[Resolved] Infected With Win32 Trojan


This topic is locked. 14 replies to this topic.

#1 sloc0005 (New Member, Authentic Member, 7 posts)

Posted 01 August 2007 - 09:56 PM

I have apparently been infected with a Trojan virus. I have not been able to remove this trojan yet to date. I have tried removing this with Ad-Aware SE as well as the Avast Anti-Virus software that I use. My PC is running slow and I am still getting pop-ups while on the internet. I have also tried to search the Web for any possible help and I have not been successful, and that is why I am now turning to you for any possible assistance. You all are a great resource and I do appreciate any assistance that may be offered to help resolve my PC problems. I have provided my HijackThis log below for review.

Thanks,

Sloc0005

Logfile of HijackThis v1.99.1
Scan saved at 10:29:57 PM, on 8/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\YEDIEx.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\system32\hphmon03.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\HPHipm09.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\WINDOWS\system32\qwerty12.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
G:\Backup of Hardrive C\Documents and Settings\Shayne\Virus Removal\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {460624ab-f4b1-4a33-b7d9-2977a186cccc} - C:\WINDOWS\system32\kbdfrm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\tmp5.tmp.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\hgdcbx.dll",forkonce
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://radar.weather.gov
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...l...own
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1171259519781
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O20 - AppInit_DLLs: c:\windows\system32\awtqrol.dll
O20 - Winlogon Notify: kbdfrm - C:\WINDOWS\SYSTEM32\kbdfrm.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\qwerty12.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: YEDIEx - Unknown owner - C:\WINDOWS\system32\YEDIEx.exe
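The following is an added example, not code from this thread or from the HijackThis project: a small Python triage script that parses lines in the HijackThis format shown above and queues the entry types the suspicious items in this log fall into (an unnamed O2 BHO loaded from the Windows directory, an O4 rundll32 autorun loading a DLL from the Windows root, a populated O20 AppInit_DLLs, an O20 Winlogon Notify package outside a known-good set, and an O23 service with unknown owner whose binary sits in the Windows directory). The function names, the `KNOWN_GOOD_WINLOGON_NOTIFY` set and the sample lines are assumptions constructed from the two logs in this thread; the output is a review queue for a human, not a verdict.

```python
"""Triage a HijackThis 1.99-style log: queue entry types worth a reviewer's eye.

Added example for this thread; not part of HijackThis or the forum's tooling.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines taken from the two HijackThis logs in this thread. The Spybot
# SDHelper line is included on purpose: it is an unnamed BHO that must NOT be flagged.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {460624ab-f4b1-4a33-b7d9-2977a186cccc} - C:\WINDOWS\system32\kbdfrm.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\tmp5.tmp.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\hgdcbx.dll",forkonce
O20 - AppInit_DLLs: c:\windows\system32\awtqrol.dll
O20 - Winlogon Notify: kbdfrm - C:\WINDOWS\SYSTEM32\kbdfrm.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\qwerty12.exe
"""

# Assumption: the only Winlogon Notify package treated as known-good is the WGA one seen in
# this log. A real baseline would be taken from a clean machine of the same build.
KNOWN_GOOD_WINLOGON_NOTIFY = {"wgalogon"}


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section: O2, O4, O20 or O23
    reason: str
    line: str


_WINDIR = re.compile(r"^[a-z]:\\windows\\(?P<rest>.+)$")
_BHO = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
_RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.+)$")
_APPINIT = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
_SERVICE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def _where(path: str) -> str:
    """Classify a file path as 'system32', 'winroot', 'programfiles' or 'other'."""
    p = path.strip().strip('"').lower().replace("/", "\\")
    m = _WINDIR.match(p)
    if m:
        rest = m.group("rest")
        if rest.startswith("system32\\") and "\\" not in rest[len("system32\\"):]:
            return "system32"
        if "\\" not in rest:
            return "winroot"
        return "other"
    if p.startswith("c:\\program files\\"):
        return "programfiles"
    return "other"


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a line a reviewer should look at, else None."""
    line = line.rstrip()
    if m := _BHO.match(line):
        # Legit BHOs normally carry a name; an unnamed one living in %WINDIR% is the pattern
        # seen here (kbdfrm.dll, tmp5.tmp.dll). SDHelper is unnamed too but sits in Program Files.
        if m["name"].strip().lower() == "(no name)" and _where(m["path"]) in ("system32", "winroot"):
            return Finding("O2", "unnamed BHO loaded from the Windows directory", line)
        return None
    if m := _RUN.match(line):
        cmd = m["cmd"]
        if cmd.lower().startswith("rundll32"):
            parts = cmd.split(None, 1)
            target = parts[1].split(",", 1)[0] if len(parts) == 2 else ""
            if _where(target) == "winroot":
                return Finding("O4", "rundll32 autorun loading a DLL from the Windows root", line)
        return None
    if m := _APPINIT.match(line):
        if m["dlls"].strip():
            return Finding("O20", "AppInit_DLLs is populated; every user-mode process loads this DLL", line)
        return None
    if m := _NOTIFY.match(line):
        if m["key"].lower() not in KNOWN_GOOD_WINLOGON_NOTIFY:
            return Finding("O20", "Winlogon Notify package outside the known-good set", line)
        return None
    if m := _SERVICE.match(line):
        if m["owner"].strip().lower() == "unknown owner" and _where(m["path"]) in ("system32", "winroot"):
            return Finding("O23", "service with unknown owner whose binary sits in the Windows directory", line)
        return None
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every line of a HijackThis log, keeping only hits."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```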



#2 Trevuren (Teacher Emeritus, Authentic Member, 8,632 posts; Interests: Woodworking)

Posted 01 August 2007 - 11:41 PM

Hello sloc0005 and welcome to the TomCoyote Forums

My name is Trevuren and I will be helping you with your problem.


I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager -- the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.


Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This may change; read Viewpoint to Plunge Into Adware.

I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):

1. Click Start, then Settings, then click Control Panel.
2. In Control Panel, double-click Add or Remove Programs.
3. In Add or Remove Programs, remove the Viewpoint component.
4. Do the same for each Viewpoint component.


Please download this file - combofix.exe by sUBs
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

Regards,

Trevuren

Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom




#3 sloc0005 (New Member, Authentic Member, 7 posts)

Posted 02 August 2007 - 12:31 AM

Thank you so much for your help. I have done as you requested and here are the requested logs.

Thanks,

Sloc0005

Logfile of HijackThis v1.99.1
Scan saved at 1:24:44 AM, on 8/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\YEDIEx.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\system32\hphmon03.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\HPHipm09.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\internet explorer\iexplore.exe
G:\Backup of Hardrive C\Documents and Settings\Shayne\Virus Removal\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://radar.weather.gov
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.v...l...own
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1171259519781
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O20 - AppInit_DLLs: c:\windows\system32\awtqrol.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: YEDIEx - Unknown owner - C:\WINDOWS\system32\YEDIEx.exe

ComboFix 07-08-02.2 - "Shayne" 2007-08-02 1:08:40.1 [GMT -5:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Shayne\APPLIC~1\tmp1.tmp.exe
C:\DOCUME~1\Shayne\APPLIC~1\tmp3.tmp.exe
C:\DOCUME~1\Shayne\APPLIC~1\tmp48E.tmp.exe
C:\DOCUME~1\Shayne\APPLIC~1\tmp48F.tmp.exe
C:\DOCUME~1\Shayne\APPLIC~1\tmp5.tmp.exe
C:\DOCUME~1\Shayne\APPLIC~1\tmp52.tmp.exe
C:\DOCUME~1\Shayne\APPLIC~1\tmp9.tmp.exe
C:\DOCUME~1\Shayne\APPLIC~1\tmpB.tmp.exe
C:\DOCUME~1\Shayne\APPLIC~1\tmpCF.tmp.exe
C:\DOCUME~1\Shayne\APPLIC~1\tmpD.tmp.exe
C:\DOCUME~1\Shayne\APPLIC~1\tmpD1.tmp.exe
C:\DOCUME~1\Shayne\APPLIC~1\tmpE.tmp.exe
C:\DOCUME~1\Shayne\Desktop.\internet explorer.lnk
C:\WINDOWS\system32\dndcc883cf.dat
C:\WINDOWS\system32\kbdfrm.dll
C:\WINDOWS\system32\pmkhf.exe
C:\WINDOWS\system32\tmp3.tmp.dll
C:\WINDOWS\system32\tmp4.tmp.dll
C:\WINDOWS\system32\tmp48F.tmp.dll
C:\WINDOWS\system32\tmp5.tmp.dll
C:\WINDOWS\system32\tmp52.tmp.dll
C:\WINDOWS\system32\tmpB.tmp.dll
C:\WINDOWS\system32\tmpD1.tmp.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-07-02 to 2007-08-02 )))))))))))))))))))))))))))))))


2007-08-02 01:04 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-02 00:52 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-08-02 00:45 131,464 --a------ C:\WINDOWS\nnonml.dll
2007-08-02 00:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-01 22:26 <DIR> d-------- C:\VundoFix Backups
2007-08-01 21:13 131,491 --a------ C:\WINDOWS\hgdcbx.dll
2007-08-01 14:19 <DIR> d-------- C:\WINDOWS\pss
2007-08-01 14:16 131,491 --a------ C:\WINDOWS\ursrop.dll
2007-08-01 13:13 131,491 --a------ C:\WINDOWS\fcbxwx.dll
2007-08-01 12:27 2,798 --a------ C:\WINDOWS\system32\ealregsnapshot1.reg
2007-08-01 12:14 131,491 --a------ C:\WINDOWS\tuvvut.dll
2007-08-01 12:13 119,236 --a------ C:\WINDOWS\system32\vtutq.exe
2007-08-01 11:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Autodesk
2007-08-01 11:27 <DIR> d-------- C:\Program Files\backburner 2
2007-08-01 11:27 <DIR> d-------- C:\3dsmax7
2007-08-01 10:53 <DIR> d-------- C:\DOCUME~1\Shayne\APPLIC~1\Temp
2007-07-24 17:35 5,504 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
2007-07-24 17:35 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2007-07-24 17:35 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2007-07-24 17:35 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll
2007-07-24 17:35 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2007-07-24 17:35 125,184 --------- C:\WINDOWS\system32\drivers\imagesrv.sys
2007-07-24 17:35 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2007-07-24 17:35 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2007-07-24 17:09 569,344 -ra------ C:\WINDOWS\system32\imagr5.dll
2007-07-24 17:09 544,768 -ra------ C:\WINDOWS\system32\imagx5.dll
2007-07-24 17:09 38,912 --------- C:\WINDOWS\system32\picn20.dll
2007-07-24 17:09 283,920 -ra------ C:\WINDOWS\system32\ImagXpr5.dll
2007-07-24 17:08 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-07-24 17:08 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-07-24 17:08 <DIR> d-------- C:\Program Files\Ahead
2007-07-16 19:32 <DIR> d-------- C:\Program Files\Roxio
2007-07-16 19:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Roxio
2007-07-16 19:31 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-02 01:12 --------- d-------- C:\Program Files\Viewpoint
2007-08-01 11:59 --------- d-------- C:\Program Files\Common Files\Autodesk Shared
2007-08-01 11:25 --------- d-------- C:\Program Files\Autodesk
2007-07-27 17:07 783224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-07-27 17:02 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-27 17:02 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-27 17:00 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-27 16:59 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-27 16:58 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-27 16:57 95608 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-07-24 17:36 --------- d-------- C:\DOCUME~1\Shayne\APPLIC~1\Ahead
2007-07-13 22:44 22328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-07-13 22:44 103736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-06-15 11:32 10856 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-06-15 11:03 43602 --a------ C:\WINDOWS\system32\xvid-uninstall.exe
2007-06-15 11:03 --------- d-------- C:\Program Files\Gabest
2007-06-15 11:03 --------- d-------- C:\Program Files\AviSynth 2.5
2007-06-15 10:56 --------- d-------- C:\Program Files\DVD Decrypter
2007-06-15 10:50 --------- d-------- C:\DOCUME~1\Shayne\APPLIC~1\Roxio
2007-06-13 12:12 --------- d-------- C:\Program Files\Teamspeak2_RC2
2007-06-13 12:12 --------- d-------- C:\DOCUME~1\Shayne\APPLIC~1\teamspeak2
2007-06-13 09:17 --------- d-------- C:\Program Files\Shareaza
2007-06-08 08:35 --------- d-------- C:\Program Files\Yahoo!
2007-06-07 20:24 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-06-07 17:37 --------- d-------- C:\Program Files\DVD Shrink
2007-06-07 01:05 --------- d-------- C:\DOCUME~1\Shayne\APPLIC~1\uTorrent
2007-06-04 17:46 --------- d-------- C:\Program Files\NVIDIA Corporation
2007-06-04 10:09 --------- d-------- C:\DOCUME~1\Shayne\APPLIC~1\BitTorrent
2007-05-16 10:12 86528 --a--c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 10:12 85504 --a--c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 10:12 683520 --a--c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 10:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 10:12 510976 --a--c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 10:12 1314816 --a--c--- C:\WINDOWS\system32\dllcache\msoe.dll
2007-05-08 04:24 3583488 --a--c--- C:\WINDOWS\system32\dllcache\mshtml.dll
2004-08-04 12:00:00 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 12:00:00 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 12:00:00 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2004-08-04 12:00:00 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 12:00:00 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 12:00:00 343,040 --sh--w C:\WINDOWS\system32\msvcrt.dll
2004-08-04 12:00:00 553,472 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 12:00:00 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
2004-08-04 12:00:00 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ptipbmf"="ptipbmf.dll" [2003-06-20 10:06 C:\WINDOWS\system32\ptipbmf.dll]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2003-12-01 12:38]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 04:50 C:\WINDOWS\LOGI_MWX.EXE]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-07-13 15:11]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 19:07]
"CTHelper"="CTHELPER.EXE" [2006-05-23 23:20 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-05-23 23:20 C:\WINDOWS\system32\CTXFIHLP.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-10-25 09:55]
"HPHmon03"="C:\WINDOWS\system32\hphmon03.exe" [2001-10-25 09:55]
"CXMon"="C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-09-19 11:18]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-27 17:03]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2003-07-03 01:00]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 18:41]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 09:57]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"PinnacleDriverCheck"="C:\WINDOWS\system32\\PSDrvCheck.exe" [2004-03-11 00:26]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-03-21 07:57]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"Steam"="" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingB625"=command /c del "C:\WINDOWS\system32\qwerty12.exe_tobedeleted_old"
"SpybotDeletingD4430"=cmd /c del "C:\WINDOWS\system32\qwerty12.exe_tobedeleted_old"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingA2011"=command /c del "C:\WINDOWS\system32\qwerty12.exe_tobedeleted_old"
"SpybotDeletingC3903"=cmd /c del "C:\WINDOWS\system32\qwerty12.exe_tobedeleted_old"

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2007-02-12 21:09:34]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-02-19 22:07:20]
Loadout Manager.lnk - C:\Program Files\Belkin\Nostromo\nost_LM.exe [2004-04-06 16:49:02]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\windows\system32\awtqrol.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
"C:\Program Files\Electronic Arts\EA Link\Core.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"

R0 fasttx2k;fasttx2k;C:\WINDOWS\system32\drivers\fasttx2k.sys
R0 iaStor;Intel Integrated RAID;C:\WINDOWS\system32\DRIVERS\iaStor.sys
R1 Cdr4_xp;Cdr4_xp;C:\WINDOWS\system32\drivers\Cdr4_xp.sys
R1 Cdralw2k;Cdralw2k;C:\WINDOWS\system32\drivers\Cdralw2k.sys
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
R1 papycpu2;papycpu2;C:\WINDOWS\system32\DRIVERS\papycpu2.sys
R1 papyjoy;papyjoy;C:\WINDOWS\system32\DRIVERS\papyjoy.sys
R1 PCLEPCI;PCLEPCI;\??\C:\WINDOWS\system32\drivers\pclepci.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UDFReadr;UDFReadr;C:\WINDOWS\system32\drivers\UDFReadr.sys
R2 aslm75;aslm75;\??\C:\WINDOWS\system32\drivers\aslm75.sys
R3 ASAPIW2K;ASAPIW2K;C:\WINDOWS\system32\Drivers\ASAPIW2K.sys
R3 ATIAVAIW;ATI T200 Unified AVStream service;C:\WINDOWS\system32\DRIVERS\atinavt2.sys
R3 bcgame;Nostromo HID Device Minidriver;C:\WINDOWS\system32\drivers\bcgame.sys
R3 Dot4 HPH09;Dot4 HPH09;C:\WINDOWS\system32\DRIVERS\hphid409.sys
R3 Dot4Print HPH09;Print Class Driver for IEEE-1284.4 HPH09;C:\WINDOWS\system32\DRIVERS\hphipr09.sys
R3 Dot4Usb HPH09;Dot4Usb HPH09;C:\WINDOWS\system32\drivers\hphius09.sys
R3 dtscsi;dtscsi;C:\WINDOWS\system32\Drivers\dtscsi.sys
R3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
R3 E1000;Intel® PRO/1000 Adapter Driver;C:\WINDOWS\system32\DRIVERS\e1000325.sys
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys
R3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmFilter;Logitech Gaming HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
R3 WmHidLo;Logitech Gaming USB Filter Driver;C:\WINDOWS\system32\drivers\WmHidLo.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S3 ATI Remote Wonder II;ATI Remote Wonder II;C:\WINDOWS\system32\drivers\ATIRWVD.SYS
S3 atinevxx;ATI WDM Rage Theater Video NSP;C:\WINDOWS\system32\DRIVERS\atinevxx.sys
S3 atinrvxx;ATI WDM Rage Theater Video;C:\WINDOWS\system32\DRIVERS\atinrvxx.sys
S3 Dot4Storage HPH09;Storage Class Driver for IEEE-1284.4 (HPH09);C:\WINDOWS\system32\Drivers\hphs2k09.sys
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0;c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
S3 idsvc;Windows CardSpace;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"
S3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
S3 MPE;BDA MPE Filter;C:\WINDOWS\system32\DRIVERS\MPE.sys
S3 MVDCODEC;ATI WDM Specialized MVD Codec;C:\WINDOWS\system32\DRIVERS\atinmdxx.sys
S3 PnkBstrK;PnkBstrK;\??\C:\WINDOWS\system32\drivers\PnkBstrK.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys
S3 yeddef;YEDDEF driver;C:\WINDOWS\system32\Drivers\yeddef.sys
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"

*Newly Created Service* - AVGASCLN

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-02 01:12:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-02 1:13:48 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-02 01:13

--- E O F ---

#4 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • 8,632 posts
  • Interests:Woodworking

Posted 02 August 2007 - 11:20 AM

The following disabling of some of your protective software is essential to the success of the fix:

A. While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
  • Now with both Spybot and Tea Timer shut down:
  • Download ResetTeaTimer.bat.
  • Double click ResetTeaTimer.bat to remove all entries set by TeaTimer

B. Please disable AVG AntiSpyware by opening the program and on the Status page - beside "Resident Shield" click on "change status" so that it says "inactive" for it may interfere with our HJT fix.
  • Remember to reactivate these features when all our work is finished.

C. 1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Files::
C:\WINDOWS\nnonml.dll
C:\WINDOWS\hgdcbx.dll
C:\WINDOWS\ursrop.dll
C:\WINDOWS\fcbxwx.dll
C:\WINDOWS\tuvvut.dll
C:\WINDOWS\system32\vtutq.exe
c:\windows\system32\awtqrol.dll

Folders::
C:\Program Files\Viewpoint
C:\VundoFix Backups

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=""
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{03F998B2-0E00-11D3-A498-00104B6EB52E}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"=-
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="" 
[-HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


Posted Image

#5 sloc0005

sloc0005

    New Member

  • Authentic Member
  • 7 posts

Posted 02 August 2007 - 11:41 AM

Trevuren,

Thanks for all the help I really appreciate it very much. I have posted the requested logs below.

Thanks,

Sloc0005

Logfile of HijackThis v1.99.1
Scan saved at 12:37:39 PM, on 8/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\YEDIEx.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
G:\Backup of Hardrive C\Documents and Settings\Shayne\Virus Removal\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://radar.weather.gov
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1171259519781
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: YEDIEx - Unknown owner - C:\WINDOWS\system32\YEDIEx.exe


ComboFix 07-08-02.2 - "Shayne" 2007-08-02 12:31:30.2 [GMT -5:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True
Command switches used :: C:\Documents and Settings\Shayne\My Documents\Viras Removal Tools\CFScript.txt


((((((((((((((((((((((((( Files Created from 2007-07-02 to 2007-08-02 )))))))))))))))))))))))))))))))


2007-08-02 01:04 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-02 00:52 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-08-02 00:45 131,464 --a------ C:\WINDOWS\nnonml.dll
2007-08-02 00:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-01 22:26 <DIR> d-------- C:\VundoFix Backups
2007-08-01 21:13 131,491 --a------ C:\WINDOWS\hgdcbx.dll
2007-08-01 14:19 <DIR> d-------- C:\WINDOWS\pss
2007-08-01 14:16 131,491 --a------ C:\WINDOWS\ursrop.dll
2007-08-01 13:13 131,491 --a------ C:\WINDOWS\fcbxwx.dll
2007-08-01 12:27 2,798 --a------ C:\WINDOWS\system32\ealregsnapshot1.reg
2007-08-01 12:14 131,491 --a------ C:\WINDOWS\tuvvut.dll
2007-08-01 12:13 119,236 --a------ C:\WINDOWS\system32\vtutq.exe
2007-08-01 11:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Autodesk
2007-08-01 11:27 <DIR> d-------- C:\Program Files\backburner 2
2007-08-01 11:27 <DIR> d-------- C:\3dsmax7
2007-08-01 10:53 <DIR> d-------- C:\DOCUME~1\Shayne\APPLIC~1\Temp
2007-07-24 17:35 5,504 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
2007-07-24 17:35 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2007-07-24 17:35 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2007-07-24 17:35 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll
2007-07-24 17:35 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2007-07-24 17:35 125,184 --------- C:\WINDOWS\system32\drivers\imagesrv.sys
2007-07-24 17:35 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2007-07-24 17:35 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2007-07-24 17:09 569,344 -ra------ C:\WINDOWS\system32\imagr5.dll
2007-07-24 17:09 544,768 -ra------ C:\WINDOWS\system32\imagx5.dll
2007-07-24 17:09 38,912 --------- C:\WINDOWS\system32\picn20.dll
2007-07-24 17:09 283,920 -ra------ C:\WINDOWS\system32\ImagXpr5.dll
2007-07-24 17:08 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-07-24 17:08 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-07-24 17:08 <DIR> d-------- C:\Program Files\Ahead
2007-07-16 19:32 <DIR> d-------- C:\Program Files\Roxio
2007-07-16 19:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Roxio
2007-07-16 19:31 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-02 01:12 --------- d-------- C:\Program Files\Viewpoint
2007-08-01 11:59 --------- d-------- C:\Program Files\Common Files\Autodesk Shared
2007-08-01 11:25 --------- d-------- C:\Program Files\Autodesk
2007-07-27 17:07 783224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-07-27 17:02 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-27 17:02 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-27 17:00 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-27 16:59 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-27 16:58 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-27 16:57 95608 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-07-24 17:36 --------- d-------- C:\DOCUME~1\Shayne\APPLIC~1\Ahead
2007-07-13 22:44 22328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-07-13 22:44 103736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-06-15 11:32 10856 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-06-15 11:03 43602 --a------ C:\WINDOWS\system32\xvid-uninstall.exe
2007-06-15 11:03 --------- d-------- C:\Program Files\Gabest
2007-06-15 11:03 --------- d-------- C:\Program Files\AviSynth 2.5
2007-06-15 10:56 --------- d-------- C:\Program Files\DVD Decrypter
2007-06-15 10:50 --------- d-------- C:\DOCUME~1\Shayne\APPLIC~1\Roxio
2007-06-13 12:12 --------- d-------- C:\Program Files\Teamspeak2_RC2
2007-06-13 12:12 --------- d-------- C:\DOCUME~1\Shayne\APPLIC~1\teamspeak2
2007-06-13 09:17 --------- d-------- C:\Program Files\Shareaza
2007-06-08 08:35 --------- d-------- C:\Program Files\Yahoo!
2007-06-07 20:24 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-06-07 17:37 --------- d-------- C:\Program Files\DVD Shrink
2007-06-07 01:05 --------- d-------- C:\DOCUME~1\Shayne\APPLIC~1\uTorrent
2007-06-04 17:46 --------- d-------- C:\Program Files\NVIDIA Corporation
2007-06-04 10:09 --------- d-------- C:\DOCUME~1\Shayne\APPLIC~1\BitTorrent
2007-05-16 10:12 86528 --a--c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 10:12 85504 --a--c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 10:12 683520 --a--c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 10:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 10:12 510976 --a--c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 10:12 1314816 --a--c--- C:\WINDOWS\system32\dllcache\msoe.dll
2007-05-08 04:24 3583488 --a--c--- C:\WINDOWS\system32\dllcache\mshtml.dll
2004-08-04 12:00:00 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 12:00:00 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 12:00:00 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2004-08-04 12:00:00 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 12:00:00 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 12:00:00 343,040 --sh--w C:\WINDOWS\system32\msvcrt.dll
2004-08-04 12:00:00 553,472 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 12:00:00 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
2004-08-04 12:00:00 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ptipbmf"="ptipbmf.dll" [2003-06-20 10:06 C:\WINDOWS\system32\ptipbmf.dll]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2003-12-01 12:38]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 04:50 C:\WINDOWS\LOGI_MWX.EXE]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-07-13 15:11]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 19:07]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-05-23 23:20 C:\WINDOWS\system32\CTXFIHLP.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-10-25 09:55]
"HPHmon03"="C:\WINDOWS\system32\hphmon03.exe" [2001-10-25 09:55]
"CXMon"="C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-09-19 11:18]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-27 17:03]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2003-07-03 01:00]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 18:41]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 09:57]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"PinnacleDriverCheck"="C:\WINDOWS\system32\\PSDrvCheck.exe" [2004-03-11 00:26]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-03-21 07:57]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"Steam"="" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2007-02-12 21:09:34]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-02-19 22:07:20]
Loadout Manager.lnk - C:\Program Files\Belkin\Nostromo\nost_LM.exe [2004-04-06 16:49:02]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
"C:\Program Files\Electronic Arts\EA Link\Core.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"

R0 fasttx2k;fasttx2k;C:\WINDOWS\system32\drivers\fasttx2k.sys
R0 iaStor;Intel Integrated RAID;C:\WINDOWS\system32\DRIVERS\iaStor.sys
R1 Cdr4_xp;Cdr4_xp;C:\WINDOWS\system32\drivers\Cdr4_xp.sys
R1 Cdralw2k;Cdralw2k;C:\WINDOWS\system32\drivers\Cdralw2k.sys
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
R1 papycpu2;papycpu2;C:\WINDOWS\system32\DRIVERS\papycpu2.sys
R1 papyjoy;papyjoy;C:\WINDOWS\system32\DRIVERS\papyjoy.sys
R1 PCLEPCI;PCLEPCI;\??\C:\WINDOWS\system32\drivers\pclepci.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UDFReadr;UDFReadr;C:\WINDOWS\system32\drivers\UDFReadr.sys
R2 aslm75;aslm75;\??\C:\WINDOWS\system32\drivers\aslm75.sys
R3 ASAPIW2K;ASAPIW2K;C:\WINDOWS\system32\Drivers\ASAPIW2K.sys
R3 ATIAVAIW;ATI T200 Unified AVStream service;C:\WINDOWS\system32\DRIVERS\atinavt2.sys
R3 bcgame;Nostromo HID Device Minidriver;C:\WINDOWS\system32\drivers\bcgame.sys
R3 Dot4 HPH09;Dot4 HPH09;C:\WINDOWS\system32\DRIVERS\hphid409.sys
R3 Dot4Print HPH09;Print Class Driver for IEEE-1284.4 HPH09;C:\WINDOWS\system32\DRIVERS\hphipr09.sys
R3 Dot4Usb HPH09;Dot4Usb HPH09;C:\WINDOWS\system32\drivers\hphius09.sys
R3 dtscsi;dtscsi;C:\WINDOWS\system32\Drivers\dtscsi.sys
R3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
R3 E1000;Intel® PRO/1000 Adapter Driver;C:\WINDOWS\system32\DRIVERS\e1000325.sys
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys
R3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmFilter;Logitech Gaming HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
R3 WmHidLo;Logitech Gaming USB Filter Driver;C:\WINDOWS\system32\drivers\WmHidLo.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S3 ATI Remote Wonder II;ATI Remote Wonder II;C:\WINDOWS\system32\drivers\ATIRWVD.SYS
S3 atinevxx;ATI WDM Rage Theater Video NSP;C:\WINDOWS\system32\DRIVERS\atinevxx.sys
S3 atinrvxx;ATI WDM Rage Theater Video;C:\WINDOWS\system32\DRIVERS\atinrvxx.sys
S3 Dot4Storage HPH09;Storage Class Driver for IEEE-1284.4 (HPH09);C:\WINDOWS\system32\Drivers\hphs2k09.sys
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0;c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
S3 idsvc;Windows CardSpace;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"
S3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
S3 MPE;BDA MPE Filter;C:\WINDOWS\system32\DRIVERS\MPE.sys
S3 MVDCODEC;ATI WDM Specialized MVD Codec;C:\WINDOWS\system32\DRIVERS\atinmdxx.sys
S3 PnkBstrK;PnkBstrK;\??\C:\WINDOWS\system32\drivers\PnkBstrK.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys
S3 yeddef;YEDDEF driver;C:\WINDOWS\system32\Drivers\yeddef.sys
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"

*Newly Created Service* - AVGASCLN

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-02 12:33:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-02 12:34:03
C:\ComboFix-quarantined-files.txt ... 2007-08-02 12:33
C:\ComboFix2.txt ... 2007-08-02 01:13

--- E O F ---

Edited by sloc0005, 02 August 2007 - 11:42 AM.
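The ComboFix log above is what the helper's removal script was built from: five DLLs of nearly identical size dropped straight into C:\WINDOWS within about twelve hours, a short-named .exe created in system32 in the same window, and a DLL registered under AppInit_DLLs (which the Registry:: block in post #4 clears). The following Python script is an added example, not part of the thread and not ComboFix's code, that runs those same triage heuristics over an excerpt of the "Files Created" and "Reg Loading Points" lines copied from the log above. The size-bucket granularity, the 24-hour window, the short-alphabetic-name pattern and the allowlist containing nircmd.exe (assumed here to be ComboFix's own helper executable) are assumptions made for this example, not anything the thread states; the output is a list of reasons per path, a starting point for review rather than a verdict.

```python
"""Triage heuristics for a ComboFix "Files Created" listing.

Added example for this thread; not ComboFix's code and not part of any post.
Thresholds and the allowlist are assumptions chosen for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Excerpt copied from the ComboFix log posted above (file lines plus the
# AppInit_DLLs loading point), used here as constructed sample input.
SAMPLE_LOG = r"""
2007-08-02 01:04 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-02 00:52 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-08-02 00:45 131,464 --a------ C:\WINDOWS\nnonml.dll
2007-08-02 00:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-01 21:13 131,491 --a------ C:\WINDOWS\hgdcbx.dll
2007-08-01 14:16 131,491 --a------ C:\WINDOWS\ursrop.dll
2007-08-01 13:13 131,491 --a------ C:\WINDOWS\fcbxwx.dll
2007-08-01 12:27 2,798 --a------ C:\WINDOWS\system32\ealregsnapshot1.reg
2007-08-01 12:14 131,491 --a------ C:\WINDOWS\tuvvut.dll
2007-08-01 12:13 119,236 --a------ C:\WINDOWS\system32\vtutq.exe
2007-07-24 17:08 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\windows\system32\awtqrol.dll
"""

# "YYYY-MM-DD HH:MM[:SS]  size|<DIR>|---------  attrs  path"
FILE_LINE = re.compile(
    r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})(?::\d{2})?\s+([\d,]+|<DIR>|-+)\s+(\S+)\s+(.+)$')
APPINIT_LINE = re.compile(r'^"appinit_dlls"=(.*)$', re.IGNORECASE)
SHORT_ALPHA_NAME = re.compile(r'^[a-z]{5,7}\.(?:dll|exe)$')   # e.g. nnonml.dll
WINDIR = r'c:\windows'
KNOWN_TOOL_FILES = {'nircmd.exe'}   # assumption: dropped by ComboFix itself


def parse_created(log_text):
    """Return file entries (directories skipped) from Files Created / Find3M lines."""
    entries = []
    for raw in log_text.splitlines():
        m = FILE_LINE.match(raw.strip())
        if not m or not m.group(2)[0].isdigit():      # <DIR> or --------- rows
            continue
        ts, size, attrs, path = m.groups()
        entries.append({'time': datetime.strptime(ts, '%Y-%m-%d %H:%M'),
                        'size': int(size.replace(',', '')),
                        'attrs': attrs, 'path': path})
    return entries


def appinit_dlls(log_text):
    """Return the AppInit_DLLs value from the Reg Loading Points section, or ''."""
    for raw in log_text.splitlines():
        m = APPINIT_LINE.match(raw.strip())
        if m:
            return m.group(1).strip().strip('"')
    return ''


def split_path(path):
    directory, _, name = path.rpartition('\\')
    return directory.lower(), name


def triage(log_text, window=timedelta(hours=24), min_cluster=3):
    """Map suspicious paths to the list of heuristics each one tripped."""
    findings = defaultdict(list)
    execs = [e for e in parse_created(log_text)
             if split_path(e['path'])[1].lower().endswith(('.dll', '.exe'))]

    # 1. Several executables of near-identical size landing in one directory
    #    within a short window: the footprint of a dropper writing variants.
    buckets = defaultdict(list)
    for e in execs:
        buckets[(split_path(e['path'])[0], e['size'] // 1024)].append(e)
    for (directory, kib), members in buckets.items():
        times = sorted(e['time'] for e in members)
        if len(members) >= min_cluster and times[-1] - times[0] <= window:
            for e in members:
                findings[e['path']].append(
                    f'size cluster: {len(members)} executables of ~{kib} KiB in {directory}')

    for e in execs:
        directory, name = split_path(e['path'])
        if name.lower() in KNOWN_TOOL_FILES:
            continue
        # 2. Installers put binaries under Program Files or system32, not in
        #    the root of %WINDIR%.
        if directory == WINDIR:
            findings[e['path']].append('executable dropped directly into %WINDIR%')
        # 3. Short, purely alphabetic names with no vendor prefix inside the
        #    Windows tree.
        if directory.startswith(WINDIR) and SHORT_ALPHA_NAME.match(name):
            findings[e['path']].append('short random-looking file name')

    # 4. AppInit_DLLs is loaded into every process that links user32.dll, so a
    #    non-empty value is always worth inspecting; post #4's script clears it.
    dll = appinit_dlls(log_text)
    if dll:
        findings[dll].append('registered in AppInit_DLLs')
    return dict(findings)


if __name__ == '__main__':
    for path, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(path)
        for reason in reasons:
            print('   -', reason)
```

Run as-is it prints the seven paths the helper's script targets (the five C:\WINDOWS DLLs trip all three file rules, vtutq.exe only the name rule, awtqrol.dll the AppInit rule) and nothing else from the excerpt; nircmd.exe is suppressed only because of the allowlist, which is exactly where a triage script needs the operator's knowledge of which tools were run on the box.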


#6 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • 8,632 posts
  • Interests:Woodworking

Posted 02 August 2007 - 11:59 AM

Sorry, I made a slight error in the script I gave you to run, so part of it did not run. I added an "s". These tools are finicky.

Please rerun the following with all the security programs Totally disabled.


1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\nnonml.dll
C:\WINDOWS\hgdcbx.dll
C:\WINDOWS\ursrop.dll
C:\WINDOWS\fcbxwx.dll
C:\WINDOWS\tuvvut.dll
C:\WINDOWS\system32\vtutq.exe
c:\windows\system32\awtqrol.dll

Folder::
C:\Program Files\Viewpoint
C:\VundoFix Backups


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

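Post #4's script used the headers "Files::" and "Folders::"; ComboFix expects "File::" and "Folder::", and as post #6 explains it simply did not act on the misnamed sections. A lint pass before dragging CFScript.txt onto ComboFix.exe catches that class of mistake. The Python script below is an added example, not ComboFix's own code and not part of any post: it splits a CFScript into directive sections, flags any header not in its known list with a closest-match suggestion, and sanity-checks File::/Folder:: entries as absolute Windows paths and Registry:: entries as .reg-style key lines ("[KEY]" or "[-KEY]" to delete the key) or value lines ("name"=- deletes the value, "name"="" sets it empty). File::, Folder:: and Registry:: are the directives this thread uses; the other names in KNOWN_DIRECTIVES are assumed from later ComboFix documentation and should be checked against the version actually in use. The first embedded script is copied from post #4; post #6's script is the same File::/Folder:: lists with corrected headers and no Registry:: section, so it is derived from the first here.

```python
"""Lint a ComboFix CFScript.txt before dragging it onto ComboFix.exe.

Added example for this thread, not ComboFix's own code. File::, Folder:: and
Registry:: are the directives the thread uses; the rest of KNOWN_DIRECTIVES
are assumed from later ComboFix documentation (check against your version).
"""
import re
from difflib import get_close_matches

KNOWN_DIRECTIVES = {'File::', 'Folder::', 'Registry::', 'Driver::', 'Dirlook::',
                    'Filelook::', 'DDS::', 'KillAll::', 'Rootkit::', 'Collect::',
                    'NetSvc::', 'ClearJavaCache::'}
PATH_DIRECTIVES = {'File::', 'Folder::', 'Dirlook::', 'Filelook::'}

HEADER = re.compile(r'^([A-Za-z]+::)$')
WIN_PATH = re.compile(r'^[A-Za-z]:\\[^"*?<>|]+$')
# .reg conventions: [-KEY] deletes a key, "name"=- deletes a value
REG_KEY = re.compile(r'^\[-?HKEY_[A-Z_]+\\.+\]$', re.IGNORECASE)
REG_VALUE = re.compile(r'^"[^"]*"=(?:-|"[^"]*"|dword:[0-9a-f]{8}|hex(?:\([0-9a-f]+\))?:.*)$',
                       re.IGNORECASE)

# Copied from post #4 (headers misspelled, as post #6 points out).
SCRIPT_POST4 = r"""
Files::
C:\WINDOWS\nnonml.dll
C:\WINDOWS\hgdcbx.dll
C:\WINDOWS\ursrop.dll
C:\WINDOWS\fcbxwx.dll
C:\WINDOWS\tuvvut.dll
C:\WINDOWS\system32\vtutq.exe
c:\windows\system32\awtqrol.dll

Folders::
C:\Program Files\Viewpoint
C:\VundoFix Backups

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=""
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{03F998B2-0E00-11D3-A498-00104B6EB52E}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"=-
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""
[-HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
"""

# Post #6: same File::/Folder:: lists, corrected headers, no Registry:: block.
SCRIPT_POST6 = (SCRIPT_POST4.split('\nRegistry::')[0]
                .replace('Files::', 'File::').replace('Folders::', 'Folder::'))


def lint_cfscript(text):
    """Return (sections, problems): directive -> its lines, plus readable issues."""
    sections, problems, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            if current not in KNOWN_DIRECTIVES:
                hint = get_close_matches(current, sorted(KNOWN_DIRECTIVES), n=1, cutoff=0.6)
                problems.append(f'line {lineno}: unknown directive {current!r}'
                                + (f', did you mean {hint[0]!r}?' if hint else '')
                                + ' (this section will not run)')
            sections.setdefault(current, [])
            continue
        if current is None:
            problems.append(f'line {lineno}: {line!r} appears before any directive header')
            continue
        sections[current].append(line)
        if current in PATH_DIRECTIVES and not WIN_PATH.match(line):
            problems.append(f'line {lineno}: {line!r} is not an absolute Windows path')
        elif current == 'Registry::' and not (REG_KEY.match(line) or REG_VALUE.match(line)):
            problems.append(f'line {lineno}: {line!r} is neither a [KEY]/[-KEY] line '
                            'nor a "name"=value line')
    return sections, problems


if __name__ == '__main__':
    for label, script in (('post #4', SCRIPT_POST4), ('post #6', SCRIPT_POST6)):
        sections, problems = lint_cfscript(script)
        print(label, {k: len(v) for k, v in sections.items()}, problems or 'OK')
```

Against post #4's script the linter reports both misspelled headers with the intended spelling; post #6's passes clean. The Registry:: lines in post #4 were fine, which matches the thread: only the File:: and Folder:: parts were skipped on the first run.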

#7 sloc0005

sloc0005

    New Member

  • Authentic Member
  • 7 posts

Posted 02 August 2007 - 12:51 PM

Logfile of HijackThis v1.99.1
Scan saved at 1:48:32 PM, on 8/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\YEDIEx.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
G:\Backup of Hardrive C\Documents and Settings\Shayne\Virus Removal\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://radar.weather.gov
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1171259519781
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: YEDIEx - Unknown owner - C:\WINDOWS\system32\YEDIEx.exe


ComboFix 07-08-02.2 - "Shayne" 2007-08-02 13:19:56.3 [GMT -5:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True
Command switches used :: C:\Documents and Settings\Shayne\My Documents\Viras Removal Tools\CFSript.txt


((((((((((((((((((((((((( Files Created from 2007-07-02 to 2007-08-02 )))))))))))))))))))))))))))))))


2007-08-02 01:04 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-02 00:52 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-08-02 00:45 131,464 --a------ C:\WINDOWS\nnonml.dll
2007-08-02 00:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-01 22:26 <DIR> d-------- C:\VundoFix Backups
2007-08-01 21:13 131,491 --a------ C:\WINDOWS\hgdcbx.dll
2007-08-01 14:19 <DIR> d-------- C:\WINDOWS\pss
2007-08-01 14:16 131,491 --a------ C:\WINDOWS\ursrop.dll
2007-08-01 13:13 131,491 --a------ C:\WINDOWS\fcbxwx.dll
2007-08-01 12:27 2,798 --a------ C:\WINDOWS\system32\ealregsnapshot1.reg
2007-08-01 12:14 131,491 --a------ C:\WINDOWS\tuvvut.dll
2007-08-01 12:13 119,236 --a------ C:\WINDOWS\system32\vtutq.exe
2007-08-01 11:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Autodesk
2007-08-01 11:27 <DIR> d-------- C:\Program Files\backburner 2
2007-08-01 11:27 <DIR> d-------- C:\3dsmax7
2007-08-01 10:53 <DIR> d-------- C:\DOCUME~1\Shayne\APPLIC~1\Temp
2007-07-24 17:35 5,504 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
2007-07-24 17:35 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2007-07-24 17:35 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2007-07-24 17:35 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll
2007-07-24 17:35 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2007-07-24 17:35 125,184 --------- C:\WINDOWS\system32\drivers\imagesrv.sys
2007-07-24 17:35 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2007-07-24 17:35 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2007-07-24 17:09 569,344 -ra------ C:\WINDOWS\system32\imagr5.dll
2007-07-24 17:09 544,768 -ra------ C:\WINDOWS\system32\imagx5.dll
2007-07-24 17:09 38,912 --------- C:\WINDOWS\system32\picn20.dll
2007-07-24 17:09 283,920 -ra------ C:\WINDOWS\system32\ImagXpr5.dll
2007-07-24 17:08 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-07-24 17:08 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-07-24 17:08 <DIR> d-------- C:\Program Files\Ahead
2007-07-16 19:32 <DIR> d-------- C:\Program Files\Roxio
2007-07-16 19:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Roxio
2007-07-16 19:31 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-02 01:12 --------- d-------- C:\Program Files\Viewpoint
2007-08-01 11:59 --------- d-------- C:\Program Files\Common Files\Autodesk Shared
2007-08-01 11:25 --------- d-------- C:\Program Files\Autodesk
2007-07-27 17:07 783224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-07-27 17:02 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-27 17:02 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-27 17:00 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-27 16:59 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-27 16:58 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-27 16:57 95608 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-07-24 17:36 --------- d-------- C:\DOCUME~1\Shayne\APPLIC~1\Ahead
2007-07-13 22:44 22328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-07-13 22:44 103736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-06-15 11:32 10856 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-06-15 11:03 43602 --a------ C:\WINDOWS\system32\xvid-uninstall.exe
2007-06-15 11:03 --------- d-------- C:\Program Files\Gabest
2007-06-15 11:03 --------- d-------- C:\Program Files\AviSynth 2.5
2007-06-15 10:56 --------- d-------- C:\Program Files\DVD Decrypter
2007-06-15 10:50 --------- d-------- C:\DOCUME~1\Shayne\APPLIC~1\Roxio
2007-06-13 12:12 --------- d-------- C:\Program Files\Teamspeak2_RC2
2007-06-13 12:12 --------- d-------- C:\DOCUME~1\Shayne\APPLIC~1\teamspeak2
2007-06-13 09:17 --------- d-------- C:\Program Files\Shareaza
2007-06-08 08:35 --------- d-------- C:\Program Files\Yahoo!
2007-06-07 20:24 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-06-07 17:37 --------- d-------- C:\Program Files\DVD Shrink
2007-06-07 01:05 --------- d-------- C:\DOCUME~1\Shayne\APPLIC~1\uTorrent
2007-06-04 17:46 --------- d-------- C:\Program Files\NVIDIA Corporation
2007-06-04 10:09 --------- d-------- C:\DOCUME~1\Shayne\APPLIC~1\BitTorrent
2007-05-16 10:12 86528 --a--c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 10:12 85504 --a--c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 10:12 683520 --a--c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 10:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 10:12 510976 --a--c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 10:12 1314816 --a--c--- C:\WINDOWS\system32\dllcache\msoe.dll
2007-05-08 04:24 3583488 --a--c--- C:\WINDOWS\system32\dllcache\mshtml.dll
2004-08-04 12:00:00 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 12:00:00 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 12:00:00 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2004-08-04 12:00:00 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 12:00:00 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 12:00:00 343,040 --sh--w C:\WINDOWS\system32\msvcrt.dll
2004-08-04 12:00:00 553,472 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 12:00:00 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
2004-08-04 12:00:00 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ptipbmf"="ptipbmf.dll" [2003-06-20 10:06 C:\WINDOWS\system32\ptipbmf.dll]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2003-12-01 12:38]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 04:50 C:\WINDOWS\LOGI_MWX.EXE]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-07-13 15:11]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 19:07]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-05-23 23:20 C:\WINDOWS\system32\CTXFIHLP.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-10-25 09:55]
"HPHmon03"="C:\WINDOWS\system32\hphmon03.exe" [2001-10-25 09:55]
"CXMon"="C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-09-19 11:18]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-27 17:03]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2003-07-03 01:00]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 18:41]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 09:57]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"PinnacleDriverCheck"="C:\WINDOWS\system32\\PSDrvCheck.exe" [2004-03-11 00:26]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-03-21 07:57]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"Steam"="" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2007-02-12 21:09:34]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-02-19 22:07:20]
Loadout Manager.lnk - C:\Program Files\Belkin\Nostromo\nost_LM.exe [2004-04-06 16:49:02]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
"C:\Program Files\Electronic Arts\EA Link\Core.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"

R0 fasttx2k;fasttx2k;C:\WINDOWS\system32\drivers\fasttx2k.sys
R0 iaStor;Intel Integrated RAID;C:\WINDOWS\system32\DRIVERS\iaStor.sys
R1 Cdr4_xp;Cdr4_xp;C:\WINDOWS\system32\drivers\Cdr4_xp.sys
R1 Cdralw2k;Cdralw2k;C:\WINDOWS\system32\drivers\Cdralw2k.sys
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
R1 papycpu2;papycpu2;C:\WINDOWS\system32\DRIVERS\papycpu2.sys
R1 papyjoy;papyjoy;C:\WINDOWS\system32\DRIVERS\papyjoy.sys
R1 PCLEPCI;PCLEPCI;\??\C:\WINDOWS\system32\drivers\pclepci.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UDFReadr;UDFReadr;C:\WINDOWS\system32\drivers\UDFReadr.sys
R2 aslm75;aslm75;\??\C:\WINDOWS\system32\drivers\aslm75.sys
R3 ASAPIW2K;ASAPIW2K;C:\WINDOWS\system32\Drivers\ASAPIW2K.sys
R3 ATIAVAIW;ATI T200 Unified AVStream service;C:\WINDOWS\system32\DRIVERS\atinavt2.sys
R3 bcgame;Nostromo HID Device Minidriver;C:\WINDOWS\system32\drivers\bcgame.sys
R3 Dot4 HPH09;Dot4 HPH09;C:\WINDOWS\system32\DRIVERS\hphid409.sys
R3 Dot4Print HPH09;Print Class Driver for IEEE-1284.4 HPH09;C:\WINDOWS\system32\DRIVERS\hphipr09.sys
R3 Dot4Usb HPH09;Dot4Usb HPH09;C:\WINDOWS\system32\drivers\hphius09.sys
R3 dtscsi;dtscsi;C:\WINDOWS\system32\Drivers\dtscsi.sys
R3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
R3 E1000;Intel® PRO/1000 Adapter Driver;C:\WINDOWS\system32\DRIVERS\e1000325.sys
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys
R3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmFilter;Logitech Gaming HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
R3 WmHidLo;Logitech Gaming USB Filter Driver;C:\WINDOWS\system32\drivers\WmHidLo.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S3 ATI Remote Wonder II;ATI Remote Wonder II;C:\WINDOWS\system32\drivers\ATIRWVD.SYS
S3 atinevxx;ATI WDM Rage Theater Video NSP;C:\WINDOWS\system32\DRIVERS\atinevxx.sys
S3 atinrvxx;ATI WDM Rage Theater Video;C:\WINDOWS\system32\DRIVERS\atinrvxx.sys
S3 Dot4Storage HPH09;Storage Class Driver for IEEE-1284.4 (HPH09);C:\WINDOWS\system32\Drivers\hphs2k09.sys
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0;c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
S3 idsvc;Windows CardSpace;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"
S3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
S3 MPE;BDA MPE Filter;C:\WINDOWS\system32\DRIVERS\MPE.sys
S3 MVDCODEC;ATI WDM Specialized MVD Codec;C:\WINDOWS\system32\DRIVERS\atinmdxx.sys
S3 PnkBstrK;PnkBstrK;\??\C:\WINDOWS\system32\drivers\PnkBstrK.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys
S3 yeddef;YEDDEF driver;C:\WINDOWS\system32\Drivers\yeddef.sys
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"

*Newly Created Service* - AVGASCLN

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-02 13:21:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-02 13:22:23
C:\ComboFix-quarantined-files.txt ... 2007-08-02 13:22
C:\ComboFix2.txt ... 2007-08-02 12:34
C:\ComboFix3.txt ... 2007-08-02 01:13

--- E O F ---
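
The pattern Trevuren picks out of the ComboFix "Files Created" section above (several same-size DLLs with throwaway six-letter names dropped into C:\WINDOWS within a day) can be checked mechanically. The script below is an added example, not ComboFix's or the forum's own code; the sample lines are copied from the log above, and the name heuristic and the watched directories are this editor's assumptions.

```python
"""Flag Vundo-style DLL clusters in a ComboFix "Files Created" listing."""
import re
from collections import defaultdict

# Lines copied from the ComboFix "Files Created" section of the log above.
# A real run would feed the whole ComboFix.txt in; this excerpt keeps the
# example self-contained.
SAMPLE_COMBOFIX = r"""
2007-08-02 01:04 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-02 00:52 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-08-02 00:45 131,464 --a------ C:\WINDOWS\nnonml.dll
2007-08-02 00:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-01 22:26 <DIR> d-------- C:\VundoFix Backups
2007-08-01 21:13 131,491 --a------ C:\WINDOWS\hgdcbx.dll
2007-08-01 14:19 <DIR> d-------- C:\WINDOWS\pss
2007-08-01 14:16 131,491 --a------ C:\WINDOWS\ursrop.dll
2007-08-01 13:13 131,491 --a------ C:\WINDOWS\fcbxwx.dll
2007-08-01 12:27 2,798 --a------ C:\WINDOWS\system32\ealregsnapshot1.reg
2007-08-01 12:14 131,491 --a------ C:\WINDOWS\tuvvut.dll
2007-08-01 12:13 119,236 --a------ C:\WINDOWS\system32\vtutq.exe
2007-07-24 17:08 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-07-24 17:09 38,912 --------- C:\WINDOWS\system32\picn20.dll
"""

# One ComboFix entry: date, time, size (or <DIR> / dashes), attribute
# string, then the path (which may itself contain spaces).
CREATED_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>|-+) (?P<attrs>[-a-z]{7,9}) (?P<path>.+)$"
)

# Heuristic (this editor's assumption, not a ComboFix rule): Virtumonde
# drops 5-7 letter, all-lowercase names such as hgdcbx.dll or tuvvut.dll.
RANDOM_NAME = re.compile(r"^[a-z]{5,7}\.(?:dll|exe)$")

# Directories where a freshly created, randomly named PE file is unusual.
WATCHED_DIRS = {"c:\\windows", "c:\\windows\\system32"}


def parse_created_section(text):
    """Turn ComboFix listing lines into dicts; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = CREATED_LINE.match(line.strip())
        if not m:
            continue
        raw_size = m.group("size")
        entries.append({
            "date": m.group("date"),
            "time": m.group("time"),
            # <DIR> and "---------" carry no size; keep them as None
            "size": int(raw_size.replace(",", "")) if raw_size[0].isdigit() else None,
            "attrs": m.group("attrs"),
            "path": m.group("path"),
        })
    return entries


def find_suspicious_clusters(entries, min_group=2):
    """Group random-named files in watched dirs by (directory, size).

    Several same-size files with throwaway names is the pattern a helper
    spots by eye; a lone hit (nircmd.exe here, dropped by ComboFix itself)
    is not reported.
    """
    groups = defaultdict(list)
    for e in entries:
        if e["size"] is None:
            continue
        directory, _, name = e["path"].rpartition("\\")
        if directory.lower() not in WATCHED_DIRS or not RANDOM_NAME.match(name):
            continue
        groups[(directory.lower(), e["size"])].append(e["path"])
    return {key: sorted(paths) for key, paths in groups.items() if len(paths) >= min_group}


def report(clusters):
    """Render clusters as lines a helper could paste into a reply."""
    lines = []
    for (directory, size), paths in sorted(clusters.items()):
        lines.append(f"{len(paths)} files of {size:,} bytes in {directory}:")
        lines.extend(f"  {p}" for p in paths)
    return lines


if __name__ == "__main__":
    found = find_suspicious_clusters(parse_created_section(SAMPLE_COMBOFIX))
    print("\n".join(report(found)) or "no clusters found")
```

Size clustering is a starting point, not a verdict: nnonml.dll (131,464 bytes) is a singleton by size and is not flagged, although it sits in the same directory and was later confirmed as the same adware family.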

#8 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 02 August 2007 - 02:18 PM

For some unknown reason, it is not removing the files and folders.

Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the content of the quotebox below to the clipboard by highlighting ALL of
    the file paths and pressing CTRL + C (or, after highlighting, right-click and choose
    copy):

    C:\WINDOWS\nnonml.dll
    C:\WINDOWS\hgdcbx.dll
    C:\WINDOWS\ursrop.dll
    C:\WINDOWS\fcbxwx.dll
    C:\WINDOWS\tuvvut.dll
    C:\WINDOWS\system32\vtutq.exe
    c:\windows\system32\awtqrol.dll
    C:\Program Files\Viewpoint
    C:\VundoFix Backups


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be
    moved"
    window and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot
the machine to finish the move process. If you are asked to reboot the machine
choose Yes.

Please "Copy" the results from the "Results" window (to the right) and then "Paste"
them into your next reply on the forum. Reboot into Normal Mode if you have to reboot.
Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


Posted Image

#9 sloc0005

sloc0005

    New Member

  • Authentic Member
  • Pip
  • 7 posts

Posted 02 August 2007 - 02:26 PM

DllUnregisterServer procedure not found in C:\WINDOWS\nnonml.dll
C:\WINDOWS\nnonml.dll NOT unregistered.
C:\WINDOWS\nnonml.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\hgdcbx.dll
C:\WINDOWS\hgdcbx.dll NOT unregistered.
C:\WINDOWS\hgdcbx.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\ursrop.dll
C:\WINDOWS\ursrop.dll NOT unregistered.
C:\WINDOWS\ursrop.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\fcbxwx.dll
C:\WINDOWS\fcbxwx.dll NOT unregistered.
C:\WINDOWS\fcbxwx.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\tuvvut.dll
C:\WINDOWS\tuvvut.dll NOT unregistered.
C:\WINDOWS\tuvvut.dll moved successfully.
C:\WINDOWS\system32\vtutq.exe moved successfully.
File/Folder c:\windows\system32\awtqrol.dll not found.
C:\Program Files\Viewpoint moved successfully.
C:\VundoFix Backups moved successfully.
Created on 08/02/2007 15:23:33

#10 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 02 August 2007 - 03:11 PM

Now that we have the logs looking acceptable, it is time to give the entire system a good look see just to make sure no baddies are lurking:

Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner
Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
Posted Image
Posted Image
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

#11 sloc0005

sloc0005

    New Member

  • Authentic Member
  • Pip
  • 7 posts

Posted 03 August 2007 - 01:25 AM

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, August 03, 2007 2:20:18 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 3/08/2007
Kaspersky Anti-Virus database records: 371439
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\ C:\ D:\ E:\ F:\ G:\ H:\ I:\ J:\ K:\

Scan Statistics:
Total number of scanned objects: 177261
Number of viruses found: 3
Number of infected objects: 7
Number of suspicious objects: 0
Duration of the scan process: 01:56:05

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Shayne\Application Data\Sun\Java\Deployment\cache\6.0\5\347e3285-4c7a85d8 Infected: Exploit.Java.Gimsh.a skipped
C:\Documents and Settings\Shayne\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Shayne\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\Shayne\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Shayne\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Shayne\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Shayne\Local Settings\Temp\Perflib_Perfdata_6b4.dat Object is locked skipped
C:\Documents and Settings\Shayne\Local Settings\Temp\Perflib_Perfdata_828.dat Object is locked skipped
C:\Documents and Settings\Shayne\Local Settings\Temp\Perflib_Perfdata_82c.dat Object is locked skipped
C:\Documents and Settings\Shayne\Local Settings\Temp\~DFE2C9.tmp Object is locked skipped
C:\Documents and Settings\Shayne\Local Settings\Temp\~DFE2D5.tmp Object is locked skipped
C:\Documents and Settings\Shayne\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Shayne\ntuser.dat Object is locked skipped
C:\Documents and Settings\Shayne\ntuser.dat.LOG Object is locked skipped
C:\itouch_crash_info.txt Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\QooBox\Quarantine\C\DOCUME~1\Shayne\APPLIC~1\tmpE.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd5309.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_5fc.dat Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\_OTMoveIt\MovedFiles\WINDOWS\fcbxwx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
C:\_OTMoveIt\MovedFiles\WINDOWS\hgdcbx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
C:\_OTMoveIt\MovedFiles\WINDOWS\nnonml.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
C:\_OTMoveIt\MovedFiles\WINDOWS\tuvvut.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
C:\_OTMoveIt\MovedFiles\WINDOWS\ursrop.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

#12 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 03 August 2007 - 09:29 AM

Good Report :thumbup:

That shows that the few bugs on your machine are all in a safe area, one of which we will fix now and the rest we will clean up during our final cleanup procedures.

A. I need you to clean out your Java Cache:

Clearing Java Cache
Go into the Control Panel and double-click the Java Icon (looks like a coffee cup).
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


B. Your log looks clean. If you have no more malware-related problems that you are aware of, just give me the OK and we can start the final but essential cleanup procedures and recommendations.

Trevuren

#13 sloc0005

sloc0005

    New Member

  • Authentic Member
  • Pip
  • 7 posts

Posted 03 August 2007 - 11:36 AM

Trevuren, I have cleared out my temp files in Java as asked and everything seems to be great. I am not noticing anything happening on my PC that would make me think that I am still infected. I am ready to proceed forward on the cleanup now. Again, thank you so much for the assistance. I would have had to wipe my drives clean if it were not for you, and that would have been a pain. You and your fellow brethren provide a top notch service here with a professional and courteous manner that is very rare today. I will refer this site to all who ask me for assistance with virus removal from now on as you all are the bomb. Sincerely, Sloc0005

#14 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 03 August 2007 - 11:48 AM

Thank you for the kind words.

Congratulations, your log looks CLEAN

There are a few things you must do once you are completely clean:

1. Time for some housekeeping

Please download the OTMoveIt by OldTimer (If you have deleted already)
  • Save it to your desktop.
  • Run the tool by clicking on the icon.
  • Click the Cleanup button.
  • The tools that we used as well as this one will be removed from your system.

2. Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

3. Now Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Here are some tips to reduce the potential for spyware infection in the future:

Make sure you keep your Windows OS current by visiting Windows Update
regularly to download and install any critical updates and service packs. Without these you are leaving the backdoor open.

I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google Toolbar to help stop pop up windows.
And also see TonyKlein's good advice
So how did I get infected in the first place?

Regards,

Trevuren

Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.



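The MVPS HOSTS step above works by pointing ad and tracking names at 127.0.0.1 so the machine never connects to them. The same file is also a favourite tampering target, so it is worth being able to audit it: entries that point a name at loopback are blackholes (expected), while entries that point a name at any other address are redirects and deserve a look, especially for update or security-vendor hostnames. The following Python script is an added example, not code from the forum post or from the MVPS project; the sample HOSTS content, the `PROTECTED_SUFFIXES` list and all helper names are constructed for illustration.

```python
"""Audit a Windows-style HOSTS file (added example, not from the post).

Classifies each entry as a loopback 'blackhole' (what the MVPS HOSTS file
adds: ad/tracking names pointed at 127.0.0.1) or as a redirect to some
other address, and flags redirects for a hypothetical list of domains
that should never be overridden.
"""
import ipaddress
import re

# Addresses that make a name resolve to nowhere useful.  0.0.0.0 is also
# widely used by blocklists, so it is treated as a blackhole too.
LOOPBACK_OK = ("127.0.0.1", "0.0.0.0", "::1")

# Hypothetical protected list (an assumption, not taken from the post).
PROTECTED_SUFFIXES = ("windowsupdate.com", "update.microsoft.com", "avast.com")

# Constructed sample HOSTS content, not taken from any real machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1  ads.example.test    #[MVPS-style blackhole]
0.0.0.0    tracker.example.test
10.0.0.5   www.avast.com      # suspicious: AV vendor redirected elsewhere
::1        localhost
192.168.1.20 intranet.corp.example
"""

ENTRY_RE = re.compile(r"^\s*(\S+)\s+(.+?)\s*$")


def parse_hosts(text):
    """Return (address, hostname) pairs; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        addr, names = m.groups()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed address field; ignore the line
        for name in names.split():  # one address may carry several names
            entries.append((addr, name.lower()))
    return entries


def classify(entries):
    """Split entries into blackholes (loopback) and redirects (anything else)."""
    blackholes, redirects = [], []
    for addr, name in entries:
        if addr in LOOPBACK_OK:
            # The localhost lines are normal; every other loopback line is a blackhole.
            if name not in ("localhost", "localhost.localdomain"):
                blackholes.append(name)
        else:
            redirects.append((name, addr))
    return blackholes, redirects


def flag_suspicious(redirects):
    """Return redirects whose hostname is, or is under, a protected suffix."""
    return [(name, addr) for name, addr in redirects
            if any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)]


def audit(text=SAMPLE_HOSTS):
    """Run the whole audit and return a small report dictionary."""
    entries = parse_hosts(text)
    blackholes, redirects = classify(entries)
    return {
        "blackholed": blackholes,
        "redirected": redirects,
        "suspicious": flag_suspicious(redirects),
    }


if __name__ == "__main__":
    report = audit()
    print(f"{len(report['blackholed'])} blackholed names")
    for name, addr in report["redirected"]:
        tag = "SUSPICIOUS" if (name, addr) in report["suspicious"] else "ok"
        print(f"{tag:10} {name} -> {addr}")
```

To check a real machine, read `C:\Windows\System32\drivers\etc\hosts` and pass its text to `audit()`; the two loopback entries for `localhost` are expected, a long run of blackholes is what a blocklist like MVPS looks like, and any redirect of an update or antivirus hostname to a non-loopback address is the kind of change a cleanup should revert.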
#15 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 12 August 2007 - 08:25 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php