
Infected PC needs some fixin!

Discussion in 'Malware and Virus Removal Archive' started by odellius, 2006/11/04.

  1. 2006/11/04
    odellius

    odellius Inactive Thread Starter

    Joined:
    2006/11/04
    Messages:
    19
    Likes Received:
    0
    :confused:
    I have some email proxy thing sending out spam or something, and my worthless Symantec just keeps popping up constantly telling me the messages cannot send.
    Every time I start up now an error pops up and tells me vmmdiag32.exe cannot be found. I think this is some kind of infection. Also some downloader (I think it is the same as the VMM thing) tries to do something constantly and my autoprotect stops it and deletes it, but it is CONSTANT.

    I have tried downloading several different spyware removal programs, and even tried being discriminating when doing so. I know a lot of them do not work, a lot of them do not get most problems, a lot of them give false results, and even some have their own virii and trojans interlaced. I only downloaded ones with solid user reviews and logical support.

    They do not seem to be working though, but I do have HJT. I do not know what to do with the information it provides me. Will you tell me what to do please, as I have seen you helping others in a major way in various threads.

    Here is an upfront HJT log if it might assist the process:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:50:14 PM, on 11/4/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\Program Files\BufferZone\ClntSvc.exe
    C:\WINNT\system32\ccsrvc.exe
    C:\WINNT\system32\drivers\dcfssvc.exe
    C:\Program Files\Altiris\Carbon Copy\shellker.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
    c:\program files\verizon wireless\venturi\Client\ventc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\RealVNC\WinVNC\WinVNC.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.exe
    C:\PROGRA~1\Altiris\CARBON~1\client.exe
    C:\WINNT\system32\atiptaxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINNT\system32\ltmsg.exe
    C:\Program Files\Compaq\EAB\EabServr.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~3\SYMANT~2\VPTray.exe
    C:\Program Files\BufferZone\CLIENTGUI.EXE
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\services.exe
    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\geneodel\My Documents\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*.*;treev*.*;*.donegalgroup.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~3\SYMANT~2\VPTray.exe
    O4 - HKLM\..\Run: [AeXAgentLogon] "C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe" /logon
    O4 - HKLM\..\Run: [BufferZone] "C:\Program Files\BufferZone\CLIENTGUI.EXE" /STARTUP
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [WinMedia] C:\36110103225470766396.exe
    O4 - HKCU\..\Run: [Winsto] C:\36110103225470771834.exe
    O4 - HKCU\..\Run: [Winstd] C:\36110103225470771834.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Uninstall.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra button: ComcastHSI - {159D3960-4CB5-4ED7-A92B-7BFD1B92E504} - http://www.comcast.net (file missing) (HKCU)
    O9 - Extra button: Support - {5BE2276A-99C5-4CAA-A028-6A6930C2526A} - http://www.comcastsupport.com (file missing) (HKCU)
    O9 - Extra button: Help - {938BB3D4-A394-423A-9AC1-2ADE840555F9} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: Yahoo! Poker - http://download2.games.yahoo.com/gam...ts/y/pt3_x.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = donegalgroup.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = donegalgroup.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = donegalgroup.com
    O20 - AppInit_DLLs: AMInit.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
    O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
    O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
    O23 - Service: BufferZone Service (BufferZoneSvc) - Unknown owner - C:\Program Files\BufferZone\ClntSvc.exe
    O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINNT\system32\ccsrvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINNT\system32\drivers\dcfssvc.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
    O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe
    O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)


    --------------------------------------------------------------------------------------------------------
    Thanks for helping if you are able and willing to. I do not know where else to turn, seriously. I have no money so I cannot be purchasing full versions of reputable spyware removal programs. I have to sift through free solutions.

    Also should I discontinue my usage of Internet Explorer and download a different browser? It seems as if everywhere I read things about what a security hazard IE is.

    Erick "ODellius" O'Dell

    :confused:
     
  2. 2006/11/04
    odellius

    odellius Inactive Thread Starter

    Joined:
    2006/11/04
    Messages:
    19
    Likes Received:
    0
    next step...

    :D
    I checked some other threads that seem to be from people with similar problems. It looks like I should run HaxFix first off, so I did.


    HAXFIX logfile - by Marckie
    ______________
    version 4.28
    Sat 11/04/2006 16:15:59.65

    checking for haxdoor
    --------------------
    checking for a3d files....
    a3d files not found

    checking for matching notify keys....
    no matching notify keys found

    checking for matching services....
    matching services found
    CmBatt

    checking for matching safeboot services....
    no matching safeboot services found

    checking for other haxdoorfiles....


    Checking for goldun
    -------------------

    checking for SSODL keys....
    no ssodl keys found

    checking for notify keys....
    no notify keys found

    checking for services....
    no services found

    checking for other goldunfiles....
    wmdconf32.dll found


    Finished


    Then it looks like you want a fresh log from HJT, though I do not think that HaxFix took any action, other than scanning...
    Here is a fresh HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 4:24:40 PM, on 11/4/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\Program Files\BufferZone\ClntSvc.exe
    C:\WINNT\system32\ccsrvc.exe
    C:\WINNT\system32\drivers\dcfssvc.exe
    C:\Program Files\Altiris\Carbon Copy\shellker.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
    c:\program files\verizon wireless\venturi\Client\ventc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\RealVNC\WinVNC\WinVNC.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.exe
    C:\PROGRA~1\Altiris\CARBON~1\client.exe
    C:\WINNT\system32\atiptaxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINNT\system32\ltmsg.exe
    C:\Program Files\Compaq\EAB\EabServr.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~3\SYMANT~2\VPTray.exe
    C:\Program Files\BufferZone\CLIENTGUI.EXE
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\services.exe
    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\system32\notepad.exe
    C:\Documents and Settings\geneodel\My Documents\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*.*;treev*.*;*.donegalgroup.com
    F2 - REG:system.ini: Shell=Explorer.exe vmmdiag32.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~3\SYMANT~2\VPTray.exe
    O4 - HKLM\..\Run: [AeXAgentLogon] "C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe" /logon
    O4 - HKLM\..\Run: [BufferZone] "C:\Program Files\BufferZone\CLIENTGUI.EXE" /STARTUP
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [WinMedia] C:\36110103225470766396.exe
    O4 - HKCU\..\Run: [Winsto] C:\36110103225470771834.exe
    O4 - HKCU\..\Run: [Winstd] C:\36110103225470771834.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Uninstall.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra button: ComcastHSI - {159D3960-4CB5-4ED7-A92B-7BFD1B92E504} - http://www.comcast.net (file missing) (HKCU)
    O9 - Extra button: Support - {5BE2276A-99C5-4CAA-A028-6A6930C2526A} - http://www.comcastsupport.com (file missing) (HKCU)
    O9 - Extra button: Help - {938BB3D4-A394-423A-9AC1-2ADE840555F9} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: Yahoo! Poker - http://download2.games.yahoo.com/games/clients/y/pt3_x.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = donegalgroup.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = donegalgroup.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = donegalgroup.com
    O20 - AppInit_DLLs: AMInit.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
    O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
    O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
    O23 - Service: BufferZone Service (BufferZoneSvc) - Unknown owner - C:\Program Files\BufferZone\ClntSvc.exe
    O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINNT\system32\ccsrvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINNT\system32\drivers\dcfssvc.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
    O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe
    O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)


    What is my best course of action to remedy this?
     
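A small triage script, added here as an example and not part of this thread or of HijackThis itself, that parses log lines of the shape posted above and flags the entries a helper looks at first: the extra program appended to the system.ini Shell= line (F2), Run entries launching digit-named executables from the drive root (O4), the DisableRegedit policy (O7), a non-empty AppInit_DLLs value (O20), and a service whose file is missing (O23). The sample lines are copied from the log above; the patterns and the "high"/"review" severity labels are this example's own assumptions, not HijackThis conventions.

```python
"""Triage helper for HijackThis v1.99.1-style logs (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the log posted in this thread, plus a
# header and a process-list line to show that non-entry lines are skipped.
SAMPLE_LOG = r'''
Running processes:
C:\WINNT\System32\smss.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
F2 - REG:system.ini: Shell=Explorer.exe vmmdiag32.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [WinMedia] C:\36110103225470766396.exe
O4 - HKCU\..\Run: [Winsto] C:\36110103225470771834.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: AMInit.dll
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
'''


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O4"
    severity: str  # "high" or "review" (labels are this example's assumption)
    reason: str
    line: str


# Every HJT entry starts with a section code, " - ", then the body.
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
# Run-key entry: HKLM/HKCU, [name], then the command line.
RUN_RE = re.compile(r"^HK(LM|CU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
# A bare executable in the drive root whose name is all digits, e.g. C:\3611...exe
ROOT_DIGITS_EXE_RE = re.compile(r'^"?[A-Za-z]:\\\d+\.exe"?(\s|$)', re.IGNORECASE)
# system.ini Shell= line; only Explorer.exe is expected there on Windows 2000.
SHELL_RE = re.compile(r"^REG:system\.ini: Shell=(.*)$", re.IGNORECASE)


def check_entry(section, body, line):
    """Return a Finding for one parsed entry, or None if nothing stands out."""
    if section == "F2":
        m = SHELL_RE.match(body)
        if m:
            extra = [p for p in m.group(1).split() if p.lower() != "explorer.exe"]
            if extra:
                return Finding("F2", "high",
                               "extra program(s) appended to the Windows shell line: "
                               + ", ".join(extra), line)
    elif section == "O4":
        m = RUN_RE.match(body)
        if m and ROOT_DIGITS_EXE_RE.match(m.group(3)):
            return Finding("O4", "high",
                           f"Run entry [{m.group(2)}] launches a digit-named executable "
                           "from the drive root", line)
    elif section == "O7":
        if "DisableRegedit=1" in body:
            return Finding("O7", "high",
                           "Registry Editor disabled by policy (malware self-protection, "
                           "though some administrators set it deliberately)", line)
    elif section == "O20":
        if body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            return Finding("O20", "review",
                           "AppInit_DLLs loads a DLL into every GUI process; confirm its owner", line)
    elif section == "O23":
        if "(file missing)" in body:
            return Finding("O23", "review",
                           "service points at a missing file; stale or tampered service entry", line)
    return None


def triage(log_text):
    """Parse a whole log and return the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, blank line or process-list path
        finding = check_entry(m.group(1), m.group(2), line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

Run against the sample, the script reports four "high" findings (the Shell= line, the two digit-named Run entries and DisableRegedit) and two "review" findings; the Synaptics Run entry and the proxy line pass through untouched, which is the point of keying on entry shape rather than on file names.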


  4. 2006/11/04
    jj2512

    jj2512 Inactive

    Joined:
    2006/11/04
    Messages:
    2
    Likes Received:
    0
    Infected pc needs some fixin

    When I have big problems like you are describing, I sometimes use System Restore. So far I have been lucky in bringing my PC from the brink of death back to normal.
     
  5. 2006/11/04
    odellius

    odellius Inactive Thread Starter

    Joined:
    2006/11/04
    Messages:
    19
    Likes Received:
    0
    To helpful member

    Well, this is where the beginner in me comes up to overtake the intermediate. I have grown up around computers and used them a lot for 15 years or so. I used to consider myself somewhat knowledgeable and still can do more than most, but as far as being an intermediate... I am not.

    What exactly does the system restore do?

    Will it remove programs I have installed recently? Will it erase word documents I have?

    Also, even though this probably sounds really stupid, how do I do it?

    Should I not just take appropriate measures on removing these existing threats, and resort to that system restore as a final option? Also I am not quite sure when some of these problems started exactly, so I would not know when to restore to. I think it may work, and I appreciate you being willing to offer me advice, but I am still where I was before. Confused.

    Also, if I restore the system is that guaranteed to resolve these issues? If so perhaps that would be the best thing for me.
     
  6. 2006/11/04
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Let's leave System Restore alone at this point. Should something out of the ordinary happen, say I tell you to delete a system-critical file or you delete one on your own by mistake, without the backup of System Restore your only option would be a reformat. System Restore points cannot hurt you, unless you revert back to a previously infected point, which we won't be doing.

    We need to run the second part of the HaxFix, removal.

    • Double click on My Computer -> C:\ -> Program Files > haxfix and double click on fix.bat (or double click on fix.bat desktop icon)
    • Close all other open windows since this step requires a reboot
    • Select option 2. Run auto fix by typing 2 and then pressing Enter
    If an infection is found, you'll get a message to close all other open windows.

    • Close all open windows except the red dos window from haxfix and then press Enter
    • The computer will reboot
    • After reboot a logfile will open > (c:\haxfix.txt)
    • Post the contents of that logfile along with a new HijackThis log.

    Please do not perform any other steps beyond what I have instructed; this is for your own (system's) safety.
     
  7. 2006/11/04
    odellius

    odellius Inactive Thread Starter

    Joined:
    2006/11/04
    Messages:
    19
    Likes Received:
    0
    Step two complete

    HAXFIX logfile - by Marckie
    --------------
    version 4.28
    Sat 11/04/2006 17:30:26.10

    --- Auto Haxdoorfix ---


    searching for files:

    no infections found


    --- Goldunfix ---


    searching for files:
    wmdconf32.dll

    searching for SSODLkeys:
    no SSODLkeys found

    searching for notifykeys:
    no notifykeys found

    searching for services:
    no services found


    .....rebooting the computer.....


    searching for ssodlkeys

    not needed


    searching for notifykeys

    not needed


    searching for services

    not needed


    searching for safeboot services

    not needed


    searching for files

    wmdconf32.dll exists
    deleting wmdconf32.dll
    wmdconf32.dll has been deleted


    checking for other files

    No other files found


    checking for a3d files

    no a3d files found


    Finished




    --------------------------------------------------

    Logfile of HijackThis v1.99.1
    Scan saved at 5:45:43 PM, on 11/4/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\Program Files\BufferZone\ClntSvc.exe
    C:\WINNT\system32\ccsrvc.exe
    C:\WINNT\system32\drivers\dcfssvc.exe
    C:\Program Files\Altiris\Carbon Copy\shellker.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
    c:\program files\verizon wireless\venturi\Client\ventc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\RealVNC\WinVNC\WinVNC.exe
    C:\WINNT\system32\svchost.exe
    C:\PROGRA~1\Altiris\CARBON~1\client.exe
    C:\WINNT\Explorer.exe
    C:\WINNT\system32\atiptaxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINNT\system32\ltmsg.exe
    C:\Program Files\Compaq\EAB\EabServr.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~3\SYMANT~2\VPTray.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\BufferZone\CLIENTGUI.EXE
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\geneodel\My Documents\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*.*;treev*.*;*.donegalgroup.com
    F2 - REG:system.ini: Shell=Explorer.exe vmmdiag32.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~3\SYMANT~2\VPTray.exe
    O4 - HKLM\..\Run: [AeXAgentLogon] "C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe" /logon
    O4 - HKLM\..\Run: [BufferZone] "C:\Program Files\BufferZone\CLIENTGUI.EXE" /STARTUP
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [WinMedia] C:\36110103225470766396.exe
    O4 - HKCU\..\Run: [Winsto] C:\36110103225470771834.exe
    O4 - HKCU\..\Run: [Winstd] C:\36110103225470771834.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Uninstall.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra button: ComcastHSI - {159D3960-4CB5-4ED7-A92B-7BFD1B92E504} - http://www.comcast.net (file missing) (HKCU)
    O9 - Extra button: Support - {5BE2276A-99C5-4CAA-A028-6A6930C2526A} - http://www.comcastsupport.com (file missing) (HKCU)
    O9 - Extra button: Help - {938BB3D4-A394-423A-9AC1-2ADE840555F9} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: Yahoo! Poker - http://download2.games.yahoo.com/games/clients/y/pt3_x.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = donegalgroup.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = donegalgroup.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = donegalgroup.com
    O20 - AppInit_DLLs: AMInit.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
    O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
    O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
    O23 - Service: BufferZone Service (BufferZoneSvc) - Unknown owner - C:\Program Files\BufferZone\ClntSvc.exe
    O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINNT\system32\ccsrvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINNT\system32\drivers\dcfssvc.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
    O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe
    O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
     
  8. 2006/11/04
    TeMerc (Inactive Alumni)
    OK, looks like we're heading down the stretch.

    Please follow these instructions, exactly, for proper HJT installation. Please place HJT into ITS OWN PERMANENT FOLDER. It also needs to be removed from the desktop.

    You can do this by going to My Computer (Windows key+E), then double click on C:, then right click and select New, then Folder, and name it HJT (C:\HJT\HijackThis.exe). Move HijackThis.exe into this folder. When you run HijackThis.exe from the C:\HJT folder and have it "Fix checked", it will create a backup file of the modifications to use if a restore is necessary, which is easily accessible.


    1) Please download the Killbox.
    Save it to the desktop and run it.

    2) Select "Delete on Reboot", and then select "All files".

    3) Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    vmmdiag32.exe
    C:\36110103225470766396.exe
    C:\36110103225470771834.exe
    C:\WINNT\SYSTEM32\nwprovau.dll



    4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

    5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

    Reboot the system, run ComboFix as instructed below, and then post a new HJT log please.

    Download combofix.exe
    • Double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
     
  9. 2006/11/05
    odellius (Inactive, Thread Starter)
    Down this stretch

    I moved HJT to C:\HJT like you asked, though it was already in its own permanent folder, and was not on the desktop at all to be removed.

    I understand that you have a crapload of responses to dish out, so these are likely a sort of preconstituted response to me for what to do, but this next anomaly was weirder.

    When I followed instructions for the KillBox where you say:

    "5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt."

    I got no "Pending Operations Prompt." I stopped it where it was counting down to reboot, and repeated the steps, but the same thing happened, and it rebooted.

    Next I downloaded ComboFix.exe and ran it. Here is the log from that program, followed with a fresh HJT.




    geneodel - Sun 11/05/2006 12:39:42.95 Service Pack 4
    ComboFix 06.10.19 - Running from: "C:\Documents and Settings\geneodel\Desktop"

    ((((((((((((((((((((((((((((((( Files Created from 2006-10-05 to 2006-11-05 ))))))))))))))))))))))))))))))))))


    2006-11-04 19:17 24,576 --a------ C:\msupd01441574.exe
    2006-11-04 19:16 3,072 --a------ C:\msupd01407035.exe
    2006-11-04 19:16 16,384 --a------ C:\msupd01434474.exe
    2006-11-04 17:42 81,920 --a------ C:\WINNT\SYSTEM32\wmdconf32.dll
    2006-11-04 16:15 90,112 --a------ C:\WINNT\SYSTEM32\RegDACL.exe
    2006-11-04 16:15 7,483 --a------ C:\clean.bat
    2006-11-04 16:15 40,960 --a------ C:\WINNT\SYSTEM32\swsc.exe
    2006-11-04 16:15 4,096 --a------ C:\WINNT\SYSTEM32\reboot.exe
    2006-11-04 16:15 38,400 --a------ C:\WINNT\SYSTEM32\moveex.exe
    2006-11-04 01:41 0 --a------ C:\WINNT\YOURAPP.EXE
    2006-11-03 22:11 24,576 --a------ C:\36110103225470777902.exe
    2006-10-25 15:01 3,072 --a------ C:\msupd01.exe
    2006-10-18 19:13 679,936 --a------ C:\WINNT\SYSTEM32\libeay32.dll
    2006-10-18 19:13 432,579 --a------ C:\WINNT\SYSTEM32\Ole2Plgin.dll
    2006-10-18 19:13 3,923,200 --a------ C:\WINNT\SYSTEM32\DRIVERS\redlight.sys
    2006-10-18 19:13 217,088 --a------ C:\WINNT\SYSTEM32\AM.dll
    2006-10-18 19:13 147,456 --a------ C:\WINNT\SYSTEM32\ssleay32.dll
    2006-10-18 19:13 124,416 --a------ C:\WINNT\SYSTEM32\madCHook.dll
    2006-10-18 19:13 1,580,032 --a------ C:\WINNT\SYSTEM32\RlShellExt.dll


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-11-05 12:30 -------- d-------- C:\Program Files\BufferZone
    2006-11-04 17:32 -------- d-------- C:\Program Files\HaxFix
    2006-11-04 01:30 -------- d-------- C:\Program Files\SUPERAntiSpyware
    2006-11-04 01:30 -------- d-------- C:\Documents and Settings\geneodel\Application Data\SUPERAntiSpyware.com
    2006-11-04 01:29 -------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2006-11-04 01:29 -------- d-------- C:\Program Files\Common Files
    2006-10-28 13:26 -------- d---s---- C:\Documents and Settings\geneodel\Application Data\Microsoft
    2006-10-26 19:38 -------- d-------- C:\Documents and Settings\geneodel\Application Data\AdobeUM
    2006-10-26 19:37 -------- d-------- C:\Documents and Settings\geneodel\Application Data\Adobe
    2006-10-26 01:14 -------- d-------- C:\Program Files\PKWARE
    2006-10-26 01:14 -------- d-------- C:\Program Files\Common Files\PKWARE
    2006-10-17 14:48 -------- d-------- C:\Program Files\BitTorrent
    2006-10-09 15:43 -------- d-------- C:\Documents and Settings\geneodel\Application Data\BitTorrent
    2006-10-09 10:58 -------- d-------- C:\Documents and Settings\geneodel\Application Data\Macromedia


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
    "Winsto"="C:\\36110103225470771834.exe"
    "Winstd"="C:\\36110103225470771834.exe"
    "SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
    "Winstp"="C:\\msupd01434474.exe"
    "Winstf"="C:\\msupd01434474.exe"
    "Winstv"="C:\\msupd01434474.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "Synchronization Manager"="mobsync.exe /logon"
    "ATIModeChange"="Ati2mdxx.exe"
    "AtiPTA"="atiptaxx.exe"
    "SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
    "SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
    "LTWinModem1"="ltmsg.exe 9"
    "eabconfg.cpl"="C:\\Program Files\\Compaq\\EAB\\EabServr.exe /Start"
    "CreateCD50"="\"C:\\Program Files\\Common Files\\Adaptec Shared\\CreateCD\\CreateCD50.exe\" -r"
    "AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
    "WinVNC"="\"C:\\Program Files\\RealVNC\\WinVNC\\WinVNC.exe\" -servicehelper"
    "BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
    "ComcastSUPPORT"="C:\\Program Files\\Support.com\\bin\\tgkill.exe /cleaneahtioga /start"
    "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "vptray"="C:\\PROGRA~1\\SYMANT~3\\SYMANT~2\\VPTray.exe"
    "AeXAgentLogon"="\"C:\\Program Files\\Altiris\\Altiris Agent\\AeXAgentActivate.exe\" /logon"
    "BufferZone"="\"C:\\Program Files\\BufferZone\\CLIENTGUI.EXE\" /STARTUP"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "NoChange"="1"
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000003
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000000

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source"="http://www.tv-tokyo.co.jp/anime/naruto/images/naruto_back.gif"
    "SubscribedURL"="http://www.tv-tokyo.co.jp/anime/naruto/images/naruto_back.gif"
    "FriendlyName"=""
    "Flags"=dword:00002001
    "Position"=hex:2c,00,00,00,10,03,00,00,1f,01,00,00,ff,ff,ff,ff,ff,ff,ff,ff,e8,\
    03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=dword:40000001
    "OriginalStateInfo"=hex:18,00,00,00,10,03,00,00,1f,01,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,01,00,00,00
    "RestoredStateInfo"=hex:b4,f0,4f,7c,38,c4,4f,7c,ff,ff,ff,ff,2c,5d,28,0e,ea,1c,\
    34,70,e0,be,1a,09

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00002002
    "Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,ea,\
    03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=dword:40000004
    "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo"=hex:18,00,00,00,68,02,00,00,1f,00,00,00,a8,00,00,00,9e,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "Wallpaper"="c:\\winnt\\dgoc.bmp"
    "WallpaperStyle"="0"
    "NoDispCPL"=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000095
    "CDRAutoRun"=dword:00000000
    "ForceActiveDesktopOn"=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000095

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwprovau

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\MSIServer

    Contents of the 'Scheduled Tasks' folder
    C:\WINNT\tasks\Symantec NetDetect.job

    Completion time: Sun 2006-11-05 12:44:04.28
    C:\ComboFix.txt ... 06-11-05 12:44


    ====================================================================================================================

    Logfile of HijackThis v1.99.1
    Scan saved at 1:02:37 PM, on 11/5/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\Program Files\BufferZone\ClntSvc.exe
    C:\WINNT\system32\ccsrvc.exe
    C:\WINNT\system32\drivers\dcfssvc.exe
    C:\Program Files\Altiris\Carbon Copy\shellker.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
    c:\program files\verizon wireless\venturi\Client\ventc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\RealVNC\WinVNC\WinVNC.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.exe
    C:\PROGRA~1\Altiris\CARBON~1\client.exe
    C:\WINNT\system32\atiptaxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINNT\system32\ltmsg.exe
    C:\Program Files\Compaq\EAB\EabServr.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~3\SYMANT~2\VPTray.exe
    C:\Program Files\BufferZone\CLIENTGUI.EXE
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\msupd01434474.exe
    C:\msupd01434474.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\system32\NOTEPAD.EXE
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*.*;treev*.*;*.donegalgroup.com
    F2 - REG:system.ini: Shell=Explorer.exe vmmdiag32.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~3\SYMANT~2\VPTray.exe
    O4 - HKLM\..\Run: [AeXAgentLogon] "C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe" /logon
    O4 - HKLM\..\Run: [BufferZone] "C:\Program Files\BufferZone\CLIENTGUI.EXE" /STARTUP
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [Winsto] C:\36110103225470771834.exe
    O4 - HKCU\..\Run: [Winstd] C:\36110103225470771834.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [Winstp] C:\msupd01434474.exe
    O4 - HKCU\..\Run: [Winstf] C:\msupd01434474.exe
    O4 - HKCU\..\Run: [Winstv] C:\msupd01434474.exe
    O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Uninstall.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra button: ComcastHSI - {159D3960-4CB5-4ED7-A92B-7BFD1B92E504} - http://www.comcast.net (file missing) (HKCU)
    O9 - Extra button: Support - {5BE2276A-99C5-4CAA-A028-6A6930C2526A} - http://www.comcastsupport.com (file missing) (HKCU)
    O9 - Extra button: Help - {938BB3D4-A394-423A-9AC1-2ADE840555F9} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: Yahoo! Poker - http://download2.games.yahoo.com/games/clients/y/pt3_x.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = donegalgroup.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = donegalgroup.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = donegalgroup.com
    O20 - AppInit_DLLs: AMInit.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
    O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
    O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
    O23 - Service: BufferZone Service (BufferZoneSvc) - Unknown owner - C:\Program Files\BufferZone\ClntSvc.exe
    O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINNT\system32\ccsrvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINNT\system32\drivers\dcfssvc.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
    O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe
    O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
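    The HJT log above shows the three places where this infection hooks itself back in on every logon: the extra program appended to the system.ini Shell= line (F2), a handful of HKCU Run values with rotating names that all point at bare-number executables in the drive root (O4), and the earlier log's DisableRegedit policy (O7). As an added example that is not part of HijackThis, ComboFix or anything posted by the helper, the script below reads HJT log lines and flags exactly those patterns so they stand out among the legitimate Symantec, ATI and Synaptics entries. The sample lines are a constructed subset of the log in this thread; the Finding type, the regular expressions and the triage() function are mine, not HJT's.

```python
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
F2 - REG:system.ini: Shell=Explorer.exe vmmdiag32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Winsto] C:\36110103225470771834.exe
O4 - HKCU\..\Run: [Winstp] C:\msupd01434474.exe
O4 - HKCU\..\Run: [Winstf] C:\msupd01434474.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # short category tag
    detail: str  # the log line (or path) that triggered it
    reason: str  # why it deserves a look


O4_RE = re.compile(r'^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
F2_RE = re.compile(r'^F2 - REG:system\.ini: Shell=(?P<shell>.*)$')
O7_RE = re.compile(r'^O7 - .*DisableRegedit=(?P<val>\d+)')
# An executable living directly in a drive root, e.g. C:\something.exe
ROOT_EXE_RE = re.compile(r'^[A-Za-z]:\\[^\\]+\.exe$', re.IGNORECASE)


def run_target(cmd: str) -> str:
    """Extract the executable path from a Run value, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ', 1)[0]


def triage(log_text: str) -> list:
    """Return the Findings for a block of HijackThis log lines."""
    findings = []
    targets = defaultdict(list)  # lower-cased exe path -> Run value names pointing at it
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = F2_RE.match(line)
        if m:
            # Shell= should name Explorer.exe and nothing else; anything extra is
            # a second program started together with the desktop on every logon.
            extra = [p for p in m.group('shell').split() if p.lower() != 'explorer.exe']
            if extra:
                findings.append(Finding('shell-hijack', line,
                                        'Shell= also starts: ' + ', '.join(extra)))
            continue
        m = O7_RE.match(line)
        if m and m.group('val') != '0':
            findings.append(Finding('policy', line, 'regedit disabled by policy'))
            continue
        m = O4_RE.match(line)
        if m:
            exe = run_target(m.group('cmd'))
            targets[exe.lower()].append(m.group('name'))
            stem, _ = ntpath.splitext(ntpath.basename(exe))
            reasons = []
            if ROOT_EXE_RE.match(exe):
                reasons.append('executable sits in the drive root')
            if stem.isdigit():
                reasons.append('file name is a bare number')
            if reasons:
                findings.append(Finding('suspicious-run', line, '; '.join(reasons)))
    # One target registered under several Run value names (Winstp/Winstf/... above):
    # persistence that re-creates itself under rotating names.
    for exe, names in targets.items():
        if len(names) > 1:
            findings.append(Finding('duplicate-run', exe,
                                    'registered %d times as %s' % (len(names), ', '.join(names))))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'[{f.kind}] {f.reason}\n    {f.detail}')
```

    Run it against a saved hijackthis.log and read the duplicate-run and shell-hijack findings first: those are the entries that bring the downloader back after Killbox has removed the file, which is why the helper asks for the file names from the Run values and the Shell= line together rather than one at a time.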
     
  10. 2006/11/05
    TeMerc (Inactive Alumni)
    Guess we need to try the manual fix on this sucker.

    • Double click on My Computer -> C:\ -> Program Files > haxfix and double click on fix.bat (or double click on fix.bat desktop icon)
    • Close all other open windows since this step requires a reboot
    • Select option 3. Run manual fix by typing 3 and then pressing Enter
    This message will appear:
    • Type the following: wmdconf
      When this is a valid choice, the key will be added to delete.
    • There is the possibility to add a new key: Yes (type Y) or No (type N).
      Followed by this message:
    • (if necessary press Y and insert another one). In this case add:
      vmmdiag
    • press Enter
    • The computer will reboot
    • After reboot a logfile will open > (c:\haxfix.txt)
    • Post the contents of the logfile together with a fresh ComboFix log and a new HijackThis log here
     
  11. 2006/11/05
    odellius (Inactive, Thread Starter)
    Next

    On both of the entries it seemed to find neither, but after I selected no, it did find something and deleted it on the reboot, but it was not that **** vmmdiag thing.

    Here is the log from that after the reboot:

    HAXFIX logfile - by Marckie
    --------------
    version 4.28
    Sun 11/05/2006 14:53:54.11

    --- Manual Haxdoorfix ---

    Adding haxdoorkeys to delete...
    no infections found


    --- Goldunfix ---


    searching for files:
    wmdconf32.dll

    searching for SSODLkeys:
    no SSODLkeys found

    searching for notifykeys:
    no notifykeys found

    searching for services:
    no services found


    .....rebooting the computer.....


    searching for ssodlkeys

    not needed


    searching for notifykeys

    not needed


    searching for services

    not needed


    searching for safeboot services

    not needed


    searching for files

    wmdconf32.dll exists
    deleting wmdconf32.dll
    wmdconf32.dll has been deleted


    checking for other files

    No other files found


    checking for a3d files

    no a3d files found


    Finished


    I will run ComboFix now and the HJT and return to post.
     
  12. 2006/11/05
    odellius (Inactive, Thread Starter)
    Combo and HJT logs

    Combofix:

    geneodel - Sun 11/05/2006 15:12:06.38 Service Pack 4
    ComboFix 06.10.19 - Running from: "C:\Documents and Settings\geneodel\Desktop"

    ((((((((((((((((((((((((((((((( Files Created from 2006-10-05 to 2006-11-05 ))))))))))))))))))))))))))))))))))


    2006-11-04 19:17 24,576 --a------ C:\msupd01441574.exe
    2006-11-04 19:16 3,072 --a------ C:\msupd01407035.exe
    2006-11-04 19:16 16,384 --a------ C:\msupd01434474.exe
    2006-11-04 16:15 90,112 --a------ C:\WINNT\SYSTEM32\RegDACL.exe
    2006-11-04 16:15 7,483 --a------ C:\clean.bat
    2006-11-04 16:15 40,960 --a------ C:\WINNT\SYSTEM32\swsc.exe
    2006-11-04 16:15 4,096 --a------ C:\WINNT\SYSTEM32\reboot.exe
    2006-11-04 16:15 38,400 --a------ C:\WINNT\SYSTEM32\moveex.exe
    2006-11-04 01:41 0 --a------ C:\WINNT\YOURAPP.EXE
    2006-11-03 22:11 24,576 --a------ C:\36110103225470777902.exe
    2006-10-25 15:01 3,072 --a------ C:\msupd01.exe
    2006-10-18 19:13 679,936 --a------ C:\WINNT\SYSTEM32\libeay32.dll
    2006-10-18 19:13 432,579 --a------ C:\WINNT\SYSTEM32\Ole2Plgin.dll
    2006-10-18 19:13 3,923,200 --a------ C:\WINNT\SYSTEM32\DRIVERS\redlight.sys
    2006-10-18 19:13 217,088 --a------ C:\WINNT\SYSTEM32\AM.dll
    2006-10-18 19:13 147,456 --a------ C:\WINNT\SYSTEM32\ssleay32.dll
    2006-10-18 19:13 124,416 --a------ C:\WINNT\SYSTEM32\madCHook.dll
    2006-10-18 19:13 1,580,032 --a------ C:\WINNT\SYSTEM32\RlShellExt.dll


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-11-05 15:01 -------- d-------- C:\Program Files\BufferZone
    2006-11-05 14:57 -------- d-------- C:\Program Files\HaxFix
    2006-11-04 01:30 -------- d-------- C:\Program Files\SUPERAntiSpyware
    2006-11-04 01:30 -------- d-------- C:\Documents and Settings\geneodel\Application Data\SUPERAntiSpyware.com
    2006-11-04 01:29 -------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2006-11-04 01:29 -------- d-------- C:\Program Files\Common Files
    2006-10-28 13:26 -------- d---s---- C:\Documents and Settings\geneodel\Application Data\Microsoft
    2006-10-26 19:38 -------- d-------- C:\Documents and Settings\geneodel\Application Data\AdobeUM
    2006-10-26 19:37 -------- d-------- C:\Documents and Settings\geneodel\Application Data\Adobe
    2006-10-26 01:14 -------- d-------- C:\Program Files\PKWARE
    2006-10-26 01:14 -------- d-------- C:\Program Files\Common Files\PKWARE
    2006-10-17 14:48 -------- d-------- C:\Program Files\BitTorrent
    2006-10-09 15:43 -------- d-------- C:\Documents and Settings\geneodel\Application Data\BitTorrent
    2006-10-09 10:58 -------- d-------- C:\Documents and Settings\geneodel\Application Data\Macromedia


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
    "Winsto"="C:\\msupd01434474.exe"
    "Winstd"="C:\\36110103225470771834.exe"
    "SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
    "Winstp"="C:\\msupd01434474.exe"
    "Winstf"="C:\\msupd01434474.exe"
    "Winstv"="C:\\msupd01434474.exe"
    "Winsty"="C:\\msupd01434474.exe"
    "Winsts"="C:\\msupd01434474.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "Synchronization Manager"="mobsync.exe /logon"
    "ATIModeChange"="Ati2mdxx.exe"
    "AtiPTA"="atiptaxx.exe"
    "SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
    "SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
    "LTWinModem1"="ltmsg.exe 9"
    "eabconfg.cpl"="C:\\Program Files\\Compaq\\EAB\\EabServr.exe /Start"
    "CreateCD50"="\"C:\\Program Files\\Common Files\\Adaptec Shared\\CreateCD\\CreateCD50.exe\" -r"
    "AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
    "WinVNC"="\"C:\\Program Files\\RealVNC\\WinVNC\\WinVNC.exe\" -servicehelper"
    "BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
    "ComcastSUPPORT"="C:\\Program Files\\Support.com\\bin\\tgkill.exe /cleaneahtioga /start"
    "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "vptray"="C:\\PROGRA~1\\SYMANT~3\\SYMANT~2\\VPTray.exe"
    "AeXAgentLogon"="\"C:\\Program Files\\Altiris\\Altiris Agent\\AeXAgentActivate.exe\" /logon"
    "BufferZone"="\"C:\\Program Files\\BufferZone\\CLIENTGUI.EXE\" /STARTUP"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "NoChange "= "1 "
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed "= "1 "

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion "=dword:00000110
    "DeskHtmlMinorVersion "=dword:00000003
    "Settings "=dword:00000001
    "GeneralFlags "=dword:00000000

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source "= "http://www.tv-tokyo.co.jp/anime/naruto/images/naruto_back.gif "
    "SubscribedURL "= "http://www.tv-tokyo.co.jp/anime/naruto/images/naruto_back.gif "
    "FriendlyName "=" "
    "Flags "=dword:00002001
    "Position "=hex:2c,00,00,00,10,03,00,00,1f,01,00,00,ff,ff,ff,ff,ff,ff,ff,ff,e8,\
    03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState "=dword:40000001
    "OriginalStateInfo "=hex:18,00,00,00,10,03,00,00,1f,01,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,01,00,00,00
    "RestoredStateInfo "=hex:b4,f0,4f,7c,38,c4,4f,7c,ff,ff,ff,ff,2c,5d,28,0e,ea,1c,\
    34,70,e0,be,1a,09

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
    "Source "= "About:Home "
    "SubscribedURL "= "About:Home "
    "FriendlyName "= "My Current Home Page "
    "Flags "=dword:00002002
    "Position "=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,ea,\
    03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState "=dword:40000004
    "OriginalStateInfo "=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo "=hex:18,00,00,00,68,02,00,00,1f,00,00,00,a8,00,00,00,9e,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "^SetupICWDesktop "= "C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1} "= "Browseui preloader "
    "{8C7461EF-2B13-11d2-BE35-3078302C2030} "= "Component Categories cache daemon "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972} "=" "
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "=" "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "Wallpaper "= "c:\\winnt\\dgoc.bmp "
    "WallpaperStyle "= "0 "
    "NoDispCPL "=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000095
    "CDRAutoRun "=dword:00000000
    "ForceActiveDesktopOn "=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername "=dword:00000000
    "legalnoticecaption "=" "
    "legalnoticetext "=" "
    "shutdownwithoutlogon "=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000095

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "Network.ConnectionTray "= "{7007ACCF-3202-11D1-AAD2-00805FC1270E} "
    "WebCheck "= "{E6FB5E20-DE35-11CF-9C87-00AA005127ED} "
    "SysTray "= "{35CEC8A3-2BE6-11D2-8773-92E220524153} "

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwprovau

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders "= "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll "

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\MSIServer

    Contents of the 'Scheduled Tasks' folder
    C:\WINNT\tasks\Symantec NetDetect.job

    Completion time: Sun 2006-11-05 15:14:07.90
    C:\ComboFix.txt ... 06-11-05 15:14
    C:\ComboFix2.txt ... 06-11-05 12:44

    ==========================================================

    HJT:


    Logfile of HijackThis v1.99.1
    Scan saved at 3:16:27 PM, on 11/5/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\Program Files\BufferZone\ClntSvc.exe
    C:\WINNT\system32\ccsrvc.exe
    C:\WINNT\system32\drivers\dcfssvc.exe
    C:\Program Files\Altiris\Carbon Copy\shellker.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
    c:\program files\verizon wireless\venturi\Client\ventc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\RealVNC\WinVNC\WinVNC.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.exe
    C:\PROGRA~1\Altiris\CARBON~1\client.exe
    C:\WINNT\system32\atiptaxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINNT\system32\ltmsg.exe
    C:\Program Files\Compaq\EAB\EabServr.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~3\SYMANT~2\VPTray.exe
    C:\Program Files\BufferZone\CLIENTGUI.EXE
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\msupd01434474.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\msupd01434474.exe
    C:\msupd01434474.exe
    C:\msupd01434474.exe
    C:\WINNT\system32\NOTEPAD.EXE
    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*.*;treev*.*;*.donegalgroup.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~3\SYMANT~2\VPTray.exe
    O4 - HKLM\..\Run: [AeXAgentLogon] "C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe" /logon
    O4 - HKLM\..\Run: [BufferZone] "C:\Program Files\BufferZone\CLIENTGUI.EXE" /STARTUP
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [Winsto] C:\msupd01434474.exe
    O4 - HKCU\..\Run: [Winstd] C:\36110103225470771834.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [Winstp] C:\msupd01434474.exe
    O4 - HKCU\..\Run: [Winstf] C:\msupd01434474.exe
    O4 - HKCU\..\Run: [Winstv] C:\msupd01434474.exe
    O4 - HKCU\..\Run: [Winsty] C:\msupd01434474.exe
    O4 - HKCU\..\Run: [Winsts] C:\msupd01434474.exe
    O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Uninstall.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra button: ComcastHSI - {159D3960-4CB5-4ED7-A92B-7BFD1B92E504} - http://www.comcast.net (file missing) (HKCU)
    O9 - Extra button: Support - {5BE2276A-99C5-4CAA-A028-6A6930C2526A} - http://www.comcastsupport.com (file missing) (HKCU)
    O9 - Extra button: Help - {938BB3D4-A394-423A-9AC1-2ADE840555F9} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: Yahoo! Poker - http://download2.games.yahoo.com/games/clients/y/pt3_x.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = donegalgroup.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = donegalgroup.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = donegalgroup.com
    O20 - AppInit_DLLs: AMInit.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
    O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
    O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
    O23 - Service: BufferZone Service (BufferZoneSvc) - Unknown owner - C:\Program Files\BufferZone\ClntSvc.exe
    O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINNT\system32\ccsrvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINNT\system32\drivers\dcfssvc.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
    O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe
    O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)



    Once again, I appreciate your help here man, this frickin infection is persistent, and I hate it. I am glad you are here to help me through this.
     
  13. 2006/11/05
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Sorry for not noticing, I saw the long file path, and my head went into 'auto' mode without really reading.

    Well, we have gotten the most difficult part of the infection removed, the rest should be relatively easy.

    Let's use Killbox again, inserting the following files, with the same instructions.
    C:\msupd01441574.exe
    C:\msupd01407035.exe
    C:\msupd01434474.exe
    C:\36110103225470777902.exe
    C:\msupd01.exe


    Don't reboot yet tho.

    Run HJT, and place a check next to the following lines, then, with all browsers and windows closed, hit 'Fix checked':


    O4 - HKCU\..\Run: [Winsto] C:\msupd01434474.exe

    O4 - HKCU\..\Run: [Winstd] C:\36110103225470771834.exe

    O4 - HKCU\..\Run: [Winstp] C:\msupd01434474.exe

    O4 - HKCU\..\Run: [Winstf] C:\msupd01434474.exe

    O4 - HKCU\..\Run: [Winstv] C:\msupd01434474.exe

    O4 - HKCU\..\Run: [Winsty] C:\msupd01434474.exe

    O4 - HKCU\..\Run: [Winsts] C:\msupd01434474.exe


    Reboot the system, run ComboFix first, then HJT and post both logs back here for me to review.
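    To pick the Run entries to fix out of a long HJT log without reading it line by line, here is an added Python example (not the thread's tooling and not part of any post) that parses O4 and F2 lines and flags the pattern seen in this thread: executables dropped in the root of C:\, generated-looking filenames, several Run values pointing at the same file, and an extra program appended to the Winlogon Shell line. The sample lines are constructed from the logs posted in this thread.

```python
"""Triage HijackThis (HJT) log lines for the persistence pattern seen in this
thread: HKCU\\..\\Run values pointing at throwaway executables dropped in the
root of C:\\, several values re-launching the same file, and an extra program
appended to the Winlogon Shell value (the F2 line)."""
import re
from collections import defaultdict

# Constructed sample lines, modelled on the HJT logs posted in the thread.
SAMPLE_HJT_LINES = [
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r'O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start',
    r'O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized',
    r'O4 - HKCU\..\Run: [Winsto] C:\msupd01434474.exe',
    r'O4 - HKCU\..\Run: [Winstd] C:\36110103225470771834.exe',
    r'O4 - HKCU\..\Run: [Winstp] C:\msupd01434474.exe',
    r'O4 - HKCU\..\Run: [Winstf] C:\msupd01434474.exe',
    r'O4 - HKCU\..\Run: [WinMedia] c:\msupd01416148.exe',
    r'O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~3\SYMANT~2\VPTray.exe',
    r'F2 - REG:system.ini: Shell=Explorer.exe vmmdiag32.exe',
]

# "O4 - HKLM\..\Run: [ValueName] command line"
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# "F2 - REG:system.ini: Shell=Explorer.exe [extra programs]"
F2_SHELL_RE = re.compile(r'^F2 - REG:system\.ini: Shell=(?P<shell>.+)$', re.IGNORECASE)
# First executable in the command line: optional opening quote, then up to ".exe"
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.exe)', re.IGNORECASE)

ROOT_DROP_RE = re.compile(r'^[A-Za-z]:\\[^\\]+$')                  # file sits directly in a drive root
THROWAWAY_NAME_RE = re.compile(r'^(msupd\d+|\d{10,})\.exe$', re.IGNORECASE)  # names seen in this thread


def parse_o4(line):
    """Return (hive, value_name, exe_path) for an O4 Run line, else None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    exe = EXE_RE.match(m.group('cmd'))
    if not exe:
        return None
    return m.group('hive'), m.group('name'), exe.group('exe')


def triage(lines):
    """Return {value_name: [reasons]} for Run entries worth a second look, plus a
    'Shell' entry when the Winlogon shell line carries a program besides Explorer."""
    findings = defaultdict(list)
    targets = defaultdict(list)  # normalised exe path -> Run value names using it
    for line in lines:
        parsed = parse_o4(line)
        if parsed:
            hive, name, exe = parsed
            norm = exe.lower()
            targets[norm].append(name)
            base = norm.rsplit('\\', 1)[-1]
            if ROOT_DROP_RE.match(exe):
                findings[name].append('executable dropped in drive root')
            if THROWAWAY_NAME_RE.match(base):
                findings[name].append('generated-looking filename')
            continue
        m = F2_SHELL_RE.match(line.strip())
        if m:
            extra = [p for p in m.group('shell').split() if p.lower() != 'explorer.exe']
            if extra:
                findings['Shell'].append('extra program(s) in Winlogon Shell: ' + ', '.join(extra))
    # Several Run values re-launching the same file is the signature in this thread
    for norm, names in targets.items():
        if len(names) > 1:
            for name in names:
                findings[name].append(f'{len(names)} Run values point at the same file')
    return dict(findings)


if __name__ == '__main__':
    for name, reasons in sorted(triage(SAMPLE_HJT_LINES).items()):
        print(f'{name}: {"; ".join(reasons)}')
```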
     
  14. 2006/11/06
    odellius

    odellius Inactive Thread Starter

    Joined:
    2006/11/04
    Messages:
    19
    Likes Received:
    0
    ***

    Weird stuff is going on.

    Symantec is stopping processes while I am taking those steps, and the Downloader stuff that had stopped a few steps ago, started again. While I was posting these logs and stuff, this window randomly closed down. Also BufferZone keeps trying to do something, but Symantec stops it.

    I cannot even type this to you right now, because literally hundreds upon hundreds of spam messages are popping up saying unable to send. It seems as though Symantec is doing this even. How do I stop this? This is the worst it has ever been. Every few letters I type, it stops me and pops another one up. Please help me.

    GOD
    This is horrible. What the f*%$# is the purpose of this stupid SH#@$@#$ Why is this happening? I do not even download things.
    My system tray has a hundred envelopes and growing, my windows bar has hundreds of Symantec Email Proxy messages. It has never been this bad? What should I do when this happens?


    geneodel - Mon 11/06/2006 15:17:30.77 Service Pack 4
    ComboFix 06.10.19 - Running from: "C:\Documents and Settings\geneodel\Desktop "

    ((((((((((((((((((((((((((((((( Files Created from 2006-10-06 to 2006-11-06 ))))))))))))))))))))))))))))))))))


    2006-11-06 15:14 81,920 --a------ C:\WINNT\SYSTEM32\wmdconf32.dll
    2006-11-06 15:13 3,072 -r-hs---- C:\msupd01416148.exe
    2006-11-06 15:13 24,576 --a------ C:\msupd01428245.exe
    2006-11-06 15:13 16,384 --a------ C:\msupd01422707.exe
    2006-11-04 16:15 90,112 --a------ C:\WINNT\SYSTEM32\RegDACL.exe
    2006-11-04 16:15 7,483 --a------ C:\clean.bat
    2006-11-04 16:15 40,960 --a------ C:\WINNT\SYSTEM32\swsc.exe
    2006-11-04 16:15 4,096 --a------ C:\WINNT\SYSTEM32\reboot.exe
    2006-11-04 16:15 38,400 --a------ C:\WINNT\SYSTEM32\moveex.exe
    2006-11-04 01:41 0 --a------ C:\WINNT\YOURAPP.EXE
    2006-10-18 19:13 679,936 --a------ C:\WINNT\SYSTEM32\libeay32.dll
    2006-10-18 19:13 432,579 --a------ C:\WINNT\SYSTEM32\Ole2Plgin.dll
    2006-10-18 19:13 3,923,200 --a------ C:\WINNT\SYSTEM32\DRIVERS\redlight.sys
    2006-10-18 19:13 217,088 --a------ C:\WINNT\SYSTEM32\AM.dll
    2006-10-18 19:13 147,456 --a------ C:\WINNT\SYSTEM32\ssleay32.dll
    2006-10-18 19:13 124,416 --a------ C:\WINNT\SYSTEM32\madCHook.dll
    2006-10-18 19:13 1,580,032 --a------ C:\WINNT\SYSTEM32\RlShellExt.dll


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-11-06 15:08 -------- d-------- C:\Program Files\BufferZone
    2006-11-05 14:57 -------- d-------- C:\Program Files\HaxFix
    2006-11-04 01:30 -------- d-------- C:\Program Files\SUPERAntiSpyware
    2006-11-04 01:30 -------- d-------- C:\Documents and Settings\geneodel\Application Data\SUPERAntiSpyware.com
    2006-11-04 01:29 -------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2006-11-04 01:29 -------- d-------- C:\Program Files\Common Files
    2006-10-28 13:26 -------- d---s---- C:\Documents and Settings\geneodel\Application Data\Microsoft
    2006-10-26 19:38 -------- d-------- C:\Documents and Settings\geneodel\Application Data\AdobeUM
    2006-10-26 19:37 -------- d-------- C:\Documents and Settings\geneodel\Application Data\Adobe
    2006-10-26 01:14 -------- d-------- C:\Program Files\PKWARE
    2006-10-26 01:14 -------- d-------- C:\Program Files\Common Files\PKWARE
    2006-10-17 14:48 -------- d-------- C:\Program Files\BitTorrent
    2006-10-09 15:43 -------- d-------- C:\Documents and Settings\geneodel\Application Data\BitTorrent
    2006-10-09 10:58 -------- d-------- C:\Documents and Settings\geneodel\Application Data\Macromedia


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "SUPERAntiSpyware "= "C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe "
    "Winstj "= "c:\\msupd01422707.exe "
    "WinMedia "= "c:\\msupd01416148.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "Synchronization Manager "= "mobsync.exe /logon "
    "ATIModeChange "= "Ati2mdxx.exe "
    "AtiPTA "= "atiptaxx.exe "
    "SynTPLpr "= "C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe "
    "SynTPEnh "= "C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe "
    "LTWinModem1 "= "ltmsg.exe 9 "
    "eabconfg.cpl "= "C:\\Program Files\\Compaq\\EAB\\EabServr.exe /Start "
    "CreateCD50 "= "\ "C:\\Program Files\\Common Files\\Adaptec Shared\\CreateCD\\CreateCD50.exe\" -r "
    "AdaptecDirectCD "= "\ "C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\" "
    "WinVNC "= "\ "C:\\Program Files\\RealVNC\\WinVNC\\WinVNC.exe\" -servicehelper "
    "BJCFD "= "C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe "
    "ComcastSUPPORT "= "C:\\Program Files\\Support.com\\bin\\tgkill.exe /cleaneahtioga /start "
    "ccApp "= "\ "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\" "
    "vptray "= "C:\\PROGRA~1\\SYMANT~3\\SYMANT~2\\VPTray.exe "
    "AeXAgentLogon "= "\ "C:\\Program Files\\Altiris\\Altiris Agent\\AeXAgentActivate.exe\" /logon "
    "BufferZone "= "\ "C:\\Program Files\\BufferZone\\CLIENTGUI.EXE\" /STARTUP "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "NoChange "= "1 "
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed "= "1 "

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion "=dword:00000110
    "DeskHtmlMinorVersion "=dword:00000003
    "Settings "=dword:00000001
    "GeneralFlags "=dword:00000000

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source "= "http://www.tv-tokyo.co.jp/anime/naruto/images/naruto_back.gif "
    "SubscribedURL "= "http://www.tv-tokyo.co.jp/anime/naruto/images/naruto_back.gif "
    "FriendlyName "=" "
    "Flags "=dword:00002001
    "Position "=hex:2c,00,00,00,10,03,00,00,1f,01,00,00,ff,ff,ff,ff,ff,ff,ff,ff,e8,\
    03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState "=dword:40000001
    "OriginalStateInfo "=hex:18,00,00,00,10,03,00,00,1f,01,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,01,00,00,00
    "RestoredStateInfo "=hex:b4,f0,4f,7c,38,c4,4f,7c,ff,ff,ff,ff,2c,5d,28,0e,ea,1c,\
    34,70,e0,be,1a,09

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
    "Source "= "About:Home "
    "SubscribedURL "= "About:Home "
    "FriendlyName "= "My Current Home Page "
    "Flags "=dword:00002002
    "Position "=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,ea,\
    03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState "=dword:40000004
    "OriginalStateInfo "=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo "=hex:18,00,00,00,68,02,00,00,1f,00,00,00,a8,00,00,00,9e,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "^SetupICWDesktop "= "C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1} "= "Browseui preloader "
    "{8C7461EF-2B13-11d2-BE35-3078302C2030} "= "Component Categories cache daemon "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972} "=" "
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "=" "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "Wallpaper "= "c:\\winnt\\dgoc.bmp "
    "WallpaperStyle "= "0 "
    "NoDispCPL "=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000095
    "CDRAutoRun "=dword:00000000
    "ForceActiveDesktopOn "=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername "=dword:00000000
    "legalnoticecaption "=" "
    "legalnoticetext "=" "
    "shutdownwithoutlogon "=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000095

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "Network.ConnectionTray "= "{7007ACCF-3202-11D1-AAD2-00805FC1270E} "
    "WebCheck "= "{E6FB5E20-DE35-11CF-9C87-00AA005127ED} "
    "SysTray "= "{35CEC8A3-2BE6-11D2-8773-92E220524153} "

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwprovau

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders "= "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll "

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\MSIServer

    Contents of the 'Scheduled Tasks' folder
    C:\WINNT\tasks\Symantec NetDetect.job

    Completion time: Mon 2006-11-06 15:21:39.97
    C:\ComboFix.txt ... 06-11-06 15:21
    C:\ComboFix2.txt ... 06-11-05 15:14
    C:\ComboFix3.txt ... 06-11-05 12:44
    Logfile of HijackThis v1.99.1
    Scan saved at 3:33:47 PM, on 11/6/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\Program Files\BufferZone\ClntSvc.exe
    C:\WINNT\system32\ccsrvc.exe
    C:\Program Files\Altiris\Carbon Copy\shellker.exe
    C:\WINNT\system32\drivers\dcfssvc.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
    c:\program files\verizon wireless\venturi\Client\ventc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\RealVNC\WinVNC\WinVNC.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Altiris\CARBON~1\client.exe
    C:\WINNT\system32\atiptaxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINNT\system32\ltmsg.exe
    C:\Program Files\Compaq\EAB\EabServr.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~3\SYMANT~2\VPTray.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\BufferZone\CLIENTGUI.EXE
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
    C:\WINNT\system32\services.exe
    c:\msupd01422707.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINNT\system32\notepad.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*.*;treev*.*;*.donegalgroup.com
    F2 - REG:system.ini: Shell=Explorer.exe vmmdiag32.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~3\SYMANT~2\VPTray.exe
    O4 - HKLM\..\Run: [AeXAgentLogon] "C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe" /logon
    O4 - HKLM\..\Run: [BufferZone] "C:\Program Files\BufferZone\CLIENTGUI.EXE" /STARTUP
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [Winstj] c:\msupd01422707.exe
    O4 - HKCU\..\Run: [WinMedia] c:\msupd01416148.exe
    O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Uninstall.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra button: ComcastHSI - {159D3960-4CB5-4ED7-A92B-7BFD1B92E504} - http://www.comcast.net (file missing) (HKCU)
    O9 - Extra button: Support - {5BE2276A-99C5-4CAA-A028-6A6930C2526A} - http://www.comcastsupport.com (file missing) (HKCU)
    O9 - Extra button: Help - {938BB3D4-A394-423A-9AC1-2ADE840555F9} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: Yahoo! Poker - http://download2.games.yahoo.com/games/clients/y/pt3_x.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = donegalgroup.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = donegalgroup.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = donegalgroup.com
    O20 - AppInit_DLLs: AMInit.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
    O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
    O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
    O23 - Service: BufferZone Service (BufferZoneSvc) - Unknown owner - C:\Program Files\BufferZone\ClntSvc.exe
    O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINNT\system32\ccsrvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINNT\system32\drivers\dcfssvc.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
    O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe
    O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
     
  15. 2006/11/06
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    I can certainly understand your frustration, believe me, I am just as frustrated. :confused:

    These latest Goldun\Hax variants are being tweaked more and more. Some go away easily and quickly, while others are more persistent, like this one.

    The key is finding the re-infecting file or backup file watching the main files. That's how many of these advanced infections work.

    The idea behind this infection and any sort of malware is money, plain and simple.

    At this point we need to look elsewhere on the system. I cannot offer any sort of time frame for detection and removal. Depending on what data is on the machine, it may be easier, from a time standpoint, to save your data and reformat. That would take a few hours, but it certainly rids the system of anything malicious.

    If you decide to go that route, ignore the following and I'll recommend a good guide for re-formatting the drive, provided of course you have the original XP CD.

    We'll get a couple of fact-finding scans and a rootkit scan as well.

    Let's get a start up list from HJT:
    Open HJT, click the 'None of the above, just start the program' button.
    Then click the 'Config' button in the lower right hand of the program.
    Then select the 'Misc Tools' button.
    In the upper left hand side of the program, tick the two boxes 'List also minor sections (full)' and 'List empty sections (complete)', and select 'Yes' when prompted by the dialog box. The resultant scan will produce a Notepad log file; please paste that log file back here for me to review.

    Then an rk scan:
    Download GMER from here
    • Right Click the Zip and Select "Extract All"
    • Double-click gmer.exe to launch the program.
    • Click on the Rootkit Tab and on the right side, untick the Registry box, then click Scan.
    Once the scan is done, hit the copy button, then open notepad and paste the results here for me to see.
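    As an added illustration of the point made above about finding the autorun entry that keeps coming back, here is a small Python script that is not part of this thread, of HijackThis or of GMER. It parses HijackThis-style O4 (Run keys and Startup folders) and O20 (AppInit_DLLs) lines, flags entries with a few defender-side heuristics (drive-root executables, generated-looking file names, AppInit_DLLs set, missing files), and diffs two logs so an entry that was removed and then reappears stands out. The sample lines are constructed from entries posted earlier in this thread; the heuristics, the "after cleanup" log and all function names are assumptions of this example.

```python
"""Autorun triage for HijackThis-style log lines (added example, not HJT code).

Parses O4 (Run keys, Startup folders) and O20 (AppInit_DLLs) lines, flags
entries with a few defender-side heuristics, and diffs two logs so an entry
that keeps reappearing between scans (the re-infecting file) stands out.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, modelled on O4/O20 lines posted in this thread.
LOG_BEFORE = [
    r'O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe',
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "',
    r'O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe',
    r'O4 - HKCU\..\Run: [Winstj] c:\msupd01422707.exe',
    r'O4 - HKCU\..\Run: [WinMedia] c:\msupd01416148.exe',
    r'O4 - Global Startup: Uninstall.exe',
    r'O20 - AppInit_DLLs: AMInit.dll',
]
# Constructed "after a cleanup pass" log: the two HKCU entries are gone.
LOG_AFTER = [line for line in LOG_BEFORE if 'msupd' not in line]

RUN_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$')
STARTUP_RE = re.compile(r'^O4 - (Global Startup|Startup): (.*)$')
APPINIT_RE = re.compile(r'^O20 - AppInit_DLLs: (.*)$')
# Unquoted HJT commands may contain spaces: cut at the first executable
# suffix that is followed by whitespace or end of line.
EXE_END = re.compile(r'^(.*?\.(?:exe|com|scr|bat|dll))(?:\s|$)', re.IGNORECASE)
DRIVE_ROOT = re.compile(r'^[a-zA-Z]:\\[^\\]+$')  # c:\file.exe, no directory
LONG_DIGITS = re.compile(r'\d{6,}')              # generated-looking names


@dataclass(frozen=True)
class Autorun:
    location: str  # "HKCU Run", "Global Startup", "AppInit_DLLs", ...
    name: str      # registry value name, or the folder item name
    command: str   # command string exactly as HJT printed it
    exe: str       # executable path extracted from the command


def extract_exe(command: str) -> str:
    """Executable path from an HJT command string (quoted or unquoted)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end].strip() if end > 0 else command[1:].strip()
    m = EXE_END.match(command)
    if m:
        return m.group(1)
    return command.split()[0] if command else ''


def parse_line(line: str) -> Optional[Autorun]:
    """Autorun for O4/O20 lines; None for sections this example ignores."""
    line = line.strip()
    m = RUN_RE.match(line)
    if m:
        hive, name, cmd = m.groups()
        return Autorun(f'{hive} Run', name, cmd, extract_exe(cmd))
    m = STARTUP_RE.match(line)
    if m:
        where, item = m.groups()
        name, _, target = item.partition(' = ')  # "X.lnk = target" or bare
        return Autorun(where, name, item, (target or name).strip())
    m = APPINIT_RE.match(line)
    if m:
        dlls = m.group(1).strip()
        return Autorun('AppInit_DLLs', dlls, dlls, dlls)
    return None


def triage(entry: Autorun) -> List[str]:
    """Heuristic reasons an entry deserves a closer look (assumed, not HJT's)."""
    reasons = []
    base = entry.exe.rsplit('\\', 1)[-1]
    if entry.location == 'AppInit_DLLs' and entry.exe:
        reasons.append('AppInit_DLLs is set: the DLL loads into every user32 process')
    if DRIVE_ROOT.match(entry.exe):
        reasons.append('executable runs from the drive root')
    if LONG_DIGITS.search(base):
        reasons.append('file name contains a long digit run')
    if '(file missing)' in entry.command:
        reasons.append('entry points to a file that no longer exists')
    return reasons


def suspicious(lines: List[str]) -> List[Tuple[Autorun, List[str]]]:
    """All parsed entries that triggered at least one heuristic, in log order."""
    found = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None and triage(entry):
            found.append((entry, triage(entry)))
    return found


def diff_autoruns(before: List[str], after: List[str]) -> Tuple[List[Autorun], List[Autorun]]:
    """(removed, added) between two logs: an entry that was removed and later
    shows up in 'added' again is being restored by something still running."""
    old = {e for e in map(parse_line, before) if e is not None}
    new = {e for e in map(parse_line, after) if e is not None}
    by_name = lambda e: (e.location, e.name)
    return sorted(old - new, key=by_name), sorted(new - old, key=by_name)


if __name__ == '__main__':
    for entry, reasons in suspicious(LOG_BEFORE):
        print(f'[{entry.location}] {entry.name} -> {entry.exe}')
        for r in reasons:
            print('   ', r)
    removed, added = diff_autoruns(LOG_BEFORE, LOG_AFTER)
    print('removed since last scan:', [e.name for e in removed])
    print('new since last scan:', [e.name for e in added])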
     
  16. 2006/11/06
    odellius

    odellius Inactive Thread Starter

    Joined:
    2006/11/04
    Messages:
    19
    Likes Received:
    0
    Please, let's fix this. I cannot reformat. We can overcome.

    A week or two ago there was NO infection. Nothing at all, in the way of problems. Now there is a crazy siege going on.

    Look, I do not know anything about this or anything, but this particular problem seems to be the most dangerous because the infection somehow rooted itself within the Symantec software or something. As soon as I opened that last program you told me to, and clicked scan, I got this error thing from AntiVirus Notification:

    SYMANTEC TAMPER PROTECTION ALERT

    Target: C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    Event Info: Open Process
    Action Taken: Blocked
    Actor Process: C:\Documents and Settings\geneodel\My Documents\gmer112[1]\gmer.exe (PID 7760)
    Time: Monday, November 06, 2006 7:36:24 PM

    It happened earlier with one of the other programs causing it instead of gmer. This ccProxy... what is it?

    Another thing popped up:
    Target: C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
    Event Info: Open Process
    Action Taken: Blocked
    Actor Process: C:\Documents and Settings\geneodel\My Documents\gmer112[1]\gmer.exe (PID 7760)
    Time: Monday, November 06, 2006 7:42:09 PM
    What is this stuff?

    and
    SYMANTEC TAMPER PROTECTION ALERT

    Target: C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    Event Info: Open Process
    Action Taken: Blocked
    Actor Process: C:\Documents and Settings\geneodel\My Documents\gmer112[1]\gmer.exe (PID 7760)
    Time: Monday, November 06, 2006 7:45:00 PM


    I appreciate you sympathising with my plight, I really really hate this sh1t, and I would love to get my neanderthal hands around the neck of whoever crafted this insidious software.

    Here is this other fricken log from the gmer thing:

    GMER 1.0.12.11879 - http://www.gmer.net
    Rootkit scan 2006-11-06 19:47:57
    Windows 5.0.2195 Service Pack 4


    ---- System - GMER 1.0.12 ----

    SSDT 814F9928 ZwConnectPort
    SSDT 814E4C28 ZwDuplicateObject
    SSDT 814E4A28 ZwOpenProcess
    SSDT 814E4D28 ZwOpenThread

    ---- EOF - GMER 1.0.12 ----


    That cannot be what you wanted, right? So I clicked 'Show all' and re-did it; registry still has been unticked.


    This popped up just now:
    SYMANTEC TAMPER PROTECTION ALERT

    Target: C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    Event Info: Open Process
    Action Taken: Blocked
    Actor Process: C:\Documents and Settings\geneodel\My Documents\gmer112[1]\gmer.exe (PID 7760)
    Time: Monday, November 06, 2006 7:50:57 PM

    and this:

    SYMANTEC TAMPER PROTECTION ALERT

    Target: C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    Event Info: Open Process
    Action Taken: Blocked
    Actor Process: C:\Documents and Settings\geneodel\My Documents\gmer112[1]\gmer.exe (PID 7760)
    Time: Monday, November 06, 2006 7:51:32 PM

    and

    SYMANTEC TAMPER PROTECTION ALERT

    Target: C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    Event Info: Open Process
    Action Taken: Blocked
    Actor Process: C:\Documents and Settings\geneodel\My Documents\gmer112[1]\gmer.exe (PID 7760)
    Time: Monday, November 06, 2006 7:51:32 PM


    Here's that new log from gmer:

    There seems to be far too much to post when I 'Show all':

    What should I do?

    Is there anything besides registry I should try unchecking?
    Should we just do something else besides the gmer?
    It is still running the scan I will post that momentarily or at least attempt to.
     
  17. 2006/11/06
    odellius

    odellius Inactive Thread Starter

    Joined:
    2006/11/04
    Messages:
    19
    Likes Received:
    0
    HJT startup log part 1

    StartupList report, 11/6/2006, 7:31:23 PM
    StartupList version: 1.52.2
    Started from : C:\HJT\HijackThis.EXE
    Detected: Windows 2000 SP4 (WinNT 5.00.2195)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    * Including empty and uninteresting sections
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\WINNT\system32\ccsrvc.exe
    C:\WINNT\system32\drivers\dcfssvc.exe
    C:\Program Files\Altiris\Carbon Copy\shellker.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
    c:\program files\verizon wireless\venturi\Client\ventc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\RealVNC\WinVNC\WinVNC.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Altiris\CARBON~1\client.exe
    C:\WINNT\system32\atiptaxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINNT\system32\ltmsg.exe
    C:\Program Files\Compaq\EAB\EabServr.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~3\SYMANT~2\VPTray.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
    C:\WINNT\system32\services.exe
    C:\Program Files\Symantec Client Security\Symantec Client Firewall\ccEmFlSv.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\HJT\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\geneodel\Start Menu\Programs\Startup]
    *No files*

    Shell folders AltStartup:
    *Folder not found*

    User shell folders Startup:
    *Folder not found*

    User shell folders AltStartup:
    *Folder not found*

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    Uninstall.exe

    Shell folders Common AltStartup:
    *Folder not found*

    User shell folders Common Startup:
    *Folder not found*

    User shell folders Alternate Common Startup:
    *Folder not found*

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINNT\system32\userinit.exe,

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    *Registry value not found*

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Synchronization Manager = mobsync.exe /logon
    ATIModeChange = Ati2mdxx.exe
    AtiPTA = atiptaxx.exe
    SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    LTWinModem1 = ltmsg.exe 9
    eabconfg.cpl = C:\Program Files\Compaq\EAB\EabServr.exe /Start
    CreateCD50 = "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    AdaptecDirectCD = "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    WinVNC = "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
    BJCFD = C:\Program Files\BroadJump\Client Foundation\CFD.exe
    ComcastSUPPORT = C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
    ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    vptray = C:\PROGRA~1\SYMANT~3\SYMANT~2\VPTray.exe
    AeXAgentLogon = "C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe" /logon

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    SUPERAntiSpyware = C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    [OptionalComponents]
    *No values found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    File association entry for .EXE:
    HKEY_CLASSES_ROOT\exefile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .COM:
    HKEY_CLASSES_ROOT\comfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .BAT:
    HKEY_CLASSES_ROOT\batfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .PIF:
    HKEY_CLASSES_ROOT\piffile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .SCR:
    HKEY_CLASSES_ROOT\scrfile\shell\open\command

    (Default) = "%1" /S

    --------------------------------------------------

    File association entry for .HTA:
    HKEY_CLASSES_ROOT\htafile\shell\open\command

    (Default) = C:\WINNT\System32\mshta.exe "%1" %*

    --------------------------------------------------

    File association entry for .TXT:
    HKEY_CLASSES_ROOT\txtfile\shell\open\command

    (Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    StubPath = C:\WINNT\inf\unregmp2.exe /ShowWMP

    [>{26923b43-4d38-484f-9b9e-de460746276c}] *
    StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigIE

    [>{578B3FA6-6B04-4709-908B-DD1B08F565F2}C0022D] *
    StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

    [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
    StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigOE

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

    [{6A5110B5-E14B-4268-A065-EF89FF33C325}] *
    StubPath = regsvr32.exe /s /n /i: "S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll

    [{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\System32\ie4uinit.exe

    [{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
    StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl

    --------------------------------------------------

    Enumerating ICQ Agent Autostart apps:
    HKCU\Software\Mirabilis\ICQ\Agent\Apps

    *Registry key not found*

    --------------------------------------------------

    Load/Run keys from C:\WINNT\WIN.INI:

    load=*INI section not found*
    run=*INI section not found*

    Load/Run keys from Registry:

    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: load=
    HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=AMInit.dll

    --------------------------------------------------
     
  18. 2006/11/06
    odellius

    odellius Inactive Thread Starter

    Joined:
    2006/11/04
    Messages:
    19
    Likes Received:
    0
    HJT startup log part 2

    Shell & screensaver key from C:\WINNT\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINNT\System32\ssbezier.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINNT\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINNT\Explorer\Explorer.exe: not present
    C:\WINNT\System\Explorer.exe: not present
    C:\WINNT\System32\Explorer.exe: not present
    C:\WINNT\Command\Explorer.exe: not present
    C:\WINNT\Fonts\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Verifying REGEDIT.EXE integrity:

    - Regedit.exe found in C:\WINNT
    - .reg open command is normal (regedit.exe %1)
    - Company name OK: 'Microsoft Corporation'
    - Original filename OK: 'REGEDIT.EXE'
    - File description: 'Registry Editor'

    Registry check passed

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - c:\program files\google\googletoolbar2.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [DirectAnimation Java Classes]
    CODEBASE = file://C:\WINNT\Java\classes\dajava.cab
    OSD = C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd

    [Microsoft XML Parser for Java]
    CODEBASE = file://C:\WINNT\Java\classes\xmldso.cab
    OSD = C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd

    [Yahoo! Poker]
    CODEBASE = http://download2.games.yahoo.com/games/clients/y/pt3_x.cab
    OSD = C:\WINNT\Downloaded Program Files\Yahoo! Poker.osd

    [Shockwave Flash Object]
    InProcServer32 = C:\WINNT\system32\Macromed\Flash\Flash8a.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating Winsock LSP files:

    NameSpace #1: C:\WINNT\System32\rnr20.dll
    NameSpace #2: C:\WINNT\System32\winrnr.dll
    Protocol #1: vlsp.dll (file MISSING)
    Protocol #2: vlsp.dll (file MISSING)
    Protocol #3: vlsp.dll (file MISSING)
    Protocol #4: C:\WINNT\system32\msafd.dll
    Protocol #5: C:\WINNT\system32\msafd.dll
    Protocol #6: C:\WINNT\system32\msafd.dll
    Protocol #7: C:\WINNT\system32\rsvpsp.dll
    Protocol #8: C:\WINNT\system32\rsvpsp.dll
    Protocol #9: C:\WINNT\system32\msafd.dll
    Protocol #10: C:\WINNT\system32\msafd.dll
    Protocol #11: C:\WINNT\system32\msafd.dll
    Protocol #12: C:\WINNT\system32\msafd.dll
    Protocol #13: C:\WINNT\system32\msafd.dll
    Protocol #14: C:\WINNT\system32\msafd.dll
    Protocol #15: C:\WINNT\system32\msafd.dll
    Protocol #16: C:\WINNT\system32\msafd.dll
    Protocol #17: C:\WINNT\system32\msafd.dll
    Protocol #18: C:\WINNT\system32\msafd.dll
    Protocol #19: C:\WINNT\system32\msafd.dll
    Protocol #20: C:\WINNT\system32\msafd.dll
    Protocol #21: C:\WINNT\system32\msafd.dll
    Protocol #22: C:\WINNT\system32\msafd.dll
    Protocol #23: C:\WINNT\system32\msafd.dll
    Protocol #24: vlsp.dll (file MISSING)

    --------------------------------------------------

    Enumerating Windows NT/2000/XP services

    Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
    Microsoft Embedded Controller Driver: System32\DRIVERS\ACPIEC.sys (system)
    adpu160m: \SystemRoot\System32\DRIVERS\adpu160m.sys (disabled)
    aeaudio: system32\drivers\aeaudio.sys (manual start)
    Altiris Agent: C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe (autostart)
    AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
    Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
    aic78u2: \SystemRoot\System32\DRIVERS\aic78u2.sys (disabled)
    aic78xx: \SystemRoot\System32\DRIVERS\aic78xx.sys (disabled)
    Alerter: %SystemRoot%\System32\services.exe (manual start)
    Application Management: %SystemRoot%\system32\services.exe (manual start)
    RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
    Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
    Ati HotKey Poller: %SystemRoot%\System32\Ati2evxx.exe (autostart)
    ati2mtag: System32\DRIVERS\ati2mtag.sys (manual start)
    ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
    Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
    Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k BITSgroup (autostart)
    Computer Browser: %SystemRoot%\System32\services.exe (autostart)
    Altiris Carbon Copy: C:\WINNT\system32\ccsrvc.exe (autostart)
    Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
    Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart)
    Symantec Network Proxy: "C:\Program Files\Common Files\Symantec Shared\ccProxy.exe" (autostart)
    Symantec Password Validation: "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe" (manual start)
    Symantec Settings Manager: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (autostart)
    CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
    Xircom CreditCard Ethernet Adapter 10/100 Driver: System32\DRIVERS\ce3n5.sys (manual start)
    cirrus: System32\DRIVERS\cirrus.sys (manual start)
    Indexing Service: C:\WINNT\System32\cisvc.exe (manual start)
    ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
    ClntMgmt.sys: \SystemRoot\System32\Drivers\ClntMgmt.sys (system)
    Microsoft ACPI Control Method Battery Driver: System32\DRIVERS\CmBatt.sys (manual start)
    Microsoft Composite Battery Driver: System32\DRIVERS\compbatt.sys (system)
    Kodak Camera Proxy: system32\DRIVERS\DcCam.sys (system)
    DcFpoint: system32\DRIVERS\DcFpoint.sys (manual start)
    DCFS2K: system32\drivers\dcfs2k.sys (autostart)
    Dcfssvc: %SystemRoot%\system32\drivers\dcfssvc.exe (autostart)
    Legacy Polling Service: system32\DRIVERS\DcLps.sys (manual start)
    dcptp: system32\DRIVERS\DcPTP.sys (manual start)
    Symantec AntiVirus Definition Watcher: "C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe" (autostart)
    DHCP Client: %SystemRoot%\System32\services.exe (autostart)
    Disk Driver: System32\DRIVERS\disk.sys (system)
    Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
    dmboot: System32\drivers\dmboot.sys (disabled)
    Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
    dmload: System32\drivers\dmload.sys (system)
    Logical Disk Manager: %SystemRoot%\System32\services.exe (autostart)
    Microsoft DirectMusic SW Synth (WDM): system32\drivers\DMusic.sys (manual start)
    DNS Client: %SystemRoot%\System32\services.exe (autostart)
    Print Class Driver for IEEE-1284.4 hpoipr07: system32\DRIVERS\hpoipr07.sys (manual start)
    Intel(R) PRO Adapter Driver: System32\DRIVERS\e100bnt5.sys (manual start)
    EABFiltr: \??\C:\WINNT\System32\drivers\EABFiltr.sys (system)
    EABUsb: \??\C:\WINNT\System32\drivers\EABUsb.sys (manual start)
    Symantec Eraser Control driver: \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (system)
    EraserUtilRebootDrv: \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (manual start)
    Event Log: %SystemRoot%\system32\services.exe (autostart)
    COM+ Event System: C:\WINNT\System32\svchost.exe -k netsvcs (manual start)
    Exportit: system32\DRIVERS\exportit.sys (system)
    Fax Service: %systemroot%\system32\faxsvc.exe (manual start)
    FBIKB_NT: \??\C:\WINNT\System32\Drivers\FBIKB_NT.Sys (manual start)
    Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
    Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
    Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
    Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
    Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (autostart)
    IEEE-1284.4 Driver hpoid407: system32\DRIVERS\hpoid407.sys (manual start)
    USB to IEEE-1284.4 Translation Driver hpoius07: system32\DRIVERS\hpoius07.sys (manual start)
    i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
    IntelIde: \SystemRoot\System32\DRIVERS\intelide.sys (disabled)
    IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
    IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
    IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
    IPSEC driver: System32\DRIVERS\ipsec.sys (manual start)
    IrDA Protocol: System32\DRIVERS\irda.sys (autostart)
    IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
    Infrared Monitor: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
    IS Service: C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe (autostart)
    Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
    Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
    Server: %SystemRoot%\System32\services.exe (autostart)
    Workstation: %SystemRoot%\System32\services.exe (autostart)
    TCP/IP NetBIOS Helper Service: %SystemRoot%\System32\services.exe (autostart)
    Wireless-B Notebook Adapter Driver: system32\DRIVERS\rtl8180.sys (manual start)
    Lucent Modem Driver: System32\DRIVERS\ltmdmxp.sys (manual start)
    Messenger: %SystemRoot%\System32\services.exe (autostart)
    NetMeeting Remote Desktop Sharing: C:\WINNT\System32\mnmsrvc.exe (manual start)
    Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
    Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
    BDA MPE Filter: System32\DRIVERS\MPE.sys (manual start)
    MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
    Distributed Transaction Coordinator: C:\WINNT\System32\msdtc.exe (manual start)
    Windows Installer: C:\WINNT\System32\msiexec.exe /V (manual start)
    Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
    Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
    Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
    Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
    Compaq Ethernet or Fast Ethernet NIC NT Driver: System32\DRIVERS\n100nt5.sys (manual start)
    NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
    NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20061105.018\naveng.sys (manual start)
    NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20061105.018\navex15.sys (manual start)
    Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
    NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
    Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
    NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
    NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
    Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
    Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
    NetDetect: \SystemRoot\system32\drivers\netdtect.sys (manual start)
    Net Logon: %SystemRoot%\System32\lsass.exe (autostart)
    Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    NSC Infrared Device Driver: System32\DRIVERS\nscirda.sys (manual start)
    NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
    Removable Storage: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
    IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
    Microsoft USB Open Host Controller Driver: System32\DRIVERS\openhci.sys (manual start)
    Parallel class driver: System32\DRIVERS\parallel.sys (manual start)
    Parallel port driver: System32\DRIVERS\parport.sys (system)
    PCANDIS5 Protocol Driver: \??\C:\WINNT\system32\PCANDIS5.SYS (manual start)
    PCI Bus Driver: System32\DRIVERS\pci.sys (system)
    PCIIde: System32\DRIVERS\pciide.sys (system)
    Pcmcia: System32\DRIVERS\pcmcia.sys (system)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    IPSEC Policy Agent: %SystemRoot%\System32\lsass.exe (autostart)
    WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
    Protected Storage: %SystemRoot%\system32\services.exe (autostart)
    Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
    ptssvc: C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe (autostart)
    Curitel PC Card Composite Device driver (WDM): system32\DRIVERS\pwi_bus.sys (manual start)
    Curitel PC Card Filter: system32\DRIVERS\pwi_mdfl.sys (manual start)
    Curitel PC Card Drivers: system32\DRIVERS\pwi_mdm.sys (manual start)
    Curitel PC Card OHCI Filter: system32\DRIVERS\pwi_oflt.sys (manual start)
    Curitel PC Card Diagnostic Serial Port (WDM): system32\DRIVERS\pwi_serd.sys (manual start)
    Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
    Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    WAN Miniport (IrDA Modem): System32\DRIVERS\rasirda.sys (manual start)
    WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
    Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
    Microsoft Streaming Network Raw Channel Access: system32\drivers\RCA.sys (manual start)
    Rdbss: System32\DRIVERS\rdbss.sys (system)
    Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
    Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    Remote Registry Service: %SystemRoot%\system32\regsvc.exe (autostart)
    Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    QoS RSVP: %SystemRoot%\System32\rsvp.exe -s (manual start)
    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
    SASDIFSV: \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS (system)
    SASENUM: \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS (manual start)
    SASKUTIL: \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (system)
    SAVRoam: "C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe" (autostart)
    SAVRT: \??\C:\Program Files\Symantec Client Security\Symantec AntiVirus\savrt.sys (system)
    SAVRTPEL: \??\C:\Program Files\Symantec Client Security\Symantec AntiVirus\Savrtpel.sys (system)
    Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
    Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
    Task Scheduler: %SystemRoot%\system32\MSTask.exe (autostart)
    RunAs Service: %SystemRoot%\system32\services.exe (autostart)
    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
    Serial port driver: System32\DRIVERS\serial.sys (system)
    High-Capacity Floppy Disk Drive: System32\DRIVERS\sfloppy.sys (manual start)
    Internet Connection Sharing: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
    SMC IrCC Miniport Device Driver: System32\DRIVERS\smcirda.sys (manual start)
    SMNDIS5 NDIS Protocol Driver: \??\C:\PROGRA~1\VERIZO~1\VZACCE~1\SMNDIS5.SYS (manual start)
    smwdm: system32\drivers\smwdm.sys (manual start)
    Symantec Network Drivers Service: "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" (autostart)
    SPBBCDrv: \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (system)
    Symantec SPBBCSvc: C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (autostart)
    Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
    Srv: System32\DRIVERS\srv.sys (manual start)
    BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
    Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
    Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
    Symantec AntiVirus: "C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe" (autostart)
    symc810: \SystemRoot\System32\DRIVERS\symc810.sys (disabled)
    symc8xx: \SystemRoot\System32\DRIVERS\symc8xx.sys (disabled)
    SYMDNS: \SystemRoot\System32\Drivers\SYMDNS.SYS (manual start)
    SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start)
    SYMFW: \SystemRoot\System32\Drivers\SYMFW.SYS (manual start)
    SYMIDS: \SystemRoot\System32\Drivers\SYMIDS.SYS (manual start)
    SYMIDSCO: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\SCFIDS~1\20060317.001\symidsco.sys (manual start)
    SYMNDIS: \SystemRoot\System32\Drivers\SYMNDIS.SYS (manual start)
    SYMREDRV: \SystemRoot\System32\Drivers\SYMREDRV.SYS (manual start)
    Symantec SecurePort: "C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe" (autostart)
    SYMTDI: \SystemRoot\System32\Drivers\SYMTDI.SYS (system)
    sym_hi: \SystemRoot\System32\DRIVERS\sym_hi.sys (disabled)
    Synaptics TouchPad Driver: System32\DRIVERS\SynTP.sys (manual start)
    Microsoft System Audio Device: system32\drivers\sysaudio.sys (manual start)
    Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
    Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
    Telnet: %SystemRoot%\system32\tlntsvr.exe (manual start)
    Distributed Link Tracking Client: %SystemRoot%\system32\services.exe (autostart)
    Microsoft USB Universal Host Controller Driver: System32\DRIVERS\uhcd.sys (manual start)
    Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
    Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
    Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
    Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
    USB 2.0 Root Hub Support: System32\DRIVERS\usbhub20.sys (manual start)
    USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
    Utility Manager: %SystemRoot%\System32\UtilMan.exe (manual start)
    Venturi Client: c:\program files\verizon wireless\venturi\Client\ventc.exe (autostart)
    VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
    Windows Time: %SystemRoot%\System32\services.exe (autostart)
    Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
    Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
    Windows Management Instrumentation: %SystemRoot%\System32\WBEM\WinMgmt.exe (autostart)
    VNC Server: "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (autostart)
    Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Windows Management Instrumentation Driver Extensions: %SystemRoot%\system32\Services.exe (manual start)
    Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (autostart)
    World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
    Automatic Updates: %systemroot%\system32\svchost.exe -k wugroup (autostart)
    Wireless Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: *Registry value not found*

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
    WebCheck: C:\WINNT\System32\webcheck.dll
    SysTray: stobject.dll

    --------------------------------------------------
    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    *No values found*

    --------------------------------------------------

    End of report, 35,366 bytes
    Report generated in 0.641 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only



    Whenever Task Manager is used to try to stop those weird CCapp or ccProxy processes or any of that ****, Norton stops it from being stopped, but I used that process ender in GMER and it seemed to momentarily disrupt the endless flow of spam that this malware is trying to send from my PC.

    There is something infecting the Symantec or using it to protect itself rather than correct itself or something, I swear.
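    The services section of the log above is what a helper has to read by hand in a thread like this. As an added triage aid (this is not code from the thread, from GMER, or from the StartupList tool that produced the log), the Python script below parses lines in that "name: image path (start type)" shape, normalises the path spellings the log mixes together (quoted paths, the \??\ prefix, %SystemRoot% and \SystemRoot\, bare System32\ paths, trailing arguments such as "-k netsvcs" or "-service"), and flags the entries a responder would look at first: autostarting images outside the Windows and Program Files trees, and remote-control services that are not disabled. It assumes the Windows directory is C:\WINNT as in the log; the sample input is constructed from lines of the log plus one made-up "Example Service" entry pointing into a Temp folder, added only to exercise the out-of-tree check.

```python
"""Triage pass over the services/drivers section of a StartupList-style log.

Each entry has the shape "<display name>: <image path> (<start type>)".
The helpers below normalise the path spellings such logs mix together
(quoted paths, the \\??\\ NT object prefix, %SystemRoot% and \\SystemRoot\\,
bare System32\\... paths, trailing command-line arguments) so the image
location can be classified, then flag what a responder reviews first:
  * autostarting images outside the Windows and Program Files trees
  * remote-control services that are not disabled
"""
import re

WINDIR = r"C:\WINNT"  # assumed Windows directory; the log above runs from C:\WINNT

# Display names of services that give remote desktop/shell access. Not
# malicious by themselves, but on a suspected-compromised machine they
# widen the exposure and belong in the triage notes.
REMOTE_ACCESS_SERVICES = {
    "VNC Server",
    "Telnet",
    "NetMeeting Remote Desktop Sharing",
    "Remote Registry Service",
}

ENTRY_RE = re.compile(r"^\s*(?P<name>.+?):\s+(?P<image>.+?)\s+\((?P<start>[^()]+)\)\s*$")
# The image path ends at the first executable-like extension; whatever follows
# (e.g. "-k netsvcs", "/com", "-service") is a command-line argument.
IMAGE_RE = re.compile(r"^(?P<path>.*?\.(?:exe|sys|dll))(?=\s|$)", re.IGNORECASE)


def parse_entry(line: str):
    """Return (name, image, start type) for one log line, or None for non-entry lines."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    return m.group("name"), m.group("image"), m.group("start")


def normalize_path(image: str) -> str:
    """Turn the many spellings of an image path into one absolute, argument-free path."""
    p = image.strip().replace('"', "")
    if p.startswith("\\??\\"):  # NT object-manager prefix on absolute paths
        p = p[4:]
    low = p.lower()
    for prefix in ("%systemroot%", "\\systemroot"):
        if low.startswith(prefix):  # environment-variable or symbolic-link spelling
            p = WINDIR + p[len(prefix):]
            break
    if p.lower().startswith("system32\\"):  # relative to the Windows directory
        p = WINDIR + "\\" + p
    m = IMAGE_RE.match(p)
    if m:
        return m.group("path")
    # No recognisable extension (e.g. "svchost -k rpcss"): cut before the first switch.
    return re.split(r"\s+(?=[-/])", p, maxsplit=1)[0]


def classify_location(path: str) -> str:
    """Coarse location class used by the triage rules."""
    low = path.lower()
    if low.startswith(WINDIR.lower() + "\\"):
        return "windows"
    if low.startswith(("c:\\program files\\", "c:\\progra~1\\")):
        return "program files"
    return "other"


def triage(log_text: str) -> list:
    """Parse every entry line and attach the triage flags that apply to it."""
    results = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        name, image, start = entry
        path = normalize_path(image)
        location = classify_location(path)
        flags = []
        if start in ("autostart", "system") and location == "other":
            flags.append("autostart image outside Windows and Program Files")
        if name in REMOTE_ACCESS_SERVICES and start != "disabled":
            flags.append(f"remote-access service, start mode: {start}")
        results.append({"name": name, "path": path, "start": start,
                        "location": location, "flags": flags})
    return results


def flagged(results: list) -> list:
    """Only the entries that picked up at least one flag."""
    return [r for r in results if r["flags"]]


# Constructed sample: nine lines copied from the services section above plus
# one made-up "Example Service" line to exercise the out-of-tree check.
SAMPLE_LOG = r"""
    ClntMgmt.sys: \SystemRoot\System32\Drivers\ClntMgmt.sys (system)
    Symantec AntiVirus Definition Watcher: "C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe" (autostart)
    DHCP Client: %SystemRoot%\System32\services.exe (autostart)
    COM+ Event System: C:\WINNT\System32\svchost.exe -k netsvcs (manual start)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    Telnet: %SystemRoot%\system32\tlntsvr.exe (manual start)
    VNC Server: "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (autostart)
    Venturi Client: c:\program files\verizon wireless\venturi\Client\ventc.exe (autostart)
    NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20061105.018\naveng.sys (manual start)
    Example Service: C:\Documents and Settings\user\Local Settings\Temp\example.exe (autostart)
"""

if __name__ == "__main__":
    for entry in flagged(triage(SAMPLE_LOG)):
        print(f"{entry['name']}: {entry['path']} [{entry['start']}]")
        for flag in entry["flags"]:
            print(f"    - {flag}")
```

    Run it against the full services section and the flagged list is what to look at before the rest: on the sample it surfaces the Telnet and VNC Server services and the constructed Temp-folder entry, while the Symantec, Kodak and Verizon entries under Program Files and the svchost/services.exe hosts under C:\WINNT fall through unflagged. The location classes are deliberately coarse; an entry in Program Files can still be malicious, so the output narrows the reading order rather than clearing anything.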
     
  19. 2006/11/06
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    You need to allow the tool to run; let Norton allow GMER to run.

    And the Norton app is designed to prevent anything from killing it. That's because many malware programs target the more popular AV products.

    The GMER log is rather long. I'm looking at the start up list, but won't get any reply back until later tonight.
     
  20. 2006/11/06
    odellius

    odellius Inactive Thread Starter

    Joined:
    2006/11/04
    Messages:
    19
    Likes Received:
    0
    a thought

    How can I stop Symantec from killing GMER then? It will not seem to allow me to disable it ever in that capacity. I can disable the firewall but that is it. That worries me though since I am under constant attack right now.

    Why is it that none of these **** programs work? I have just installed and run the highly regarded AVG program, and it took an hour and a half to scan almost 40,000 files to return NO THREATS FOUND. It did see one of those Msupd things we tried to get rid of, but it reported its type as ERROR, gave me no information about it, did not deem it a threat, and did nothing to resolve it. Is there anything I can do?

    Oh and for that GMER log, it is far far too long for me to post here as it almost caused my computer to lock up just in the process of copying it to the clipboard (keep in mind that it is not due to the inability of my computer to process, but rather a byproduct of being under constant siege right now).

    Should we start over? I await your word. Thanks for the patience you are exercising for me, since mine is running extremely thin. I want to crush this laptop and burn it. I hate what the internet became a half decade ago. Before that the nuisances we had to deal with were banner ads, and occasional popups. Now since then there are constant popups EVERYWHERE and all kinds of nasty spyware and virii and malware and this, that, and the other... It is so frustrating, when we are talking about a computer that got virtually no use for months (thusly it is quite fresh) and has only been used consistently for a few weeks. No downloading is done, and any infection that could have come in had to be from internet browsing. It must have been. I do not understand how it even got here, especially when this computer is supposedly protected by firewall and Symantec anti-virus software.

    I am not impressed whatsoever with this AVware. It seems to work as well as any of this freeware that removes infections. I would rather get some free software to do nothing, than costly software that offers the same value.

    I am really not sure how to progress with this situation, but there are several work related programs on here, for which I do not have a master copy, and I am also without the XP disk. That is the reason I would like to keep Reformatting a distant island, which we should never have to visit. I do not understand how, out of nowhere, this infection can take such a strong grip on this computer, and if we are even able to finally manage its safe apprehension and removal, how can we prevent it in the future?
     
  21. 2006/11/06
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    It's imperative we get that GMER log. I'm hoping this will show us what we are dealing with.

    I suppose we can try another rk tool and see what it finds as well.

    Please download RootKitRevealer from here

    Unzip it to the desktop, run it, and click Scan. This will generate a log file; please post the entire log file back into this thread for me to view.

    You should also begin to disconnect from the Net for any more instructions; unplug the machine at the cable in the back or from the modem.

    Also, use the Norton firewall to discern what programs have access to the Net when hooked up and configure it to block access for those programs or files.
     
