4th November 2006
#1
Inactive
Profile:
Join Date: Nov 2006
Posts: 19
Computer Experience: begintermediate
Infected PC needs some fixin!
I have some email proxy thing sending out spam or something, and my worthless Symantec just keeps popping up constantly telling me the messages cannot send.
Every time I start up now an error pops up and tells me vmmdiag32.exe cannot be found. I think this is some kind of infection. Also some downloader (I think it is the same as the VMM thing) tries to do something constantly and my autoprotect stops it and deletes it, but it is CONSTANT.
I have tried downloading several different spyware removal programs, and even tried being discriminating when doing so. I know a lot of them do not work, a lot of them do not get most problems, a lot of them give false results, and even some have their own virii and trojans interlaced. I only downloaded ones with solid user reviews and logical support.
They do not seem to be working though, but I do have HJT. I do not know what to do with the information it provides me. Will you tell me what to do please, as I have seen you helping others in a major way in various threads.
Here is an upfront HJT log if it might assist the process:
Logfile of HijackThis v1.99.1
Scan saved at 12:50:14 PM, on 11/4/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\BufferZone\ClntSvc.exe
C:\WINNT\system32\ccsrvc.exe
C:\WINNT\system32\drivers\dcfssvc.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
c:\program files\verizon wireless\venturi\Client\ventc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\ltmsg.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~3\SYMANT~2\VPTray.exe
C:\Program Files\BufferZone\CLIENTGUI.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\services.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\geneodel\My Documents\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*.*;treev*.*;*.donegalgroup.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~3\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [AeXAgentLogon] "C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe" /logon
O4 - HKLM\..\Run: [BufferZone] "C:\Program Files\BufferZone\CLIENTGUI.EXE" /STARTUP
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [WinMedia] C:\36110103225470766396.exe
O4 - HKCU\..\Run: [Winsto] C:\36110103225470771834.exe
O4 - HKCU\..\Run: [Winstd] C:\36110103225470771834.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Uninstall.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: ComcastHSI - {159D3960-4CB5-4ED7-A92B-7BFD1B92E504} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Support - {5BE2276A-99C5-4CAA-A028-6A6930C2526A} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: Help - {938BB3D4-A394-423A-9AC1-2ADE840555F9} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: Yahoo! Poker - http://download2.games.yahoo.com/gam...ts/y/pt3_x.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = donegalgroup.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = donegalgroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = donegalgroup.com
O20 - AppInit_DLLs: AMInit.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: BufferZone Service (BufferZoneSvc) - Unknown owner - C:\Program Files\BufferZone\ClntSvc.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINNT\system32\ccsrvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINNT\system32\drivers\dcfssvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
--------------------------------------------------------------------------------------------------------
Thanks for helping if you are able and willing to. I do not know where else to turn, seriously. I have no money so I cannot be purchasing full versions of reputable spyware removal programs. I have to sift through free solutions.
Also should I discontinue my usage of Internet Explorer and download a different browser? It seems as if everywhere I read things about what a security hazard IE is.
Erick "ODellius" O'Dell
4th November 2006
#2
Inactive
Profile:
Join Date: Nov 2006
Posts: 19
Computer Experience: begintermediate
next step...
I checked some other threads that seem to be from people with similar problems. It looks like I should run HaxFix first off, so I did.
HAXFIX logfile - by Marckie
______________
version 4.28
Sat 11/04/2006 16:15:59.65
checking for haxdoor
--------------------
checking for a3d files....
a3d files not found
checking for matching notify keys....
no matching notify keys found
checking for matching services....
matching services found
CmBatt
checking for matching safeboot services....
no matching safeboot services found
checking for other haxdoorfiles....
Checking for goldun
-------------------
checking for SSODL keys....
no ssodl keys found
checking for notify keys....
no notify keys found
checking for services....
no services found
checking for other goldunfiles....
wmdconf32.dll found
Finished
Then it looks like you want a fresh log from HJT, though I do not think that HaxFix took any action, other than scanning...
Here is a fresh HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 4:24:40 PM, on 11/4/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\BufferZone\ClntSvc.exe
C:\WINNT\system32\ccsrvc.exe
C:\WINNT\system32\drivers\dcfssvc.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
c:\program files\verizon wireless\venturi\Client\ventc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\ltmsg.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~3\SYMANT~2\VPTray.exe
C:\Program Files\BufferZone\CLIENTGUI.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\services.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\notepad.exe
C:\Documents and Settings\geneodel\My Documents\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*.*;treev*.*;*.donegalgroup.com
F2 - REG:system.ini: Shell=Explorer.exe vmmdiag32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~3\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [AeXAgentLogon] "C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe" /logon
O4 - HKLM\..\Run: [BufferZone] "C:\Program Files\BufferZone\CLIENTGUI.EXE" /STARTUP
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [WinMedia] C:\36110103225470766396.exe
O4 - HKCU\..\Run: [Winsto] C:\36110103225470771834.exe
O4 - HKCU\..\Run: [Winstd] C:\36110103225470771834.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Uninstall.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: ComcastHSI - {159D3960-4CB5-4ED7-A92B-7BFD1B92E504} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Support - {5BE2276A-99C5-4CAA-A028-6A6930C2526A} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: Help - {938BB3D4-A394-423A-9AC1-2ADE840555F9} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: Yahoo! Poker - http://download2.games.yahoo.com/gam...ts/y/pt3_x.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = donegalgroup.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = donegalgroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = donegalgroup.com
O20 - AppInit_DLLs: AMInit.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: BufferZone Service (BufferZoneSvc) - Unknown owner - C:\Program Files\BufferZone\ClntSvc.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINNT\system32\ccsrvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINNT\system32\drivers\dcfssvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
What is my best course of action to remedy this?
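As an added example (not code from this thread, from HijackThis, or from HaxFix), here is a small Python triage script over constructed lines in HijackThis v1.99.1 log format, modelled on the entries in the logs above. It flags the F2 Shell= value that carries an executable beyond Explorer.exe (the vmmdiag32.exe behind the start-up error in the first post), the HKCU Run entries that launch numeric-named executables from the drive root, the DisableRegedit=1 policy, and any AppInit_DLLs value; the heuristics are the example's own and the rest of the log is left for manual review.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample in HijackThis log format, modelled on (not copied from)
# the full logs posted above. Only the sections the checks look at are included.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: Shell=Explorer.exe vmmdiag32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [WinMedia] C:\36110103225470766396.exe
O4 - HKCU\..\Run: [Winsto] C:\36110103225470771834.exe
O4 - HKCU\..\Run: [Winstd] C:\36110103225470771834.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: AMInit.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
"""

# "R0 - ...", "O4 - ...": section code, then " - ", then the entry body.
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O4 body: HKLM\..\Run: [name] command line
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# An executable sitting directly in a drive root, e.g. C:\36110103225470766396.exe
ROOT_EXE_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\(?P<base>[^\\\s"]+)\.exe)"?', re.IGNORECASE)

SHELL_PREFIX = "REG:system.ini: Shell="


def parse_entry(line: str) -> Optional[Tuple[str, str]]:
    """Split one HJT line into (section code, body); None for process lists, headers, etc."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("sec"), m.group("body")) if m else None


def check_shell(body: str) -> Optional[str]:
    """F2: HJT reports the Winlogon Shell value here; it should be Explorer.exe alone."""
    if not body.startswith(SHELL_PREFIX):
        return None
    tokens = body[len(SHELL_PREFIX):].split()
    extra = [t for t in tokens if t.lower() != "explorer.exe"]
    return f"extra shell executable(s) started with Explorer: {', '.join(extra)}" if extra else None


def check_run(body: str) -> Optional[str]:
    """O4: Run entries that launch an .exe straight from the drive root deserve a look;
    an all-digit file name in that location is a stronger indicator."""
    m = RUN_RE.match(body)
    if not m:
        return None
    r = ROOT_EXE_RE.match(m.group("cmd"))
    if not r:
        return None
    kind = "numeric-named executable" if r.group("base").isdigit() else "executable"
    return f"{m.group('hive')} Run [{m.group('name')}] launches {kind} from drive root: {r.group('path')}"


def check_policy(body: str) -> Optional[str]:
    """O7: a policy that disables regedit blocks the user from inspecting their own registry."""
    return "registry editor disabled by policy (DisableRegedit=1)" if "DisableRegedit=1" in body else None


def check_appinit(body: str) -> Optional[str]:
    """O20: AppInit_DLLs are loaded into every process that links user32.dll, so the
    origin of any listed DLL should be verified rather than assumed."""
    if not body.startswith("AppInit_DLLs:"):
        return None
    dlls = body[len("AppInit_DLLs:"):].strip()
    return f"AppInit_DLLs set ({dlls}): loaded into every user32 process; verify origin" if dlls else None


CHECKS: Dict[str, Callable[[str], Optional[str]]] = {
    "F2": check_shell,
    "O4": check_run,
    "O7": check_policy,
    "O20": check_appinit,
}


def triage(log_text: str) -> List[Dict[str, str]]:
    """Run the section-specific checks over a whole log and collect the findings in order."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        sec, body = parsed
        check = CHECKS.get(sec)
        reason = check(body) if check else None
        if reason:
            findings.append({"section": sec, "reason": reason, "line": line.strip()})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}\n    {f['line']}")
```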
4th November 2006
#3
Inactive
Profile:
Join Date: Nov 2006
Posts: 2
Computer Experience: experienced
Infected pc needs some fixin
When I have big problems like you are describing, I sometimes use system restore. So far I have been lucky in bringing my PC from the brink of death back to normal.
4th November 2006
#4
Inactive
Profile:
Join Date: Nov 2006
Posts: 19
Computer Experience: begintermediate
To helpful member
Well this is where the beginner in me comes up to overtake the intermediate. I have grown up around computers and used them a lot for 15 years or so. I used to consider myself somewhat knowledgeable and still can do more than most, but as far as being an intermediate... I am not.
What exactly does the system restore do?
Will it remove programs I have installed recently? Will it erase word documents I have?
Also, even though this probably sounds really stupid, how do I do it?
Should I not just take appropriate measures on removing these existing threats, and resort to that system restore as a final option? Also I am not quite sure when some of these problems started exactly, so I would not know when to restore to. I think it may work, and I appreciate you being willing to offer me advice, but I am still where I was before. Confused.
Also, if I restore the system is that guaranteed to resolve these issues? If so perhaps that would be the best thing for me.
4th November 2006
#5
SuperGeek
Profile:
Join Date: May 2006
Location: PHX. AZ
Posts: 3,311
Computer Experience: Intermediate
Let's leave system restore alone at this point. Should something out of the ordinary happen, say I tell you to delete a system critical file or you delete one on your own, by mistake, without the backup of system restore your only option would be a reformat. System restore points cannot hurt you, unless you revert back to a previously infected point, which we won't be doing.
We need to run the second part of the HaxFix, removal.
Double click on My Computer -> C:\ -> Program Files > haxfix and double click on fix.bat (or double click on fix.bat desktop icon)
Close all other open windows since this step requires a reboot
Select option 2. Run auto fix by typing 2 and then pressing Enter
If an infection is found, you'll get a message to close all other open windows.
Close all open windows except the red dos window from haxfix and then press Enter
The computer will reboot
After reboot a logfile will open > (c:\haxfix.txt)
Post the contents of that logfile along with a new HijackThis log.
Please do not perform any other steps beyond what I have instructed; this is for your own (system's) safety.
4th November 2006
#6
Inactive
Profile:
Join Date: Nov 2006
Posts: 19
Computer Experience: begintermediate
Step two complete
HAXFIX logfile - by Marckie
--------------
version 4.28
Sat 11/04/2006 17:30:26.10
--- Auto Haxdoorfix ---
searching for files:
no infections found
--- Goldunfix ---
searching for files:
wmdconf32.dll
searching for SSODLkeys:
no SSODLkeys found
searching for notifykeys:
no notifykeys found
searching for services:
no services found
.....rebooting the computer.....
searching for ssodlkeys
not needed
searching for notifykeys
not needed
searching for services
not needed
searching for safeboot services
not needed
searching for files
wmdconf32.dll exists
deleting wmdconf32.dll
wmdconf32.dll has been deleted
checking for other files
No other files found
checking for a3d files
no a3d files found
Finished
--------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 5:45:43 PM, on 11/4/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\BufferZone\ClntSvc.exe
C:\WINNT\system32\ccsrvc.exe
C:\WINNT\system32\drivers\dcfssvc.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
c:\program files\verizon wireless\venturi\Client\ventc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\ltmsg.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~3\SYMANT~2\VPTray.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\BufferZone\CLIENTGUI.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINNT\system32\services.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\geneodel\My Documents\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*.*;treev*.*;*.donegalgroup.com
F2 - REG:system.ini: Shell=Explorer.exe vmmdiag32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~3\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [AeXAgentLogon] "C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe" /logon
O4 - HKLM\..\Run: [BufferZone] "C:\Program Files\BufferZone\CLIENTGUI.EXE" /STARTUP
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [WinMedia] C:\36110103225470766396.exe
O4 - HKCU\..\Run: [Winsto] C:\36110103225470771834.exe
O4 - HKCU\..\Run: [Winstd] C:\36110103225470771834.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Uninstall.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: ComcastHSI - {159D3960-4CB5-4ED7-A92B-7BFD1B92E504} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Support - {5BE2276A-99C5-4CAA-A028-6A6930C2526A} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: Help - {938BB3D4-A394-423A-9AC1-2ADE840555F9} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: Yahoo! Poker - http://download2.games.yahoo.com/gam...ts/y/pt3_x.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = donegalgroup.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = donegalgroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = donegalgroup.com
O20 - AppInit_DLLs: AMInit.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: BufferZone Service (BufferZoneSvc) - Unknown owner - C:\Program Files\BufferZone\ClntSvc.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINNT\system32\ccsrvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINNT\system32\drivers\dcfssvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
5th November 2006
#7
SuperGeek
Profile:
Join Date: May 2006
Location: PHX. AZ
Posts: 3,311
Computer Experience: Intermediate
OK, looks like we're heading down the stretch.
Please follow these instructions, exactly, for proper HJT installation. Please place HJT into ITS OWN PERMANENT FOLDER. It also needs to be removed from the desktop.
You can do this by going to My Computer (Windows key+E), then double click on C:, then right click and select New, then Folder, and name it HJT (C:\HJT\HijackThis.exe). Move HijackThis.exe into this folder. When you run HijackThis.exe from the C:\HJT folder and have it "Fix checked", it will create a backup file of the modifications to use if a restore is necessary, which is easily accessible.
1) Please download the Killbox.
Save it to the desktop and run it.
2) Select "Delete on Reboot", and then select "All files".
3) Copy the file names below to the clipboard by highlighting them and pressing Control-C:
vmmdiag32.exe
C:\36110103225470766396.exe
C:\36110103225470771834.exe
C:\WINNT\SYSTEM32\nwprovau.dll
4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
Reboot the system, run ComboFix as instructed below and then a new HJT log please.
Download combofix.exe Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
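As an added illustration (not part of the thread, and not the helper's own tooling), the script below scans lines in HijackThis 1.99.1 format for the entry types the Killbox list above was built from: an extra executable appended to the F2 Shell= value, Run keys launching executables from the drive root or with throw-away names, and Winlogon Notify or AppInit DLLs outside a baseline. The sample lines and the Notify-DLL baseline are constructed for the example.

```python
"""Flag HijackThis-style log entries of the kinds singled out in this thread.

Added example: a small defender-side triage script, not the forum helper's
tooling.  The sample lines and the Winlogon Notify baseline are constructed.
"""
import re

# Constructed sample in HijackThis 1.99.1 format (a few lines, not a full log).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe vmmdiag32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Winsto] C:\36110103225470771834.exe
O4 - HKCU\..\Run: [Winstp] C:\msupd01434474.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O20 - AppInit_DLLs: AMInit.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
""".strip()

# Assumed baseline of Winlogon Notify DLLs expected on this machine.  This is an
# assumption for the example; a real baseline comes from a known-clean reference.
KNOWN_NOTIFY_DLLS = {"saswinlo.dll", "navlogon.dll"}

# An .exe sitting directly in a drive root, or named like the droppers in this
# thread (long digit strings, msupd*), has no business in a Run key.
ROOT_EXE = re.compile(r"^[a-z]:\\[^\\]+\.exe$", re.IGNORECASE)
ODD_NAME = re.compile(r"^(?:\d{8,}|msupd\d*)\.exe$", re.IGNORECASE)


def first_path(command):
    """Return the program path from a Run value, quoted or bare, dropping arguments."""
    m = re.match(r'"?(.+?\.exe)"?(?:\s|$)', command.strip(), re.IGNORECASE)
    return m.group(1) if m else command.strip()


def basename(path):
    return path.rsplit("\\", 1)[-1]


def flag_hjt(log_text):
    """Return a list of (section, reason, line) for entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("F2 - ") and "Shell=" in line:
            # The shell value should be Explorer.exe alone; anything else is
            # started at every logon (here: vmmdiag32.exe).
            shell = line.split("Shell=", 1)[1]
            extra = [t for t in shell.split() if t.lower() != "explorer.exe"]
            if extra:
                findings.append(("F2", "extra shell executable: " + ", ".join(extra), line))
        elif line.startswith("O4 - ") and "Run:" in line:
            m = re.match(r"O4 - .*?Run: \[(.*?)\] (.*)$", line)
            if not m:
                continue
            path = first_path(m.group(2))
            if ROOT_EXE.match(path) or ODD_NAME.match(basename(path)):
                findings.append(("O4", f"Run entry [{m.group(1)}] launches {path}", line))
        elif line.startswith("O20 - Winlogon Notify:"):
            # Notify DLLs load into winlogon.exe with SYSTEM rights; compare to baseline.
            dll = basename(line.rsplit(" - ", 1)[-1]).lower()
            if dll not in KNOWN_NOTIFY_DLLS:
                findings.append(("O20", f"Winlogon Notify DLL not in baseline: {dll}", line))
        elif line.startswith("O20 - AppInit_DLLs:"):
            # AppInit_DLLs is injected into every user-mode process; always review it.
            dll = line.split(":", 1)[1].strip()
            findings.append(("O20", f"AppInit_DLLs loads {dll} into every process", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in flag_hjt(SAMPLE_LOG):
        print(f"{section:<4} {reason}\n     {line}")
```

Run against a full log, the same three checks surface the F2, O4 and O20 lines the helper chose for Killbox while leaving the Symantec and SUPERAntiSpyware entries alone.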
5th November 2006
#8
Inactive
Profile:
Join Date: Nov 2006
Posts: 19
Computer Experience: begintermediate
Down this stretch
I moved HJT to C:\HJT like you asked, though it was already in its own permanent folder, and was not on the desktop at all to be removed.
I understand that you have a crapload of responses to dish out, so these are likely a sort of preconstituted response to me for what to do, but this next anomaly was weirder.
When I followed instructions for the KillBox where you say:
"5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt."
I got no "Pending Operations Prompt." I stopped it where it was counting down to reboot, and repeated the steps, but the same thing happened, and it rebooted.
Next I downloaded ComboFix.exe and ran it. Here is the log from that program, followed with a fresh HJT.
geneodel - Sun 11/05/2006 12:39:42.95 Service Pack 4
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\geneodel\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2006-10-05 to 2006-11-05 ))))))))))))))))))))))))))))))))))
2006-11-04 19:17 24,576 --a------ C:\msupd01441574.exe
2006-11-04 19:16 3,072 --a------ C:\msupd01407035.exe
2006-11-04 19:16 16,384 --a------ C:\msupd01434474.exe
2006-11-04 17:42 81,920 --a------ C:\WINNT\SYSTEM32\wmdconf32.dll
2006-11-04 16:15 90,112 --a------ C:\WINNT\SYSTEM32\RegDACL.exe
2006-11-04 16:15 7,483 --a------ C:\clean.bat
2006-11-04 16:15 40,960 --a------ C:\WINNT\SYSTEM32\swsc.exe
2006-11-04 16:15 4,096 --a------ C:\WINNT\SYSTEM32\reboot.exe
2006-11-04 16:15 38,400 --a------ C:\WINNT\SYSTEM32\moveex.exe
2006-11-04 01:41 0 --a------ C:\WINNT\YOURAPP.EXE
2006-11-03 22:11 24,576 --a------ C:\36110103225470777902.exe
2006-10-25 15:01 3,072 --a------ C:\msupd01.exe
2006-10-18 19:13 679,936 --a------ C:\WINNT\SYSTEM32\libeay32.dll
2006-10-18 19:13 432,579 --a------ C:\WINNT\SYSTEM32\Ole2Plgin.dll
2006-10-18 19:13 3,923,200 --a------ C:\WINNT\SYSTEM32\DRIVERS\redlight.sys
2006-10-18 19:13 217,088 --a------ C:\WINNT\SYSTEM32\AM.dll
2006-10-18 19:13 147,456 --a------ C:\WINNT\SYSTEM32\ssleay32.dll
2006-10-18 19:13 124,416 --a------ C:\WINNT\SYSTEM32\madCHook.dll
2006-10-18 19:13 1,580,032 --a------ C:\WINNT\SYSTEM32\RlShellExt.dll
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-11-05 12:30 -------- d-------- C:\Program Files\BufferZone
2006-11-04 17:32 -------- d-------- C:\Program Files\HaxFix
2006-11-04 01:30 -------- d-------- C:\Program Files\SUPERAntiSpyware
2006-11-04 01:30 -------- d-------- C:\Documents and Settings\geneodel\Application Data\SUPERAntiSpyware.com
2006-11-04 01:29 -------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2006-11-04 01:29 -------- d-------- C:\Program Files\Common Files
2006-10-28 13:26 -------- d---s---- C:\Documents and Settings\geneodel\Application Data\Microsoft
2006-10-26 19:38 -------- d-------- C:\Documents and Settings\geneodel\Application Data\AdobeUM
2006-10-26 19:37 -------- d-------- C:\Documents and Settings\geneodel\Application Data\Adobe
2006-10-26 01:14 -------- d-------- C:\Program Files\PKWARE
2006-10-26 01:14 -------- d-------- C:\Program Files\Common Files\PKWARE
2006-10-17 14:48 -------- d-------- C:\Program Files\BitTorrent
2006-10-09 15:43 -------- d-------- C:\Documents and Settings\geneodel\Application Data\BitTorrent
2006-10-09 10:58 -------- d-------- C:\Documents and Settings\geneodel\Application Data\Macromedia
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"Winsto"="C:\\36110103225470771834.exe"
"Winstd"="C:\\36110103225470771834.exe"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
"Winstp"="C:\\msupd01434474.exe"
"Winstf"="C:\\msupd01434474.exe"
"Winstv"="C:\\msupd01434474.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"ATIModeChange"="Ati2mdxx.exe"
"AtiPTA"="atiptaxx.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"LTWinModem1"="ltmsg.exe 9"
"eabconfg.cpl"="C:\\Program Files\\Compaq\\EAB\\EabServr.exe /Start"
"CreateCD50"="\"C:\\Program Files\\Common Files\\Adaptec Shared\\CreateCD\\CreateCD50.exe\" -r"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"WinVNC"="\"C:\\Program Files\\RealVNC\\WinVNC\\WinVNC.exe\" -servicehelper"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"ComcastSUPPORT"="C:\\Program Files\\Support.com\\bin\\tgkill.exe /cleaneahtioga /start"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~3\\SYMANT~2\\VPTray.exe"
"AeXAgentLogon"="\"C:\\Program Files\\Altiris\\Altiris Agent\\AeXAgentActivate.exe\" /logon"
"BufferZone"="\"C:\\Program Files\\BufferZone\\CLIENTGUI.EXE\" /STARTUP"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="http://www.tv-tokyo.co.jp/anime/naruto/images/naruto_back.gif"
"SubscribedURL"="http://www.tv-tokyo.co.jp/anime/naruto/images/naruto_back.gif"
"FriendlyName"=""
"Flags"=dword:00002001
"Position"=hex:2c,00,00,00,10,03,00,00,1f,01,00,00,ff,ff,ff,ff,ff,ff,ff,ff,e8,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,10,03,00,00,1f,01,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,01,00,00,00
"RestoredStateInfo"=hex:b4,f0,4f,7c,38,c4,4f,7c,ff,ff,ff,ff,2c,5d,28,0e,ea,1c,\
34,70,e0,be,1a,09
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00002002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,ea,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,68,02,00,00,1f,00,00,00,a8,00,00,00,9e,00,\
00,00,01,00,00,00
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Wallpaper"="c:\\winnt\\dgoc.bmp"
"WallpaperStyle"="0"
"NoDispCPL"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=dword:00000000
"ForceActiveDesktopOn"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwprovau
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\MSIServer
Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\Symantec NetDetect.job
Completion time: Sun 2006-11-05 12:44:04.28
C:\ComboFix.txt ... 06-11-05 12:44
====================================================================================================================
Logfile of HijackThis v1.99.1
Scan saved at 1:02:37 PM, on 11/5/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\BufferZone\ClntSvc.exe
C:\WINNT\system32\ccsrvc.exe
C:\WINNT\system32\drivers\dcfssvc.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
c:\program files\verizon wireless\venturi\Client\ventc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\ltmsg.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~3\SYMANT~2\VPTray.exe
C:\Program Files\BufferZone\CLIENTGUI.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\msupd01434474.exe
C:\msupd01434474.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*.*;treev*.*;*.donegalgroup.com
F2 - REG:system.ini: Shell=Explorer.exe vmmdiag32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~3\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [AeXAgentLogon] "C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe" /logon
O4 - HKLM\..\Run: [BufferZone] "C:\Program Files\BufferZone\CLIENTGUI.EXE" /STARTUP
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Winsto] C:\36110103225470771834.exe
O4 - HKCU\..\Run: [Winstd] C:\36110103225470771834.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Winstp] C:\msupd01434474.exe
O4 - HKCU\..\Run: [Winstf] C:\msupd01434474.exe
O4 - HKCU\..\Run: [Winstv] C:\msupd01434474.exe
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Uninstall.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: ComcastHSI - {159D3960-4CB5-4ED7-A92B-7BFD1B92E504} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Support - {5BE2276A-99C5-4CAA-A028-6A6930C2526A} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: Help - {938BB3D4-A394-423A-9AC1-2ADE840555F9} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: Yahoo! Poker - http://download2.games.yahoo.com/gam...ts/y/pt3_x.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = donegalgroup.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = donegalgroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = donegalgroup.com
O20 - AppInit_DLLs: AMInit.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: BufferZone Service (BufferZoneSvc) - Unknown owner - C:\Program Files\BufferZone\ClntSvc.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINNT\system32\ccsrvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINNT\system32\drivers\dcfssvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
5th November 2006
#9
SuperGeek
Profile:
Join Date: May 2006
Location: PHX. AZ
Posts: 3,311
Computer Experience: Intermediate
Guess we need to try the manual fix on this sucker.
Double click on My Computer -> C:\ -> Program Files > haxfix and double click on fix.bat (or double click on fix.bat desktop icon)
Close all other open windows since this step requires a reboot
Select option 3. Run manual fix by typing 3 and then pressing Enter
This message will appear:
Quote:
echo Insert the haxdoorkey,
and then press Enter:
Type the following: wmdconf
When this is a valid choice, the key will be added to delete.
There is the possibility to add a new key: Yes (type Y) or No (type N).
Followed by this message:
Quote:
Haxdoorkey wmdconf added to delete.
Do you want to add a new haxdoorkey?
Press Y for YES or N for NO and then press Enter:
(if necessary press Y and insert another one). In this case add:
vmmdiag
press Enter
The computer will reboot
After reboot a logfile will open > (c:\haxfix.txt)
Post the contents of the logfile, then run ComboFix and a new HijackThis log and post both here.
5th November 2006
#10
Inactive
Profile:
Join Date: Nov 2006
Posts: 19
Computer Experience: begintermediate
Next
On both of the entries it seemed to find neither, but after I selected no, it did find something and deleted it on the reboot, but it was not that **** vmmdiag thing.
Here is the log from that after the reboot:
HAXFIX logfile - by Marckie
--------------
version 4.28
Sun 11/05/2006 14:53:54.11
--- Manual Haxdoorfix ---
Adding haxdoorkeys to delete...
no infections found
--- Goldunfix ---
searching for files:
wmdconf32.dll
searching for SSODLkeys:
no SSODLkeys found
searching for notifykeys:
no notifykeys found
searching for services:
no services found
.....rebooting the computer.....
searching for ssodlkeys
not needed
searching for notifykeys
not needed
searching for services
not needed
searching for safeboot services
not needed
searching for files
wmdconf32.dll exists
deleting wmdconf32.dll
wmdconf32.dll has been deleted
checking for other files
No other files found
checking for a3d files
no a3d files found
Finished
I will run ComboFix now and the HJT and return to post.
5th November 2006
#11
Inactive
Profile:
Join Date: Nov 2006
Posts: 19
Computer Experience: begintermediate
Combo and HJT logs
Combofix:
geneodel - Sun 11/05/2006 15:12:06.38 Service Pack 4
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\geneodel\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2006-10-05 to 2006-11-05 ))))))))))))))))))))))))))))))))))
2006-11-04 19:17 24,576 --a------ C:\msupd01441574.exe
2006-11-04 19:16 3,072 --a------ C:\msupd01407035.exe
2006-11-04 19:16 16,384 --a------ C:\msupd01434474.exe
2006-11-04 16:15 90,112 --a------ C:\WINNT\SYSTEM32\RegDACL.exe
2006-11-04 16:15 7,483 --a------ C:\clean.bat
2006-11-04 16:15 40,960 --a------ C:\WINNT\SYSTEM32\swsc.exe
2006-11-04 16:15 4,096 --a------ C:\WINNT\SYSTEM32\reboot.exe
2006-11-04 16:15 38,400 --a------ C:\WINNT\SYSTEM32\moveex.exe
2006-11-04 01:41 0 --a------ C:\WINNT\YOURAPP.EXE
2006-11-03 22:11 24,576 --a------ C:\36110103225470777902.exe
2006-10-25 15:01 3,072 --a------ C:\msupd01.exe
2006-10-18 19:13 679,936 --a------ C:\WINNT\SYSTEM32\libeay32.dll
2006-10-18 19:13 432,579 --a------ C:\WINNT\SYSTEM32\Ole2Plgin.dll
2006-10-18 19:13 3,923,200 --a------ C:\WINNT\SYSTEM32\DRIVERS\redlight.sys
2006-10-18 19:13 217,088 --a------ C:\WINNT\SYSTEM32\AM.dll
2006-10-18 19:13 147,456 --a------ C:\WINNT\SYSTEM32\ssleay32.dll
2006-10-18 19:13 124,416 --a------ C:\WINNT\SYSTEM32\madCHook.dll
2006-10-18 19:13 1,580,032 --a------ C:\WINNT\SYSTEM32\RlShellExt.dll
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-11-05 15:01 -------- d-------- C:\Program Files\BufferZone
2006-11-05 14:57 -------- d-------- C:\Program Files\HaxFix
2006-11-04 01:30 -------- d-------- C:\Program Files\SUPERAntiSpyware
2006-11-04 01:30 -------- d-------- C:\Documents and Settings\geneodel\Application Data\SUPERAntiSpyware.com
2006-11-04 01:29 -------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2006-11-04 01:29 -------- d-------- C:\Program Files\Common Files
2006-10-28 13:26 -------- d---s---- C:\Documents and Settings\geneodel\Application Data\Microsoft
2006-10-26 19:38 -------- d-------- C:\Documents and Settings\geneodel\Application Data\AdobeUM
2006-10-26 19:37 -------- d-------- C:\Documents and Settings\geneodel\Application Data\Adobe
2006-10-26 01:14 -------- d-------- C:\Program Files\PKWARE
2006-10-26 01:14 -------- d-------- C:\Program Files\Common Files\PKWARE
2006-10-17 14:48 -------- d-------- C:\Program Files\BitTorrent
2006-10-09 15:43 -------- d-------- C:\Documents and Settings\geneodel\Application Data\BitTorrent
2006-10-09 10:58 -------- d-------- C:\Documents and Settings\geneodel\Application Data\Macromedia
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"Winsto"="C:\\msupd01434474.exe"
"Winstd"="C:\\36110103225470771834.exe"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
"Winstp"="C:\\msupd01434474.exe"
"Winstf"="C:\\msupd01434474.exe"
"Winstv"="C:\\msupd01434474.exe"
"Winsty"="C:\\msupd01434474.exe"
"Winsts"="C:\\msupd01434474.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"ATIModeChange"="Ati2mdxx.exe"
"AtiPTA"="atiptaxx.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"LTWinModem1"="ltmsg.exe 9"
"eabconfg.cpl"="C:\\Program Files\\Compaq\\EAB\\EabServr.exe /Start"
"CreateCD50"="\"C:\\Program Files\\Common Files\\Adaptec Shared\\CreateCD\\CreateCD50.exe\" -r"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"WinVNC"="\"C:\\Program Files\\RealVNC\\WinVNC\\WinVNC.exe\" -servicehelper"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"ComcastSUPPORT"="C:\\Program Files\\Support.com\\bin\\tgkill.exe /cleaneahtioga /start"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~3\\SYMANT~2\\VPTray.exe"
"AeXAgentLogon"="\"C:\\Program Files\\Altiris\\Altiris Agent\\AeXAgentActivate.exe\" /logon"
"BufferZone"="\"C:\\Program Files\\BufferZone\\CLIENTGUI.EXE\" /STARTUP"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="http://www.tv-tokyo.co.jp/anime/naruto/images/naruto_back.gif"
"SubscribedURL"="http://www.tv-tokyo.co.jp/anime/naruto/images/naruto_back.gif"
"FriendlyName"=""
"Flags"=dword:00002001
"Position"=hex:2c,00,00,00,10,03,00,00,1f,01,00,00,ff,ff,ff,ff,ff,ff,ff,ff,e8,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,10,03,00,00,1f,01,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,01,00,00,00
"RestoredStateInfo"=hex:b4,f0,4f,7c,38,c4,4f,7c,ff,ff,ff,ff,2c,5d,28,0e,ea,1c,\
34,70,e0,be,1a,09
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00002002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,ea,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,68,02,00,00,1f,00,00,00,a8,00,00,00,9e,00,\
00,00,01,00,00,00
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Wallpaper"="c:\\winnt\\dgoc.bmp"
"WallpaperStyle"="0"
"NoDispCPL"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=dword:00000000
"ForceActiveDesktopOn"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwprovau
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\MSIServer
Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\Symantec NetDetect.job
Completion time: Sun 2006-11-05 15:14:07.90
C:\ComboFix.txt ... 06-11-05 15:14
C:\ComboFix2.txt ... 06-11-05 12:44
==========================================================
HJT:
Logfile of HijackThis v1.99.1
Scan saved at 3:16:27 PM, on 11/5/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\BufferZone\ClntSvc.exe
C:\WINNT\system32\ccsrvc.exe
C:\WINNT\system32\drivers\dcfssvc.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
c:\program files\verizon wireless\venturi\Client\ventc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\ltmsg.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~3\SYMANT~2\VPTray.exe
C:\Program Files\BufferZone\CLIENTGUI.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\msupd01434474.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\msupd01434474.exe
C:\msupd01434474.exe
C:\msupd01434474.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*.*;treev*.*;*.donegalgroup.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~3\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [AeXAgentLogon] "C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe" /logon
O4 - HKLM\..\Run: [BufferZone] "C:\Program Files\BufferZone\CLIENTGUI.EXE" /STARTUP
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Winsto] C:\msupd01434474.exe
O4 - HKCU\..\Run: [Winstd] C:\36110103225470771834.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Winstp] C:\msupd01434474.exe
O4 - HKCU\..\Run: [Winstf] C:\msupd01434474.exe
O4 - HKCU\..\Run: [Winstv] C:\msupd01434474.exe
O4 - HKCU\..\Run: [Winsty] C:\msupd01434474.exe
O4 - HKCU\..\Run: [Winsts] C:\msupd01434474.exe
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Uninstall.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: ComcastHSI - {159D3960-4CB5-4ED7-A92B-7BFD1B92E504} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Support - {5BE2276A-99C5-4CAA-A028-6A6930C2526A} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: Help - {938BB3D4-A394-423A-9AC1-2ADE840555F9} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: Yahoo! Poker - http://download2.games.yahoo.com/gam...ts/y/pt3_x.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = donegalgroup.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = donegalgroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = donegalgroup.com
O20 - AppInit_DLLs: AMInit.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: BufferZone Service (BufferZoneSvc) - Unknown owner - C:\Program Files\BufferZone\ClntSvc.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINNT\system32\ccsrvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINNT\system32\drivers\dcfssvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
Once again, I appreciate your help here man, this frickin infection is persistent, and I hate it. I am glad you are here to help me through this.
6th November 2006
#12
SuperGeek
Profile:
Join Date: May 2006
Location: PHX. AZ
Posts: 3,311
Computer Experience: Intermediate
Quote:
I moved HJT to C:\HJT like you asked, though it was already in its own permanent folder, and was not on the desktop at all to be removed.
Sorry for not noticing, I saw the long file path, and my head went into 'auto' mode without really reading.
Well, we have gotten the most difficult part of the infection removed, the rest should be relatively easy.
Let's use Killbox again, inserting the following files, with the same instructions.
C:\msupd01441574.exe
C:\msupd01407035.exe
C:\msupd01434474.exe
C:\36110103225470777902.exe
C:\msupd01.exe
Don't reboot yet though.
Run HJT, and place a check next to the following lines, then, with all browsers and windows closed, hit 'Fix checked':
O4 - HKCU\..\Run: [Winsto] C:\msupd01434474.exe
O4 - HKCU\..\Run: [Winstd] C:\36110103225470771834.exe
O4 - HKCU\..\Run: [Winstp] C:\msupd01434474.exe
O4 - HKCU\..\Run: [Winstf] C:\msupd01434474.exe
O4 - HKCU\..\Run: [Winstv] C:\msupd01434474.exe
O4 - HKCU\..\Run: [Winsty] C:\msupd01434474.exe
O4 - HKCU\..\Run: [Winsts] C:\msupd01434474.exe
Reboot the system, run ComboFix first, then HJT and post both logs back here for me to review.
6th November 2006
#13
Inactive
Profile:
Join Date: Nov 2006
Posts: 19
Computer Experience: begintermediate
***
Weird stuff is going on.
Symantec is stopping processes while I am taking those steps, and the Downloader stuff that had stopped a few steps ago, started again. While I was posting these logs and stuff, this window randomly closed down. Also BufferZone keeps trying to do something, but Symantec stops it.
I cannot even type this to you right now, because literally hundreds upon hundreds of spam messages are popping up saying unable to send. It seems as though Symantec is doing this even. How do I stop this? This is the worst it has ever been. Every few letters I type, it stops me and pops another one up. Please help me.
GOD
This is horrible. What the f*%$# is the purpose of this stupid SH#@$@#$ Why is this happening? I do not even download things.
My system tray has a hundred envelopes and growing, my windows bar has hundreds of Symantec Email Proxy messages. It has never been this bad. What should I do when this happens?
geneodel - Mon 11/06/2006 15:17:30.77 Service Pack 4
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\geneodel\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2006-10-06 to 2006-11-06 ))))))))))))))))))))))))))))))))))
2006-11-06 15:14 81,920 --a------ C:\WINNT\SYSTEM32\wmdconf32.dll
2006-11-06 15:13 3,072 -r-hs---- C:\msupd01416148.exe
2006-11-06 15:13 24,576 --a------ C:\msupd01428245.exe
2006-11-06 15:13 16,384 --a------ C:\msupd01422707.exe
2006-11-04 16:15 90,112 --a------ C:\WINNT\SYSTEM32\RegDACL.exe
2006-11-04 16:15 7,483 --a------ C:\clean.bat
2006-11-04 16:15 40,960 --a------ C:\WINNT\SYSTEM32\swsc.exe
2006-11-04 16:15 4,096 --a------ C:\WINNT\SYSTEM32\reboot.exe
2006-11-04 16:15 38,400 --a------ C:\WINNT\SYSTEM32\moveex.exe
2006-11-04 01:41 0 --a------ C:\WINNT\YOURAPP.EXE
2006-10-18 19:13 679,936 --a------ C:\WINNT\SYSTEM32\libeay32.dll
2006-10-18 19:13 432,579 --a------ C:\WINNT\SYSTEM32\Ole2Plgin.dll
2006-10-18 19:13 3,923,200 --a------ C:\WINNT\SYSTEM32\DRIVERS\redlight.sys
2006-10-18 19:13 217,088 --a------ C:\WINNT\SYSTEM32\AM.dll
2006-10-18 19:13 147,456 --a------ C:\WINNT\SYSTEM32\ssleay32.dll
2006-10-18 19:13 124,416 --a------ C:\WINNT\SYSTEM32\madCHook.dll
2006-10-18 19:13 1,580,032 --a------ C:\WINNT\SYSTEM32\RlShellExt.dll
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-11-06 15:08 -------- d-------- C:\Program Files\BufferZone
2006-11-05 14:57 -------- d-------- C:\Program Files\HaxFix
2006-11-04 01:30 -------- d-------- C:\Program Files\SUPERAntiSpyware
2006-11-04 01:30 -------- d-------- C:\Documents and Settings\geneodel\Application Data\SUPERAntiSpyware.com
2006-11-04 01:29 -------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2006-11-04 01:29 -------- d-------- C:\Program Files\Common Files
2006-10-28 13:26 -------- d---s---- C:\Documents and Settings\geneodel\Application Data\Microsoft
2006-10-26 19:38 -------- d-------- C:\Documents and Settings\geneodel\Application Data\AdobeUM
2006-10-26 19:37 -------- d-------- C:\Documents and Settings\geneodel\Application Data\Adobe
2006-10-26 01:14 -------- d-------- C:\Program Files\PKWARE
2006-10-26 01:14 -------- d-------- C:\Program Files\Common Files\PKWARE
2006-10-17 14:48 -------- d-------- C:\Program Files\BitTorrent
2006-10-09 15:43 -------- d-------- C:\Documents and Settings\geneodel\Application Data\BitTorrent
2006-10-09 10:58 -------- d-------- C:\Documents and Settings\geneodel\Application Data\Macromedia
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
"Winstj"="c:\\msupd01422707.exe"
"WinMedia"="c:\\msupd01416148.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"ATIModeChange"="Ati2mdxx.exe"
"AtiPTA"="atiptaxx.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"LTWinModem1"="ltmsg.exe 9"
"eabconfg.cpl"="C:\\Program Files\\Compaq\\EAB\\EabServr.exe /Start"
"CreateCD50"="\"C:\\Program Files\\Common Files\\Adaptec Shared\\CreateCD\\CreateCD50.exe\" -r"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"WinVNC"="\"C:\\Program Files\\RealVNC\\WinVNC\\WinVNC.exe\" -servicehelper"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"ComcastSUPPORT"="C:\\Program Files\\Support.com\\bin\\tgkill.exe /cleaneahtioga /start"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~3\\SYMANT~2\\VPTray.exe"
"AeXAgentLogon"="\"C:\\Program Files\\Altiris\\Altiris Agent\\AeXAgentActivate.exe\" /logon"
"BufferZone"="\"C:\\Program Files\\BufferZone\\CLIENTGUI.EXE\" /STARTUP"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="http://www.tv-tokyo.co.jp/anime/naruto/images/naruto_back.gif"
"SubscribedURL"="http://www.tv-tokyo.co.jp/anime/naruto/images/naruto_back.gif"
"FriendlyName"=""
"Flags"=dword:00002001
"Position"=hex:2c,00,00,00,10,03,00,00,1f,01,00,00,ff,ff,ff,ff,ff,ff,ff,ff, e8,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,10,03,00,00,1f,01,00,00,ff,ff,ff,ff,ff, ff,\
ff,ff,01,00,00,00
"RestoredStateInfo"=hex:b4,f0,4f,7c,38,c4,4f,7c,ff,ff,ff,ff,2c,5d,28,0e,ea, 1c,\
34,70,e0,be,1a,09
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00002002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00, ea,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff, ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,68,02,00,00,1f,00,00,00,a8,00,00,00,9e, 00,\
00,00,01,00,00,00
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Wallpaper"="c:\\winnt\\dgoc.bmp"
"WallpaperStyle"="0"
"NoDispCPL"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=dword:00000000
"ForceActiveDesktopOn"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwprovau
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\MSIServer
Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\Symantec NetDetect.job
Completion time: Mon 2006-11-06 15:21:39.97
C:\ComboFix.txt ... 06-11-06 15:21
C:\ComboFix2.txt ... 06-11-05 15:14
C:\ComboFix3.txt ... 06-11-05 12:44
Logfile of HijackThis v1.99.1
Scan saved at 3:33:47 PM, on 11/6/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\BufferZone\ClntSvc.exe
C:\WINNT\system32\ccsrvc.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\WINNT\system32\drivers\dcfssvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
c:\program files\verizon wireless\venturi\Client\ventc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\ltmsg.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~3\SYMANT~2\VPTray.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\BufferZone\CLIENTGUI.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINNT\system32\services.exe
c:\msupd01422707.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*.*;treev*.*;*.donegalgroup.com
F2 - REG:system.ini: Shell=Explorer.exe vmmdiag32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~3\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [AeXAgentLogon] "C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe" /logon
O4 - HKLM\..\Run: [BufferZone] "C:\Program Files\BufferZone\CLIENTGUI.EXE" /STARTUP
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Winstj] c:\msupd01422707.exe
O4 - HKCU\..\Run: [WinMedia] c:\msupd01416148.exe
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Uninstall.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: ComcastHSI - {159D3960-4CB5-4ED7-A92B-7BFD1B92E504} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Support - {5BE2276A-99C5-4CAA-A028-6A6930C2526A} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: Help - {938BB3D4-A394-423A-9AC1-2ADE840555F9} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: Yahoo! Poker - http://download2.games.yahoo.com/gam...ts/y/pt3_x.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = donegalgroup.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = donegalgroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = donegalgroup.com
O20 - AppInit_DLLs: AMInit.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: BufferZone Service (BufferZoneSvc) - Unknown owner - C:\Program Files\BufferZone\ClntSvc.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINNT\system32\ccsrvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINNT\system32\drivers\dcfssvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
6th November 2006
#14
SuperGeek
Profile:
Join Date: May 2006
Location: PHX. AZ
Posts: 3,311
Computer Experience: Intermediate
I can certainly understand your frustration, believe me, I am just as frustrated.
These latest Goldun\Hax variants are being tweaked more and more. Some go away easily and quickly, while others are more persistent, like this one.
The key is finding the re-infecting file or back up file watching the main files. That's how many of these advanced infections work.
The idea behind this infection and any sort of malware is money, plain and simple.
At this point we need to look elsewhere on the system. I cannot offer any sort of time frame for detection and removal. Depending on what data is on the machine, it may be easier, from a time standpoint, to save your data and reformat. That would take a few hours, but it certainly rids the system of anything malicious.
If you decide to go that route, ignore the following and I'll recommend a good guide for re-formatting the drive, provided of course you have the original XP CD.
We'll get a couple of fact finding scans and a rootkit scan as well.
Let's get a startup list from HJT:
Open HJT, click the 'None of the above, just start the program' button.
Then click the 'Config' button in the lower right hand of the program.
Then select the 'Misc Tools' button.
In the upper left hand side of the program tick the two boxes 'List also minor sections (full)' and 'List empty sections (complete)' and select 'Yes' when prompted by the dialog box. The resultant scan will produce a Notepad log file; please paste that log file back here for me to review.
Then a rootkit scan:
Download GMER from here. Right-click the Zip and select "Extract All".
Double-click gmer.exe to launch the program.
Click on the Rootkit Tab and on the right side, untick the Registry box, then click Scan.
Once the scan is done, hit the Copy button, then open Notepad and paste the results here for me to see.
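The two posts above describe what keeps this infection alive: a randomly named executable dropped in the drive root (msupd01 followed by digits, or a long all-digit name), several HKCU Run values (Winst*) pointing at the same file, and a system.ini Shell= value that starts vmmdiag32.exe beside Explorer, so whichever piece survives a cleanup re-creates the rest. The script below is an added example, not code from this thread or from HijackThis, ComboFix or GMER. It parses the O4 and F2 lines of a HijackThis log together with the "Files Created" lines of a ComboFix log (the sample lines are copied from the logs posted above) and reports which autostart targets show those traits, so the by-eye triage SuperGeek is doing can be repeated after every reboot. The name heuristics (msupd plus digits, a purely numeric name) are assumptions drawn from this one infection, not a general signature.

```python
import re
from collections import defaultdict

# Constructed sample input: lines copied from the HijackThis and ComboFix logs
# posted in this thread. Only O4 (Run values), F2 (system.ini Shell=) and
# ComboFix "Files Created" lines matter to the parser; everything else is skipped.
HJT_LINES = [
    r'F2 - REG:system.ini: Shell=Explorer.exe vmmdiag32.exe',
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r'O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper',
    r'O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe',
    r'O4 - HKCU\..\Run: [Winstj] c:\msupd01422707.exe',
    r'O4 - HKCU\..\Run: [WinMedia] c:\msupd01416148.exe',
    r'O4 - HKCU\..\Run: [Winsto] C:\msupd01434474.exe',
    r'O4 - HKCU\..\Run: [Winstd] C:\36110103225470771834.exe',
    r'O4 - HKCU\..\Run: [Winstp] C:\msupd01434474.exe',
]
COMBOFIX_LINES = [
    r'2006-11-06 15:14      81,920 --a------ C:\WINNT\SYSTEM32\wmdconf32.dll',
    r'2006-11-06 15:13       3,072 -r-hs---- C:\msupd01416148.exe',
    r'2006-11-06 15:13      24,576 --a------ C:\msupd01428245.exe',
    r'2006-11-06 15:13      16,384 --a------ C:\msupd01422707.exe',
    r'2006-11-04 16:15      90,112 --a------ C:\WINNT\SYSTEM32\RegDACL.exe',
]

O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.+)$')
F2_RE = re.compile(r'^F2 - REG:system\.ini: Shell=(.+)$')
CF_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d)\s+([\d,]+)\s+([-a-z]{9})\s+(.+)$')
ROOT_RE = re.compile(r'^[a-z]:\\[^\\]+$')          # file sitting directly in the drive root
# Assumed, infection-specific name heuristics: "msupd" + digits, or a long all-digit name.
RANDOM_NAME_RE = re.compile(r'^(msupd\d+|\d{8,})\.exe$')


def target_path(command):
    """Return the executable a Run value launches, dropping quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end > 0:
            return command[1:end]
    m = re.match(r'(.+?\.(?:exe|dll|com|scr|bat))(?:\s|$)', command, re.IGNORECASE)
    return m.group(1) if m else command


def parse_combofix_new_files(lines):
    """Map lower-cased path -> {time, size, attrs} for ComboFix 'Files Created' lines."""
    files = {}
    for line in lines:
        m = CF_RE.match(line.strip())
        if m:
            ts, size, attrs, path = m.groups()
            files[path.lower()] = {'time': ts, 'size': int(size.replace(',', '')), 'attrs': attrs}
    return files


def triage(hjt_lines, combofix_lines):
    """Correlate Run values, the system.ini Shell= line and newly created files."""
    new_files = parse_combofix_new_files(combofix_lines)
    run_values = defaultdict(list)   # lower-cased target -> [(hive, value name)]
    shell_extras = []                # anything besides explorer.exe in system.ini Shell=
    for line in hjt_lines:
        m = O4_RE.match(line.strip())
        if m:
            hive, name, command = m.groups()
            run_values[target_path(command).lower()].append((hive, name))
            continue
        m = F2_RE.match(line.strip())
        if m:
            shell_extras.extend(t for t in m.group(1).split() if t.lower() != 'explorer.exe')

    suspicious = []
    for path, values in run_values.items():
        reasons = []
        base = path.rsplit('\\', 1)[-1]
        if ROOT_RE.match(path):
            reasons.append('executable in drive root')
        if RANDOM_NAME_RE.match(base):
            reasons.append('random-looking name')
        if len(values) > 1:
            reasons.append('%d Run values point at the same file' % len(values))
        info = new_files.get(path)
        if info:
            reasons.append('created %s' % info['time'])
            if 'h' in info['attrs'] and 's' in info['attrs']:
                reasons.append('hidden+system attributes')
        if reasons:
            suspicious.append({'path': path, 'values': values, 'reasons': reasons})

    # New executables marked hidden+system, whether or not a Run value names them yet.
    hidden_new = [p for p, info in new_files.items()
                  if p.endswith('.exe') and 'h' in info['attrs'] and 's' in info['attrs']]
    return {'suspicious_run': suspicious, 'shell_hijack': shell_extras, 'hidden_new_exes': hidden_new}


if __name__ == '__main__':
    report = triage(HJT_LINES, COMBOFIX_LINES)
    for hit in report['suspicious_run']:
        names = ', '.join('%s\\Run\\%s' % v for v in hit['values'])
        print('%s  <- %s\n    %s' % (hit['path'], names, '; '.join(hit['reasons'])))
    if report['shell_hijack']:
        print('system.ini Shell= also starts: %s' % ' '.join(report['shell_hijack']))
    for p in report['hidden_new_exes']:
        print('new hidden+system executable: %s' % p)
```

Run it against a fresh pair of logs after each Killbox and HJT pass. A target that comes back under a new number but the same Winst* value names, or a new hidden+system file in the root that no Run value names yet, is the kind of re-infecting component the post above says has to be found before the visible files will stay gone.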
7th November 2006
#15
Inactive
Profile:
Join Date: Nov 2006
Posts: 19
Computer Experience: begintermediate
Please lets fix this. I cannot reformat. We can overcome.
A week or two ago there was NO infection. Nothing at all, in the way of problems. Now there is a crazy seige going on.
Look, I do not know anything about this or anything, but this particular problem seems the most dangerous because the infection somehow rooted itself within Symantec software or something. As soon as I opened that last program you told me to, and clicked scan, I got this error thing from AntiVirus Notification:
SYMANTEC TAMPER PROTECTION ALERT
Target: C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
Event Info: Open Process
Action Taken: Blocked
Actor Process: C:\Documents and Settings\geneodel\My Documents\gmer112[1]\gmer.exe (PID 7760)
Time: Monday, November 06, 2006 7:36:24 PM
It happened earlier with one of the other programs causing it instead of gmer. This ccProxy... what is it?
Another thing popped up:
Target: C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
Event Info: Open Process
Action Taken: Blocked
Actor Process: C:\Documents and Settings\geneodel\My Documents\gmer112[1]\gmer.exe (PID 7760)
Time: Monday, November 06, 2006 7:42:09 PM
What is this stuff?
and
SYMANTEC TAMPER PROTECTION ALERT
Target: C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
Event Info: Open Process
Action Taken: Blocked
Actor Process: C:\Documents and Settings\geneodel\My Documents\gmer112[1]\gmer.exe (PID 7760)
Time: Monday, November 06, 2006 7:45:00 PM
I appreciate you sympathising with my plight. I really really hate this sh1t, and I would love to get my neanderthal hands around the neck of whoever crafted this insidious software.
Here is this other fricken log from the gmer thing:
GMER 1.0.12.11879 - http://www.gmer.net
Rootkit scan 2006-11-06 19:47:57
Windows 5.0.2195 Service Pack 4
---- System - GMER 1.0.12 ----
SSDT 814F9928 ZwConnectPort
SSDT 814E4C28 ZwDuplicateObject
SSDT 814E4A28 ZwOpenProcess
SSDT 814E4D28 ZwOpenThread
---- EOF - GMER 1.0.12 ----
That cannot be what you wanted, right? So I clicked Show all and re-did it; Registry has still been left unticked.
This popped up just now:
SYMANTEC TAMPER PROTECTION ALERT
Target: C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
Event Info: Open Process
Action Taken: Blocked
Actor Process: C:\Documents and Settings\geneodel\My Documents\gmer112[1]\gmer.exe (PID 7760)
Time: Monday, November 06, 2006 7:50:57 PM
and this:
SYMANTEC TAMPER PROTECTION ALERT
Target: C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
Event Info: Open Process
Action Taken: Blocked
Actor Process: C:\Documents and Settings\geneodel\My Documents\gmer112[1]\gmer.exe (PID 7760)
Time: Monday, November 06, 2006 7:51:32 PM
Here's that new log from gmer:
There seems to be far too much to post when I Show all:
What should I do?
Is there anything besides registry I should try unchecking?
Should we just do something else besides the gmer?
It is still running the scan; I will post that momentarily, or at least attempt to.
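As an added example (not from this thread, and not GMER's or Symantec's own code), here is a small Python helper for triaging the two log formats pasted above: it groups the Tamper Protection alerts by the process that was blocked from opening Symantec's services, and pulls the SSDT entries out of the GMER output. The sample input is constructed from lines shown in this thread; no other values are assumed.

```python
import re
from collections import defaultdict
# Constructed sample input: these lines are copied from the thread above.
SAMPLE = """SYMANTEC TAMPER PROTECTION ALERT
Target: C:\\Program Files\\Common Files\\Symantec Shared\\ccProxy.exe
Event Info: Open Process
Action Taken: Blocked
Actor Process: C:\\Documents and Settings\\geneodel\\My Documents\\gmer112[1]\\gmer.exe (PID 7760)
Time: Monday, November 06, 2006 7:36:24 PM
SYMANTEC TAMPER PROTECTION ALERT
Target: C:\\Program Files\\Symantec Client Security\\Symantec AntiVirus\\Rtvscan.exe
Event Info: Open Process
Action Taken: Blocked
Actor Process: C:\\Documents and Settings\\geneodel\\My Documents\\gmer112[1]\\gmer.exe (PID 7760)
Time: Monday, November 06, 2006 7:50:57 PM
---- System - GMER 1.0.12 ----
SSDT 814F9928 ZwConnectPort
SSDT 814E4A28 ZwOpenProcess
---- EOF - GMER 1.0.12 ----
"""

ACTOR_RE = re.compile(r"^(?P<path>.*?) \(PID (?P<pid>\d+)\)$")  # "<path> (PID n)"
SSDT_RE = re.compile(r"^SSDT\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<func>\w+)")

def parse_tamper_alerts(text):
    """One dict per alert block, with the actor's image path and PID split out."""
    alerts, cur = [], None
    for line in text.splitlines():
        if line.strip() == "SYMANTEC TAMPER PROTECTION ALERT":
            alerts.append(cur := {})                 # start a new alert record
        elif cur is not None and ": " in line:
            key, _, value = line.partition(": ")     # "Field: value" lines
            cur[key] = value.strip()
            if key == "Actor Process" and (m := ACTOR_RE.match(cur[key])):
                cur["actor_path"], cur["actor_pid"] = m["path"], int(m["pid"])
    return alerts

def parse_ssdt_hooks(text):
    """{function: handler address} for every SSDT line in a GMER log."""
    return {m["func"]: m["addr"] for line in text.splitlines()
            if (m := SSDT_RE.match(line.strip()))}

def blocked_targets_by_actor(alerts):
    """Blocked targets grouped by actor image name (the pattern in the alerts above)."""
    out = defaultdict(set)
    for a in alerts:
        if a.get("Action Taken") == "Blocked" and "actor_path" in a:
            actor = a["actor_path"].rsplit("\\", 1)[-1]        # image name only
            out[actor].add(a["Target"].rsplit("\\", 1)[-1])
    return {k: sorted(v) for k, v in out.items()}
```

Seeing one scanner image listed against several Symantec service images is exactly what the alerts above show; the SSDT table tells you which system calls currently have a non-default handler address, which is the part of the GMER output worth comparing against a known-clean machine.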