Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Malware Removal (vtstt.exe) [RESOLVED]

Started by dddcar , Jan 26 2008 02:21 PM

This topic is locked

#1
dddcar

Posted 26 January 2008 - 02:21 PM

Member

Member
10 posts

Hi,

First of all I want to thank Geeks to Go for a great site that has got me through many problems recently. Unfortunetly I have not been able to solve this one on my own thus would kindly ask for your help. I know this is a problem other users have had but the posts have not been able to help me and I am afraid to mess with my registry without specific instructions towards me. If at any time you deem my problem is parallel to someone else's feel free to just direct me to that post and I would be happy to follow through.

I have obtained a Malware Virus and while I think i know what it is, I cannot get rid of it completely. I believe the Virus is in the following file C:WINDOWS/system32/vtstt.exe (at least if not some other). As I've said I've seen a lot of posts on vtstt but so far have not been able to solve my problem. I will post my log below and here are specfics and actions taken so far.

1) System Restore does not work - There are no dates from before when this virus came onboard my unit (about 1 month ago)
2) GOBack does not function as well.
3) Nortons's (paid version) - does not seem to do anything for me. Nortons was actually disable and we had to reinstall, I'm not sure if this was because of the virus.
4) Installed AVG and have been running.
5) Use Spyware doctor which not always pops up when I open IE (however not anymore please see #10)
6) Superantispyware installed - will probably delete though
7) Spybot installed
8) HiJackthis Installed
9) Installed VundoFix as seen on here but have been afraid to run with it
10) I have been able to delete this (I think) from the C Drive,however I still receive errors when starting computer. I assume I may have got rid of it but it's still in the registry?
(RED "X" WINDOW) - Windows cannot find 'C:WINDOWS/system32/vtstt.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search
(YELLOW "!" WINDOW) - Could not load of run 'C:WINDOWS/system32/vtstt.exe' specified in the registry. Make sure the file exists on your computer or remove the reference to it in the registry.

For some reason after I OK this one Microsoft Intellipoint Window launches?

11) System is still very slow which leads me to believe there is still something here. IE is very slow (firefox not installed its my parents computer, I'm sure it would scare them to use anything but IE) and those error windows pop up in beginning.

Please note my log below and thanks in advance for all of your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:59:43 PM, on 1/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
E:\C 2006-11-19 23;31;44\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
E:\C 2006-11-19 23;31;44\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
E:\C 2006-11-19 23;31;44\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\WINDOWS\system32\uWDF.exe
C:\Documents and Settings\The Prodigal Son\Desktop\VundoFix.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {B75A20FA-3904-32FF-D2A1-8BA5644B577C} - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\system32\vtstt.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: BndBlock4 BHO Class - {8F9E2BE3-766D-4831-BB0E-766D5B819995} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: {5e499326-5608-1cfb-d534-ae6cc4ca91cd} - {dc19ac4c-c6ea-435d-bfc1-8065623994e5} - (no file)
O2 - BHO: (no name) - {EB4E125E-8517-485C-83AC-3B41049D1D47} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] E:\C 2006-11-19 23;31;44\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ASUS Probe] E:\C 2006-11-19 23;31;44\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint 5.2\IPoint\SETUP\Files\point32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\C 2006-11-19 23;31;44\Program Files\SymNetDrv\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] E:\C 2006-11-19 23;31;44\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\C 2006-11-19 23;31;44\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [corrida] vxdman.exe
O4 - HKCU\..\Run: [SYSTRAV] Serviceprocess.exe
O4 - HKCU\..\Run: [porka_] AppMasterCenter.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] E:\C 2006-11-19 23;31;44\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/us/sec...an/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093183032953
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1176080121296
O17 - HKLM\System\CCS\Services\Tcpip\..\{BABBCB70-5A75-463A-88A6-FA942A4EF484}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CE060BFA-A084-4070-B61A-9A4A0728EF39}: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 10487 bytes

Edited by dddcar, 26 January 2008 - 02:28 PM.

#2
Rorschach112

Posted 27 January 2008 - 05:28 PM

Ralphie

Retired Staff
47,710 posts

Hello

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

#3
dddcar

Posted 28 January 2008 - 06:19 PM

Member

Topic Starter
Member
10 posts

Hi,

Thanks for your quick reply! I actually had to fly to Atlanta for two days and won't be back on my desktop until Wednesday, I think I need to respond withiin another 72 hours so this thread doesn't die, but thanks again for your response and sorry for the delay. I will update Wendesday night and report HiJack log post Combofix instructions.

Best,
DDDCAR

#4
Rorschach112

Posted 29 January 2008 - 08:54 AM

Ralphie

Retired Staff
47,710 posts

Take your time, I won't close the thread for at least a week unless I have heard from you

Enjoy your trip

#5
dddcar

Posted 02 February 2008 - 10:56 AM

Member

Topic Starter
Member
10 posts

Hey!

Finally back after too long of a trip. Many thanks for your patience. I have run Combofix and everything seems to have gone well. When compiling the log my Nortons box popped up and tried to block some cripts but I just authorized it so I don't think this should have had any effect. Let me know if you want me to disaple Norton's/ABG/SpyDoctor moving forward. There was also a google window that popped up that was not letting a program change setting unless i allowed it. I didn't take any action so hopefully this wasn't important.

Logs are below look forward to the next step.

COMBOFIX LOG

ComboFix 08-02.02.5 - The Prodigal Son 2008-02-02 11:33:10.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.82 [GMT -5:00]
Running from: C:\Documents and Settings\The Prodigal Son\Local Settings\Temporary Internet Files\Content.IE5\STW9EFW5\ComboFix[1].exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\The Prodigal Son\Application Data\install.dat
C:\Documents and Settings\The Prodigal Son\Application Data\YMBOLS~1
C:\Documents and Settings\The Prodigal Son\Application Data\YMBOLS~1\?ymbols\
C:\U.exe
C:\WINDOWS\Downloaded Program Files\Quarantine
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\ttstv.ini
C:\WINDOWS\system32\ttstv.ini2

.
((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))
.

2008-01-27 20:23 . 2008-01-27 20:23 557,056 --a------ C:\Documents and Settings\Dominick\GoToAssist_phone__317_en.exe
2008-01-26 14:48 . 2008-01-26 14:48 <DIR> d-------- C:\VundoFix Backups
2008-01-20 11:53 . 2008-01-20 11:53 32 --ahs---- C:\WINDOWS\system32\{5EA08C94-6BBC-4535-9147-DAFD2BD0033C}.dat
2008-01-20 11:53 . 2008-01-20 11:53 32 --ahs---- C:\WINDOWS\{B5E2E974-54C4-454E-B46B-9578C8266F15}.dat
2008-01-20 11:52 . 2008-01-20 11:52 32 --ahs---- C:\WINDOWS\system32\{C96919BD-BFB6-4FBB-8692-1D2A141AD344}.dat
2008-01-20 11:52 . 2008-01-20 11:52 32 --ahs---- C:\WINDOWS\{346C4F16-7C1C-413C-BB94-078D45F7A913}.dat
2008-01-20 11:51 . 2008-01-20 11:51 32 --ahs---- C:\WINDOWS\system32\{933638AD-76F7-493E-B02A-DCF0943683FA}.dat
2008-01-20 11:51 . 2008-01-20 11:51 32 --ahs---- C:\WINDOWS\{96AE22BC-5715-4B43-8533-27020211E4B4}.dat
2008-01-20 11:50 . 2002-08-14 06:03 34,578 --a------ C:\WINDOWS\system32\drivers\NPDRIVER.SYS
2008-01-20 11:50 . 2002-08-14 06:03 31,744 --a------ C:\WINDOWS\system32\S32STAT.DLL
2008-01-20 11:49 . 2002-08-13 17:00 182,784 --a------ C:\WINDOWS\system32\ddao35.dll
2008-01-20 11:49 . 2002-08-13 17:00 94,208 --a------ C:\WINDOWS\system32\qdcsinet.dll
2008-01-20 11:49 . 2002-08-13 17:00 86,016 --a------ C:\WINDOWS\system32\apitrap.dll
2008-01-20 11:49 . 2002-08-13 17:00 13,792 --a------ C:\WINDOWS\system32\drivers\qdfsdrv.sys
2008-01-20 11:49 . 2008-01-20 11:49 32 --ahs---- C:\WINDOWS\system32\{BDE223A3-C2D1-4FA4-8568-F0D45A3ED5AA}.dat
2008-01-20 11:49 . 2008-01-20 11:49 32 --ahs---- C:\WINDOWS\system32\{9D03B736-97A3-40C9-B40B-5ED10FC7ACE8}.dat
2008-01-20 11:49 . 2008-01-20 11:49 32 --ahs---- C:\WINDOWS\system32\{0AEE89A4-2494-44F5-8DC5-C2CB5F0E8624}.dat
2008-01-20 11:49 . 2008-01-20 11:49 32 --ahs---- C:\WINDOWS\{B1B16FC6-239A-4B36-BAA0-D3B5E4F2AA22}.dat
2008-01-20 11:49 . 2008-01-20 11:49 32 --ahs---- C:\WINDOWS\{A124F442-EEF6-44B6-9EF9-D4BBA0A4D275}.dat
2008-01-20 11:49 . 2008-01-20 11:49 32 --ahs---- C:\WINDOWS\{4848229A-C621-4158-8E90-221D4F5824FB}.dat
2008-01-20 11:48 . 2002-08-14 14:03 45,056 --a------ C:\WINDOWS\system32\WNASPI2K.BAK
2008-01-20 11:48 . 2002-08-14 14:03 17,005 --a------ C:\WINDOWS\system32\drivers\ASPI2K.BAK
2008-01-20 11:48 . 2002-08-14 14:03 5,600 --a------ C:\WINDOWS\system\WINASPI.BAK
2008-01-20 11:48 . 2002-08-14 14:03 4,672 --a------ C:\WINDOWS\system\WOWPOST.BAK
2008-01-20 11:47 . 2008-01-20 11:47 32 --ahs---- C:\WINDOWS\system32\{BE1ACE46-4A86-45E8-A99E-5FB03A81E906}.dat
2008-01-20 11:47 . 2008-01-20 11:47 32 --ahs---- C:\WINDOWS\{A6C91350-E81C-47FB-A7B4-7A51B163BA20}.dat
2008-01-20 11:47 . 2008-01-20 11:47 14 --a------ C:\WINDOWS\system32\SR2.dat
2008-01-13 20:05 . 2008-02-02 11:22 <DIR> d-------- C:\Documents and Settings\The Prodigal Son\Application Data\AVG7
2008-01-13 12:57 . 2008-01-24 04:11 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-01-13 12:57 . 2008-01-13 12:57 <DIR> d-------- C:\Documents and Settings\Dominick\Application Data\PC Tools
2008-01-13 12:57 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-01-13 12:57 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-01-13 12:57 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-01-13 12:57 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-01-13 12:45 . 2008-01-13 12:45 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-13 12:45 . 2008-02-02 08:00 <DIR> d-------- C:\Documents and Settings\Dominick\Application Data\AVG7
2008-01-13 12:45 . 2008-01-13 12:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-13 12:45 . 2008-01-13 12:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-05 10:13 . 2008-01-05 10:13 1,283,174 --a------ C:\Install

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-02 16:43 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-02 16:25 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-01-28 02:06 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-26 19:39 --------- d-----w C:\Program Files\ParticleG
2008-01-26 19:09 --------- d-----w C:\Program Files\Java
2008-01-25 22:30 --------- d-----w C:\Program Files\Norton SystemWorks
2008-01-21 22:11 --------- d-----w C:\Documents and Settings\The Prodigal Son\Application Data\ZoomBrowser EX
2008-01-21 21:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-01-20 16:51 --------- d-----w C:\Program Files\Symantec
2008-01-20 16:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-13 17:56 --------- d-----w C:\Program Files\Google
2008-01-11 15:12 --------- d-----w C:\Program Files\TomTom HOME
2008-01-11 15:12 --------- d-----w C:\Program Files\SymNetDrv
2008-01-11 15:12 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-12-25 06:03 --------- d-----w C:\Program Files\Trend Micro
2007-12-24 23:31 4,194,304,000 --sha-w C:\gobackio.bin
2007-12-24 19:04 --------- d-----w C:\Documents and Settings\The Prodigal Son\Application Data\SUPERAntiSpyware.com
2007-12-24 19:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-24 18:37 --------- d-----w C:\Program Files\Focus MP3 Recorder
2007-12-24 03:02 --------- d-----w C:\Documents and Settings\The Prodigal Son\Application Data\PrevxCSI
2007-12-24 03:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-23 18:07 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2004-08-28 01:17 450,560 -c----w C:\Documents and Settings\Dominick\chatlnk.exe
2003-08-27 19:19 36,963 -c----r C:\Program Files\Common Files\SM1updtr.dll
.

<pre>
----a-w			63,712 2007-12-29 01:28:49  C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
----a-w			39,792 2007-12-29 01:28:50  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w		   617,984 2007-12-29 01:28:32  C:\Program Files\ASUS\Probe\AsusProb .exe
----a-w		   339,968 2007-12-29 01:28:30  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
----a-w			54,296 2007-12-29 01:28:31  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w			58,392 2007-12-29 01:28:32  C:\Program Files\Common Files\Symantec Shared\ccRegVfy .exe
----a-w			68,856 2007-12-29 01:28:53  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w		   132,496 2007-12-29 01:28:40  C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
----a-w		 1,694,208 2008-01-05 16:06:19  C:\Program Files\Messenger\msmsgs .exe
----a-w		   204,800 2007-12-29 01:28:38  C:\Program Files\Microsoft IntelliPoint\point32 .exe
----a-w			94,208 2007-12-29 01:28:35  C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp .exe
----a-w		 1,318,912 2007-12-29 19:03:09  C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
----a-w		   100,056 2007-12-29 01:28:43  C:\Program Files\SymNetDrv\SNDMon .exe
----a-w		 3,576,512 2007-12-29 01:28:54  C:\Program Files\TomTom HOME\TomTomHOME .exe
----a-w			15,360 2007-12-27 05:22:36  C:\WINDOWS\system32\ctfmon .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{dc19ac4c-c6ea-435d-bfc1-8065623994e5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EB4E125E-8517-485C-83AC-3B41049D1D47}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-01-05 11:54 1694208]
"corrida"="vxdman.exe" []
"SYSTRAV"="Serviceprocess.exe" []
"porka_"="AppMasterCenter.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"swg"="E:\C 2006-11-19 23;31;44\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe" [2006-10-16 22:00 163576]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="E:\C 2006-11-19 23;31;44\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 11:52 339968]
"ASUS Probe"="E:\C 2006-11-19 23;31;44\Program Files\ASUS\Probe\AsusProb.exe" [2002-12-06 15:07 617984]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint 5.2\IPoint\SETUP\Files\point32.exe" [2004-06-03 01:50 204800]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Symantec NetDriver Monitor"="E:\C 2006-11-19 23;31;44\Program Files\SymNetDrv\SNDMon.exe" [2005-11-03 19:10 100056]
"Adobe Reader Speed Launcher"="E:\C 2006-11-19 23;31;44\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" [2005-09-24 01:05 29696]
"QuickTime Task"="E:\C 2006-11-19 23;31;44\Program Files\QuickTime\qttask.exe" [2006-07-14 22:52 282624]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-13 12:45 579072]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-08-19 22:22 50880]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-19 22:23 34504]
"GhostStartTrayApp"="C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe" [2002-08-14 15:21 94208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-13 12:45 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
GoBack.lnk - C:\Program Files\Roxio\GoBack\GBTray.exe [2004-08-22 18:51:24 524288]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="cslej.exe"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dmncn.exe]
C:\WINDOWS\system32\dmncn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2003-10-31 18:42 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SM1BG]
-r------- 2003-08-27 14:20 94208 C:\WINDOWS\SM1BG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\startman]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
--------- 2004-11-10 23:15 111816 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\___]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ERSvc"=2 (0x2)
"Adobe LM Service"=3 (0x3)

R0 GBDevice;GBDevice;C:\WINDOWS\system32\drivers\GBDevice.sys [2002-01-21 11:37]
R0 GoBack2K;GoBack2K;C:\WINDOWS\system32\drivers\GoBack2K.sys [2002-01-21 11:36]
R1 GhPciScan;GhostPciScanner;C:\Program Files\Norton SystemWorks\Norton Ghost\ghpciscan.sys [2002-08-14 15:11]
R2 GBFSHook;GBFSHook;C:\WINDOWS\system32\drivers\GBFSHook.sys [2002-01-21 11:37]
R3 NPDriver;Norton Unerase Protection Driver;C:\WINDOWS\system32\Drivers\NPDRIVER.SYS [2002-08-14 06:03]
S3 ICAM3NT5;Intel USB Video Camera III;C:\WINDOWS\system32\Drivers\Icam3.sys [2001-08-17 13:05]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-02 15:08:19 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-02-01 23:01:30 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2008-02-02 16:44:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 11:42:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
.
**************************************************************************
.
Completion time: 2008-02-02 11:48:54 - machine was rebooted [The Prodigal Son]
ComboFix-quarantined-files.txt 2008-02-02 16:48:48
.
2008-01-10 08:03:27 --- E O F ---

HIJACK THIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51:18 AM, on 2/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
E:\C 2006-11-19 23;31;44\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
E:\C 2006-11-19 23;31;44\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
E:\C 2006-11-19 23;31;44\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {B75A20FA-3904-32FF-D2A1-8BA5644B577C} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: {5e499326-5608-1cfb-d534-ae6cc4ca91cd} - {dc19ac4c-c6ea-435d-bfc1-8065623994e5} - (no file)
O2 - BHO: (no name) - {EB4E125E-8517-485C-83AC-3B41049D1D47} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] E:\C 2006-11-19 23;31;44\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ASUS Probe] E:\C 2006-11-19 23;31;44\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint 5.2\IPoint\SETUP\Files\point32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\C 2006-11-19 23;31;44\Program Files\SymNetDrv\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] E:\C 2006-11-19 23;31;44\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\C 2006-11-19 23;31;44\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [corrida] vxdman.exe
O4 - HKCU\..\Run: [SYSTRAV] Serviceprocess.exe
O4 - HKCU\..\Run: [porka_] AppMasterCenter.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] E:\C 2006-11-19 23;31;44\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/us/sec...an/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093183032953
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1176080121296
O17 - HKLM\System\CCS\Services\Tcpip\..\{BABBCB70-5A75-463A-88A6-FA942A4EF484}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CE060BFA-A084-4070-B61A-9A4A0728EF39}: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 9735 bytes

#6
Rorschach112

Posted 02 February 2008 - 11:09 AM

Ralphie

Retired Staff
47,710 posts

Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\dmncn.exe

RenV::
----a-w 63,712 2007-12-29 01:28:49 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
----a-w 39,792 2007-12-29 01:28:50 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w 617,984 2007-12-29 01:28:32 C:\Program Files\ASUS\Probe\AsusProb .exe
----a-w 339,968 2007-12-29 01:28:30 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
----a-w 54,296 2007-12-29 01:28:31 C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w 58,392 2007-12-29 01:28:32 C:\Program Files\Common Files\Symantec Shared\ccRegVfy .exe
----a-w 68,856 2007-12-29 01:28:53 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w 132,496 2007-12-29 01:28:40 C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
----a-w 1,694,208 2008-01-05 16:06:19 C:\Program Files\Messenger\msmsgs .exe
----a-w 204,800 2007-12-29 01:28:38 C:\Program Files\Microsoft IntelliPoint\point32 .exe
----a-w 94,208 2007-12-29 01:28:35 C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp .exe
----a-w 1,318,912 2007-12-29 19:03:09 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
----a-w 100,056 2007-12-29 01:28:43 C:\Program Files\SymNetDrv\SNDMon .exe
----a-w 3,576,512 2007-12-29 01:28:54 C:\Program Files\TomTom HOME\TomTomHOME .exe
----a-w 15,360 2007-12-27 05:22:36 C:\WINDOWS\system32\ctfmon .exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\___]

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

#7
dddcar

Posted 02 February 2008 - 11:22 AM

Member

Topic Starter
Member
10 posts

Hi,

For some reason I dont have the Combofix Icon anywhere. Maybe it didn't install completely. Going to reinstall right now.

#8
dddcar

Posted 02 February 2008 - 11:48 AM

Member

Topic Starter
Member
10 posts

Hi,

Ok I think we're good. Three externalities were the following but hopefully nothing major.

- An 'Entry Point Not Found CCRegVfy.exe' window popped up when my computer restarted that read 'The procedure entry point ?AlertSettingsViolationAAYAXK@Z Could not be located in the dynamic link library CCREGMON.dll.'

- Microsoft Intellipoint Window is still opening upon entry

- Norton's opened again trying to block C:/ComboFix/SvcDrv.vbs but I just ignroed it.

Assuming you need them so logs supplied below.

ComboFix LOG

ComboFix 08-02.02.5 - The Prodigal Son 2008-02-02 12:25:24.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.199 [GMT -5:00]
Running from: C:\Documents and Settings\The Prodigal Son\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\The Prodigal Son\Desktop\OPERATION FIX VIRUS\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\dmncn.exe
.

((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))
.

2008-01-27 20:23 . 2008-01-27 20:23 557,056 --a------ C:\Documents and Settings\Dominick\GoToAssist_phone__317_en.exe
2008-01-26 14:48 . 2008-01-26 14:48 <DIR> d-------- C:\VundoFix Backups
2008-01-20 11:53 . 2008-01-20 11:53 32 --ahs---- C:\WINDOWS\system32\{5EA08C94-6BBC-4535-9147-DAFD2BD0033C}.dat
2008-01-20 11:53 . 2008-01-20 11:53 32 --ahs---- C:\WINDOWS\{B5E2E974-54C4-454E-B46B-9578C8266F15}.dat
2008-01-20 11:52 . 2008-01-20 11:52 32 --ahs---- C:\WINDOWS\system32\{C96919BD-BFB6-4FBB-8692-1D2A141AD344}.dat
2008-01-20 11:52 . 2008-01-20 11:52 32 --ahs---- C:\WINDOWS\{346C4F16-7C1C-413C-BB94-078D45F7A913}.dat
2008-01-20 11:51 . 2008-01-20 11:51 32 --ahs---- C:\WINDOWS\system32\{933638AD-76F7-493E-B02A-DCF0943683FA}.dat
2008-01-20 11:51 . 2008-01-20 11:51 32 --ahs---- C:\WINDOWS\{96AE22BC-5715-4B43-8533-27020211E4B4}.dat
2008-01-20 11:50 . 2002-08-14 06:03 34,578 --a------ C:\WINDOWS\system32\drivers\NPDRIVER.SYS
2008-01-20 11:50 . 2002-08-14 06:03 31,744 --a------ C:\WINDOWS\system32\S32STAT.DLL
2008-01-20 11:49 . 2002-08-13 17:00 182,784 --a------ C:\WINDOWS\system32\ddao35.dll
2008-01-20 11:49 . 2002-08-13 17:00 94,208 --a------ C:\WINDOWS\system32\qdcsinet.dll
2008-01-20 11:49 . 2002-08-13 17:00 86,016 --a------ C:\WINDOWS\system32\apitrap.dll
2008-01-20 11:49 . 2002-08-13 17:00 13,792 --a------ C:\WINDOWS\system32\drivers\qdfsdrv.sys
2008-01-20 11:49 . 2008-01-20 11:49 32 --ahs---- C:\WINDOWS\system32\{BDE223A3-C2D1-4FA4-8568-F0D45A3ED5AA}.dat
2008-01-20 11:49 . 2008-01-20 11:49 32 --ahs---- C:\WINDOWS\system32\{9D03B736-97A3-40C9-B40B-5ED10FC7ACE8}.dat
2008-01-20 11:49 . 2008-01-20 11:49 32 --ahs---- C:\WINDOWS\system32\{0AEE89A4-2494-44F5-8DC5-C2CB5F0E8624}.dat
2008-01-20 11:49 . 2008-01-20 11:49 32 --ahs---- C:\WINDOWS\{B1B16FC6-239A-4B36-BAA0-D3B5E4F2AA22}.dat
2008-01-20 11:49 . 2008-01-20 11:49 32 --ahs---- C:\WINDOWS\{A124F442-EEF6-44B6-9EF9-D4BBA0A4D275}.dat
2008-01-20 11:49 . 2008-01-20 11:49 32 --ahs---- C:\WINDOWS\{4848229A-C621-4158-8E90-221D4F5824FB}.dat
2008-01-20 11:48 . 2002-08-14 14:03 45,056 --a------ C:\WINDOWS\system32\WNASPI2K.BAK
2008-01-20 11:48 . 2002-08-14 14:03 17,005 --a------ C:\WINDOWS\system32\drivers\ASPI2K.BAK
2008-01-20 11:48 . 2002-08-14 14:03 5,600 --a------ C:\WINDOWS\system\WINASPI.BAK
2008-01-20 11:48 . 2002-08-14 14:03 4,672 --a------ C:\WINDOWS\system\WOWPOST.BAK
2008-01-20 11:47 . 2008-01-20 11:47 32 --ahs---- C:\WINDOWS\system32\{BE1ACE46-4A86-45E8-A99E-5FB03A81E906}.dat
2008-01-20 11:47 . 2008-01-20 11:47 32 --ahs---- C:\WINDOWS\{A6C91350-E81C-47FB-A7B4-7A51B163BA20}.dat
2008-01-20 11:47 . 2008-01-20 11:47 14 --a------ C:\WINDOWS\system32\SR2.dat
2008-01-13 20:05 . 2008-02-02 11:22 <DIR> d-------- C:\Documents and Settings\The Prodigal Son\Application Data\AVG7
2008-01-13 12:57 . 2008-01-24 04:11 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-01-13 12:57 . 2008-01-13 12:57 <DIR> d-------- C:\Documents and Settings\Dominick\Application Data\PC Tools
2008-01-13 12:57 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-01-13 12:57 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-01-13 12:57 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-01-13 12:57 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-01-13 12:45 . 2008-01-13 12:45 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-13 12:45 . 2008-02-02 08:00 <DIR> d-------- C:\Documents and Settings\Dominick\Application Data\AVG7
2008-01-13 12:45 . 2008-01-13 12:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-13 12:45 . 2008-01-13 12:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-05 10:13 . 2008-01-05 10:13 1,283,174 --a------ C:\Install

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-02 17:32 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-02 17:25 --------- d-----w C:\Program Files\TomTom HOME
2008-02-02 17:25 --------- d-----w C:\Program Files\SymNetDrv
2008-02-02 17:25 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-02-02 17:25 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2008-01-28 02:06 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-26 19:39 --------- d-----w C:\Program Files\ParticleG
2008-01-26 19:09 --------- d-----w C:\Program Files\Java
2008-01-25 22:30 --------- d-----w C:\Program Files\Norton SystemWorks
2008-01-21 22:11 --------- d-----w C:\Documents and Settings\The Prodigal Son\Application Data\ZoomBrowser EX
2008-01-21 21:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-01-20 16:51 --------- d-----w C:\Program Files\Symantec
2008-01-20 16:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-13 17:56 --------- d-----w C:\Program Files\Google
2007-12-25 06:03 --------- d-----w C:\Program Files\Trend Micro
2007-12-24 23:31 4,194,304,000 --sha-w C:\gobackio.bin
2007-12-24 19:04 --------- d-----w C:\Documents and Settings\The Prodigal Son\Application Data\SUPERAntiSpyware.com
2007-12-24 19:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-24 18:37 --------- d-----w C:\Program Files\Focus MP3 Recorder
2007-12-24 03:02 --------- d-----w C:\Documents and Settings\The Prodigal Son\Application Data\PrevxCSI
2007-12-24 03:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-23 18:07 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2004-08-28 01:17 450,560 -c----w C:\Documents and Settings\Dominick\chatlnk.exe
2003-08-27 19:19 36,963 -c----r C:\Program Files\Common Files\SM1updtr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{dc19ac4c-c6ea-435d-bfc1-8065623994e5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EB4E125E-8517-485C-83AC-3B41049D1D47}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-01-05 11:06 1694208]
"corrida"="vxdman.exe" []
"SYSTRAV"="Serviceprocess.exe" []
"porka_"="AppMasterCenter.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"swg"="E:\C 2006-11-19 23;31;44\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe" [2006-10-16 22:00 163576]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-12-29 14:03 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="E:\C 2006-11-19 23;31;44\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 11:52 339968]
"ASUS Probe"="E:\C 2006-11-19 23;31;44\Program Files\ASUS\Probe\AsusProb.exe" [2002-12-06 15:07 617984]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint 5.2\IPoint\SETUP\Files\point32.exe" [2004-06-03 01:50 204800]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Symantec NetDriver Monitor"="E:\C 2006-11-19 23;31;44\Program Files\SymNetDrv\SNDMon.exe" [2005-11-03 19:10 100056]
"Adobe Reader Speed Launcher"="E:\C 2006-11-19 23;31;44\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" [2005-09-24 01:05 29696]
"QuickTime Task"="E:\C 2006-11-19 23;31;44\Program Files\QuickTime\qttask.exe" [2006-07-14 22:52 282624]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-13 12:45 579072]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-12-28 20:28 54296]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2007-12-28 20:28 58392]
"GhostStartTrayApp"="C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe" [2007-12-28 20:28 94208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-13 12:45 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
GoBack.lnk - C:\Program Files\Roxio\GoBack\GBTray.exe [2004-08-22 18:51:24 524288]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="cslej.exe"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dmncn.exe]
C:\WINDOWS\system32\dmncn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2003-10-31 18:42 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SM1BG]
-r------- 2003-08-27 14:20 94208 C:\WINDOWS\SM1BG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\startman]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
--------- 2004-11-10 23:15 111816 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ERSvc"=2 (0x2)
"Adobe LM Service"=3 (0x3)

R0 GBDevice;GBDevice;C:\WINDOWS\system32\drivers\GBDevice.sys [2002-01-21 11:37]
R0 GoBack2K;GoBack2K;C:\WINDOWS\system32\drivers\GoBack2K.sys [2002-01-21 11:36]
R1 GhPciScan;GhostPciScanner;C:\Program Files\Norton SystemWorks\Norton Ghost\ghpciscan.sys [2002-08-14 15:11]
R2 GBFSHook;GBFSHook;C:\WINDOWS\system32\drivers\GBFSHook.sys [2002-01-21 11:37]
R3 NPDriver;Norton Unerase Protection Driver;C:\WINDOWS\system32\Drivers\NPDRIVER.SYS [2002-08-14 06:03]
S3 ICAM3NT5;Intel USB Video Camera III;C:\WINDOWS\system32\Drivers\Icam3.sys [2001-08-17 13:05]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-02 15:08:19 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-02-01 23:01:30 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2008-02-02 17:34:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 12:30:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\cscript.exe
.
**************************************************************************
.
Completion time: 2008-02-02 12:35:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-02 17:35:33
ComboFix2.txt 2008-02-02 16:48:55
.
2008-01-10 08:03:27 --- E O F ---

HiJackThis LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:41:48 PM, on 2/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
E:\C 2006-11-19 23;31;44\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
E:\C 2006-11-19 23;31;44\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
E:\C 2006-11-19 23;31;44\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {B75A20FA-3904-32FF-D2A1-8BA5644B577C} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: {5e499326-5608-1cfb-d534-ae6cc4ca91cd} - {dc19ac4c-c6ea-435d-bfc1-8065623994e5} - (no file)
O2 - BHO: (no name) - {EB4E125E-8517-485C-83AC-3B41049D1D47} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] E:\C 2006-11-19 23;31;44\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ASUS Probe] E:\C 2006-11-19 23;31;44\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint 5.2\IPoint\SETUP\Files\point32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\C 2006-11-19 23;31;44\Program Files\SymNetDrv\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] E:\C 2006-11-19 23;31;44\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\C 2006-11-19 23;31;44\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [corrida] vxdman.exe
O4 - HKCU\..\Run: [SYSTRAV] Serviceprocess.exe
O4 - HKCU\..\Run: [porka_] AppMasterCenter.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] E:\C 2006-11-19 23;31;44\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/us/sec...an/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093183032953
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1176080121296
O17 - HKLM\System\CCS\Services\Tcpip\..\{BABBCB70-5A75-463A-88A6-FA942A4EF484}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CE060BFA-A084-4070-B61A-9A4A0728EF39}: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 9774 bytes

THANKS!

#9
Rorschach112

Posted 02 February 2008 - 12:59 PM

Ralphie

Retired Staff
47,710 posts

Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\dmncn.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dmncn.exe]

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

R3 - URLSearchHook: (no name) - {B75A20FA-3904-32FF-D2A1-8BA5644B577C} - (no file)
O2 - BHO: {5e499326-5608-1cfb-d534-ae6cc4ca91cd} - {dc19ac4c-c6ea-435d-bfc1-8065623994e5} - (no file)
O2 - BHO: (no name) - {EB4E125E-8517-485C-83AC-3B41049D1D47} - (no file)
O4 - HKCU\..\Run: [corrida] vxdman.exe
O4 - HKCU\..\Run: [SYSTRAV] Serviceprocess.exe
O4 - HKCU\..\Run: [porka_] AppMasterCenter.exe

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

Reboot and post a new HijackThis log

#10
dddcar

Posted 02 February 2008 - 01:50 PM

Member

Topic Starter
Member
10 posts

Hi,

Everything went ok, still getting the following but I feel like they might be related to something else so no big deal.

- An 'Entry Point Not Found CCRegVfy.exe' window popped up when my computer restarted that read 'The procedure entry point ?AlertSettingsViolationAAYAXK@Z Could not be located in the dynamic link library CCREGMON.dll.'

- Microsoft Intellipoint Window is still opening upon entry

- Also some window about SuperAntiSpyware.exe file not starting
Not a big deal I'm sure I can get rid of this

Logs are below, if you don't need the ComboFix Log any more happy to stop posting it, just let me know.

Thanks!

ComboFix LOG

ComboFix 08-02.02.5 - The Prodigal Son 2008-02-02 14:33:51.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.202 [GMT -5:00]
Running from: C:\Documents and Settings\The Prodigal Son\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\The Prodigal Son\Desktop\OPERATION FIX VIRUS\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\dmncn.exe
.

((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))
.

2008-01-27 20:23 . 2008-01-27 20:23 557,056 --a------ C:\Documents and Settings\Dominick\GoToAssist_phone__317_en.exe
2008-01-26 14:48 . 2008-01-26 14:48 <DIR> d-------- C:\VundoFix Backups
2008-01-20 11:53 . 2008-01-20 11:53 32 --ahs---- C:\WINDOWS\system32\{5EA08C94-6BBC-4535-9147-DAFD2BD0033C}.dat
2008-01-20 11:53 . 2008-01-20 11:53 32 --ahs---- C:\WINDOWS\{B5E2E974-54C4-454E-B46B-9578C8266F15}.dat
2008-01-20 11:52 . 2008-01-20 11:52 32 --ahs---- C:\WINDOWS\system32\{C96919BD-BFB6-4FBB-8692-1D2A141AD344}.dat
2008-01-20 11:52 . 2008-01-20 11:52 32 --ahs---- C:\WINDOWS\{346C4F16-7C1C-413C-BB94-078D45F7A913}.dat
2008-01-20 11:51 . 2008-01-20 11:51 32 --ahs---- C:\WINDOWS\system32\{933638AD-76F7-493E-B02A-DCF0943683FA}.dat
2008-01-20 11:51 . 2008-01-20 11:51 32 --ahs---- C:\WINDOWS\{96AE22BC-5715-4B43-8533-27020211E4B4}.dat
2008-01-20 11:50 . 2002-08-14 06:03 34,578 --a------ C:\WINDOWS\system32\drivers\NPDRIVER.SYS
2008-01-20 11:50 . 2002-08-14 06:03 31,744 --a------ C:\WINDOWS\system32\S32STAT.DLL
2008-01-20 11:49 . 2002-08-13 17:00 182,784 --a------ C:\WINDOWS\system32\ddao35.dll
2008-01-20 11:49 . 2002-08-13 17:00 94,208 --a------ C:\WINDOWS\system32\qdcsinet.dll
2008-01-20 11:49 . 2002-08-13 17:00 86,016 --a------ C:\WINDOWS\system32\apitrap.dll
2008-01-20 11:49 . 2002-08-13 17:00 13,792 --a------ C:\WINDOWS\system32\drivers\qdfsdrv.sys
2008-01-20 11:49 . 2008-01-20 11:49 32 --ahs---- C:\WINDOWS\system32\{BDE223A3-C2D1-4FA4-8568-F0D45A3ED5AA}.dat
2008-01-20 11:49 . 2008-01-20 11:49 32 --ahs---- C:\WINDOWS\system32\{9D03B736-97A3-40C9-B40B-5ED10FC7ACE8}.dat
2008-01-20 11:49 . 2008-01-20 11:49 32 --ahs---- C:\WINDOWS\system32\{0AEE89A4-2494-44F5-8DC5-C2CB5F0E8624}.dat
2008-01-20 11:49 . 2008-01-20 11:49 32 --ahs---- C:\WINDOWS\{B1B16FC6-239A-4B36-BAA0-D3B5E4F2AA22}.dat
2008-01-20 11:49 . 2008-01-20 11:49 32 --ahs---- C:\WINDOWS\{A124F442-EEF6-44B6-9EF9-D4BBA0A4D275}.dat
2008-01-20 11:49 . 2008-01-20 11:49 32 --ahs---- C:\WINDOWS\{4848229A-C621-4158-8E90-221D4F5824FB}.dat
2008-01-20 11:48 . 2002-08-14 14:03 45,056 --a------ C:\WINDOWS\system32\WNASPI2K.BAK
2008-01-20 11:48 . 2002-08-14 14:03 17,005 --a------ C:\WINDOWS\system32\drivers\ASPI2K.BAK
2008-01-20 11:48 . 2002-08-14 14:03 5,600 --a------ C:\WINDOWS\system\WINASPI.BAK
2008-01-20 11:48 . 2002-08-14 14:03 4,672 --a------ C:\WINDOWS\system\WOWPOST.BAK
2008-01-20 11:47 . 2008-01-20 11:47 32 --ahs---- C:\WINDOWS\system32\{BE1ACE46-4A86-45E8-A99E-5FB03A81E906}.dat
2008-01-20 11:47 . 2008-01-20 11:47 32 --ahs---- C:\WINDOWS\{A6C91350-E81C-47FB-A7B4-7A51B163BA20}.dat
2008-01-20 11:47 . 2008-01-20 11:47 14 --a------ C:\WINDOWS\system32\SR2.dat
2008-01-13 20:05 . 2008-02-02 11:22 <DIR> d-------- C:\Documents and Settings\The Prodigal Son\Application Data\AVG7
2008-01-13 12:57 . 2008-01-24 04:11 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-01-13 12:57 . 2008-01-13 12:57 <DIR> d-------- C:\Documents and Settings\Dominick\Application Data\PC Tools
2008-01-13 12:57 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-01-13 12:57 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-01-13 12:57 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-01-13 12:57 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-01-13 12:45 . 2008-01-13 12:45 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-13 12:45 . 2008-02-02 08:00 <DIR> d-------- C:\Documents and Settings\Dominick\Application Data\AVG7
2008-01-13 12:45 . 2008-01-13 12:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-13 12:45 . 2008-01-13 12:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-05 10:13 . 2008-01-05 10:13 1,283,174 --a------ C:\Install

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-02 17:32 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-02 17:25 --------- d-----w C:\Program Files\TomTom HOME
2008-02-02 17:25 --------- d-----w C:\Program Files\SymNetDrv
2008-02-02 17:25 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-02-02 17:25 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2008-01-28 02:06 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-26 19:39 --------- d-----w C:\Program Files\ParticleG
2008-01-26 19:09 --------- d-----w C:\Program Files\Java
2008-01-25 22:30 --------- d-----w C:\Program Files\Norton SystemWorks
2008-01-21 22:11 --------- d-----w C:\Documents and Settings\The Prodigal Son\Application Data\ZoomBrowser EX
2008-01-21 21:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-01-20 16:51 --------- d-----w C:\Program Files\Symantec
2008-01-20 16:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-13 17:56 --------- d-----w C:\Program Files\Google
2007-12-25 06:03 --------- d-----w C:\Program Files\Trend Micro
2007-12-24 23:31 4,194,304,000 --sha-w C:\gobackio.bin
2007-12-24 19:04 --------- d-----w C:\Documents and Settings\The Prodigal Son\Application Data\SUPERAntiSpyware.com
2007-12-24 19:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-24 18:37 --------- d-----w C:\Program Files\Focus MP3 Recorder
2007-12-24 03:02 --------- d-----w C:\Documents and Settings\The Prodigal Son\Application Data\PrevxCSI
2007-12-24 03:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-23 18:07 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2004-08-28 01:17 450,560 -c----w C:\Documents and Settings\Dominick\chatlnk.exe
2003-08-27 19:19 36,963 -c----r C:\Program Files\Common Files\SM1updtr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{dc19ac4c-c6ea-435d-bfc1-8065623994e5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EB4E125E-8517-485C-83AC-3B41049D1D47}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-01-05 11:06 1694208]
"corrida"="vxdman.exe" []
"SYSTRAV"="Serviceprocess.exe" []
"porka_"="AppMasterCenter.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"swg"="E:\C 2006-11-19 23;31;44\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe" [2006-10-16 22:00 163576]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-12-29 14:03 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="E:\C 2006-11-19 23;31;44\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 11:52 339968]
"ASUS Probe"="E:\C 2006-11-19 23;31;44\Program Files\ASUS\Probe\AsusProb.exe" [2002-12-06 15:07 617984]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint 5.2\IPoint\SETUP\Files\point32.exe" [2004-06-03 01:50 204800]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Symantec NetDriver Monitor"="E:\C 2006-11-19 23;31;44\Program Files\SymNetDrv\SNDMon.exe" [2005-11-03 19:10 100056]
"Adobe Reader Speed Launcher"="E:\C 2006-11-19 23;31;44\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" [2005-09-24 01:05 29696]
"QuickTime Task"="E:\C 2006-11-19 23;31;44\Program Files\QuickTime\qttask.exe" [2006-07-14 22:52 282624]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-13 12:45 579072]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-12-28 20:28 54296]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2007-12-28 20:28 58392]
"GhostStartTrayApp"="C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe" [2007-12-28 20:28 94208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-13 12:45 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
GoBack.lnk - C:\Program Files\Roxio\GoBack\GBTray.exe [2004-08-22 18:51:24 524288]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2003-10-31 18:42 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SM1BG]
-r------- 2003-08-27 14:20 94208 C:\WINDOWS\SM1BG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\startman]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
--------- 2004-11-10 23:15 111816 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ERSvc"=2 (0x2)
"Adobe LM Service"=3 (0x3)

R0 GBDevice;GBDevice;C:\WINDOWS\system32\drivers\GBDevice.sys [2002-01-21 11:37]
R0 GoBack2K;GoBack2K;C:\WINDOWS\system32\drivers\GoBack2K.sys [2002-01-21 11:36]
R1 GhPciScan;GhostPciScanner;C:\Program Files\Norton SystemWorks\Norton Ghost\ghpciscan.sys [2002-08-14 15:11]
R2 GBFSHook;GBFSHook;C:\WINDOWS\system32\drivers\GBFSHook.sys [2002-01-21 11:37]
R3 NPDriver;Norton Unerase Protection Driver;C:\WINDOWS\system32\Drivers\NPDRIVER.SYS [2002-08-14 06:03]
S3 ICAM3NT5;Intel USB Video Camera III;C:\WINDOWS\system32\Drivers\Icam3.sys [2001-08-17 13:05]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-02 15:08:19 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-02-01 23:01:30 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2008-02-02 19:34:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 14:36:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-02 14:37:07
ComboFix-quarantined-files.txt 2008-02-02 19:37:02
ComboFix2.txt 2008-02-02 17:35:39
ComboFix3.txt 2008-02-02 16:48:55
.
2008-01-10 08:03:27 --- E O F ---

HiJackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:45:26 PM, on 2/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
E:\C 2006-11-19 23;31;44\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
E:\C 2006-11-19 23;31;44\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
E:\C 2006-11-19 23;31;44\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EB4E125E-8517-485C-83AC-3B41049D1D47} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] E:\C 2006-11-19 23;31;44\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ASUS Probe] E:\C 2006-11-19 23;31;44\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint 5.2\IPoint\SETUP\Files\point32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\C 2006-11-19 23;31;44\Program Files\SymNetDrv\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] E:\C 2006-11-19 23;31;44\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\C 2006-11-19 23;31;44\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] E:\C 2006-11-19 23;31;44\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/us/sec...an/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093183032953
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1176080121296
O17 - HKLM\System\CCS\Services\Tcpip\..\{BABBCB70-5A75-463A-88A6-FA942A4EF484}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CE060BFA-A084-4070-B61A-9A4A0728EF39}: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 9401 bytes

#11
Rorschach112

Posted 03 February 2008 - 10:58 AM

Ralphie

Retired Staff
47,710 posts

Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O2 - BHO: (no name) - {EB4E125E-8517-485C-83AC-3B41049D1D47} - (no file)

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"corrida"=-
"SYSTRAV"=-
"porka_"=-

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Double-click SUPERAntiSpyware.exe and use the default settings for installation.
An icon will be created on your desktop. Double-click that icon to launch the program.
If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
Under "Configuration and Preferences", click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked (leave all others unchecked):
- Close browsers before scanning.
- Scan for tracking cookies.
- Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen.
Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
On the left, make sure you check C:\Fixed Drive.
On the right, under "Complete Scan", choose Perform Complete Scan.
Click "Next" to start the scan. Please be patient while it scans your computer.
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
Make sure everything has a checkmark next to it and click "Next".
A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
If asked if you want to reboot, click "Yes".
To retrieve the removal information after reboot, launch SUPERAntispyware again.
- Click Preferences, then click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
- Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Reboot and post a new HijackThis log

#12
dddcar

Posted 04 February 2008 - 06:53 PM

Member

Topic Starter
Member
10 posts

Hi,

Sorry for the delay, the Spyware check took a couple of hours and the Super Bowl was yeserday so was a little crazy. Logs are below. You will note I posted two SuperAntiSpyware logs because I ran the Spyware twice, since I wasn't sure if I executed it the first time. Thus one has yesterdays date and one has today's date, so please feel free to reference whichever one you prefer.

Super Anti Spyware 3-Feb

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/03/2008 at 07:55 PM

Application Version : 3.9.1008

Core Rules Database Version : 3394
Trace Rules Database Version: 1386

Scan type : Complete Scan
Total Scan Time : 05:17:53

Memory items scanned : 502
Memory threats detected : 0
Registry items scanned : 5962
Registry threats detected : 1
File items scanned : 188113
File threats detected : 61

Adware.Tracking Cookie
C:\Documents and Settings\The Prodigal Son\Cookies\the prodigal [email protected][2].txt
C:\Documents and Settings\The Prodigal Son\Cookies\the prodigal [email protected][1].txt
C:\Documents and Settings\The Prodigal Son\Cookies\the prodigal [email protected][2].txt
C:\Documents and Settings\The Prodigal Son\Cookies\the prodigal son@zedo[2].txt
C:\Documents and Settings\The Prodigal Son\Cookies\the prodigal [email protected][1].txt
C:\Documents and Settings\The Prodigal Son\Cookies\the prodigal [email protected][2].txt
C:\Documents and Settings\The Prodigal Son\Cookies\the prodigal [email protected][1].txt
C:\Documents and Settings\The Prodigal Son\Cookies\the prodigal son@casalemedia[1].txt
C:\Documents and Settings\The Prodigal Son\Cookies\the prodigal son@atdmt[1].txt
C:\Documents and Settings\The Prodigal Son\Cookies\the prodigal son@2o7[2].txt
C:\Documents and Settings\The Prodigal Son\Cookies\the prodigal son@amsterdamlivexxx[1].txt
C:\Documents and Settings\The Prodigal Son\Cookies\the prodigal [email protected][1].txt
C:\Documents and Settings\The Prodigal Son\Cookies\the prodigal son@adbrite[2].txt
C:\Documents and Settings\The Prodigal Son\Cookies\the prodigal son@questionmarket[2].txt
C:\Documents and Settings\The Prodigal Son\Cookies\the prodigal son@tacoda[2].txt
C:\Documents and Settings\The Prodigal Son\Cookies\the prodigal son@doubleclick[1].txt
C:\Documents and Settings\The Prodigal Son\Cookies\the prodigal son@advertising[2].txt
C:\Documents and Settings\The Prodigal Son\Cookies\the prodigal son@adultfriendfinder[1].txt
C:\Documents and Settings\Annette\Cookies\annette@2o7[1].txt
C:\Documents and Settings\Annette\Cookies\[email protected][2].txt
C:\Documents and Settings\Annette\Cookies\annette@adbrite[2].txt
C:\Documents and Settings\Annette\Cookies\[email protected][2].txt
C:\Documents and Settings\Annette\Cookies\annette@adserver[1].txt
C:\Documents and Settings\Annette\Cookies\annette@advertising[1].txt
C:\Documents and Settings\Annette\Cookies\[email protected][1].txt
C:\Documents and Settings\Annette\Cookies\[email protected][1].txt
C:\Documents and Settings\Annette\Cookies\annette@apmebf[2].txt
C:\Documents and Settings\Annette\Cookies\annette@atdmt[2].txt
C:\Documents and Settings\Annette\Cookies\annette@burstnet[2].txt
C:\Documents and Settings\Annette\Cookies\annette@casalemedia[1].txt
C:\Documents and Settings\Annette\Cookies\annette@collective-media[1].txt
C:\Documents and Settings\Annette\Cookies\annette@doubleclick[1].txt
C:\Documents and Settings\Annette\Cookies\annette@fastclick[2].txt
C:\Documents and Settings\Annette\Cookies\[email protected][1].txt
C:\Documents and Settings\Annette\Cookies\annette@overture[2].txt
C:\Documents and Settings\Annette\Cookies\annette@partner2profit[2].txt
C:\Documents and Settings\Annette\Cookies\annette@questionmarket[2].txt
C:\Documents and Settings\Annette\Cookies\[email protected][1].txt
C:\Documents and Settings\Annette\Cookies\annette@revsci[1].txt
C:\Documents and Settings\Annette\Cookies\[email protected][2].txt
C:\Documents and Settings\Annette\Cookies\[email protected][1].txt
C:\Documents and Settings\Annette\Cookies\annette@statcounter[1].txt
C:\Documents and Settings\Annette\Cookies\annette@tacoda[1].txt
C:\Documents and Settings\Annette\Cookies\annette@tribalfusion[1].txt
C:\Documents and Settings\Annette\Cookies\[email protected][1].txt
C:\Documents and Settings\Annette\Cookies\[email protected][2].txt
C:\Documents and Settings\Annette\Cookies\annette@zedo[1].txt
C:\Documents and Settings\Dominick\Cookies\dominick@2o7[1].txt
C:\Documents and Settings\Dominick\Cookies\dominick@nandomedia[1].txt
C:\Documents and Settings\Dominick\Cookies\dominick@revsci[1].txt
C:\Documents and Settings\Dominick\Cookies\dominick@tacoda[2].txt

Adware.AdSponsor/ISM
HKU\S-1-5-21-1957994488-362288127-725345543-1006\Software\QdrModule
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4384A9FF-63F0-4233-9762-7443BC02109B}\RP870\A0119131.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4384A9FF-63F0-4233-9762-7443BC02109B}\RP874\A0125023.DLL

Adware.SBSoft
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4384A9FF-63F0-4233-9762-7443BC02109B}\RP874\A0122953.DLL
E:\SYSTEM VOLUME INFORMATION\_RESTORE{4384A9FF-63F0-4233-9762-7443BC02109B}\RP874\A0122954.DLL

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4384A9FF-63F0-4233-9762-7443BC02109B}\RP874\A0122957.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4384A9FF-63F0-4233-9762-7443BC02109B}\RP874\A0122958.EXE
E:\SYSTEM VOLUME INFORMATION\_RESTORE{4384A9FF-63F0-4233-9762-7443BC02109B}\RP874\A0122959.EXE
E:\SYSTEM VOLUME INFORMATION\_RESTORE{4384A9FF-63F0-4233-9762-7443BC02109B}\RP874\A0122960.EXE

Adware.WhenU
E:\SYSTEM VOLUME INFORMATION\_RESTORE{4384A9FF-63F0-4233-9762-7443BC02109B}\RP874\A0122961.EXE

BearShare File Sharing Client
E:\C 2006-11-19 23;31;44\PROGRAM FILES\BEARSHARE\BEARSHARE.EXE

Super Anti Spyware 4-Feb

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/04/2008 at 04:32 AM

Application Version : 3.9.1008

Core Rules Database Version : 3394
Trace Rules Database Version: 1386

Scan type : Complete Scan
Total Scan Time : 05:00:51

Memory items scanned : 387
Memory threats detected : 0
Registry items scanned : 5672
Registry threats detected : 0
File items scanned : 188776
File threats detected : 15

Adware.Tracking Cookie
C:\Documents and Settings\Annette\Cookies\[email protected][1].txt
C:\Documents and Settings\Annette\Cookies\[email protected][1].txt
C:\Documents and Settings\Annette\Cookies\annette@adtech[1].txt
C:\Documents and Settings\Annette\Cookies\annette@trafficmp[1].txt
C:\Documents and Settings\Annette\Cookies\annette@zedo[2].txt

Trojan.Unknown Origin
C:\RECYCLER\NPROTECT\01118667
C:\RECYCLER\NPROTECT\01118669
C:\RECYCLER\NPROTECT\01118702
C:\RECYCLER\NPROTECT\01118706

Adware.AdSponsor/ISM
C:\RECYCLER\NPROTECT\01118699
C:\RECYCLER\NPROTECT\01118712

Adware.SBSoft
C:\RECYCLER\NPROTECT\01118701
C:\RECYCLER\NPROTECT\01118716

Adware.WhenU
C:\RECYCLER\NPROTECT\01118704

BearShare File Sharing Client
E:\C 2006-11-19 23;31;44\PROGRAM FILES\BEARSHARE\BEARSHARE.EXE

HiJAck this

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:47:58 PM, on 2/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
E:\C 2006-11-19 23;31;44\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
E:\C 2006-11-19 23;31;44\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
E:\C 2006-11-19 23;31;44\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] E:\C 2006-11-19 23;31;44\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ASUS Probe] E:\C 2006-11-19 23;31;44\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint 5.2\IPoint\SETUP\Files\point32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\C 2006-11-19 23;31;44\Program Files\SymNetDrv\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] E:\C 2006-11-19 23;31;44\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\C 2006-11-19 23;31;44\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] E:\C 2006-11-19 23;31;44\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/us/sec...an/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093183032953
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1176080121296
O17 - HKLM\System\CCS\Services\Tcpip\..\{BABBCB70-5A75-463A-88A6-FA942A4EF484}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CE060BFA-A084-4070-B61A-9A4A0728EF39}: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 9469 bytes

ComboFix

ComboFix 08-02.02.5 - The Prodigal Son 2008-02-03 14:01:00.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.180 [GMT -5:00]
Running from: C:\Documents and Settings\The Prodigal Son\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\The Prodigal Son\Desktop\OPERATION FIX VIRUS\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-03 to 2008-02-03 )))))))))))))))))))))))))))))))
.

2008-01-27 20:23 . 2008-01-27 20:23 557,056 --a------ C:\Documents and Settings\Dominick\GoToAssist_phone__317_en.exe
2008-01-26 14:48 . 2008-01-26 14:48 <DIR> d-------- C:\VundoFix Backups
2008-01-20 11:53 . 2008-01-20 11:53 32 --ahs---- C:\WINDOWS\system32\{5EA08C94-6BBC-4535-9147-DAFD2BD0033C}.dat
2008-01-20 11:53 . 2008-01-20 11:53 32 --ahs---- C:\WINDOWS\{B5E2E974-54C4-454E-B46B-9578C8266F15}.dat
2008-01-20 11:52 . 2008-01-20 11:52 32 --ahs---- C:\WINDOWS\system32\{C96919BD-BFB6-4FBB-8692-1D2A141AD344}.dat
2008-01-20 11:52 . 2008-01-20 11:52 32 --ahs---- C:\WINDOWS\{346C4F16-7C1C-413C-BB94-078D45F7A913}.dat
2008-01-20 11:51 . 2008-01-20 11:51 32 --ahs---- C:\WINDOWS\system32\{933638AD-76F7-493E-B02A-DCF0943683FA}.dat
2008-01-20 11:51 . 2008-01-20 11:51 32 --ahs---- C:\WINDOWS\{96AE22BC-5715-4B43-8533-27020211E4B4}.dat
2008-01-20 11:50 . 2002-08-14 06:03 34,578 --a------ C:\WINDOWS\system32\drivers\NPDRIVER.SYS
2008-01-20 11:50 . 2002-08-14 06:03 31,744 --a------ C:\WINDOWS\system32\S32STAT.DLL
2008-01-20 11:49 . 2002-08-13 17:00 182,784 --a------ C:\WINDOWS\system32\ddao35.dll
2008-01-20 11:49 . 2002-08-13 17:00 94,208 --a------ C:\WINDOWS\system32\qdcsinet.dll
2008-01-20 11:49 . 2002-08-13 17:00 86,016 --a------ C:\WINDOWS\system32\apitrap.dll
2008-01-20 11:49 . 2002-08-13 17:00 13,792 --a------ C:\WINDOWS\system32\drivers\qdfsdrv.sys
2008-01-20 11:49 . 2008-01-20 11:49 32 --ahs---- C:\WINDOWS\system32\{BDE223A3-C2D1-4FA4-8568-F0D45A3ED5AA}.dat
2008-01-20 11:49 . 2008-01-20 11:49 32 --ahs---- C:\WINDOWS\system32\{9D03B736-97A3-40C9-B40B-5ED10FC7ACE8}.dat
2008-01-20 11:49 . 2008-01-20 11:49 32 --ahs---- C:\WINDOWS\system32\{0AEE89A4-2494-44F5-8DC5-C2CB5F0E8624}.dat
2008-01-20 11:49 . 2008-01-20 11:49 32 --ahs---- C:\WINDOWS\{B1B16FC6-239A-4B36-BAA0-D3B5E4F2AA22}.dat
2008-01-20 11:49 . 2008-01-20 11:49 32 --ahs---- C:\WINDOWS\{A124F442-EEF6-44B6-9EF9-D4BBA0A4D275}.dat
2008-01-20 11:49 . 2008-01-20 11:49 32 --ahs---- C:\WINDOWS\{4848229A-C621-4158-8E90-221D4F5824FB}.dat
2008-01-20 11:48 . 2002-08-14 14:03 45,056 --a------ C:\WINDOWS\system32\WNASPI2K.BAK
2008-01-20 11:48 . 2002-08-14 14:03 17,005 --a------ C:\WINDOWS\system32\drivers\ASPI2K.BAK
2008-01-20 11:48 . 2002-08-14 14:03 5,600 --a------ C:\WINDOWS\system\WINASPI.BAK
2008-01-20 11:48 . 2002-08-14 14:03 4,672 --a------ C:\WINDOWS\system\WOWPOST.BAK
2008-01-20 11:47 . 2008-01-20 11:47 32 --ahs---- C:\WINDOWS\system32\{BE1ACE46-4A86-45E8-A99E-5FB03A81E906}.dat
2008-01-20 11:47 . 2008-01-20 11:47 32 --ahs---- C:\WINDOWS\{A6C91350-E81C-47FB-A7B4-7A51B163BA20}.dat
2008-01-20 11:47 . 2008-01-20 11:47 14 --a------ C:\WINDOWS\system32\SR2.dat
2008-01-13 20:05 . 2008-02-03 08:00 <DIR> d-------- C:\Documents and Settings\The Prodigal Son\Application Data\AVG7
2008-01-13 12:57 . 2008-01-24 04:11 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-01-13 12:57 . 2008-01-13 12:57 <DIR> d-------- C:\Documents and Settings\Dominick\Application Data\PC Tools
2008-01-13 12:57 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-01-13 12:57 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-01-13 12:57 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-01-13 12:57 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-01-13 12:45 . 2008-01-13 12:45 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-13 12:45 . 2008-02-02 08:00 <DIR> d-------- C:\Documents and Settings\Dominick\Application Data\AVG7
2008-01-13 12:45 . 2008-01-13 12:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-13 12:45 . 2008-01-13 12:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-05 10:13 . 2008-01-05 10:13 1,283,174 --a------ C:\Install

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-02 22:17 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-02 17:25 --------- d-----w C:\Program Files\TomTom HOME
2008-02-02 17:25 --------- d-----w C:\Program Files\SymNetDrv
2008-02-02 17:25 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-02-02 17:25 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2008-01-28 02:06 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-26 19:39 --------- d-----w C:\Program Files\ParticleG
2008-01-26 19:09 --------- d-----w C:\Program Files\Java
2008-01-25 22:30 --------- d-----w C:\Program Files\Norton SystemWorks
2008-01-21 22:11 --------- d-----w C:\Documents and Settings\The Prodigal Son\Application Data\ZoomBrowser EX
2008-01-21 21:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-01-20 16:51 --------- d-----w C:\Program Files\Symantec
2008-01-20 16:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-13 17:56 --------- d-----w C:\Program Files\Google
2007-12-25 06:03 --------- d-----w C:\Program Files\Trend Micro
2007-12-24 23:31 4,194,304,000 --sha-w C:\gobackio.bin
2007-12-24 19:04 --------- d-----w C:\Documents and Settings\The Prodigal Son\Application Data\SUPERAntiSpyware.com
2007-12-24 19:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-24 18:37 --------- d-----w C:\Program Files\Focus MP3 Recorder
2007-12-24 03:02 --------- d-----w C:\Documents and Settings\The Prodigal Son\Application Data\PrevxCSI
2007-12-24 03:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-23 18:07 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2004-08-28 01:17 450,560 -c----w C:\Documents and Settings\Dominick\chatlnk.exe
2003-08-27 19:19 36,963 -c----r C:\Program Files\Common Files\SM1updtr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-01-05 11:06 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"swg"="E:\C 2006-11-19 23;31;44\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe" [2006-10-16 22:00 163576]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-12-29 14:03 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="E:\C 2006-11-19 23;31;44\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 11:52 339968]
"ASUS Probe"="E:\C 2006-11-19 23;31;44\Program Files\ASUS\Probe\AsusProb.exe" [2002-12-06 15:07 617984]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint 5.2\IPoint\SETUP\Files\point32.exe" [2004-06-03 01:50 204800]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Symantec NetDriver Monitor"="E:\C 2006-11-19 23;31;44\Program Files\SymNetDrv\SNDMon.exe" [2005-11-03 19:10 100056]
"Adobe Reader Speed Launcher"="E:\C 2006-11-19 23;31;44\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" [2005-09-24 01:05 29696]
"QuickTime Task"="E:\C 2006-11-19 23;31;44\Program Files\QuickTime\qttask.exe" [2006-07-14 22:52 282624]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-13 12:45 579072]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-12-28 20:28 54296]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2007-12-28 20:28 58392]
"GhostStartTrayApp"="C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe" [2007-12-28 20:28 94208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-13 12:45 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
GoBack.lnk - C:\Program Files\Roxio\GoBack\GBTray.exe [2004-08-22 18:51:24 524288]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2003-10-31 18:42 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SM1BG]
-r------- 2003-08-27 14:20 94208 C:\WINDOWS\SM1BG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\startman]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
--------- 2004-11-10 23:15 111816 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ERSvc"=2 (0x2)
"Adobe LM Service"=3 (0x3)

R0 GBDevice;GBDevice;C:\WINDOWS\system32\drivers\GBDevice.sys [2002-01-21 11:37]
R0 GoBack2K;GoBack2K;C:\WINDOWS\system32\drivers\GoBack2K.sys [2002-01-21 11:36]
R1 GhPciScan;GhostPciScanner;C:\Program Files\Norton SystemWorks\Norton Ghost\ghpciscan.sys [2002-08-14 15:11]
R2 GBFSHook;GBFSHook;C:\WINDOWS\system32\drivers\GBFSHook.sys [2002-01-21 11:37]
R3 NPDriver;Norton Unerase Protection Driver;C:\WINDOWS\system32\Drivers\NPDRIVER.SYS [2002-08-14 06:03]
S3 ICAM3NT5;Intel USB Video Camera III;C:\WINDOWS\system32\Drivers\Icam3.sys [2001-08-17 13:05]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-02 15:08:19 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\NAVW32.exe
"2008-02-01 23:01:30 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2008-02-03 19:04:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-03 14:05:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-03 14:06:20
ComboFix-quarantined-files.txt 2008-02-03 19:06:06
ComboFix2.txt 2008-02-03 18:58:01
ComboFix3.txt 2008-02-02 17:35:39
ComboFix4.txt 2008-02-02 16:48:55
.
2008-01-10 08:03:27 --- E O F ---

Thanks

#13
Rorschach112

Posted 05 February 2008 - 08:25 AM

Ralphie

Retired Staff
47,710 posts

Your logs are clean ! We need to do a few things

You can delete the tools that we used

You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here

Your using an old version of Adobe Acrobat Reader, this can leave your pc open to vulnerabilities, you can update it here :
http://www.adobe.com.../readstep2.html

Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK, Disk Cleanup will open and start calculating the amount of space that can be freed, Once thats finished it will open the Disk Cleanup options screen, click the More Options tab then click Clean up on the system restore area and choose Yes at the confirmation window which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.

Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure

Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.

#14
dddcar

Posted 09 February 2008 - 04:36 PM

Member

Topic Starter
Member
10 posts

Thanks so much! Computer is great! Thanks for your patience. I want to make a donation, can I reference your name?

Thanks!

#15
dddcar

Posted 09 February 2008 - 04:42 PM

Member

Topic Starter
Member
10 posts

Hey, Sorry one more thing. I just restarted and was recieving the same messages below. Clearly not a big deal as the virus was the big thing, but wasn't sure if this was a result of something I did during the fix. It it doens't rung a bell don't worry about it it's nothing major.

- An 'Entry Point Not Found CCRegVfy.exe' window popped up when my computer restarted that read 'The procedure entry point ?AlertSettingsViolationAAYAXK@Z Could not be located in the dynamic link library CCREGMON.dll.'

- Microsoft Intellipoint Window is still opening upon entry

Thanks!