNow!]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
"C:\Windows\Creator\Remind_XP.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultPrinter]
c:\hp\bin\cloaker.exe c:\windows\system32\cmd.exe /c c:\hp\bin\defaultprinter\SetDefaultPrinter.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe




-- End of Deckard's System Scanner: finished at 2008-08-06 20:44:47 ------------
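As an added example (not part of this thread, and not code from HijackThis, DSS or any other tool mentioned here), the following Python script shows the cross-check a helper does by hand on a log like the one above: it pulls the file paths out of the O2/O4/O20/O23 HijackThis entries and matches them against the "Files created" timestamps from the DSS section. The sample lines are excerpted from the log posted above. The 24-hour window, the hidden+system attribute heuristic and the per-section rules are assumptions of this example, not rules defined by either tool.

```python
"""Triage helper: correlate HijackThis autostart entries with DSS file-creation times.

Added example only; it reads text excerpted from the posted log and flags the
entries a malware-removal helper would want to look at first.
"""
import re
from datetime import datetime, timedelta

# Scan time taken from the DSS header in the posted log
SCAN_TIME = datetime(2008, 8, 6, 20, 44, 4)
RECENT = timedelta(hours=24)  # assumption: "recently created" means within one day

# Lines excerpted from the HijackThis section of the posted log
HJT_LINES = r"""
O2 - BHO: (no name) - {77bfb394-bdd8-487e-a116-e4bd8c3867a6} - C:\WINDOWS\system32\urqQiJdc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [a8100fb5] rundll32.exe "C:\WINDOWS\system32\pevppgnr.dll",b
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O20 - Winlogon Notify: nnnmledb - C:\WINDOWS\SYSTEM32\nnnmLedB.dll
O23 - Service: Remote Procedure Call (RPC) RpcSsSAVAdminService (rpcsssavadminservice) - Unknown owner - C:\WINDOWS\system32\acluif.exe
"""

# Lines excerpted from the DSS "Files created" section of the posted log
DSS_CREATED = r"""
2008-08-06 20:23:48 99712 --a------ C:\WINDOWS\system32\pevppgnr.dll
2008-08-06 20:22:45 323328 --a------ C:\WINDOWS\system32\urqQiJdc.dll
2008-08-06 12:00:11 34176 -----n--- C:\WINDOWS\system32\nnnmLedB.dll
2008-08-06 11:58:34 41984 -r-hs---- C:\WINDOWS\system32\acluif.exe
"""

# First drive-letter path ending in a loadable module or executable
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe|ocx|sys)", re.IGNORECASE)
# DSS line layout: timestamp, size, attribute string, path
DSS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (\S+) (.+)$")


def parse_dss_created(text):
    """Map lowercased path -> (created datetime, size in bytes, attribute string)."""
    files = {}
    for line in text.splitlines():
        m = DSS_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        files[m.group(4).strip().lower()] = (when, int(m.group(2)), m.group(3))
    return files


def parse_hjt(text):
    """Yield (section, raw line, lowercased path) for HJT lines that name a file."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]  # e.g. "O2", "O4", "O20", "O23"
        m = PATH_RE.search(line)
        if m:
            yield section, line, m.group(0).lower()


def triage(hjt_text, dss_text, scan_time=SCAN_TIME, recent=RECENT):
    """Return [(section, path, [reasons])] for autostart entries worth a closer look."""
    created = parse_dss_created(dss_text)
    findings = []
    for section, line, path in parse_hjt(hjt_text):
        reasons = []
        info = created.get(path)
        if info:
            when, _size, attrs = info
            age = scan_time - when
            if timedelta(0) <= age <= recent:
                reasons.append(f"created {age.total_seconds() / 3600:.1f}h before scan")
            if "h" in attrs and "s" in attrs:
                reasons.append(f"hidden+system attributes ({attrs})")
        if section == "O20":
            # Winlogon Notify DLLs are loaded by winlogon.exe, which is why a
            # scanner can only mark them "Delete on reboot"
            reasons.append("Winlogon Notify hook (loaded by winlogon.exe)")
        if section == "O23" and "Unknown owner" in line:
            reasons.append("service with no vendor string")
        if section == "O4" and "rundll32" in line.lower():
            reasons.append("Run key loads a DLL through rundll32")
        if reasons:
            findings.append((section, path, reasons))
    return findings


if __name__ == "__main__":
    for section, path, reasons in triage(HJT_LINES, DSS_CREATED):
        print(f"{section:<4} {path}")
        for r in reasons:
            print(f"      - {r}")
```

Run stand-alone it prints four entries (urqQiJdc.dll, pevppgnr.dll, nnnmLedB.dll, acluif.exe) and leaves the Google Toolbar and iTunes entries alone, because neither was created in the scan window nor matches a section rule. The point of the correlation is that a fresh timestamp on a file sitting in an autostart location is a much stronger signal than either fact on its own.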


#2 Zengoalie

Zengoalie
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:06:10 PM

Posted 07 August 2008 - 08:29 PM

Don't mean to bump, but in addition to Vundo it looks like I've got that damn AntiVirus XP 2008 crap too...

#3 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:10 PM

Posted 08 August 2008 - 11:43 PM

Hello Zengoalie,


It is not a good idea to "Bump" your post, as it will only delay help for your log.


When selecting logs we generally use two criteria to look for unanswered logs.

1. We start from the oldest to the most recent. That means if you keep bumping, your log is at the top of the list, and since we do not work from the top, it will be looked at last!! :thumbsup:

2. We look first for posts with no replies. A bump is a reply, so you get pushed further down the response ladder.


"I ran MalwareBytes several times and it continues to find Vundo, but even after reboot it's unable to delete the infected files."


Please post the MalwareBytes log.

Edited by SifuMike, 08 August 2008 - 11:57 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#4 Zengoalie

Zengoalie
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:06:10 PM

Posted 09 August 2008 - 03:55 PM

Thanks, seems like it reinfects with each reboot, and refuses to delete the nnnmLedB.dll file.

I also followed some of the manual instructions to attempt to get rid of Antivirus XP 2008. There are two files that I unchecked on Startup using msconfig: lphcnh8j0e12l and rhcjh8j0e12l (both are still showing up, but at least they're not starting up now...). So I know there are still leftovers from that nasty bug.
Sophos continues to pop up the message that Virtum-Gen is there. When I attempt to run Ad-aware it gets about a quarter of the way into the scan and then the computer reboots and hangs.

Thanks for your help! Here's the latest Malwarebytes log:


Malwarebytes' Anti-Malware 1.24
Database version: 1035
Windows 5.1.2600 Service Pack 2

4:32:32 PM 8/9/2008
mbam-log-8-9-2008 (16-32-32).txt

Scan type: Quick Scan
Objects scanned: 44675
Time elapsed: 17 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\nnnmLedB.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fe07740c-ed9e-4041-a4f6-565ae689a3e8} (Trojan.BHO) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{fe07740c-ed9e-4041-a4f6-565ae689a3e8} (Trojan.BHO) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnmledb (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{fe07740c-ed9e-4041-a4f6-565ae689a3e8} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bmab233c29 (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\nnnmLedB.dll (Trojan.BHO) -> Delete on reboot.
C:\WINDOWS\system32\pyfeapfv.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMab233c29.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMab233c29.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

Edited by Zengoalie, 09 August 2008 - 03:56 PM.


#5 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:10 PM

Posted 09 August 2008 - 04:17 PM

Hi Zengoalie,

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


You need to disable your Sophos Anti-Virus before running ComboFix, as it will prevent ComboFix from running.


Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.

When following the instructions install the Windows XP Recovery Console if you are using XP. <== IMPORTANT
It is a simple procedure that will only take a few moments of your time. It is our safety net.


You DO NOT need to have the Windows CD to install Recovery Console!

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.


We need Recovery Console because malware damages a lot and causes an unstable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged.
Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log.

Edited by SifuMike, 09 August 2008 - 04:20 PM.


#6 Zengoalie

Zengoalie
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:06:10 PM

Posted 09 August 2008 - 08:46 PM

Thanks for your help! My machine rebooted in the middle of running ComboFix...so I hope that's not a bad sign. Here's the log:

ComboFix 08-08-09.03 - Owner 2008-08-09 21:24:21.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1057 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\KST59UX5\www.broadcaster.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\system32\jjkkj.bak1
C:\WINDOWS\system32\jjkkj.bak2
C:\WINDOWS\system32\jjkkj.ini
C:\WINDOWS\system32\jpavxklc.ini
C:\WINDOWS\system32\kilsabsv.ini
C:\WINDOWS\system32\kilxeyuv.ini
C:\WINDOWS\system32\mvx.dat
C:\WINDOWS\system32\rCeMonnn.ini
C:\WINDOWS\system32\rCeMonnn.ini2
C:\WINDOWS\system32\rxywbefa.ini
C:\WINDOWS\system32\uninstall.exe
C:\WINDOWS\system32\uujauikh.ini
C:\WINDOWS\system32\WFMpoUtv.ini
C:\WINDOWS\system32\WFMpoUtv.ini2
C:\WINDOWS\system32\YFeLVvut.ini
C:\WINDOWS\system32\YFeLVvut.ini2
D:\Autorun.inf
G:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_rpcsssavadminservice
-------\Service_rpcsssavadminservice


((((((((((((((((((((((((( Files Created from 2008-07-10 to 2008-08-10 )))))))))))))))))))))))))))))))
.

2008-08-08 18:45 . 2003-10-11 08:30 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-08-08 18:45 . 2003-10-14 09:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-08-08 18:45 . 2003-10-11 08:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-08-08 18:45 . 2003-10-11 09:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-08-08 18:45 . 2003-10-14 09:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\interMute
2008-08-08 18:45 . 2008-08-08 18:45 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-06 19:09 . 2008-08-06 19:09 <DIR> d-------- C:\Deckard
2008-08-06 19:06 . 2008-08-06 19:06 <DIR> d-------- C:\_OTMoveIt
2008-08-06 12:00 . 2008-08-06 12:00 <DIR> d-------- C:\a8070
2008-08-06 11:59 . 2008-08-06 11:59 <DIR> d-------- C:\8615f
2008-08-06 11:59 . 2008-08-06 12:00 <DIR> d-------- C:\54b63
2008-08-06 11:58 . 2008-08-09 21:34 111,216 --a------ C:\WINDOWS\system32\drivers\b2e25a6.sys
2008-08-06 11:58 . 2008-08-06 11:58 65,536 --a------ C:\wuon.exe
2008-08-06 11:58 . 2008-08-08 09:29 669 --a-s---- C:\WINDOWS\system32\2216712837.dat
2008-08-06 11:58 . 2008-08-06 11:58 2 --a------ C:\-1475342566
2008-07-26 22:13 . 2008-07-26 22:14 <DIR> d-------- C:\Program Files\iTunes
2008-07-26 22:09 . 2008-07-26 22:09 <DIR> d-------- C:\Program Files\Apple Software Update
2008-07-20 08:10 . 2008-07-20 08:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-19 09:30 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-10 10:39 . 2008-07-10 10:39 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Softland
2008-07-10 10:38 . 2008-07-10 10:38 <DIR> d-------- C:\Program Files\Softland
2008-07-10 10:38 . 2008-07-09 12:56 21,656 --a------ C:\WINDOWS\system32\novamnp5.dll
2008-07-10 10:38 . 2008-07-09 12:56 18,584 --a------ C:\WINDOWS\system32\novamip5.dll
2008-07-10 10:38 . 2008-03-27 15:42 7,477 --a------ C:\WINDOWS\system32\novap5.ctm
2008-07-10 10:27 . 2008-07-10 10:34 <DIR> d-------- C:\Program Files\Acro Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-10 01:18 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-09 20:46 --------- d-----w C:\Program Files\Trillian
2008-08-07 22:27 --------- d-----w C:\Program Files\Lavasoft
2008-08-07 22:27 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-07 00:40 --------- d-----w C:\Program Files\BearShare
2008-08-07 00:19 --------- d-----w C:\Program Files\SpywareBlaster
2008-08-06 22:23 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-07-31 00:07 17,144 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-07-27 02:21 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-07-27 02:14 --------- d-----w C:\Program Files\iPod
2008-07-27 02:11 --------- d-----w C:\Program Files\QuickTime
2008-07-20 12:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-07-18 23:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2008-07-10 15:46 --------- d-----w C:\Program Files\Evrsoft First Page 2006
2008-07-10 14:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-10 14:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2008-07-10 14:35 --------- d-----w C:\Program Files\DivX
2008-07-10 13:35 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2008-07-03 11:45 --------- d-----w C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-07-03 11:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-25 15:59 --------- d-----w C:\Program Files\Comcast Rhapsody
2008-06-25 15:55 --------- d-----w C:\Program Files\Real
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-18 17:59 --------- d-----w C:\Program Files\Syberia
2008-06-17 13:55 --------- d-----w C:\Program Files\HP
2008-06-17 13:55 --------- d-----w C:\Program Files\Hewlett-Packard
2008-06-17 11:39 --------- d-----w C:\Documents and Settings\Owner\Application Data\SecondLife
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-23 18:11 724,992 ----a-w C:\WINDOWS\iun6002.exe
2006-05-20 15:15 13 ---h--w C:\Documents and Settings\All Users\Application Data\3113.sys
.

------- Sigcheck -------

2005-05-25 15:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 13:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 06:44 360960 744e57c99232201ae98c49168b918f48 C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2002-08-29 08:00 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-04 02:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
2005-05-25 15:04 359808 88763a98a4c26c409741b4aa162720c9 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
2006-01-12 22:28 359808 583e063fdc888ca30d05c2724b0d7ef4 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 07:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2007-10-30 13:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\$NtUninstallKB951748$\tcpip.sys
2004-08-04 02:14 359040 1745b00fc1141404b28f4b94f69a8871 C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\LaunchPd.exe" [2003-06-13 06:43 106574]
"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe" [2002-10-22 10:55 159744]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe" [2005-05-09 19:16 192512]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"Audio Kontrol 1"="C:\Program Files\Native Instruments\Audio Kontrol 1\Audio Kontrol 1.exe" [2006-11-30 14:25 7008256]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-05 08:50 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-10-02 20:30 180269]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-07-15 11:42 4112384]
"iRiver Updater"="\Updater.exe" [2004-07-01 17:20 212992]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38 241664]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2006-01-13 20:38 172032]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
DING!.lnk - C:\Program Files\Southwest Airlines\Ding\Ding.exe [2006-06-22 15:15:48 462848]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-05-11 20:16:03 114688]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
AutoUpdate Monitor.lnk - C:\Program Files\Sophos\AutoUpdate\ALMon.exe [2007-06-21 06:18:00 245760]
Compaq Connections.lnk - C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe [2003-10-11 08:42:56 16384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VCR2"= ATIVCR2.DLL
"VIDC.DRAW"= DVIDEO.DLL
"VIDC.VCR1"= ATIVCR1.DLL
"VIDC.YU12"= ATIYUV12.DLL
"vidc.xvid"= xvid.dll
"VIDC.VDOM"= vdowave.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MsnFixer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MsnFixer.lnk
backup=C:\WINDOWS\pss\MsnFixer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-04-07 10:07 114688 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 19:04 52736 c:\WINDOWS\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IcoSet]
--a------ 1999-11-07 10:11 27136 c:\hp\bin\cloaker.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2003-02-11 23:02 61440 C:\hp\KBD\kbd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2004-07-15 11:42 4112384 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2002-07-31 23:28 81920 C:\WINDOWS\system32\ps2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2002-09-14 00:42 212992 C:\WINDOWS\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a------ 2003-06-17 21:13 118784 C:\WINDOWS\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultPrinter]
--a------ 1999-11-07 10:11 27136 c:\hp\bin\cloaker.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2004-10-02 20:30 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 11:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
--a------ 2003-07-14 20:52 40960 C:\WINDOWS\ltmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
--a------ 2004-07-15 11:42 1363968 C:\WINDOWS\system32\nview.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-07-15 11:42 843776 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"=

R1 SAVOnAccessControl;SAVOnAccessControl;C:\WINDOWS\system32\DRIVERS\savonaccesscontrol.sys [2007-09-10 08:09]
R1 SAVOnAccessFilter;SAVOnAccessFilter;C:\WINDOWS\system32\DRIVERS\savonaccessfilter.sys [2007-09-10 08:08]
R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2005-10-18 18:02]
R3 ATICXCAP;ATI TV Wonder Pro A/V Capture;C:\WINDOWS\system32\drivers\aticxcap.sys [2003-04-08 09:47]
R3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);C:\WINDOWS\system32\drivers\aticxtun.sys [2003-04-08 09:47]
R3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;C:\WINDOWS\system32\drivers\aticxxbr.sys [2003-04-08 09:47]
S0 IFP300;iRiver Internet Audio Player IFP-300;C:\WINDOWS\system32\DRIVERS\ifp300.sys []
S0 ntcdrdrv;ntcdrdrv;C:\WINDOWS\system32\DRIVERS\ntcdrdrv.sys []
S3 ak1avs;ak1avs;C:\WINDOWS\system32\Drivers\ak1avs.sys [2006-09-20 17:34]
S3 ak1usb;ak1usb;C:\WINDOWS\system32\Drivers\ak1usb.sys [2006-09-20 17:34]
S3 idrmkl;idrmkl;C:\DOCUME~1\Owner\LOCALS~1\Temp\idrmkl.sys []
S3 JL2005C;Dual Mode Camera;C:\WINDOWS\system32\Drivers\jl2005c.sys [2007-03-24 12:37]
S3 ma763004;M-Audio MobilePre USB;C:\WINDOWS\system32\drivers\MA763004.sys []
S3 MA763010;M-Audio Fast Track;C:\WINDOWS\system32\drivers\MA763010.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder

2008-07-27 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
- - - - ORPHANS REMOVED - - - -

BHO-{36c83156-3728-434e-8d21-4bcc82f0e7b9} - C:\WINDOWS\system32\wvUmjHBT.dll
BHO-{6023d3eb-0f2a-4c7d-8e07-dd15c8a5421b} - C:\WINDOWS\system32\ddcDwtuU.dll
BHO-{67d5922f-70f3-4eca-be46-4a5b3cf7f1bf} - C:\WINDOWS\system32\urqQiJdc.dll
BHO-{6b27b785-1b18-4913-a88b-9f59107f9467} - C:\WINDOWS\system32\tuvVLeFY.dll
BHO-{c2c48ae4-8c82-4922-a8a9-b82cb933623b} - C:\WINDOWS\system32\vtUopMFW.dll
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKCU-Run-Simple Star PhotoShow Media Manager - C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
HKCU-Run-BitTorrent - C:\Program Files\BitTorrent\bittorrent.exe
HKCU-Run-Aim6 - (no file)
HKLM-Run-Adobe Photo Downloader - C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
HKLM-Run-NapsterShell - C:\Program Files\Napster\napster.exe
HKLM-Run-links - links.exe
MSConfigStartUp-CamMonitor - c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
MSConfigStartUp-lphcnh8j0e12l - C:\WINDOWS\system32\lphcnh8j0e12l.exe
MSConfigStartUp-SMrhcjh8j0e12l - C:\Program Files\rhcjh8j0e12l\rhcjh8j0e12l.exe
MSConfigStartUp-VTTimer - VTTimer.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ttbdbehh.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.goodsearch.com/Default.aspx


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-09 21:32:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\b2e25a6]
"ImagePath"="\SystemRoot\System32\drivers\b2e25a6.sys"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Updater.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-08-09 21:44:10 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-08-10 01:43:07

Pre-Run: 44,621,877,248 bytes free
Post-Run: 44,332,658,688 bytes free

277 --- E O F --- 2008-07-09 11:21:38
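The log above contains most of what a responder would pull out by hand: the Security Center values that silence antivirus monitoring, Autorun.inf files on D: and G: together with the per-drive AutoRun command under MountPoints2, a kernel driver loaded from the user's Temp directory, a bare directory (C:\WINDOWS\system32) in the firewall's authorized-application list, the eight-letter mixed-case BHO DLLs typical of Vundo, and the hex-named driver b2e25a6.sys with its own service. The Python script below is an added example, not part of Zengoalie's post and not ComboFix code; it runs those heuristics over lines excerpted from the log (embedded as a constructed sample). The rule names and regular expressions are this example's own assumptions. The random-name heuristic is deliberately limited to BHO lines because eight-letter mixed-case names also occur in legitimate software (Recguard.exe appears in the same log).

```python
"""Triage a ComboFix log for the indicators visible in the post above.

Added example: not part of the original post and not ComboFix code.
SAMPLE_LOG is excerpted from the log above; rule names and patterns
are this example's own heuristics (assumptions, not ComboFix output).
"""
import re

SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\jjkkj.ini
D:\Autorun.inf
G:\Autorun.inf
((((((((((((((((((((((((( Files Created from 2008-07-10 to 2008-08-10 )))))))))))))))))))))))))))))))
2008-08-06 12:00 . 2008-08-06 12:00 <DIR> d-------- C:\a8070
2008-08-06 11:58 . 2008-08-09 21:34 111,216 --a------ C:\WINDOWS\system32\drivers\b2e25a6.sys
2008-08-06 11:58 . 2008-08-06 11:58 65,536 --a------ C:\wuon.exe
2008-07-19 09:30 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2005-10-18 18:02]
S3 idrmkl;idrmkl;C:\DOCUME~1\Owner\LOCALS~1\Temp\idrmkl.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480
BHO-{36c83156-3728-434e-8d21-4bcc82f0e7b9} - C:\WINDOWS\system32\wvUmjHBT.dll
BHO-{c2c48ae4-8c82-4922-a8a9-b82cb933623b} - C:\WINDOWS\system32\vtUopMFW.dll
HKLM-Run-NapsterShell - C:\Program Files\Napster\napster.exe
HKLM-Run-links - links.exe
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\b2e25a6]
"ImagePath"="\SystemRoot\System32\drivers\b2e25a6.sys"
"""

REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-f]{8}))?$', re.I)
# Security Center values that silence or override AV/firewall monitoring
SC_OVERRIDES = {"antivirusdisablenotify", "antivirusoverride",
                "firewalldisablenotify", "firewalloverride", "disablemonitoring"}

LINE_RULES = [
    # Autorun.inf sitting in a drive root: removable-media autorun vector
    ("autorun-inf-on-drive", re.compile(r"^[A-Z]:\\Autorun\.inf$", re.I)),
    # per-drive AutoRun command Explorer runs when the drive is opened
    ("drive-autorun-command", re.compile(r"^\\Shell\\AutoRun\\command\s+-", re.I)),
    # kernel driver whose image lives under a user Temp directory
    ("driver-in-temp", re.compile(r"^[RS]\d\s+[^;]+;[^;]+;[^;\[]*\\Temp\\[^;\[]*\.sys", re.I)),
    # Vundo-style BHO: 8 letters, mixed case (wvUmjHBT.dll); case-sensitive on purpose
    ("vundo-style-random-name", re.compile(
        r"^BHO-\{[0-9a-f-]+\}\s+-\s+.*\\(?=[A-Za-z]{8}\.)(?=[a-z]*[A-Z])(?=[A-Z]*[a-z])[A-Za-z]{8}\.dll$")),
    # driver named like a hex blob (b2e25a6.sys), in file lists or ImagePath values
    ("hex-named-driver", re.compile(r"\\[0-9a-f]{6,8}\.sys\b", re.I)),
    # new file or directory created directly in a drive root (C:\wuon.exe, C:\a8070)
    ("new-item-in-drive-root", re.compile(r"^\d{4}-\d\d-\d\d .*\s[A-Z]:\\[^\\]+$")),
    # Run/startup entry naming a bare file, resolved through the search path
    ("run-entry-bare-filename", re.compile(
        r"^(?:HK(?:LM|CU)-Run|MSConfigStartUp)-\S+ - [^\\:]+\.exe$", re.I)),
]


def triage(log_text):
    """Return (rule, line) pairs for every suspicious line in a ComboFix log."""
    findings = []
    key = ""  # registry key most recently opened by a [...] header
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        km = REG_KEY.match(line)
        if km:
            key = km.group(1).lower()
            continue
        vm = REG_VALUE.match(line)
        if vm:
            name, data = vm.group(1).lower(), vm.group(2)
            if "security center" in key and name in SC_OVERRIDES and data and int(data, 16):
                findings.append(("security-center-override", line))
            elif "authorizedapplications" in key and not re.search(r'\.\w{3}"=$', line):
                # entry names a directory rather than an executable
                findings.append(("firewall-allows-directory", line))
            continue
        for rule, pattern in LINE_RULES:
            if pattern.search(line):
                findings.append((rule, line))
    return findings


def count_by_rule(findings):
    """Summarise findings as {rule: hits}."""
    counts = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"{rule:26} {line}")
```

Run against the sample, triage() returns 15 findings: three Security Center overrides, two Autorun.inf files, the MountPoints2 AutoRun command, the Temp-resident driver, the directory entry in the firewall list, both BHO DLLs, two hits on b2e25a6.sys, the two new root-level items and the bare links.exe Run value. Feed it a full log (triage(open(path).read())) and read the hits as leads to confirm, not verdicts.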

#7 SifuMike (malware expert, Staff Emeritus, 15,385 posts, Location: Vancouver (not BC) WA (Not DC) USA)

Posted 09 August 2008 - 10:18 PM

Hi Zengoalie,

You have some suspicious files we need to check.

You will need to see hidden files, so follow these directions:

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'Show hidden files and folders',
deselect (uncheck) 'Hide protected operating system files (recommended)', and
deselect (uncheck) 'Hide extensions for known file types'.


Go to the following site: http://www.virustotal.com/en/indexf.html
At the top you'll find 'Browse'.
Click the Browse button and browse to the following file:

C:\WINDOWS\system32\novamnp5.dll

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.

Perform the same for the following files:

C:\WINDOWS\system32\novamip5.dll
C:\WINDOWS\system32\drivers\b2e25a6.sys
C:\wuon.exe
C:\-1475342566
C:\WINDOWS\system32\2216712837.dat


Once scanned, copy and paste the results also in your next reply.

NOTE: I usually enter my email address at VirusTotal so they can send me the scan results. They usually only take a couple of minutes to reply.
You can copy/paste the scan results here.

Edited by SifuMike, 09 August 2008 - 10:20 PM.


#8 Zengoalie (Topic Starter, Members, 17 posts)

Posted 10 August 2008 - 08:35 AM

Here are the results for each file:


File novamnp5.dll received on 08.10.2008 15:22:12 (CET)
Result: 0/36 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.8.9.0 2008.08.08 -
AntiVir 7.8.1.19 2008.08.09 -
Authentium 5.1.0.4 2008.08.10 -
Avast 4.8.1195.0 2008.08.09 -
AVG 8.0.0.156 2008.08.09 -
BitDefender 7.2 2008.08.10 -
CAT-QuickHeal 9.50 2008.08.08 -
ClamAV 0.93.1 2008.08.10 -
DrWeb 4.44.0.09170 2008.08.10 -
eSafe 7.0.17.0 2008.08.07 -
eTrust-Vet 31.6.6021 2008.08.08 -
Ewido 4.0 2008.08.10 -
F-Prot 4.4.4.56 2008.08.10 -
F-Secure 7.60.13501.0 2008.08.10 -
Fortinet 3.14.0.0 2008.08.10 -
GData 2.0.7306.1023 2008.08.10 -
Ikarus T3.1.1.34.0 2008.08.10 -
K7AntiVirus 7.10.408 2008.08.09 -
Kaspersky 7.0.0.125 2008.08.10 -
McAfee 5357 2008.08.08 -
Microsoft 1.3807 2008.08.10 -
NOD32v2 3343 2008.08.10 -
Norman 5.80.02 2008.08.08 -
Panda 9.0.0.4 2008.08.10 -
PCTools 4.4.2.0 2008.08.10 -
Prevx1 V2 2008.08.10 -
Rising 20.56.41.00 2008.08.08 -
Sophos 4.32.0 2008.08.10 -
Sunbelt 3.1.1538.1 2008.08.09 -
Symantec 10 2008.08.10 -
TheHacker 6.2.96.395 2008.08.08 -
TrendMicro 8.700.0.1004 2008.08.08 -
VBA32 3.12.8.3 2008.08.09 -
ViRobot 2008.8.8.1329 2008.08.08 -
VirusBuster 4.5.11.0 2008.08.09 -
Webwasher-Gateway 6.6.2 2008.08.10 -
Additional information
File size: 21656 bytes
MD5...: 8df161ba25791bfa0505ef40f0c06651
SHA1..: a770e8c4933959da7a6bc6f53b95af9764794734
SHA256: 204260e6df8a74cc50f869e50ac4abfdf407feacdb47f4d71bc9cd3632b87b56
SHA512: e5c2447a61709a568ec102c11528e0c5d94524406275e8d127e0aab63f5d5849
c699c7ce973083840b83afbc4bb9947ed8f0241681bbe8902166bf42c6d2ff8a
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4036f7
timedatestamp.....: 0x487481fe (Wed Jul 09 09:16:46 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x3366 0x3400 6.34 d0a38f9d51c5756db8620d3ee3702bd2
.data 0x5000 0x226c 0x200 2.03 3c66d79c71dce3897736106b11a799c4
.rsrc 0x8000 0x468 0x600 2.51 386df4886698c24874800e18b62c5077
.reloc 0x9000 0x466 0x600 3.16 0778fe472aaea57e9d604fd2fbeac76a

( 6 imports )
> msvcrt.dll: _adjust_fdiv, _amsg_exit, _initterm, malloc, _XcptFilter, __CxxFrameHandler, __3@YAXPAX@Z, memset, free, fopen, fputs, _wfopen, fclose, fread, memcpy, wcsrchr, wcsncpy
> ntdll.dll: RtlUnwind
> KERNEL32.dll: LocalAlloc, GetProcAddress, FreeLibrary, GetModuleFileNameW, GlobalAlloc, lstrcmpiW, LeaveCriticalSection, InterlockedExchange, QueryPerformanceCounter, LocalFree, LoadLibraryW, InterlockedCompareExchange, Sleep, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetVersionExW, InitializeCriticalSection, SetLastError, GetLastError, GlobalFree, DeleteCriticalSection, DisableThreadLibraryCalls, GetCurrentThreadId, EnterCriticalSection, GetTickCount
> USER32.dll: wsprintfW
> SPOOLSS.DLL: OpenPrinterW, SetJobW, ClosePrinter
> msvcp60.dll: __C@_1___Nullstr@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@CAPBDXZ@4DB, __1_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAE@XZ

( 1 exports )
InitializePrintMonitor2

File novamip5.dll received on 08.10.2008 15:23:45 (CET)

Antivirus Version Last Update Result
AhnLab-V3 2008.8.9.0 2008.08.08 -
AntiVir 7.8.1.19 2008.08.09 -
Authentium 5.1.0.4 2008.08.10 -
Avast 4.8.1195.0 2008.08.09 -
AVG 8.0.0.156 2008.08.09 -
BitDefender 7.2 2008.08.10 -
CAT-QuickHeal 9.50 2008.08.08 -
ClamAV 0.93.1 2008.08.10 -
DrWeb 4.44.0.09170 2008.08.10 -
eSafe 7.0.17.0 2008.08.07 -
eTrust-Vet 31.6.6019 2008.08.08 -
Ewido 4.0 2008.08.10 -
F-Prot 4.4.4.56 2008.08.10 -
F-Secure 7.60.13501.0 2008.08.10 -
Fortinet 3.14.0.0 2008.08.10 -
GData 2.0.7306.1023 2008.08.10 -
Ikarus T3.1.1.34.0 2008.08.10 -
K7AntiVirus 7.10.408 2008.08.09 -
Kaspersky 7.0.0.125 2008.08.10 -
McAfee 5357 2008.08.08 -
Microsoft 1.3807 2008.08.10 -
NOD32v2 3343 2008.08.10 -
Norman 5.80.02 2008.08.08 -
Panda 9.0.0.4 2008.08.10 -
PCTools 4.4.2.0 2008.08.10 -
Prevx1 V2 2008.08.10 -
Rising 20.56.41.00 2008.08.08 -
Sophos 4.32.0 2008.08.10 -
Sunbelt 3.1.1538.1 2008.08.09 -
Symantec 10 2008.08.10 -
TheHacker 6.2.96.395 2008.08.08 -
TrendMicro 8.700.0.1004 2008.08.08 -
VBA32 3.12.8.3 2008.08.09 -
ViRobot 2008.8.8.1329 2008.08.08 -
VirusBuster 4.5.11.0 2008.08.09 -
Webwasher-Gateway 6.6.2 2008.08.10 -
Additional information
File size: 18584 bytes
MD5...: f0a0b7f613a98af9365fe47514fcdc65
SHA1..: 58054755e32d0112a157bdcd91953785575048af
SHA256: 64d16586fb0c9c85c4b4b9cf39989a9703b56c7c0835494d8c1b31aff8b253f2
SHA512: 02878645d9c2b3681aba29d61076d37a4c723d4fbe79e14c891a6a8aa04b2142
ae33f6b62af57f5117a15d417a5dfd9853287534b98c50122e3bd3524b62939e
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x402e2a
timedatestamp.....: 0x48748200 (Wed Jul 09 09:16:48 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2888 0x2a00 6.23 15513597c9b3574749662c19931aa08c
.data 0x4000 0x214c 0x200 1.04 29575e6f32f6ffb076465408d2af0718
.rsrc 0x7000 0x408 0x600 2.26 bdd37a0501e364b2164de7a7d42b86ff
.reloc 0x8000 0x27e 0x400 3.13 8f5372d9236c113c0028b53054e6b8df

( 6 imports )
> msvcrt.dll: _XcptFilter, wcsrchr, _adjust_fdiv, _amsg_exit, _initterm, free, malloc, wcsncpy, memset, _wfopen, fclose, fread, memcpy, _vsnwprintf
> ntdll.dll: RtlUnwind
> KERNEL32.dll: GetLastError, LocalAlloc, SetLastError, GlobalFree, GetModuleFileNameW, GlobalAlloc, InterlockedCompareExchange, Sleep, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, InterlockedExchange, DisableThreadLibraryCalls, LocalFree, FormatMessageW
> USER32.dll: MessageBoxW, LoadStringW, wsprintfW
> COMCTL32.dll: -, InitCommonControlsEx
> WINSPOOL.DRV: ClosePrinter, OpenPrinterW, XcvDataW

( 1 exports )
InitializePrintMonitorUI

C:\WINDOWS\system32\drivers\b2e25a6.sys
result
0 bytes size received / An empty file was received (VirusTotal's Spanish message: Se ha recibido un archivo vacio)

File wuon.exe received on 08.10.2008 15:26:43 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.8.9.0 2008.08.08 -
AntiVir 7.8.1.19 2008.08.09 -
Authentium 5.1.0.4 2008.08.10 -
Avast 4.8.1195.0 2008.08.09 -
AVG 8.0.0.156 2008.08.09 -
BitDefender 7.2 2008.08.10 -
CAT-QuickHeal 9.50 2008.08.08 -
ClamAV 0.93.1 2008.08.10 -
DrWeb 4.44.0.09170 2008.08.10 -
eSafe 7.0.17.0 2008.08.07 -
eTrust-Vet 31.6.6021 2008.08.08 -
Ewido 4.0 2008.08.10 -
F-Prot 4.4.4.56 2008.08.10 -
F-Secure 7.60.13501.0 2008.08.10 -
Fortinet 3.14.0.0 2008.08.10 -
GData 2.0.7306.1023 2008.08.10 -
Ikarus T3.1.1.34.0 2008.08.10 -
K7AntiVirus 7.10.408 2008.08.09 -
Kaspersky 7.0.0.125 2008.08.10 -
McAfee 5357 2008.08.08 -
Microsoft 1.3807 2008.08.10 -
NOD32v2 3343 2008.08.10 -
Norman 5.80.02 2008.08.08 -
Panda 9.0.0.4 2008.08.10 -
PCTools 4.4.2.0 2008.08.10 -
Prevx1 V2 2008.08.10 Malicious Software
Rising 20.56.41.00 2008.08.08 -
Sophos 4.32.0 2008.08.10 -
Sunbelt 3.1.1538.1 2008.08.09 -
Symantec 10 2008.08.10 Downloader
TheHacker 6.2.96.395 2008.08.08 -
TrendMicro 8.700.0.1004 2008.08.08 -
VBA32 3.12.8.3 2008.08.09 -
ViRobot 2008.8.8.1329 2008.08.08 -
VirusBuster 4.5.11.0 2008.08.09 -
Webwasher-Gateway 6.6.2 2008.08.10 -
Additional information
File size: 65536 bytes
MD5...: e958bef0b09bf1ec7610ffefe237d28b
SHA1..: aed32ef1cdf46c03723f0aeeafeb6df9cb6083bb
SHA256: 199d4f0fc043c3c24b961b5727343528a701dbddb5cf226a7308188ef5431325
SHA512: f050f4b2779be864a08a5d7f6110e0946b7749c2d40f85e86d3664750f257add
da7e9f52cb2e4b6304bd96c57a0cdc0b23f0f6eda63feda194368149a1798b43
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4010f0
timedatestamp.....: 0x489984bd (Wed Aug 06 11:02:21 2008)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xb000 0xac00 6.55 b8243931995717808221e0db02e1327c
.data 0xc000 0x7000 0x2e00 4.99 6af91e686d9169f63d1b1c112bbcf4d1
.tls 0x13000 0x1000 0x200 0.00 bf619eac0cdf3f68d496ea9344137e8b
.rdata 0x14000 0x1000 0x200 0.21 3fbd0d4ce4a0697c56e40c69ac825f3b
.idata 0x15000 0x1000 0x800 3.97 f2e2bf7803bed9d35b6b802f017520f8
.edata 0x16000 0x1000 0x200 1.20 da4f6cb8b6b3edccb9aae320e55bf69d
.rsrc 0x17000 0x1000 0x600 2.54 b560d759d06ec1e46e1f2f67e49a0486
.reloc 0x18000 0x1000 0xc00 6.36 cef4bd4e2a1a2ce67992b9e1c3b1ba5e

( 3 imports )
> KERNEL32.DLL: CloseHandle, CreateDirectoryA, CreateFileA, DeleteCriticalSection, EnterCriticalSection, ExitProcess, GetACP, GetCPInfo, GetCommandLineA, GetCurrentThreadId, GetEnvironmentStrings, GetFileType, GetLastError, GetLocalTime, GetModuleFileNameA, GetModuleHandleA, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoA, GetStdHandle, GetStringTypeW, GetTimeZoneInformation, GetVersion, GetVersionExA, GlobalMemoryStatus, HeapAlloc, HeapFree, InitializeCriticalSection, LCMapStringA, LeaveCriticalSection, LoadLibraryA, MultiByteToWideChar, RaiseException, RtlUnwind, SetConsoleCtrlHandler, SetFilePointer, SetHandleCount, SetLastError, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualFree, VirtualQuery, WideCharToMultiByte, WriteFile
> WSOCK32.DLL: -, -, -, -, -, -, -, -, -, -
> USER32.DLL: EnumThreadWindows, MessageBoxA, wsprintfA

( 2 exports )
__GetExceptDLLinfo, ___CPPdebugHook
Prevx info: http://info.prevx.com/aboutprogramtext.asp...A0F36005D39F4AB


File -1475342566 received on 08.10.2008 15:29:32 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.8.9.0 2008.08.08 -
AntiVir 7.8.1.19 2008.08.09 -
Authentium 5.1.0.4 2008.08.10 -
Avast 4.8.1195.0 2008.08.09 -
AVG 8.0.0.156 2008.08.09 -
BitDefender 7.2 2008.08.10 -
CAT-QuickHeal 9.50 2008.08.08 -
ClamAV 0.93.1 2008.08.10 -
DrWeb 4.44.0.09170 2008.08.10 -
eSafe 7.0.17.0 2008.08.07 -
eTrust-Vet 31.6.6021 2008.08.08 -
Ewido 4.0 2008.08.10 -
F-Prot 4.4.4.56 2008.08.10 -
F-Secure 7.60.13501.0 2008.08.10 -
Fortinet 3.14.0.0 2008.08.10 -
GData 2.0.7306.1023 2008.08.10 -
Ikarus T3.1.1.34.0 2008.08.10 -
K7AntiVirus 7.10.408 2008.08.09 -
Kaspersky 7.0.0.125 2008.08.10 -
McAfee 5357 2008.08.08 -
Microsoft 1.3807 2008.08.10 -
NOD32v2 3343 2008.08.10 -
Norman 5.80.02 2008.08.08 -
Panda 9.0.0.4 2008.08.10 -
PCTools 4.4.2.0 2008.08.10 -
Prevx1 V2 2008.08.10 -
Rising 20.56.41.00 2008.08.08 -
Sophos 4.32.0 2008.08.10 -
Sunbelt 3.1.1538.1 2008.08.09 -
Symantec 10 2008.08.10 -
TheHacker 6.2.96.395 2008.08.08 -
TrendMicro 8.700.0.1004 2008.08.08 -
VBA32 3.12.8.3 2008.08.09 -
ViRobot 2008.8.8.1329 2008.08.08 -
VirusBuster 4.5.11.0 2008.08.09 -
Webwasher-Gateway 6.6.2 2008.08.10 -
Additional information
File size: 2 bytes
MD5...: 444bcb3a3fcf8389296c49467f27e1d6
SHA1..: 7a85f4764bbd6daf1c3545efbbf0f279a6dc0beb
SHA256: 2689367b205c16ce32ed4200942b8b8b1e262dfc70d9bc9fbc77c49699a4f1df
SHA512: 9fbbbb5a0f329f9782e2356fa41d89cf9b3694327c1a934d6af2a9df2d7f936c
e83717fb513196a4ce5548471708cd7134c2ae99b3c357bcabb2eafc7b9b7570
PEiD..: -
PEInfo: -


File 2216712837.dat received on 08.10.2008 15:31:55 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.8.9.0 2008.08.08 -
AntiVir 7.8.1.19 2008.08.09 -
Authentium 5.1.0.4 2008.08.10 -
Avast 4.8.1195.0 2008.08.09 -
AVG 8.0.0.156 2008.08.09 -
BitDefender 7.2 2008.08.10 -
CAT-QuickHeal 9.50 2008.08.08 -
ClamAV 0.93.1 2008.08.10 -
DrWeb 4.44.0.09170 2008.08.10 -
eSafe 7.0.17.0 2008.08.07 -
eTrust-Vet 31.6.6021 2008.08.08 -
Ewido 4.0 2008.08.10 -
F-Prot 4.4.4.56 2008.08.10 -
Fortinet 3.14.0.0 2008.08.10 -
GData 2.0.7306.1023 2008.08.10 -
Ikarus T3.1.1.34.0 2008.08.10 -
K7AntiVirus 7.10.408 2008.08.09 -
Kaspersky 7.0.0.125 2008.08.10 -
McAfee 5357 2008.08.08 -
Microsoft 1.3807 2008.08.10 -
NOD32v2 3343 2008.08.10 -
Norman 5.80.02 2008.08.08 -
Panda 9.0.0.4 2008.08.10 -
PCTools 4.4.2.0 2008.08.10 -
Rising 20.56.41.00 2008.08.08 -
Sophos 4.32.0 2008.08.10 -
Sunbelt 3.1.1538.1 2008.08.09 -
Symantec 10 2008.08.10 -
TheHacker 6.2.96.395 2008.08.08 -
TrendMicro 8.700.0.1004 2008.08.08 -
VBA32 3.12.8.3 2008.08.09 -
ViRobot 2008.8.8.1329 2008.08.08 -
VirusBuster 4.5.11.0 2008.08.09 -
Webwasher-Gateway 6.6.2 2008.08.10 -
Additional information
File size: 669 bytes
MD5...: 2f5a23d1c6d8e123e29a5ac3e24b445b
SHA1..: b160de05ae9593f2172a461b14b51a40828c64b8
SHA256: fb3389d3f983c805f14b75cfc39b89d861f631c10d6f523f351f473f281b7ac4
SHA512: f3dc3ae2286aefafc530a53c5c58f7a4dc0dc43507ef8f3a0b2c04217226f871
cdfbc493dcc6d3d405bf6ddacb68e03f7272b8103edad0898a1216a8aceab4c4
PEiD..: -
PEInfo: -

Edited by Zengoalie, 10 August 2008 - 08:38 AM.


#9 SifuMike
  • malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 10 August 2008 - 12:54 PM

Hi Zengoalie,

We need to check for lingering malware.

Please perform this online scan: Kaspersky Webscan

Note that you need to run this scan with Internet Explorer for it to work correctly.

If you have any problem running the scan to completion, disable your Antivirus and/or firewall temporarily, just refrain from surfing around while the scan is running and be sure to re-enable when done.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

1. Read the Requirements and Privacy statement, then select "Accept".
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install, and may need to repeat step 1.
3. Select "Install" to download the ActiveX controls that allow Kaspersky to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow".
5. Wait for the scanner to initialize and update its databases. When the download is complete it will say ready; click "Next".
6. Click "Scan Settings" and check the option to use the EXTENDED DATABASE.
Scan Options:
    Scan Archives
    Scan Mail Bases
Then click "OK".
7. Select a target to scan: click on "My Computer" and the scan will begin.
8. Once the scan is complete it will display if your system has been infected.
Now click on the Save Report As... button:

Posted Image

Under Save as type select Text file, write a name for the file and save it to your Desktop.
Locate the file at the Desktop, open it, then copy and paste that information in your next post.
9. Post the Kaspersky scan results in your next reply.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#10 Zengoalie
  • Topic Starter
  • Members
  • 17 posts

Posted 10 August 2008 - 05:34 PM

Problem is that IE is not showing any images; instead I'm getting little boxes with a red square, green circle, blue triangle type gif (not an "X"). I'm not sure I was able to make all the correct settings for running the scan, but here's the result I got.
One other thing to note: when I boot up, down in the left hand corner (to the right of the start button) a little white square pops up and then disappears...like something is trying to launch on startup, but then fails. I'm not sure what that is...

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, August 10, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, August 10, 2008 21:19:51
Records in database: 1079716
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 159971
Threat name: 4
Infected objects: 7
Suspicious objects: 0
Duration of the scan: 02:01:26


File name / Threat name / Threats count
C:\57.tmp Infected: not-a-virus:AdWare.Win32.AdBand.f 1
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\20\5312bcd4-20160c7c Infected: Trojan-Downloader.Java.Agent.f 1
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\46\1c42c72e-71e85f26 Infected: Trojan-Downloader.Java.Agent.f 1
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-29405ff-56be2697.zip Infected: Trojan-Downloader.Java.Agent.f 1
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-3c602653-59151121.zip Infected: Trojan-Downloader.Java.Agent.f 1
C:\Program Files\BearShare\Installer\BSInstall5.2.5.1.exe Infected: not-a-virus:AdWare.Win32.180Solutions.ao 1
C:\WINDOWS\system32\mac80ex.idf Infected: not-a-virus:AdWare.Win32.BargainBuddy.y 1

The selected area was scanned.

#11 SifuMike
  • malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 10 August 2008 - 06:01 PM

Hi Zengoalie,

You still have malware on your computer, so let's get rid of that and see if that fixes your problem.

Please download FixPolicies.exe and save to your Desktop.
For Windows XP ONLY. Do not run on any other Operating System.

You can ignore the warning about downloading this type of file.
Double-click FixPolicies.exe (this is a self-extracting ZIP archive).
Click the "Install" button on the bottom toolbar of the box that will open.
The program will create a new Folder called FixPolicies.
Open the FixPolicies folder and double-click on Fix_Policies.cmd.
A black box will briefly appear and then close.
Restart your computer.

This fix is used to remove certain restrictions on your system often disabled by malware and reset them to Windows default.

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\57.tmp 
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\20\5312bcd4-20160c7c 
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\46\1c42c72e-71e85f26 
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-29405ff-56be2697.zip 
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-3c602653-59151121.zip 
C:\Program Files\BearShare\Installer\BSInstall5.2.5.1.exe 
C:\WINDOWS\system32\mac80ex.idf 

Driver:: 
idrmkl

DirLook:: 
C:\a8070
C:\8615f
C:\54b63


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
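The File:: section of the CFScript above is exactly the list of paths Kaspersky reported as infected, copied by hand from the scan report. The Python below is an added example, not code from SifuMike, ComboFix or Kaspersky: it parses the result lines of a Kaspersky Online Scanner 7 report (the sample input is constructed from the report posted earlier in this thread), cross-checks the number of parsed lines against the report's own "Infected objects:" figure so that a truncated paste is noticed before a script is built from it, and renders the File::, Driver:: and DirLook:: sections in the layout used above. The function names (parse_report, build_cfscript and so on) are my own; the driver and directory names in the usage call are the ones from the script in this post.

```python
import re
from typing import Iterable, List, NamedTuple

# Constructed sample input: the statistics and result lines of the Kaspersky
# Online Scanner 7 report posted in this thread, with the rest of the report left out.
SAMPLE_REPORT = r"""
Scan statistics:
Files scanned: 159971
Threat name: 4
Infected objects: 7
Suspicious objects: 0
Duration of the scan: 02:01:26


File name / Threat name / Threats count
C:\57.tmp Infected: not-a-virus:AdWare.Win32.AdBand.f 1
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\20\5312bcd4-20160c7c Infected: Trojan-Downloader.Java.Agent.f 1
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\46\1c42c72e-71e85f26 Infected: Trojan-Downloader.Java.Agent.f 1
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-29405ff-56be2697.zip Infected: Trojan-Downloader.Java.Agent.f 1
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-3c602653-59151121.zip Infected: Trojan-Downloader.Java.Agent.f 1
C:\Program Files\BearShare\Installer\BSInstall5.2.5.1.exe Infected: not-a-virus:AdWare.Win32.180Solutions.ao 1
C:\WINDOWS\system32\mac80ex.idf Infected: not-a-virus:AdWare.Win32.BargainBuddy.y 1

The selected area was scanned.
"""


class Finding(NamedTuple):
    path: str
    threat: str
    count: int


# One result line: a drive-letter path (which may contain spaces), the literal
# marker "Infected:", the detection name, and the per-object threat count.
RESULT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?) Infected: (?P<threat>\S+) (?P<count>\d+)\s*$")
STAT_RE = re.compile(r"^Infected objects: (?P<n>\d+)\s*$")


def parse_report(text: str) -> List[Finding]:
    """Extract every 'path Infected: threat count' line from a Kaspersky report."""
    findings = []
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            findings.append(Finding(m["path"], m["threat"], int(m["count"])))
    return findings


def reported_infected_objects(text: str) -> int:
    """Read the 'Infected objects:' figure from the report's statistics block."""
    for line in text.splitlines():
        m = STAT_RE.match(line.strip())
        if m:
            return int(m["n"])
    raise ValueError("no 'Infected objects:' line in report")


def report_is_consistent(text: str) -> bool:
    """True when the parsed result lines account for every infected object the scanner counted."""
    return len(parse_report(text)) == reported_infected_objects(text)


def threat_families(findings: Iterable[Finding]) -> List[str]:
    """Distinct detection names, sorted; compare with the report's 'Threat name:' figure."""
    return sorted({f.threat for f in findings})


def build_cfscript(findings: Iterable[Finding],
                   drivers: Iterable[str] = (),
                   dirlook: Iterable[str] = ()) -> str:
    """Render the File::, Driver:: and DirLook:: sections in the layout used in this thread."""
    drivers, dirlook = list(drivers), list(dirlook)
    seen = set()
    lines = ["File::"]
    for f in findings:
        key = f.path.lower()          # dedupe case-insensitively, as NTFS paths compare
        if key not in seen:
            seen.add(key)
            lines.append(f.path)
    if drivers:
        lines += ["", "Driver::", *drivers]
    if dirlook:
        lines += ["", "DirLook::", *dirlook]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(f"parsed {len(found)} findings; consistent with report: {report_is_consistent(SAMPLE_REPORT)}")
    print(build_cfscript(found, drivers=["idrmkl"], dirlook=[r"C:\a8070", r"C:\8615f", r"C:\54b63"]))
```

The consistency check is the part worth keeping: if the number of parsed result lines does not equal the scanner's own count, the pasted report is incomplete and the generated File:: list would silently miss objects. The same check applies to the "Threat name:" figure, which threat_families lets you compare against.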

#12 Zengoalie
  • Topic Starter
  • Members
  • 17 posts

Posted 10 August 2008 - 06:52 PM

Thanks for the quick responses! Here's the latest:

ComboFix 08-08-09.03 - Owner 2008-08-10 19:30:20.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1047 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\57.tmp
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\20\5312bcd4-20160c7c
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\46\1c42c72e-71e85f26
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-29405ff-56be2697.zip
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-3c602653-59151121.zip
C:\Program Files\BearShare\Installer\BSInstall5.2.5.1.exe
C:\WINDOWS\system32\mac80ex.idf
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\57.tmp
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\20\5312bcd4-20160c7c
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\46\1c42c72e-71e85f26
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-29405ff-56be2697.zip
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-3c602653-59151121.zip
C:\Program Files\BearShare\Installer\BSInstall5.2.5.1.exe
C:\WINDOWS\system32\mac80ex.idf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IDRMKL
-------\Service_idrmkl


((((((((((((((((((((((((( Files Created from 2008-07-10 to 2008-08-10 )))))))))))))))))))))))))))))))
.

2008-08-10 16:01 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-08 18:45 . 2003-10-11 08:30 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-08-08 18:45 . 2003-10-14 09:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-08-08 18:45 . 2003-10-11 08:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-08-08 18:45 . 2003-10-11 09:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-08-08 18:45 . 2003-10-14 09:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\interMute
2008-08-08 18:45 . 2008-08-08 18:45 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-06 19:09 . 2008-08-06 19:09 <DIR> d-------- C:\Deckard
2008-08-06 19:06 . 2008-08-06 19:06 <DIR> d-------- C:\_OTMoveIt
2008-08-06 12:00 . 2008-08-06 12:00 <DIR> d-------- C:\a8070
2008-08-06 11:59 . 2008-08-06 11:59 <DIR> d-------- C:\8615f
2008-08-06 11:59 . 2008-08-06 12:00 <DIR> d-------- C:\54b63
2008-08-06 11:58 . 2008-08-10 19:41 111,216 --a------ C:\WINDOWS\system32\drivers\b2e25a6.sys
2008-08-06 11:58 . 2008-08-06 11:58 65,536 --a------ C:\wuon.exe
2008-08-06 11:58 . 2008-08-08 09:29 669 --a-s---- C:\WINDOWS\system32\2216712837.dat
2008-08-06 11:58 . 2008-08-06 11:58 2 --a------ C:\-1475342566
2008-07-26 22:13 . 2008-07-26 22:14 <DIR> d-------- C:\Program Files\iTunes
2008-07-26 22:09 . 2008-07-26 22:09 <DIR> d-------- C:\Program Files\Apple Software Update
2008-07-20 08:10 . 2008-07-20 08:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-19 09:30 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-10 10:39 . 2008-07-10 10:39 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Softland
2008-07-10 10:38 . 2008-07-10 10:38 <DIR> d-------- C:\Program Files\Softland
2008-07-10 10:38 . 2008-07-09 12:56 21,656 --a------ C:\WINDOWS\system32\novamnp5.dll
2008-07-10 10:38 . 2008-07-09 12:56 18,584 --a------ C:\WINDOWS\system32\novamip5.dll
2008-07-10 10:38 . 2008-03-27 15:42 7,477 --a------ C:\WINDOWS\system32\novap5.ctm
2008-07-10 10:27 . 2008-07-10 10:34 <DIR> d-------- C:\Program Files\Acro Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-10 23:05 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-10 23:02 --------- d-----w C:\Program Files\SpywareBlaster
2008-08-10 20:01 --------- d-----w C:\Program Files\Java
2008-08-09 20:46 --------- d-----w C:\Program Files\Trillian
2008-08-07 22:27 --------- d-----w C:\Program Files\Lavasoft
2008-08-07 22:27 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-07 00:40 --------- d-----w C:\Program Files\BearShare
2008-08-06 22:23 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-07-31 00:07 17,144 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-07-27 02:21 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-07-27 02:14 --------- d-----w C:\Program Files\iPod
2008-07-27 02:11 --------- d-----w C:\Program Files\QuickTime
2008-07-20 12:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-07-18 23:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2008-07-10 15:46 --------- d-----w C:\Program Files\Evrsoft First Page 2006
2008-07-10 14:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-10 14:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2008-07-10 14:35 --------- d-----w C:\Program Files\DivX
2008-07-10 13:35 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2008-07-03 11:45 --------- d-----w C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-07-03 11:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-25 15:59 --------- d-----w C:\Program Files\Comcast Rhapsody
2008-06-25 15:55 --------- d-----w C:\Program Files\Real
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-18 17:59 --------- d-----w C:\Program Files\Syberia
2008-06-17 13:55 --------- d-----w C:\Program Files\HP
2008-06-17 13:55 --------- d-----w C:\Program Files\Hewlett-Packard
2008-06-17 11:39 --------- d-----w C:\Documents and Settings\Owner\Application Data\SecondLife
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-23 18:11 724,992 ----a-w C:\WINDOWS\iun6002.exe
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2006-05-20 15:15 13 ---h--w C:\Documents and Settings\All Users\Application Data\3113.sys
1998-08-24 16:09 10,000 -c--a-w C:\WINDOWS\inf\unregpn.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\54b63 ----


---- Directory of C:\8615f ----


---- Directory of C:\a8070 ----



------- Sigcheck -------

2005-05-25 15:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 13:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 06:44 360960 744e57c99232201ae98c49168b918f48 C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 07:51 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2002-08-29 08:00 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-04 02:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
2005-05-25 15:04 359808 88763a98a4c26c409741b4aa162720c9 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
2006-01-12 22:28 359808 583e063fdc888ca30d05c2724b0d7ef4 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 07:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2007-10-30 13:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\$NtUninstallKB951748$\tcpip.sys
2004-08-04 02:14 359040 1745b00fc1141404b28f4b94f69a8871 C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 06:45 360320 1cc09561e21a48a7f649a40f18235860 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot@2008-08-09_21.42.41.95 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-02-23 02:52:42 24,681 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-06-10 05:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2004-02-23 02:52:44 28,779 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 05:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 06:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\LaunchPd.exe" [2003-06-13 06:43 106574]
"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe" [2002-10-22 10:55 159744]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe" [2005-05-09 19:16 192512]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"Audio Kontrol 1"="C:\Program Files\Native Instruments\Audio Kontrol 1\Audio Kontrol 1.exe" [2006-11-30 14:25 7008256]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-05 08:50 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-10-02 20:30 180269]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-07-15 11:42 4112384]
"iRiver Updater"="\Updater.exe" [2004-07-01 17:20 212992]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38 241664]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2006-01-13 20:38 172032]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
DING!.lnk - C:\Program Files\Southwest Airlines\Ding\Ding.exe [2006-06-22 15:15:48 462848]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-05-11 20:16:03 114688]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
AutoUpdate Monitor.lnk - C:\Program Files\Sophos\AutoUpdate\ALMon.exe [2007-06-21 06:18:00 245760]
Compaq Connections.lnk - C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe [2003-10-11 08:42:56 16384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VCR2"= ATIVCR2.DLL
"VIDC.DRAW"= DVIDEO.DLL
"VIDC.VCR1"= ATIVCR1.DLL
"VIDC.YU12"= ATIYUV12.DLL
"vidc.xvid"= xvid.dll
"VIDC.VDOM"= vdowave.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MsnFixer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MsnFixer.lnk
backup=C:\WINDOWS\pss\MsnFixer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-04-07 10:07 114688 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 19:04 52736 c:\WINDOWS\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IcoSet]
--a------ 1999-11-07 10:11 27136 c:\hp\bin\cloaker.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2003-02-11 23:02 61440 C:\hp\KBD\kbd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2004-07-15 11:42 4112384 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2002-07-31 23:28 81920 C:\WINDOWS\system32\ps2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2002-09-14 00:42 212992 C:\WINDOWS\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a------ 2003-06-17 21:13 118784 C:\WINDOWS\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultPrinter]
--a------ 1999-11-07 10:11 27136 c:\hp\bin\cloaker.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2004-10-02 20:30 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 11:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
--a------ 2003-07-14 20:52 40960 C:\WINDOWS\ltmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
--a------ 2004-07-15 11:42 1363968 C:\WINDOWS\system32\nview.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-07-15 11:42 843776 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"=

R1 SAVOnAccessControl;SAVOnAccessControl;C:\WINDOWS\system32\DRIVERS\savonaccesscontrol.sys [2007-09-10 08:09]
R1 SAVOnAccessFilter;SAVOnAccessFilter;C:\WINDOWS\system32\DRIVERS\savonaccessfilter.sys [2007-09-10 08:08]
R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2005-10-18 18:02]
R3 ATICXCAP;ATI TV Wonder Pro A/V Capture;C:\WINDOWS\system32\drivers\aticxcap.sys [2003-04-08 09:47]
R3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);C:\WINDOWS\system32\drivers\aticxtun.sys [2003-04-08 09:47]
R3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;C:\WINDOWS\system32\drivers\aticxxbr.sys [2003-04-08 09:47]
S0 IFP300;iRiver Internet Audio Player IFP-300;C:\WINDOWS\system32\DRIVERS\ifp300.sys []
S0 ntcdrdrv;ntcdrdrv;C:\WINDOWS\system32\DRIVERS\ntcdrdrv.sys []
S3 ak1avs;ak1avs;C:\WINDOWS\system32\Drivers\ak1avs.sys [2006-09-20 17:34]
S3 ak1usb;ak1usb;C:\WINDOWS\system32\Drivers\ak1usb.sys [2006-09-20 17:34]
S3 JL2005C;Dual Mode Camera;C:\WINDOWS\system32\Drivers\jl2005c.sys [2007-03-24 12:37]
S3 ma763004;M-Audio MobilePre USB;C:\WINDOWS\system32\drivers\MA763004.sys []
S3 MA763010;M-Audio Fast Track;C:\WINDOWS\system32\drivers\MA763010.sys []
.
Contents of the 'Scheduled Tasks' folder

2008-07-27 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-10 19:38:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\idrmkl]
"ImagePath"="\??\C:\DOCUME~1\Owner\LOCALS~1\Temp\idrmkl.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\b2e25a6]
"ImagePath"="\SystemRoot\System32\drivers\b2e25a6.sys"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Updater.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-08-10 19:50:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-10 23:48:58
ComboFix2.txt 2008-08-10 01:44:11

Pre-Run: 44,009,496,576 bytes free
Post-Run: 44,162,478,080 bytes free

270 --- E O F --- 2008-07-09 11:21:38


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:52:35 PM, on 8/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Updater.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\ATI Multimedia\main\LaunchPd.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Native Instruments\Audio Kontrol 1\Audio Kontrol 1.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bostonherald.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: SSVHelper Class - {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Audio Kontrol 1] C:\Program Files\Native Instruments\Audio Kontrol 1\Audio Kontrol 1.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O11 - Options group: [java_sun] Java (Sun)
O15 - Trusted Zone: http://www.bostonherald.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...0/installer.exe
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
O16 - DPF: {DF85A113-76ED-4D25-9107-01E5C6F98D6A} (DRDLCtlView Class) - http://www.docurights.com/drdlctl.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sophos Anti-Virus status reporter (savadminservice) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (savservice) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 10271 bytes

#13 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:10 PM

Posted 11 August 2008 - 11:53 AM

Hi Zengoalie,

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

Folder:: 
C:\a8070
C:\8615f
C:\54b63


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#14 Zengoalie

Zengoalie
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:06:10 PM

Posted 11 August 2008 - 07:11 PM

Thanks,
here are the logs:

ComboFix 08-08-10.06 - Owner 2008-08-11 20:00:53.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1045 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\54b63
C:\8615f
C:\a8070

.
((((((((((((((((((((((((( Files Created from 2008-07-12 to 2008-08-12 )))))))))))))))))))))))))))))))
.

2008-08-10 16:01 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-08 18:45 . 2003-10-11 08:30 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-08-08 18:45 . 2003-10-14 09:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-08-08 18:45 . 2003-10-11 08:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-08-08 18:45 . 2003-10-11 09:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-08-08 18:45 . 2003-10-14 09:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\interMute
2008-08-08 18:45 . 2008-08-08 18:45 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-06 19:09 . 2008-08-06 19:09 <DIR> d-------- C:\Deckard
2008-08-06 19:06 . 2008-08-06 19:06 <DIR> d-------- C:\_OTMoveIt
2008-08-06 11:58 . 2008-08-11 20:06 111,216 --a------ C:\WINDOWS\system32\drivers\b2e25a6.sys
2008-08-06 11:58 . 2008-08-06 11:58 65,536 --a------ C:\wuon.exe
2008-08-06 11:58 . 2008-08-08 09:29 669 --a-s---- C:\WINDOWS\system32\2216712837.dat
2008-08-06 11:58 . 2008-08-06 11:58 2 --a------ C:\-1475342566
2008-07-26 22:13 . 2008-07-26 22:14 <DIR> d-------- C:\Program Files\iTunes
2008-07-26 22:09 . 2008-07-26 22:09 <DIR> d-------- C:\Program Files\Apple Software Update
2008-07-20 08:10 . 2008-07-20 08:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-19 09:30 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-11 23:53 --------- d-----w C:\Program Files\Trillian
2008-08-11 23:49 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-10 23:02 --------- d-----w C:\Program Files\SpywareBlaster
2008-08-10 20:01 --------- d-----w C:\Program Files\Java
2008-08-07 22:27 --------- d-----w C:\Program Files\Lavasoft
2008-08-07 22:27 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-07 00:40 --------- d-----w C:\Program Files\BearShare
2008-08-06 22:23 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-07-31 00:07 17,144 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-07-27 02:21 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-07-27 02:14 --------- d-----w C:\Program Files\iPod
2008-07-27 02:11 --------- d-----w C:\Program Files\QuickTime
2008-07-20 12:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-07-18 23:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2008-07-10 15:46 --------- d-----w C:\Program Files\Evrsoft First Page 2006
2008-07-10 14:39 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Softland
2008-07-10 14:38 --------- d-----w C:\Program Files\Softland
2008-07-10 14:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-10 14:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2008-07-10 14:35 --------- d-----w C:\Program Files\DivX
2008-07-10 14:34 --------- d-----w C:\Program Files\Acro Software
2008-07-10 13:35 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2008-07-09 16:56 21,656 ----a-w C:\WINDOWS\system32\novamnp5.dll
2008-07-09 16:56 18,584 ----a-w C:\WINDOWS\system32\novamip5.dll
2008-07-03 11:45 --------- d-----w C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-07-03 11:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-25 15:59 --------- d-----w C:\Program Files\Comcast Rhapsody
2008-06-25 15:55 --------- d-----w C:\Program Files\Real
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-18 17:59 --------- d-----w C:\Program Files\Syberia
2008-06-17 13:55 --------- d-----w C:\Program Files\HP
2008-06-17 13:55 --------- d-----w C:\Program Files\Hewlett-Packard
2008-06-17 11:39 --------- d-----w C:\Documents and Settings\Owner\Application Data\SecondLife
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-23 18:11 724,992 ----a-w C:\WINDOWS\iun6002.exe
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2006-05-20 15:15 13 ---h--w C:\Documents and Settings\All Users\Application Data\3113›.sys
1998-08-24 16:09 10,000 -c--a-w C:\WINDOWS\inf\unregpn.exe
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((( snapshot@2008-08-09_21.42.41.95 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-02-23 02:52:42 24,681 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-06-10 05:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2004-02-23 02:52:44 28,779 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 05:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 06:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\LaunchPd.exe" [2003-06-13 06:43 106574]
"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe" [2002-10-22 10:55 159744]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe" [2005-05-09 19:16 192512]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"Audio Kontrol 1"="C:\Program Files\Native Instruments\Audio Kontrol 1\Audio Kontrol 1.exe" [2006-11-30 14:25 7008256]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-05 08:50 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-10-02 20:30 180269]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-07-15 11:42 4112384]
"iRiver Updater"="\Updater.exe" [2004-07-01 17:20 212992]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38 241664]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2006-01-13 20:38 172032]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
DING!.lnk - C:\Program Files\Southwest Airlines\Ding\Ding.exe [2006-06-22 15:15:48 462848]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-05-11 20:16:03 114688]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
AutoUpdate Monitor.lnk - C:\Program Files\Sophos\AutoUpdate\ALMon.exe [2007-06-21 06:18:00 245760]
Compaq Connections.lnk - C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe [2003-10-11 08:42:56 16384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VCR2"= ATIVCR2.DLL
"VIDC.DRAW"= DVIDEO.DLL
"VIDC.VCR1"= ATIVCR1.DLL
"VIDC.YU12"= ATIYUV12.DLL
"vidc.xvid"= xvid.dll
"VIDC.VDOM"= vdowave.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MsnFixer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MsnFixer.lnk
backup=C:\WINDOWS\pss\MsnFixer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-04-07 10:07 114688 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 19:04 52736 c:\WINDOWS\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IcoSet]
--a------ 1999-11-07 10:11 27136 c:\hp\bin\cloaker.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2003-02-11 23:02 61440 C:\hp\KBD\kbd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2004-07-15 11:42 4112384 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2002-07-31 23:28 81920 C:\WINDOWS\system32\ps2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2002-09-14 00:42 212992 C:\WINDOWS\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a------ 2003-06-17 21:13 118784 C:\WINDOWS\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultPrinter]
--a------ 1999-11-07 10:11 27136 c:\hp\bin\cloaker.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2004-10-02 20:30 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 11:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
--a------ 2003-07-14 20:52 40960 C:\WINDOWS\ltmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
--a------ 2004-07-15 11:42 1363968 C:\WINDOWS\system32\nview.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-07-15 11:42 843776 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"=

R1 SAVOnAccessControl;SAVOnAccessControl;C:\WINDOWS\system32\DRIVERS\savonaccesscontrol.sys [2007-09-10 08:09]
R1 SAVOnAccessFilter;SAVOnAccessFilter;C:\WINDOWS\system32\DRIVERS\savonaccessfilter.sys [2007-09-10 08:08]
R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2005-10-18 18:02]
R3 ATICXCAP;ATI TV Wonder Pro A/V Capture;C:\WINDOWS\system32\drivers\aticxcap.sys [2003-04-08 09:47]
R3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);C:\WINDOWS\system32\drivers\aticxtun.sys [2003-04-08 09:47]
R3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;C:\WINDOWS\system32\drivers\aticxxbr.sys [2003-04-08 09:47]
S0 IFP300;iRiver Internet Audio Player IFP-300;C:\WINDOWS\system32\DRIVERS\ifp300.sys []
S0 ntcdrdrv;ntcdrdrv;C:\WINDOWS\system32\DRIVERS\ntcdrdrv.sys []
S3 ak1avs;ak1avs;C:\WINDOWS\system32\Drivers\ak1avs.sys [2006-09-20 17:34]
S3 ak1usb;ak1usb;C:\WINDOWS\system32\Drivers\ak1usb.sys [2006-09-20 17:34]
S3 JL2005C;Dual Mode Camera;C:\WINDOWS\system32\Drivers\jl2005c.sys [2007-03-24 12:37]
S3 ma763004;M-Audio MobilePre USB;C:\WINDOWS\system32\drivers\MA763004.sys []
S3 MA763010;M-Audio Fast Track;C:\WINDOWS\system32\drivers\MA763010.sys []

*Newly Created Service* - catchme
.
Contents of the 'Scheduled Tasks' folder

2008-07-27 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-11 20:05:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\b2e25a6]
"ImagePath"="\SystemRoot\System32\drivers\b2e25a6.sys"
.
Completion time: 2008-08-11 20:10:18
ComboFix-quarantined-files.txt 2008-08-12 00:09:46
ComboFix2.txt 2008-08-10 23:50:03
ComboFix3.txt 2008-08-10 01:44:11

Pre-Run: 43,954,102,272 bytes free
Post-Run: 44,008,062,976 bytes free

229 --- E O F --- 2008-07-09 11:21:38

AND HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:11:36 PM, on 8/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Updater.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\ATI Multimedia\main\LaunchPd.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Native Instruments\Audio Kontrol 1\Audio Kontrol 1.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bostonherald.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: SSVHelper Class - {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Audio Kontrol 1] C:\Program Files\Native Instruments\Audio Kontrol 1\Audio Kontrol 1.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O11 - Options group: [java_sun] Java (Sun)
O15 - Trusted Zone: http://www.bostonherald.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...0/installer.exe
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
O16 - DPF: {DF85A113-76ED-4D25-9107-01E5C6F98D6A} (DRDLCtlView Class) - http://www.docurights.com/drdlctl.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sophos Anti-Virus status reporter (savadminservice) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (savservice) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 10225 bytes

Edited by Zengoalie, 11 August 2008 - 07:12 PM.
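A defender-side way to read a ComboFix log of the kind posted above, as an added example that is not part of the thread and not ComboFix's or HijackThis's own code: it parses the "Files Created" and REGEDIT4 registry sections, groups same-minute file drops, flags bare hex/numeric file names, surfaces Security Center values that silence antivirus warnings, and ties a flagged driver back to the service entry that loads it. SAMPLE_LOG is a constructed excerpt modelled on the posted log; the heuristic names and thresholds are this example's own assumptions.

```python
"""Triage helpers for a ComboFix log of the kind posted in this thread.

Added example only (not ComboFix's or HijackThis's code). SAMPLE_LOG is a
constructed excerpt modelled on the posted log; heuristics are assumptions.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
(((((((((( Files Created from 2008-07-12 to 2008-08-12 ))))))))))
.

2008-08-10 16:01 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-06 19:09 . 2008-08-06 19:09 <DIR> d-------- C:\Deckard
2008-08-06 11:58 . 2008-08-11 20:06 111,216 --a------ C:\WINDOWS\system32\drivers\b2e25a6.sys
2008-08-06 11:58 . 2008-08-06 11:58 65,536 --a------ C:\wuon.exe
2008-08-06 11:58 . 2008-08-08 09:29 669 --a-s---- C:\WINDOWS\system32\2216712837.dat
2008-08-06 11:58 . 2008-08-06 11:58 2 --a------ C:\-1475342566
2008-07-19 09:30 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

(((((((((( Reg Loading Points ))))))))))
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\b2e25a6]
"ImagePath"="\SystemRoot\System32\drivers\b2e25a6.sys"
"""

# One 'Files Created' line: created . modified size-or-<DIR> attrs path
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"\s+(<DIR>|[\d,]+)\s+(\S{9})\s+(.+?)\s*$",
    re.MULTILINE,
)
REG_KEY = re.compile(r"^\[([^\]]+)\]\s*$")
REG_VALUE = re.compile(r'^"([^"]+)"=(?:dword:([0-9A-Fa-f]{8})|"(.*)")\s*$')

# File stems that are a bare hex or numeric token (e.g. b2e25a6, 2216712837).
OPAQUE_STEM = re.compile(r"^(-?\d{6,}|[0-9a-f]{5,8})$", re.IGNORECASE)

# Security Center values that, when set to 1, suppress AV/firewall/update warnings.
SC_TAMPER = {"AntiVirusDisableNotify", "AntiVirusOverride", "FirewallDisableNotify",
             "FirewallOverride", "UpdatesDisableNotify", "DisableMonitoring"}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_files_created(text):
    """Return one dict per entry of the 'Files Created' section."""
    entries = []
    for m in FILE_LINE.finditer(text):
        created, modified, size, attrs, path = m.groups()
        entries.append({
            "created": created, "modified": modified, "attrs": attrs,
            "is_dir": size == "<DIR>", "path": path,
            "size": None if size == "<DIR>" else int(size.replace(",", "")),
        })
    return entries


def parse_reg_entries(text):
    """Collect every REGEDIT4-style [key] block into {key: {name: value}}."""
    reg, current = {}, None
    for line in text.splitlines():
        key = REG_KEY.match(line)
        if key:
            current = reg.setdefault(key.group(1), {})
            continue
        val = REG_VALUE.match(line)
        if val and current is not None:
            name, dword, string = val.groups()
            current[name] = int(dword, 16) if dword is not None else string
    return reg


def flag_opaque_names(entries):
    """Non-directory entries whose file name is a bare hex/numeric token."""
    hits = []
    for e in entries:
        stem = basename(e["path"]).rsplit(".", 1)[0]
        if not e["is_dir"] and OPAQUE_STEM.match(stem):
            hits.append(e["path"])
    return hits


def flag_creation_bursts(entries, min_count=3):
    """Files created in the same minute: several at once across unrelated
    directories is the footprint of a dropper rather than an installer."""
    by_minute = defaultdict(list)
    for e in entries:
        if not e["is_dir"]:
            by_minute[e["created"]].append(e["path"])
    return {minute: paths for minute, paths in by_minute.items()
            if len(paths) >= min_count}


def flag_security_center_overrides(reg):
    """(key, value-name) pairs that silence Security Center warnings."""
    return [(key, name) for key, values in reg.items()
            if "security center" in key.lower()
            for name, value in values.items()
            if name in SC_TAMPER and value == 1]


def flag_services_for(paths, reg):
    """Service keys whose ImagePath loads one of the flagged files."""
    wanted = {basename(p).lower() for p in paths}
    return [(key, values["ImagePath"]) for key, values in reg.items()
            if "\\services\\" in key.lower()
            and isinstance(values.get("ImagePath"), str)
            and basename(values["ImagePath"]).lower() in wanted]


def triage(text):
    """Run all heuristics over a ComboFix log and return the findings."""
    entries, reg = parse_files_created(text), parse_reg_entries(text)
    opaque = flag_opaque_names(entries)
    return {
        "opaque_names": opaque,
        "bursts": flag_creation_bursts(entries),
        "security_center": flag_security_center_overrides(reg),
        "services": flag_services_for(opaque, reg),
    }


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        print(f"{kind}: {hits}")
```

The findings are leads for a responder to check against the rest of the log (catchme output, service list, quarantine report), not a verdict on their own.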


#15 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:10 PM

Posted 11 August 2008 - 11:46 PM

Hi Zengoalie,

Your logs look clean of malware. :thumbsup: How is the computer running?

We still have to do the program clean up.



