
Malwarebytes and Combofix will not remove Vundo.H


3 replies to this topic

#1 BrewerSewer


Posted 07 April 2009 - 09:12 AM

I have tried to use Malwarebytes, Combofix, Hijack This, and Symantec's VundoFix utility and cannot remove the infected files; any help would be appreciated. Thank you.

Here is my DDS.log file:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Jeff at 9:55:12.87 on Tue 04/07/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1511 [GMT -4:00]

AV: Norton 360 *On-access scanning enabled* (Updated)
FW: *disabled*
FW: Norton 360 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\HP Wireless Adapter\HPWLAN.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Troopmaster Software\AutoMailer\AutoMailer.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
E:\MalwareBytes 090406\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig?hl=en
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: : {4f4cbd67-615f-4cba-858a-2ca22589db10} - c:\windows\system32\zhbkmtg.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.0.0.135\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.0.0.135\IPSBHO.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\googleafe\GoogleAE.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.0.0.135\coIEPlg.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [HPWireless] "c:\program files\hp wireless adapter\HPWLAN.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [D066UUtility] c:\windows\twain_32\d66u\D066UUTY.EXE
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\jeff\startm~1\programs\startup\automa~1.lnk - c:\troopmaster software\automailer\AutoMailer.exe
StartupFolder: c:\docume~1\jeff\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
Trusted Zone: turbotax.com
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.0.0.135\CoIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
Notify: kymghduq - zhbkmtg.dll

============= SERVICES / DRIVERS ===============

R0 igcnescs;igcnescs;c:\windows\system32\drivers\igcnescs.sys [2005-8-16 23424]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0300000.087\SymEFA.sys [2009-3-27 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0300000.087\BHDrvx86.sys [2009-3-27 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0300000.087\cchpx86.sys [2009-3-27 482352]
R2 HPEAPPkt;Realtek EAPPkt Protocol(HP);c:\windows\system32\drivers\HPEAPPkt.sys [2007-1-15 68864]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-3-27 101936]
R3 hpnuhst;HP NUSB Host;c:\windows\system32\drivers\hpnuhst.sys [2007-1-15 10752]
R3 HPNUHUB;HP NUSB Hub;c:\windows\system32\drivers\hpnuhub.sys [2007-1-15 37120]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090406.032\NAVENG.SYS [2009-4-6 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090406.032\NAVEX15.SYS [2009-4-6 876144]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090331.007\IDSXpx86.sys [2009-4-6 276344]
S3 HPNUCMP;HP NUSB Composite;c:\windows\system32\drivers\hpnucmp.sys [2007-1-15 11648]
S3 RTLWUSB;Wireless Adapter;c:\windows\system32\drivers\HPL8187.SYS [2007-1-15 189440]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2007-1-15 13532]

=============== Created Last 30 ================

2009-04-07 09:37 61,440 a------- c:\windows\system32\drivers\mzzelxc.sys
2009-04-07 07:27 161,792 a------- c:\windows\SWREG.exe
2009-04-07 07:27 98,816 a------- c:\windows\sed.exe
2009-04-03 13:18 173,456 a------- C:\FixVundo.exe
2009-04-03 13:15 <DIR> --d----- c:\program files\Trend Micro
2009-04-02 14:54 552 a------- c:\windows\system32\d3d8caps.dat
2009-04-02 14:00 <DIR> --d----- c:\docume~1\jeff\applic~1\Malwarebytes
2009-04-02 14:00 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-02 14:00 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-02 14:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-02 14:00 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-01 22:49 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-04-01 22:28 <DIR> --d----- c:\docume~1\jeff\applic~1\vtaiiahh
2009-04-01 07:45 <DIR> --d----- c:\windows\system32\XPSViewer
2009-04-01 07:42 117,760 -------- c:\windows\system32\prntvpt.dll
2009-04-01 07:42 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-01 07:42 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-01 07:42 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-04-01 07:42 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-01 07:42 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-04-01 07:42 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll
2009-04-01 07:42 <DIR> --d----- C:\681e976f9b1c14ab1d
2009-04-01 07:41 <DIR> --d----- c:\windows\SxsCaPendDel
2009-04-01 07:15 52,224 -------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-04-01 07:15 459,264 -------- c:\windows\system32\dllcache\msfeeds.dll
2009-04-01 07:14 6,066,688 -------- c:\windows\system32\dllcache\ieframe.dll
2009-04-01 07:14 991,232 -------- c:\windows\system32\dllcache\ieframe.dll.mui
2009-04-01 07:14 383,488 -------- c:\windows\system32\dllcache\ieapfltr.dll
2009-04-01 07:14 267,776 -------- c:\windows\system32\dllcache\iertutil.dll
2009-04-01 07:14 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-01 07:14 2,455,488 -------- c:\windows\system32\dllcache\ieapfltr.dat
2009-04-01 07:14 63,488 -------- c:\windows\system32\dllcache\icardie.dll
2009-03-27 01:32 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-03-27 01:32 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-03-27 01:32 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-27 01:32 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-27 01:32 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-03-27 01:30 <DIR> --d----- c:\windows\system32\drivers\N360
2009-03-27 01:30 <DIR> --d----- c:\program files\Norton 360
2009-03-27 00:49 <DIR> --d----- C:\07392e149fe90367c8e386aca0454ac7
2009-03-27 00:00 <DIR> --d----- c:\windows\system32\scripting
2009-03-27 00:00 <DIR> --d----- c:\windows\l2schemas
2009-03-27 00:00 <DIR> --d----- c:\windows\system32\en
2009-03-27 00:00 <DIR> --d----- c:\windows\system32\bits
2009-03-26 23:41 <DIR> --d----- c:\windows\ServicePackFiles
2009-03-26 23:30 <DIR> --d----- c:\windows\network diagnostic
2009-03-26 21:48 <DIR> --d----- c:\program files\NortonInstaller
2009-03-26 20:32 <DIR> --d----- c:\windows\LMI44.tmp
2009-03-25 22:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-03-25 22:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-03-25 22:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-03-25 22:04 <DIR> --d----- c:\documents and settings\all users\Symantec Temporary Files
2009-03-22 18:46 <DIR> --d----- c:\program files\WinPcap
2009-03-15 18:02 1,248,933 a------- C:\SAVE0001.JPG
2009-03-15 18:00 32,411 a------- c:\windows\SGTBox.INI
2009-03-15 17:50 32,523 a------- c:\windows\SGTBoxf.INI
2009-03-12 07:17 5,632 a------- c:\windows\system32\ptpusb.dll
2009-03-12 07:17 159,232 a------- c:\windows\system32\ptpusd.dll

==================== Find3M ====================

2009-04-07 09:37 666 a------- c:\program files\szvfjhy.txt
2009-03-27 00:10 88,859 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-25 20:13 3,766 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-03-20 22:35 41,988 a------- c:\docume~1\jeff\applic~1\wklnhst.dat
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-01-19 23:50 251 a------- c:\program files\wt3d.ini
2009-01-16 21:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2009-01-14 17:48 6 a------- c:\windows\fonts\wfonts.key
2008-05-30 00:00 77,856 ac------ c:\docume~1\jeff\applic~1\GDIPFONTCACHEV1.DAT
2007-05-28 00:23 16,782,136 ac------ c:\program files\flash_player_update3_flash8_win.zip

============= FINISH: 9:58:40.25 ===============


Here is my Malwarebytes log:

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

4/7/2009 8:09:06 AM
mbam-log-2009-04-07 (08-09-06).txt

Scan type: Quick Scan
Objects scanned: 74370
Time elapsed: 7 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4f4cbd67-615f-4cba-858a-2ca22589db10} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\kymghduq (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{4f4cbd67-615f-4cba-858a-2ca22589db10} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\zhbkmtg.dll (Trojan.Vundo.H) -> Delete on reboot.

Here is my Hijack This Log after the Malwarebytes reboot:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:17:03 AM, on 4/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\HP Wireless Adapter\HPWLAN.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Troopmaster Software\AutoMailer\AutoMailer.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4F4CBD67-615F-4CBA-858A-2CA22589DB10} - c:\windows\system32\zhbkmtg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.0.0.135\IPSBHO.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
O4 - HKLM\..\Run: [HPWireless] "C:\Program Files\HP Wireless Adapter\HPWLAN.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [D066UUtility] C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: AutoMailer.lnk = C:\Troopmaster Software\AutoMailer\AutoMailer.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net/
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
O20 - Winlogon Notify: kymghduq - C:\WINDOWS\SYSTEM32\zhbkmtg.dll
O20 - Winlogon Notify: kymghduqa - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9003 bytes

Here is my Combofix log:

ComboFix 09-04-04.01 - Jeff 2009-04-07 8:22:01.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1625 [GMT -4:00]
Running from: c:\documents and settings\Jeff\Desktop\ComboFix.exe
AV: Norton 360 *On-access scanning disabled* (Updated)
FW: *disabled*
FW: Norton 360 *disabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-03-07 to 2009-04-07 )))))))))))))))))))))))))))))))
.

2009-04-03 13:18 . 2009-04-03 13:07 173,456 --a------ C:\FixVundo.exe
2009-04-03 13:15 . 2009-04-03 13:15 <DIR> d-------- c:\program files\Trend Micro
2009-04-02 14:54 . 2009-04-02 14:54 552 --a------ c:\windows\system32\d3d8caps.dat
2009-04-02 14:00 . 2009-04-07 08:00 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-02 14:00 . 2009-04-02 14:00 <DIR> d-------- c:\documents and settings\Jeff\Application Data\Malwarebytes
2009-04-02 14:00 . 2009-04-02 14:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-02 14:00 . 2009-04-06 15:32 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-02 14:00 . 2009-04-06 15:32 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-04-01 22:49 . 2009-01-09 15:19 1,089,593 --------- c:\windows\system32\dllcache\ntprint.cat
2009-04-01 22:28 . 2009-04-01 22:28 <DIR> d-------- c:\documents and settings\Jeff\Application Data\vtaiiahh
2009-04-01 07:45 . 2009-04-01 07:45 <DIR> d-------- c:\windows\system32\XPSViewer
2009-04-01 07:45 . 2009-04-01 07:45 <DIR> d-------- c:\program files\MSBuild
2009-04-01 07:44 . 2009-04-01 07:44 <DIR> d-------- c:\program files\Reference Assemblies
2009-04-01 07:42 . 2009-04-01 07:43 <DIR> d-------- C:\681e976f9b1c14ab1d
2009-04-01 07:42 . 2008-07-06 08:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2009-04-01 07:42 . 2008-07-06 08:06 1,676,288 --------- c:\windows\system32\dllcache\xpssvcs.dll
2009-04-01 07:42 . 2008-07-06 06:50 597,504 --------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-01 07:42 . 2008-07-06 08:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2009-04-01 07:42 . 2008-07-06 08:06 575,488 --------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-01 07:42 . 2008-07-06 08:06 117,760 --------- c:\windows\system32\prntvpt.dll
2009-04-01 07:42 . 2008-07-06 08:06 89,088 --------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-01 07:41 . 2009-04-01 22:22 <DIR> d-------- c:\windows\SxsCaPendDel
2009-04-01 07:15 . 2008-12-20 19:15 459,264 --------- c:\windows\system32\dllcache\msfeeds.dll
2009-04-01 07:15 . 2008-12-20 19:15 52,224 --------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-04-01 07:14 . 2008-12-20 19:15 6,066,688 --------- c:\windows\system32\dllcache\ieframe.dll
2009-04-01 07:14 . 2007-04-17 05:32 2,455,488 --------- c:\windows\system32\dllcache\ieapfltr.dat
2009-04-01 07:14 . 2007-03-08 01:10 991,232 --------- c:\windows\system32\dllcache\ieframe.dll.mui
2009-04-01 07:14 . 2008-12-20 19:15 383,488 --------- c:\windows\system32\dllcache\ieapfltr.dll
2009-04-01 07:14 . 2008-12-20 19:15 267,776 --------- c:\windows\system32\dllcache\iertutil.dll
2009-04-01 07:14 . 2008-12-20 19:15 63,488 --------- c:\windows\system32\dllcache\icardie.dll
2009-04-01 07:14 . 2008-12-19 05:10 13,824 --------- c:\windows\system32\dllcache\ieudinit.exe
2009-03-28 08:50 . 2009-03-28 08:50 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\vtaiiahh
2009-03-27 01:32 . 2009-03-27 01:32 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-27 01:32 . 2009-03-27 01:32 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2009-03-27 01:32 . 2009-03-27 01:31 36,400 -ra------ c:\windows\system32\drivers\SymIM.sys
2009-03-27 01:32 . 2009-03-27 01:32 7,386 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-27 01:32 . 2009-03-27 01:32 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2009-03-27 01:30 . 2009-03-27 01:30 <DIR> d-------- c:\windows\system32\drivers\N360
2009-03-27 01:30 . 2009-03-27 01:30 <DIR> d-------- c:\program files\Windows Sidebar
2009-03-27 01:30 . 2009-03-27 01:30 <DIR> d-------- c:\program files\Norton 360
2009-03-27 00:49 . 2009-03-27 00:49 <DIR> d-------- C:\07392e149fe90367c8e386aca0454ac7
2009-03-27 00:00 . 2009-03-27 00:00 <DIR> d-------- c:\windows\system32\scripting
2009-03-27 00:00 . 2009-03-27 00:00 <DIR> d-------- c:\windows\system32\en
2009-03-27 00:00 . 2009-03-27 00:00 <DIR> d-------- c:\windows\system32\bits
2009-03-27 00:00 . 2009-03-27 00:00 <DIR> d-------- c:\windows\l2schemas
2009-03-26 23:41 . 2009-03-27 00:02 <DIR> d-------- c:\windows\ServicePackFiles
2009-03-26 21:48 . 2009-03-26 21:48 <DIR> d-------- c:\program files\NortonInstaller
2009-03-26 20:32 . 2009-03-27 00:31 <DIR> d-------- c:\windows\LMI44.tmp
2009-03-25 22:39 . 2009-03-27 01:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-03-25 22:20 . 2009-03-27 01:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-03-25 22:20 . 2009-03-27 01:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
2009-03-25 22:04 . 2009-03-25 22:04 <DIR> d-------- c:\documents and settings\All Users\Symantec Temporary Files
2009-03-22 18:46 . 2009-03-22 18:46 <DIR> d-------- c:\program files\WinPcap
2009-03-15 18:02 . 2009-03-15 18:06 1,248,933 --a------ C:\SAVE0001.JPG
2009-03-15 18:00 . 2009-03-15 18:34 32,411 --a------ c:\windows\SGTBox.INI
2009-03-15 17:50 . 2009-03-15 22:37 32,523 --a------ c:\windows\SGTBoxf.INI
2009-03-12 07:17 . 2004-08-04 00:56 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-03-12 07:17 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-02 18:21 --------- d-----w c:\program files\Common
2009-03-30 01:08 --------- d-----w c:\documents and settings\Jeff\Application Data\Canon
2009-03-28 13:56 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-28 13:56 --------- d-----w c:\documents and settings\All Users\Application Data\Ulead Systems
2009-03-28 02:37 --------- d-----w c:\program files\ItsDeductible2005
2009-03-28 02:35 --------- d-----w c:\program files\TurboTax
2009-03-27 05:44 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-27 05:32 --------- d-----w c:\program files\Symantec
2009-03-27 05:30 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-03-26 02:28 --------- d-----w c:\program files\Symantec AntiVirus
2009-03-26 00:13 3,766 --sha-w c:\windows\system32\KGyGaAvL.sys
2009-03-21 02:35 41,988 ----a-w c:\documents and settings\Jeff\Application Data\wklnhst.dat
2009-03-17 23:28 --------- d-----w c:\program files\Day-Timer Organizer 2000
2009-03-11 23:43 --------- d-----w c:\documents and settings\Jeff\Application Data\U3
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:13 1,846,784 ------w c:\windows\system32\dllcache\win32k.sys
2009-01-20 03:50 251 ----a-w c:\program files\wt3d.ini
2009-01-17 01:35 3,594,752 ------w c:\windows\system32\dllcache\mshtml.dll
2009-01-14 21:48 6 ----a-w c:\windows\Fonts\wfonts.key
2008-05-30 04:00 77,856 -c--a-w c:\documents and settings\Jeff\Application Data\GDIPFONTCACHEV1.DAT
2007-05-28 04:23 16,782,136 -c--a-w c:\program files\flash_player_update3_flash8_win.zip
.

((((((((((((((((((((((((((((( SnapShot@2009-04-07_ 7.34.52.70 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-07 12:15:17 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_404.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4F4CBD67-615F-4CBA-858A-2CA22589DB10}]
2004-08-10 07:00 105984 --a------ c:\windows\system32\zhbkmtg.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-22 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPWireless"="c:\program files\HP Wireless Adapter\HPWLAN.exe" [2006-10-04 618496]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"D066UUtility"="c:\windows\TWAIN_32\D66U\D066UUTY.EXE" [2000-07-06 32768]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-11-16 106496]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

c:\documents and settings\Jeff\Start Menu\Programs\Startup\
AutoMailer.lnk - c:\troopmaster software\AutoMailer\AutoMailer.exe [2008-02-21 73728]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-09-29 368640]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 18:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kymghduq]
2004-08-10 07:00 105984 c:\windows\system32\zhbkmtg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kymghduqa]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.DVSD"= pdvcodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^connection manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\connection manager.lnk
backup=c:\windows\pss\connection manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
- [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 11:09 63712 c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a--c--- 2007-10-10 20:51 39792 c:\program files\Adobe\Reader 8.0\Reader\Reader_SL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a--c--- 2005-08-05 23:05 344064 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a--c--- 2004-12-06 03:05 127035 c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
-----c--- 2005-02-23 18:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2004-08-10 04:04 59392 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a--c--- 2005-06-10 12:44 249856 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a--c--- 2005-06-10 12:44 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-30 10:47 289064 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 20:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-22 19:22 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Java\\j2re1.4.2_03\\javaws\\javaws.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 igcnescs;igcnescs;c:\windows\system32\drivers\igcnescs.sys [2005-08-16 23424]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0300000.087\SymEFA.sys [2009-03-27 01:31:48 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0300000.087\BHDrvx86.sys [2009-03-27 01:31:48 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0300000.087\cchpx86.sys [2009-03-27 01:31:48 482352]
R2 HPEAPPkt;Realtek EAPPkt Protocol(HP);c:\windows\system32\drivers\HPEAPPkt.sys [2007-01-15 68864]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-12-09 13088]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe [2009-03-27 115560]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-27 101936]
R3 hpnuhst;HP NUSB Host;c:\windows\system32\drivers\hpnuhst.sys [2007-01-15 10752]
R3 HPNUHUB;HP NUSB Hub;c:\windows\system32\drivers\hpnuhub.sys [2007-01-15 37120]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090331.007\IDSXpx86.sys [2009-04-06 276344]
S3 HPNUCMP;HP NUSB Composite;c:\windows\system32\drivers\hpnucmp.sys [2007-01-15 11648]
S3 RTLWUSB;Wireless Adapter;c:\windows\system32\drivers\HPL8187.SYS [2007-01-15 189440]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2007-01-15 13532]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
zaaozkdv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{65682092-6908-11dc-a4cd-00038a000015}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-03-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-04-06 c:\windows\Tasks\At1.job
- c:\windows\system32\zhbkmtg.dll [2004-08-10 07:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: turbotax.com
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-07 08:25:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.0.0.135\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ccEvtMgr]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMTDI]
"ImagePath"="-"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1524)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Completion time: 2009-04-07 8:33:12
ComboFix-quarantined-files.txt 2009-04-07 12:33:02
ComboFix2.txt 2009-04-07 11:37:39

Pre-Run: 5,606,248,448 bytes free
Post-Run: 5,580,398,592 bytes free

255 --- E O F --- 2009-04-02 03:12:06
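Editor's note on the log above (the example that follows is added here and is not part of the original post or of ComboFix). The entries that matter in this log are the randomly named winlogon notify package (kymghduq) that loads the same DLL the Browser Helper Object does (zhbkmtg.dll), the second notify subkey (kymghduqa) that ComboFix printed as [BU] with no DLL, the At1.job scheduled task that launches that DLL directly, the NetSvcs group entry zaaozkdv that matches none of the listed services, the Windows Firewall standard profile set to EnableFirewall=0, and mshta.exe in the firewall's authorized-applications list. The Python script below is the editor's own triage helper: it parses a constructed excerpt modelled on those sections of the posted log and flags each of those conditions. parse_log, find_indicators and the heuristics they encode are assumptions of this example, not anything ComboFix provides.

```python
"""Triage the autostart sections of a ComboFix log for Vundo-style persistence.
Added example (editor's own, not from the post and not ComboFix code).
SAMPLE_LOG is a constructed excerpt modelled on the posted log; parse_log(),
find_indicators() and the heuristics below are this example's assumptions.
"""
import re

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4F4CBD67-615F-4CBA-858A-2CA22589DB10}]
2004-08-10 07:00 105984 --a------ c:\windows\system32\zhbkmtg.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 18:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kymghduq]
2004-08-10 07:00 105984 c:\windows\system32\zhbkmtg.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kymghduqa]
[BU]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0300000.087\SymEFA.sys [2009-03-27 01:31:48 310320]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
zaaozkdv
Contents of the 'Scheduled Tasks' folder
2009-03-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2009-04-06 c:\windows\Tasks\At1.job
- c:\windows\system32\zhbkmtg.dll [2004-08-10 07:00]
"""


def _path(line):  # lower-cased file path at the end of a ComboFix entry line
    m = re.search(r"[a-z]:\\.*$", line, re.I)
    return m.group(0).lower() if m else line.lower()


def parse_log(text):
    """Collect BHO DLLs, winlogon notify DLLs, services, NetSvcs, tasks, firewall."""
    info = {"bho": set(), "notify": {}, "services": set(), "netsvcs": [],
            "tasks": [], "firewall_enabled": None, "authorized": []}
    key = section = job = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]") and line != "[BU]":
            key, section = line[1:-1].lower(), None      # new registry block
            continue
        if line.endswith("Svchost - NetSvcs"):
            key, section = None, "netsvcs"
            continue
        if line.startswith("Contents of the 'Scheduled Tasks'"):
            key, section = None, "tasks"
            continue
        m = re.match(r"^[RS]\d\s+([^;]+);", line)         # R0/R2/S3 service lines
        if m:
            info["services"].add(m.group(1).lower())
        elif section == "netsvcs":
            info["netsvcs"].append(line.lower())
        elif section == "tasks":
            if line.lower().endswith(".job"):
                job = line.split(" ", 1)[1]                # drop the date column
            elif line.startswith("- ") and job:
                info["tasks"].append((job, re.sub(r"\s*\[.*\]$", "", line[2:])))
        elif key and "browser helper objects" in key:
            info["bho"].add(_path(line))
        elif key and "winlogon\\notify\\" in key:
            info["notify"][key.rsplit("\\", 1)[1]] = None if line == "[BU]" else _path(line)
        elif key and key.endswith("firewallpolicy\\standardprofile"):
            m = re.match(r'"enablefirewall"\s*=\s*(\d+)', line, re.I)
            if m:
                info["firewall_enabled"] = m.group(1) != "0"
        elif key and key.endswith("authorizedapplications\\list"):
            app = line.split("=", 1)[0].strip('"').replace("\\\\", "\\")
            info["authorized"].append(app.lower())
    return info


def find_indicators(info):
    """Heuristics for the persistence pattern seen in the thread; hits mean 'look'."""
    hits = []
    for name, dll in info["notify"].items():
        if dll is None:
            hits.append(f"winlogon notify '{name}' resolves to no DLL ([BU])")
        elif dll in info["bho"]:
            hits.append(f"{dll} is both a BHO and winlogon notify package '{name}'")
    for job, target in info["tasks"]:
        if target.lower().endswith(".dll"):
            hits.append(f"scheduled task {job} launches a DLL directly: {target}")
    for svc in info["netsvcs"]:
        if svc not in info["services"]:
            hits.append(f"NetSvcs entry '{svc}' matches no listed service")
    if info["firewall_enabled"] is False:
        hits.append("Windows Firewall standard profile is disabled (EnableFirewall=0)")
    hits += [f"mshta.exe is firewall-whitelisted: {a}" for a in info["authorized"]
             if a.endswith("\\mshta.exe")]
    return hits


if __name__ == "__main__":
    for hit in find_indicators(parse_log(SAMPLE_LOG)):
        print("[!]", hit)
```

Run it as a script to print the hits, or import it and pass the text of a saved ComboFix.txt to parse_log(). The NetSvcs check is only a heuristic: it compares the group entry against the R/S service lines ComboFix chose to print, so a hit means the entry deserves a look, not that it is proven malicious. The same goes for mshta.exe in the firewall list, which is a legitimate Windows binary that is nonetheless a common launcher for script-based droppers.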

#2 extremeboy (Malware Response Team, 12,975 posts)

Posted 18 April 2009 - 12:53 PM

Hello.

Combofix Warning:

ComboFix is an extremely powerful tool and you should not be using Combofix unless instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.


Please delete Combofix.exe you have, and follow the instructions below.

Download and Run Combofix

Important: Before we start, please disable any anti-virus programs or any real-time protection that is enabled.

Please refer to this page if you're unsure how.
  • Please follow the instructions for running Combofix from here
  • Please read the guide carefully, follow every instruction precisely, and remember to install the Recovery Console first.
Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Download the appropriate Windows XP setup boot disk and drag it on Combofix like the image below:
    Posted Image
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • After you successfully install the Recovery Console, you will see this window.
    Posted Image
    Please select Yes.
  • ComboFix will then run; when it is finished, it will create a log for you (the log is located at C:\ComboFix.txt). Please copy and paste that log in your next reply.
Note: Please do NOT mouse-click ComboFix's window while it is running, because it may cause it to stall.

Post back with the ComboFix log once it's done.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 extremeboy (Malware Response Team, 12,975 posts)

Posted 21 April 2009 - 02:57 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days from the day I replied, the topic will need to be closed.

Thanks for understanding.

With Regards,
Extremeboy

#4 extremeboy (Malware Response Team, 12,975 posts)

Posted 24 April 2009 - 02:59 PM

Hello.

Due to Lack of feedback, this topic is now Closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal forum.

With Regards,
Extremeboy



