
Help, Can't Restart Trojan.Vundo and Trojan.Metajuan [RESOLVED]


  • This topic is locked

#16
Matt T
  • Member
  • 674 posts
1) Recovery Console and ComboFix

Please download ComboFix from one of the locations below, and save it to your Desktop.

GeeksToGo
BleepingComputer
ForoSpyware

  • Go to Microsoft's Website: http://support.microsoft.com/kb/310994
  • Select the download that's appropriate to your Operating System.

    SP3 users should select the download for SP2

  • Download the file & save it without changing its default name, next to ComboFix.exe
  • Close all open windows and programs, then drag and drop the setup package onto ComboFix.exe as shown in the animation below.
    Posted Image
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • After installing the Recovery Console, please proceed with running ComboFix
  • When complete, you'll have a log named CF_RC.txt and another log from the ComboFix scan. Please post the contents of those logs in your next reply.

    Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.
In Your Next Post:
  • The logs from ComboFix
Regards,
Matt
  • 0



#17
pashka
  • Topic Starter
  • Member
  • 15 posts
Hi, I am having a little trouble with this. I did everything up to the reboot... and then my computer froze up as it was rebooting... also I have no idea where the logs are for the ComboFix that I'm supposed to post. Also I don't know if it did everything that it should have, because I had to manually turn off the computer (press the power button till it turned off), because of the fact that it froze as usual at the reboot.

Thanks in advance.
  • 0

#18
Matt T
  • Member
  • 674 posts
1) ComboFix

Try running ComboFix again (double click on it from your Desktop). The log should be saved at C:\ComboFix.txt.

In Your Next Post:
  • The log from ComboFix
Regards,
Matt
  • 0

#19
pashka
  • Topic Starter
  • Member
  • 15 posts
It worked this time, but I still had to shut it down manually... still having trouble shutting down. Here is the log:

ComboFix 08-08-10.06 - Pavel Likhonin 2008-08-11 21:54:25.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.528 [GMT -4:00]
Running from: C:\Documents and Settings\Pavel Likhonin\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\bijfyjgu.ini
C:\WINDOWS\system32\otmilwop.ini
C:\WINDOWS\system32\vrttelkd.ini
C:\WINDOWS\system32\wjcoxskx.ini

.
((((((((((((((((((((((((( Files Created from 2008-07-12 to 2008-08-12 )))))))))))))))))))))))))))))))
.

2008-08-08 18:47 . 2008-08-08 18:47 <DIR> d-------- C:\Program Files\Nero
2008-08-08 18:13 . 2008-06-24 13:45 1,414,440 --a------ C:\WINDOWS\system32\ShellManager310E2D762.dll
2008-08-08 18:13 . 2008-06-23 17:36 773,120 --a------ C:\WINDOWS\system32\NEROINSTAEC43759.DB
2008-08-08 18:12 . 2008-08-08 18:12 0 --a------ C:\WINDOWS\Irremote.ini
2008-08-08 18:00 . 2008-08-08 18:00 <DIR> d-------- C:\Documents and Settings\Pavel Likhonin\Application Data\Nero
2008-08-08 17:55 . 2008-08-08 18:47 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-08-08 17:55 . 2008-08-08 18:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-08-08 16:58 . 2008-08-08 17:39 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-08-08 16:58 . 2008-08-08 17:39 <DIR> d-------- C:\Program Files\AVS4YOU
2008-08-08 16:58 . 2008-08-08 16:58 <DIR> d-------- C:\Documents and Settings\Pavel Likhonin\Application Data\AVS4YOU
2008-08-08 16:58 . 2008-08-08 16:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-08-08 16:58 . 2006-03-03 10:02 658,432 --a------ C:\WINDOWS\system32\cc3270mt.dll
2008-08-08 16:58 . 2002-01-05 15:40 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2008-08-08 16:58 . 2003-05-21 13:50 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-08-04 19:37 . 2008-08-04 19:37 <DIR> d-------- C:\_OTMoveIt
2008-08-03 21:12 . 2008-08-03 21:12 127 --a------ C:\Documents and Settings\Pavel Likhonin\fix.reg
2008-08-03 21:10 . 2008-08-03 21:11 <DIR> d-------- C:\Program Files\ERUNT
2008-08-03 12:05 . 2008-08-03 12:05 0 --a------ C:\WINDOWS\iPlayer.INI
2008-08-03 00:14 . 2008-08-03 00:14 <DIR> d-------- C:\Deckard
2008-08-03 00:11 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-03 00:10 . 2008-08-03 00:10 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-01 16:57 . 2008-08-01 16:57 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-08-01 16:57 . 2008-08-01 16:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-08-01 12:02 . 2008-08-01 12:02 0 --a------ C:\WINDOWS\VAIOUpdt.INI
2008-07-31 22:59 . 2008-07-31 22:59 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-31 22:59 . 2008-07-31 22:59 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-07-31 22:59 . 2008-07-31 22:59 <DIR> d-------- C:\Documents and Settings\Pavel Likhonin\Application Data\Malwarebytes
2008-07-31 22:59 . 2008-07-31 22:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-31 22:59 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-31 22:59 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-30 23:01 . 2008-07-30 23:01 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-30 23:01 . 2008-07-30 23:01 <DIR> d-------- C:\Documents and Settings\Pavel Likhonin\Application Data\Lavasoft
2008-07-30 22:56 . 2008-07-30 22:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-27 11:42 . 2008-05-09 17:09 91,520 --a------ C:\WINDOWS\system32\drivers\SysPlant.sys
2008-07-27 11:41 . 2008-07-27 11:42 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-07-27 11:41 . 2008-07-27 11:42 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-07-27 11:41 . 2008-07-27 11:42 10,563 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-07-27 11:41 . 2008-07-27 11:42 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-07-26 08:52 . 2008-07-26 08:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-07-19 21:50 . 2008-07-19 21:50 0 --a------ C:\WINDOWS\PanelExe.INI
2008-07-19 21:47 . 2008-07-19 21:47 <DIR> d-------- C:\WINDOWS\Application Data
2008-07-19 21:47 . 2005-08-18 11:44 49,867 --a------ C:\WINDOWS\system32\drivers\mardp2k.sys
2008-07-19 21:47 . 2005-08-18 11:44 49,484 --a------ C:\WINDOWS\system32\drivers\MARDPNP.SYS
2008-07-19 21:47 . 2007-02-02 16:57 49,377 --a------ C:\WINDOWS\system32\drivers\mamotou.sys
2008-07-19 21:47 . 2007-01-16 11:46 25,302 --a------ C:\WINDOWS\system32\drivers\MaVctrl.sys
2008-07-19 21:47 . 2007-01-16 11:44 11,986 --a------ C:\WINDOWS\system32\drivers\MaVc2K.sys
2008-07-19 21:45 . 2008-07-19 21:45 0 --a------ C:\WINDOWS\PhoneBkExe.INI
2008-07-15 17:14 . 2008-07-07 21:07 152,368 --a------ C:\WINDOWS\system32\WIN2PDFS.DLL
2008-07-15 17:14 . 2008-07-07 21:07 22,832 --a------ C:\WINDOWS\system32\WIN2PDFM.DLL
2008-07-15 17:14 . 2008-07-15 17:37 1,001 --a------ C:\WINDOWS\1way.ini
2008-07-15 14:33 . 2008-07-15 17:00 <DIR> d-------- C:\Documents and Settings\Pavel Likhonin\Application Data\U3
2008-07-14 19:09 . 2008-07-14 19:09 0 --a------ C:\Documents and Settings\Pavel Likhonin\jagex_runescape_preferences.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-11 23:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-04 03:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-04 03:13 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-03 04:11 --------- d-----w C:\Program Files\Java
2008-08-03 03:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-08-01 16:58 --------- d-----w C:\Documents and Settings\Pavel Likhonin\Application Data\Sony Corporation
2008-08-01 16:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-01 16:02 --------- d-----w C:\Program Files\Sony
2008-08-01 16:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Corporation
2008-07-30 21:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-30 21:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-30 21:28 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-07-27 15:44 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-27 15:42 --------- d-----w C:\Program Files\Symantec
2008-07-20 01:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-07-11 21:20 --------- d-----w C:\Program Files\AIM6
2008-07-11 21:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-07-11 21:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-06-24 20:06 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 17:38 --------- d-----w C:\Program Files\Starcraft
2008-06-13 15:59 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-07 19:50 94,208 ----a-w C:\WINDOWS\ScUnin.exe
2008-06-06 18:54 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-10-28 19:11 48,000 ----a-w C:\Documents and Settings\Pavel Likhonin\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 09:08 136136]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-06-24 16:06 1840424]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-01 01:25 115560]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2008-06-19 09:53 570664]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-06-08 09:31 2221352]

C:\Documents and Settings\Pavel Likhonin\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-08-11 19:09 73728 C:\WINDOWS\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Pavel Likhonin^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Pavel Likhonin\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a--c--- 2003-11-07 17:21 114688 C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]
--a--c--- 2005-04-29 13:56 45056 C:\Program Files\Realtek\InstallShield\AzMixerSel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 20:12 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-08-05 10:56 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-08-05 10:56 114688 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-08-05 10:57 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISBMgr.exe]
--a------ 2004-02-20 14:12 32768 C:\Program Files\Sony\ISB Utility\ISBMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 17:43 69632 C:\WINDOWS\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2005-06-29 12:25 14720000 C:\WINDOWS\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\InterVideo\\DVD6\\WinDVD.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Starcraft\\StarCraft.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 2009\\English\\setup.exe"=
"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20142:TCP"= 20142:TCP:BitComet 20142 TCP
"20142:UDP"= 20142:UDP:BitComet 20142 UDP
"12996:TCP"= 12996:TCP:BitComet 12996 TCP
"12996:UDP"= 12996:UDP:BitComet 12996 UDP
"15166:TCP"= 15166:TCP:BitComet 15166 TCP
"15166:UDP"= 15166:UDP:BitComet 15166 UDP

R0 a348bus;a348bus;C:\WINDOWS\system32\DRIVERS\a348bus.sys [2004-04-30 10:37]
R0 a348scsi;a348scsi;C:\WINDOWS\system32\Drivers\a348scsi.sys [2004-04-30 10:33]
S2 CiscoVpnInstallService;Cisco Systems, Inc. Installer service;C:\DOCUME~1\PAVELL~1\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE []
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 17:42]
.
Contents of the 'Scheduled Tasks' folder

2008-07-21 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2008-08-12 C:\WINDOWS\Tasks\User_Feed_Synchronization-{99B96753-DC22-43F7-9274-5E13FE62E05B}.job
- C:\WINDOWS\system32\msfeedssync.exe [2006-10-17 11:58]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKLM-Run-c8907458 - C:\WINDOWS\system32\ugjyfjib.dll
Notify-NavLogon - (no file)
MSConfigStartUp-DAEMON Tools - C:\Program Files\DAEMON Tools\daemon.exe
MSConfigStartUp-SunJavaUpdateSched - C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Pavel Likhonin\Application Data\Mozilla\Firefox\Profiles\djzfunxj.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-11 22:12:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-08-11 22:17:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-12 02:17:26

Pre-Run: 60,073,353,216 bytes free
Post-Run: 60,051,640,320 bytes free

256 --- E O F --- 2008-07-12 13:13:47
  • 0

#20
Matt T
  • Member
  • 674 posts
Hello

Please post a new HijackThis log and tell me how your PC is running.


Also do this


  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

    • C:\WINDOWS\system32\msxml3a.dll
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

  • 0

#21
pashka
  • Topic Starter
  • Member
  • 15 posts
http://virscan.org/r...57e919fab1.html with no malware found.

My computer runs the same. I'm still getting the same error as before, and that file (O4 - HKLM\..\Run: [c8907458] rundll32.exe "C:\WINDOWS\system32\ugjyfjib.dll",b) keeps appearing after I check it and click fix selected. Is there anything else we can do? And I'm still having the problem of shutting down/restarting... I have to manually press the power button for it to turn off, or else it just sits there frozen trying to turn off by itself for hours, not doing anything.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:51, on 2008-08-12
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [c8907458] rundll32.exe "C:\WINDOWS\system32\ugjyfjib.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebo...toUploader5.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....aceUploader.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1175795516296
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Autodesk Network Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Cisco Systems, Inc. Installer service (CiscoVpnInstallService) - Unknown owner - C:\DOCUME~1\PAVELL~1\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe

--
End of file - 9364 bytes
  • 0

#22
Matt T
  • Member
  • 674 posts
Hi,

1) ComboFix Deletions
  • Please open Notepad (Click Start then Run; type Notepad into the box and press enter)
  • Copy and Paste the content of the box below into the Notepad window:

    File::
    C:\WINDOWS\system32\ugjyfjib.dll

    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "c8907458"=-

  • Save the above as CFScript.txt
  • Drag CFScript.txt into ComboFix.exe as shown in the animation below. This will start ComboFix again.

    Posted Image

  • After a reboot (if you're asked to reboot), please save the log Combofix.txt you're provided with.
In Your Next Post:
  • Combofix.txt from ComboFix
  • A fresh Hijack This log
Regards,
Matt
  • 0
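The fix in #22 deletes both the DLL and the Run value that loads it, because #21 reported that removing the O4 entry with HijackThis alone did not stick. The following Python script is an added example (not part of this thread, and not code from ComboFix or HijackThis): it parses O4 autorun lines in the format of the HijackThis log posted in #21, flags entries whose value name looks like a random hex string or whose command uses rundll32 to load a random-looking eight-letter DLL from system32 (the shape of the c8907458 / ugjyfjib.dll entry), and drafts the same File:: / Registry:: CFScript text that was given above. The heuristics, function names and regular expressions are assumptions of this example; the three sample lines are copied from the posted log.

```python
"""Flag suspicious HijackThis O4 (autorun) entries and draft a ComboFix
CFScript for them.  Added example for the thread; the detection heuristics
are assumptions of this example, not HijackThis or ComboFix behaviour."""
import re

# Sample input: three O4 lines copied from the HijackThis log posted in #21.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [c8907458] rundll32.exe "C:\\WINDOWS\\system32\\ugjyfjib.dll",b
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""

# O4 - <hive>\..\Run: [<value name>] <command line>
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
# rundll32[.exe] "<path>.dll",<export>  -> capture the DLL path
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)
HEXNAME_RE = re.compile(r'^[0-9a-f]{8}$', re.IGNORECASE)   # e.g. c8907458
RANDOM_DLL_RE = re.compile(r'^[a-z]{8}\.dll$')             # e.g. ugjyfjib.dll

# Full registry keys behind the abbreviated hive names (as written in the CFScript in #22).
RUN_KEYS = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}


def parse_o4(line):
    """Return {'hive', 'name', 'cmd', 'dll'} for an O4 Run line, or None otherwise."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = {"hive": m.group("hive"), "name": m.group("name"), "cmd": m.group("cmd"), "dll": None}
    r = RUNDLL_RE.match(entry["cmd"])
    if r:
        entry["dll"] = r.group("dll")
    return entry


def suspicion_reasons(entry):
    """Heuristic reasons (assumed here) why an autorun entry deserves a closer look."""
    reasons = []
    if HEXNAME_RE.match(entry["name"]):
        reasons.append("value name looks like a random hex string")
    dll = entry["dll"]
    if dll:
        base = dll.rsplit("\\", 1)[-1].lower()
        in_system32 = "\\system32\\" in dll.lower()
        if in_system32 and RANDOM_DLL_RE.match(base):
            reasons.append("rundll32 loads an 8-letter random-looking DLL from system32")
    return reasons


def draft_cfscript(entries):
    """Draft File:: / Registry:: sections in the CFScript format used in #22."""
    lines = []
    files = [e["dll"] for e in entries if e["dll"]]
    if files:
        lines.append("File::")
        lines.extend(files)
        lines.append("")
    lines.append("Registry::")
    by_key = {}
    for e in entries:
        by_key.setdefault(RUN_KEYS[e["hive"]], []).append(e["name"])
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=-' for name in names)   # "=-" deletes the value
    return "\n".join(lines) + "\n"


def analyze(log_text):
    """Return (flagged entries, CFScript text); the script is empty when nothing is flagged."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = suspicion_reasons(entry)
        if reasons:
            entry["reasons"] = reasons
            flagged.append(entry)
    return flagged, (draft_cfscript(flagged) if flagged else "")


if __name__ == "__main__":
    found, script = analyze(SAMPLE_LOG)
    for e in found:
        print(f"[{e['hive']}] {e['name']}: {'; '.join(e['reasons'])}")
    print(script)
```

Run on the sample, it flags only the c8907458 entry (both heuristics fire) and emits the same six-line script as #22; the two legitimate Symantec and ctfmon lines are left alone. A name-pattern heuristic like this is only a triage aid: the thread's own next step, uploading the file to an online scanner, is what confirmed the DLL was the problem.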

#23
pashka
  • Topic Starter
  • Member
  • 15 posts
Once ComboFix was done, it continued to an automatic restart. The computer froze up just as usual. I come back an hour later and manually shut it down. Then I turn it back on, and when it turns on nothing loads. It was an empty screen with my background. I had to Ctrl+Alt+Delete to get the Task Manager and start a new task, explorer, to load everything. Once it loaded, the error came back up. I checked for a ComboFix text file and it was just the old one that I had from 8/8/08.

#24 pashka (Topic Starter, 15 posts)
I just ran it again and I got this:

ComboFix 08-08-12.01 - Pavel Likhonin 2008-08-13 17:49:18.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.519 [GMT -4:00]
Running from: C:\Documents and Settings\Pavel Likhonin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Pavel Likhonin\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\ugjyfjib.dll
.

((((((((((((((((((((((((( Files Created from 2008-07-13 to 2008-08-13 )))))))))))))))))))))))))))))))
.

2008-08-13 17:24 . 2008-08-13 17:24 <DIR> d-------- C:\WINDOWS\LastGood
2008-08-13 16:27 . 2008-08-13 16:35 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-08-13 16:00 . 2008-05-01 10:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-13 15:59 . 2008-04-11 15:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-08 18:47 . 2008-08-08 18:47 <DIR> d-------- C:\Program Files\Nero
2008-08-08 18:13 . 2008-06-24 13:45 1,414,440 --a------ C:\WINDOWS\system32\ShellManager310E2D762.dll
2008-08-08 18:13 . 2008-06-23 17:36 773,120 --a------ C:\WINDOWS\system32\NEROINSTAEC43759.DB
2008-08-08 18:12 . 2008-08-08 18:12 0 --a------ C:\WINDOWS\Irremote.ini
2008-08-08 18:00 . 2008-08-08 18:00 <DIR> d-------- C:\Documents and Settings\Pavel Likhonin\Application Data\Nero
2008-08-08 17:55 . 2008-08-08 18:47 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-08-08 17:55 . 2008-08-08 18:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-08-08 16:58 . 2008-08-08 17:39 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-08-08 16:58 . 2008-08-08 17:39 <DIR> d-------- C:\Program Files\AVS4YOU
2008-08-08 16:58 . 2008-08-08 16:58 <DIR> d-------- C:\Documents and Settings\Pavel Likhonin\Application Data\AVS4YOU
2008-08-08 16:58 . 2008-08-08 16:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-08-08 16:58 . 2006-03-03 10:02 658,432 --a------ C:\WINDOWS\system32\cc3270mt.dll
2008-08-08 16:58 . 2002-01-05 15:40 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2008-08-08 16:58 . 2003-05-21 13:50 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-08-04 19:37 . 2008-08-04 19:37 <DIR> d-------- C:\_OTMoveIt
2008-08-03 21:12 . 2008-08-03 21:12 127 --a------ C:\Documents and Settings\Pavel Likhonin\fix.reg
2008-08-03 21:10 . 2008-08-03 21:11 <DIR> d-------- C:\Program Files\ERUNT
2008-08-03 12:05 . 2008-08-03 12:05 0 --a------ C:\WINDOWS\iPlayer.INI
2008-08-03 00:14 . 2008-08-03 00:14 <DIR> d-------- C:\Deckard
2008-08-03 00:11 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-03 00:10 . 2008-08-03 00:10 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-01 16:57 . 2008-08-01 16:57 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-08-01 16:57 . 2008-08-01 16:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-08-01 12:02 . 2008-08-01 12:02 0 --a------ C:\WINDOWS\VAIOUpdt.INI
2008-07-31 22:59 . 2008-07-31 22:59 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-31 22:59 . 2008-07-31 22:59 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-07-31 22:59 . 2008-07-31 22:59 <DIR> d-------- C:\Documents and Settings\Pavel Likhonin\Application Data\Malwarebytes
2008-07-31 22:59 . 2008-07-31 22:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-31 22:59 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-31 22:59 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-30 23:01 . 2008-07-30 23:01 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-30 23:01 . 2008-07-30 23:01 <DIR> d-------- C:\Documents and Settings\Pavel Likhonin\Application Data\Lavasoft
2008-07-30 22:56 . 2008-07-30 22:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-27 11:42 . 2008-05-09 17:09 91,520 --a------ C:\WINDOWS\system32\drivers\SysPlant.sys
2008-07-27 11:41 . 2008-07-27 11:42 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-07-27 11:41 . 2008-07-27 11:42 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-07-27 11:41 . 2008-07-27 11:42 10,563 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-07-27 11:41 . 2008-07-27 11:42 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-07-26 08:52 . 2008-07-26 08:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-07-19 21:50 . 2008-07-19 21:50 0 --a------ C:\WINDOWS\PanelExe.INI
2008-07-19 21:47 . 2008-07-19 21:47 <DIR> d-------- C:\WINDOWS\Application Data
2008-07-19 21:47 . 2005-08-18 11:44 49,867 --a------ C:\WINDOWS\system32\drivers\mardp2k.sys
2008-07-19 21:47 . 2005-08-18 11:44 49,484 --a------ C:\WINDOWS\system32\drivers\MARDPNP.SYS
2008-07-19 21:47 . 2007-02-02 16:57 49,377 --a------ C:\WINDOWS\system32\drivers\mamotou.sys
2008-07-19 21:47 . 2007-01-16 11:46 25,302 --a------ C:\WINDOWS\system32\drivers\MaVctrl.sys
2008-07-19 21:47 . 2007-01-16 11:44 11,986 --a------ C:\WINDOWS\system32\drivers\MaVc2K.sys
2008-07-19 21:45 . 2008-07-19 21:45 0 --a------ C:\WINDOWS\PhoneBkExe.INI
2008-07-15 17:14 . 2008-07-07 21:07 152,368 --a------ C:\WINDOWS\system32\WIN2PDFS.DLL
2008-07-15 17:14 . 2008-07-07 21:07 22,832 --a------ C:\WINDOWS\system32\WIN2PDFM.DLL
2008-07-15 17:14 . 2008-07-15 17:37 1,001 --a------ C:\WINDOWS\1way.ini
2008-07-15 14:33 . 2008-07-15 17:00 <DIR> d-------- C:\Documents and Settings\Pavel Likhonin\Application Data\U3
2008-07-14 19:09 . 2008-07-14 19:09 0 --a------ C:\Documents and Settings\Pavel Likhonin\jagex_runescape_preferences.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-11 23:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-04 03:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-04 03:13 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-03 04:11 --------- d-----w C:\Program Files\Java
2008-08-03 03:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-08-01 16:58 --------- d-----w C:\Documents and Settings\Pavel Likhonin\Application Data\Sony Corporation
2008-08-01 16:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-01 16:02 --------- d-----w C:\Program Files\Sony
2008-08-01 16:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Corporation
2008-07-30 21:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-30 21:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-30 21:28 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-07-27 15:44 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-27 15:42 --------- d-----w C:\Program Files\Symantec
2008-07-20 01:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-07-11 21:20 --------- d-----w C:\Program Files\AIM6
2008-07-11 21:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-07-11 21:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 20:06 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 17:38 --------- d-----w C:\Program Files\Starcraft
2008-06-13 15:59 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-07 19:50 94,208 ----a-w C:\WINDOWS\ScUnin.exe
2008-06-06 18:54 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2008-06-06 18:54 95,600 ----a-w C:\WINDOWS\system32\NeroCo.dll
2007-10-28 19:11 48,000 ----a-w C:\Documents and Settings\Pavel Likhonin\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 09:08 136136]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-06-24 16:06 1840424]
"Aim6"="" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-01 01:25 115560]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2008-06-19 09:53 570664]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-06-08 09:31 2221352]

C:\Documents and Settings\Pavel Likhonin\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NavLogon]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-08-11 19:09 73728 C:\WINDOWS\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Pavel Likhonin^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Pavel Likhonin\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a--c--- 2003-11-07 17:21 114688 C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]
--a--c--- 2005-04-29 13:56 45056 C:\Program Files\Realtek\InstallShield\AzMixerSel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 20:12 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
C:\Program Files\DAEMON Tools\daemon.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-08-05 10:56 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-08-05 10:56 114688 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-08-05 10:57 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISBMgr.exe]
--a------ 2004-02-20 14:12 32768 C:\Program Files\Sony\ISB Utility\ISBMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 17:43 69632 C:\WINDOWS\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2005-06-29 12:25 14720000 C:\WINDOWS\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\InterVideo\\DVD6\\WinDVD.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Starcraft\\StarCraft.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 2009\\English\\setup.exe"=
"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20142:TCP"= 20142:TCP:BitComet 20142 TCP
"20142:UDP"= 20142:UDP:BitComet 20142 UDP
"12996:TCP"= 12996:TCP:BitComet 12996 TCP
"12996:UDP"= 12996:UDP:BitComet 12996 UDP
"15166:TCP"= 15166:TCP:BitComet 15166 TCP
"15166:UDP"= 15166:UDP:BitComet 15166 UDP

R0 a348bus;a348bus;C:\WINDOWS\system32\DRIVERS\a348bus.sys [2004-04-30 10:37]
R0 a348scsi;a348scsi;C:\WINDOWS\system32\Drivers\a348scsi.sys [2004-04-30 10:33]
S2 CiscoVpnInstallService;Cisco Systems, Inc. Installer service;C:\DOCUME~1\PAVELL~1\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE []
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 17:42]
.
Contents of the 'Scheduled Tasks' folder

2008-07-21 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2008-08-13 C:\WINDOWS\Tasks\User_Feed_Synchronization-{99B96753-DC22-43F7-9274-5E13FE62E05B}.job
- C:\WINDOWS\system32\msfeedssync.exe [2006-10-17 11:58]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-13 17:52:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-13 17:53:27
ComboFix-quarantined-files.txt 2008-08-13 21:53:16
ComboFix2.txt 2008-08-13 20:35:26
ComboFix3.txt 2008-08-12 02:17:32

Pre-Run: 59,735,674,880 bytes free
Post-Run: 59,714,809,856 bytes free

228 --- E O F --- 2008-07-12 13:13:47




Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:55, on 2008-08-13
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebo...toUploader5.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....aceUploader.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1175795516296
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Autodesk Network Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Cisco Systems, Inc. Installer service (CiscoVpnInstallService) - Unknown owner - C:\DOCUME~1\PAVELL~1\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe

--
End of file - 9193 bytes
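Post #22 shows the CFScript syntax (a File:: section of paths to delete, a Registry:: section with `"name"=-` to remove a value) and post #24 shows the kind of log a helper reads before writing one. The block below is an added example, not code from this thread, from HijackThis or from ComboFix: it runs a few heuristics over HijackThis/ComboFix lines (random-looking Run names loaded by rundll32, services that are missing or live under a Temp folder, ActiveX DPF entries with no name and no URL, the `EnableFirewall`/`DisableMonitoring` settings and globally open ports that appear in the log above) and renders the flagged Run entry as a CFScript. The `looks_random` thresholds are assumptions, not any tool's rule, and every hit is something to review rather than a verdict. The sample lines are constructed: most are copied from the logs on this page, and the first O4 line is a reconstruction of the Vundo autostart that post #22 removes, since the page shows only the file and value name, not the original line.

```python
"""Triage helper for HijackThis / ComboFix logs.

Added example for this thread; it is not part of HijackThis, ComboFix or
the original posts. It applies simple heuristics to log lines and, for Run
entries with random-looking names, emits a CFScript in the File::/Registry::
syntax that post #22 uses. Every flag means "look at this", not "malware".
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# HijackThis abbreviations -> full key paths, as CFScript expects them
RUN_KEYS = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? -\s*(.*)$")
MODULE_RE = re.compile(r'([A-Za-z]:\\[^",]+?\.(?:dll|exe))', re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reason: str
    file_path: str = ""   # listed under File:: when set
    reg_key: str = ""     # listed under Registry:: when set, with reg_value
    reg_value: str = ""   # removed with the "name"=- syntax


def looks_random(token: str) -> bool:
    """Assumed heuristic for Vundo-style names such as c8907458 or ugjyfjib:
    eight lowercase alphanumerics that are digit-heavy, or vowel-poor with a
    long run of non-vowels. Short legitimate names (ctfmon, igfxpers) pass."""
    if not re.fullmatch(r"[a-z0-9]{8}", token):
        return False
    digits = sum(c.isdigit() for c in token)
    vowels = sum(c in "aeiou" for c in token)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", token)), default=0)
    return digits >= 4 or (vowels <= 2 and longest_run >= 5)


def triage(log_text: str) -> List[Finding]:
    """Scan HijackThis/ComboFix lines for the indicators worth a second look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            hive, name, command = m.groups()
            mod = MODULE_RE.search(command)
            module = mod.group(1) if mod else ""
            base = module.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
            via_rundll32 = "rundll32" in command.lower()
            if looks_random(name) or (via_rundll32 and looks_random(base)):
                findings.append(Finding(line, "random-looking autostart name (Vundo pattern)",
                                        file_path=module, reg_key=RUN_KEYS[hive], reg_value=name))
            continue
        m = O23_RE.match(line)
        if m:
            path = m.group(3)
            if "(file missing)" in path or "\\temp\\" in path.lower():
                findings.append(Finding(line, "service binary missing or located under a Temp folder"))
            continue
        m = O16_RE.match(line)
        if m:
            if not m.group(3):
                findings.append(Finding(line, "ActiveX (DPF) entry with no name and no source URL"))
            continue
        if re.search(r'"EnableFirewall"\s*=\s*0\b', line):
            findings.append(Finding(line, "Windows Firewall disabled for the standard profile"))
        elif re.search(r'"DisableMonitoring"\s*=\s*dword:0*1$', line):
            findings.append(Finding(line, "Security Center no longer monitors the antivirus"))
        elif re.match(r'^"\d+:(TCP|UDP)"\s*=', line):
            findings.append(Finding(line, "port opened in the firewall for all sources"))
    return findings


def build_cfscript(findings: List[Finding]) -> str:
    """Render File:: and Registry:: sections in the CFScript syntax from post #22.
    Only findings that carry a path or a key/value pair are included."""
    files = [f.file_path for f in findings if f.file_path]
    by_key: Dict[str, List[str]] = {}
    for f in findings:
        if f.reg_key and f.reg_value:
            by_key.setdefault(f.reg_key, []).append(f.reg_value)
    lines: List[str] = []
    if files:
        lines += ["File::", *files, ""]
    if by_key:
        lines.append("Registry::")
        for key, values in by_key.items():
            lines.append(f"[{key}]")
            lines += [f'"{v}"=-' for v in values]
    return "\n".join(lines).rstrip() + "\n" if lines else ""


# Constructed sample: lines copied from this thread's logs plus a reconstructed
# first O4 line for the Vundo entry that post #22 removes.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [c8907458] rundll32.exe "C:\WINDOWS\system32\ugjyfjib.dll",b
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1175795516296
O23 - Service: Cisco Systems, Inc. Installer service (CiscoVpnInstallService) - Unknown owner - C:\DOCUME~1\PAVELL~1\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"EnableFirewall"= 0 (0x0)
"DisableMonitoring"=dword:00000001
"20142:TCP"= 20142:TCP:BitComet 20142 TCP
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.reason}] {f.line}")
    print("\n--- CFScript ---\n" + build_cfscript(found), end="")
```

Run on the sample, the script it prints is exactly the one posted in #22; the other findings (the firewall turned off, Security Center not monitoring the antivirus, the BitComet ports, the installer service pointing into a Temp folder) are configuration points to review by hand rather than CFScript deletions, which is why `build_cfscript` ignores them.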

#25 pashka (Topic Starter, 15 posts)
My computer is running the slowest it has ever run. Anything else we can do to get rid of this infection?


#26 Matt T (Member, 674 posts)
Congratulations, your log shows that your system is clean! It doesn't look like the reboot and slowness issues you are having are malware related. The Windows XP forum should be able to help you out with those.

Just a couple of last things to do.

1) Uninstall ComboFix
  • Click Start then Run
  • Type Combofix /u in the box and click OK
    Note the space between the X and the /u; it needs to be there.

2) Enable Tea Timer
You can now enable Tea Timer.

3) Uninstall the Tools We Used
  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the cleanup of malware will be downloaded.
  • Please allow OTMoveIt to access the internet if your firewall or other real time protection attempts to block it.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You might be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
4) Update Adobe Reader
Click here and update your version of Adobe Reader.

5) Preventing Re-infection

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

Good luck, safe surfing and have a great day :)

Regards,
Matt

#27 Rorschach112 (Retired Staff, 47,710 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.