Hi thanks for your reply!
Here are the logs that you requested. My system seems to be behaving now, but I keep getting a message at startup: 'The Specified module could not be found c/-windows/system32/hccmslwu.dll'. I think this was one of the files that VundoFix deleted.
Here's the VundoFix log:
VundoFix V5.1.4
Checking Java version...
Java version is 1.4.2.3
Java version is 1.4.2.4
Java version is 1.5.0.6
Java version is 1.5.0.9
Scan started at 3:30:37 PM 15/08/2008
Listing files found while scanning....
No infected files were found.
VundoFix V5.1.4
Checking Java version...
Java version is 1.4.2.3
Java version is 1.4.2.4
Java version is 1.5.0.6
Java version is 1.5.0.9
Scan started at 11:36:08 PM 16/08/2008
Listing files found while scanning....
No infected files were found.
VundoFix V7.0.6
Scan started at 8:05:17 PM 19/08/2008
Listing files found while scanning....
C:\Windows\SYSTEM32\celpgaoo.dll
C:\Windows\SYSTEM32\cuyaxv.dll
C:\Windows\SYSTEM32\djattpxy.dll
C:\Windows\SYSTEM32\elyyjrxa.dll
C:\Windows\SYSTEM32\eotoammy.dll
C:\Windows\SYSTEM32\evrbrkku.dll
C:\Windows\SYSTEM32\ezwjgp.dll
C:\Windows\SYSTEM32\guuvsktj.ini
C:\Windows\SYSTEM32\hbmsfrlr.dll
C:\Windows\SYSTEM32\hccmslwu.dll
C:\Windows\SYSTEM32\hwffmewm.dll
C:\Windows\SYSTEM32\jhfbkx.dll
C:\Windows\SYSTEM32\jtksvuug.dll
C:\Windows\SYSTEM32\ljzses.dll
C:\Windows\SYSTEM32\nbcvkdjk.dll
C:\Windows\SYSTEM32\ovsuhdly.dll
C:\Windows\SYSTEM32\qenienfh.dll
C:\Windows\SYSTEM32\qksuolde.dll
C:\Windows\SYSTEM32\qogrfgkc.dll
C:\Windows\SYSTEM32\qsgdrlsf.dll
C:\Windows\SYSTEM32\qvlewwiy.dll
C:\Windows\SYSTEM32\rleemfaw.dll
Beginning removal...
Attempting to delete C:\Windows\SYSTEM32\celpgaoo.dll
C:\Windows\SYSTEM32\celpgaoo.dll Has been deleted!
Attempting to delete C:\Windows\SYSTEM32\cuyaxv.dll
C:\Windows\SYSTEM32\cuyaxv.dll Has been deleted!
Attempting to delete C:\Windows\SYSTEM32\djattpxy.dll
C:\Windows\SYSTEM32\djattpxy.dll Has been deleted!
Attempting to delete C:\Windows\SYSTEM32\elyyjrxa.dll
C:\Windows\SYSTEM32\elyyjrxa.dll Has been deleted!
Attempting to delete C:\Windows\SYSTEM32\eotoammy.dll
C:\Windows\SYSTEM32\eotoammy.dll Has been deleted!
Attempting to delete C:\Windows\SYSTEM32\evrbrkku.dll
C:\Windows\SYSTEM32\evrbrkku.dll Has been deleted!
Attempting to delete C:\Windows\SYSTEM32\ezwjgp.dll
C:\Windows\SYSTEM32\ezwjgp.dll Could not be deleted.
Attempting to delete C:\Windows\SYSTEM32\guuvsktj.ini
C:\Windows\SYSTEM32\guuvsktj.ini Has been deleted!
Attempting to delete C:\Windows\SYSTEM32\hbmsfrlr.dll
C:\Windows\SYSTEM32\hbmsfrlr.dll Has been deleted!
Attempting to delete C:\Windows\SYSTEM32\hccmslwu.dll
C:\Windows\SYSTEM32\hccmslwu.dll Could not be deleted.
Attempting to delete C:\Windows\SYSTEM32\hwffmewm.dll
C:\Windows\SYSTEM32\hwffmewm.dll Has been deleted!
Attempting to delete C:\Windows\SYSTEM32\jhfbkx.dll
C:\Windows\SYSTEM32\jhfbkx.dll Has been deleted!
Attempting to delete C:\Windows\SYSTEM32\jtksvuug.dll
C:\Windows\SYSTEM32\jtksvuug.dll Has been deleted!
Attempting to delete C:\Windows\SYSTEM32\ljzses.dll
C:\Windows\SYSTEM32\ljzses.dll Has been deleted!
Attempting to delete C:\Windows\SYSTEM32\nbcvkdjk.dll
C:\Windows\SYSTEM32\nbcvkdjk.dll Has been deleted!
Attempting to delete C:\Windows\SYSTEM32\ovsuhdly.dll
C:\Windows\SYSTEM32\ovsuhdly.dll Has been deleted!
Attempting to delete C:\Windows\SYSTEM32\qenienfh.dll
C:\Windows\SYSTEM32\qenienfh.dll Has been deleted!
Attempting to delete C:\Windows\SYSTEM32\qksuolde.dll
C:\Windows\SYSTEM32\qksuolde.dll Has been deleted!
Attempting to delete C:\Windows\SYSTEM32\qogrfgkc.dll
C:\Windows\SYSTEM32\qogrfgkc.dll Has been deleted!
Attempting to delete C:\Windows\SYSTEM32\qsgdrlsf.dll
C:\Windows\SYSTEM32\qsgdrlsf.dll Has been deleted!
Attempting to delete C:\Windows\SYSTEM32\qvlewwiy.dll
C:\Windows\SYSTEM32\qvlewwiy.dll Has been deleted!
Attempting to delete C:\Windows\SYSTEM32\rleemfaw.dll
C:\Windows\SYSTEM32\rleemfaw.dll Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\Windows\SYSTEM32\ezwjgp.dll
C:\Windows\SYSTEM32\ezwjgp.dll Could not be deleted.
Attempting to delete C:\Windows\SYSTEM32\hccmslwu.dll
C:\Windows\SYSTEM32\hccmslwu.dll Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
ComboFix log:
ComboFix 08-08-18.04 - Brendan 2008-08-19 21:04:38.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.551 [GMT 10:00]
Running from: C:\Documents and Settings\Brendan\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Brendan\Application Data\inst.exe
C:\Documents and Settings\Brendan\Application Data\macromedia\Flash Player\#SharedObjects\WD3B9K6W\interclick.com
C:\Documents and Settings\Brendan\Application Data\macromedia\Flash Player\#SharedObjects\WD3B9K6W\interclick.com\ud.sol
C:\Documents and Settings\Brendan\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Brendan\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Brendan\UserData
C:\Documents and Settings\Brendan\UserData\8N05EFBT\oWindowsUpdate[1].xml
C:\Documents and Settings\Brendan\UserData\8N05EFBT\showHideState[2].xml
C:\Documents and Settings\Brendan\UserData\8N05EFBT\showHideState[3].xml
C:\Documents and Settings\Brendan\UserData\8N05EFBT\YL[1].xml
C:\Documents and Settings\Brendan\UserData\ED9GBILO\BlogIt[1].xml
C:\Documents and Settings\Brendan\UserData\ED9GBILO\iconState[1].xml
C:\Documents and Settings\Brendan\UserData\ED9GBILO\oWindowsUpdate[1].xml
C:\Documents and Settings\Brendan\UserData\ER0QYG32\iconState[2].xml
C:\Documents and Settings\Brendan\UserData\ER0QYG32\oWindowsUpdate[1].xml
C:\Documents and Settings\Brendan\UserData\ER0QYG32\showHideState[1].xml
C:\Documents and Settings\Brendan\UserData\ER0QYG32\showHideState[2].xml
C:\Documents and Settings\Brendan\UserData\index.dat
C:\Documents and Settings\Brendan\UserData\J7SSCNCS\BlogIt[1].xml
C:\Documents and Settings\Brendan\UserData\J7SSCNCS\iconState[1].xml
C:\Documents and Settings\Brendan\UserData\J7SSCNCS\iconState[2].xml
C:\Documents and Settings\Brendan\UserData\J7SSCNCS\IsOnIE6tbPromo[1].xml
C:\WINDOWS\BMe37b4b88.txt
C:\WINDOWS\BMe37b4b88.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\ezwjgp.dll
C:\WINDOWS\system32\fslrdgsq.ini
C:\WINDOWS\system32\fxlvshnr.ini
C:\WINDOWS\SYSTEM32\hxcsmnoy.ini
C:\WINDOWS\system32\jrkmudws.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\SYSTEM32\mpAGOUtv.ini
C:\WINDOWS\SYSTEM32\mpAGOUtv.ini2
C:\WINDOWS\system32\pwokwaby.exe
C:\WINDOWS\system32\qoxlcrsi.exe
C:\WINDOWS\system32\qqsrldew.ini
C:\WINDOWS\SYSTEM32\rrutv.bak1
C:\WINDOWS\SYSTEM32\rrutv.bak2
C:\WINDOWS\SYSTEM32\rrutv.ini
C:\WINDOWS\SYSTEM32\rrutv.ini2
C:\WINDOWS\SYSTEM32\rrutv.tmp
C:\WINDOWS\SYSTEM32\ttutv.bak1
C:\WINDOWS\SYSTEM32\ttutv.tmp
C:\WINDOWS\system32\turaiqnn.dll
C:\WINDOWS\system32\uadtucro.ini
C:\WINDOWS\system32\vtUOGApm.dll
C:\WINDOWS\system32\wedlrsqq.dll
C:\WINDOWS\system32\wvpriyyu.dll
C:\WINDOWS\system32\xvryyxfj.exe
C:\WINDOWS\system32\ykfzwt.dll
C:\WINDOWS\system32\yonmscxh.dll
----- BITS: Possible infected sites -----
http://195.225.176.25.
((((((((((((((((((((((((( Files Created from 2008-07-19 to 2008-08-19 )))))))))))))))))))))))))))))))
.
2008-08-19 17:15 . 2008-08-19 17:15 119,808 --a------ C:\WINDOWS\SYSTEM32\eafxigsm.dll_old
2008-08-19 17:03 . 2008-08-19 17:04 47,893 --a------ C:\WINDOWS\SYSTEM32\xhkapihs.dll
2008-08-18 17:04 . 2008-08-18 17:04 47,893 --a------ C:\WINDOWS\SYSTEM32\gjkhcklx.dll
2008-08-17 17:15 . 2008-08-17 17:15 47,893 --a------ C:\WINDOWS\SYSTEM32\kguanfcb.dll
2008-08-16 16:23 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pavboot.sys
2008-08-16 16:22 . 2002-07-17 08:20 45,056 --a------ C:\WINDOWS\SYSTEM32\wnaspi32.BAK
2008-08-16 16:22 . 2002-07-17 07:53 16,877 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aspi32.BAK
2008-08-16 16:22 . 2002-07-17 15:22 5,600 --a------ C:\WINDOWS\SYSTEM\winaspi.BAK
2008-08-16 16:22 . 2002-07-17 15:22 4,672 --a------ C:\WINDOWS\SYSTEM\wowpost.BAK
2008-08-16 16:21 . 2008-08-16 16:21 <DIR> d-------- C:\Program Files\Panda Security
2008-08-16 14:56 . 2008-08-16 14:57 50,813 --a------ C:\WINDOWS\SYSTEM32\wqqobqgg.dll
2008-08-16 09:21 . 2008-08-16 09:21 <DIR> d-------- C:\Deckard
2008-08-15 14:55 . 2008-08-15 14:55 93,184 --a------ C:\WINDOWS\SYSTEM32\hhtttton.dll_old
2008-08-15 14:55 . 2008-08-15 14:55 47,893 --a------ C:\WINDOWS\SYSTEM32\hasttple.dll
2008-08-13 15:07 . 2008-05-02 00:30 331,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll
2008-08-10 22:42 . 2008-08-10 22:42 <DIR> d-------- C:\Documents and Settings\Brendan\Application Data\Ashampoo
2008-08-10 22:34 . 2008-08-10 22:34 <DIR> d-------- C:\Program Files\Ashampoo
2008-08-10 22:34 . 2008-08-10 22:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ashampoo
2008-08-08 19:46 . 2008-08-08 19:49 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-05 22:33 . 2008-08-05 22:33 <DIR> d-------- C:\Program Files\FAT32 Format
2008-08-05 22:33 . 2008-08-05 22:33 19,572 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\FNETDEVI.SYS
2008-07-28 23:45 . 2008-08-15 21:56 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-28 23:45 . 2008-07-28 23:45 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-24 16:14 . 2008-07-24 16:14 <DIR> d-------- C:\Program Files\URUSoft
2008-07-21 19:59 . 2008-07-21 19:59 <DIR> d-------- C:\Program Files\DVD Decrypter
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-19 11:19 --------- d-----w C:\Program Files\PeerGuardian2
2008-08-19 09:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-19 09:52 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-19 00:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-08-16 13:58 --------- d-----w C:\Program Files\ewido anti-spyware 4.0
2008-08-16 13:33 --------- d-----w C:\Program Files\Roguescanfix
2008-08-16 06:04 --------- d-----w C:\Documents and Settings\Brendan\Application Data\uTorrent
2008-08-16 04:02 --------- d-----w C:\Documents and Settings\Brendan\Application Data\Vso
2008-08-15 23:40 --------- d-----w C:\Program Files\Hijack this
2008-08-15 01:24 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-08 09:49 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-08 00:21 --------- d-----w C:\Program Files\Winamp
2008-08-05 00:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-30 07:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-30 07:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-30 07:28 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-07-29 22:38 --------- d-----w C:\Program Files\Norton AntiVirus
2008-07-26 08:35 --------- d-----w C:\Documents and Settings\Brendan\Application Data\dvdcss
2008-07-23 10:32 --------- d-----w C:\Program Files\Java
2008-07-11 13:27 --------- d-----w C:\Program Files\Magic Video Studio
2008-07-11 06:10 682,232 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-07-01 13:58 --------- d-----w C:\Program Files\FrostWire
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-18 11:09 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-05-26 03:36 356,352 ----a-w C:\WINDOWS\eSellerateEngine.dll
2008-02-15 00:21 47,360 ----a-w C:\Documents and Settings\Brendan\Application Data\pcouffin.sys
2003-03-15 17:00 7,216 ----a-w C:\WINDOWS\INF\RAMDISK.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BlockAds"="C:\Program Files\Tweak-XP Pro\AdBlocker.exe" [2003-10-29 02:00 45056]
"Ccy Cookies Remover v2.0.3"="C:\Program Files\Ccy Cookies Remover v203\ccycookr.exe" [2004-05-24 18:34 413184]
"ccleaner"="C:\Program Files\CCleaner\ccleaner.exe" [2006-07-06 17:26 573440]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:56 15360]
"Gadwin PrintScreen 3.5"="C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2006-07-08 18:57 1101824]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 17:40 1421824]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-07-24 11:29 1863960]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-23 13:18 202024]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe" [2008-03-07 04:26 1694656]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"NOMAD Detector"="C:\Program Files\Creative\SBLive\PlayCenter2\CTNMRun.exe" [2002-03-05 05:15 18432]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 20:49 4662776]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Disc Detector"="C:\Program Files\Creative\ShareDLL\CtNotify.exe" [2001-12-26 04:00 191488]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2003-08-29 14:17 188416]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59 115816]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 22:22 26248]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 18:51 583048]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 11:38 49152]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-11-03 15:46 4800512]
C:\Documents and Settings\Brendan\Start Menu\Programs\Startup\
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe [2006-05-23 17:17:00 1806336]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-05-18 17:34:25 24576]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ezwjgp.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm
"wave"= DrvTrNTm.dll
"mixer"= DrvTrNTm.dll
"msacm.enc"= ITIG726.acm
"VIDC.NSVI"= nsvideo.dll
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\vtUOGApm
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS11 Preload
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
--a------ 2003-08-13 12:27 28672 C:\WINDOWS\SYSTEM32\DSentry.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
--a------ 2003-08-29 14:20 77824 C:\Program Files\Logitech\Video\LogiTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-09-20 07:51 1836328 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 13:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-23 07:00 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 20:49 4662776 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"NOMAD Detector"="C:\Program Files\Creative\SBLive\PlayCenter2\CTNMRun.exe"
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\FrostWire\\FrostWire.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Tweak-XP Pro\\AdBlocker.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\empires2.exe"=
"C:\\Program Files\\Opera\\opera.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
R0 Achernar;Achernar - SCSI Command Filters;C:\WINDOWS\system32\Drivers\Achernar.sys [2005-09-23 13:50]
R0 hotcore2;hotcore2;C:\WINDOWS\system32\drivers\hotcore2.sys [2007-02-03 05:56]
R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R0 sonypvl2;sonypvl2;C:\WINDOWS\system32\drivers\sonypvl2.sys [2003-07-25 15:02]
R1 FNETDEVI;FNETDEVI;C:\WINDOWS\system32\drivers\FNETDEVI.SYS [2008-08-05 22:33]
R1 sonypvf2;sonypvf2;C:\WINDOWS\system32\drivers\sonypvf2.sys [2004-04-08 11:04]
R1 sonypvt2;sonypvt2;C:\WINDOWS\system32\drivers\sonypvt2.sys [2003-08-20 10:44]
R2 Vqtfk;Vqtfk;C:\WINDOWS\System32\Vqtfk.sys [1999-08-11 10:49]
R3 Aldebaran;Aldebaran - SCSI Command Filters;C:\WINDOWS\system32\Drivers\Aldebaran.sys [2005-09-23 13:50]
S1 sonypvd2;sonypvd2;C:\WINDOWS\system32\DRIVERS\sonypvd2.sys [2003-06-24 10:29]
S3 PID_0920;Logitech QuickCam Express(PID_0920);C:\WINDOWS\system32\DRIVERS\LV532AV.SYS [2003-09-16 13:41]
*Newly Created Service* - PGFILTER
.
Contents of the 'Scheduled Tasks' folder
2008-08-15 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Brendan.job
- C:\PROGRA~1\NORTON~1\Navw32.exe [2006-09-07 02:38]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-BMe37b4b88 - C:\WINDOWS\system32\hccmslwu.dll
ShellExecuteHooks-{50CE3245-BDBF-47CE-ADD6-8D738AF3807E} - (no file)
Notify-WgaLogon - (no file)
MSConfigStartUp-Eraser - K:\Eraser\eraser.exe
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = www.abc.net.au
R0 -: HKLM-Main,Start Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
R1 -: HKCU-Internet Settings,ProxyOverride = 0<local>;localhost
O8 -: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 -: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 -: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O18 -: Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O16 -: {860D5AAC-D059-4C9F-93D3-3FD6FBB6872F} - hxxp://icebergradio.com/aurora/1.0.2.259/client.cab
C:\WINDOWS\Downloaded Program Files\imaurora.inf
C:\WINDOWS\System32\imaurora.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-08-19 21:17:35
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = C:\Program Files\Creative\ShareDLL\CtNotify.exe?X???????????????????E?@?Disc Detector?A????? ?A?? ????B?e!@???@???@?? C?????E?@?????????@?B???A????? ?A?P?????B???@?????P?????@???????????A~??????????@???????????????????B?????\???????????????????????????r?B
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\WINDOWS\SYSTEM32\CTsvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\SAgent4.exe
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\WINDOWS\SYSTEM32\locator.exe
.
**************************************************************************
.
Completion time: 2008-08-19 21:31:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-19 11:31:14
Pre-Run: 17,254,064,128 bytes free
Post-Run: 17,227,698,176 bytes free
279 --- E O F --- 2008-08-13 14:07:49
HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:47:12 PM, on 19/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\SAgent4.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Tweak-XP Pro\AdBlocker.exe
C:\Program Files\Ccy Cookies Remover v203\ccycookr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Creative\SBLive\PlayCenter2\CTNMRun.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Hijack this\Hijack this v2.02\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.abc.net.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityrespo...er/fix_homepage
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 0<local>;localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Program Files\Speed Video Splitter\msdxm.ocx
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [BlockAds] "C:\Program Files\Tweak-XP Pro\AdBlocker.exe"
O4 - HKCU\..\Run: [Ccy Cookies Remover v2.0.3] C:\Program Files\Ccy Cookies Remover v203\ccycookr.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program Files\Creative\SBLive\PlayCenter2\CTNMRun.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.mess.../Medialogic.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.s...abs/tgctlsr.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - http://picasaweb.goo...1/uploader2.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - http://upload.facebo...otoUploader.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.putfile.c...Uploader4-5.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://sledgeka.spac...ad/MsnPUpld.cab
O16 - DPF: {860D5AAC-D059-4C9F-93D3-3FD6FBB6872F} (AuroraCtrl Class) - http://icebergradio.....259/client.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} - http://sc.groups.msn...eUC/MsnUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} - http://sc.groups.msn...UC/MsnPUpld.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup161.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - AppInit_DLLs: ezwjgp.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EPSON V3 Service2(02) (EPSON_PM_RPCV2_02) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP2.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Epson Printer Status Agent4 (StatusAgent4) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\SAgent4.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
--
End of file - 11377 bytes
If there's anything I should be aware of, please let me know. Windows Recovery Console missing?
Thanks for your assistance.