Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91639 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Vundo Virus, cant remove


  • This topic is locked This topic is locked
8 replies to this topic

#1 Kama

Kama

    New Member

  • New Member
  • Pip
  • 9 posts

Posted 02 May 2008 - 07:56 AM

I went through the "vundo/.../..." self help file with no luck. I ran the first Hijackthis scan and log with the name default and nothing showed up. I tried changing the name to spyware.exe like instructed and had both 02 and 020 files show up. I downloaded the vundofix.exe and scanned but it didnt find anything. Here is the log with hijackthis as spyware.exe:

Logfile of HijackThis v1.99.1
Scan saved at 8:34:53 AM, on 5/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\DOCUME~1\GREGSE~1\LOCALS~1\Temp\Rar$EX00.702\AtomicTime.exe
C:\Program Files\Razer\Diamondback\razerhid.exe
C:\Program Files\Saitek\Software\ProfilerU.exe
C:\Program Files\Saitek\Software\SaiMfd.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Razer\Diamondback\razertra.exe
C:\Program Files\Razer\Diamondback\razerofa.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\spyware.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {8DDE2364-3924-465E-87DC-B6D0BF365D33} - C:\WINDOWS\system32\pmnllkLd.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CE86878F-D099-4FFC-A4DC-E51D192063B1} - C:\WINDOWS\system32\awtuuRIA.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AtomicTime] C:\DOCUME~1\GREGSE~1\LOCALS~1\Temp\Rar$EX00.702\AtomicTime.exe s
O4 - HKLM\..\Run: [Dimondback] C:\Program Files\Razer\Diamondback\razerhid.exe
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....031/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1206740436148
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1206759683759
O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} (UnagiAx Class) - http://radaol-prod-w...agi3.0.84.2.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15034/CTPID.cab
O20 - Winlogon Notify: awtuuRIA - C:\WINDOWS\SYSTEM32\awtuuRIA.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

I found another thread with the malwarebytes antimalware and tried that. It found 21 infections and I selected to remove them. It auto restarted my computer then the pop-ups kept happening. I"ve also tried nortons 2005, reannimator, ad-aware 2007.

Also here is the malwarebytes log.

Malwarebytes' Anti-Malware 1.11
Database version: 707

Scan type: Quick Scan
Objects scanned: 48198
Time elapsed: 18 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 11
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\pmnllkLd.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\awtuuRIA.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8dde2364-3924-465e-87dc-b6d0bf365d33} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{8dde2364-3924-465e-87dc-b6d0bf365d33} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{ce86878f-d099-4ffc-a4dc-e51d192063b1} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ce86878f-d099-4ffc-a4dc-e51d192063b1} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awtuuria (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{ce86878f-d099-4ffc-a4dc-e51d192063b1} (Trojan.Vundo) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\pmnllkld -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\pmnllkld -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\pmnllkLd.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\dLkllnmp.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\dLkllnmp.ini2 (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\awtuuRIA.dll (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\Greg Self\Local Settings\Temporary Internet Files\Content.IE5\64SCNIEE\css4[1] (Trojan.Vundo) -> No action taken.

    Advertisements

Register to Remove


#2 Noviciate

Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,907 posts

Posted 02 May 2008 - 02:54 PM

Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingc...to-use-combofix
  • Please Note: This tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log C:\ComboFix.txt - copy and paste it into your next reply.
  • Post a fresh HJT log as well.
  • Let me know how the PC is behaving.
Also, run HJT and click on Open the Misc Tools section.
  • Click Open Uninstall Manager...
  • Click Save list... and save it to your Desktop.
  • Copy and paste the file uninstall_list.txt into your next reply.

Death to the salad eaters!

#3 Kama

Kama

    New Member

  • New Member
  • Pip
  • 9 posts

Posted 02 May 2008 - 05:14 PM

Thank you for taking the time to help me!

ComboFix gave me this:


ComboFix 08-05-01.1 - Greg Self 2008-05-02 17:53:55.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.662 [GMT -5:00]
Running from: C:\Documents and Settings\Greg Self\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Greg Self\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\awtuuRIA.dll
C:\WINDOWS\system32\dLkllnmp.ini
C:\WINDOWS\system32\dLkllnmp.ini2
C:\WINDOWS\system32\ibebbiyh.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pmnllkLd.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NWSAPAGENT
-------\Service_NwSapAgent


((((((((((((((((((((((((( Files Created from 2008-04-02 to 2008-05-02 )))))))))))))))))))))))))))))))
.

2008-05-02 11:11 . 2004-08-04 02:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-05-02 11:11 . 2008-05-02 11:11 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-05-02 11:11 . 2008-05-02 11:11 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-05-02 10:35 . 2008-05-02 10:35 22,528 --a------ C:\WINDOWS\system32\Partizan.exe
2008-05-02 08:36 . 2008-05-02 08:36 <DIR> d-------- C:\VundoFix Backups
2008-05-02 07:18 . 2008-05-02 07:18 <DIR> d-------- C:\Documents and Settings\Greg Self\Application Data\Malwarebytes
2008-05-02 07:17 . 2008-05-02 07:17 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-02 07:17 . 2008-05-02 07:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-01 21:30 . 2008-05-01 21:31 <DIR> d-------- C:\Program Files\Panda Security
2008-05-01 21:28 . 2008-05-01 21:28 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-05-01 19:23 . 2008-05-01 21:00 134 --a------ C:\WINDOWS\rootkitno.ini
2008-05-01 19:20 . 2008-05-01 21:16 <DIR> d-------- C:\RootkitNO
2008-05-01 09:10 . 2008-05-01 09:10 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-01 09:10 . 2008-05-02 17:53 1,024 --ah----- C:\Documents and Settings\Administrator\NTUSER.dat.LOG
2008-05-01 08:47 . 2008-05-01 08:47 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-01 08:47 . 2008-05-01 08:47 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-29 18:45 . 2008-04-29 18:45 <DIR> d-------- C:\Program Files\Virtual Earth 3D
2008-04-23 05:20 . 2008-04-23 05:20 <DIR> d-------- C:\Program Files\SymNetDrv
2008-04-23 05:06 . 2008-04-23 23:13 <DIR> d-------- C:\Program Files\Norton AntiVirus
2008-04-23 05:06 . 2008-04-23 05:06 4,608 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2008-04-20 12:17 . 2008-04-20 12:17 <DIR> d-------- C:\Program Files\DNA
2008-04-20 12:17 . 2008-04-20 12:17 <DIR> d-------- C:\Program Files\BitTorrent
2008-04-20 12:17 . 2008-04-23 23:03 <DIR> d-------- C:\Documents and Settings\Greg Self\Application Data\DNA
2008-04-20 12:17 . 2008-04-20 12:38 <DIR> d-------- C:\Documents and Settings\Greg Self\Application Data\BitTorrent
2008-04-17 02:44 . 2008-04-17 02:44 58,192 --a------ C:\Documents and Settings\Greg Self\Application Data\GDIPFONTCACHEV1.DAT
2008-04-17 01:32 . 2008-04-17 01:36 <DIR> d-------- C:\Program Files\UltraVNC
2008-04-17 01:17 . 2008-04-17 01:33 197 --a------ C:\WINDOWS\system32\'
2008-04-17 01:14 . 2005-06-10 22:02 12,800 --a------ C:\WINDOWS\system32\vncdrv.dll
2008-04-17 01:14 . 2004-06-26 13:22 6,016 --a------ C:\WINDOWS\system32\drivers\vnccom.SYS
2008-04-17 01:14 . 2004-06-26 13:21 5,760 --a------ C:\WINDOWS\system32\vnchelp.dll
2008-04-17 01:14 . 2004-06-26 13:22 4,736 --a------ C:\WINDOWS\system32\drivers\vncdrv.sys
2008-04-09 06:01 . 2008-04-09 06:01 <DIR> d-------- C:\Documents and Settings\Greg Self\Application Data\dvdcss
2008-04-09 05:17 . 2008-04-18 21:06 <DIR> d-------- C:\Documents and Settings\Greg Self\Application Data\GARMIN
2008-04-09 05:16 . 2008-04-09 05:16 <DIR> d-------- C:\Program Files\Garmin
2008-04-09 05:16 . 2008-04-18 20:33 <DIR> d-------- C:\Garmin
2008-04-08 23:15 . 2004-08-04 00:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-04-07 17:12 . 2008-05-02 07:43 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-07 17:12 . 2008-04-07 17:12 37,888 --a------ C:\WINDOWS\system32\rar.exe
2008-04-04 08:31 . 2008-04-04 08:31 0 --a------ C:\WINDOWS\MelodyExe.INI
2008-04-04 08:31 . 2008-04-04 08:31 0 --a------ C:\WINDOWS\EngineExe.INI
2008-04-04 07:30 . 2008-04-04 07:30 0 --a------ C:\WINDOWS\PanelExe.INI
2008-04-04 07:30 . 2008-04-04 07:30 0 --a------ C:\WINDOWS\FileMgrExe.INI
2008-04-02 20:54 . C:\WINDOWS\(2) C:\ComboFix\winstart.bat
2008-04-02 03:23 . 2008-04-02 03:23 <DIR> d-------- C:\Documents and Settings\Greg Self\Application Data\vlc
2008-04-02 01:10 . 2008-04-02 01:10 <DIR> d-------- C:\Documents and Settings\Greg Self\Application Data\Jasc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-02 22:58 --------- d-----w C:\Program Files\PestPatrol
2008-05-02 16:33 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-02 15:48 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-28 00:22 --------- d-----w C:\Documents and Settings\Greg Self\Application Data\HLSW
2008-04-23 10:21 --------- d-----w C:\Program Files\Symantec
2008-04-23 10:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-23 09:48 --------- d-----w C:\Documents and Settings\Greg Self\Application Data\LimeWire
2008-04-03 01:57 --------- d-----w C:\Program Files\Download Manager
2008-04-03 01:57 --------- d-----w C:\Documents and Settings\Greg Self\Application Data\IGN_DLM
2008-04-01 22:18 --------- d-----w C:\Program Files\VideoLAN
2008-04-01 22:16 --------- d-----w C:\Program Files\dayam NFO Viewer
2008-04-01 22:15 --------- d-----w C:\Program Files\Jasc Software Inc
2008-04-01 22:14 --------- d-----w C:\Documents and Settings\Greg Self\Application Data\Jasc Software Inc
2008-03-31 04:57 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-31 01:01 --------- d-----w C:\Documents and Settings\Greg Self\Application Data\Ventrilo
2008-03-30 07:45 --------- d-----w C:\Program Files\Java
2008-03-30 07:44 --------- d-----w C:\Program Files\Common Files\Java
2008-03-30 06:05 --------- d-----w C:\Program Files\QuickTime
2008-03-30 06:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-30 05:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-03-29 06:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-29 06:52 --------- d-----w C:\Program Files\Creative
2008-03-29 04:42 --------- d-----w C:\Documents and Settings\Greg Self\Application Data\Creative
2008-03-29 04:27 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-29 03:24 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-03-29 02:46 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-03-29 02:00 --------- d-----w C:\Program Files\Mobile Action
2008-03-29 01:22 --------- d-----w C:\Program Files\MSXML 6.0
2008-03-29 00:57 --------- d-----w C:\Program Files\MSBuild
2008-03-29 00:53 --------- d-----w C:\Program Files\Reference Assemblies
2008-03-28 22:44 --------- d-----w C:\Program Files\CEVO
2008-03-28 22:25 --------- d-----w C:\Program Files\Saitek
2008-03-28 22:24 --------- d-----w C:\Program Files\Razer
2008-03-28 22:23 --------- d-----w C:\Documents and Settings\Greg Self\Application Data\InstallShield
2008-03-28 22:04 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-28 22:02 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-28 21:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-28 21:46 --------- d-----w C:\Program Files\Lavasoft
2008-03-28 21:30 --------- d-----w C:\Documents and Settings\Greg Self\Application Data\Symantec
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23 102400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-09-09 17:26 7110656]
"nwiz"="nwiz.exe" [2005-09-09 17:26 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2005-09-09 17:26 86016]
"Dimondback"="C:\Program Files\Razer\Diamondback\razerhid.exe" [2007-01-18 10:48 147456]
"Profiler"="C:\Program Files\Saitek\Software\ProfilerU.exe" [2005-10-18 15:34 163840]
"SaiMfd"="C:\Program Files\Saitek\Software\SaiMfd.exe" [2005-11-03 12:09 126976]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 16:10 57344]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 11:42 58728]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2008-04-23 05:20 100056]
"PPMemCheck"="C:\PROGRA~1\PESTPA~1\PPMemCheck.exe" [2003-04-19 08:53 148480]
"CookiePatrol"="C:\PROGRA~1\PESTPA~1\CookiePatrol.exe" [2003-05-30 00:47 69632]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"Windows Printing Driver"= WinSpooler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtuuRIA]
awtuuRIA.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\80ce714b]
C:\WINDOWS\system32\hyibbebi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2008-04-20 12:17 288576 C:\Program Files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
--a------ 2005-05-03 19:38 64512 C:\WINDOWS\system32\P17.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PestPatrol Control Center]
--a------ 2003-03-26 20:41 53248 C:\Program Files\PestPatrol\PPControl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 01:00 90112 C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Trillian\\trillian.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"D:\\Program Files\\mIRC\\mirc.exe"=
"D:\\Program Files\\HLSW\\hlsw.exe"=
"D:\\Program Files\\steam\\steamapps\\self_48_11@hotmail.com\\counter-strike\\hl.exe"=
"D:\\Program Files\\steam\\steamapps\\self_48_11@hotmail.com\\half-life\\hl.exe"=
"E:\\Program files\\LimeWire\\LimeWire.exe"=
"D:\\Program Files\\steam\\steamapps\\self_48_11@hotmail.com\\day of defeat source\\hl2.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-02 17:58:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMNTOR.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Razer\Diamondback\razertra.exe
C:\Program Files\Razer\Diamondback\razerofa.exe
.
**************************************************************************
.
Completion time: 2008-05-02 18:06:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-02 23:06:24

Pre-Run: 83,798,867,968 bytes free
Post-Run: 84,605,878,272 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

211

HJT after I ran combo fix gave me this:

Logfile of HijackThis v1.99.1
Scan saved at 6:08:32 PM, on 5/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Razer\Diamondback\razerhid.exe
C:\Program Files\Saitek\Software\ProfilerU.exe
C:\Program Files\Saitek\Software\SaiMfd.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Razer\Diamondback\razertra.exe
C:\Program Files\Razer\Diamondback\razerofa.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\spyware.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Dimondback] C:\Program Files\Razer\Diamondback\razerhid.exe
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....031/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1206740436148
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1206759683759
O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} (UnagiAx Class) - http://radaol-prod-w...agi3.0.84.2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15034/CTPID.cab
O20 - Winlogon Notify: awtuuRIA - awtuuRIA.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

And here is the Uninstall_list.txt you also wanted to see

Ad-Aware 2007
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
AtomicTime
ccCommon
CMN3
Counter-Strike
Counter-Strike: Source
Creative MediaSource
Creative System Information
Day of Defeat: Source
Garmin City Navigator North America NT 2008
Garmin MapSource
Garmin POI Loader
Garmin WebUpdater
Half-Life 2: Deathmatch
Hijackthis 1.99.1
HijackThis 1.99.1
HLSW v1.2.1
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Internet Worm Protection
Jasc Paint Shop Pro 8
Java™ 6 Update 5
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
mIRC
Motorola RAZR V3m(U.S. Cellular) USB - Handset Manager V9.5
MSXML 6.0 Parser (KB933579)
Norton AntiVirus 2005
Norton AntiVirus 2005 (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton WMI Update
NVIDIA Drivers
Panda ActiveScan 2.0
QuickTime
Razer Diamondback
Saitek SST Programming Software
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Sound Blaster Audigy
SPBBC
Steam
Symantec
Symantec Script Blocking Installer
SymNet
Trillian
UltraVNC v1.0.2
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB925876)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Ventrilo Client
VideoLAN VLC media player 0.8.6c
Virtual Earth 3D (Beta)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Presentation Foundation
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
Zune Desktop Theme

#4 Noviciate

Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,907 posts

Posted 03 May 2008 - 12:51 PM

Let me know how the PC is behaving.

I can't see the PC and you can - if you don't say, I don't know and HJT doesn't tell everything.
Death to the salad eaters!

#5 Kama

Kama

    New Member

  • New Member
  • Pip
  • 9 posts

Posted 03 May 2008 - 01:16 PM

I appologize. I wanted to run it for a bit to get a sense of the way its going and I havent been home. Since running the programs above, I've had no more random window's pop up. My pop up blocker is still telling me its blocking things but I'm sure its just stuff connected to the pages. I havent seen any more performance issues out of it. All seems to be running much better.

#6 Noviciate

Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,907 posts

Posted 03 May 2008 - 04:06 PM

Time for a general looksee and that should be that:

Download Malwarebytes' Anti-Malware from here and save it to your Desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Ensure a checkmark is placed next to both Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware and then click Finish.
  • If an update is found, it will download and install the latest version - you'll need to clear it with your firewall.
  • Once the program has loaded, select Perform full scan and then Scan.
  • When the scan has finished, click OK and then Show Results to view the results - no surprise there!
  • If MBAM finds anything, check the box(es) and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Let me have the MBAM log, a fresh HJT log (run in Normal Mode) AND a description of how your PC is behaving.
Death to the salad eaters!

#7 Kama

Kama

    New Member

  • New Member
  • Pip
  • 9 posts

Posted 03 May 2008 - 09:19 PM

Ok its been ran. Saved the log:

Malwarebytes' Anti-Malware 1.11
Database version: 712

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 114152
Time elapsed: 1 hour(s), 11 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\awtuuRIA.dll.vir (Trojan.Vundo) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\pmnllkLd.dll.vir (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{D634801F-53DC-4E20-AB1E-B219F0758394}\RP145\A0014509.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{D634801F-53DC-4E20-AB1E-B219F0758394}\RP153\A0018850.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{D634801F-53DC-4E20-AB1E-B219F0758394}\RP153\A0018869.dll (Trojan.Vundo) -> No action taken.


Ok, now I chose to remove them and it restarted. When windows came back up and I logged on, it said the system had recovered from a serious error. Other than that, I'm not getting any pop ups or anything weird going on.

Here is the fresh HJT

Logfile of HijackThis v1.99.1
Scan saved at 10:18:22 PM, on 5/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Razer\Diamondback\razerhid.exe
C:\Program Files\Saitek\Software\ProfilerU.exe
C:\Program Files\Saitek\Software\SaiMfd.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
D:\Program Files\Atomic Time\AtomicTime.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Razer\Diamondback\razertra.exe
C:\Program Files\Razer\Diamondback\razerofa.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\spyware.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Dimondback] C:\Program Files\Razer\Diamondback\razerhid.exe
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [AtomicTime] D:\Program Files\Atomic Time\AtomicTime.exe s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....031/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1206740436148
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1206759683759
O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} (UnagiAx Class) - http://radaol-prod-w...agi3.0.84.2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15034/CTPID.cab
O20 - Winlogon Notify: awtuuRIA - awtuuRIA.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#8 Noviciate

Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,907 posts

Posted 04 May 2008 - 01:25 PM

I don't know what could have caused the error, but as long as Windows is behaving OK i'd put it down to experience. A little tidying up and you're done.

1) Run HijackThis as you did to generate a log, but this time click on 'Do a system scan only'.
Place a checkmark in the boxes to the left of the following entries, by clicking on them:

O20 - Winlogon Notify: awtuuRIA - awtuuRIA.dll (file missing)

CLOSE ALL OPEN WINDOWS AND BROWSERS - EXCEPT HJT and click on Fix checked

2) I want you to run your PC as normal for a few days and when you are happy that everything is fine, do the following:

Go to Start > Run, enter the following into the textbox and click OK: combofix /u
This will uninstall Combofix and do a little housework besides.

Create a new Restore Point - this will give a clean one should you need it in the future.
A tutorial for System Restore is available here.

The reason for waiting is that if removing the malware has caused a problem, which it occasionally does, you can put your PC back to how it was before the fix. This will re-install the malware, but an infected PC is better than an expensive paperweight!

Some bedtime reading: This is a very good tutorial about keeping your computer safe and secure on the internet.
Death to the salad eaters!

#9 Kama

Kama

    New Member

  • New Member
  • Pip
  • 9 posts

Posted 04 May 2008 - 06:27 PM

I greatly appreciate all of your time and help to resolve my issues.

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users