TheTechGuide Forum
General Category => Tech Clinic => Topic started by: Blender on October 22, 2006, 09:24:46 PM
-
I recently made a mistake by downloading a file that I thought could be suspicious. It was called "fastmp3_setup.exe".
The problems I am having are that my Symantec AntiVirus keeps popping up with various Trojans, Backdoors, etc., which keep recurring. Also, my Symantec keeps scanning e-mails that I am supposedly trying to send out, and I am getting a ton of these: "Your email message was unable to be sent because your mail server rejected the message".
Here is my hijackthis report.
Logfile of HijackThis v1.99.1
Scan saved at 9:16:39 PM, on 10/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\restore1.exe
C:\dfndrff_e34.exe
C:\nwnmff_e34.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\AIM95\aim.exe
C:\program files\valve\steam\steam.exe
C:\WINDOWS\system32\dmintf.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\mlnwinmc3.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\Program Files\Symantec AntiVirus\DefWatch.exe
c:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Zachary Ritter\Desktop\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.eyeseek.com/firstsite.asp?b=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.eyeseek.com/firstsite.asp?b=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\7.bin\MWSSRCAS.DLL (file missing)
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Glwcick Class - {BDF4E4DF-B6BB-4ECE-8CD9-1880DEC7B82F} - C:\WINDOWS\system32\lqe2z.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\7.bin\mwsoemon.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SvcManager] restore1.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e34.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e34.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [_mzu_stonedrv2] c:\windows\system32\_mzu_stonedrv2.exe
O4 - HKLM\..\RunServices: [_mzu_stonedrv7] c:\windows\system32\_mzu_stonedrv7.exe
O4 - HKLM\..\RunServices: [winsys001] ipsllnfg.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscpsv.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\7.bin\mwsoemon.exe
O4 - HKCU\..\Run: [dsdmo] C:\WINDOWS\system32\dsdmo.exe
O4 - HKCU\..\Run: [certmgr] C:\WINDOWS\system32\certmgr.exe
O4 - HKCU\..\Run: [dmintf] C:\WINDOWS\system32\dmintf.exe
O4 - HKCU\..\Run: [mswebdvd] C:\WINDOWS\system32\mswebdvd.exe
O4 - HKCU\..\Run: [_mzu_stonedrv2] c:\windows\system32\_mzu_stonedrv2.exe
O4 - HKCU\..\Run: [modex] C:\WINDOWS\system32\modex.exe
O4 - HKCU\..\Run: [msjetoledb40] C:\WINDOWS\system32\msjetoledb40.exe
O4 - HKCU\..\Run: [vga64k] C:\WINDOWS\system32\vga64k.exe
O4 - HKCU\..\Run: [mimefilt] C:\WINDOWS\system32\mimefilt.exe
O4 - HKCU\..\Run: [explorer] C:\WINDOWS\explorer.exe
O4 - HKCU\..\Run: [d3d8] C:\WINDOWS\system32\d3d8.exe
O4 - HKCU\..\Run: [FIREFOX] C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
O4 - HKCU\..\Run: [rpcns4] C:\WINDOWS\system32\rpcns4.exe
O4 - HKCU\..\Run: [sclgntfy] C:\WINDOWS\system32\sclgntfy.exe
O4 - HKCU\..\Run: [psnppagn] C:\WINDOWS\system32\psnppagn.exe
O4 - HKCU\..\Run: [umandlg] C:\WINDOWS\system32\umandlg.exe
O4 - HKCU\..\Run: [mlwn2m8] C:\WINDOWS\system32\mlnwinmc3.exe
O4 - HKCU\..\Run: [SvcManager] restore1.exe
O4 - HKCU\..\Run: [wdigest] C:\WINDOWS\system32\wdigest.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [ipxrip] C:\WINDOWS\system32\ipxrip.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Mozilla Firefox.lnk = C:\Program Files\Mozilla Firefox\firefox.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Filter: text/html - {8660A526-27A4-4FBD-85B2-857E82A25971} - C:\WINDOWS\system32\lqe2z.dll
O20 - Winlogon Notify: NavLogon - c:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: DCOM Server 2240 - {2C1CD3D7-86AC-4068-93BC-A02304BB2240} - C:\WINDOWS\system32\msiilt.dll
O23 - Service: adptif.exe - Unknown owner - C:\WINDOWS\system32\adptif.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: bthci.exe - Unknown owner - C:\WINDOWS\system32\bthci.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: cmpbk32.exe - Unknown owner - C:\WINDOWS\system32\cmpbk32.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - c:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kbdcan.exe - Unknown owner - C:\WINDOWS\system32\kbdcan.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: msw3prt.exe - Unknown owner - C:\WINDOWS\system32\msw3prt.exe (file missing)
O23 - Service: mswstr10.exe - Unknown owner - C:\WINDOWS\system32\mswstr10.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: secur32.exe - Unknown owner - C:\WINDOWS\system32\secur32.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - c:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: tcpmib.exe - Unknown owner - C:\WINDOWS\system32\tcpmib.exe (file missing)
O23 - Service: tsbyuv.exe - Unknown owner - C:\WINDOWS\system32\tsbyuv.exe (file missing)
O23 - Service: xpsp2res.exe - Unknown owner - C:\WINDOWS\system32\xpsp2res.exe (file missing)
Thanks in advance.
-
Download this file - Combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe) and save it to the desktop.
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Post the log from combofix please, with a fresh hijackthis log.
-
Here is the combofix report:
Zachary Ritter - 06-10-23 19:13:44.42 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Zachary Ritter"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\dfndrff_e34.exe
C:\drsmartload.exe
C:\deskbar_e31.exe
C:\MTE3NDI6ODoxNg.exe
C:\nwnmff_e34.exe
C:\mte3ndi6odoxng.exe
C:\RDFX4.exe
C:\WINDOWS\offun.exe
((((((((((((((((((((((((((((((( Files Created from 2006-09-23 to 2006-10-23 ))))))))))))))))))))))))))))))))))
2006-10-23 19:07 1,024 --a------ C:\mapwdngk.exe
2006-10-23 19:07 1,024 --a------ C:\dmahfxwv.exe
2006-10-23 19:07 1,024 --a------ C:\cphp.exe
2006-10-23 19:06 76,800 --a------ C:\gofp.exe
2006-10-23 19:06 21,504 --a------ C:\Documents and Settings\Zachary Ritter\LNEB.exe
2006-10-23 19:05 40,960 --a------ C:\WINDOWS\SYSTEM32\restore1.exe
2006-10-23 19:05 21,504 --a------ C:\WINDOWS\SYSTEM32\adsnt.exe
2006-10-23 18:41 27,136 --a------ C:\WINDOWS\SYSTEM32\41209062ld.exe
2006-10-22 21:12 1,024 --a------ C:\teqjvb.exe
2006-10-22 21:11 21,504 --a------ C:\WINDOWS\SYSTEM32\hsfcisp2.exe
2006-10-22 21:11 21,504 --a------ C:\Documents and Settings\Zachary Ritter\KHIR.exe
2006-10-22 20:03 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2006-10-22 19:51 21,504 --a------ C:\WINDOWS\SYSTEM32\atioglxx.exe
2006-10-22 19:51 21,504 --a------ C:\Documents and Settings\Zachary Ritter\MTTA.exe
2006-10-22 19:42 21,504 --a------ C:\WINDOWS\SYSTEM32\dpwsock.exe
2006-10-22 19:42 21,504 --a------ C:\Documents and Settings\Zachary Ritter\QLIJ.exe
2006-10-22 11:38 121,856 --------- C:\WINDOWS\SYSTEM32\xmllite.dll
2006-10-22 11:31 76,615 --a------ C:\WINDOWS\mlwiniv1.exe
2006-10-21 19:53 21,504 --a------ C:\Documents and Settings\Zachary Ritter\PIQJ.exe
2006-10-21 19:50 10,479 --a------ C:\hycf.exe
2006-10-21 19:49 35,600 --a------ C:\WINDOWS\SYSTEM32\ipxrip.exe
2006-10-21 19:49 21,504 --a------ C:\WINDOWS\SYSTEM32\KGGT.exe
2006-10-21 19:49 21,504 --a------ C:\WINDOWS\SYSTEM32\dpwsockx.exe
2006-10-21 19:49 21,504 --a------ C:\Documents and Settings\Zachary Ritter\KDNN.exe
2006-10-21 17:54 21,504 --a------ C:\WINDOWS\SYSTEM32\OMMB.exe
2006-10-21 17:54 20,480 --a------ C:\mc44a34.exe
2006-10-21 17:53 21,504 --a------ C:\WINDOWS\SYSTEM32\dpnet.exe
2006-10-21 17:53 21,504 --a------ C:\Documents and Settings\Zachary Ritter\ANAA.exe
2006-10-19 21:24 76,615 ---hs---- C:\WINDOWS\SYSTEM32\mlnwinmc3.exe
2006-10-19 21:24 40,960 --a------ C:\ouxx.exe
2006-10-19 21:24 2,560 ---hs---- C:\WINDOWS\SYSTEM32\hlpwinmlt4.exe
2006-10-19 21:22 18,944 --a------ C:\WINDOWS\SYSTEM32\fltlib.exe
2006-10-19 21:22 18,944 --a------ C:\Documents and Settings\Zachary Ritter\PNQQ.exe
2006-10-19 19:49 76,800 --a------ C:\xideeh.exe
2006-10-19 19:49 45,056 --a------ C:\WINDOWS\SYSTEM32\uaw5wah6a.exe
2006-10-19 19:49 349,696 --a------ C:\921_135b.exe
2006-10-19 19:49 28,672 --a------ C:\WINDOWS\system32drei.exe
2006-10-19 19:49 28,672 --a------ C:\WINDOWS\SYSTEM32\lkyaekrrr.exe
2006-10-19 19:49 28,672 --a------ C:\WINDOWS\SYSTEM32\drei.exe
2006-10-19 19:49 26,112 --a------ C:\WINDOWS\SYSTEM32\rpcc.dll
2006-10-19 19:49 200,704 --a------ C:\WINDOWS\SYSTEM32\lqe2z.dll
2006-10-19 19:49 160,768 --a------ C:\WINDOWS\SYSTEM32\msiilt.dll
2006-10-19 19:49 135,168 --a------ C:\WINDOWS\SYSTEM32\ujtnzbw.exe
2006-10-19 19:49 1,134,592 --a------ C:\WINDOWS\SYSTEM32\ovauma1ep.exe
2006-10-19 19:49 0 --a------ C:\WINDOWS\system32uaw5wah6a.exe
2006-10-19 19:48 45,056 --a------ C:\w77uxb8v9.exe
2006-10-19 19:48 18,944 --a------ C:\WINDOWS\SYSTEM32\d3dramp.exe
2006-10-19 19:48 18,944 --a------ C:\Documents and Settings\Zachary Ritter\ASFN.exe
2006-10-18 22:43 18,944 --a------ C:\WINDOWS\SYSTEM32\atipdlxx.exe
2006-10-18 22:43 18,944 --a------ C:\Documents and Settings\Zachary Ritter\JHLJ.exe
2006-10-18 22:41 21,504 --a------ C:\WINDOWS\SYSTEM32\cryptdlg.exe
2006-10-18 22:41 18,944 --a------ C:\WINDOWS\SYSTEM32\atippaxx.exe
2006-10-18 22:41 18,944 --a------ C:\Documents and Settings\Zachary Ritter\NUPU.exe
2006-10-17 20:08 45,056 --a------ C:\WINDOWS\SYSTEM32\EPDI.exe
2006-10-17 20:07 45,056 --a------ C:\WINDOWS\SYSTEM32\dpvacm.exe
2006-10-17 20:07 45,056 --a------ C:\Documents and Settings\Zachary Ritter\HJRE.exe
2006-10-17 13:33 6,049,280 --------- C:\WINDOWS\SYSTEM32\ieframe.dll
2006-10-17 13:33 50,688 --------- C:\WINDOWS\SYSTEM32\msfeedsbs.dll
2006-10-17 13:33 458,752 --------- C:\WINDOWS\SYSTEM32\msfeeds.dll
2006-10-17 13:33 180,736 --------- C:\WINDOWS\SYSTEM32\ieui.dll
2006-10-17 13:05 206,336 --------- C:\WINDOWS\SYSTEM32\WinFXDocObj.exe
2006-10-17 13:01 13,312 --a------ C:\WINDOWS\SYSTEM32\ieudinit.exe
2006-10-17 12:58 61,952 --------- C:\WINDOWS\SYSTEM32\icardie.dll
2006-10-17 12:58 12,288 --------- C:\WINDOWS\SYSTEM32\msfeedssync.exe
2006-10-17 12:57 266,752 --------- C:\WINDOWS\SYSTEM32\iertutil.dll
2006-10-17 12:27 380,928 --------- C:\WINDOWS\SYSTEM32\ieapfltr.dll
2006-10-16 19:44 45,056 --a------ C:\WINDOWS\SYSTEM32\RJRE.exe
2006-10-16 19:43 45,056 --a------ C:\WINDOWS\SYSTEM32\cic.exe
2006-10-16 19:43 45,056 --a------ C:\Documents and Settings\Zachary Ritter\KEIB.exe
2006-10-15 19:26 45,056 --a------ C:\WINDOWS\SYSTEM32\QHDH.exe
2006-10-15 19:25 45,056 --a------ C:\WINDOWS\SYSTEM32\cdrtc.exe
2006-10-15 19:25 45,056 --a------ C:\Documents and Settings\Zachary Ritter\CCBK.exe
2006-10-15 11:21 45,056 --a------ C:\WINDOWS\SYSTEM32\cmdial32.exe
2006-10-15 11:21 45,056 --a------ C:\Documents and Settings\Zachary Ritter\GALR.exe
2006-10-15 11:14 45,056 --a------ C:\WINDOWS\SYSTEM32\BJPJ.exe
2006-10-15 11:13 48,640 --a------ C:\Documents and Settings\Zachary Ritter\7.exe
2006-10-15 11:13 45,056 --a------ C:\WINDOWS\SYSTEM32\ati2dvag.exe
2006-10-15 11:13 45,056 --a------ C:\Documents and Settings\Zachary Ritter\MNAG.exe
2006-10-14 13:24 45,056 --a------ C:\WINDOWS\SYSTEM32\LRLD.exe
2006-10-14 13:23 45,056 --a------ C:\WINDOWS\SYSTEM32\atl71.exe
2006-10-14 13:23 45,056 --a------ C:\Documents and Settings\Zachary Ritter\NRUL.exe
2006-10-12 21:20 45,056 --a------ C:\WINDOWS\SYSTEM32\audiosrv.exe
2006-10-12 21:20 45,056 --a------ C:\Documents and Settings\Zachary Ritter\IHCR.exe
2006-10-12 20:33 45,056 --a------ C:\WINDOWS\SYSTEM32\SGJS.exe
2006-10-12 20:33 13,824 --a------ C:\fudi.exe
2006-10-12 20:32 45,056 --a------ C:\WINDOWS\SYSTEM32\dhcpcsvc.exe
2006-10-12 20:32 45,056 --a------ C:\Documents and Settings\Zachary Ritter\BFNC.exe
2006-10-11 20:43 24,576 --a------ C:\WINDOWS\SYSTEM32\cnbjmon.exe
2006-10-11 20:43 24,576 --a------ C:\Documents and Settings\Zachary Ritter\EMIR.exe
2006-10-11 20:36 35,600 --a------ C:\WINDOWS\SYSTEM32\certmgr.exe
2006-10-11 20:36 24,576 --a------ C:\WINDOWS\SYSTEM32\RCFE.exe
2006-10-11 20:36 24,576 --a------ C:\WINDOWS\SYSTEM32\IPEA.exe
2006-10-11 20:36 24,576 --a------ C:\WINDOWS\SYSTEM32\ativcoxx.exe
2006-10-11 20:36 2,589 --a------ C:\WINDOWS\SYSTEM32\4.exe
2006-10-11 20:36 153,632 --a------ C:\WINDOWS\SYSTEM32\9.exe
2006-10-11 20:36 133,152 --a------ C:\WINDOWS\SYSTEM32\dmintf.exe
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-10-23 19:12 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-23 19:09 -------- d-------- C:\Program Files\Symantec AntiVirus
2006-10-22 20:03 -------- d-------- C:\Program Files\Grisoft
2006-10-22 18:35 -------- d-------- C:\Program Files\Common Files
2006-10-22 11:48 -------- d-------- C:\Program Files\Internet Explorer
2006-10-17 13:33 413696 --a------ C:\WINDOWS\SYSTEM32\vbscript.dll
2006-10-17 13:33 231424 --a------ C:\WINDOWS\SYSTEM32\webcheck.dll
2006-10-17 13:33 156160 --a------ C:\WINDOWS\SYSTEM32\msls31.dll
2006-10-17 13:06 78336 --a------ C:\WINDOWS\SYSTEM32\ieencode.dll
2006-10-17 13:05 40960 --a------ C:\WINDOWS\SYSTEM32\licmgr10.dll
2006-10-17 13:05 105984 --a------ C:\WINDOWS\SYSTEM32\url.dll
2006-10-17 13:04 101376 --a------ C:\WINDOWS\SYSTEM32\occache.dll
2006-10-17 13:03 17408 --a------ C:\WINDOWS\SYSTEM32\corpol.dll
2006-10-17 13:01 71680 --a------ C:\WINDOWS\SYSTEM32\admparse.dll
2006-10-17 13:01 55296 --a------ C:\WINDOWS\SYSTEM32\iesetup.dll
2006-10-17 13:01 382976 --a------ C:\WINDOWS\SYSTEM32\iedkcs32.dll
2006-10-17 13:01 229376 --a------ C:\WINDOWS\SYSTEM32\ieaksie.dll
2006-10-17 13:01 152064 --a------ C:\WINDOWS\SYSTEM32\ieakeng.dll
2006-10-17 13:00 54784 --a------ C:\WINDOWS\SYSTEM32\ie4uinit.exe
2006-10-17 13:00 43008 --a------ C:\WINDOWS\SYSTEM32\iernonce.dll
2006-10-17 13:00 123904 --a------ C:\WINDOWS\SYSTEM32\advpack.dll
2006-10-17 12:57 36352 --a------ C:\WINDOWS\SYSTEM32\imgutil.dll
2006-10-17 12:56 45568 --a------ C:\WINDOWS\SYSTEM32\mshta.exe
2006-10-17 12:28 48128 --a------ C:\WINDOWS\SYSTEM32\mshtmler.dll
2006-10-17 12:23 161792 --a------ C:\WINDOWS\SYSTEM32\ieakui.dll
2006-10-11 20:43 -------- d---s---- C:\Documents and Settings\Zachary Ritter\Application Data\Microsoft
2006-10-10 19:50 -------- d-------- C:\Documents and Settings\Zachary Ritter\Application Data\U3
2006-10-06 23:33 -------- d-------- C:\Program Files\iTunes
2006-10-06 23:33 -------- d-------- C:\Program Files\iPod
2006-10-06 23:32 -------- d-------- C:\Program Files\QuickTime
2006-10-06 23:31 -------- d-------- C:\Program Files\Apple Software Update
2006-09-13 00:01 1084416 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2006-09-12 22:29 -------- d-------- C:\Program Files\Allway Sync
2006-09-12 22:29 -------- d-------- C:\Documents and Settings\Zachary Ritter\Application Data\Sync App Settings
2006-09-06 17:43 22752 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2006-09-04 19:38 -------- d-------- C:\Program Files\PokerStars
2006-08-31 20:22 -------- d-------- C:\Program Files\Java
2006-08-27 23:09 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-08-27 23:08 -------- d-------- C:\Program Files\Symantec
2006-08-27 23:08 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-08-27 23:03 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-27 23:03 -------- d-------- C:\Program Files\Creative
2006-08-25 10:45 617472 --a------ C:\WINDOWS\SYSTEM32\comctl32.dll
2006-08-21 07:21 16896 --a------ C:\WINDOWS\SYSTEM32\fltlib.dll
2006-08-21 04:14 23040 --a------ C:\WINDOWS\SYSTEM32\fltmc.exe
2006-08-16 06:58 100352 --a------ C:\WINDOWS\SYSTEM32\6to4svc.dll
2006-07-27 08:24 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"AIM"="C:\\Program Files\\AIM95\\aim.exe -cnetwait.odl"
"WNSI"="C:\\WINDOWS\\System32\\wnscpsv.exe"
"Steam"="\"c:\\program files\\valve\\steam\\steam.exe\" -silent"
"MyWebSearch Email Plugin"="C:\\PROGRA~1\\MYWEBS~1\\bar\\7.bin\\mwsoemon.exe"
"dsdmo"="C:\\WINDOWS\\system32\\dsdmo.exe"
"certmgr"="C:\\WINDOWS\\system32\\certmgr.exe"
"dmintf"="C:\\WINDOWS\\system32\\dmintf.exe"
"mswebdvd"="C:\\WINDOWS\\system32\\mswebdvd.exe"
"modex"="C:\\WINDOWS\\system32\\modex.exe"
"msjetoledb40"="C:\\WINDOWS\\system32\\msjetoledb40.exe"
"vga64k"="C:\\WINDOWS\\system32\\vga64k.exe"
"mimefilt"="C:\\WINDOWS\\system32\\mimefilt.exe"
"d3d8"="C:\\WINDOWS\\system32\\d3d8.exe"
"FIREFOX"="C:\\PROGRA~1\\MOZILL~1\\FIREFOX.EXE"
"rpcns4"="C:\\WINDOWS\\system32\\rpcns4.exe"
"sclgntfy"="C:\\WINDOWS\\system32\\sclgntfy.exe"
"psnppagn"="C:\\WINDOWS\\system32\\psnppagn.exe"
"umandlg"="C:\\WINDOWS\\system32\\umandlg.exe"
"mlwn2m8"="C:\\WINDOWS\\system32\\mlnwinmc3.exe"
"SvcManager"="restore1.exe"
"wdigest"="C:\\WINDOWS\\system32\\wdigest.exe"
"ipxrip"="C:\\WINDOWS\\system32\\ipxrip.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy2\\Surround Mixer\\CTSysVol.exe"
"CTDVDDet"="C:\\Program Files\\Creative\\SBAudigy2\\DVDAudio\\CTDVDDet.EXE"
"MyWebSearch Email Plugin"="C:\\PROGRA~1\\MYWEBS~1\\bar\\7.bin\\mwsoemon.exe"
"ccApp"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="c:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Enterprise"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"SvcManager"="restore1.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"_mzu_stonedrv2"="c:\\windows\\system32\\_mzu_stonedrv2.exe"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"_mzu_stonedrv2"="c:\\windows\\system32\\_mzu_stonedrv2.exe"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304BB2240}"="DCOM Server 2240"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"
"DCOM Server 2240"="{2C1CD3D7-86AC-4068-93BC-A02304BB2240}"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Symantec NetDetect.job
Completion time: 06-10-23 19:16:47.06
C:\ComboFix.txt ... 06-10-23 19:16
Here is the HiJackThis report:
Logfile of HijackThis v1.99.1
Scan saved at 7:19:07 PM, on 10/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Zachary Ritter\Desktop\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.eyeseek.com/firstsite.asp?b=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\7.bin\MWSSRCAS.DLL (file missing)
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Glwcick Class - {BDF4E4DF-B6BB-4ECE-8CD9-1880DEC7B82F} - C:\WINDOWS\system32\lqe2z.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\7.bin\mwsoemon.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SvcManager] restore1.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscpsv.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\7.bin\mwsoemon.exe
O4 - HKCU\..\Run: [dsdmo] C:\WINDOWS\system32\dsdmo.exe
O4 - HKCU\..\Run: [certmgr] C:\WINDOWS\system32\certmgr.exe
O4 - HKCU\..\Run: [dmintf] C:\WINDOWS\system32\dmintf.exe
O4 - HKCU\..\Run: [mswebdvd] C:\WINDOWS\system32\mswebdvd.exe
O4 - HKCU\..\Run: [modex] C:\WINDOWS\system32\modex.exe
O4 - HKCU\..\Run: [msjetoledb40] C:\WINDOWS\system32\msjetoledb40.exe
O4 - HKCU\..\Run: [vga64k] C:\WINDOWS\system32\vga64k.exe
O4 - HKCU\..\Run: [mimefilt] C:\WINDOWS\system32\mimefilt.exe
O4 - HKCU\..\Run: [d3d8] C:\WINDOWS\system32\d3d8.exe
O4 - HKCU\..\Run: [FIREFOX] C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
O4 - HKCU\..\Run: [rpcns4] C:\WINDOWS\system32\rpcns4.exe
O4 - HKCU\..\Run: [sclgntfy] C:\WINDOWS\system32\sclgntfy.exe
O4 - HKCU\..\Run: [psnppagn] C:\WINDOWS\system32\psnppagn.exe
O4 - HKCU\..\Run: [umandlg] C:\WINDOWS\system32\umandlg.exe
O4 - HKCU\..\Run: [mlwn2m8] C:\WINDOWS\system32\mlnwinmc3.exe
O4 - HKCU\..\Run: [SvcManager] restore1.exe
O4 - HKCU\..\Run: [wdigest] C:\WINDOWS\system32\wdigest.exe
O4 - HKCU\..\Run: [ipxrip] C:\WINDOWS\system32\ipxrip.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Mozilla Firefox.lnk = C:\Program Files\Mozilla Firefox\firefox.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Filter: text/html - {8660A526-27A4-4FBD-85B2-857E82A25971} - C:\WINDOWS\system32\lqe2z.dll
O20 - Winlogon Notify: NavLogon - c:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: DCOM Server 2240 - {2C1CD3D7-86AC-4068-93BC-A02304BB2240} - C:\WINDOWS\system32\msiilt.dll
O23 - Service: adptif.exe - Unknown owner - C:\WINDOWS\system32\adptif.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: bthci.exe - Unknown owner - C:\WINDOWS\system32\bthci.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: cmpbk32.exe - Unknown owner - C:\WINDOWS\system32\cmpbk32.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - c:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kbdcan.exe - Unknown owner - C:\WINDOWS\system32\kbdcan.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: msw3prt.exe - Unknown owner - C:\WINDOWS\system32\msw3prt.exe (file missing)
O23 - Service: mswstr10.exe - Unknown owner - C:\WINDOWS\system32\mswstr10.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: secur32.exe - Unknown owner - C:\WINDOWS\system32\secur32.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - c:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: tcpmib.exe - Unknown owner - C:\WINDOWS\system32\tcpmib.exe (file missing)
O23 - Service: tsbyuv.exe - Unknown owner - C:\WINDOWS\system32\tsbyuv.exe (file missing)
O23 - Service: xpsp2res.exe - Unknown owner - C:\WINDOWS\system32\xpsp2res.exe (file missing)
-
Can you do the following
We have to clean some of those files from your computer
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.
Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
- Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
I'll need to see that log later
Could you next do the following
* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
- Double-click the drweb-cureit.exe file and allow it to run the express scan
- This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
- Once the short scan has finished, Click Options > Change settings
- Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
- Back at the main window, mark the drives that you want to scan.
- Select all drives. A red dot shows which drives have been chosen.
- Click the green arrow at the right, and the scan will start.
- Click 'Yes to all' if it asks if you want to cure/move the file.
- When the scan has finished, look if you can click the next icon next to the files found: (http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif)
- If so, click it and then click the next icon right below and select Move incurable, as you'll see in the next image:
(http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif)
This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured.
- After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
- Save the report to your desktop. The report will be called DrWeb.csv
- Close Dr.Web Cureit.
- Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
Back in Windows, I need to see ALL the following, even if it takes more than one reply to post it all
1. Post a fresh Hijackthis log>>One from Normal windows, the last one looked like it was taken in Safe mode
2. Post the log from SDFIX>>Report.txt located in the SDFix folder
3. The log from Dr. Web>>DrWeb.csv
4. Could you run Combofix again and post the fresh log that opens
-
SDFix: Version 1.31
-------------------
Scan run on:
Mon 10/23/2006
Time:
10:46 PM
Microsoft Windows XP [Version 5.1.2600]
Running from: C:\Documents and Settings\Zachary Ritter\Desktop\SDFix
Stage One...
Checking Services...
Name:
-----
MZU_RK
Path:
----
\??\C:\WINDOWS\system32\MZU_DRV.sys
MZU_RK Deleted...
Repairing Registry...
Restoring Default Hosts File...
Stage One Complete
Rebooting...
Stage Two...
Checking For Malware:
--------------------
C:\MC44A34.EXE
C:\WINDOWS\Prefetch\DRSMARTLOAD.EXE-018D1B1E.pf
C:\WINDOWS\system32\mini2tone.ini
C:\WINDOWS\system32\mini7tone.ini
C:\uniq
C:\WINDOWS\system32\atiphexx.exe
C:\WINDOWS\system32\t3st.bmp
Backing Up and Removing any Files Found...
Final Check:
Services:
---------
Files:
------
Any files removed are saved to the SDFix\backups Folder
FINISHED
-
That's one of the 4 logs, I hope you're planning on posting all of them
I'll hold tight till then
-
The Dr. Web Anti-Virus scan is taking a long time. I will post it in the morning if I can.
-
That's ok Blender, let it run and follow the instructions with it please
I'm about to pack it in also
When I see the logs, we'll go after the remainder problems
Things should look better tomorrow
-
Logfile of HijackThis v1.99.1
Scan saved at 7:23:45 AM, on 10/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\Program Files\Symantec AntiVirus\DefWatch.exe
c:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\program files\valve\steam\steam.exe
c:\windows\system32\svhost6.exe
C:\WINDOWS\system32\ctfmon.exe
c:\nwnmff_e35.exe
c:\dfndrff_e35.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dmintf.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\dumprep.exe
C:\Documents and Settings\Zachary Ritter\Desktop\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.eyeseek.com/firstsite.asp?b=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\7.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {B026CEAD-351D-42A5-AA5B-59FC071818CB} - C:\Program Files\MSN Gaming Zone\woledat.dll
O2 - BHO: Glwcick Class - {BDF4E4DF-B6BB-4ECE-8CD9-1880DEC7B82F} - C:\WINDOWS\system32\lqe2z.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\7.bin\mwsoemon.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SvcManager] svhost6.exe
O4 - HKLM\..\Run: [defender] c:\\dfndrff_e35.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscpsv.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\7.bin\mwsoemon.exe
O4 - HKCU\..\Run: [dsdmo] C:\WINDOWS\system32\dsdmo.exe
O4 - HKCU\..\Run: [certmgr] C:\WINDOWS\system32\certmgr.exe
O4 - HKCU\..\Run: [dmintf] C:\WINDOWS\system32\dmintf.exe
O4 - HKCU\..\Run: [mswebdvd] C:\WINDOWS\system32\mswebdvd.exe
O4 - HKCU\..\Run: [modex] C:\WINDOWS\system32\modex.exe
O4 - HKCU\..\Run: [msjetoledb40] C:\WINDOWS\system32\msjetoledb40.exe
O4 - HKCU\..\Run: [vga64k] C:\WINDOWS\system32\vga64k.exe
O4 - HKCU\..\Run: [mimefilt] C:\WINDOWS\system32\mimefilt.exe
O4 - HKCU\..\Run: [d3d8] C:\WINDOWS\system32\d3d8.exe
O4 - HKCU\..\Run: [FIREFOX] C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
O4 - HKCU\..\Run: [rpcns4] C:\WINDOWS\system32\rpcns4.exe
O4 - HKCU\..\Run: [sclgntfy] C:\WINDOWS\system32\sclgntfy.exe
O4 - HKCU\..\Run: [psnppagn] C:\WINDOWS\system32\psnppagn.exe
O4 - HKCU\..\Run: [umandlg] C:\WINDOWS\system32\umandlg.exe
O4 - HKCU\..\Run: [SvcManager] restore1.exe
O4 - HKCU\..\Run: [wdigest] C:\WINDOWS\system32\wdigest.exe
O4 - HKCU\..\Run: [ipxrip] C:\WINDOWS\system32\ipxrip.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Mozilla Firefox.lnk = C:\Program Files\Mozilla Firefox\firefox.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - AppInit_DLLs: ZƤâā¬Å”Ć¢ā¬Ā 2kFƤRĆĀ“~8<Ć¢ā¬Ā”ĆĀ„Ćā°*,27ĆāƬ#Ćā Ćā(2ĆĀùâā¬ā¢Ć¢ā¬ā¢Ć
ā,Ć¢ā¬Å¾ĆĀqĆĀ©gĆžĆĀ?cKzAĆĀ¢
O20 - Winlogon Notify: NavLogon - c:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: DCOM Server 2240 - {2C1CD3D7-86AC-4068-93BC-A02304BB2240} - C:\WINDOWS\system32\msiilt.dll
O23 - Service: adptif.exe - Unknown owner - C:\WINDOWS\system32\adptif.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: bthci.exe - Unknown owner - C:\WINDOWS\system32\bthci.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: cmpbk32.exe - Unknown owner - C:\WINDOWS\system32\cmpbk32.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - c:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kbdcan.exe - Unknown owner - C:\WINDOWS\system32\kbdcan.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: msw3prt.exe - Unknown owner - C:\WINDOWS\system32\msw3prt.exe (file missing)
O23 - Service: mswstr10.exe - Unknown owner - C:\WINDOWS\system32\mswstr10.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: secur32.exe - Unknown owner - C:\WINDOWS\system32\secur32.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - c:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: tcpmib.exe - Unknown owner - C:\WINDOWS\system32\tcpmib.exe (file missing)
O23 - Service: tsbyuv.exe - Unknown owner - C:\WINDOWS\system32\tsbyuv.exe (file missing)
O23 - Service: xpsp2res.exe - Unknown owner - C:\WINDOWS\system32\xpsp2res.exe (file missing)
I won't have the rest until later tonight. The Dr. Web stopped responding before I could get a log.
-
Try disabling Norton's autoprotect before running it, it may help
-
I don't think I have Norton running on my computer.
Can the Combofix and Dr. Web be run in Safe mode?
My regular mode is so swamped with these pop-ups notifying virus/malware found and e-mail not able to be sent that there is no CPU left and nothing is running at a reasonable speed.
-
Can you do the following if you can
If at all possible, Redownload Dr.Web cureit from the link I posted earlier
as it has been updated since you first downloaded it
Print all the directions to run it for use in safe mode
Don't reboot in safe mode yet
Instead, Do a "System scan only" with Hijackthis and put a check next to these entries:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.eyeseek.com/firstsite.asp?b=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\7.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: (no name) - {B026CEAD-351D-42A5-AA5B-59FC071818CB} - C:\Program Files\MSN Gaming Zone\woledat.dll
O2 - BHO: Glwcick Class - {BDF4E4DF-B6BB-4ECE-8CD9-1880DEC7B82F} - C:\WINDOWS\system32\lqe2z.dll
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\7.bin\mwsoemon.exe
O4 - HKLM\..\Run: [SvcManager] svhost6.exe
O4 - HKLM\..\Run: [defender] c:\\dfndrff_e35.exe
O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscpsv.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\7.bin\mwsoemon.exe
O4 - HKCU\..\Run: [dsdmo] C:\WINDOWS\system32\dsdmo.exe
O4 - HKCU\..\Run: [certmgr] C:\WINDOWS\system32\certmgr.exe
O4 - HKCU\..\Run: [dmintf] C:\WINDOWS\system32\dmintf.exe
O4 - HKCU\..\Run: [mswebdvd] C:\WINDOWS\system32\mswebdvd.exe
O4 - HKCU\..\Run: [modex] C:\WINDOWS\system32\modex.exe
O4 - HKCU\..\Run: [msjetoledb40] C:\WINDOWS\system32\msjetoledb40.exe
O4 - HKCU\..\Run: [vga64k] C:\WINDOWS\system32\vga64k.exe
O4 - HKCU\..\Run: [mimefilt] C:\WINDOWS\system32\mimefilt.exe
O4 - HKCU\..\Run: [d3d8] C:\WINDOWS\system32\d3d8.exe
O4 - HKCU\..\Run: [FIREFOX] C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
O4 - HKCU\..\Run: [rpcns4] C:\WINDOWS\system32\rpcns4.exe
O4 - HKCU\..\Run: [sclgntfy] C:\WINDOWS\system32\sclgntfy.exe
O4 - HKCU\..\Run: [psnppagn] C:\WINDOWS\system32\psnppagn.exe
O4 - HKCU\..\Run: [umandlg] C:\WINDOWS\system32\umandlg.exe
O4 - HKCU\..\Run: [SvcManager] restore1.exe
O4 - HKCU\..\Run: [wdigest] C:\WINDOWS\system32\wdigest.exe
O4 - HKCU\..\Run: [ipxrip] C:\WINDOWS\system32\ipxrip.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZNfox000
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O20 - AppInit_DLLs: ZƤâā¬Å”Ć¢ā¬Ā 2kFƤRĆĀ“~8<Ć¢ā¬Ā”ĆĀ„Ćā°*,27ĆāƬ#Ćā Ćā(2ĆĀùâā¬ā¢Ć¢ā¬ā¢Ć
ā,Ć¢ā¬Å¾ĆĀqĆĀ©gĆžĆĀ?cKzAĆĀ¢
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O21 - SSODL: DCOM Server 2240 - {2C1CD3D7-86AC-4068-93BC-A02304BB2240} - C:\WINDOWS\system32\msiilt.dll
O23 - Service: adptif.exe - Unknown owner - C:\WINDOWS\system32\adptif.exe
O23 - Service: bthci.exe - Unknown owner - C:\WINDOWS\system32\bthci.exe (file missing)
O23 - Service: cmpbk32.exe - Unknown owner - C:\WINDOWS\system32\cmpbk32.exe (file missing)
O23 - Service: kbdcan.exe - Unknown owner - C:\WINDOWS\system32\kbdcan.exe (file missing)
O23 - Service: msw3prt.exe - Unknown owner - C:\WINDOWS\system32\msw3prt.exe (file missing)
O23 - Service: mswstr10.exe - Unknown owner - C:\WINDOWS\system32\mswstr10.exe (file missing)
O23 - Service: secur32.exe - Unknown owner - C:\WINDOWS\system32\secur32.exe (file missing)
O23 - Service: tcpmib.exe - Unknown owner - C:\WINDOWS\system32\tcpmib.exe (file missing)
O23 - Service: tsbyuv.exe - Unknown owner - C:\WINDOWS\system32\tsbyuv.exe (file missing)
O23 - Service: xpsp2res.exe - Unknown owner - C:\WINDOWS\system32\xpsp2res.exe (file missing)
After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Reboot into safe mode
Run Dr. Web Cureit with previous instruction
Reboot to Normal windows
Run Combofix again and post the log along with a fresh Hijackthis log
Also include the log from Dr.Web
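The entries ticked in the list above are the classes a reviewer checks first in a HijackThis log: F2 Shell and UserInit values that carry a second binary, O4 Run keys that point at a bare filename, at the root of C:\ or (per user) into system32, an O18 text/html filter, an O20 Winlogon Notify DLL that no installed product accounts for, an O21 SSODL entry, and O23 services with no owner. The Python below is an added example, not the helper's or HijackThis's own code: it reads a log in the 1.99.1 format and applies those rules mechanically. The sample log is a constructed subset of the entries posted in this thread, and the two allowlists (KNOWN_NOTIFY for the Symantec and WGA notify packages, SYSTEM32_RUN_ALLOW for ctfmon.exe) are assumptions about this particular machine, not general defaults.

```python
"""First mechanical pass over a HijackThis 1.99 log: apply fixed rules to the entry classes a reviewer checks first."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the entries posted in the thread above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SvcManager] svhost6.exe
O4 - HKLM\..\Run: [defender] c:\\dfndrff_e35.exe
O4 - HKCU\..\Run: [d3d8] C:\WINDOWS\system32\d3d8.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SvcManager] restore1.exe
O18 - Filter: text/html - {8660A526-27A4-4FBD-85B2-857E82A25971} - C:\WINDOWS\system32\lqe2z.dll
O20 - Winlogon Notify: NavLogon - c:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O21 - SSODL: DCOM Server 2240 - {2C1CD3D7-86AC-4068-93BC-A02304BB2240} - C:\WINDOWS\system32\msiilt.dll
O23 - Service: adptif.exe - Unknown owner - C:\WINDOWS\system32\adptif.exe
O23 - Service: secur32.exe - Unknown owner - C:\WINDOWS\system32\secur32.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - c:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[[^\]]*\] (?P<cmd>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Assumption: the Winlogon Notify packages accounted for on this box (Symantec AV, WGA).
KNOWN_NOTIFY = {"NavLogon", "WgaLogon"}
# Assumption: the only per-user Run entry into system32 that is normal on XP SP2.
SYSTEM32_RUN_ALLOW = {"ctfmon.exe"}

@dataclass
class Finding:
    severity: str  # "high" or "medium"
    rule: str
    line: str

def first_token(cmd):
    """Executable part of a Run command line: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""

def check_f2(body, line):
    if body.startswith("REG:system.ini: Shell="):
        if body.split("=", 1)[1].strip().lower() != "explorer.exe":
            return Finding("high", "shell-hijack", line)  # second binary started with the shell
    if body.startswith("REG:system.ini: UserInit="):
        parts = [p for p in body.split("=", 1)[1].split(",") if p.strip()]
        if len(parts) != 1 or not parts[0].lower().endswith("\\userinit.exe"):
            return Finding("high", "userinit-hijack", line)  # runs at every logon, before the shell
    return None

def check_o4(body, line):
    m = RUN_RE.match(body)
    if not m:
        return None
    exe = first_token(m.group("cmd"))
    low = exe.lower()
    if "\\" not in exe:
        return Finding("high", "run-bare-filename", line)  # resolved via the search path, no install dir
    if re.match(r"^[a-z]:\\\\?[^\\]+$", low):
        return Finding("high", "run-drive-root-exe", line)  # real installers do not drop into C:\
    if (m.group("hive") == "HKCU" and "\\system32\\" in low
            and low.rsplit("\\", 1)[1] not in SYSTEM32_RUN_ALLOW):
        return Finding("medium", "hkcu-run-in-system32", line)  # per-user autostart of a system32 exe
    return None

def check_o18(body, line):
    # A text/html MIME filter sits in front of every page IE renders.
    return Finding("high", "html-mime-filter", line) if body.startswith("Filter: text/html") else None

def check_o20(body, line):
    if body.startswith("Winlogon Notify: "):
        name = body[len("Winlogon Notify: "):].split(" - ", 1)[0]
        if name not in KNOWN_NOTIFY:
            return Finding("high", "unknown-winlogon-notify", line)  # DLL loaded into winlogon.exe
    return None

def check_o21(body, line):
    # HijackThis filters the stock XP SSODL entries, so what it still lists needs a lookup.
    return Finding("high", "ssodl-entry", line) if body.startswith("SSODL: ") else None

def check_o23(body, line):
    m = SERVICE_RE.match(body)
    if not m or m.group("owner") != "Unknown owner":
        return None
    if m.group("path").endswith("(file missing)"):
        return Finding("medium", "orphan-service", line)  # binary gone, service key left behind
    return Finding("high", "unknown-owner-service", line)  # unattributed binary running as a service

CHECKS = {"F2": check_f2, "O4": check_o4, "O18": check_o18,
          "O20": check_o20, "O21": check_o21, "O23": check_o23}

def triage(log_text):
    """Return one Finding per log entry that trips a rule, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        check = CHECKS.get(m.group("code")) if m else None
        hit = check(m.group("body"), line) if check else None
        if hit:
            findings.append(hit)
    return findings
```

Run against the full log posted above it does not replace the judgement in the fix list (nothing here says what the files are), but it makes the shape of the infection visible at once: two logon-path hijacks, two Run entries with no path at all, and a cluster of per-user Run keys in system32 whose names (d3d8, wdigest, secur32, rpcns4) are those of real Windows DLLs, chosen so that a name-by-name lookup looks clean.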
-
Dr. Web log (from safe mode)
drsmartload.exe;C:\;Adware.DollarRevenue;Incurable.Moved.;
gofp.exe\data001;C:\gofp.exe;Trojan.PWS.Snap;;
gofp.exe\data002;C:\gofp.exe;Trojan.PWS.Snap;;
gofp.exe;C:\;Archive contains infected objects;Moved.;
mc44a36.exe;C:\;Adware.DollarRevenue;Incurable.Moved.;
cmdinst.exe;C:\Documents and Settings\LocalService\Local Settings\Temp;Trojan.Proxy.493;Incurable.Moved.;
stdrun6.exe;C:\Documents and Settings\LocalService\Local Settings\Temp;Trojan.MulDrop.3843;Deleted.;
stdrun7.exe;C:\Documents and Settings\LocalService\Local Settings\Temp;Trojan.MulDrop.3843;Deleted.;
cmdinst.exe;C:\Documents and Settings\NetworkService\Local Settings\Temp;Trojan.Proxy.493;Incurable.Moved.;
stdrun11.exe;C:\Documents and Settings\NetworkService\Local Settings\Temp;Trojan.MulDrop.3843;Deleted.;
stdrun13.exe;C:\Documents and Settings\NetworkService\Local Settings\Temp;Trojan.MulDrop.3843;Deleted.;
stdrun14.exe;C:\Documents and Settings\NetworkService\Local Settings\Temp;Trojan.MulDrop.3843;Deleted.;
stdrun15.exe;C:\Documents and Settings\NetworkService\Local Settings\Temp;Trojan.MulDrop.3843;Deleted.;
installer[1].exe;C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\FMCSMFD3;Trojan.Proxy.493;Incurable.Moved.;
Process.exe;C:\Documents and Settings\Zachary Ritter\SDFix\apps;Tool.Prockill;Incurable.Moved.;
MiniBugTransporter.EXE;C:\Program Files\AIM95;Adware.Aws;Incurable.Moved.;
WxBug.EXE;C:\Program Files\AIM95;Adware.Aws;Incurable.Moved.;
mirc.exe;C:\Program Files\mIRC;Program.mIRC.616;Incurable.Moved.;
NPMyWebS.dll;C:\Program Files\Mozilla Firefox\plugins;Adware.Msearch;Incurable.Moved.;
offun.exe;C:\WINDOWS;Adware.Bagon;Incurable.Moved.;
f3PSSavr.scr;C:\WINDOWS\SYSTEM32;Adware.Msearch;Incurable.Moved.;
35_bn2b.exe;C:\WINDOWS\Temp;Adware.Give4Free;Incurable.Moved.;
cr52.exe;C:\WINDOWS\Temp;Adware.Give4Free;Incurable.Moved.;
i4FF.tmp;C:\WINDOWS\Temp;Adware.Surfside;Incurable.Moved.;
stampede0011.exe;C:\WINDOWS\Temp;Adware.Give4Free;Incurable.Moved.;
stdrun10.exe;C:\WINDOWS\Temp;Trojan.MulDrop.3843;Deleted.;
stdrun11.exe;C:\WINDOWS\Temp;Trojan.MulDrop.3843;Deleted.;
stdrun3.exe;C:\WINDOWS\Temp;Trojan.MulDrop.3843;Deleted.;
stdrun5.exe;C:\WINDOWS\Temp;Adware.Ykemi;Incurable.Moved.;
stdrun6.exe;C:\WINDOWS\Temp;Adware.Nexus;Incurable.Moved.;
stdrun7.exe\data001;C:\WINDOWS\Temp\stdrun7.exe;Adware.Give4Free;;
stdrun7.exe\data002;C:\WINDOWS\Temp\stdrun7.exe;Adware.Give4Free;;
stdrun7.exe\data003;C:\WINDOWS\Temp\stdrun7.exe;Adware.Give4Free;;
stdrun7.exe;C:\WINDOWS\Temp;Archive contains infected objects;Moved.;
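The DrWeb.csv posted above is a semicolon-separated list, one record of name;folder;threat;action; per hit, which the forum ran together onto a line or two. The Python below is an added example, not Dr.Web's or the helper's code: it parses that list in either form and sorts the hits into what was deleted, what is sitting in the %userprofile%\DoctorWeb quarantine, what was only reported as a member of an archive, and what is riskware rather than an infection (treating Dr.Web's Tool. and Program. prefixes as riskware is an assumption; here they cover SDFix's own Process.exe and the mIRC client). It also pulls out the detections under the LocalService and NetworkService profiles, which matter because code only writes there while running as a service account. The sample is a constructed subset of the records posted above.

```python
"""Sort a Dr.Web CureIt report list (name;folder;threat;action;) into follow-up buckets."""

# Constructed sample: a subset of the DrWeb.csv records posted above, in the
# run-together single-line form the forum post carried.
SAMPLE_CSV = (
    r"drsmartload.exe;C:\;Adware.DollarRevenue;Incurable.Moved.; "
    r"gofp.exe\data001;C:\gofp.exe;Trojan.PWS.Snap;; "
    r"gofp.exe;C:\;Archive contains infected objects;Moved.; "
    r"cmdinst.exe;C:\Documents and Settings\LocalService\Local Settings\Temp;Trojan.Proxy.493;Incurable.Moved.; "
    r"stdrun6.exe;C:\Documents and Settings\LocalService\Local Settings\Temp;Trojan.MulDrop.3843;Deleted.; "
    r"Process.exe;C:\Documents and Settings\Zachary Ritter\SDFix\apps;Tool.Prockill;Incurable.Moved.; "
    r"mirc.exe;C:\Program Files\mIRC;Program.mIRC.616;Incurable.Moved.; "
    r"stdrun7.exe\data001;C:\WINDOWS\Temp\stdrun7.exe;Adware.Give4Free;; "
    r"stdrun7.exe;C:\WINDOWS\Temp;Archive contains infected objects;Moved.;"
)

# Profile folders of the built-in service accounts: a file written there came from
# code running as a service, not from the interactive user.
SERVICE_PROFILES = ("\\localservice\\", "\\networkservice\\")
# Assumption: these Dr.Web name prefixes mark riskware (legitimate tools the scanner
# dislikes), not an infection; here SDFix's Process.exe and mIRC.
RISKWARE_PREFIXES = ("Tool.", "Program.")

def parse_report(text):
    """Split the report into records; accepts the one-line and the one-record-per-line form."""
    tokens = text.split(";")
    if tokens and not tokens[-1].strip():
        tokens.pop()  # terminator after the final record
    if len(tokens) % 4:
        raise ValueError("token count is not a multiple of the 4 fields per record")
    records = []
    for i in range(0, len(tokens), 4):
        name, folder, threat, action = (t.strip() for t in tokens[i:i + 4])
        records.append({"name": name, "folder": folder, "threat": threat, "action": action})
    return records

def classify(rec):
    if rec["threat"].startswith(RISKWARE_PREFIXES):
        return "riskware"        # verify it is the tool you think before treating as infection
    if "\\" in rec["name"]:
        return "archive-member"  # reported through the parent archive's own record
    if rec["action"] == "Deleted.":
        return "removed"
    if rec["action"] in ("Moved.", "Incurable.Moved."):
        return "quarantined"     # sitting in %userprofile%\DoctorWeb\quarantaine
    return "unhandled"           # cure refused or scan interrupted; needs a manual look

def summarize(records):
    buckets = {"removed": 0, "quarantined": 0, "archive-member": 0, "riskware": 0, "unhandled": 0}
    for rec in records:
        buckets[classify(rec)] += 1
    return buckets

def service_context_hits(records):
    """Names of detections under LocalService/NetworkService: evidence of a component
    running as a service, which a per-user Run-key cleanup alone will not remove."""
    return [rec["name"] for rec in records
            if any(p in rec["folder"].lower() for p in SERVICE_PROFILES)]

def riskware_names(records):
    return [rec["name"] for rec in records if classify(rec) == "riskware"]

if __name__ == "__main__":
    recs = parse_report(SAMPLE_CSV)
    print(summarize(recs))
    print("written from a service context:", service_context_hits(recs))
    print("verify before treating as infection:", riskware_names(recs))
```

On the full log the service-context list is what ties the Dr.Web result back to the HijackThis one: Trojan.Proxy.493 and the MulDrop files in the LocalService and NetworkService Temp folders were put there by something running as a service, which is what the O23 "Unknown owner" entries in the HijackThis log are.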
-
Here are the remaining 2 logs:
Thanks for your patience.
Zachary Ritter - 06-10-24 23:17:18.75 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Zachary Ritter\Desktop"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\drsmartload2.dat
C:\dfndrff_e36.exe
C:\MTE3NDI6ODoxNg.exe
C:\MTE3NDI6ODoxNgnew.exe
C:\nwnmff_e36.exe
C:\mte3ndi6odoxng.exe
C:\RDFX4.exe
((((((((((((((((((((((((((((((( Files Created from 2006-09-24 to 2006-10-24 ))))))))))))))))))))))))))))))))))
2006-10-24 21:00 183,476 --a------ C:\WINDOWS\srvggjvmdu.exe
2006-10-24 19:49 277,505 --a------ C:\WINDOWS\SYSTEM32\durvil1.exe
2006-10-24 19:48 167,936 --ah----- C:\WINDOWS\SYSTEM32\gtool.dll
2006-10-24 19:43 55,808 --a------ C:\WINDOWS\ieredir.exe
2006-10-24 19:43 33,792 --a------ C:\WINDOWS\dsrss.exe
2006-10-24 19:43 31,232 --a------ C:\WINDOWS\preredir.exe
2006-10-24 19:41 57,370 --a------ C:\WINDOWS\SYSTEM32\osdsregl.exe
2006-10-24 07:43 9,767 --a------ C:\dollarrev.exe
2006-10-24 07:43 69 --a------ C:\dmahfxwv.bat
2006-10-24 07:41 21,504 --a------ C:\WINDOWS\SYSTEM32\catsrvps.exe
2006-10-24 07:41 21,504 --a------ C:\Documents and Settings\Zachary Ritter\URLU.exe
2006-10-23 23:01 40,960 --a------ C:\WINDOWS\SYSTEM32\svhost6.exe
2006-10-23 23:01 21,504 --a------ C:\WINDOWS\SYSTEM32\cabinet.exe
2006-10-23 23:01 21,504 --a------ C:\Documents and Settings\Zachary Ritter\KFJU.exe
2006-10-23 23:01 0 --a------ C:\WINDOWS\SYSTEM32\dataclen.exe
2006-10-23 19:07 9,767 --a------ C:\cphp.exe
2006-10-23 19:07 40,960 --a------ C:\mapwdngk.exe
2006-10-23 19:06 21,504 --a------ C:\Documents and Settings\Zachary Ritter\LNEB.exe
2006-10-23 19:05 21,504 --a------ C:\WINDOWS\SYSTEM32\adsnt.exe
2006-10-23 18:41 27,136 --a------ C:\WINDOWS\SYSTEM32\41209062ld.exe
2006-10-22 21:12 1,024 --a------ C:\teqjvb.exe
2006-10-22 21:11 21,504 --a------ C:\WINDOWS\SYSTEM32\hsfcisp2.exe
2006-10-22 21:11 21,504 --a------ C:\Documents and Settings\Zachary Ritter\KHIR.exe
2006-10-22 20:03 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2006-10-22 19:51 21,504 --a------ C:\WINDOWS\SYSTEM32\atioglxx.exe
2006-10-22 19:51 21,504 --a------ C:\Documents and Settings\Zachary Ritter\MTTA.exe
2006-10-22 19:42 21,504 --a------ C:\WINDOWS\SYSTEM32\dpwsock.exe
2006-10-22 19:42 21,504 --a------ C:\Documents and Settings\Zachary Ritter\QLIJ.exe
2006-10-22 11:38 121,856 --------- C:\WINDOWS\SYSTEM32\xmllite.dll
2006-10-21 19:53 21,504 --a------ C:\Documents and Settings\Zachary Ritter\PIQJ.exe
2006-10-21 19:50 10,479 --a------ C:\hycf.exe
2006-10-21 19:49 21,504 --a------ C:\WINDOWS\SYSTEM32\KGGT.exe
2006-10-21 19:49 21,504 --a------ C:\WINDOWS\SYSTEM32\dpwsockx.exe
2006-10-21 19:49 21,504 --a------ C:\Documents and Settings\Zachary Ritter\KDNN.exe
2006-10-21 17:54 21,504 --a------ C:\WINDOWS\SYSTEM32\OMMB.exe
2006-10-21 17:53 21,504 --a------ C:\WINDOWS\SYSTEM32\dpnet.exe
2006-10-21 17:53 21,504 --a------ C:\Documents and Settings\Zachary Ritter\ANAA.exe
2006-10-19 21:24 40,960 --a------ C:\ouxx.exe
2006-10-19 21:24 2,560 ---hs---- C:\WINDOWS\SYSTEM32\hlpwinmlt4.exe
2006-10-19 21:22 18,944 --a------ C:\WINDOWS\SYSTEM32\fltlib.exe
2006-10-19 21:22 18,944 --a------ C:\Documents and Settings\Zachary Ritter\PNQQ.exe
2006-10-19 19:49 45,056 --a------ C:\WINDOWS\SYSTEM32\uaw5wah6a.exe
2006-10-19 19:49 28,672 --a------ C:\WINDOWS\system32drei.exe
2006-10-19 19:49 28,672 --a------ C:\WINDOWS\SYSTEM32\lkyaekrrr.exe
2006-10-19 19:49 28,672 --a------ C:\WINDOWS\SYSTEM32\drei.exe
2006-10-19 19:49 26,112 --a------ C:\WINDOWS\SYSTEM32\rpcc.dll
2006-10-19 19:49 160,768 --a------ C:\WINDOWS\SYSTEM32\msiilt.dll
2006-10-19 19:49 135,168 --a------ C:\WINDOWS\SYSTEM32\ujtnzbw.exe
2006-10-19 19:49 1,134,592 --a------ C:\WINDOWS\SYSTEM32\ovauma1ep.exe
2006-10-19 19:49 0 --a------ C:\WINDOWS\system32uaw5wah6a.exe
2006-10-19 19:48 18,944 --a------ C:\WINDOWS\SYSTEM32\d3dramp.exe
2006-10-19 19:48 18,944 --a------ C:\Documents and Settings\Zachary Ritter\ASFN.exe
2006-10-18 22:43 18,944 --a------ C:\WINDOWS\SYSTEM32\atipdlxx.exe
2006-10-18 22:43 18,944 --a------ C:\Documents and Settings\Zachary Ritter\JHLJ.exe
2006-10-18 22:41 21,504 --a------ C:\WINDOWS\SYSTEM32\cryptdlg.exe
2006-10-18 22:41 18,944 --a------ C:\WINDOWS\SYSTEM32\atippaxx.exe
2006-10-18 22:41 18,944 --a------ C:\Documents and Settings\Zachary Ritter\NUPU.exe
2006-10-17 20:08 45,056 --a------ C:\WINDOWS\SYSTEM32\EPDI.exe
2006-10-17 20:07 45,056 --a------ C:\WINDOWS\SYSTEM32\dpvacm.exe
2006-10-17 20:07 45,056 --a------ C:\Documents and Settings\Zachary Ritter\HJRE.exe
2006-10-17 13:33 6,049,280 --------- C:\WINDOWS\SYSTEM32\ieframe.dll
2006-10-17 13:33 50,688 --------- C:\WINDOWS\SYSTEM32\msfeedsbs.dll
2006-10-17 13:33 458,752 --------- C:\WINDOWS\SYSTEM32\msfeeds.dll
2006-10-17 13:33 180,736 --------- C:\WINDOWS\SYSTEM32\ieui.dll
2006-10-17 13:05 206,336 --------- C:\WINDOWS\SYSTEM32\WinFXDocObj.exe
2006-10-17 13:01 13,312 --a------ C:\WINDOWS\SYSTEM32\ieudinit.exe
2006-10-17 12:58 61,952 --------- C:\WINDOWS\SYSTEM32\icardie.dll
2006-10-17 12:58 12,288 --------- C:\WINDOWS\SYSTEM32\msfeedssync.exe
2006-10-17 12:57 266,752 --------- C:\WINDOWS\SYSTEM32\iertutil.dll
2006-10-17 12:27 380,928 --------- C:\WINDOWS\SYSTEM32\ieapfltr.dll
2006-10-16 19:44 45,056 --a------ C:\WINDOWS\SYSTEM32\RJRE.exe
2006-10-16 19:43 45,056 --a------ C:\WINDOWS\SYSTEM32\cic.exe
2006-10-16 19:43 45,056 --a------ C:\Documents and Settings\Zachary Ritter\KEIB.exe
2006-10-15 19:26 45,056 --a------ C:\WINDOWS\SYSTEM32\QHDH.exe
2006-10-15 19:25 45,056 --a------ C:\Documents and Settings\Zachary Ritter\CCBK.exe
2006-10-15 19:25 21,504 --a------ C:\WINDOWS\SYSTEM32\cdrtc.exe
2006-10-15 11:21 45,056 --a------ C:\WINDOWS\SYSTEM32\cmdial32.exe
2006-10-15 11:21 45,056 --a------ C:\Documents and Settings\Zachary Ritter\GALR.exe
2006-10-15 11:14 45,056 --a------ C:\WINDOWS\SYSTEM32\BJPJ.exe
2006-10-15 11:13 48,640 --a------ C:\Documents and Settings\Zachary Ritter\7.exe
2006-10-15 11:13 45,056 --a------ C:\WINDOWS\SYSTEM32\ati2dvag.exe
2006-10-15 11:13 45,056 --a------ C:\Documents and Settings\Zachary Ritter\MNAG.exe
2006-10-14 13:24 45,056 --a------ C:\WINDOWS\SYSTEM32\LRLD.exe
2006-10-14 13:23 45,056 --a------ C:\WINDOWS\SYSTEM32\atl71.exe
2006-10-14 13:23 45,056 --a------ C:\Documents and Settings\Zachary Ritter\NRUL.exe
2006-10-12 21:20 45,056 --a------ C:\Documents and Settings\Zachary Ritter\IHCR.exe
2006-10-12 21:20 21,504 --a------ C:\WINDOWS\SYSTEM32\audiosrv.exe
2006-10-12 20:33 45,056 --a------ C:\WINDOWS\SYSTEM32\SGJS.exe
2006-10-12 20:33 13,824 --a------ C:\fudi.exe
2006-10-12 20:32 45,056 --a------ C:\WINDOWS\SYSTEM32\dhcpcsvc.exe
2006-10-12 20:32 45,056 --a------ C:\Documents and Settings\Zachary Ritter\BFNC.exe
2006-10-11 20:43 24,576 --a------ C:\WINDOWS\SYSTEM32\cnbjmon.exe
2006-10-11 20:43 24,576 --a------ C:\Documents and Settings\Zachary Ritter\EMIR.exe
2006-10-11 20:36 24,576 --a------ C:\WINDOWS\SYSTEM32\RCFE.exe
2006-10-11 20:36 24,576 --a------ C:\WINDOWS\SYSTEM32\IPEA.exe
2006-10-11 20:36 24,576 --a------ C:\WINDOWS\SYSTEM32\ativcoxx.exe
2006-10-11 20:36 2,589 --a------ C:\WINDOWS\SYSTEM32\4.exe
2006-10-11 20:36 153,632 --a------ C:\WINDOWS\SYSTEM32\9.exe
2006-10-11 20:36 133,152 --a------ C:\WINDOWS\SYSTEM32\dmintf.exe
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-10-24 23:10 -------- d-------- C:\Program Files\Symantec AntiVirus
2006-10-24 23:10 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-24 23:06 -------- d-------- C:\Program Files\AIM95
2006-10-24 21:00 -------- d-------- C:\Program Files\PSDream
2006-10-24 19:52 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-10-22 20:03 -------- d-------- C:\Program Files\Grisoft
2006-10-22 18:35 -------- d-------- C:\Program Files\Common Files
2006-10-22 11:48 -------- d-------- C:\Program Files\Internet Explorer
2006-10-17 13:33 413696 --a------ C:\WINDOWS\SYSTEM32\vbscript.dll
2006-10-17 13:33 231424 --a------ C:\WINDOWS\SYSTEM32\webcheck.dll
2006-10-17 13:33 156160 --a------ C:\WINDOWS\SYSTEM32\msls31.dll
2006-10-17 13:06 78336 --a------ C:\WINDOWS\SYSTEM32\ieencode.dll
2006-10-17 13:05 40960 --a------ C:\WINDOWS\SYSTEM32\licmgr10.dll
2006-10-17 13:05 105984 --a------ C:\WINDOWS\SYSTEM32\url.dll
2006-10-17 13:04 101376 --a------ C:\WINDOWS\SYSTEM32\occache.dll
2006-10-17 13:03 17408 --a------ C:\WINDOWS\SYSTEM32\corpol.dll
2006-10-17 13:01 71680 --a------ C:\WINDOWS\SYSTEM32\admparse.dll
2006-10-17 13:01 55296 --a------ C:\WINDOWS\SYSTEM32\iesetup.dll
2006-10-17 13:01 382976 --a------ C:\WINDOWS\SYSTEM32\iedkcs32.dll
2006-10-17 13:01 229376 --a------ C:\WINDOWS\SYSTEM32\ieaksie.dll
2006-10-17 13:01 152064 --a------ C:\WINDOWS\SYSTEM32\ieakeng.dll
2006-10-17 13:00 54784 --a------ C:\WINDOWS\SYSTEM32\ie4uinit.exe
2006-10-17 13:00 43008 --a------ C:\WINDOWS\SYSTEM32\iernonce.dll
2006-10-17 13:00 123904 --a------ C:\WINDOWS\SYSTEM32\advpack.dll
2006-10-17 12:57 36352 --a------ C:\WINDOWS\SYSTEM32\imgutil.dll
2006-10-17 12:56 45568 --a------ C:\WINDOWS\SYSTEM32\mshta.exe
2006-10-17 12:28 48128 --a------ C:\WINDOWS\SYSTEM32\mshtmler.dll
2006-10-17 12:23 161792 --a------ C:\WINDOWS\SYSTEM32\ieakui.dll
2006-10-11 20:43 -------- d---s---- C:\Documents and Settings\Zachary Ritter\Application Data\Microsoft
2006-10-10 19:50 -------- d-------- C:\Documents and Settings\Zachary Ritter\Application Data\U3
2006-10-06 23:33 -------- d-------- C:\Program Files\iTunes
2006-10-06 23:33 -------- d-------- C:\Program Files\iPod
2006-10-06 23:32 -------- d-------- C:\Program Files\QuickTime
2006-10-06 23:31 -------- d-------- C:\Program Files\Apple Software Update
2006-09-13 00:01 1084416 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2006-09-12 22:29 -------- d-------- C:\Program Files\Allway Sync
2006-09-12 22:29 -------- d-------- C:\Documents and Settings\Zachary Ritter\Application Data\Sync App Settings
2006-09-06 17:43 22752 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2006-09-04 19:38 -------- d-------- C:\Program Files\PokerStars
2006-08-31 20:22 -------- d-------- C:\Program Files\Java
2006-08-27 23:09 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-08-27 23:08 -------- d-------- C:\Program Files\Symantec
2006-08-27 23:08 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-08-27 23:03 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-27 23:03 -------- d-------- C:\Program Files\Creative
2006-08-25 10:45 617472 --a------ C:\WINDOWS\SYSTEM32\comctl32.dll
2006-08-21 07:21 16896 --a------ C:\WINDOWS\SYSTEM32\fltlib.dll
2006-08-21 04:14 23040 --a------ C:\WINDOWS\SYSTEM32\fltmc.exe
2006-08-16 06:58 100352 --a------ C:\WINDOWS\SYSTEM32\6to4svc.dll
2006-07-27 08:24 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"AIM"="C:\\Program Files\\AIM95\\aim.exe -cnetwait.odl"
"Steam"="\"c:\\program files\\valve\\steam\\steam.exe\" -silent"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy2\\Surround Mixer\\CTSysVol.exe"
"CTDVDDet"="C:\\Program Files\\Creative\\SBAudigy2\\DVDAudio\\CTDVDDet.EXE"
"ccApp"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="c:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Enterprise"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"Microsoft Windows Session Manager Subsystem"="C:\\WINDOWS\\smss.exe"
"Microsoft Windows Logon Process"="C:\\WINDOWS\\winlogon.exe"
"WinSysModule"="dsrss.exe"
"IE Redir"="C:\\WINDOWS\\ieredir.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"{C5-57-78-88-ZN}"="C:\\WINDOWS\\SYSTEM32\\osdsregl.exe SED001"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"_mzu_stonedrv2"="c:\\windows\\system32\\_mzu_stonedrv2.exe"
"PSDream"="\"C:\\Program Files\\PSDream\\PSDream.exe\""
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"_mzu_stonedrv2"="c:\\windows\\system32\\_mzu_stonedrv2.exe"
"PSDream"="\"C:\\Program Files\\PSDream\\PSDream.exe\""
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304BB2240}"="DCOM Server 2240"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Symantec NetDetect.job
Completion time: 06-10-24 23:18:12.45
C:\ComboFix.txt ... 06-10-24 23:18
C:\ComboFix2.txt ... 06-10-24 23:12
C:\ComboFix3.txt ... 06-10-23 19:16
__________________________________________________
Logfile of HijackThis v1.99.1
Scan saved at 11:18:45 PM, on 10/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\smss.exe
C:\WINDOWS\dsrss.exe
C:\WINDOWS\ieredir.exe
C:\Program Files\AIM95\aim.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\Program Files\Symantec AntiVirus\DefWatch.exe
c:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\SYSTEM32\osdsregl.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Zachary Ritter\Desktop\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Acrobat IE Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE083} - C:\WINDOWS\system\ctldlg32.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ib4.CBrowserHelper - {1E6CE4CD-161B-4847-B8BF-E2EF72299D69} - C:\WINDOWS\system32\ib14.dll
O2 - BHO: (no name) - {40A2988E-C954-4DDE-BD08-453191805BB9} - C:\WINDOWS\SYSTEM32\durvil1.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Happytofind Toolbar - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - C:\WINDOWS\system32\gtool.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [WinSysModule] dsrss.exe
O4 - HKLM\..\Run: [IE Redir] C:\WINDOWS\ieredir.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [{C5-57-78-88-ZN}] C:\WINDOWS\SYSTEM32\osdsregl.exe SED001
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\osdsregl.exe
O4 - Global Startup: Mozilla Firefox.lnk = C:\Program Files\Mozilla Firefox\firefox.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Happytofind Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\system32\gtool.dll
O9 - Extra 'Tools' menuitem: Happytofind Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\system32\gtool.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: NavLogon - c:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - c:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: secur32.exe - Unknown owner - C:\WINDOWS\system32\secur32.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - c:\Program Files\Symantec AntiVirus\Rtvscan.exe
So far, being logged into my normal account for the last 10 minutes, I have not had any of the various pop-up problems that have been plaguing me. It looks like either the Dr. Web from safe mode or the HijackThis fixes may have cleared up the biggest problem.
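Added example (not part of this thread, and not a feature of HijackThis or ComboFix): a small Python triage script for HijackThis-style lines that flags the two patterns an analyst picks out of the log above by eye, core Windows binary names running from outside System32 (the C:\WINDOWS\smss.exe and C:\WINDOWS\winlogon.exe entries) and HKLM Run entries that name a bare file with no directory (the dsrss.exe entry). The sample lines are constructed from this thread's log; the expected-location rule (core binaries live in %SystemRoot%\System32 on Windows XP), the CORE_BINARIES set and all function names are the editor's assumptions for this example.

```python
"""HijackThis-style log triage (added example; not part of the thread or of HijackThis).

Two heuristics, both assumptions chosen for this example:
  1. Core Windows binaries (smss.exe, winlogon.exe, ...) run from
     %SystemRoot%\\System32 on Windows XP; the same name anywhere else is a
     masquerade worth looking at.
  2. A Run entry whose command is a bare file name has no fixed location;
     Windows resolves it through the search path, which is itself a red flag.
"""
import re
from typing import List, Tuple

# Names that legitimately run only from %SystemRoot%\System32 (assumption).
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe"}

# A "Running processes" line: drive letter, backslash, full path to an .exe.
PROCESS_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)
# An O4 autostart line: O4 - HKLM\..\Run: [name] command
RUN_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

# Sample lines constructed from the log posted in this thread.
SAMPLE_LOG = r'''Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\smss.exe
C:\WINDOWS\dsrss.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [WinSysModule] dsrss.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
'''


def executable_of(cmd: str) -> str:
    """Return the program part of a Run command: the quoted path if quoted,
    otherwise the first whitespace-delimited token (arguments are dropped)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def core_binary_misplaced(path: str) -> bool:
    """True when the file name is a core binary but the directory is not System32."""
    directory, _, name = path.rpartition("\\")
    return (name.lower() in CORE_BINARIES
            and not directory.lower().endswith("\\windows\\system32"))


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Scan a log and return (reason, offending line) pairs in log order."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        run = RUN_RE.match(line)
        if run:
            exe = executable_of(run.group("cmd"))
            if "\\" not in exe:
                findings.append(("Run entry uses a bare file name (search-path resolution)", line))
            elif core_binary_misplaced(exe):
                findings.append(("Run entry starts a core Windows binary from outside System32", line))
        elif PROCESS_RE.match(line) and core_binary_misplaced(line):
            findings.append(("core Windows binary running from outside System32", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

Run against the sample it reports four lines: the rogue smss.exe process and the two HKLM Run entries that start smss.exe and winlogon.exe from C:\WINDOWS, plus the bare "dsrss.exe" entry; the genuine System32 copies, the quoted Symantec path and the dumprep entry pass. Paste a real HijackThis log into `SAMPLE_LOG` to triage it the same way.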
-
Give me a few minutes to look thru these logs, we'll run a couple more tools on your computer
Not to worry, they don't take that long to run
-
Can you do the following, we're not out of the woods yet
Print these instructions or save them to a text file on your desktop please
We MUST update your version of Sun Java to plug up security holes that malware can exploit
==Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9 (http://java.sun.com/javase/downloads/index.jsp) - Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
- Click the "Download" button to the right.
- Check the box that says: "Accept License Agreement".
- The page will refresh.
- Click on the link to download Windows Offline Installation Multi-language
Save the file to your Desktop.
Don't install it yet
Access your Add/remove programs via Control Panel
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
eg..J2SE Runtime Environment 5.0 Update 7
They should have the following icon next to it: (http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif)
Select it and click Remove them
Download Hoster.zip (http://www.funkytoad.com/download/hoster.zip) and unzip it to a folder of its own
We'll need it later
Download ATF-Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
This will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
====================================================
Download The Avenger.zip (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop.
* Click on Avenger.zip to open the file
* Extract avenger.exe to your desktop
Copy ALL the text contained in blue below to your Clipboard by highlighting it and pressing (Ctrl+C) on your keyboard,
=============================================================
files to delete:
C:\WINDOWS\srvggjvmdu.exe
C:\WINDOWS\SYSTEM32\durvil1.exe
C:\WINDOWS\SYSTEM32\gtool.dll
C:\WINDOWS\ieredir.exe
C:\WINDOWS\dsrss.exe
C:\WINDOWS\preredir.exe
C:\WINDOWS\SYSTEM32\osdsregl.exe
C:\dollarrev.exe
C:\dmahfxwv.bat
C:\WINDOWS\SYSTEM32\catsrvps.exe
C:\Documents and Settings\Zachary Ritter\URLU.exe
C:\WINDOWS\SYSTEM32\svhost6.exe
C:\Documents and Settings\Zachary Ritter\KFJU.exe
C:\WINDOWS\SYSTEM32\dataclen.exe
C:\cphp.exe
C:\mapwdngk.exe
C:\Documents and Settings\Zachary Ritter\LNEB.exe
C:\WINDOWS\SYSTEM32\adsnt.exe
C:\WINDOWS\SYSTEM32\41209062ld.exe
C:\teqjvb.exe
C:\WINDOWS\SYSTEM32\hsfcisp2.exe
C:\Documents and Settings\Zachary Ritter\KHIR.exe
C:\WINDOWS\SYSTEM32\atioglxx.exe
C:\Documents and Settings\Zachary Ritter\MTTA.exe
C:\WINDOWS\SYSTEM32\dpwsock.exe
C:\Documents and Settings\Zachary Ritter\QLIJ.exe
C:\Documents and Settings\Zachary Ritter\PIQJ.exe
C:\hycf.exe
C:\WINDOWS\SYSTEM32\KGGT.exe
C:\WINDOWS\SYSTEM32\dpwsockx.exe
C:\Documents and Settings\Zachary Ritter\KDNN.exe
C:\WINDOWS\SYSTEM32\OMMB.exe
C:\WINDOWS\SYSTEM32\dpnet.exe
C:\Documents and Settings\Zachary Ritter\ANAA.exe
C:\ouxx.exe
C:\WINDOWS\SYSTEM32\hlpwinmlt4.exe
C:\WINDOWS\SYSTEM32\fltlib.exe
C:\Documents and Settings\Zachary Ritter\PNQQ.exe
C:\WINDOWS\SYSTEM32\uaw5wah6a.exe
C:\WINDOWS\system32drei.exe
C:\WINDOWS\SYSTEM32\lkyaekrrr.exe
C:\WINDOWS\SYSTEM32\drei.exe
C:\WINDOWS\SYSTEM32\rpcc.dll
C:\WINDOWS\SYSTEM32\msiilt.dll
C:\WINDOWS\SYSTEM32\ujtnzbw.exe
C:\WINDOWS\SYSTEM32\ovauma1ep.exe
C:\WINDOWS\system32uaw5wah6a.exe
C:\WINDOWS\SYSTEM32\d3dramp.exe
C:\Documents and Settings\Zachary Ritter\ASFN.exe
C:\WINDOWS\SYSTEM32\atipdlxx.exe
C:\Documents and Settings\Zachary Ritter\JHLJ.exe
C:\WINDOWS\SYSTEM32\cryptdlg.exe
C:\WINDOWS\SYSTEM32\atippaxx.exe
C:\Documents and Settings\Zachary Ritter\NUPU.exe
C:\WINDOWS\SYSTEM32\EPDI.exe
C:\WINDOWS\SYSTEM32\dpvacm.exe
C:\Documents and Settings\Zachary Ritter\HJRE.exe
C:\WINDOWS\SYSTEM32\RJRE.exe
C:\WINDOWS\SYSTEM32\cic.exe
C:\Documents and Settings\Zachary Ritter\KEIB.exe
C:\WINDOWS\SYSTEM32\QHDH.exe
C:\Documents and Settings\Zachary Ritter\CCBK.exe
C:\WINDOWS\SYSTEM32\cdrtc.exe
C:\WINDOWS\SYSTEM32\cmdial32.exe
C:\Documents and Settings\Zachary Ritter\GALR.exe
C:\WINDOWS\SYSTEM32\BJPJ.exe
C:\Documents and Settings\Zachary Ritter\7.exe
C:\WINDOWS\SYSTEM32\ati2dvag.exe
C:\Documents and Settings\Zachary Ritter\MNAG.exe
C:\WINDOWS\SYSTEM32\LRLD.exe
C:\WINDOWS\SYSTEM32\atl71.exe
C:\Documents and Settings\Zachary Ritter\NRUL.exe
C:\Documents and Settings\Zachary Ritter\IHCR.exe
C:\WINDOWS\SYSTEM32\audiosrv.exe
C:\WINDOWS\SYSTEM32\SGJS.exe
C:\fudi.exe
C:\WINDOWS\SYSTEM32\dhcpcsvc.exe
C:\Documents and Settings\Zachary Ritter\BFNC.exe
C:\WINDOWS\SYSTEM32\cnbjmon.exe
C:\Documents and Settings\Zachary Ritter\EMIR.exe
C:\WINDOWS\SYSTEM32\RCFE.exe
C:\WINDOWS\SYSTEM32\IPEA.exe
C:\WINDOWS\SYSTEM32\ativcoxx.exe
C:\WINDOWS\SYSTEM32\4.exe
C:\WINDOWS\SYSTEM32\9.exe
C:\WINDOWS\SYSTEM32\dmintf.exe
C:\WINDOWS\system32\adptif.exe
C:\WINDOWS\system32\bthci.exe
C:\WINDOWS\system32\cmpbk32.exe
C:\WINDOWS\system32\kbdcan.exe
C:\WINDOWS\system32\msw3prt.exe
C:\WINDOWS\system32\mswstr10.exe
C:\WINDOWS\system32\secur32.exe
C:\WINDOWS\system32\tcpmib.exe
C:\WINDOWS\system32\tsbyuv.exe
C:\WINDOWS\system32\xpsp2res.exe
C:\WINDOWS\smss.exe
C:\WINDOWS\system32\ib14.dll
C:\WINDOWS\system\ctldlg32.dll
C:\WINDOWS\winlogon.exe
C:\Documents and Settings\Zachary Ritter\Start Menu\Programs\Startup\TA_Start.lnk
c:\windows\system32\ldcore.dll
Folders to delete:
C:\Program Files\PSDream
Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs
Registry values to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run | Microsoft Windows Session Manager Subsystem
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run | Microsoft Windows Logon Process
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run | WinSysModule
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run | IE Redir
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run | {C5-57-78-88-ZN}
HKEY_USERS\.default\software\microsoft\windows\currentversion\run | _mzu_stonedrv2
HKEY_USERS\.default\software\microsoft\windows\currentversion\run | PSDream
HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run | _mzu_stonedrv2
HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run | PSDream
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler | {2C1CD3D7-86AC-4068-93BC-A02304BB2240}
==========================================================================
Now, start The Avenger program by clicking on its icon on your desktop
* Under "Script file to execute" choose "Input Script Manually".
* Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
* Paste the text copied to clipboard into this window by pressing (Ctrl+V).
* Click Done
* Now click on the Green Light to begin execution of the script
* Answer "Yes" twice when prompted.
Avenger should now Reboot your computer
Back in Windows
Open Hoster
Then select the "Restore Original Hosts" button
OK any prompts
Double-click the installer of the latest version of Java
Follow the prompts
After installation you can delete the installer from your desktop
Can you run ATF-Cleaner again with the instructions I gave you earlier, close any browser windows before running it please
Can you post back the following please
1. Post a fresh hijackthis log
2. Post the log from Avenger>>Located here, C:\Avenger.txt
3. Again, can I have you run Combofix and post a new log
Let's see what we're left with after doing the above
-
Logfile of HijackThis v1.99.1
Scan saved at 9:26:04 PM, on 10/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\Program Files\Symantec AntiVirus\DefWatch.exe
c:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\j2re1.4.2_12\bin\jusched.exe
C:\Program Files\AIM95\aim.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Zachary Ritter\Desktop\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Acrobat IE Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE083} - C:\WINDOWS\system\ctldlg32.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ib4.CBrowserHelper - {1E6CE4CD-161B-4847-B8BF-E2EF72299D69} - C:\WINDOWS\system32\ib14.dll (file missing)
O2 - BHO: (no name) - {40A2988E-C954-4DDE-BD08-453191805BB9} - C:\WINDOWS\SYSTEM32\durvil1.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Happytofind Toolbar - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - C:\WINDOWS\system32\gtool.dll (file missing)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - Global Startup: Mozilla Firefox.lnk = C:\Program Files\Mozilla Firefox\firefox.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Happytofind Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\system32\gtool.dll (file missing)
O9 - Extra 'Tools' menuitem: Happytofind Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\system32\gtool.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: NavLogon - c:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - c:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: secur32.exe - Unknown owner - C:\WINDOWS\system32\secur32.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - c:\Program Files\Symantec AntiVirus\Rtvscan.exe
___________
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Syntax error in line. Line will be ignored.
Error code: 0
Line: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler |
Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: {2C1CD3D7-86AC-4068-93BC-A02304BB2240}
//////////////////////////////////////////
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\safdgpys
*******************
Script file located at: \??\C:\WINDOWS\rqodpvhc.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\srvggjvmdu.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\durvil1.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\gtool.dll deleted successfully.
File C:\WINDOWS\ieredir.exe deleted successfully.
File C:\WINDOWS\dsrss.exe deleted successfully.
File C:\WINDOWS\preredir.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\osdsregl.exe deleted successfully.
File C:\dollarrev.exe deleted successfully.
File C:\dmahfxwv.bat deleted successfully.
File C:\WINDOWS\SYSTEM32\catsrvps.exe deleted successfully.
File C:\Documents and Settings\Zachary Ritter\URLU.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\svhost6.exe deleted successfully.
File C:\Documents and Settings\Zachary Ritter\KFJU.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\dataclen.exe deleted successfully.
File C:\cphp.exe deleted successfully.
File C:\mapwdngk.exe deleted successfully.
File C:\Documents and Settings\Zachary Ritter\LNEB.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\adsnt.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\41209062ld.exe deleted successfully.
File C:\teqjvb.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\hsfcisp2.exe deleted successfully.
File C:\Documents and Settings\Zachary Ritter\KHIR.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\atioglxx.exe deleted successfully.
File C:\Documents and Settings\Zachary Ritter\MTTA.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\dpwsock.exe deleted successfully.
File C:\Documents and Settings\Zachary Ritter\QLIJ.exe deleted successfully.
File C:\Documents and Settings\Zachary Ritter\PIQJ.exe deleted successfully.
File C:\hycf.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\KGGT.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\dpwsockx.exe deleted successfully.
File C:\Documents and Settings\Zachary Ritter\KDNN.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\OMMB.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\dpnet.exe deleted successfully.
File C:\Documents and Settings\Zachary Ritter\ANAA.exe deleted successfully.
File C:\ouxx.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\hlpwinmlt4.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\fltlib.exe deleted successfully.
File C:\Documents and Settings\Zachary Ritter\PNQQ.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\uaw5wah6a.exe deleted successfully.
File C:\WINDOWS\system32drei.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\lkyaekrrr.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\drei.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\rpcc.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\msiilt.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\ujtnzbw.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\ovauma1ep.exe deleted successfully.
File C:\WINDOWS\system32uaw5wah6a.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\d3dramp.exe deleted successfully.
File C:\Documents and Settings\Zachary Ritter\ASFN.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\atipdlxx.exe deleted successfully.
File C:\Documents and Settings\Zachary Ritter\JHLJ.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\cryptdlg.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\atippaxx.exe deleted successfully.
File C:\Documents and Settings\Zachary Ritter\NUPU.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\EPDI.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\dpvacm.exe deleted successfully.
File C:\Documents and Settings\Zachary Ritter\HJRE.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\RJRE.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\cic.exe deleted successfully.
File C:\Documents and Settings\Zachary Ritter\KEIB.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\QHDH.exe deleted successfully.
File C:\Documents and Settings\Zachary Ritter\CCBK.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\cdrtc.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\cmdial32.exe deleted successfully.
File C:\Documents and Settings\Zachary Ritter\GALR.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\BJPJ.exe deleted successfully.
File C:\Documents and Settings\Zachary Ritter\7.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\ati2dvag.exe deleted successfully.
File C:\Documents and Settings\Zachary Ritter\MNAG.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\LRLD.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\atl71.exe deleted successfully.
File C:\Documents and Settings\Zachary Ritter\NRUL.exe deleted successfully.
File C:\Documents and Settings\Zachary Ritter\IHCR.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\audiosrv.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\SGJS.exe deleted successfully.
File C:\fudi.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\dhcpcsvc.exe deleted successfully.
File C:\Documents and Settings\Zachary Ritter\BFNC.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\cnbjmon.exe deleted successfully.
File C:\Documents and Settings\Zachary Ritter\EMIR.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\RCFE.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\IPEA.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\ativcoxx.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\4.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\9.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\dmintf.exe deleted successfully.
File C:\WINDOWS\system32\adptif.exe deleted successfully.
File C:\WINDOWS\system32\bthci.exe not found!
Deletion of file C:\WINDOWS\system32\bthci.exe failed!
Could not process line:
C:\WINDOWS\system32\bthci.exe
Status: 0xc0000034
File C:\WINDOWS\system32\cmpbk32.exe not found!
Deletion of file C:\WINDOWS\system32\cmpbk32.exe failed!
Could not process line:
C:\WINDOWS\system32\cmpbk32.exe
Status: 0xc0000034
File C:\WINDOWS\system32\kbdcan.exe not found!
Deletion of file C:\WINDOWS\system32\kbdcan.exe failed!
Could not process line:
C:\WINDOWS\system32\kbdcan.exe
Status: 0xc0000034
File C:\WINDOWS\system32\msw3prt.exe not found!
Deletion of file C:\WINDOWS\system32\msw3prt.exe failed!
Could not process line:
C:\WINDOWS\system32\msw3prt.exe
Status: 0xc0000034
File C:\WINDOWS\system32\mswstr10.exe not found!
Deletion of file C:\WINDOWS\system32\mswstr10.exe failed!
Could not process line:
C:\WINDOWS\system32\mswstr10.exe
Status: 0xc0000034
File C:\WINDOWS\system32\secur32.exe not found!
Deletion of file C:\WINDOWS\system32\secur32.exe failed!
Could not process line:
C:\WINDOWS\system32\secur32.exe
Status: 0xc0000034
File C:\WINDOWS\system32\tcpmib.exe not found!
Deletion of file C:\WINDOWS\system32\tcpmib.exe failed!
Could not process line:
C:\WINDOWS\system32\tcpmib.exe
Status: 0xc0000034
File C:\WINDOWS\system32\tsbyuv.exe not found!
Deletion of file C:\WINDOWS\system32\tsbyuv.exe failed!
Could not process line:
C:\WINDOWS\system32\tsbyuv.exe
Status: 0xc0000034
File C:\WINDOWS\system32\xpsp2res.exe not found!
Deletion of file C:\WINDOWS\system32\xpsp2res.exe failed!
Could not process line:
C:\WINDOWS\system32\xpsp2res.exe
Status: 0xc0000034
File C:\WINDOWS\smss.exe deleted successfully.
File C:\WINDOWS\system32\ib14.dll deleted successfully.
File C:\WINDOWS\system\ctldlg32.dll deleted successfully.
File C:\WINDOWS\winlogon.exe not found!
Deletion of file C:\WINDOWS\winlogon.exe failed!
Could not process line:
C:\WINDOWS\winlogon.exe
Status: 0xc0000034
File C:\Documents and Settings\Zachary Ritter\Start Menu\Programs\Startup\TA_Start.lnk deleted successfully.
File c:\windows\system32\ldcore.dll not found!
Deletion of file c:\windows\system32\ldcore.dll failed!
Could not process line:
c:\windows\system32\ldcore.dll
Status: 0xc0000034
Folder C:\Program Files\PSDream deleted successfully.
Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|Microsoft Windows Session Manager Subsystem deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|Microsoft Windows Logon Process deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|WinSysModule deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|IE Redir deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|{C5-57-78-88-ZN} deleted successfully.
Registry value HKEY_USERS\.default\software\microsoft\windows\currentversion\run|_mzu_stonedrv2 deleted successfully.
Registry value HKEY_USERS\.default\software\microsoft\windows\currentversion\run|PSDream deleted successfully.
Could not delete registry value HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run|_mzu_stonedrv2
Deletion of registry value HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run|_mzu_stonedrv2 failed!
Status: 0xc0000034
Could not delete registry value HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run|PSDream
Deletion of registry value HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run|PSDream failed!
Status: 0xc0000034
Completed script processing.
*******************
Finished! Terminate.
________________
Zachary Ritter - 06-10-25 21:26:49.85 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Zachary Ritter\Desktop"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\dwdsregt.exe
((((((((((((((((((((((((((((((( Files Created from 2006-09-25 to 2006-10-25 ))))))))))))))))))))))))))))))))))
2006-10-23 23:01 21,504 --a------ C:\WINDOWS\SYSTEM32\cabinet.exe
2006-10-22 20:03 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2006-10-22 11:38 121,856 --------- C:\WINDOWS\SYSTEM32\xmllite.dll
2006-10-17 13:33 6,049,280 --------- C:\WINDOWS\SYSTEM32\ieframe.dll
2006-10-17 13:33 50,688 --------- C:\WINDOWS\SYSTEM32\msfeedsbs.dll
2006-10-17 13:33 458,752 --------- C:\WINDOWS\SYSTEM32\msfeeds.dll
2006-10-17 13:33 180,736 --------- C:\WINDOWS\SYSTEM32\ieui.dll
2006-10-17 13:05 206,336 --------- C:\WINDOWS\SYSTEM32\WinFXDocObj.exe
2006-10-17 13:01 13,312 --a------ C:\WINDOWS\SYSTEM32\ieudinit.exe
2006-10-17 12:58 61,952 --------- C:\WINDOWS\SYSTEM32\icardie.dll
2006-10-17 12:58 12,288 --------- C:\WINDOWS\SYSTEM32\msfeedssync.exe
2006-10-17 12:57 266,752 --------- C:\WINDOWS\SYSTEM32\iertutil.dll
2006-10-17 12:27 380,928 --------- C:\WINDOWS\SYSTEM32\ieapfltr.dll
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-10-25 21:24 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-25 21:22 -------- d-------- C:\Program Files\Java
2006-10-25 21:18 -------- d-------- C:\Program Files\Symantec AntiVirus
2006-10-24 23:06 -------- d-------- C:\Program Files\AIM95
2006-10-24 19:52 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-10-22 20:03 -------- d-------- C:\Program Files\Grisoft
2006-10-22 18:35 -------- d-------- C:\Program Files\Common Files
2006-10-22 11:48 -------- d-------- C:\Program Files\Internet Explorer
2006-10-17 13:33 413696 --a------ C:\WINDOWS\SYSTEM32\vbscript.dll
2006-10-17 13:33 231424 --a------ C:\WINDOWS\SYSTEM32\webcheck.dll
2006-10-17 13:33 156160 --a------ C:\WINDOWS\SYSTEM32\msls31.dll
2006-10-17 13:06 78336 --a------ C:\WINDOWS\SYSTEM32\ieencode.dll
2006-10-17 13:05 40960 --a------ C:\WINDOWS\SYSTEM32\licmgr10.dll
2006-10-17 13:05 105984 --a------ C:\WINDOWS\SYSTEM32\url.dll
2006-10-17 13:04 101376 --a------ C:\WINDOWS\SYSTEM32\occache.dll
2006-10-17 13:03 17408 --a------ C:\WINDOWS\SYSTEM32\corpol.dll
2006-10-17 13:01 71680 --a------ C:\WINDOWS\SYSTEM32\admparse.dll
2006-10-17 13:01 55296 --a------ C:\WINDOWS\SYSTEM32\iesetup.dll
2006-10-17 13:01 382976 --a------ C:\WINDOWS\SYSTEM32\iedkcs32.dll
2006-10-17 13:01 229376 --a------ C:\WINDOWS\SYSTEM32\ieaksie.dll
2006-10-17 13:01 152064 --a------ C:\WINDOWS\SYSTEM32\ieakeng.dll
2006-10-17 13:00 54784 --a------ C:\WINDOWS\SYSTEM32\ie4uinit.exe
2006-10-17 13:00 43008 --a------ C:\WINDOWS\SYSTEM32\iernonce.dll
2006-10-17 13:00 123904 --a------ C:\WINDOWS\SYSTEM32\advpack.dll
2006-10-17 12:57 36352 --a------ C:\WINDOWS\SYSTEM32\imgutil.dll
2006-10-17 12:56 45568 --a------ C:\WINDOWS\SYSTEM32\mshta.exe
2006-10-17 12:28 48128 --a------ C:\WINDOWS\SYSTEM32\mshtmler.dll
2006-10-17 12:23 161792 --a------ C:\WINDOWS\SYSTEM32\ieakui.dll
2006-10-11 20:43 -------- d---s---- C:\Documents and Settings\Zachary Ritter\Application Data\Microsoft
2006-10-10 19:50 -------- d-------- C:\Documents and Settings\Zachary Ritter\Application Data\U3
2006-10-06 23:33 -------- d-------- C:\Program Files\iTunes
2006-10-06 23:33 -------- d-------- C:\Program Files\iPod
2006-10-06 23:32 -------- d-------- C:\Program Files\QuickTime
2006-10-06 23:31 -------- d-------- C:\Program Files\Apple Software Update
2006-09-13 00:01 1084416 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2006-09-12 22:29 -------- d-------- C:\Program Files\Allway Sync
2006-09-12 22:29 -------- d-------- C:\Documents and Settings\Zachary Ritter\Application Data\Sync App Settings
2006-09-06 17:43 22752 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2006-09-04 19:38 -------- d-------- C:\Program Files\PokerStars
2006-08-27 23:09 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-08-27 23:08 -------- d-------- C:\Program Files\Symantec
2006-08-27 23:08 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-08-27 23:03 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-27 23:03 -------- d-------- C:\Program Files\Creative
2006-08-25 10:45 617472 --a------ C:\WINDOWS\SYSTEM32\comctl32.dll
2006-08-21 07:21 16896 --a------ C:\WINDOWS\SYSTEM32\fltlib.dll
2006-08-21 04:14 23040 --a------ C:\WINDOWS\SYSTEM32\fltmc.exe
2006-08-16 06:58 100352 --a------ C:\WINDOWS\SYSTEM32\6to4svc.dll
2006-07-27 08:24 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"AIM"="C:\\Program Files\\AIM95\\aim.exe -cnetwait.odl"
"Steam"="\"c:\\program files\\valve\\steam\\steam.exe\" -silent"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy2\\Surround Mixer\\CTSysVol.exe"
"CTDVDDet"="C:\\Program Files\\Creative\\SBAudigy2\\DVDAudio\\CTDVDDet.EXE"
"ccApp"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="c:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Enterprise"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304BB2240}"="DCOM Server 2240"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Symantec NetDetect.job
Completion time: 06-10-25 21:28:32.32
C:\ComboFix.txt ... 06-10-25 21:28
C:\ComboFix2.txt ... 06-10-24 23:18
C:\ComboFix3.txt ... 06-10-24 23:12
-
Sorry for the delay, can you do the following
I see an older version of Sun Java still running on your computer
Can you access your add/remove programs and remove it
j2re1.4.2_12
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg
Save this file on the desktop
Ensure to copy from REGEDIT4 and down in the code box
REGEDIT4
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB2240}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB2240}"=-
Double click on fix.reg and allow to add/merge to the registry at the prompt
Do a "System scan only" with Hijackthis and put a check next to these entries:
O2 - BHO: Acrobat IE Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE083} - C:\WINDOWS\system\ctldlg32.dll (file missing)
O2 - BHO: ib4.CBrowserHelper - {1E6CE4CD-161B-4847-B8BF-E2EF72299D69} - C:\WINDOWS\system32\ib14.dll (file missing)
O2 - BHO: (no name) - {40A2988E-C954-4DDE-BD08-453191805BB9} - C:\WINDOWS\SYSTEM32\durvil1.dll (file missing)
O3 - Toolbar: Happytofind Toolbar - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - C:\WINDOWS\system32\gtool.dll (file missing)
O9 - Extra button: Happytofind Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\system32\gtool.dll (file missing)
O9 - Extra 'Tools' menuitem: Happytofind Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\system32\gtool.dll (file missing)
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll (file missing)
O23 - Service: secur32.exe - Unknown owner - C:\WINDOWS\system32\secur32.exe (file missing)
After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Reboot your computer
Back in Windows
Can you do the following, Go to START>>RUN
In the open field, copy>>Paste the following lines in bold below, selecting OK after each
sc delete "cmpbk32.exe"
sc delete "kbdcan.exe"
sc delete "msw3prt.exe"
sc delete "mswstr10.exe"
sc delete "secur32.exe"
sc delete "tcpmib.exe"
sc delete "tsbyuv.exe"
sc delete "xpsp2res.exe"
Afterwards, because of the presence of a keylogger on your computer,
can you change your passwords for the following:
e.g. Email>>Gaming online>>IM>>Banking, etc.
Since you have AVG-Antispyware installed
Can you also do the following- Load AVG-antispyware and then click the Update tab at the top. Under Manual Update click Start update.
- After the update finishes (the status bar at the bottom will display "Update successful")
- Select the "Scanner" tab
- Click the "Settings" tab and then change the recommended action to Quarantine and ensure that Automatically generate report after every scan is selected
- Click back to the "Scan" tab and then click on Complete System Scan.
- Let this scan complete
- AVG will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
- Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Reboot your computer one more time
Back in Windows, can you do one more quick scan for me please
Download and save to desktop
F-Secure Blacklight (blbeta.exe): https://europe.f-secure.com/exclude/blacklight/blbeta.exe
Double click to run blbeta.exe
* Accept the user agreement.
* Click Scan.
* After the scan finishes, click on Next, then Exit.
Do not rename any files if found by blacklight, I need to see the log
BlackLight will create a log on your desktop with the name "fsbl-xxxxxxx.log".
Post that log, along with
a Fresh hijackthis log and the report from AVG-Antispyware
Let me know how things are running please
Could you also
Go to either of these links
http://virusscan.jotti.org/
OR
http://www.virustotal.com/flash/index_en.html
Use the browse button and navigate to the file on your hard drive if you can find it
C:\WINDOWS\SYSTEM32\cabinet.exe <-this file, don't confuse it with cabinet.dll which will be in the same folder
Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post the results of the scan back here please?
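Added example for this thread, not code from the original posts and not part of Avenger, HijackThis or ComboFix. Two steps above are done by hand from the log: the Avenger registry list (Run values, the Winlogon Notify package, the SharedTaskScheduler CLSID fixed later with fix.reg) and the sc delete list, which removes the service entries whose binaries Avenger reported as "not found" (status 0xc0000034 is STATUS_OBJECT_NAME_NOT_FOUND). The script below automates that check: it walks the same autostart locations and reports every entry whose target file no longer exists, i.e. what HijackThis prints as "(file missing)". It assumes Windows PowerShell 5.1 or later run from an elevated prompt; the key names are the standard ones, the CLSID and service names are read from the machine, nothing from this thread is hard-coded. Report only by default; -Remove deletes what was reported.

```powershell
# Added example (not from the thread): list autostart entries whose target file is
# missing, optionally remove them. Assumes PowerShell 5.1+, elevated.
param([switch]$Remove)

function Resolve-ImagePath {
    # Turn a registry command line into the path of the file it would run.
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $c = $Command.Trim() -replace '^\\\?\?\\', ''        # drop an NT-style \??\ prefix
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        $c = if ($end -gt 0) { $c.Substring(1, $end - 1) } else { $c.TrimStart('"') }
    } else {
        # Unquoted command line: cut at the first executable extension so that
        # C:\Program Files\x\y.exe -k foo is not truncated to C:\Program.
        $m = [regex]::Match($c, '^(.+?\.(exe|dll|sys|cmd|bat|scr))(\s|$)', 'IgnoreCase')
        $c = if ($m.Success) { $m.Groups[1].Value } else { ($c -split '\s+')[0] }
    }
    $c = [Environment]::ExpandEnvironmentVariables($c)
    if (-not [IO.Path]::IsPathRooted($c)) {
        # Bare names such as Narrator.exe are assumed to load from system32
        # (the loader also searches PATH, so this is an approximation).
        $c = Join-Path (Join-Path $env:SystemRoot 'system32') $c
    }
    return $c
}

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Kind, [string]$Location, [string]$Target) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Location; Target = $Target })
}

# 1. Run / RunOnce values. HKU\.DEFAULT is the LocalSystem profile hive and
#    HKU\S-1-5-18 is the same hive, so it is listed once here.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run'
)
$psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -in $psNoise) { continue }
        $target = Resolve-ImagePath ([string]$p.Value)
        if ($target -and -not (Test-Path -LiteralPath $target)) {
            Add-Finding 'Run value' "$key|$($p.Name)" $target
        }
    }
}

# 2. Winlogon Notify packages (HijackThis O20 lines; key exists on XP/2003 only).
$notify = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notify) {
    foreach ($sub in Get-ChildItem $notify) {
        $target = Resolve-ImagePath ([string](Get-ItemProperty $sub.PSPath).DllName)
        if ($target -and -not (Test-Path -LiteralPath $target)) {
            Add-Finding 'Winlogon Notify' $sub.PSChildName $target
        }
    }
}

# 3. SharedTaskScheduler CLSIDs with no InprocServer32 DLL on disk (these
#    objects must be in-process, so a missing server means an orphan).
$sts = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'
if (Test-Path $sts) {
    foreach ($p in (Get-ItemProperty $sts).PSObject.Properties) {
        if ($p.Name -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }
        $srv = "HKLM:\Software\Classes\CLSID\$($p.Name)\InprocServer32"
        $dll = if (Test-Path $srv) { [string](Get-ItemProperty $srv).'(default)' } else { $null }
        $target = Resolve-ImagePath $dll
        if (-not $target -or -not (Test-Path -LiteralPath $target)) {
            Add-Finding 'SharedTaskScheduler' $p.Name $target
        }
    }
}

# 4. Services whose ImagePath points at a missing file (HijackThis O23 "(file missing)").
foreach ($svc in Get-CimInstance Win32_Service) {
    $target = Resolve-ImagePath ([string]$svc.PathName)
    if ($target -and -not (Test-Path -LiteralPath $target)) {
        Add-Finding 'Service' $svc.Name $target
    }
}

$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        switch ($f.Kind) {
            'Service'             { & sc.exe delete $f.Location }
            'Winlogon Notify'     { Remove-Item -Path (Join-Path $notify $f.Location) -Recurse }
            'SharedTaskScheduler' { Remove-ItemProperty -Path $sts -Name $f.Location
                                    Remove-Item "HKLM:\Software\Classes\CLSID\$($f.Location)" -Recurse -ErrorAction SilentlyContinue }
            'Run value'           { $key, $name = $f.Location -split '\|', 2
                                    Remove-ItemProperty -Path $key -Name $name }
        }
    }
}
```

Run it without switches first and compare the table with the "(file missing)" lines of a fresh HijackThis log before running it again with -Remove. Two caveats: a missing target proves the entry is a leftover, not that it was malicious (a clumsy uninstaller leaves the same orphans), and the reverse matters more in a cleanup like this one: components that are still on disk, such as the cabinet.exe the helper sends to VirusTotal, have their file present and will not appear in this list, so the file-missing check is a tidy-up step, not a detection step.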