Virtumonde I think but maybe more


This topic is locked
13 replies to this topic

#1 bwmfsu

Posted 28 November 2008 - 04:05 PM

A few days ago I ran an install for a program that I thought was something else, but it turns out it unleashed malware throughout my system. I have run HouseCall, scanned locally with Avast, and run Spybot Search & Destroy and Ad-Aware, but I still have an infection. I ran HijackThis and posted my log below. I don't know if this also has to do with the malware, but directly after my machine was infected I started receiving the message "C:\Windows\System32\gantusirhmaijtrec.dll Module could not be found." on startup.

Thanks in advance for your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:34:03 PM, on 11/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Offline Course Player\OlpSynch.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
c:\program files\Cisco Systems\Vpn Client\cvpnd.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\vVX1000.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://safesearch.cyberdefender.com/smallsearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [OLPSYNCH] C:\Program Files\Offline Course Player\OlpSynch.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PDF3 Registry Controller] "C:\Program Files\ScanSoft\PDF Converter 3.0\\RegistryController.exe"
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{2bb7d599-f15d-8b1d-24e9-50cf1a93127e}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gantusirhmaijtrec.dll" DllStart
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [gadcom] "C:\Documents and Settings\NetworkService\Application Data\gadcom\gadcom.exe" 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [gadcom] "C:\Documents and Settings\NetworkService\Application Data\gadcom\gadcom.exe" 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310 (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://C:\Program Files\ScanSoft\PDF Converter 3.0\IEShellExt.dll /100
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.antispyexpert.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {7C896371-4B7F-4B34-95B1-24851F5DED24} (Microsoft Virtual Server VMRC Control) - http://66.133.171.86/VMRCActiveXClient.cab
O16 - DPF: {8B0F07E1-00F9-4B1B-9A2F-456DC0F54EBF} (PortDetector Control) - http://vlab1se-ekt2.elementk.com/vlab/ax/PortTester.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: iodkku.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\program files\Cisco Systems\Vpn Client\cvpnd.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10841 bytes
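A triage script for the HijackThis log above, added here as an example; it is not part of the forum post and not a BleepingComputer or Trend Micro tool. It parses a handful of lines copied from the log and flags the entry types that mark this infection: a GUID-named Run value launching Rundll32 on a random-looking system32 DLL, a Run value under the SYSTEM hive pointing into the NetworkService profile, the O15 Trusted Zone additions, and the populated O20 AppInit_DLLs value. The lexical "random-looking" check (lowercase, 8+ letters, a run of 3+ consonants) is an assumption of this example and a weak signal on its own; the structural rules are the ones an analyst actually relies on.

```python
"""Triage heuristics for HijackThis (HJT) log lines.

Added example, not part of the forum post. Sample lines are copied from the
log above (plus clean lines so the filter has something to leave alone);
the rules and thresholds are this example's own assumptions.
"""
import re

# Constructed sample: lines taken from the HJT log in post #1.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [{2bb7d599-f15d-8b1d-24e9-50cf1a93127e}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gantusirhmaijtrec.dll" DllStart
O4 - HKUS\S-1-5-18\..\Run: [gadcom] "C:\Documents and Settings\NetworkService\Application Data\gadcom\gadcom.exe" 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310 (User 'SYSTEM')
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O20 - AppInit_DLLs: iodkku.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# "rundll32[.exe] <optional quote><path>.dll" as written in O4 entries.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?', re.IGNORECASE)
# A Run value whose *name* is a GUID (Vundo's habit on this machine).
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE)
# Autostart binaries should not live in service-account profiles.
SERVICE_PROFILES = ("\\networkservice\\", "\\localservice\\")
# Hive\..\Run: [value name] command
RUN_RE = re.compile(r"(HK\S+)\\\.\.\\Run:\s+\[([^\]]*)\]\s+(.*)")


def looks_random(path: str) -> bool:
    """Weak lexical heuristic (assumption of this example): all-lowercase
    basename of 8+ letters containing a run of 3+ consonants,
    e.g. gantusirhmaijtrec.dll. Vendor DLLs tend to be short or mixed-case."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if len(stem) < 8 or not stem.isalpha() or not stem.islower():
        return False
    return re.search(r"[bcdfghjklmnpqrstvwxz]{3}", stem) is not None


def triage_line(line: str) -> list:
    """Return the reasons this HJT line deserves attention (empty = nothing noted)."""
    reasons = []
    m = re.match(r"(O\d+|R\d)\s+-\s+(.*)", line.strip())
    if not m:
        return reasons
    section, body = m.group(1), m.group(2)

    if section == "O20" and "AppInit_DLLs:" in body:
        dlls = body.split("AppInit_DLLs:", 1)[1].strip()
        if dlls:  # any value here is loaded into every process that maps user32.dll
            reasons.append(f"AppInit_DLLs is populated ({dlls})")
    elif section == "O15":
        # Trusted Zone sites get relaxed IE security settings; a home box rarely needs any.
        reasons.append("Trusted Zone addition")
    elif section == "O4":
        vm = RUN_RE.match(body)
        if vm:
            _hive, value_name, command = vm.groups()
            if GUID_RE.match(value_name):
                reasons.append("Run value named with a GUID")
            if any(p in command.lower() for p in SERVICE_PROFILES):
                reasons.append("autostart binary inside a service-account profile")
            rm = RUNDLL_RE.search(command)
            if rm and looks_random(rm.group(1)):
                reasons.append(f"rundll32 loads random-looking DLL {rm.group(1)}")
    return reasons


def triage(log_text: str) -> list:
    """(line, reasons) for every line that tripped at least one rule."""
    findings = []
    for line in log_text.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings.append((line.strip(), reasons))
    return findings


if __name__ == "__main__":
    for flagged, why in triage(SAMPLE_LOG):
        print(flagged)
        for r in why:
            print("    ->", r)
```

Running it on the sample prints four flagged entries (the GUID/Rundll32 line, the gadcom line under HKUS\S-1-5-18, the O15 line and the O20 line) and leaves the avast!, NVIDIA and O23 lines alone. On a full log the O15 rule will be noisy on a corporate machine with intranet sites in the Trusted Zone, which is why the reason text is kept short and the analyst still reads the entry.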

#2 fenzodahl512

Posted 29 November 2008 - 06:39 AM

Hello, my name is fenzodahl512 and welcome to BC.. Please do the following...


Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT


Download DDS and save it to your desktop.

Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
-----------------------------------------------------

Please include the following logs in your thread:
  • Contents of the DDS.txt posted as text in your reply
  • Attach the Attach.txt to your post by clicking the Manage Attachments button under Additional Options > Attach Files on the composition page. Browse to where you saved the file, and click Upload.


Please post these logs in your next reply..

1. Malwarebytes'
2. DDS.txt
3. Attach.txt



#3 bwmfsu (Topic Starter)

Posted 29 November 2008 - 05:20 PM

It appears that everything has been removed. I no longer receive the "C:\Windows\System32\gantusirhmaijtrec.dll Module could not be found." error message on startup, and I am not being redirected to a random site every time I click on a link in my browser. Below you will find the Malwarebytes log and the contents of DDS.txt. Attached to this post is Attach.txt from DDS.

I really appreciate all of the help.

Here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.30
Database version: 1435
Windows 5.1.2600 Service Pack 2

11/29/2008 4:15:27 PM
mbam-log-2008-11-29 (16-15-27).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 159161
Time elapsed: 55 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 27
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 4
Files Infected: 49

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\difywpkj.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wvUmKBuU.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\iifcYQiJ.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\lwywfw.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\vvgghu.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{455c35be-c0de-4b8e-9e6a-f4f64d0450f5} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{455c35be-c0de-4b8e-9e6a-f4f64d0450f5} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iifcyqij (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8ac063de-ce36-432e-bb9c-ea9f22fcf769} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8ac063de-ce36-432e-bb9c-ea9f22fcf769} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{92305639-fc6b-43d8-ac75-bcd1f668d2bd} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{92305639-fc6b-43d8-ac75-bcd1f668d2bd} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{92305639-fc6b-43d8-ac75-bcd1f668d2bd} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{455c35be-c0de-4b8e-9e6a-f4f64d0450f5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8ac063de-ce36-432e-bb9c-ea9f22fcf769} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\agadoo (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Deewoo Network Manager (Adware.Radio) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b4fe5ea0 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2bb7d599-f15d-8b1d-24e9-50cf1a93127e} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\wvumkbuu -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\wvumkbuu -> Delete on reboot.

Folders Infected:
C:\Program Files\homeview (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\snapsnet (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\NI.GSCNS (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brendan\Start Menu\Programs\homeview (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\wvUmKBuU.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\UuBKmUvw.ini (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\UuBKmUvw.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iifcYQiJ.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\vvgghu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\lwywfw.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\difywpkj.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jkpwyfid.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brendan\Local Settings\Temporary Internet Files\Content.IE5\4ZEJNAE3\index[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brendan\Local Settings\Temporary Internet Files\Content.IE5\71A008II\kb435[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brendan\Local Settings\Temporary Internet Files\Content.IE5\8PYZ8H2Z\zc113432[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brendan\Local Settings\Temporary Internet Files\Content.IE5\Q0U1ZLOK\rkkhlmmzax[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brendan\My Documents\Downloads\PowerISO.v3.4\CORE10k.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058119.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058445.exe (Adware.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058464.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EA08C926-9DBF-45C3-A844-86480350E43B}\RP650\A0058546.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EA08C926-9DBF-45C3-A844-86480350E43B}\RP650\A0058590.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EA08C926-9DBF-45C3-A844-86480350E43B}\RP650\A0058596.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EA08C926-9DBF-45C3-A844-86480350E43B}\RP650\A0058597.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\llgddpcf.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cmdl.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\getfn32.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hxghuc.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qntroknu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSScfmm.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSocun.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vjlroscynfofexabw.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vmdclyvs.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wertyu.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wuyrhdar.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ccssav.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jyrciuww.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AI\nIE65FR.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xin\btkey10T.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\homeview\Uninstall.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\NI.GSCNS\dl.ini (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\NI.GSCNS\settings.ini (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brendan\Start Menu\Programs\homeview\Uninstall.lnk (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cont_globaladsolution-remove.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\5lVi64PT.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\components\nsglobaladsolution.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winpfz33.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSlxcp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\END (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSkkai.log (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSqqon.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSwrhd.log (Trojan.TDSS) -> Quarantined and deleted successfully.


Here are the contents of DDS.txt:


DDS (Version 1.0) - NTFSx86
Run by Brendan at 16:26:48.84 on Sat 11/29/2008
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1521 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Cisco Systems\Vpn Client\cvpnd.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Offline Course Player\OlpSynch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\vVX1000.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Brendan\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Bar = hxxp://safesearch.cyberdefender.com/smallsearch.html
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
BHO: {099518c7-6f5b-4290-b2c6-e24b49fdf019} - c:\windows\system32\bvnncp.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: {b7cac429-c94e-4c52-9f90-dbb99f6f65ce} - c:\windows\system32\gcgefm.dll
BHO: {CC7E636D-39AA-49b6-B511-65413DA137A1} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [OLPSYNCH] c:\program files\offline course player\OlpSynch.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PDF3 Registry Controller] "c:\program files\scansoft\pdf converter 3.0\\RegistryController.exe"
mRun: [VX1000] c:\windows\vVX1000.exe
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [gadcom] "c:\documents and settings\networkservice\application data\gadcom\gadcom.exe" 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc1~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpohmr08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Open with Scansoft PDF Converter 3.0 - c:\program files\scansoft\pdf converter 3.0\IEShellExt.dll /100
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - {CC962137-2E78-4F94-975E-FC0C07DBD78F} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: *.amaena.com
Trusted Zone: *.antimalwareguard.com
Trusted Zone: *.antispyexpert.com
Trusted Zone: *.avsystemcare.com
Trusted Zone: *.gomyhit.com
Trusted Zone: *.imageservr.com
Trusted Zone: *.imagesrvr.com
Trusted Zone: *.onerateld.com
Trusted Zone: *.safetydownload.com
Trusted Zone: *.storageguardsoft.com
Trusted Zone: *.trustedantivirus.com
Trusted Zone: *.virusschlacht.com
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: x-excid - {9D6CC632-1337-4a33-9214-2DA092E776F4} - c:\windows\downloaded program files\mimectl.dll
AppInit_DLLs: bvnncp.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msansspc.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-21 110160]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-21 20560]
R3 NWADI;NWADI Bus Enumerator;c:\windows\system32\drivers\NWADIenum.sys [2006-3-27 74752]
S4 hpt3xx;hpt3xx; []
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe" /service msvsmon80 [2005-9-23 2799808]

=============== Created Last 30 ================

2008-11-29 16:12 129,024 a------- c:\windows\system32\jubyydxw.dll
2008-11-29 16:12 129,024 a------- c:\windows\system32\bvnncp.dll
2008-11-29 16:12 129,024 a------- c:\windows\system32\rmynpz.dll
2008-11-29 16:12 129,024 a------- c:\windows\system32\koahkcuk.dll
2008-11-29 16:09 75,776 a------- c:\windows\system32\pwphviwi.dll
2008-11-29 16:09 75,776 a------- c:\windows\system32\gcgefm.dll
2008-11-29 16:06 1,342,962 ---sh--- c:\windows\system32\mfkopevl.ini
2008-11-29 16:06 72,704 a------- c:\windows\system32\lvepokfm.dll
2008-11-29 15:07 <DIR> --d----- c:\docume~1\brendan\applic~1\Malwarebytes
2008-11-29 15:07 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-11-29 15:07 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-29 15:07 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-11-29 15:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-11-28 15:33 <DIR> --d----- c:\program files\Trend Micro
2008-11-28 14:50 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-11-28 14:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-11-28 00:25 <DIR> --d----- C:\Sysclean
2008-11-27 23:47 72,704 a------- c:\windows\system32\etwrrlfq.dll
2008-11-27 23:44 129,024 a------- c:\windows\system32\iodkku.dll
2008-11-27 23:44 129,024 a------- c:\windows\system32\aebkgnmg.dll
2008-11-27 23:01 <DIR> --d----- c:\program files\Malware Removal Tool
2008-11-26 22:26 <DIR> --d----- c:\program files\SpywareBlaster
2008-11-26 21:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PrevxCSI
2008-11-26 19:33 74 a------- c:\windows\st_affiliate.ini
2008-11-26 17:36 <DIR> --d----- c:\program files\Lavasoft
2008-11-26 17:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Lavasoft
2008-11-26 17:36 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-11-26 00:32 590 a------- C:\Deewoo.lnk
2008-11-26 00:31 <DIR> --dsh--- c:\windows\QnJlbmRhbg
2008-11-26 00:30 <DIR> --d----- c:\temp\tn3
2008-11-26 00:30 <DIR> --d----- c:\temp\FT62
2008-11-26 00:30 <DIR> --d----- c:\windows\system32\xin
2008-11-26 00:30 <DIR> --d----- c:\windows\system32\oca
2008-11-26 00:30 <DIR> --d----- c:\windows\system32\jec
2008-11-26 00:30 <DIR> --d----- c:\windows\system32\GN
2008-11-26 00:30 <DIR> --d----- c:\windows\system32\DEC
2008-11-26 00:30 <DIR> --d----- c:\windows\system32\AI
2008-11-26 00:21 527 a------- c:\windows\system32\TDSSmtve.dat
2008-11-26 00:06 29,184 a------- c:\windows\system32\MSINET.oca
2008-11-26 00:06 2,407 a------- c:\windows\system32\MSINET.DEP
2008-11-25 19:17 38,490 a------- c:\windows\system32\drivers\seneka.sys
2008-11-25 19:17 3,224 a------- c:\windows\gu58826.exe
2008-11-25 19:16 7,680 a------- c:\windows\o255.exe
2008-11-25 19:16 0 a------- c:\windows\system32\cmdl.lock
2008-11-25 19:16 <DIR> --d----- c:\program files\ppcbooster
2008-11-25 19:16 3,228 a------- c:\windows\system32\cnf.dat
2008-11-25 19:16 44 a------- C:\p2hhr.bat
2008-11-25 19:16 2 a------- C:\-1258398193
2008-11-25 19:16 527 a------- c:\windows\system32\TDSSwupe.dat
2008-11-25 19:15 <DIR> --d----- c:\windows\Easy Decrypter
2008-11-25 19:15 <DIR> --d----- c:\program files\Easy Decrypter
2008-11-25 19:14 <DIR> --d----- c:\windows\HDTVXviD Codec
2008-11-22 15:10 <DIR> --d----- c:\program files\iPod
2008-11-22 15:10 <DIR> --d----- c:\program files\iTunes
2008-11-22 15:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-22 14:58 <DIR> --d----- c:\program files\Windows Installer Clean Up
2008-11-16 18:37 <DIR> --d----- c:\docume~1\brendan\applic~1\Move Networks
2008-11-15 12:35 664 a------- c:\windows\system32\d3d9caps.dat

==================== Find3M ====================

2008-11-25 20:10 <DIR> --d----- c:\docume~1\brendan\applic~1\uTorrent
2008-11-22 14:58 <DIR> --d----- c:\program files\MSECache
2008-10-28 21:07 <DIR> --d----- c:\program files\Microsoft SQL Server
2008-10-28 21:07 <DIR> --d----- c:\program files\Microsoft Visual Studio 9.0
2008-10-28 21:07 <DIR> --d----- c:\program files\Microsoft Synchronization Services
2008-10-28 21:07 <DIR> --d----- c:\program files\Microsoft SQL Server Compact Edition
2008-10-28 21:03 <DIR> --d----- c:\program files\Microsoft SDKs
2008-10-28 12:02 173,056 a------- c:\windows\system32\qvqksbxxgmcpy.dll
2008-10-28 11:21 555,008 a------- c:\windows\system32\nso2A5.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-15 06:57 1,846,016 a------- c:\windows\system32\win32k.sys
2008-09-04 11:42 1,106,944 a------- c:\windows\system32\msxml3.dll
2008-07-31 01:28 <DIR> --d----- c:\docume~1\brendan\applic~1\MSN6
2008-07-31 01:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\MSN6
2008-07-17 21:57 <DIR> --d----- c:\docume~1\brendan\applic~1\iPhoneRingToneMaker
2008-06-18 20:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PreEmptive Solutions
2008-03-11 08:49 <DIR> --d----- c:\docume~1\brendan\applic~1\Snapfish
2007-12-17 17:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2007-12-17 17:30 <DIR> --d----- c:\docume~1\brendan\applic~1\Viewpoint
2007-12-06 22:00 <DIR> --d----- c:\docume~1\brendan\applic~1\mIRC
2007-04-19 00:41 <DIR> --d----- c:\docume~1\brendan\applic~1\vlc
2007-02-02 00:21 <DIR> --d----- c:\docume~1\brendan\applic~1\Intuit
2007-02-02 00:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intuit
2006-12-02 17:46 <DIR> --d----- c:\docume~1\brendan\applic~1\.gaim
2006-09-25 00:32 <DIR> --d----- c:\docume~1\brendan\applic~1\Intel
2006-09-25 00:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intel
2006-09-25 00:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Novatel Wireless

============= FINISH: 16:27:38.15 ===============

Attached Files
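The log above is read the way a forum helper reads it: a populated AppInit_DLLs value (bvnncp.dll), a block of Trusted Zone entries, a Run entry living under the NetworkService profile, four 129,024-byte DLLs written to system32 in the same minute, a hidden+system .ini beside them, and TDSS-prefixed files. The Python script below is an added example, not part of this thread and not code from DDS, HijackThis, SDFix or ComboFix; it scans DDS-style log text for exactly those indicators. Its sample input is constructed from lines copied out of the posted log, with two benign lines (the avast! Run entry and mucltui.dll) left in as negatives. The severity labels, the "batch drop" rule (two or more same-size files in system32 within one minute) and the other thresholds are assumptions of this example, not anything the tools define.

```python
"""Triage a DDS/HijackThis-style log for the persistence indicators seen above.

Added example, not part of the thread or of the DDS/HijackThis tools. The
sample log is constructed from lines copied out of the posted log; the
avast! and mucltui.dll lines are benign and kept as negatives.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_LOG = r"""mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
dRun: [gadcom] "c:\documents and settings\networkservice\application data\gadcom\gadcom.exe" 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
Trusted Zone: *.antimalwareguard.com
Trusted Zone: *.trustedantivirus.com
AppInit_DLLs: bvnncp.dll
2008-11-29 16:12 129,024 a------- c:\windows\system32\jubyydxw.dll
2008-11-29 16:12 129,024 a------- c:\windows\system32\bvnncp.dll
2008-11-29 16:12 129,024 a------- c:\windows\system32\rmynpz.dll
2008-11-29 16:12 129,024 a------- c:\windows\system32\koahkcuk.dll
2008-11-29 16:06 1,342,962 ---sh--- c:\windows\system32\mfkopevl.ini
2008-11-29 15:07 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-11-26 00:21 527 a------- c:\windows\system32\TDSSmtve.dat
2008-11-25 19:17 38,490 a------- c:\windows\system32\drivers\seneka.sys
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
"""

# Shape of a "Created Last 30" / Find3M line: timestamp, size, attribute flags, path.
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d)\s+([\d,]+)\s+(\S+)\s+(.+)$")


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" (act on it) or "review" (confirm with the machine's owner)
    indicator: str
    detail: str


def parse_created_files(text):
    """Return the file-listing lines as dicts with integer sizes and lower-cased paths."""
    files = []
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            ts, size, attrs, path = m.groups()
            files.append({"ts": ts, "size": int(size.replace(",", "")),
                          "attrs": attrs, "path": path.lower()})
    return files


def in_system32_root(path):
    """True for files directly in system32, not in system32\\drivers or other subfolders."""
    head = path.rpartition("\\")[0]
    return head.endswith("\\system32")


def triage(text):
    findings = []
    appinit = set()
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        if key == "AppInit_DLLs" and value:
            # Windows maps every DLL named here into each process that loads user32.dll.
            for dll in (v.lower() for v in re.split(r"[,\s]+", value) if v):
                appinit.add(dll)
                findings.append(Finding("high", "AppInit_DLLs",
                                        f"{dll} is loaded into every process that maps user32.dll"))
        elif key == "Trusted Zone":
            # Home users rarely add sites here; each entry gets IE's relaxed zone settings.
            findings.append(Finding("review", "Trusted Zone", f"{value} has relaxed IE security settings"))
        elif key == "dRun":
            # Run key of a profile other than the logged-on user's; in this log the
            # binary sits under the NetworkService profile, where no one installs software.
            findings.append(Finding("high", "dRun", value))

    created = parse_created_files(text)

    # Batch drops: several files in system32 with identical size written in the same
    # minute. A "name looks random" rule is deliberately absent: mucltui.dll is legitimate.
    batches = defaultdict(list)
    for f in created:
        if in_system32_root(f["path"]):
            batches[(f["ts"], f["size"])].append(f["path"].rpartition("\\")[2])
    for (ts, size), names in sorted(batches.items()):
        if len(names) >= 2:
            findings.append(Finding("high", "batch drop",
                                    f"{len(names)} files of {size} bytes at {ts}: {', '.join(names)}"))

    for f in created:
        name = f["path"].rpartition("\\")[2]
        if name.startswith("tdss"):
            findings.append(Finding("high", "TDSS name", name))
        if in_system32_root(f["path"]) and "s" in f["attrs"] and "h" in f["attrs"]:
            findings.append(Finding("review", "hidden+system", f"{name} ({f['attrs']})"))
        if name in appinit:
            # Ties the registry value back to a freshly created file: the dropper's own DLL.
            findings.append(Finding("high", "AppInit_DLLs on disk", f"{name} created {f['ts']}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.indicator}: {f.detail}")
```

Two things worth noticing when running it over the full log. The batch rule catches the four 16:12 DLLs and the correlation rule ties bvnncp.dll back to AppInit_DLLs, but nothing here flags seneka.sys, which ComboFix later removed: name- and timestamp-based heuristics narrow the list, they do not clear a machine, which is why the helper moved on to SDFix and ComboFix rather than deleting files by name. And the Trusted Zone entries are only "review" severity in the code because the script cannot know the domains; a human reading this log recognises them as rogue-antivirus sites, so in practice every one of them is removed.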



#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 29 November 2008 - 07:01 PM

We're not done yet :thumbsup:



Please download SDFix by Andy Manchesta and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please reboot into Safe Mode
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • A new folder will be extracted to your %systemdrive%, typically C:\SDFix
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt along with any other requested logs at the end of these instructions.



NEXT


Please visit below webpage for instructions for downloading and running ComboFix. Make sure you download and save ComboFix DIRECTLY to your Desktop

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. DO NOT select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix (located in C:\combofix.txt) when you've accomplished that, along with a new HijackThis log.



Post me these logs in your next reply..

1. SDFix
2. ComboFix
3. A fresh HijackThis log

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#5 bwmfsu

bwmfsu
  • Topic Starter

  • Members
  • 12 posts

Posted 30 November 2008 - 11:29 AM

I have followed all of the steps that you listed.

This post contains the following logs:
1. SDFix
2. ComboFix
3. Fresh HijackThis

Thanks


1. SDFix Log

SDFix: Version 1.240
Run by Brendan on Sun 11/30/2008 at 09:43 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
TDSSserv.sys

Path :
\systemroot\system32\drivers\TDSSpqlt.sys

TDSSserv.sys - Deleted



Restoring Default Security Values
Restoring Default Hosts File
Resetting SecurityProviders Value

Rebooting


Checking Files :

Trojan Files Found:

C:\-12583~1 - Deleted
C:\DOCUME~1\Brendan\LOCALS~1\Temp\TMP10.tmp - Deleted
C:\DOCUME~1\Brendan\LOCALS~1\Temp\TMP11.tmp - Deleted
C:\DOCUME~1\Brendan\LOCALS~1\Temp\TMP12.tmp - Deleted
C:\DOCUME~1\Brendan\LOCALS~1\Temp\TMP13.tmp - Deleted
C:\DOCUME~1\Brendan\LOCALS~1\Temp\TMP14.tmp - Deleted
C:\DOCUME~1\Brendan\LOCALS~1\Temp\TMP15.tmp - Deleted
C:\DOCUME~1\Brendan\LOCALS~1\Temp\TMP16.tmp - Deleted
C:\DOCUME~1\Brendan\LOCALS~1\Temp\TMP17.tmp - Deleted
C:\DOCUME~1\Brendan\LOCALS~1\Temp\TMP18.tmp - Deleted
C:\DOCUME~1\Brendan\LOCALS~1\Temp\TMP19.tmp - Deleted
C:\DOCUME~1\Brendan\LOCALS~1\Temp\TMP1A.tmp - Deleted
C:\DOCUME~1\Brendan\LOCALS~1\Temp\TMP1B.tmp - Deleted
C:\DOCUME~1\Brendan\LOCALS~1\Temp\TMP1C.tmp - Deleted
C:\DOCUME~1\Brendan\LOCALS~1\Temp\TMP1D.tmp - Deleted
C:\DOCUME~1\Brendan\LOCALS~1\Temp\TMP1E.tmp - Deleted
C:\DOCUME~1\Brendan\LOCALS~1\Temp\TMP1F.tmp - Deleted
C:\DOCUME~1\Brendan\LOCALS~1\Temp\TMP21.tmp - Deleted
C:\DOCUME~1\Brendan\LOCALS~1\Temp\TMP22.tmp - Deleted
C:\DOCUME~1\Brendan\LOCALS~1\Temp\TMP23.tmp - Deleted
C:\DOCUME~1\Brendan\LOCALS~1\Temp\TMP24.tmp - Deleted
C:\DOCUME~1\Brendan\LOCALS~1\Temp\TMP25.tmp - Deleted
C:\DOCUME~1\Brendan\LOCALS~1\Temp\TMP2A.tmp - Deleted
C:\DOCUME~1\Brendan\LOCALS~1\Temp\TMP2C.tmp - Deleted
C:\DOCUME~1\Brendan\LOCALS~1\Temp\TMP2F.tmp - Deleted
C:\DOCUME~1\Brendan\LOCALS~1\Temp\TMP31.tmp - Deleted
C:\DOCUME~1\Brendan\LOCALS~1\Temp\TMP34.tmp - Deleted
C:\DOCUME~1\Brendan\LOCALS~1\Temp\TMP35.tmp - Deleted
C:\DOCUME~1\Brendan\LOCALS~1\Temp\TMP8.tmp - Deleted
C:\DOCUME~1\Brendan\LOCALS~1\Temp\TMP9.tmp - Deleted
C:\DOCUME~1\Brendan\LOCALS~1\Temp\TMPA.tmp - Deleted
C:\DOCUME~1\Brendan\LOCALS~1\Temp\TMPB.tmp - Deleted
C:\DOCUME~1\Brendan\LOCALS~1\Temp\TMPC.tmp - Deleted
C:\DOCUME~1\Brendan\LOCALS~1\Temp\TMPD.tmp - Deleted
C:\DOCUME~1\Brendan\LOCALS~1\Temp\TMPE.tmp - Deleted
C:\DOCUME~1\Brendan\LOCALS~1\Temp\TMPF.tmp - Deleted
C:\WINDOWS\system32\drivers\TDSSpqlt.sys - Deleted
C:\WINDOWS\SYSTEM32\TDSSMTVE.dat - Deleted
C:\WINDOWS\SYSTEM32\TDSSWUPE.dat - Deleted



Folder C:\Temp\tn3 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-30 10:09:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016cffe7302]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0016cffe7302]

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Soulseek\\slsk.exe"="C:\\Program Files\\Soulseek\\slsk.exe:*:Enabled:SoulSeek"
"C:\\Documents and Settings\\Brendan\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\Brendan\\Desktop\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\utorrent\\utorrent.exe"="C:\\Program Files\\utorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Microsoft Virtual PC\\Virtual PC.exe"="C:\\Program Files\\Microsoft Virtual PC\\Virtual PC.exe:*:Enabled:Virtual PC 2004"
"C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Documents and Settings\\Brendan\\My Documents\\download\\holdfastpirate\\mIRC 6.3 + keygen\\mIRC 6.3 + keygen\\mIRC - English.exe"="C:\\Documents and Settings\\Brendan\\My Documents\\download\\holdfastpirate\\mIRC 6.3 + keygen\\mIRC 6.3 + keygen\\mIRC - English.exe:*:Enabled:mIRC"
"C:\\Program Files\\mIRC\\mIRC - English.exe"="C:\\Program Files\\mIRC\\mIRC - English.exe:*:Enabled:mIRC"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"="C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe:*:Enabled:LifeExp.exe"
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"="C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe:*:Enabled:LifeCam.exe"
"C:\\Program Files\\WinSCP\\WinSCP.exe"="C:\\Program Files\\WinSCP\\WinSCP.exe:*:Enabled:Windows SFTP, FTP and SCP client"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 10 Feb 2005 152,296 ...H. --- "C:\Program Files\Microsoft Virtual PC\updatedvmm.sys"
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 7 Jul 2008 2,156,368 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
Thu 7 Feb 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 8 Apr 2008 30,208 ...H. --- "C:\Documents and Settings\Brendan\Desktop\~WRL1423.tmp"
Mon 5 May 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Thu 16 Nov 2006 3,995,136 ...H. --- "C:\Documents and Settings\Brendan\My Documents\heather's goodies\~WRL2145.tmp"
Tue 6 May 2008 49,152 A..H. --- "C:\Documents and Settings\Brendan\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll"
Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\Brendan\Application Data\U3\temp\Launchpad Removal.exe"
Tue 20 May 2008 6,358,528 ...H. --- "C:\Documents and Settings\Brendan\My Documents\heather's goodies\Grad School Stuff\Exhibit\~WRL1850.tmp"
Sun 2 Mar 2008 6,359,040 ...H. --- "C:\Documents and Settings\Brendan\My Documents\heather's goodies\Grad School Stuff\Exhibit\~WRL2314.tmp"

Finished!


2. ComboFix Log

ComboFix 08-11-29.03 - Brendan 2008-11-30 10:46:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1448 [GMT -5:00]
Running from: c:\documents and settings\Brendan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Brendan\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Brendan\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\ppcbooster
c:\program files\ppcbooster\ppcbu_32.exe
c:\windows\system32\aebkgnmg.dll
c:\windows\system32\bvnncp.dll
c:\windows\system32\Cache
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\etwrrlfq.dll
c:\windows\system32\gcgefm.dll
c:\windows\system32\iodkku.dll
c:\windows\system32\jubyydxw.dll
c:\windows\system32\koahkcuk.dll
c:\windows\system32\lvepokfm.dll
c:\windows\system32\MabryObj.dll
c:\windows\system32\mfkopevl.ini
c:\windows\system32\pwphviwi.dll
c:\windows\system32\qvqksbxxgmcpy.dll
c:\windows\Tasks\lkzacwbt.job
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-30 )))))))))))))))))))))))))))))))
.

2008-11-30 09:36 . 2008-11-30 09:36 <DIR> d-------- c:\windows\ERUNT
2008-11-30 09:30 . 2008-11-30 10:14 <DIR> d-------- C:\SDFix
2008-11-29 16:12 . 2008-11-29 16:12 129,024 --a------ c:\windows\system32\rmynpz.dll
2008-11-29 15:07 . 2008-11-29 15:07 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-29 15:07 . 2008-11-29 15:07 <DIR> d-------- c:\documents and settings\Brendan\Application Data\Malwarebytes
2008-11-29 15:07 . 2008-11-29 15:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-29 15:07 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-29 15:07 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-28 17:14 . 2008-11-28 17:14 <DIR> d-------- C:\rsit
2008-11-28 15:33 . 2008-11-28 15:33 <DIR> d-------- c:\program files\Trend Micro
2008-11-28 14:50 . 2008-11-28 15:13 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-28 14:50 . 2008-11-28 15:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-28 00:25 . 2008-11-28 14:38 <DIR> d-------- C:\Sysclean
2008-11-27 23:01 . 2008-11-27 23:02 <DIR> d-------- c:\program files\Malware Removal Tool
2008-11-26 22:26 . 2008-11-26 22:26 <DIR> d-------- c:\program files\SpywareBlaster
2008-11-26 22:26 . 2008-11-26 22:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2008-11-26 21:25 . 2008-11-28 00:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\PrevxCSI
2008-11-26 19:33 . 2008-11-26 19:33 74 --a------ c:\windows\st_affiliate.ini
2008-11-26 17:36 . 2008-11-26 17:36 <DIR> d-------- c:\program files\Lavasoft
2008-11-26 17:36 . 2008-11-26 17:36 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-26 17:36 . 2008-11-26 17:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-26 00:35 . 2008-11-26 00:35 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\IUpd721
2008-11-26 00:32 . 2008-11-26 00:32 590 --a------ C:\Deewoo.lnk
2008-11-26 00:31 . 2008-11-26 07:52 <DIR> d--hs---- c:\windows\QnJlbmRhbg
2008-11-26 00:30 . 2008-11-29 16:15 <DIR> d-------- c:\windows\system32\xin
2008-11-26 00:30 . 2008-11-27 08:16 <DIR> d-------- c:\windows\system32\oca
2008-11-26 00:30 . 2008-11-26 07:58 <DIR> d-------- c:\windows\system32\jec
2008-11-26 00:30 . 2008-11-26 00:31 <DIR> d-------- c:\windows\system32\GN
2008-11-26 00:30 . 2008-11-26 07:56 <DIR> d-------- c:\windows\system32\DEC
2008-11-26 00:30 . 2008-11-29 16:15 <DIR> d-------- c:\windows\system32\AI
2008-11-26 00:30 . 2008-11-26 00:30 <DIR> d-------- c:\temp\FT62
2008-11-26 00:06 . 2008-11-26 00:30 29,184 --a------ c:\windows\system32\MSINET.oca
2008-11-26 00:06 . 2008-11-26 00:30 2,407 --a------ c:\windows\system32\MSINET.DEP
2008-11-25 19:17 . 2008-11-25 19:17 3,224 --a------ c:\windows\gu58826.exe
2008-11-25 19:16 . 2008-11-25 19:16 7,680 --a------ c:\windows\o255.exe
2008-11-25 19:16 . 2008-11-25 19:16 3,228 --a------ c:\windows\system32\cnf.dat
2008-11-25 19:16 . 2008-11-25 19:16 44 --a------ C:\p2hhr.bat
2008-11-25 19:16 . 2008-11-25 19:16 0 --a------ c:\windows\system32\cmdl.lock
2008-11-25 19:15 . 2008-11-25 19:15 <DIR> d-------- c:\windows\Easy Decrypter
2008-11-25 19:15 . 2008-11-25 19:15 <DIR> d-------- c:\program files\Easy Decrypter
2008-11-25 19:14 . 2008-11-25 19:14 <DIR> d-------- c:\windows\HDTVXviD Codec
2008-11-22 15:10 . 2008-11-22 15:11 <DIR> d-------- c:\program files\iTunes
2008-11-22 15:10 . 2008-11-22 15:10 <DIR> d-------- c:\program files\iPod
2008-11-22 15:10 . 2008-11-22 15:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-22 14:58 . 2008-11-22 14:58 <DIR> d-------- c:\program files\Windows Installer Clean Up
2008-11-16 18:37 . 2008-11-24 21:36 <DIR> d-------- c:\documents and settings\Brendan\Application Data\Move Networks
2008-11-15 12:35 . 2008-11-15 12:35 664 --a------ c:\windows\system32\d3d9caps.dat
2008-10-28 21:07 . 2008-10-28 21:07 <DIR> d-------- c:\program files\Microsoft Synchronization Services
2008-10-28 21:07 . 2008-10-28 21:07 <DIR> d-------- c:\program files\Microsoft SQL Server Compact Edition
2008-10-28 21:07 . 2008-10-28 21:07 <DIR> d-------- c:\program files\Microsoft SQL Server
2008-10-28 21:04 . 2008-10-28 21:07 <DIR> d-------- c:\program files\Microsoft Visual Studio 9.0
2008-10-28 21:03 . 2008-10-28 21:03 <DIR> d-------- c:\program files\Microsoft SDKs
2008-10-28 21:02 . 2008-10-28 21:02 <DIR> d-------- c:\windows\system32\XPSViewer
2008-10-28 21:01 . 2008-10-28 21:01 <DIR> d-------- c:\program files\Reference Assemblies
2008-10-28 21:01 . 2008-07-06 07:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2008-10-28 21:01 . 2008-07-06 07:06 1,676,288 -----c--- c:\windows\system32\dllcache\xpssvcs.dll
2008-10-28 21:01 . 2008-07-06 05:50 597,504 -----c--- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2008-10-28 21:01 . 2008-07-06 07:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2008-10-28 21:01 . 2008-07-06 07:06 575,488 -----c--- c:\windows\system32\dllcache\xpsshhdr.dll
2008-10-28 21:01 . 2008-07-06 07:06 117,760 --------- c:\windows\system32\prntvpt.dll
2008-10-28 21:01 . 2008-07-06 07:06 89,088 -----c--- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2008-10-28 21:00 . 2008-11-12 03:09 <DIR> d-------- c:\windows\SxsCaPendDel
2008-10-28 11:21 . 2008-10-28 11:21 555,008 --a------ c:\windows\system32\nso2A5.dll
2008-10-18 14:41 . 2008-10-18 14:41 <DIR> d--hs---- c:\windows\ftpcache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 05:40 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-26 01:10 --------- d-----w c:\documents and settings\Brendan\Application Data\uTorrent
2008-11-22 20:08 --------- d-----w c:\program files\QuickTime
2008-11-22 20:07 --------- d-----w c:\program files\Apple Software Update
2008-11-22 19:58 --------- d-----w c:\program files\MSECache
2008-11-12 08:03 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-07 19:23 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 07:07 --------- d-----w c:\program files\Microsoft Silverlight
2008-09-30 02:56 --------- d-----w c:\program files\MSBuild
2008-09-30 02:56 --------- d-----w c:\program files\Microsoft Works
2008-09-30 02:52 --------- d-----w c:\program files\Microsoft Visual Studio 8
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 2321600]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-01 7561216]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-01 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-01 696320]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"OLPSYNCH"="c:\program files\Offline Course Player\OlpSynch.exe" [2007-01-24 42544]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-18 81000]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]
"PDF3 Registry Controller"="c:\program files\ScanSoft\PDF Converter 3.0\\RegistryController.exe" [2005-04-12 106496]
"VX1000"="c:\windows\vVX1000.exe" [2006-06-29 707376]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-10-13 277296]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"nwiz"="nwiz.exe" [2006-05-01 c:\windows\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2006-05-01 c:\windows\system32\nvhotkey.dll]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 c:\windows\system32\bthprops.cpl]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 622653]
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-09 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=bvnncp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= DivXa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2006-08-01 15:35 67112 c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeadAIM]
--a------ 2004-02-28 12:12 144896 c:\progra~1\AIM\DeadAIM.ocm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"c:\\Program Files\\Microsoft Virtual PC\\Virtual PC.exe"=
"c:\\Program Files\\mIRC\\mIRC - English.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\WinSCP\\WinSCP.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-21 110160]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-04-21 20560]
R3 NWADI;NWADI Bus Enumerator;c:\windows\system32\DRIVERS\NWADIenum.sys [2006-03-27 74752]
S4 hpt3xx;hpt3xx; []
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2005-09-23 2799808]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00a7e0f6-924b-11dd-aa0f-0018de221297}]
\Shell\AutoRun\command - f:\__stickydrive\StickyDrive.exe
\Shell\StickyDrive\Command - f:\__stickydrive\StickyDrive.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{02576f34-7f93-11dd-aa0c-0018de221297}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{545c29e4-66e1-11db-a9cd-0018de221297}]
\Shell\AutoRun\command - f:\jdsecure\Windows\JDSecure20.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6069bde5-4c32-11db-9719-c529ffafc6bc}]
\Shell\AutoRun\command - F:\LinksysConnectPC.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2007-03-23 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1166376228.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 17:56]
.
- - - - ORPHANS REMOVED - - - -

BHO-{099518c7-6f5b-4290-b2c6-e24b49fdf019} - c:\windows\system32\bvnncp.dll
BHO-{b7cac429-c94e-4c52-9f90-dbb99f6f65ce} - c:\windows\system32\gcgefm.dll
HKU-Default-Run-gadcom - c:\documents and settings\NetworkService\Application Data\gadcom\gadcom.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Brendan\Application Data\Mozilla\Firefox\Profiles\4gwtqzzt.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - google.com/ig
FF -: plugin - c:\documents and settings\Brendan\Application Data\Mozilla\Firefox\Profiles\4gwtqzzt.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF -: plugin - c:\documents and settings\Brendan\Application Data\Mozilla\plugins\NPAbacheck.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPOlp32.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npsnapfish.dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-30 11:11:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Cisco Systems\Vpn Client\cvpnd.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
.
**************************************************************************
.
Completion time: 2008-11-30 11:17:13 - machine was rebooted [Brendan]
ComboFix-quarantined-files.txt 2008-11-30 16:16:24

Pre-Run: 34,163,769,344 bytes free
Post-Run: 34,255,552,512 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

271 --- E O F --- 2008-11-12 08:03:20


3. Fresh HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:34 AM, on 11/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Cisco Systems\Vpn Client\cvpnd.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Offline Course Player\OlpSynch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\vVX1000.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IE Developer Toolbar BHO - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [OLPSYNCH] C:\Program Files\Offline Course Player\OlpSynch.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PDF3 Registry Controller] "C:\Program Files\ScanSoft\PDF Converter 3.0\\RegistryController.exe"
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://C:\Program Files\ScanSoft\PDF Converter 3.0\IEShellExt.dll /100
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.antispyexpert.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {7C896371-4B7F-4B34-95B1-24851F5DED24} (Microsoft Virtual Server VMRC Control) - http://66.133.171.86/VMRCActiveXClient.cab
O16 - DPF: {8B0F07E1-00F9-4B1B-9A2F-456DC0F54EBF} (PortDetector Control) - http://vlab1se-ekt2.elementk.com/vlab/ax/PortTester.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: bvnncp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\program files\Cisco Systems\Vpn Client\cvpnd.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10804 bytes
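
The items the helper singles out for removal later in this thread (the O15 Trusted Zone additions and the O20 AppInit_DLLs hook) can be picked out of a HijackThis log mechanically. The following Python is an added example, not code from the thread or from HijackThis; the sample lines are copied from the log above, and the severity labels, function names and the IP-literal heuristic for O16 entries are the example's own choices.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample: a handful of lines lifted from the HijackThis v2.0.2 log above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O16 - DPF: {7C896371-4B7F-4B34-95B1-24851F5DED24} (Microsoft Virtual Server VMRC Control) - http://66.133.171.86/VMRCActiveXClient.cab
O16 - DPF: {8B0F07E1-00F9-4B1B-9A2F-456DC0F54EBF} (PortDetector Control) - http://vlab1se-ekt2.elementk.com/vlab/ax/PortTester.cab
O20 - AppInit_DLLs: bvnncp.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# HijackThis item lines look like "O15 - ..." or "R1 - ..."; everything else is ignored.
ITEM_RE = re.compile(r"^([OR]\d+)\s+-\s+(.*)$")

def parse_items(log_text):
    """Yield (section, body) for every item line in a HijackThis log."""
    for raw in log_text.splitlines():
        m = ITEM_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)

def is_ip_literal(host):
    """True when the host part of a URL is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def triage(log_text):
    """Return (severity, section, detail) tuples for the items worth a second look,
    highest severity first. Severity labels are this example's own convention."""
    findings = []
    for section, body in parse_items(log_text):
        if section == "O15":
            # A Trusted Zone entry relaxes IE's security settings for that domain. Home
            # users rarely add these by hand; the ones in this log are rogue-antivirus sites.
            m = re.match(r"Trusted Zone:\s+(\S+)", body)
            findings.append(("high", "O15", m.group(1) if m else body))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is loaded into every process that links user32.dll, so a bare
            # DLL name here is a system-wide code-injection and persistence point.
            value = body.split(":", 1)[1].strip()
            if value:
                findings.append(("high", "O20", value))
        elif section == "O16":
            # Downloaded Program Files (ActiveX) fetched from a raw IP rather than a named
            # host get a closer look; named hosts are only noted for review.
            url = body.rsplit(" - ", 1)[-1].strip()
            host = urlparse(url).hostname or ""
            findings.append(("medium" if is_ip_literal(host) else "info", "O16", host))
    order = {"high": 0, "medium": 1, "info": 2}
    return sorted(findings, key=lambda f: order[f[0]])

if __name__ == "__main__":
    for severity, section, detail in triage(SAMPLE_LOG):
        print(f"{severity:6} {section:4} {detail}")
```

The O2 BHO and O23 service lines are deliberately left alone: a vendor name and a path under Program Files are not evidence of anything, whereas a Trusted Zone addition or a non-empty AppInit_DLLs value is a configuration change that almost always needs an explanation.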

#6 fenzodahl512

Posted 30 November 2008 - 01:05 PM

Please re-open HijackThis and click on Do a system scan only. Check the boxes next to all the entries listed below.

O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.antispyexpert.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)


Now close all windows other than HijackThis, then click Fix checked. Close HijackThis.



NEXT


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
c:\windows\system32\rmynpz.dll
c:\windows\system32\MSINET.oca
c:\windows\system32\MSINET.DEP
c:\windows\gu58826.exe
c:\windows\o255.exe
c:\windows\system32\cnf.dat
C:\p2hhr.bat
c:\windows\system32\cmdl.lock
c:\windows\system32\nso2A5.dll

Folder::
c:\documents and settings\NetworkService\Application Data\IUpd721
c:\windows\QnJlbmRhbg
c:\windows\system32\xin
c:\windows\system32\oca
c:\windows\system32\jec
c:\windows\system32\GN
c:\windows\system32\DEC
c:\windows\system32\AI
c:\temp\FT62
c:\windows\Easy Decrypter
c:\program files\Easy Decrypter
f:\__stickydrive

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00a7e0f6-924b-11dd-aa0f-0018de221297}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{02576f34-7f93-11dd-aa0c-0018de221297}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

SysRst::

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
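
A dry-run parser for the CFScript format used in the reply above, added here as an example and not part of the thread or of ComboFix itself. It assumes only the conventions visible in that script: a line of the form `Name::` opens a section, and the Registry:: section follows .reg syntax, where `[-KEY]` deletes a key and `[KEY]` followed by `"name"="value"` sets a value. The function names and the off-drive check are the example's own.

```python
import re

# Constructed sample: the CFScript from the reply above, reproduced verbatim.
SAMPLE_CFSCRIPT = r"""
KillAll::

File::
c:\windows\system32\rmynpz.dll
c:\windows\system32\MSINET.oca
c:\windows\system32\MSINET.DEP
c:\windows\gu58826.exe
c:\windows\o255.exe
c:\windows\system32\cnf.dat
C:\p2hhr.bat
c:\windows\system32\cmdl.lock
c:\windows\system32\nso2A5.dll

Folder::
c:\documents and settings\NetworkService\Application Data\IUpd721
c:\windows\QnJlbmRhbg
c:\windows\system32\xin
c:\windows\system32\oca
c:\windows\system32\jec
c:\windows\system32\GN
c:\windows\system32\DEC
c:\windows\system32\AI
c:\temp\FT62
c:\windows\Easy Decrypter
c:\program files\Easy Decrypter
f:\__stickydrive

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00a7e0f6-924b-11dd-aa0f-0018de221297}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{02576f34-7f93-11dd-aa0c-0018de221297}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

SysRst::
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
REG_KEY_RE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+\\.*)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')

def parse_cfscript(text):
    """Split a CFScript into {section: [entry lines]}; blank lines are ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        sections[current].append(line)
    return sections

def registry_plan(entries):
    """Turn Registry:: lines (.reg syntax) into (op, key, name, value) tuples.
    Only string values are decoded; other .reg value types are passed through raw."""
    ops, key = [], None
    for line in entries:
        m = REG_KEY_RE.match(line)
        if m:
            if m.group(1) == "-":          # [-KEY] deletes the whole key
                ops.append(("delete_key", m.group(2), None, None))
                key = None
            else:                          # [KEY] makes following values apply to it
                key = m.group(2)
            continue
        m = REG_VALUE_RE.match(line)
        if m and key:
            name, raw_value = m.groups()
            if raw_value == "-":           # "name"=- deletes a value in .reg syntax
                ops.append(("delete_value", key, name, None))
            else:
                ops.append(("set_value", key, name, raw_value.strip('"')))
            continue
        raise ValueError(f"unrecognised Registry:: line: {line!r}")
    return ops

def build_plan(text):
    """Summarise what the script asks ComboFix to do, without touching anything."""
    s = parse_cfscript(text)
    return {
        "kill_all": "KillAll" in s,
        "sysrst": "SysRst" in s,
        "files": s.get("File", []),
        "folders": s.get("Folder", []),
        "registry": registry_plan(s.get("Registry", [])),
    }

def off_system_drive(plan, system_drive="c:"):
    """Paths that are not on the system drive. Here f:\__stickydrive is a USB stick,
    so that medium has to be attached when the script runs or the path will not exist."""
    prefix = system_drive.lower() + "\\"
    return [p for p in plan["files"] + plan["folders"] if not p.lower().startswith(prefix)]

if __name__ == "__main__":
    plan = build_plan(SAMPLE_CFSCRIPT)
    print(len(plan["files"]), "files,", len(plan["folders"]), "folders,", len(plan["registry"]), "registry ops")
    for op in plan["registry"]:
        print(" ", op)
    print("needs another drive attached:", off_system_drive(plan))
```

Reviewing the plan this way before dropping the script onto ComboFix catches two things a practitioner cares about: the registry section really does clear AppInit_DLLs rather than some unrelated value, and one of the folder entries lives on a removable drive that must be plugged in for the run.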


#7 bwmfsu

Posted 30 November 2008 - 04:38 PM

I removed the entries that you mentioned in HijackThis and ran ComboFix using the script that you provided. Here are the new ComboFix and HijackThis logs.

Thanks.

1. HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:31:38 PM, on 11/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Cisco Systems\Vpn Client\cvpnd.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Offline Course Player\OlpSynch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\vVX1000.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IE Developer Toolbar BHO - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [OLPSYNCH] C:\Program Files\Offline Course Player\OlpSynch.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PDF3 Registry Controller] "C:\Program Files\ScanSoft\PDF Converter 3.0\\RegistryController.exe"
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://C:\Program Files\ScanSoft\PDF Converter 3.0\IEShellExt.dll /100
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7C896371-4B7F-4B34-95B1-24851F5DED24} (Microsoft Virtual Server VMRC Control) - http://66.133.171.86/VMRCActiveXClient.cab
O16 - DPF: {8B0F07E1-00F9-4B1B-9A2F-456DC0F54EBF} (PortDetector Control) - http://vlab1se-ekt2.elementk.com/vlab/ax/PortTester.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\program files\Cisco Systems\Vpn Client\cvpnd.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10210 bytes


2. ComboFix Log

ComboFix 08-11-30.01 - Brendan 2008-11-30 16:15:21.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1534 [GMT -5:00]
Running from: c:\documents and settings\Brendan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Brendan\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\p2hhr.bat
c:\windows\gu58826.exe
c:\windows\o255.exe
c:\windows\system32\cmdl.lock
c:\windows\system32\cnf.dat
c:\windows\system32\MSINET.DEP
c:\windows\system32\MSINET.oca
c:\windows\system32\nso2A5.dll
c:\windows\system32\rmynpz.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\NetworkService\Application Data\IUpd721
c:\documents and settings\NetworkService\Application Data\IUpd721\Logs\scns.log
C:\p2hhr.bat
c:\program files\Easy Decrypter
c:\program files\Easy Decrypter\AnalogTVFrequency.reg
c:\program files\Easy Decrypter\AnalogTVStandard.INI
c:\program files\Easy Decrypter\applog.dll
c:\program files\Easy Decrypter\ATSCFrequencyList.ini
c:\program files\Easy Decrypter\EasyDecrypter.exe
c:\program files\Easy Decrypter\icon.ico
c:\program files\Easy Decrypter\License.txt
c:\program files\Easy Decrypter\SkinScrollBar.dll
c:\program files\Easy Decrypter\SndErr.exe
c:\program files\Easy Decrypter\SndErr.ini
c:\program files\Easy Decrypter\ucm.dll
c:\program files\Easy Decrypter\Uninstall\IRIMG1.BMP
c:\program files\Easy Decrypter\Uninstall\IRIMG2.BMP
c:\program files\Easy Decrypter\Uninstall\uninstall.dat
c:\program files\Easy Decrypter\Uninstall\uninstall.xml
c:\temp\FT62
c:\temp\FT62\teTU.log
c:\windows\Easy Decrypter
c:\windows\Easy Decrypter\uninstall.exe
c:\windows\gu58826.exe
c:\windows\o255.exe
c:\windows\QnJlbmRhbg
c:\windows\system32\AI
c:\windows\system32\cmdl.lock
c:\windows\system32\cnf.dat
c:\windows\system32\DEC
c:\windows\system32\GN
c:\windows\system32\jec
c:\windows\system32\MSINET.DEP
c:\windows\system32\MSINET.oca
c:\windows\system32\nso2A5.dll
c:\windows\system32\oca
c:\windows\system32\rmynpz.dll
c:\windows\system32\xin

.
((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-30 )))))))))))))))))))))))))))))))
.

2008-11-30 09:36 . 2008-11-30 09:36 <DIR> d-------- c:\windows\ERUNT
2008-11-30 09:30 . 2008-11-30 10:14 <DIR> d-------- C:\SDFix
2008-11-29 15:07 . 2008-11-29 15:07 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-29 15:07 . 2008-11-29 15:07 <DIR> d-------- c:\documents and settings\Brendan\Application Data\Malwarebytes
2008-11-29 15:07 . 2008-11-29 15:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-29 15:07 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-29 15:07 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-28 17:14 . 2008-11-28 17:14 <DIR> d-------- C:\rsit
2008-11-28 15:33 . 2008-11-28 15:33 <DIR> d-------- c:\program files\Trend Micro
2008-11-28 14:50 . 2008-11-28 15:13 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-28 14:50 . 2008-11-28 15:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-28 00:25 . 2008-11-28 14:38 <DIR> d-------- C:\Sysclean
2008-11-27 23:01 . 2008-11-27 23:02 <DIR> d-------- c:\program files\Malware Removal Tool
2008-11-26 22:26 . 2008-11-26 22:26 <DIR> d-------- c:\program files\SpywareBlaster
2008-11-26 22:26 . 2008-11-26 22:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2008-11-26 21:25 . 2008-11-28 00:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\PrevxCSI
2008-11-26 19:33 . 2008-11-26 19:33 74 --a------ c:\windows\st_affiliate.ini
2008-11-26 17:36 . 2008-11-26 17:36 <DIR> d-------- c:\program files\Lavasoft
2008-11-26 17:36 . 2008-11-26 17:36 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-26 17:36 . 2008-11-26 17:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-26 00:32 . 2008-11-26 00:32 590 --a------ C:\Deewoo.lnk
2008-11-25 19:14 . 2008-11-25 19:14 <DIR> d-------- c:\windows\HDTVXviD Codec
2008-11-22 15:10 . 2008-11-22 15:11 <DIR> d-------- c:\program files\iTunes
2008-11-22 15:10 . 2008-11-22 15:10 <DIR> d-------- c:\program files\iPod
2008-11-22 15:10 . 2008-11-22 15:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-22 14:58 . 2008-11-22 14:58 <DIR> d-------- c:\program files\Windows Installer Clean Up
2008-11-16 18:37 . 2008-11-24 21:36 <DIR> d-------- c:\documents and settings\Brendan\Application Data\Move Networks
2008-11-15 12:35 . 2008-11-15 12:35 664 --a------ c:\windows\system32\d3d9caps.dat
2008-10-28 21:07 . 2008-10-28 21:07 <DIR> d-------- c:\program files\Microsoft Synchronization Services
2008-10-28 21:07 . 2008-10-28 21:07 <DIR> d-------- c:\program files\Microsoft SQL Server Compact Edition
2008-10-28 21:07 . 2008-10-28 21:07 <DIR> d-------- c:\program files\Microsoft SQL Server
2008-10-28 21:04 . 2008-10-28 21:07 <DIR> d-------- c:\program files\Microsoft Visual Studio 9.0
2008-10-28 21:03 . 2008-10-28 21:03 <DIR> d-------- c:\program files\Microsoft SDKs
2008-10-28 21:02 . 2008-10-28 21:02 <DIR> d-------- c:\windows\system32\XPSViewer
2008-10-28 21:01 . 2008-10-28 21:01 <DIR> d-------- c:\program files\Reference Assemblies
2008-10-28 21:01 . 2008-07-06 07:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2008-10-28 21:01 . 2008-07-06 07:06 1,676,288 -----c--- c:\windows\system32\dllcache\xpssvcs.dll
2008-10-28 21:01 . 2008-07-06 05:50 597,504 -----c--- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2008-10-28 21:01 . 2008-07-06 07:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2008-10-28 21:01 . 2008-07-06 07:06 575,488 -----c--- c:\windows\system32\dllcache\xpsshhdr.dll
2008-10-28 21:01 . 2008-07-06 07:06 117,760 --------- c:\windows\system32\prntvpt.dll
2008-10-28 21:01 . 2008-07-06 07:06 89,088 -----c--- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2008-10-28 21:00 . 2008-11-12 03:09 <DIR> d-------- c:\windows\SxsCaPendDel
2008-10-18 14:41 . 2008-10-18 14:41 <DIR> d--hs---- c:\windows\ftpcache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 05:40 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-26 01:10 --------- d-----w c:\documents and settings\Brendan\Application Data\uTorrent
2008-11-22 20:08 --------- d-----w c:\program files\QuickTime
2008-11-22 20:07 --------- d-----w c:\program files\Apple Software Update
2008-11-22 19:58 --------- d-----w c:\program files\MSECache
2008-11-12 08:03 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-07 19:23 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 07:07 --------- d-----w c:\program files\Microsoft Silverlight
2008-09-30 02:56 --------- d-----w c:\program files\MSBuild
2008-09-30 02:56 --------- d-----w c:\program files\Microsoft Works
2008-09-30 02:52 --------- d-----w c:\program files\Microsoft Visual Studio 8
.

((((((((((((((((((((((((((((( snapshot@2008-11-30_11.15.52.35 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-30 15:48:57 226,485 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2008-11-30 21:21:46 226,489 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
- 2008-11-30 15:53:01 85,786 ----a-w c:\windows\system32\perfc009.dat
+ 2008-11-30 21:12:54 85,786 ----a-w c:\windows\system32\perfc009.dat
- 2008-11-30 15:53:01 485,906 ----a-w c:\windows\system32\perfh009.dat
+ 2008-11-30 21:12:54 485,906 ----a-w c:\windows\system32\perfh009.dat
- 2008-07-08 13:02:01 17,272 ------w c:\windows\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
+ 2008-11-30 21:21:25 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_164.dat
.
((((((((((((((((((((((((((((((((((((((( System Restore )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\avenger\iifcYQiJ.dll
2008-11-26 00:21 32768 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP651\A0058690.dll

c:\avenger\lwywfw.dll
2008-11-28 16:11 129024 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP651\A0058691.dll

c:\avenger\vvgghu.dll
2008-11-28 16:08 75776 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP651\A0058693.dll

c:\avenger\wvUmKBuU.dll
2008-11-26 00:26 318464 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP651\A0058694.dll

c:\documents and settings\Brendan\Application Data\gadcom\gadcom.exe
{EA08C926-9DBF-45C3-A844-86480350E43B}\RP650\A0058596.exe

c:\documents and settings\Brendan\Local Settings\Application Data\CyberDefender\cdinstx.exe
2008-11-26 19:29 1582408 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP650\A0058543.exe

c:\documents and settings\Brendan\Local Settings\Application Data\CyberDefender\cdmyidd.dll
2008-11-26 19:29 3958088 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP650\A0058536.dll

c:\documents and settings\Brendan\Local Settings\Application Data\Temporary Projects\WpfApplication1\bin\Debug\WpfApplication1.vshost.exe
2008-11-23 15:45 14328 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058461.exe

c:\documents and settings\Brendan\Local Settings\Application Data\Temporary Projects\WpfApplication1\bin\Release\WpfApplication1.exe
2008-11-23 16:07 8192 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058460.exe

c:\documents and settings\Brendan\Local Settings\Application Data\Temporary Projects\WpfApplication1\obj\Release\TempPE\Properties.Resources.Designer.cs.dll
2008-11-23 15:46 4608 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058459.dll

c:\documents and settings\Brendan\Local Settings\Application Data\Temporary Projects\WpfApplication1\obj\Release\WpfApplication1.exe
2008-11-23 16:07 8192 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058458.exe

2004-08-03 23:56 25600 c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2004-08-03 23:56 25600 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP568\A0052012.dll

c:\documents and settings\NetworkService\Application Data\gadcom\gadcom.exe
{EA08C926-9DBF-45C3-A844-86480350E43B}\RP650\A0058597.exe

C:\jcwg.exe
{EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058449.exe

C:\p2hhr.bat
2008-11-25 19:16 44 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP655\A0059027.bat

2008-11-18 12:35 225280 c:\program files\Alwil Software\Avast4\Aavm4h.dll
2008-03-29 13:25 212992 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058350.dll

2008-11-18 12:39 188416 c:\program files\Alwil Software\Avast4\AavmGuih.dll
2008-03-29 13:37 188416 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058351.dll

2008-11-18 12:35 20992 c:\program files\Alwil Software\Avast4\AavmRpch.dll
2008-03-29 13:25 20480 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058352.dll

2008-11-18 12:35 35840 c:\program files\Alwil Software\Avast4\AhResMai.dll
2008-03-29 13:26 35840 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058353.dll

2008-11-18 12:37 32768 c:\program files\Alwil Software\Avast4\ahResMes.dll
2008-03-29 13:29 32768 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058354.dll

2008-11-18 12:36 53248 c:\program files\Alwil Software\Avast4\AhResNS.dll
2008-03-29 13:28 31744 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058355.dll

2008-11-18 12:38 29696 c:\program files\Alwil Software\Avast4\AhResOut.dll
2008-03-29 13:36 29696 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058356.dll

2008-11-18 12:37 33280 c:\program files\Alwil Software\Avast4\ahResP2P.dll
2008-03-29 13:29 32768 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058357.dll

2008-11-18 12:39 43008 c:\program files\Alwil Software\Avast4\AhResStd.dll
2008-03-29 13:38 43008 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058358.dll

2008-11-18 12:36 53248 c:\program files\Alwil Software\Avast4\AhResWS.dll
2008-03-29 13:26 53248 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058359.dll

2008-11-18 12:38 65536 c:\program files\Alwil Software\Avast4\AhRuiMai.dll
2008-03-29 13:33 65536 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058360.dll

2008-11-18 12:37 36864 c:\program files\Alwil Software\Avast4\ahRuiMes.dll
2008-03-29 13:29 36864 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058361.dll

2008-11-18 12:36 36864 c:\program files\Alwil Software\Avast4\AhRuiNS.dll
2008-03-29 13:28 36864 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058362.dll

2008-11-18 12:38 90112 c:\program files\Alwil Software\Avast4\AhRuiOut.dll
2008-03-29 13:34 90112 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058363.dll

2008-11-18 12:37 22528 c:\program files\Alwil Software\Avast4\ahRuiP2P.dll
2008-03-29 13:28 22016 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058364.dll

2008-11-18 12:39 57344 c:\program files\Alwil Software\Avast4\AhRuiStd.dll
2008-03-29 13:38 57344 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058365.dll

2008-11-18 12:36 49152 c:\program files\Alwil Software\Avast4\AhRuiWS.dll
2008-03-29 13:29 49152 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058366.dll

2008-11-18 12:33 274640 c:\program files\Alwil Software\Avast4\ashAvast.exe
2008-03-29 13:18 271736 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058388.exe

2008-11-18 12:31 225280 c:\program files\Alwil Software\Avast4\ashBase.dll
2008-03-29 13:09 225280 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058367.dll

2008-11-18 12:34 130440 c:\program files\Alwil Software\Avast4\ashBug.exe
2008-03-29 13:19 128376 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058389.exe

2008-11-18 12:33 98304 c:\program files\Alwil Software\Avast4\ashCfgP.dll
2008-03-29 13:16 98304 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058368.dll

2008-11-18 12:33 131072 c:\program files\Alwil Software\Avast4\ashCfgT.dll
2008-03-29 13:16 135168 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058369.dll

2008-11-18 12:33 151552 c:\program files\Alwil Software\Avast4\ashChest.dll
2008-03-29 13:17 151552 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058370.dll

2008-11-18 12:34 68640 c:\program files\Alwil Software\Avast4\ashChest.exe
2008-03-29 13:19 66936 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058390.exe

2008-11-18 12:34 53792 c:\program files\Alwil Software\Avast4\ashCnsnt.exe
2008-03-29 13:19 52088 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058391.exe

2008-11-18 12:39 81000 c:\program files\Alwil Software\Avast4\ashDisp.exe
2008-03-29 13:37 79224 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058392.exe

2008-11-18 12:34 50184 c:\program files\Alwil Software\Avast4\ashLogV.exe
2008-03-29 13:18 49016 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058393.exe

2008-11-18 12:38 254040 c:\program files\Alwil Software\Avast4\ashMaiSv.exe
2008-03-29 13:36 247160 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058394.exe

2008-11-18 12:38 204600 c:\program files\Alwil Software\Avast4\ashOutXt.dll
2008-03-29 13:36 202104 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058371.dll

2008-11-18 12:39 208720 c:\program files\Alwil Software\Avast4\ashPopWz.exe
2008-03-29 13:37 206200 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058395.exe

2008-11-18 12:35 282880 c:\program files\Alwil Software\Avast4\ashQuick.exe
2008-03-29 13:22 279928 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058396.exe

2008-11-18 12:38 155160 c:\program files\Alwil Software\Avast4\ashServ.exe
2008-03-29 13:37 144760 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058397.exe

2008-03-31 16:14 80976 c:\program files\Alwil Software\Avast4\ashShA64.dll
2008-02-19 08:49 78152 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058372.dll

2008-11-18 12:35 76880 c:\program files\Alwil Software\Avast4\ashShell.dll
2008-03-29 13:22 75128 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058373.dll

2008-11-18 12:34 126320 c:\program files\Alwil Software\Avast4\ashSimp2.exe
2008-03-29 13:20 128376 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058398.exe

2008-11-18 12:35 159280 c:\program files\Alwil Software\Avast4\ashSimpl.exe
2008-03-29 13:24 157048 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058399.exe

2008-11-18 12:34 17920 c:\program files\Alwil Software\Avast4\ashSkPcc.exe
2008-03-29 13:18 18432 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058400.exe

2008-11-18 12:34 61440 c:\program files\Alwil Software\Avast4\ashSkPck.exe
2008-03-29 13:18 61440 {EA08C926-9DBF-45C3-A844-86480350E43B}\RP649\A0058401.exe

2008-11-18 12:31 53248 c:\program files\Alwil Software\Avast4\ashSODBC.dll

c:\system volume information\_r
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 2321600]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-01 7561216]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-01 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-01 696320]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"OLPSYNCH"="c:\program files\Offline Course Player\OlpSynch.exe" [2007-01-24 42544]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-18 81000]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]
"PDF3 Registry Controller"="c:\program files\ScanSoft\PDF Converter 3.0\\RegistryController.exe" [2005-04-12 106496]
"VX1000"="c:\windows\vVX1000.exe" [2006-06-29 707376]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-10-13 277296]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"nwiz"="nwiz.exe" [2006-05-01 c:\windows\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2006-05-01 c:\windows\system32\nvhotkey.dll]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 c:\windows\system32\bthprops.cpl]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 622653]
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-09 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= DivXa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2006-08-01 15:35 67112 c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeadAIM]
--a------ 2004-02-28 12:12 144896 c:\progra~1\AIM\DeadAIM.ocm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"c:\\Program Files\\Microsoft Virtual PC\\Virtual PC.exe"=
"c:\\Program Files\\mIRC\\mIRC - English.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\WinSCP\\WinSCP.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-21 110160]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-04-21 20560]
R3 NWADI;NWADI Bus Enumerator;c:\windows\system32\DRIVERS\NWADIenum.sys [2006-03-27 74752]
S4 hpt3xx;hpt3xx; []
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2005-09-23 2799808]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{545c29e4-66e1-11db-a9cd-0018de221297}]
\Shell\AutoRun\command - f:\jdsecure\Windows\JDSecure20.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6069bde5-4c32-11db-9719-c529ffafc6bc}]
\Shell\AutoRun\command - F:\LinksysConnectPC.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2007-03-23 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1166376228.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 17:56]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-30 16:21:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Cisco Systems\Vpn Client\cvpnd.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-11-30 16:29:47 - machine was rebooted [Brendan]
ComboFix-quarantined-files.txt 2008-11-30 21:29:44

Pre-Run: 34,186,121,216 bytes free
Post-Run: 34,176,761,856 bytes free

363 --- E O F --- 2008-11-30 16:41:55

#8 fenzodahl512
  • Members
  • 6,738 posts

Posted 30 November 2008 - 09:21 PM

A lot better.. Let's do an online scan to see what might be left...


Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#9 bwmfsu
  • Topic Starter
  • Members
  • 12 posts

Posted 30 November 2008 - 11:03 PM

The scan found 3 threats. Here is the log from the scan.

Thanks.

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3652 (20081130)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=62bc8ac382ec3e428be9a6032a19a872
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-12-01 03:44:52
# local_time=2008-11-30 10:44:52 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=339990
# found=3
# scan_time=3783
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentamyy.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\o255.exe.vir Win32/Agent.OMJ trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\SDFix\backups\HOSTS Win32/Qhost trojan (unable to clean - deleted) 00000000000000000000000000000000

#10 fenzodahl512
  • Members
  • 6,738 posts

Posted 30 November 2008 - 11:24 PM

Well, that threat came from the quarantine folder, that should be ok..

How is your computer now? :thumbsup:


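fenzodahl512's point above, that detections sitting inside the quarantine and backup folders of ComboFix (C:\Qoobox), SDFix and Spybot are re-detections of files already neutralised rather than live infections, can be turned into a small triage check. This is an added example, not code from the thread or from ESET; it assumes the ESET log layout shown above (`# key=value` header lines, then `<path> <threat> (<action>) <32-hex id>` per detection), and the fourth detection line in the sample is constructed.

```python
"""Triage an ESET Online Scanner log: split detections found inside the
quarantine/backup folders of removal tools (expected: the file was already
neutralised) from detections on live paths that still need follow-up.

Added example; not code from the BleepingComputer thread or from ESET.
"""
import re
from dataclasses import dataclass

# Quarantine / backup locations written by the removal tools used in the
# thread (ComboFix -> C:\Qoobox, SDFix -> C:\SDFix\backups, Spybot S&D ->
# its Recovery folder). Compared case-insensitively, with a trailing
# backslash so that e.g. "C:\SDFixer\..." does not match "C:\SDFix\...".
QUARANTINE_PREFIXES = (
    "c:\\qoobox\\quarantine\\",
    "c:\\sdfix\\backups\\",
    "c:\\documents and settings\\all users\\application data\\"
    "spybot - search & destroy\\recovery\\",
)

# Detection line: path (may contain spaces), threat name (first token with a
# '/' platform separator such as Win32/..., optionally prefixed by
# "a variant of"), action in parentheses, then a 32-hex identifier.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<threat>(?:probably )?(?:a variant of )?\S+/\S+(?: \S+)*?)\s+"
    r"\((?P<action>[^)]*)\)\s+"
    r"(?P<id>[0-9A-Fa-f]{32})$"
)


@dataclass
class Detection:
    path: str
    threat: str
    action: str
    in_quarantine: bool


def classify_path(path: str) -> bool:
    """True when the path lies under a known quarantine/backup folder."""
    p = path.lower()
    return any(p.startswith(prefix) for prefix in QUARANTINE_PREFIXES)


def parse_eset_log(text: str):
    """Return (header dict, list of Detection). Raises ValueError on an
    unrecognised line or when the detection count disagrees with found=."""
    header = {}
    detections = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            header[key.strip()] = value.strip()
            continue
        m = DETECTION_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised log line: {line!r}")
        detections.append(Detection(
            path=m["path"], threat=m["threat"], action=m["action"],
            in_quarantine=classify_path(m["path"]),
        ))
    if "found" in header and int(header["found"]) != len(detections):
        raise ValueError(f"header says found={header['found']}, "
                         f"but {len(detections)} detection lines were parsed")
    return header, detections


def triage(detections):
    """Split detections into those already neutralised by another tool's
    quarantine (expected) and those on live paths (need follow-up)."""
    return {
        "quarantined": [d for d in detections if d.in_quarantine],
        "live": [d for d in detections if not d.in_quarantine],
    }


# Constructed sample log (header trimmed). The first three detection lines
# are the ones posted in the thread; the fourth is made up to show a
# detection on a live path that would need follow-up.
SAMPLE_LOG = r"""
# version=4
# found=4
# remove_checked=true
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentamyy.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\o255.exe.vir Win32/Agent.OMJ trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\SDFix\backups\HOSTS Win32/Qhost trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\EXAMPLE_live.dll a variant of Win32/Example.A trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000
"""


def triage_sample():
    """Parse and triage the constructed sample log."""
    _header, detections = parse_eset_log(SAMPLE_LOG)
    return triage(detections)


if __name__ == "__main__":
    result = triage_sample()
    for d in result["quarantined"]:
        print(f"expected  : {d.threat:<35} {d.path}")
    for d in result["live"]:
        print(f"FOLLOW-UP : {d.threat:<35} {d.path}")
```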

#11 bwmfsu
  • Topic Starter
  • Members
  • 12 posts

Posted 01 December 2008 - 08:42 AM

It seems to be running fine now. Since the last set of steps I haven't had any problems with redirects, or had unknown services running.

Would I be able to remove all of the applications that I installed to remove the malware or will they have to stay installed since some of the applications have quarantined files that were infected?

Also, I have been using Avast as my anti-virus but I am thinking about switching to an anti-virus that will be a little more proactive in finding infected files. Do you have any suggestions?

Thanks again for all of your help. In the past I have been able to troubleshoot my way out of spyware but this time my machine became too infected for me to know what to do with it.

#12 fenzodahl512
  • Members
  • 6,738 posts

Posted 01 December 2008 - 05:50 PM

Would I be able to remove all of the applications that I installed to remove the malware or will they have to stay installed since some of the applications have quarantined files that were infected?


We're gonna remove all unneeded things in the next step..


Also, I have been using Avast as my anti-virus but I am thinking about switching to an anti-virus that will be a little more proactive in finding infected files. Do you have any suggestions?


Avast! is good.. Actually it is really up to us on how safe we are on the internet..


Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
    Please note that the space between combofix and /u is needed


Lastly, to keep your operating system up to date please visit the link below monthly.
Please read these excellent articles by miekiemoes:
Help! My computer is slow!
How to prevent Malware

And another excellent article by CastleCops Malware Prevention: Prevent Re-infection

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :thumbsup:



Have a safe and happy computing day!


Regards
fenzodahl512



#13 bwmfsu
  • Topic Starter
  • Members
  • 12 posts

Posted 01 December 2008 - 06:00 PM

The computer is running fine now. It is back to its normal processing speed and I have not been redirected to any sites.

Avast! is good.. Actually it is really up to us on how safe we are on the internet..


I know this. I was the cause of my malware infection. I actually bypassed Avast to install something... but believe me I won't second guess the validity of an anti-virus application ever again.

Thanks for all of the help. You were very knowledgeable and speedy at helping to diagnose and fix my issue.

#14 fenzodahl512
  • Members
  • 6,738 posts

Posted 01 December 2008 - 07:02 PM

You are very welcome, I'm glad that we could help.

I will now close this topic. If you need this topic to be re-opened, please pm me or a Moderator regarding the matter..

If you have any new malware related questions or issues in the future please start a new topic.

Cheers and Happy Computing !

fenzodahl512
