
Antivirus Xp 2008 Logfile Included.


  • This topic is locked
5 replies to this topic

#1 deathrunner

  • Members
  • 35 posts
  • Local time:02:33 AM

Posted 17 August 2008 - 08:27 PM

Norton won't fix it, and I can't find it. It keeps trying to get me to buy the full version by displaying a blue screen of death and doing fake reboots.

Here's my logfile: Thanks in advance:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:26:56 PM, on 8/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PowerISO\SCDEmuApp.exe
C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\lphc7u0j0ej01.exe
C:\Program Files\rhc3u0j0ej01\rhc3u0j0ej01.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\HijackThis\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com/
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [SCDEmuApp.exe] C:\Program Files\PowerISO\SCDEmuApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SansaDispatch] C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [lphc7u0j0ej01] C:\WINDOWS\system32\lphc7u0j0ej01.exe
O4 - HKLM\..\Run: [SMrhc3u0j0ej01] C:\Program Files\rhc3u0j0ej01\rhc3u0j0ej01.exe
O4 - HKLM\..\RunOnce: [Execute] C:\WINDOWS\System32\Tools\DelFolders.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Reboot.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1139033881687
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1170879170765
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://host.oddcast.com/hostClientIE.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHos...ronGameHost.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://myspace.oberon-media.com/gameshell/...ploader_v10.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Universal Plug and Play Device Host (upnphost) - Unknown owner - C:\WINDOWS\System3r\svchost.exe (file missing)
O24 - Desktop Component 0: (no name) - http://myspace-393.vo.llnwd.net/00815/39/32/815282393_l.jpg
O24 - Desktop Component 1: (no name) - http://mall.mnshome.com/prodimg2/00005441_02.jpg
O24 - Desktop Component 10: (no name) - http://i306.photobucket.com/albums/nn256/g...ey/omjes8_3.jpg
O24 - Desktop Component 2: (no name) - http://i101.photobucket.com/albums/m72/heh...andingologo.jpg
O24 - Desktop Component 3: (no name) - http://us.f536.mail.yahoo.com/ym/us/ShowLe...pos=0&Idx=1
O24 - Desktop Component 4: (no name) - http://bestanimations.com/Humans/Sexy/Sexy-02-june.gif
O24 - Desktop Component 5: (no name) - http://www.feebleminds-gifs.com/rockman.gif
O24 - Desktop Component 6: (no name) - http://edit.81x.com/Authors/kamikaze124/dancefool.gif
O24 - Desktop Component 7: (no name) - http://vgmetal.com/imagesNEW/M.gif
O24 - Desktop Component 8: (no name) - http://i306.photobucket.com/albums/nn256/g...lley/dogs-4.jpg
O24 - Desktop Component 9: (no name) - http://i306.photobucket.com/albums/nn256/g...willey/2870.gif

--
End of file - 8088 bytes
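A helper reads a HijackThis log like the one above by eye: Run entries with gibberish names, policy restrictions on Internet Explorer, unknown Winsock LSPs, services whose binary is gone. As an added example (not part of this thread, and not HijackThis's own logic), the Python script below applies those checks to a handful of lines copied from the posted log. The letter/digit-interleaving test for generated names is the author's heuristic, not a documented indicator, and the other rules are review prompts rather than verdicts.

```python
"""Triage of a HijackThis log: flag autostart entries and settings worth a second look."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lphc7u0j0ej01] C:\WINDOWS\system32\lphc7u0j0ej01.exe
O4 - HKLM\..\Run: [SMrhc3u0j0ej01] C:\Program Files\rhc3u0j0ej01\rhc3u0j0ej01.exe
O4 - HKCU\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Universal Plug and Play Device Host (upnphost) - Unknown owner - C:\WINDOWS\System3r\svchost.exe (file missing)
""".strip()


@dataclass
class Finding:
    section: str   # HijackThis section code ("O4", "O6", ...)
    subject: str   # entry name, policy key or path the finding is about
    reason: str
    line: str


O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?)(?: \((?P<short>[^)]+)\))? - (?P<owner>.+?) - (?P<path>.+)$")
# First executable-looking token of a Run command, quoted or not.
EXE_RE = re.compile(r'"?(?P<path>[^"]+?\.(?:exe|dll|cpl|scr))(?:\b|$)', re.I)


def letter_digit_transitions(token: str) -> int:
    """Count adjacent letter/digit switches: 'lphc7u0j0ej01' -> 7, 'Schedule2' -> 1."""
    return sum(
        1 for a, b in zip(token, token[1:])
        if (a.isalpha() and b.isdigit()) or (a.isdigit() and b.isalpha())
    )


def looks_generated(token: str) -> bool:
    """Author's heuristic (assumption, not a HijackThis rule): rogue installers often pick
    names that interleave letters and digits far more than product names do."""
    return len(token) >= 8 and letter_digit_transitions(token) >= 4


def path_components(cmd: str) -> list[str]:
    """Directory and file names (extension dropped) of the executable in a Run command."""
    m = EXE_RE.match(cmd.strip())
    if not m:
        return []
    return [part.rsplit(".", 1)[0] for part in m.group("path").split("\\") if part]


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            name = m.group("name")
            odd = sorted({t for t in [name, *path_components(m.group("cmd"))] if looks_generated(t)})
            if odd:
                findings.append(Finding("O4", name,
                                        "autostart uses machine-generated-looking name(s): " + ", ".join(odd), line))
        elif line.startswith("O6 - ") and line.endswith(" present"):
            key = line[len("O6 - "):-len(" present")]
            findings.append(Finding("O6", key,
                                    "Internet Explorer policy restriction in force; expected under domain "
                                    "policy, otherwise commonly set by rogue software", line))
        elif m := O10_RE.match(line):
            findings.append(Finding("O10", m.group("path"),
                                    "Winsock LSP not in HijackThis's known list; identify the file's publisher "
                                    "before removing it (deleting a live LSP can break networking)", line))
        elif m := O23_RE.match(line):
            if m.group("path").endswith("(file missing)"):
                findings.append(Finding("O23", m.group("name"),
                                        "service registered for a file that no longer exists", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Number of findings per HijackThis section."""
    return dict(Counter(f.section for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.subject}: {f.reason}")
```

Run against the sample, the two rogue Run entries (lphc7u0j0ej01 and SMrhc3u0j0ej01) surface while the QuickTime entry does not; the Malwarebytes log later in the thread confirms them as Trojan.FakeAlert and Rogue.Multiple. The heuristic says nothing about AdwareAlert, whose name is unremarkable, which is why a signature scan follows the log review instead of replacing it. The O6, O10 and O23 hits are items to verify, not things to delete.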



#2 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:11:33 AM

Posted 19 August 2008 - 04:02 PM

Hello Deathrunner and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Doubleclick mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

3. Restart your computer.

4. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first (not for Windows Vista users!).
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you. (WinXP SP3 users, please download the appropriate SP2 file, Home or Pro, to install the RC)

In the event you already have Combofix, and you're notified a more current version is available, please download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...

#3 deathrunner
  • Topic Starter

  • Members
  • 35 posts
  • Local time:02:33 AM

Posted 21 August 2008 - 10:26 AM

Thanks So Much, it's already looking better!



Combofix log:

ComboFix 08-08-19.06 - Lewis Vagina 2008-08-21 8:20:34.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1556 [GMT -7:00]
Running from: C:\Documents and Settings\Lewis Vagina\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Lewis Vagina\Application Data\macromedia\Flash Player\#SharedObjects\R37T3JZB\interclick.com
C:\Documents and Settings\Lewis Vagina\Application Data\macromedia\Flash Player\#SharedObjects\R37T3JZB\interclick.com\ud.sol
C:\Documents and Settings\Lewis Vagina\Application Data\macromedia\Flash Player\#SharedObjects\R37T3JZB\www.broadcaster.com
C:\Documents and Settings\Lewis Vagina\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Lewis Vagina\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Lewis Vagina\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Lewis Vagina\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\system32\actskn43.ocx

.
((((((((((((((((((((((((( Files Created from 2008-07-21 to 2008-08-21 )))))))))))))))))))))))))))))))
.

2008-08-21 08:11 . 2008-08-21 08:11 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-21 08:11 . 2008-08-21 08:11 <DIR> d-------- C:\Documents and Settings\Lewis Vagina\Application Data\Malwarebytes
2008-08-21 08:11 . 2008-08-21 08:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-21 08:11 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-21 08:11 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-18 22:54 . 2008-08-18 22:54 1,160 --a------ C:\WINDOWS\mozver.dat
2008-08-17 10:33 . 2008-08-17 10:33 0 --a------ C:\WINDOWS\nsreg.dat
2008-08-17 10:24 . 2008-08-17 11:19 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-08-13 23:33 . 2008-05-01 07:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-07-31 19:46 . 2008-07-31 19:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PopCap
2008-07-28 14:41 . 2008-07-28 14:41 <DIR> d-------- C:\Program Files\REGSHAVE
2008-07-28 14:39 . 2008-07-28 14:39 <DIR> d-------- C:\Program Files\USB Driver Vers. 3.2
2008-07-28 11:57 . 2008-07-28 11:57 10,344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2008-07-28 11:56 . 2008-07-28 11:56 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-07-28 11:55 . 2008-07-28 11:56 <DIR> d-------- C:\Program Files\Norton Internet Security
2008-07-28 11:54 . 2008-07-28 11:56 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-07-28 11:54 . 2008-07-28 11:56 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-07-28 11:54 . 2008-07-28 11:56 10,563 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-07-28 11:54 . 2008-07-28 11:56 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-07-21 21:26 . 2008-07-21 21:26 1,430,048 --a------ C:\WINDOWS\system32\AutoPartNt.exe
2008-07-21 21:26 . 2008-07-21 21:27 1,024 --a------ C:\WINDOWS\system32\AutoPartNt.let
2008-07-21 21:22 . 2008-07-21 21:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Seagate
2008-07-21 21:19 . 2008-07-21 21:19 392,320 --a------ C:\WINDOWS\system32\drivers\timntr.sys
2008-07-21 21:19 . 2008-07-21 21:19 120,992 --a------ C:\WINDOWS\system32\drivers\snapman.sys
2008-07-21 21:19 . 2008-07-21 21:19 32,768 --a------ C:\WINDOWS\system32\drivers\tifsfilt.sys
2008-07-21 21:18 . 2008-07-21 22:06 <DIR> d-------- C:\Program Files\Common Files\Seagate
2008-07-21 21:16 . 2008-07-21 21:16 29,512 --a------ C:\WINDOWSSerifastd-black.otf
2008-07-21 21:16 . 2008-07-21 21:16 28,260 --a------ C:\WINDOWSSerifastd-lightitalic.otf
2008-07-21 21:16 . 2008-07-21 21:16 28,252 --a------ C:\WINDOWSSerifastd-italic.otf
2008-07-21 21:16 . 2008-07-21 21:16 27,772 --a------ C:\WINDOWSSerifastd-bold.otf
2008-07-21 21:16 . 2008-07-21 21:16 27,452 --a------ C:\WINDOWSSerifastd-roman.otf
2008-07-21 21:16 . 2008-07-21 21:16 27,440 --a------ C:\WINDOWSSerifastd-light.otf
2008-07-21 15:04 . 2007-10-04 01:14 136,260 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-07-21 15:02 . 2007-09-20 03:07 888,064 -ra------ C:\WINDOWS\system32\drivers\nvnrm.sys
2008-07-21 15:02 . 2007-07-05 00:01 356,352 -ra------ C:\WINDOWS\system32\nvusmb.exe
2008-07-21 15:02 . 2007-09-14 18:19 356,352 --a------ C:\WINDOWS\system32\nvunrm.exe
2008-07-21 15:02 . 2007-09-20 03:07 195,072 -ra------ C:\WINDOWS\system32\fdco1.dll
2008-07-21 15:02 . 2007-09-20 03:07 53,632 -ra------ C:\WINDOWS\system32\drivers\NVENETFD.sys
2008-07-21 15:02 . 2007-09-14 18:19 37,376 -ra------ C:\WINDOWS\system32\nvconrm.dll
2008-07-21 15:02 . 2007-09-20 03:07 22,016 -ra------ C:\WINDOWS\system32\drivers\nvnetbus.sys
2008-07-21 15:02 . 2007-09-20 03:06 9,216 -ra------ C:\WINDOWS\system32\bdco1.dll
2008-07-21 15:02 . 2007-09-06 02:10 4,805 -ra------ C:\WINDOWS\system32\nvnrm.nvu
2008-07-21 15:02 . 2007-04-02 03:06 1,950 -ra------ C:\WINDOWS\system32\nvsmb.nvu
2008-07-21 14:47 . 2007-10-31 17:40 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-07-21 14:35 . 2007-09-20 03:07 195,072 -ra------ C:\WINDOWS\system32\fdco1ins.dll
2008-07-21 14:35 . 2007-09-20 03:06 9,216 -ra------ C:\WINDOWS\system32\bdco1ins.dll
2008-07-21 14:35 . 2007-05-27 05:57 1,732 -ra------ C:\WINDOWS\system32\drivers\nvphy.bin
2008-07-21 14:27 . 2008-07-21 14:46 138,893 --a------ C:\WINDOWS\system32\nvapps.xml
2008-07-21 14:25 . 2008-07-21 14:25 <DIR> d-------- C:\WINDOWS\system32\EVGA
2008-07-21 14:17 . 2007-11-09 15:20 7,921,664 --a------ C:\WINDOWS\system32\idtsg.cpl
2008-07-21 14:17 . 2007-11-09 15:21 2,072,576 --a------ C:\WINDOWS\system32\stlang.dll
2008-07-21 14:17 . 2007-11-09 15:22 409,600 --a------ C:\WINDOWS\sttray.exe
2008-07-21 14:17 . 2007-11-09 15:24 212,992 --a------ C:\WINDOWS\system32\stacsv.exe
2008-07-21 14:16 . 2008-07-21 14:17 <DIR> d-------- C:\Program Files\IDT
2008-07-21 14:16 . 2007-11-09 15:25 1,260,744 --a------ C:\WINDOWS\system32\drivers\sthda.sys
2008-07-21 14:16 . 2007-11-09 15:23 368,640 --a------ C:\WINDOWS\system32\stacapi.dll
2008-07-21 14:16 . 2007-11-09 15:23 146,944 --a------ C:\WINDOWS\system32\staco.dll
2008-07-21 14:14 . 2006-12-26 05:31 4,864 -ra------ C:\WINDOWS\system32\drivers\PortIo.sys
2008-07-21 13:13 . 2004-08-03 22:08 17,024 --a------ C:\WINDOWS\system32\drivers\usbohci.sys
2008-07-21 13:13 . 2004-08-03 22:08 17,024 --a--c--- C:\WINDOWS\system32\dllcache\usbohci.sys
2008-07-21 13:13 . 2004-08-03 22:07 8,832 --a------ C:\WINDOWS\system32\drivers\wmiacpi.sys
2008-07-21 13:13 . 2004-08-03 22:07 8,832 --a--c--- C:\WINDOWS\system32\dllcache\wmiacpi.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-21 15:22 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-17 17:46 --------- d-----w C:\Documents and Settings\Lewis Vagina\Application Data\U3
2008-08-04 23:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-31 00:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-31 00:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-31 00:28 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-07-28 21:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-28 18:57 --------- d-----w C:\Documents and Settings\Lewis Vagina\Application Data\Symantec
2008-07-28 18:56 --------- d-----w C:\Program Files\Symantec
2008-07-23 07:29 --------- d-----w C:\Documents and Settings\Lewis Vagina\Application Data\Canon
2008-07-22 20:56 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-22 20:55 --------- d-----w C:\Program Files\Lavasoft
2008-07-22 20:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-22 19:50 --------- d-----w C:\Program Files\BitLord
2008-07-21 01:17 --------- d-----w C:\Program Files\ATI Technologies
2008-07-21 01:10 90,112 ----a-w C:\WINDOWS\DUMP2eb1.tmp
2008-07-20 18:43 90,112 ----a-w C:\WINDOWS\DUMP2cfb.tmp
2008-07-20 16:59 90,112 ----a-w C:\WINDOWS\DUMP2f9b.tmp
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:12 667,136 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2006-12-19 19:30 557,056 ----a-w C:\Documents and Settings\Lewis Vagina\GoToAssist_phone__317_en.exe
2004-11-14 16:13 403,968 ------w C:\Program Files\JustZIPit.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SCDEmuApp.exe"="C:\Program Files\PowerISO\SCDEmuApp.exe" [2005-10-15 18:15 167936]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 21:16 286720]
"SansaDispatch"="C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe" [2007-10-22 12:52 75584]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 01:14 8491008]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 01:14 81920]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-04-19 21:29 149024]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-25 18:47 51048]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2008-02-06 23:49 718704]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 22:32 53248]
"nwiz"="nwiz.exe" [2007-10-04 01:14 1626112 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Reboot.exe [2006-12-29 03:35:16 409088]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2004-02-25 02:35:22 10872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YU12"= ATIYUV12.DLL
"VIDC.VCR2"= ATIVCR2.DLL
"VIDC.DRAW"= DVIDEO.DLL
"VIDC.VCR1"= ATIVCR1.DLL
"aux4"= ctwdm32.dll
"aux7"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 ATIBTCAP;ATI TV Wonder Video Capture;C:\WINDOWS\system32\drivers\atibtcap.sys [2002-11-04 22:00]
R2 ATIBTXBAR;ATI TV Wonder Video Crossbar;C:\WINDOWS\system32\drivers\atibtxbr.sys [2002-11-04 22:00]
R2 ATIVTUTW;ATI TV Wonder TV Tuner;C:\WINDOWS\system32\drivers\ativtutw.sys [2002-11-04 22:00]
R2 ATIVXSTW;ATI TV Wonder Audio Crossbar;C:\WINDOWS\system32\drivers\ativxstw.sys [2002-11-04 22:00]
R2 BCDCNDIS;Belkin Direct Connect Network Adapter;C:\WINDOWS\system32\DRIVERS\BCDCNDIS.SYS [2000-08-08 14:37]
R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-25 18:47]
R3 BCDCLINK;Belkin USB Direct Connect;C:\WINDOWS\system32\DRIVERS\BCDCLINK.SYS [2000-08-08 14:37]
R3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 17:42]
S3 GPWADrv;Service for L6 GuitarPort Driver (WDM);C:\WINDOWS\system32\Drivers\GPWADrv.sys [2004-10-25 14:09]
S3 HwIOctl;HwIOctl;C:\Documents and Settings\Lewis Vagina\Desktop\amiflash\HwIOctl.sys []
S3 L6DP;L6DP;C:\WINDOWS\system32\Drivers\l6dp.sys [2002-07-15 20:39]
S3 Memctl;Memctl;C:\Documents and Settings\Lewis Vagina\Desktop\amiflash\Memctl.sys []
S3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys [2007-01-18 12:24]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7e09c3b6-5128-11dd-9b62-00500c001fb2}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80ee4068-21a7-11dc-996c-00500c00bbd8}]
\Shell\AutoRun\command - H:\ONSPCLCK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9c63123-eb77-11db-9917-00500c00d2a6}]
\Shell\AutoRun\command - G:\ONSPCLCK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f512a6d0-2591-11db-9707-00142aa57eff}]
\Shell\AutoRun\command - H:\setupSNK.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-08-19 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Lewis Vagina.job
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2008-02-07 07:05]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ATI Launchpad - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Lewis Vagina\Application Data\Mozilla\Firefox\Profiles\u0bv63ey.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - yahoo.com
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-21 08:22:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
Completion time: 2008-08-21 8:23:01
ComboFix-quarantined-files.txt 2008-08-21 15:22:34

Pre-Run: 458,809,561,088 bytes free
Post-Run: 459,844,907,008 bytes free

213 --- E O F --- 2008-08-14 15:47:57



Malwarebytes Log:


Malwarebytes' Anti-Malware 1.25
Database version: 1076
Windows 5.1.2600 Service Pack 2

8:16:06 AM 8/21/2008
mbam-log-08-21-2008 (08-16-06).txt

Scan type: Quick Scan
Objects scanned: 45470
Time elapsed: 3 minute(s), 8 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 6
Registry Data Items Infected: 2
Folders Infected: 15
Files Infected: 32

Memory Processes Infected:
C:\WINDOWS\system32\lphc7u0j0ej01.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhc3u0j0ej01 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphc7u0j0ej01 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\rhc3u0j0ej01 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lewis Vagina\Application Data\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lewis Vagina\Application Data\AdwareAlert\Log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lewis Vagina\Application Data\AdwareAlert\Settings (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lewis Vagina\Application Data\rhc3u0j0ej01 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lewis Vagina\Application Data\rhc3u0j0ej01\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lewis Vagina\Application Data\rhc3u0j0ej01\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lewis Vagina\Application Data\rhc3u0j0ej01\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lewis Vagina\Application Data\rhc3u0j0ej01\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lewis Vagina\Application Data\rhc3u0j0ej01\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lewis Vagina\Application Data\rhc3u0j0ej01\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lewis Vagina\Application Data\rhc3u0j0ej01\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lewis Vagina\Application Data\rhc3u0j0ej01\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lewis Vagina\Application Data\rhc3u0j0ej01\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lewis Vagina\Application Data\rhc3u0j0ej01\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lewis Vagina\Local Settings\Temp\ginstall.dll (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\Program Files\rhc3u0j0ej01\license.txt (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc3u0j0ej01\MFC71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc3u0j0ej01\MFC71ENU.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc3u0j0ej01\msvcp71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc3u0j0ej01\msvcr71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhc3u0j0ej01\rhc3u0j0ej01.exe.local (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lewis Vagina\Application Data\AdwareAlert\rs.dat (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lewis Vagina\Application Data\AdwareAlert\Log\2008 Aug 17 - 01_20_09 PM_890.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lewis Vagina\Application Data\AdwareAlert\Log\2008 Aug 17 - 01_20_12 PM_796.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lewis Vagina\Application Data\AdwareAlert\Log\2008 Aug 17 - 01_34_19 PM_343.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lewis Vagina\Application Data\AdwareAlert\Log\2008 Aug 17 - 01_34_40 PM_562.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lewis Vagina\Application Data\AdwareAlert\Settings\ScanResults.pie (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphc7u0j0ej01.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phc7u0j0ej01.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lewis Vagina\Local Settings\Temp\.tt15.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lewis Vagina\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lewis Vagina\Local Settings\Temp\.tt2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lewis Vagina\Local Settings\Temp\.tt3.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lewis Vagina\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lewis Vagina\Local Settings\Temp\.tt5.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lewis Vagina\Local Settings\Temp\.tt6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lewis Vagina\Local Settings\Temp\.tt7.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lewis Vagina\Local Settings\Temp\.tt8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lewis Vagina\Local Settings\Temp\.tt9.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lewis Vagina\Local Settings\Temp\.ttA.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lewis Vagina\Local Settings\Temp\.ttB.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lewis Vagina\Local Settings\Temp\.ttC.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lewis Vagina\Local Settings\Temp\.ttD.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lewis Vagina\Local Settings\Temp\.ttF.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.


HijackThis Log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:26:14 AM, on 8/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\PowerISO\SCDEmuApp.exe
C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [SCDEmuApp.exe] C:\Program Files\PowerISO\SCDEmuApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SansaDispatch] C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Reboot.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1139033881687
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1170879170765
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://host.oddcast.com/hostClientIE.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHos...ronGameHost.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Universal Plug and Play Device Host (upnphost) - Unknown owner - C:\WINDOWS\System3r\svchost.exe (file missing)
O24 - Desktop Component 0: (no name) - http://myspace-393.vo.llnwd.net/00815/39/32/815282393_l.jpg
O24 - Desktop Component 1: (no name) - http://mall.mnshome.com/prodimg2/00005441_02.jpg
O24 - Desktop Component 10: (no name) - http://i306.photobucket.com/albums/nn256/g...ey/omjes8_3.jpg
O24 - Desktop Component 2: (no name) - http://i101.photobucket.com/albums/m72/heh...andingologo.jpg
O24 - Desktop Component 3: (no name) - http://us.f536.mail.yahoo.com/ym/us/ShowLe...pos=0&Idx=1
O24 - Desktop Component 4: (no name) - http://bestanimations.com/Humans/Sexy/Sexy-02-june.gif
O24 - Desktop Component 5: (no name) - http://www.feebleminds-gifs.com/rockman.gif
O24 - Desktop Component 6: (no name) - http://edit.81x.com/Authors/kamikaze124/dancefool.gif
O24 - Desktop Component 7: (no name) - http://vgmetal.com/imagesNEW/M.gif
O24 - Desktop Component 8: (no name) - http://i306.photobucket.com/albums/nn256/g...lley/dogs-4.jpg
O24 - Desktop Component 9: (no name) - http://i306.photobucket.com/albums/nn256/g...willey/2870.gif

--
End of file - 7561 bytes

#4 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:11:33 AM

Posted 22 August 2008 - 07:44 AM

Hello Deathrunner,

Your logs do look better now :thumbsup:

You can remove all used tools and folders created in the process.
To remove ComboFix:
Go to Start > Run, and copy and paste the next command in the field: ComboFix /u
Make sure there's a space between ComboFix and /u.
Then press Enter.
This will uninstall ComboFix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

No more problems ?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------

#5 deathrunner

  • Topic Starter
  • Members
  • 35 posts
  • Local time:02:33 AM

Posted 25 August 2008 - 11:03 AM

I already deleted ComboFix. I didn't realize that I need to reset my clock settings. Everything seems to be running fine. Did I hurt anything by just deleting ComboFix?

Thanks for your help.

#6 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:11:33 AM

Posted 25 August 2008 - 04:54 PM

Hello Deathrunner,

That's not really a problem. :thumbsup:

It would be better however to download it again and then uninstall it as described above,
to make sure nothing is left behind and all settings are reset.

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed.

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.