
Multiple virus help needed - vundo.h, vundo, trojan.agent


This topic is locked
6 replies to this topic

#1 ShawnSPH
Posted 04 January 2009 - 11:17 PM

Hi. I'm having problems with multiple virus/malware infections. My computer is running very slow at times, and I'm also limited as to what I can do at times. For example, yesterday I couldn't click on any programs on my Start list until I restarted my computer. I've uploaded the attach.txt file as well as my most recent log files from Malwarebytes' Anti-Malware and HijackThis. Thank you very much for your help. Please let me know if there is any more info needed from me. Take care, Shawn


DDS (Version 1.1.0) - NTFSx86
Run by Home at 19:51:21.19 on Sun 01/04/2009
Internet Explorer: 7.0.5730.13

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/?src=aim
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uURLSearchHooks: H - No File
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\wmsdkns.exe,
BHO: {0a935262-9b91-4352-9c18-d679a63c682b} - c:\windows\system32\yatumeva.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.5\NppBho.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\2.1.1119.1736\swg.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.5\UIBHO.dll
TB: Google Web Accelerator: {db87bfa2-a2e3-451e-8e5a-c89982d87cbf} - c:\program files\google\web accelerator\GoogleWebAccToolbar.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [Google Update] "c:\documents and settings\home\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [Media Codec Update Service] c:\program files\essentials codec pack\update.exe -silent
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Corel Photo Downloader] "c:\program files\common files\corel\corel photodownloader\Corel Photo Downloader.exe" -startup
mRun: [niyugimina] Rundll32.exe "c:\windows\system32\kisoyama.dll",s
mRun: [bc61e8cd] rundll32.exe "c:\windows\system32\wurigizu.dll",b
mRun: [CPMbf52db51] Rundll32.exe "c:\windows\system32\werihova.dll",a
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: ebay.com\research
Trusted Zone: paypal.com\www
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\dpuguit11.dll avgrsstx.dll evshea.dll tlgztk.dll c:\windows\system32\lesatuho.dll c:\windows\system32\werihova.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\werihova.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\werihova.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
LSA: Notification Packages = scecli c:\windows\system32\lesatuho.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\home\applic~1\mozilla\firefox\profiles\3a3y7jd1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\google\web accelerator\firefox\components\GoogleWebAccFirefox.dll
FF - component: c:\program files\mozilla firefox\components\msvcrj71.dll
FF - plugin: c:\program files\mozilla firefox 3 beta 5\plugins\npCtxCAOHF425.dll
FF - plugin: c:\program files\mozilla firefox 3 beta 5\plugins\npdivx32.dll
FF - plugin: c:\program files\mozilla firefox 3 beta 5\plugins\npDivxPlayerPlugin.dll
FF - plugin: c:\program files\mozilla firefox 3 beta 5\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox 3 beta 5\plugins\npnul32.dll
FF - plugin: c:\program files\mozilla firefox 3 beta 5\plugins\NPOFF12.DLL
FF - plugin: c:\program files\mozilla firefox 3 beta 5\plugins\nppdf32.dll
FF - plugin: c:\program files\mozilla firefox 3 beta 5\plugins\npyaxmpb.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300

FF - user.js: browser.sessionstore.resume_from_crash - false

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-01-04 11:14 1,262,075 ---sh--- c:\windows\system32\uzigiruw.ini
2009-01-03 23:14 1,262,093 ---sh--- c:\windows\system32\unusagib.ini
2009-01-03 11:14 1,262,093 ---sh--- c:\windows\system32\ezopotaf.ini
2009-01-02 11:14 3,850 ---sh--- c:\windows\system32\gazibifu.exe
2009-01-01 11:10 1,262,075 ---sh--- c:\windows\system32\akozotid.ini
2008-12-31 23:10 1,262,075 ---sh--- c:\windows\system32\apemover.ini
2008-12-31 11:09 1,262,075 ---sh--- c:\windows\system32\isoriyof.ini
2008-12-30 23:09 1,262,075 ---sh--- c:\windows\system32\usowaveb.ini
2008-12-27 23:27 61,440 a------- c:\windows\system32\drivers\wkist.sys
2008-12-27 09:16 <DIR> --d----- C:\!KillBox
2008-12-27 09:07 <DIR> --d----- c:\program files\Trend Micro
2008-12-27 08:50 <DIR> --d----- c:\docume~1\home\applic~1\Malwarebytes
2008-12-27 08:50 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-27 08:50 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-27 08:50 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-27 08:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-27 00:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SecTaskMan
2008-12-27 00:34 <DIR> --d----- c:\program files\Security Task Manager
2008-12-25 15:17 <DIR> --d----- c:\program files\Smartparts
2008-12-13 16:23 <DIR> --d----- C:\2008-12-13
2008-12-13 16:23 <DIR> --d----- C:\Hanson Quarry

==================== Find3M ====================

2009-01-04 11:14 102,025 a--sh--- c:\windows\system32\werihova.dll
2009-01-04 11:14 92,269 a--sh--- c:\windows\system32\wurigizu.dll
2009-01-03 23:14 102,492 a--sh--- c:\windows\system32\kinotava.dll
2009-01-03 23:14 92,403 -------- c:\windows\system32\bigasunu.dll
2009-01-03 11:14 102,678 a--sh--- c:\windows\system32\zukenezo.dll
2009-01-03 11:14 92,375 -------- c:\windows\system32\fatopoze.dll
2009-01-02 23:13 104,036 a--sh--- c:\windows\system32\logoviko.dll
2009-01-02 23:13 66,164 a--sh--- c:\windows\system32\dawopami.dll
2009-01-01 11:10 95,962 a--sh--- c:\windows\system32\wibayoja.dll
2008-12-30 11:09 97,961 a--sh--- c:\windows\system32\yibuleko.dll
2008-12-04 23:08 304,957 a------- C:\hjsplit.zip
2008-12-01 15:19 3,852,560 a------- C:\PHP-Nuke-6.0.zip
2008-11-30 18:07 291,648 a------- C:\gbtop4.8-1.zip
2008-11-30 14:13 1,697,280 a------- c:\docume~1\home\applic~1\KaspAVP.exe
2008-11-29 20:08 197,965 a------- c:\windows\CoffeeCup Visual Site Designer Uninstaller.exe
2008-11-05 14:12 10,520 a------- c:\windows\system32\avgrsstx.dll
2008-11-04 14:10 225 a------- c:\docume~1\home\applic~1\shedl.bat
2008-11-04 14:09 1,697,280 a------- c:\docume~1\home\applic~1\winavp3.exe
2008-11-04 14:09 1,697,280 a------- c:\docume~1\home\applic~1\winavp.exe
2008-11-04 14:09 1,695,744 a------- c:\docume~1\home\applic~1\NTuser3.exe
2008-11-04 14:08 1,695,744 a------- c:\docume~1\home\applic~1\NTuser.exe
2008-10-23 05:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-22 15:09 182,928 a------- c:\windows\system32\PnkBstrB.exe
2008-10-16 12:38 826,368 a------- c:\windows\system32\wininet.dll
2008-06-02 19:26 13 ----h--- c:\docume~1\alluse~1\applic~1\Λ3113.sys
2007-12-17 17:23 1,136,640 a------- c:\program files\common files\ewutils2.dll
2002-07-31 19:55 252 ---sh--- c:\windows\WSYS049.SYS
2008-05-17 04:57 952 a--sh--- c:\windows\system32\KGyGaAvL.sys
0000-00-00 00:00 66,164 a--sh--- c:\windows\system32\kisoyama.dll
0000-00-00 00:00 66,164 a--sh--- c:\windows\system32\lesatuho.dll
0000-00-00 00:00 66,164 a--sh--- c:\windows\system32\yatumeva.dll
2008-05-27 07:33 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2008-05-27 07:33 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2008-05-27 07:33 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 19:53:11.86 ===============
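The DDS log above is what a removal helper actually reads. The telltale Vundo entries are the extra loader appended to the Winlogon Userinit line, the random-named system32 DLLs loaded through rundll32 with a one-letter export, the AppInit_DLLs and LSA Notification Packages entries, and the fact that those same DLLs show up in the file listing as system+hidden or with a zeroed timestamp. The script below is an added example (not a BleepingComputer or DDS tool) that encodes those checks and runs them over a constructed excerpt of the posted log. The rule names, the severities and the "system+hidden or zeroed timestamp" heuristic are my own choices; the only log format assumed is the one visible above (DDS's eight-character attribute string and its `uRun:`/`mRun:`/`BHO:` prefixes).

```python
"""Triage a DDS "Pseudo HJT Report" for Vundo-style load points. Added example,
not a BleepingComputer or DDS tool. Pass 1 collects file metadata from the
"Created Last 30"/"Find3M" sections; pass 2 walks the autostart lines and
cross-checks every binary they reference against that metadata."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity rule detail")

# Listing line: "2009-01-04 11:14 102,025 a--sh--- c:\windows\system32\werihova.dll"
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+([a-z-]{8})\s+(.+)$", re.I)
# Absolute path to a PE or driver file anywhere on a line (spaces allowed)
PATH_REF = re.compile(r'[a-z]:\\[^":,;]+?\.(?:dll|exe|sys)\b', re.I)
# rundll32 loading a DLL and calling a one-letter export: "...\kisoyama.dll",s
RUNDLL_ONE_LETTER = re.compile(r'rundll32(?:\.exe)?\s+"?[^",]+?"?,[a-z]\b', re.I)
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"
DEFAULT_LSA_PACKAGES = {"scecli"}
SYSTEM32 = "c:\\windows\\system32\\"


def collect_files(lines):
    """lower-cased path -> (timestamp, attribute string) from the listing sections"""
    files = {}
    for line in lines:
        m = FILE_LINE.match(line.strip())
        if m:
            stamp, _size, attrs, path = m.groups()
            files[path.strip().lower()] = (stamp, attrs.lower())
    return files


def file_oddity(files, path):
    """Why a referenced file looks planted, or None if it looks ordinary."""
    meta = files.get(path.lower())
    if meta is None:
        return None
    stamp, attrs = meta
    if "s" in attrs and "h" in attrs:       # system+hidden on a loader DLL
        return "hidden+system attributes (%s)" % attrs
    if stamp.startswith("0000-00-00"):      # timestamp wiped
        return "zeroed timestamp"
    return None


def triage(log_text):
    lines = log_text.splitlines()
    files = collect_files(lines)
    findings, seen = [], set()

    def add(severity, rule, detail):
        if (rule, detail) not in seen:      # one finding per (rule, target)
            seen.add((rule, detail))
            findings.append(Finding(severity, rule, detail))

    for raw in lines:
        line = raw.strip()
        low = line.lower()
        if low.startswith("mwinlogon: userinit="):
            # only userinit.exe belongs here; Vundo appends its own loader
            for entry in line.split("=", 1)[1].split(","):
                entry = entry.strip().lower()
                if entry and entry != DEFAULT_USERINIT:
                    add("high", "userinit-hijack", entry)
        elif low.startswith("appinit_dlls:"):
            # injected into every process that loads user32; AV products use
            # this too, so each entry is marked for review, not condemned
            for name in line.split(":", 1)[1].split():
                path = name if "\\" in name else SYSTEM32 + name
                add("review", "appinit-dll", path.lower())
        elif low.startswith("lsa: notification packages"):
            # anything beyond scecli is loaded into lsass.exe at boot
            for pkg in line.split("=", 1)[1].split():
                if pkg.lower() not in DEFAULT_LSA_PACKAGES:
                    add("high", "lsa-notification-package", pkg.lower())
        elif low.startswith(("urun:", "mrun:")) and RUNDLL_ONE_LETTER.search(line):
            add("high", "rundll32-one-letter-export", line)
        if not FILE_LINE.match(line):       # skip the listing lines themselves
            for path in PATH_REF.findall(line):
                why = file_oddity(files, path)
                if why:
                    add("medium", "autostart-hidden-binary", "%s: %s" % (path.lower(), why))
    return findings


# Constructed excerpt of the DDS log posted above (benign lines kept for contrast)
SAMPLE_LOG = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\wmsdkns.exe,
BHO: {0a935262-9b91-4352-9c18-d679a63c682b} - c:\windows\system32\yatumeva.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [niyugimina] Rundll32.exe "c:\windows\system32\kisoyama.dll",s
AppInit_DLLs: c:\windows\system32\dpuguit11.dll avgrsstx.dll evshea.dll tlgztk.dll c:\windows\system32\lesatuho.dll c:\windows\system32\werihova.dll
LSA: Notification Packages = scecli c:\windows\system32\lesatuho.dll
2009-01-04 11:14 102,025 a--sh--- c:\windows\system32\werihova.dll
2008-11-05 14:12 10,520 a------- c:\windows\system32\avgrsstx.dll
0000-00-00 00:00 66,164 a--sh--- c:\windows\system32\kisoyama.dll
0000-00-00 00:00 66,164 a--sh--- c:\windows\system32\lesatuho.dll
0000-00-00 00:00 66,164 a--sh--- c:\windows\system32\yatumeva.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-6s %-28s %s" % (f.severity, f.rule, f.detail))
```

Run as a script it prints one line per finding. AppInit_DLLs entries are deliberately graded "review" rather than "high" because avgrsstx.dll on that same line is AVG's own hook; the cross-check against the file listing (system+hidden attributes, zeroed timestamp) is what separates lesatuho.dll and werihova.dll from it.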


#2 fenzodahl512
Posted 05 January 2009 - 02:55 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. Please visit HERE if you don't know how. Please re-enable them after performing all of the steps given.

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click combofix.exe and follow the prompts. Please never rename ComboFix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so. It will be in your best interest.

When finished, it will produce a log for you. Post that log and a fresh HijackThis log in your next reply.

Note: DO NOT mouse-click ComboFix's window while it's running. That may cause it to stall.



#3 ShawnSPH
Posted 05 January 2009 - 01:45 PM

Hi. Thanks for the quick response. Here is the ComboFix log along with the fresh HijackThis log...

ComboFix 09-01-05.02 - Home 2009-01-05 9:53:14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1110 [GMT -8:00]
Running from: c:\documents and settings\Home\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Home\Application Data\NTuser3.exe
c:\documents and settings\Home\Application Data\winavp3.exe
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\mainms.vpi
c:\windows\megavid.cdt
c:\windows\muotr.so
c:\windows\system32\akozotid.ini
c:\windows\system32\apemover.ini
c:\windows\system32\bedokelo.dll
c:\windows\system32\isoriyof.ini
c:\windows\system32\kinotava.dll
c:\windows\system32\kuhayeku.dll
c:\windows\system32\logoviko.dll
c:\windows\system32\ukeyahuk.ini
c:\windows\system32\usowaveb.ini
c:\windows\system32\wibayoja.dll
c:\windows\system32\yibuleko.dll
c:\windows\system32\zukenezo.dll
G:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://77.74.48.101
.
((((((((((((((((((((((((( Files Created from 2008-12-05 to 2009-01-05 )))))))))))))))))))))))))))))))
.

2009-01-02 11:14 . 2009-01-02 11:14 3,850 ---hs---- c:\windows\system32\gazibifu.exe
2008-12-27 23:27 . 2008-12-27 23:27 61,440 --a------ c:\windows\system32\drivers\wkist.sys
2008-12-27 09:16 . 2008-12-27 09:16 <DIR> d-------- C:\!KillBox
2008-12-27 09:07 . 2008-12-27 09:07 <DIR> d-------- c:\program files\Trend Micro
2008-12-27 08:50 . 2008-12-27 08:50 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-27 08:50 . 2008-12-27 08:50 <DIR> d-------- c:\documents and settings\Home\Application Data\Malwarebytes
2008-12-27 08:50 . 2008-12-27 08:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-27 08:50 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-27 08:50 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-27 00:35 . 2009-01-03 08:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\SecTaskMan
2008-12-27 00:34 . 2008-12-27 00:34 <DIR> d-------- c:\program files\Security Task Manager
2008-12-26 17:17 . 2008-12-26 17:17 <DIR> d-------- c:\documents and settings\Administrator.COMPUTER-B2A67D\Application Data\Nero
2008-12-25 15:17 . 2008-12-25 15:17 <DIR> d-------- c:\program files\Smartparts
2008-12-13 16:23 . 2008-12-13 16:23 <DIR> d-------- C:\Hanson Quarry
2008-12-13 16:23 . 2008-12-23 18:05 <DIR> d-------- C:\2008-12-13
2008-12-05 08:02 . 2008-12-05 08:02 <DIR> d-------- c:\program files\Common Files\Software Update Utility
2008-12-05 08:02 . 2008-12-05 08:02 <DIR> d-------- c:\program files\AIM Toolbar
2008-12-05 08:02 . 2008-12-05 08:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\AIM Toolbar
2008-12-05 08:02 . 2008-12-05 08:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2008-12-05 08:01 . 2008-12-05 08:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL Downloads

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-05 17:58 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-05 17:58 --------- d-----w c:\documents and settings\Home\Application Data\LimeWire
2009-01-05 07:35 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-01-05 02:44 --------- d-----w c:\program files\LimeWire
2009-01-05 02:19 --------- d-----w c:\program files\Sportsbook Poker
2009-01-03 16:22 --------- d-----w c:\documents and settings\Home\Application Data\NewsBin
2008-12-07 02:18 --------- d-----w c:\program files\WarRock
2008-12-05 16:02 --------- d-----w c:\program files\AIM6
2008-12-05 07:08 304,957 ----a-w C:\hjsplit.zip
2008-12-05 07:01 --------- d-----w c:\program files\MasterSplitter
2008-12-04 06:37 --------- d-----w c:\documents and settings\Home\Application Data\FileZilla
2008-12-03 08:37 --------- d-----w c:\documents and settings\Home\Application Data\Apple Computer
2008-12-03 08:35 --------- d-----w c:\program files\iTunes
2008-12-03 08:35 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-03 08:34 --------- d-----w c:\program files\iPod
2008-12-03 08:34 --------- d-----w c:\program files\Common Files\Apple
2008-12-03 08:34 --------- d-----w c:\program files\Bonjour
2008-12-03 08:34 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-03 08:33 --------- d-----w c:\program files\QuickTime
2008-12-03 08:32 --------- d-----w c:\program files\Apple Software Update
2008-12-03 08:32 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-12-01 23:19 3,852,560 ----a-w C:\PHP-Nuke-6.0.zip
2008-12-01 02:07 291,648 ----a-w C:\gbtop4.8-1.zip
2008-12-01 01:59 --------- d-----w c:\program files\FileZilla FTP Client
2008-12-01 00:10 --------- d-----w c:\documents and settings\Home\Application Data\CoffeeCup Software
2008-11-30 22:13 1,697,280 ----a-w c:\documents and settings\Home\Application Data\KaspAVP.exe
2008-11-30 04:14 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-30 04:14 --------- d-----w c:\program files\CoffeeCup Software
2008-11-30 04:11 --------- d-----w c:\program files\Applet Effects Factory
2008-11-30 04:08 197,965 ----a-w c:\windows\CoffeeCup Visual Site Designer Uninstaller.exe
2008-11-30 03:46 --------- d-----w c:\documents and settings\Home\Application Data\Likno
2008-11-30 02:08 --------- d-----w c:\program files\Web CEO
2008-11-21 22:18 --------- d-----w c:\documents and settings\Home\Application Data\cronometer
2008-11-21 22:17 --------- d-----w c:\program files\CRON-O-METER
2008-11-18 07:05 --------- d-----w c:\program files\AllWebMenus5
2008-11-18 07:05 --------- d-----w c:\documents and settings\All Users\Application Data\Tarma Installer
2008-11-17 04:20 --------- d-----w c:\program files\Xpress Software
2008-11-17 04:17 --------- d-----w c:\program files\ShopFactory V6
2008-11-17 04:15 --------- d-----w c:\program files\SEO Report
2008-11-17 04:14 --------- d-----w c:\program files\SEO GodFather
2008-11-17 04:14 --------- d-----w c:\program files\Search Engine Composer
2008-11-17 04:13 --------- d-----w c:\program files\PokerStars
2008-11-17 04:12 --------- d-----w c:\program files\PayPal Shop Maker 3
2008-11-17 04:12 --------- d-----w c:\program files\Page Generator
2008-11-17 04:06 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-17 04:06 --------- d-----w c:\program files\Keyword Extreme
2008-11-17 04:05 --------- d-----w c:\program files\iMapBuilder
2008-11-17 04:05 --------- d-----w c:\program files\Flash Website Design
2008-11-17 04:05 --------- d-----w c:\program files\Flash Effect Maker
2008-11-17 04:00 --------- d-----w c:\program files\Synonymizer
2008-11-17 04:00 --------- d-----w c:\program files\Classified Ad Posting Utility
2008-11-17 03:39 --------- d-----w c:\program files\AffiliateToolBoxCreator
2008-11-17 03:23 --------- d-----w c:\program files\3D Home Architect
2008-11-14 21:39 --------- d-----w c:\documents and settings\Home\Application Data\ImgBurn
2008-11-14 20:28 --------- d-----w c:\program files\ImgBurn
2008-11-14 17:58 --------- d-----w c:\program files\QuickPar
2008-11-07 22:20 --------- d-----w c:\program files\Ateksoft
2008-11-07 22:13 --------- d-----w c:\program files\Mobiola Web Camera for Windows Mobile
2008-11-06 17:44 --------- d-----w c:\program files\PowerISO
2008-11-05 22:12 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
2008-11-05 22:12 --------- d-----w c:\program files\AVG
2008-11-05 22:12 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-11-05 20:29 --------- d-----w c:\program files\BBDBViewerPlus
2008-11-05 19:39 --------- d-----w c:\program files\Ultra Mobile 3GP Video Converter
2008-11-05 19:23 --------- d-----w c:\program files\Microsoft ActiveSync
2008-11-04 22:10 225 ----a-w c:\documents and settings\Home\Application Data\shedl.bat
2008-11-04 22:09 1,697,280 ----a-w c:\documents and settings\Home\Application Data\winavp.exe
2008-11-04 22:08 1,695,744 ----a-w c:\documents and settings\Home\Application Data\NTuser.exe
2008-06-03 03:26 13 ---h--w c:\documents and settings\All Users\Application Data\Λ3113.sys
2007-12-18 01:23 1,136,640 ----a-w c:\program files\Common Files\ewutils2.dll
2008-12-25 09:38 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-25 09:38 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-05-01 11:17 192,512 ----a-w c:\program files\mozilla firefox\components\msvcrj71.dll
2008-12-25 09:38 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-25 09:38 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-25 09:38 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-05-17 12:57 952 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"Google Update"="c:\documents and settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-06 133104]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 115816]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-01-13 771704]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"Media Codec Update Service"="c:\program files\Essentials Codec Pack\update.exe" [2007-04-08 303104]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-06-16 167936]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-08-28 531272]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2007-04-04 c:\windows\SkyTel.exe]

c:\documents and settings\Home\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-02-08 147456]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Free WebSite Tools.lnk - c:\program files\CoffeeCup Software\CoffeeCup Free DHTML Menu Builder\ThirtyDayTimer.exe [2008-11-29 372224]
Run Google Web Accelerator.lnk - c:\program files\Google\Web Accelerator\GoogleWebAccWarden.exe [2008-06-06 1134592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.xvid"= xvid.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\windows\system32\lesatuho.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KmReg]
@="Event log"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NtLclIpc]
@="Event log"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Scprtn]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Aim6"="c:\program files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_04\bin\jusched.exe"
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
"ysicp"=c:\program files\Instant Color Picker\icp.exe
"CanonMyPrinter"=c:\program files\Canon\MyPrinter\BJMyPrt.exe /logon
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
"StartCCC"=c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\IBP 9\\IBP.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-05 97928]
R1 KmReg;System kernel configuration;c:\windows\system32\ansiox.sys [2008-05-27 38784]
R1 NtLclIpc;Remote Procedure Call RT4s;c:\windows\system32\ansio.sys [2008-05-27 122112]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2008-04-16 39424]
R3 AteksoftAudio;WebCamera Plus Audio;c:\windows\system32\drivers\ateksoftaudio.sys [2008-11-07 11776]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-04-22 109616]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-05 231704]
R4 HPWJAUpdateService;HP WJA Update Service;c:\program files\Common Files\Hewlett-Packard\WJA Update Service\HPWJAUpdateService.exe [2008-05-29 20480]
R4 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2008-05-28 14976]
R4 Scprtn;System kernel integrity service;c:\windows\system32\svchostn.exe [2008-05-27 167936]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-04-15 24652]
R4 Webcamera Plus Service;Webcamera Plus Service;c:\program files\Ateksoft\WebCamera Plus\WebCamPlusSrv.exe [2008-11-07 46592]
S4 AutoExNT;AutoExNT;c:\windows\system32\Autoexnt.exe [2008-06-14 5904]
S4 PHPGeekUtil;PHPGeekUtil;c:\apache\Apache.exe [2002-01-24 20480]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0a422612-21df-11dd-a52d-001e8c6c7f58}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-01-03 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-08-02 18:35]

2008-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-1965331169-839522115-1003.job
- c:\documents and settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-06 11:18]

2008-12-30 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Home.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-01-13 17:09]

2009-01-05 c:\windows\Tasks\qnfonxms.job
- c:\windows\system32\rundll32.exe [2004-08-10 04:00]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)
BHO-{0a935262-9b91-4352-9c18-d679a63c682b} - c:\windows\system32\yatumeva.dll
HKLM-Run-niyugimina - c:\windows\system32\kisoyama.dll
Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/?src=aim
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: research.ebay.com
Trusted Zone: www.paypal.com
FF - ProfilePath - c:\documents and settings\Home\Application Data\Mozilla\Firefox\Profiles\3a3y7jd1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Google\Web Accelerator\firefox\components\GoogleWebAccFirefox.dll
FF - component: c:\program files\Mozilla Firefox\components\msvcrj71.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - plugin: c:\program files\Mozilla Firefox 3 Beta 5\plugins\npCtxCAOHF425.dll
FF - plugin: c:\program files\Mozilla Firefox 3 Beta 5\plugins\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox 3 Beta 5\plugins\npDivxPlayerPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox 3 Beta 5\plugins\npicaN.dll
FF - plugin: c:\program files\Mozilla Firefox 3 Beta 5\plugins\npnul32.dll
FF - plugin: c:\program files\Mozilla Firefox 3 Beta 5\plugins\NPOFF12.DLL
FF - plugin: c:\program files\Mozilla Firefox 3 Beta 5\plugins\nppdf32.dll
FF - plugin: c:\program files\Mozilla Firefox 3 Beta 5\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300

FF - user.js: browser.sessionstore.resume_from_crash - false
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-05 09:58:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(804)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PSIService.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\AIM6\aolsoftware.exe
c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
c:\program files\Symantec\LiveUpdate\AUPDATE.EXE
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
.
**************************************************************************
.
Completion time: 2009-01-05 10:05:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-05 18:03:59

Pre-Run: 241,510,780,928 bytes free
Post-Run: 242,151,555,072 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /TUTag=736G1Z /Kernel=TUKernel.exe
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition (TuneUp Backup)" /noexecute=optin /fastdetect /TUTag=736G1Z-BAK

344 --- E O F --- 2008-12-14 04:33:11

HIJACK THIS LOG DONE RIGHT AFTER RESTART...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:44:54 AM, on 1/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchostn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Hewlett-Packard\WJA Update Service\HPWJAUpdateService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Ateksoft\WebCamera Plus\WebCamPlusSrv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O15 - Trusted Zone: http://research.ebay.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://www.yougamers.com/systeminfo/MSC3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AutoExNT - Unknown owner - C:\WINDOWS\system32\AutoExNT.Exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WJA Update Service (HPWJAUpdateService) - Unknown owner - C:\Program Files\Common Files\Hewlett-Packard\WJA Update Service\HPWJAUpdateService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PHPGeekUtil - Unknown owner - c:\apache\APACHE.EXE
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: System kernel integrity service (Scprtn) - SearchHelp, Inc. - C:\WINDOWS\system32\svchostn.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webcamera Plus Service - Ateksoft Company Ltd. - C:\Program Files\Ateksoft\WebCamera Plus\WebCamPlusSrv.exe

--
End of file - 11949 bytes

#4 fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:05:05 AM

Posted 05 January 2009 - 02:00 PM

Please uninstall Viewpoint from your computer..
Please show hidden files and folders
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box at the top of the page:
    • c:\windows\system32\drivers\wkist.sys
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
If the VirScan.org server is too busy, please submit the file to VirusTotal instead.

NEXT

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
Scprtn

File::
c:\windows\system32\gazibifu.exe
c:\windows\system32\lesatuho.dll
c:\windows\system32\svchostn.exe
c:\windows\Tasks\qnfonxms.job

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Animation: dragging CFScript.txt onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • VirScan.org
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#5 ShawnSPH

  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:05 PM

Posted 05 January 2009 - 04:34 PM

ok.... Here's what I'm coming up with...

Combofix log
-----------------
ComboFix 09-01-05.02 - Home 2009-01-05 12:03:48.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1281 [GMT -8:00]
Running from: c:\documents and settings\Home\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Home\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: Norton Internet Security *On-access scanning disabled* (Outdated)
FW: Norton Internet Security *enabled*
* Created a new restore point

FILE ::
c:\windows\system32\gazibifu.exe
c:\windows\system32\lesatuho.dll
c:\windows\system32\svchostn.exe
c:\windows\Tasks\qnfonxms.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\gazibifu.exe
c:\windows\system32\svchostn.exe
c:\windows\Tasks\qnfonxms.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SCPRTN
-------\Service_Scprtn


((((((((((((((((((((((((( Files Created from 2008-12-05 to 2009-01-05 )))))))))))))))))))))))))))))))
.

2008-12-27 23:27 . 2008-12-27 23:27 61,440 --a------ c:\windows\system32\drivers\wkist.sys
2008-12-27 09:16 . 2008-12-27 09:16 <DIR> d-------- C:\!KillBox
2008-12-27 09:07 . 2008-12-27 09:07 <DIR> d-------- c:\program files\Trend Micro
2008-12-27 08:50 . 2008-12-27 08:50 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-27 08:50 . 2008-12-27 08:50 <DIR> d-------- c:\documents and settings\Home\Application Data\Malwarebytes
2008-12-27 08:50 . 2008-12-27 08:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-27 08:50 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-27 08:50 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-27 00:35 . 2009-01-03 08:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\SecTaskMan
2008-12-27 00:34 . 2008-12-27 00:34 <DIR> d-------- c:\program files\Security Task Manager
2008-12-26 17:17 . 2008-12-26 17:17 <DIR> d-------- c:\documents and settings\Administrator.COMPUTER-B2A67D\Application Data\Nero
2008-12-25 15:17 . 2008-12-25 15:17 <DIR> d-------- c:\program files\Smartparts
2008-12-13 16:23 . 2008-12-13 16:23 <DIR> d-------- C:\Hanson Quarry
2008-12-13 16:23 . 2008-12-23 18:05 <DIR> d-------- C:\2008-12-13
2008-12-05 08:02 . 2008-12-05 08:02 <DIR> d-------- c:\program files\Common Files\Software Update Utility
2008-12-05 08:02 . 2008-12-05 08:02 <DIR> d-------- c:\program files\AIM Toolbar
2008-12-05 08:02 . 2008-12-05 08:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\AIM Toolbar
2008-12-05 08:02 . 2008-12-05 08:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2008-12-05 08:01 . 2008-12-05 08:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL Downloads

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-05 20:11 --------- d-----w c:\documents and settings\Home\Application Data\LimeWire
2009-01-05 20:06 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-05 20:01 --------- d-----w c:\documents and settings\Home\Application Data\NewsBin
2009-01-05 19:52 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-01-05 07:35 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-01-05 02:44 --------- d-----w c:\program files\LimeWire
2009-01-05 02:19 --------- d-----w c:\program files\Sportsbook Poker
2008-12-07 02:18 --------- d-----w c:\program files\WarRock
2008-12-05 16:02 --------- d-----w c:\program files\AIM6
2008-12-05 07:08 304,957 ----a-w C:\hjsplit.zip
2008-12-05 07:01 --------- d-----w c:\program files\MasterSplitter
2008-12-04 06:37 --------- d-----w c:\documents and settings\Home\Application Data\FileZilla
2008-12-03 08:37 --------- d-----w c:\documents and settings\Home\Application Data\Apple Computer
2008-12-03 08:35 --------- d-----w c:\program files\iTunes
2008-12-03 08:35 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-03 08:34 --------- d-----w c:\program files\iPod
2008-12-03 08:34 --------- d-----w c:\program files\Common Files\Apple
2008-12-03 08:34 --------- d-----w c:\program files\Bonjour
2008-12-03 08:34 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-03 08:33 --------- d-----w c:\program files\QuickTime
2008-12-03 08:32 --------- d-----w c:\program files\Apple Software Update
2008-12-03 08:32 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-12-01 23:19 3,852,560 ----a-w C:\PHP-Nuke-6.0.zip
2008-12-01 02:07 291,648 ----a-w C:\gbtop4.8-1.zip
2008-12-01 01:59 --------- d-----w c:\program files\FileZilla FTP Client
2008-12-01 00:10 --------- d-----w c:\documents and settings\Home\Application Data\CoffeeCup Software
2008-11-30 22:13 1,697,280 ----a-w c:\documents and settings\Home\Application Data\KaspAVP.exe
2008-11-30 04:14 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-30 04:14 --------- d-----w c:\program files\CoffeeCup Software
2008-11-30 04:11 --------- d-----w c:\program files\Applet Effects Factory
2008-11-30 04:08 197,965 ----a-w c:\windows\CoffeeCup Visual Site Designer Uninstaller.exe
2008-11-30 03:46 --------- d-----w c:\documents and settings\Home\Application Data\Likno
2008-11-30 02:08 --------- d-----w c:\program files\Web CEO
2008-11-21 22:18 --------- d-----w c:\documents and settings\Home\Application Data\cronometer
2008-11-21 22:17 --------- d-----w c:\program files\CRON-O-METER
2008-11-18 07:05 --------- d-----w c:\program files\AllWebMenus5
2008-11-18 07:05 --------- d-----w c:\documents and settings\All Users\Application Data\Tarma Installer
2008-11-17 04:20 --------- d-----w c:\program files\Xpress Software
2008-11-17 04:17 --------- d-----w c:\program files\ShopFactory V6
2008-11-17 04:15 --------- d-----w c:\program files\SEO Report
2008-11-17 04:14 --------- d-----w c:\program files\SEO GodFather
2008-11-17 04:14 --------- d-----w c:\program files\Search Engine Composer
2008-11-17 04:13 --------- d-----w c:\program files\PokerStars
2008-11-17 04:12 --------- d-----w c:\program files\PayPal Shop Maker 3
2008-11-17 04:12 --------- d-----w c:\program files\Page Generator
2008-11-17 04:06 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-17 04:06 --------- d-----w c:\program files\Keyword Extreme
2008-11-17 04:05 --------- d-----w c:\program files\iMapBuilder
2008-11-17 04:05 --------- d-----w c:\program files\Flash Website Design
2008-11-17 04:05 --------- d-----w c:\program files\Flash Effect Maker
2008-11-17 04:00 --------- d-----w c:\program files\Synonymizer
2008-11-17 04:00 --------- d-----w c:\program files\Classified Ad Posting Utility
2008-11-17 03:39 --------- d-----w c:\program files\AffiliateToolBoxCreator
2008-11-17 03:23 --------- d-----w c:\program files\3D Home Architect
2008-11-14 21:39 --------- d-----w c:\documents and settings\Home\Application Data\ImgBurn
2008-11-14 20:28 --------- d-----w c:\program files\ImgBurn
2008-11-14 17:58 --------- d-----w c:\program files\QuickPar
2008-11-07 22:20 --------- d-----w c:\program files\Ateksoft
2008-11-07 22:13 --------- d-----w c:\program files\Mobiola Web Camera for Windows Mobile
2008-11-06 17:44 --------- d-----w c:\program files\PowerISO
2008-11-05 22:12 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
2008-11-05 22:12 --------- d-----w c:\program files\AVG
2008-11-05 22:12 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-11-05 20:29 --------- d-----w c:\program files\BBDBViewerPlus
2008-11-05 19:39 --------- d-----w c:\program files\Ultra Mobile 3GP Video Converter
2008-11-05 19:23 --------- d-----w c:\program files\Microsoft ActiveSync
2008-11-04 22:10 225 ----a-w c:\documents and settings\Home\Application Data\shedl.bat
2008-11-04 22:09 1,697,280 ----a-w c:\documents and settings\Home\Application Data\winavp.exe
2008-11-04 22:08 1,695,744 ----a-w c:\documents and settings\Home\Application Data\NTuser.exe
2008-06-03 03:26 13 ---h--w c:\documents and settings\All Users\Application Data\Λ3113.sys
2007-12-18 01:23 1,136,640 ----a-w c:\program files\Common Files\ewutils2.dll
2008-12-25 09:38 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-25 09:38 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-05-01 11:17 192,512 ----a-w c:\program files\mozilla firefox\components\msvcrj71.dll
2008-12-25 09:38 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-25 09:38 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-25 09:38 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-05-17 12:57 952 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"Google Update"="c:\documents and settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-06 133104]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 115816]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-01-13 771704]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"Media Codec Update Service"="c:\program files\Essentials Codec Pack\update.exe" [2007-04-08 303104]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-06-16 167936]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-08-28 531272]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2007-04-04 c:\windows\SkyTel.exe]

c:\documents and settings\Home\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-02-08 147456]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Free WebSite Tools.lnk - c:\program files\CoffeeCup Software\CoffeeCup Free DHTML Menu Builder\ThirtyDayTimer.exe [2008-11-29 372224]
Run Google Web Accelerator.lnk - c:\program files\Google\Web Accelerator\GoogleWebAccWarden.exe [2008-06-06 1134592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.xvid"= xvid.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KmReg]
@="Event log"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NtLclIpc]
@="Event log"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Aim6"="c:\program files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_04\bin\jusched.exe"
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
"ysicp"=c:\program files\Instant Color Picker\icp.exe
"CanonMyPrinter"=c:\program files\Canon\MyPrinter\BJMyPrt.exe /logon
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
"StartCCC"=c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\IBP 9\\IBP.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-05 97928]
R1 KmReg;System kernel configuration;c:\windows\system32\ansiox.sys [2008-05-27 38784]
R1 NtLclIpc;Remote Procedure Call RT4s;c:\windows\system32\ansio.sys [2008-05-27 122112]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2008-04-16 39424]
R3 AteksoftAudio;WebCamera Plus Audio;c:\windows\system32\drivers\ateksoftaudio.sys [2008-11-07 11776]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-04-22 109616]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-05 231704]
R4 HPWJAUpdateService;HP WJA Update Service;c:\program files\Common Files\Hewlett-Packard\WJA Update Service\HPWJAUpdateService.exe [2008-05-29 20480]
R4 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2008-05-28 14976]
R4 Webcamera Plus Service;Webcamera Plus Service;c:\program files\Ateksoft\WebCamera Plus\WebCamPlusSrv.exe [2008-11-07 46592]
S4 AutoExNT;AutoExNT;c:\windows\system32\Autoexnt.exe [2008-06-14 5904]
S4 PHPGeekUtil;PHPGeekUtil;c:\apache\Apache.exe [2002-01-24 20480]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0a422612-21df-11dd-a52d-001e8c6c7f58}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-01-03 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-08-02 18:35]

2008-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-1965331169-839522115-1003.job
- c:\documents and settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-06 11:18]

2008-12-30 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Home.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-01-13 17:09]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/?src=aim
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: research.ebay.com
Trusted Zone: www.paypal.com
FF - ProfilePath - c:\documents and settings\Home\Application Data\Mozilla\Firefox\Profiles\3a3y7jd1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Google\Web Accelerator\firefox\components\GoogleWebAccFirefox.dll
FF - component: c:\program files\Mozilla Firefox\components\msvcrj71.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - plugin: c:\program files\Mozilla Firefox 3 Beta 5\plugins\npCtxCAOHF425.dll
FF - plugin: c:\program files\Mozilla Firefox 3 Beta 5\plugins\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox 3 Beta 5\plugins\npDivxPlayerPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox 3 Beta 5\plugins\npicaN.dll
FF - plugin: c:\program files\Mozilla Firefox 3 Beta 5\plugins\npnul32.dll
FF - plugin: c:\program files\Mozilla Firefox 3 Beta 5\plugins\NPOFF12.DLL
FF - plugin: c:\program files\Mozilla Firefox 3 Beta 5\plugins\nppdf32.dll
FF - plugin: c:\program files\Mozilla Firefox 3 Beta 5\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300

FF - user.js: browser.sessionstore.resume_from_crash - false
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-05 12:10:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(800)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PSIService.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Google\Web Accelerator\GoogleWebAccClient.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
.
**************************************************************************
.
Completion time: 2009-01-05 12:19:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-05 20:18:04
ComboFix2.txt 2009-01-05 18:05:19

Pre-Run: 242,318,405,632 bytes free
Post-Run: 242,264,633,344 bytes free

313 --- E O F --- 2008-12-14 04:33:11


VirScan.org log
------------------
VirSCAN.org Scanned Report :
Scanned time : 2008/12/30 22:22:14 (EST)
Scanner results: 18% Scanner(7/39) found malware!
File Name : sdnmctyw.sys
File Size : 61440 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : 589312a3b46721c5a751e4d5222a89be
SHA1 : 3a497d3968a4f6e3c648d196da38e5f98e75ec30
Online report : http://virscan.org/report/d431bff0ca4da1eb...cee43dab85.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.29 20081231050130 2008-12-31 2.10 Hoax.Win32.Agent.fu!A2
AhnLab V3 2008.12.31.00 2008.12.31 2008-12-31 1.01 Win-Trojan/Avenger.61440
AntiVir 7.9.0.45 7.1.1.54 2008-12-30 1.66 -
Antiy 2.0.18 20081230.1945037 2008-12-30 0.12 -
Arcavir 1.0.5 200812131407 2008-12-13 1.29 -
Authentium 5.1.1 200812301619 2008-12-30 1.09 -
AVAST! 3.0.1 081230-0 2008-12-30 0.01 -
AVG 7.5.52.442 270.10.1/1869 2008-12-30 1.80 -
BitDefender 7.81008.2397126 7.22876 2008-12-31 2.20 -
CA (VET) 9.0.0.143 31.6.6284 2008-12-31 3.81 -
ClamAV 0.94.2 8815 2008-12-31 0.01 -
Comodo 3.0 851 2008-12-31 0.83 -
CP Secure 1.1.0.715 2008.12.30 2008-12-30 6.22 Malware.W32.Agent.fu
Dr.Web 4.44.0.9170 2008.12.31 2008-12-31 3.80 -
ewido 4.0.0.2 2008.12.29 2008-12-29 3.16 -
F-Prot 4.4.4.56 20081230 2008-12-30 1.09 -
F-Secure 5.51.6100 2008.12.31.01 2008-12-31 0.05 -
Fortinet 2.81-3.117 9.872 2008-12-30 0.15 PossibleThreat
GData 19.2176/19.162 20081231 2008-12-31 4.02 -
ViRobot 20081230 2008.12.30 2008-12-30 0.41 -
Ikarus T3.1.01.45 2008.12.31.72085 2008-12-31 3.58 -
JiangMin 11.0.706 2008.12.21 2008-12-21 1.38 Hoax.Agent.f
Kaspersky 5.5.10 2008.12.31 2008-12-31 0.04 -
KingSoft 2008.9.8.18 2008.12.31.10 2008-12-31 0.58 -
McAfee 5.3.00 5479 2008-12-30 2.78 -
Microsoft 1.4205 2008.12.31 2008-12-31 4.31 -
mks_vir 2.01 2008.12.30 2008-12-30 2.72 -
Norman 5.93.01 5.93.00 2008-12-30 5.93 W32/Agent.HHSF
Panda 9.05.01 2008.12.30 2008-12-30 2.53 Trj/Downloader.MDW
Trend Micro 8.700-1004 5.740.03 2008-12-30 0.03 -
Quick Heal 10.00 2008.11.17 2008-11-17 0.87 -
Rising 20.0 21.10.12.00 2008-12-30 0.78 -
Sophos 2.82.1 4.37 2008-12-31 1.94 -
Sunbelt 4755 4755 2008-12-22 0.95 -
Symantec 1.3.0.24 20081230.004 2008-12-30 0.22 -
nProtect 20081230.02 2827454 2008-12-30 4.17 -
The Hacker 6.3.1.2 v00202 2008-12-30 0.50 -
VBA32 3.12.8.10 20081230.0938 2008-12-30 1.54 -
VirusBuster 4.5.11.10 10.100.10/732162 2008-12-30 0.94 -

HijackThis log
----------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:33:00 PM, on 1/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Hewlett-Packard\WJA Update Service\HPWJAUpdateService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ateksoft\WebCamera Plus\WebCamPlusSrv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~2\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O15 - Trusted Zone: http://research.ebay.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://www.yougamers.com/systeminfo/MSC3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AutoExNT - Unknown owner - C:\WINDOWS\system32\AutoExNT.Exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WJA Update Service (HPWJAUpdateService) - Unknown owner - C:\Program Files\Common Files\Hewlett-Packard\WJA Update Service\HPWJAUpdateService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PHPGeekUtil - Unknown owner - c:\apache\APACHE.EXE
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Webcamera Plus Service - Ateksoft Company Ltd. - C:\Program Files\Ateksoft\WebCamera Plus\WebCamPlusSrv.exe

--
End of file - 11724 bytes
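The parts of the ComboFix log above that a responder would triage first are the registry values that switch off Security Center monitoring and the Windows Firewall, and the two system-start kernel drivers (ansiox.sys and ansio.sys) that sit directly in system32 under generic Windows-sounding descriptions rather than in system32\drivers. The script below is an added example for this thread; it is not code from ComboFix, HijackThis, BleepingComputer or the helper. The line formats are taken from the log as posted, the sample input is a handful of lines copied from it, and the rules for what counts as suspicious are the editor's own assumptions, not anything the tools themselves implement.

```python
"""Triage a ComboFix-style log for disabled protections and odd kernel drivers.

Added example for this thread; it is not code from ComboFix, HijackThis or
BleepingComputer. The line formats are taken from the log above; the rules
for what counts as suspicious are the editor's own assumptions.
"""
import re

# Constructed sample: a few lines copied from the posted log, in ComboFix's
# own format, so the script runs offline.  Feed it a full log in practice.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-05 97928]
R1 KmReg;System kernel configuration;c:\windows\system32\ansiox.sys [2008-05-27 38784]
R1 NtLclIpc;Remote Procedure Call RT4s;c:\windows\system32\ansio.sys [2008-05-27 122112]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2008-04-16 39424]
S4 PHPGeekUtil;PHPGeekUtil;c:\apache\Apache.exe [2002-01-24 20480]
"""

# Registry settings that malware commonly flips to silence Windows XP's
# Security Center and firewall: (key fragment, value name, "is bad" test).
PROTECTION_RULES = [
    ("security center", "DisableMonitoring", lambda v: v == "dword:00000001"),
    ("security center", "UpdatesDisableNotify", lambda v: v == "dword:00000001"),
    ("firewallpolicy", "EnableFirewall", lambda v: v.split()[0] == "0"),
]

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')
# ComboFix service lines: R/S (running/stopped) + start type digit, then
# name;description;path [date size]
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.+?)\s+\[[\d-]+ \d+\]$")


def parse_registry_values(text):
    """Yield (key, value_name, raw_value) for every "name"=value under a [key]."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group(1), m.group(2)


def find_disabled_protections(text):
    """Return 'key\\name=value' strings for settings that turn protection off."""
    hits = []
    for key, name, value in parse_registry_values(text):
        for key_fragment, value_name, is_bad in PROTECTION_RULES:
            if key_fragment in key.lower() and name == value_name and is_bad(value):
                hits.append(f"{key}\\{name}={value}")
    return hits


def parse_services(text):
    """Return one dict per service/driver line in ComboFix's R?/S? format."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            state, start_type, name, description, path = m.groups()
            services.append({
                "running": state == "R",
                "start_type": int(start_type),  # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
                "name": name,
                "description": description,
                "path": path.lower(),
            })
    return services


def find_suspicious_drivers(text):
    """Flag early-start .sys drivers that do not live under system32\\drivers.

    Heuristic only (an assumption, not a rule from any tool): legitimate
    boot/system-start drivers almost always sit under ...\\drivers\\, and a
    generic, Windows-sounding description on a .sys dropped straight into
    system32 is a classic rootkit pattern, e.g. ansio.sys / ansiox.sys above.
    """
    return [
        svc["name"]
        for svc in parse_services(text)
        if svc["path"].endswith(".sys")
        and svc["start_type"] <= 1
        and "\\drivers\\" not in svc["path"]
    ]


if __name__ == "__main__":
    for hit in find_disabled_protections(SAMPLE_LOG):
        print("protection disabled:", hit)
    for name in find_suspicious_drivers(SAMPLE_LOG):
        print("review driver:", name)
```

Run against the sample it reports the three disabled-protection values and flags KmReg and NtLclIpc while leaving the AVG driver alone. A driver flagged this way is a lead, not a verdict: confirm it by hashing the file and checking a multi-engine report, as was done for sdnmctyw.sys further down.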

#6 fenzodahl512

Posted 05 January 2009 - 10:47 PM

Repeat the CFScript step, but this time with this script:

KillAll::

File::
c:\windows\system32\drivers\wkist.sys

As usual, drag it as shown below, and post the log here.

[image: not available]


Then do the following:


Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Post these logs in your next reply..

1. ComboFix
2. ESET Online Scanner

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#7 fenzodahl512

Posted 12 January 2009 - 03:12 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
