1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

Solved Under attack with disabled system restore

Discussion in 'Malware and Virus Removal Archive' started by Watson, 2008/07/08.

  1. 2008/07/08
    Watson

    Watson Inactive Thread Starter

    Joined:
    2008/07/08
    Messages:
    9
    Likes Received:
    0
    [Resolved] Under attack with disabled system restore

    Hi There,

    The following viruses have taken up residance on my pc and have been removed by NAV. But since then, things are not quite the same.

    All my *.doc files are not recognised by windows and they keep creating *.scv file extentions.

    I have tried to disable system restore and do a scan in safe mode, but system restore disable is greyed out (disabled by group policy). Windows Security Centre is also disabled. Below is the log from NAV and then below that is HiJackThis log which is appended to Deckard's System Scanner.

    Any help would be great as my pc is the heart of my small business.

    Thanks,

    Watson


    Norton Activity Log
    ***********
    Trojan.Packed.NsAnti
    Action taken: Blocked
    Affected Areas: c:\documents and settings\owner\local settings\temp\ovlx.dll
    ***********
    Risk category: Virus
    Overall Risk Impact: High
    Performance: High
    Privacy: High
    Removal: High
    Stealth: High
    Click for more information about this risk : W32.Gammima.AG
    Action taken: Fully removed
    Affected Areas:
    Registry Entries
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL->CheckedValue:1
    HKEY_USERS\S-1-5-21-1645522239-1004336348-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced->Hidden:1
    HKEY_USERS\S-1-5-21-1645522239-1004336348-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced->Hidden:1
    HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced->Hidden:1
    HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced->Hidden:1
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced->Hidden:1
    HKEY_USERS\S-1-5-21-1645522239-1004336348-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced->ShowSuperHidden:1
    HKEY_USERS\S-1-5-21-1645522239-1004336348-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced->ShowSuperHidden:1
    HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced->ShowSuperHidden:1
    HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced->ShowSuperHidden:1
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced->ShowSuperHidden:1
    HKEY_USERS\S-1-5-21-1645522239-1004336348-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer->NoDriveTypeAutoRun:149
    HKEY_USERS\S-1-5-21-1645522239-1004336348-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer->NoDriveTypeAutoRun:149
    HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer->NoDriveTypeAutoRun:149
    HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer->NoDriveTypeAutoRun:149
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer->NoDriveTypeAutoRun:149
    ****************

    Risk category: Virus
    Overall Risk Impact: High
    Performance: High
    Privacy: High
    Removal: High
    Stealth: High
    Click for more information about this risk : W32.Rungbu
    Action taken: Fully removed
    Affected Areas:
    Files & Directories
    C:\Documents and Settings\Owner\Application Data\Microsoft\Templates\~$Normal.dot
    C:\Documents and Settings\Owner\Application Data\Microsoft\Proof\CUSTOM.DIC
    f:\bem lab.scr
    Registry Entries
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\11.0\Word\Text Converters
    HKEY_USERS\S-1-5-21-1645522239-1004336348-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\->Shell:Explorer.exe
    HKEY_USERS\S-1-5-21-1645522239-1004336348-725345543-1005\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\->Shell:Explorer.exe
    HKEY_USERS\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\->Shell:Explorer.exe
    HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\->Shell:Explorer.exe
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\->Shell:Explorer.exe
    HKEY_CLASSES_ROOT\*\->QuickTip:prop:Type;Size:Write
    HKEY_CLASSES_ROOT\*\->InfoTip:prop:Type;DocAuthor;DocTitle;DocSubject;DocCommnets;Write;Size
    HKEY_CLASSES_ROOT\scrfile\
    HKEY_CLASSES_ROOT\scrfile\shell\open\
    HKEY_CLASSES_ROOT\Word.Document.8\DefaultIcon\
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt\->UncheckedValue:0
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\->UncheckedValue:1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\->Userinit:C:\WINDOWS\system32\userinit.exe
    HKEY_USERS\S-1-5-21-1645522239-1004336348-725345543-1003\Software\Microsoft\Office\11.0\Word\->MTTF:32
    HKEY_USERS\S-1-5-21-1645522239-1004336348-725345543-1005\Software\Microsoft\Office\11.0\Word\->MTTF:32
    HKEY_USERS\S-1-5-21-1645522239-1004336348-725345543-1003\Software\Microsoft\Office\11.0\Word\->MTTA:32
    HKEY_USERS\S-1-5-21-1645522239-1004336348-725345543-1005\Software\Microsoft\Office\11.0\Word\->MTTA:32
    HKEY_USERS\S-1-5-21-1645522239-1004336348-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\->HideFileExt:0
    HKEY_USERS\S-1-5-21-1645522239-1004336348-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\->HideFileExt:0
    HKEY_USERS\S-1-5-21-1645522239-1004336348-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\->ShowSuperHidden:1
    HKEY_USERS\S-1-5-21-1645522239-1004336348-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\->ShowSuperHidden:1
    Processes & Start-Up Items
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    Network & Browser Items
    Browser Cache
    -***************



    HiJackThis and Deckards System Scanner
    ****************************************************


    Deckard's System Scanner v20071014.68
    Run by Owner on 2008-07-08 15:55:15
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 2 Restore Point(s) --
    2: 2008-07-08 13:55:20 UTC - RP2 - Deckard's System Scanner Restore Point
    1: 2008-07-08 10:53:16 UTC - RP1 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.



    -- HijackThis (run as Owner.exe) -----------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 15:58:11, on 08/07/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\OneTouchAccess.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\WINDOWS\System32\wudfhost.exe
    C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Owner\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
    O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe "
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe "
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe "
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [RCAutoLiveUpdate] C:\Program Files\Max Registry Cleaner\MaxLiveUpdateRC.exe -AUTO
    O4 - HKLM\..\Run: [RCSystemTray] C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [] (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [] (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-21-1645522239-1004336348-725345543-1005\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Watson')
    O4 - HKUS\S-1-5-21-1645522239-1004336348-725345543-1005\..\RunOnce: [] (User 'Watson')
    O4 - HKUS\S-1-5-21-1645522239-1004336348-725345543-500\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [] (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [] (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{26A94E28-7785-4C5D-A4FE-9257D234B2F7}: NameServer = 196.207.40.167 196.207.40.165
    O17 - HKLM\System\CS1\Services\Tcpip\..\{26A94E28-7785-4C5D-A4FE-9257D234B2F7}: NameServer = 196.207.40.167 196.207.40.165
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 10446 bytes

    -- File Associations -----------------------------------------------------------

    .bat - batfile - shell\edit\command - %SystemRoot%\System32\NOTEPAD.EXE %1 "
    .ini - inifile - shell\open\command - %SystemRoot%\System32\NOTEPAD.EXE %1 "
    .pif - piffile - shell\open\command - "%1" %* "
    .scr - scrfile - shell\open\command - unable to read value


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R0 iomdisk (Iomega Devices Disk Filter Services) - c:\windows\system32\drivers\iomdisk.sys <Not Verified; Iomega Corporation; Microsoft(R) Windows NT(R) Operating System>
    R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >

    S3 AEXPAM (Philips SmartManage Service) - c:\windows\system32\drivers\aexpamdrv.sys <Not Verified; Philips Consumer Electronics Co.; Philips SmartManage>
    S3 CpqDtct - c:\windows\system32\drivers\cpqdtct.sys (file missing)
    S3 GVCplDrv - c:\windows\system32\drivers\gvcpldrv.sys


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 Iomega App Services - "c:\progra~1\iomega\system32\appservices.exe" <Not Verified; Iomega Corporation; Iomega App Services>
    R3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>

    S4 Iomega Activity Disk2 - " "


    -- Device Manager: Disabled ----------------------------------------------------

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Intel(R) PRO/100 VM Network Connection
    Device ID: PCI\VEN_8086&DEV_103B&SUBSYS_00120E11&REV_81\4&25296D99&0&40F0
    Manufacturer: Intel
    Name: Intel(R) PRO/100 VM Network Connection
    PNP Device ID: PCI\VEN_8086&DEV_103B&SUBSYS_00120E11&REV_81\4&25296D99&0&40F0
    Service: E100B

    Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
    Description: PS/2 Compatible Mouse
    Device ID: ACPI\PNP0F13\4&36B16CB7&0
    Manufacturer: Microsoft
    Name: PS/2 Compatible Mouse
    PNP Device ID: ACPI\PNP0F13\4&36B16CB7&0
    Service: i8042prt

    Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
    Description: Nokia Windows Portable Device Driver
    Device ID: ROOT\WPD\0000
    Manufacturer: Nokia
    Name: Nokia 5140
    PNP Device ID: ROOT\WPD\0000
    Service: WUDFRd

    Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
    Description: Nokia Windows Portable Device Driver
    Device ID: ROOT\WPD\0001
    Manufacturer: Nokia
    Name: Nokia E90
    PNP Device ID: ROOT\WPD\0001
    Service: WUDFRd


    -- Scheduled Tasks -------------------------------------------------------------

    2008-07-08 12:55:03 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
    2008-07-07 21:07:04 622 --a------ C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Owner.job


    -- Files created between 2008-06-08 and 2008-07-08 -----------------------------

    2008-07-08 15:35:55 0 d-------- C:\WINDOWS\MaxSecureBackup
    2008-07-08 15:35:05 63 --a------ C:\WINDOWS\system\SYSRegC.dll
    2008-07-08 15:34:32 143360 --a------ C:\WINDOWS\system32\GetHardDiskNo.dll <Not Verified; MaxSecure Software; MaxSecure Registration Module>
    2008-07-08 15:34:32 0 d-------- C:\Program Files\Max Registry Cleaner
    2008-07-08 15:17:11 0 d-------- C:\WINDOWS\LastGood
    2008-07-08 13:35:41 0 d-------- C:\Program Files\Trend Micro
    2008-07-08 12:28:10 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-07-08 12:28:01 0 d-------- C:\Program Files\SUPERAntiSpyware
    2008-07-08 12:28:01 0 d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
    2008-07-08 11:11:55 0 d-------- C:\Documents and Settings\Administrator\Favorites
    2008-07-08 11:11:55 0 d-------- C:\Documents and Settings\Administrator\Desktop
    2008-07-08 11:11:55 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
    2008-07-08 11:11:55 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
    2008-07-08 11:11:55 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
    2008-07-08 11:11:54 0 d--h----- C:\Documents and Settings\Administrator\NetHood
    2008-07-08 11:11:54 0 d-------- C:\Documents and Settings\Administrator\My Documents
    2008-07-08 11:11:54 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
    2008-07-08 11:11:53 0 d--h----- C:\Documents and Settings\Administrator\Templates
    2008-07-08 11:11:53 0 dr------- C:\Documents and Settings\Administrator\Start Menu
    2008-07-08 11:11:53 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
    2008-07-08 11:11:53 0 d--h----- C:\Documents and Settings\Administrator\Recent
    2008-07-08 11:11:53 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
    2008-07-08 11:11:53 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
    2008-07-08 10:54:59 0 d-------- C:\WINDOWS\pss
    2008-07-07 17:28:08 77312 -r-hs---- C:\WINDOWS\system32\amvo1.dll
    2008-06-08 18:40:08 0 d-------- C:\Program Files\Sun


    -- Find3M Report ---------------------------------------------------------------

    2008-07-08 15:58:31 0 d-------- C:\Program Files\Common Files\Symantec Shared
    2008-07-08 14:58:58 0 d-------- C:\Program Files\CutStudio
    2008-07-08 12:53:14 0 d-------- C:\Documents and Settings\Owner\Application Data\Skype
    2008-07-08 12:27:48 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-07-08 10:49:29 0 d-------- C:\Documents and Settings\Owner\Application Data\skypePM
    2008-07-07 17:17:16 0 d-------- C:\Program Files\Symantec
    2008-06-08 18:38:47 0 d-------- C:\Program Files\Java
    2008-05-21 17:23:02 0 d-------- C:\Program Files\MSECache
    2008-05-12 10:12:46 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
    30/06/2008 13:44 349552 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
    27/02/2008 11:31 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} "= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll [30/06/2008 13:44 349552]

    [-HKEY_CLASSES_ROOT\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]
    [HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
    [HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Smapp "= "C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [05/05/2003 08:57]
    "DrvLsnr "= "C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [08/05/2003 11:34]
    "IgfxTray "= "C:\WINDOWS\system32\igfxtray.exe" [21/06/2005 16:48]
    "HotKeysCmds "= "C:\WINDOWS\system32\hkcmd.exe" [21/06/2005 16:44]
    "Windows Defender "= "C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 18:20]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25]
    "SSBkgdUpdate "= "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [28/09/2006 12:16]
    "OpwareSE4 "= "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [11/10/2006 11:45]
    "ISUSPM Startup "= "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [16/02/2005 15:15]
    "ISUSScheduler "= "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [16/02/2005 15:15]
    "PCSuiteTrayApplication "= "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [18/06/2007 15:10]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [24/02/2005 01:32]
    "nwiz "= "nwiz.exe" [24/02/2005 01:32 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [24/02/2005 01:32]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 22:16]
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [26/01/2008 03:47]
    "osCheck "= "C:\Program Files\Norton Internet Security\osCheck.exe" [07/02/2008 08:49]
    "MSConfig "= "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [27/09/2005 02:34]
    "RCAutoLiveUpdate "= "C:\Program Files\Max Registry Cleaner\MaxLiveUpdateRC.exe" [03/07/2008 11:59]
    "RCSystemTray "= "C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe" [03/07/2008 11:59]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [13/10/2004 18:24]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [09/09/2007 08:34]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [28/02/2006 14:00]
    "Skype "= "C:\Program Files\Skype\Phone\Skype.exe" [12/11/2007 15:48]
    "SUPERAntiSpyware "= "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [28/05/2008 10:33]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    @=

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Symantec NetDriver Warning "=C:\PROGRA~1\SYMNET~1\SNDWarn.exe
    "Nokia.PCSync "=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [12/01/2007 14:02:09]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableStatusMessages "=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools "=0 (0x0)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools "=0 (0x0)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [13/05/2008 10:13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls "=NVDESK32.DLL


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##Watson#Watson]
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17d76c86-01e4-11dc-803d-aa82df8813bf}]
    AutoRun\command- F:\AutoRun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{33bbd5fe-a713-11dc-80d5-8431c80ef68c}]
    AutoRun\command- F:\VMC_PBStarter.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3e3f5ac6-aac0-11db-bfe1-c54b0e6aef8c}]
    Auto\command- G:\prezoo.exe e
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL prezoo.exe e

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79d9af3b-a2f2-11db-bfc7-000802e1693e}]
    AutoRun\command- H:\AutoRun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aaa4702f-a521-11db-bfd8-000802e1693e}]
    AutoRun\command- F:\AutoRun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7646bbd-a22e-11db-bfb6-e86c177c9a9d}]
    AutoRun\command- F:\AutoRun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7646bbf-a22e-11db-bfb6-e86c177c9a9d}]
    AutoRun\command- F:\AutoRun.exe

    *Newly Created Service* - COMHOST



    -- End of Deckard's System Scanner: finished at 2008-07-08 15:59:39 ------------
     
    Watson,
    #1
  2. 2008/07/08
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS Watson :)

    Lets first fix the broken file assocations. Highlight and copy the bolded command below.

    "%userprofile%\desktop\dss.exe" /daft
    • Click Start>Run and paste the command in, then hit enter.
    • An interface of Deckards file association fix will open.
    • Click Scan.
    • Check the box next to the following entries, then click Fix.
      • .bat
      • .ini
      • .pif
      • .scr
    • Exit when complete.


    You have a flash drive infection. Please download Flash_Disinfector by sUBs and save it to your desktop:

    NOTE: In the event you already have Flash_Disinfector, this is a new version that I need you to download.

    • Plug in your USB flash drive.
    • Double-click Flash_Disinfector.exe to run it.
    • Follow any prompts that may appear.
    • Your desktop will vanish for a while, and then reappear. This is normal.
    • Wait until the program has finished scanning, then please exit the program. If you use more than 1 flash drive, run the tool with each plugged in.


    Now, lets go after the other infected files. Download ComboFix by sUBs from here, saving the file to your desktop.


    Please disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouseclick combofix's window while its running. That may cause it to stall
     
    noahdfear,
    #2


  3. to hide this advert.

  4. 2008/07/09
    Watson

    Watson Inactive Thread Starter

    Joined:
    2008/07/08
    Messages:
    9
    Likes Received:
    0
    Hi noahdfear,

    Thanks for the help. I got as far as downloading the flash_disinfector. When I run it NAV blocks the program and gives me the following message...

    Risk category: Virus
    Overall Risk Impact: High
    Performance: High
    Privacy: High
    Removal: High
    Stealth: High
    Click for more information about this risk : W32.SillyFDC
    Action taken: Blocked
    Affected Areas: c:\documents and settings\owner\local settings\temp\flash_disinfector.cmd
     
    Watson,
    #3
  5. 2008/07/09
    Watson

    Watson Inactive Thread Starter

    Joined:
    2008/07/08
    Messages:
    9
    Likes Received:
    0
    Ok. Ignore above post. I checked out the USB disinfector from Subs. I have done all of the above and below is the logs. Thanks for your help so far.

    ComboFix 08-07-08.5 - Owner 2008-07-09 10:38:40.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022 [GMT 2:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\autorun.inf
    D:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2008-06-09 to 2008-07-09 )))))))))))))))))))))))))))))))
    .

    2008-07-09 08:50 . 2007-12-24 17:37 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-07-09 08:44 . 2008-07-09 09:20 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\HouseCall 6.6
    2008-07-08 15:54 . 2008-07-08 15:54 <DIR> d-------- C:\Deckard
    2008-07-08 15:35 . 2008-07-08 15:35 <DIR> d-------- C:\WINDOWS\MaxSecureBackup
    2008-07-08 15:35 . 2008-07-08 15:35 63 --a------ C:\WINDOWS\system\SYSRegC.dll
    2008-07-08 15:34 . 2008-07-08 16:44 <DIR> d-------- C:\Program Files\Max Registry Cleaner
    2008-07-08 15:34 . 2007-05-24 16:57 143,360 --a------ C:\WINDOWS\system32\GetHardDiskNo.dll
    2008-07-08 13:35 . 2008-07-08 13:35 <DIR> d-------- C:\Program Files\Trend Micro
    2008-07-08 12:28 . 2008-07-08 12:28 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-07-08 12:28 . 2008-07-08 12:28 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
    2008-07-08 12:28 . 2008-07-08 12:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-07-08 11:11 . 2008-07-08 11:11 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-06-22 09:28 . 2008-06-13 15:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-22 09:28 . 2008-06-13 15:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
    2008-06-13 14:45 . 2008-06-13 14:45 579,464 --a------ C:\WINDOWS\system32\SymNeti.dll
    2008-06-13 14:45 . 2008-06-13 14:45 207,240 --a------ C:\WINDOWS\system32\SymRedir.dll
    2008-06-13 14:14 . 2008-06-13 14:14 31,280 --a------ C:\WINDOWS\system32\drivers\SymIM.sys
    2008-06-13 14:14 . 2008-06-13 14:14 13,093 --a------ C:\WINDOWS\system32\drivers\SymRedir.cat
    2008-06-13 14:14 . 2008-06-13 14:14 1,611 --a------ C:\WINDOWS\system32\drivers\SymRedir.inf
    2008-06-13 14:13 . 2008-06-13 14:13 184,240 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
    2008-06-13 14:13 . 2008-06-13 14:13 96,432 --a------ C:\WINDOWS\system32\drivers\symfw.sys
    2008-06-13 14:13 . 2008-06-13 14:13 41,008 --a------ C:\WINDOWS\system32\drivers\symndisv.sys
    2008-06-13 14:13 . 2008-06-13 14:13 38,576 --a------ C:\WINDOWS\system32\drivers\symids.sys
    2008-06-13 14:13 . 2008-06-13 14:13 37,424 --a------ C:\WINDOWS\system32\drivers\symndis.sys
    2008-06-13 14:13 . 2008-06-13 14:13 22,320 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
    2008-06-13 14:13 . 2008-06-13 14:13 13,616 --a------ C:\WINDOWS\system32\drivers\symdns.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-09 08:23 --------- d-----w C:\Documents and Settings\Owner\Application Data\Skype
    2008-07-09 08:10 --------- d-----w C:\Documents and Settings\Owner\Application Data\skypePM
    2008-07-09 06:44 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-07-08 12:58 --------- d-----w C:\Program Files\CutStudio
    2008-07-08 10:27 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-07-07 15:17 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
    2008-07-07 15:17 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
    2008-07-07 15:17 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2008-07-07 15:17 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
    2008-07-07 15:17 --------- d-----w C:\Program Files\Symantec
    2008-06-08 16:40 --------- d-----w C:\Program Files\Sun
    2008-06-08 16:38 --------- d-----w C:\Program Files\Java
    2008-05-21 15:23 --------- d-----w C:\Program Files\MSECache
    2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
    2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2007-12-07 09:22 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
    2006-09-07 11:59 384 --sha-r C:\WINDOWS\inf\sdatabl.sav.bin
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-09 08:34 68856]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 14:00 15360]
    "Skype "= "C:\Program Files\Skype\Phone\Skype.exe" [2007-11-12 15:48 21760296]
    "SUPERAntiSpyware "= "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Smapp "= "C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 08:57 143360]
    "DrvLsnr "= "C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 11:34 69632]
    "IgfxTray "= "C:\WINDOWS\system32\igfxtray.exe" [2005-06-21 16:48 155648]
    "HotKeysCmds "= "C:\WINDOWS\system32\hkcmd.exe" [2005-06-21 16:44 126976]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
    "SSBkgdUpdate "= "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 12:16 185896]
    "OpwareSE4 "= "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 11:45 75304]
    "ISUSPM Startup "= "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 15:15 221184]
    "ISUSScheduler "= "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 15:15 81920]
    "PCSuiteTrayApplication "= "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10 271360]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [2005-02-24 01:32 5537792]
    "NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [2005-02-24 01:32 86016]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-26 03:47 51048]
    "osCheck "= "C:\Program Files\Norton Internet Security\osCheck.exe" [2008-02-07 08:49 718704]
    "nwiz "= "nwiz.exe" [2005-02-24 01:32 1495040 C:\WINDOWS\system32\nwiz.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 14:00 15360]
    "Symantec NetDriver Warning "= "C:\PROGRA~1\SYMNET~1\SNDWarn.exe" [2004-10-29 08:52 218232]
    "Nokia.PCSync "= "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-12 14:02:09 113664]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableStatusMessages "= 0 (0x0)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=NVDESK32.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\WINDOWS\\system32\\usmt\\migwiz.exe "=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe "=

    R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-26 03:47]
    S3 AEXPAM;Philips SmartManage Service;C:\WINDOWS\system32\Drivers\aexpamdrv.sys [2005-12-20 09:57]
    S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
    S3 CpqDtct;CpqDtct;C:\WINDOWS\system32\Drivers\Cpqdtct.sys []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##Watson#Watson]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17d76c86-01e4-11dc-803d-aa82df8813bf}]
    \Shell\AutoRun\command - F:\AutoRun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{33bbd5fe-a713-11dc-80d5-8431c80ef68c}]
    \Shell\AutoRun\command - F:\VMC_PBStarter.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3e3f5ac6-aac0-11db-bfe1-c54b0e6aef8c}]
    \Shell\Auto\command - G:\prezoo.exe e
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL prezoo.exe e

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79d9af3b-a2f2-11db-bfc7-000802e1693e}]
    \Shell\AutoRun\command - H:\AutoRun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aaa4702f-a521-11db-bfd8-000802e1693e}]
    \Shell\AutoRun\command - F:\AutoRun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7646bbd-a22e-11db-bfb6-e86c177c9a9d}]
    \Shell\AutoRun\command - F:\AutoRun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7646bbf-a22e-11db-bfb6-e86c177c9a9d}]
    \Shell\AutoRun\command - F:\AutoRun.exe

    *Newly Created Service* - CATCHME
    *Newly Created Service* - COMHOST
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-07-09 08:12:30 C:\WINDOWS\Tasks\MP Scheduled Scan.job "
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    "2008-07-07 19:07:04 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Owner.job "
    - C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-09 10:40:53
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Iomega Activity Disk2]
    "ImagePath "= "\ "\" "
    .
    Completion time: 2008-07-09 10:41:54
    ComboFix-quarantined-files.txt 2008-07-09 08:41:49

    Pre-Run: 9,214,377,984 bytes free
    Post-Run: 9,246,208,000 bytes free

    163 --- E O F --- 2008-06-26 12:14:41





    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:47:51, on 09/07/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\OneTouchAccess.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
    O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe "
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe "
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [] (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [] (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [] (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [] (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 8996 bytes
     
    Watson,
    #4
  6. 2008/07/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please make sure that drive G: is attached prior to doing the following.

    Once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
G:\prezoo.exe
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##Watson#Watson]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3e3f5ac6-aac0-11db-bfe1-c54b0e6aef8c}]
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
     
    noahdfear,
    #5
  7. 2008/07/10
    Watson

    Watson Inactive Thread Starter

    Joined:
    2008/07/08
    Messages:
    9
    Likes Received:
    0
    Hi noahdfear,

    Again thanks for your help and assistance. The pc did not reboot. Below is the combo fix log and hijackthis below it.


    ComboFix 08-07-08.5 - Owner 2008-07-10 8:16:55.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1035 [GMT 2:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    G:\prezoo.exe
    .

    ((((((((((((((((((((((((( Files Created from 2008-06-10 to 2008-07-10 )))))))))))))))))))))))))))))))
    .

    2008-07-09 11:25 . 2008-07-09 11:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Nokia
    2008-07-09 08:50 . 2007-12-24 17:37 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-07-09 08:44 . 2008-07-09 09:20 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\HouseCall 6.6
    2008-07-08 15:54 . 2008-07-08 15:54 <DIR> d-------- C:\Deckard
    2008-07-08 15:35 . 2008-07-08 15:35 <DIR> d-------- C:\WINDOWS\MaxSecureBackup
    2008-07-08 15:35 . 2008-07-08 15:35 63 --a------ C:\WINDOWS\system\SYSRegC.dll
    2008-07-08 15:34 . 2008-07-08 16:44 <DIR> d-------- C:\Program Files\Max Registry Cleaner
    2008-07-08 15:34 . 2007-05-24 16:57 143,360 --a------ C:\WINDOWS\system32\GetHardDiskNo.dll
    2008-07-08 13:35 . 2008-07-08 13:35 <DIR> d-------- C:\Program Files\Trend Micro
    2008-07-08 12:28 . 2008-07-08 12:28 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-07-08 12:28 . 2008-07-08 12:28 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
    2008-07-08 12:28 . 2008-07-08 12:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-07-08 11:11 . 2008-07-08 11:11 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-06-22 09:28 . 2008-06-13 15:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-22 09:28 . 2008-06-13 15:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
    2008-06-13 14:45 . 2008-06-13 14:45 579,464 --a------ C:\WINDOWS\system32\SymNeti.dll
    2008-06-13 14:45 . 2008-06-13 14:45 207,240 --a------ C:\WINDOWS\system32\SymRedir.dll
    2008-06-13 14:14 . 2008-06-13 14:14 31,280 --a------ C:\WINDOWS\system32\drivers\SymIM.sys
    2008-06-13 14:14 . 2008-06-13 14:14 13,093 --a------ C:\WINDOWS\system32\drivers\SymRedir.cat
    2008-06-13 14:14 . 2008-06-13 14:14 1,611 --a------ C:\WINDOWS\system32\drivers\SymRedir.inf
    2008-06-13 14:13 . 2008-06-13 14:13 184,240 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
    2008-06-13 14:13 . 2008-06-13 14:13 96,432 --a------ C:\WINDOWS\system32\drivers\symfw.sys
    2008-06-13 14:13 . 2008-06-13 14:13 41,008 --a------ C:\WINDOWS\system32\drivers\symndisv.sys
    2008-06-13 14:13 . 2008-06-13 14:13 38,576 --a------ C:\WINDOWS\system32\drivers\symids.sys
    2008-06-13 14:13 . 2008-06-13 14:13 37,424 --a------ C:\WINDOWS\system32\drivers\symndis.sys
    2008-06-13 14:13 . 2008-06-13 14:13 22,320 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
    2008-06-13 14:13 . 2008-06-13 14:13 13,616 --a------ C:\WINDOWS\system32\drivers\symdns.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-10 02:36 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-07-09 09:57 --------- d-----w C:\Documents and Settings\Owner\Application Data\Skype
    2008-07-09 08:10 --------- d-----w C:\Documents and Settings\Owner\Application Data\skypePM
    2008-07-08 12:58 --------- d-----w C:\Program Files\CutStudio
    2008-07-08 10:27 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-07-07 15:17 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
    2008-07-07 15:17 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
    2008-07-07 15:17 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2008-07-07 15:17 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
    2008-07-07 15:17 --------- d-----w C:\Program Files\Symantec
    2008-06-08 16:40 --------- d-----w C:\Program Files\Sun
    2008-06-08 16:38 --------- d-----w C:\Program Files\Java
    2008-05-21 15:23 --------- d-----w C:\Program Files\MSECache
    2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
    2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2007-12-07 09:22 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
    2006-09-07 11:59 384 --sha-r C:\WINDOWS\inf\sdatabl.sav.bin
    .

    ((((((((((((((((((((((((((((( snapshot@2008-07-09_10.41.33.32 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-07-09 08:09:10 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-07-09 09:54:17 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-09 08:34 68856]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 14:00 15360]
    "Skype "= "C:\Program Files\Skype\Phone\Skype.exe" [2007-11-12 15:48 21760296]
    "SUPERAntiSpyware "= "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Smapp "= "C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 08:57 143360]
    "DrvLsnr "= "C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 11:34 69632]
    "IgfxTray "= "C:\WINDOWS\system32\igfxtray.exe" [2005-06-21 16:48 155648]
    "HotKeysCmds "= "C:\WINDOWS\system32\hkcmd.exe" [2005-06-21 16:44 126976]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
    "SSBkgdUpdate "= "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 12:16 185896]
    "OpwareSE4 "= "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 11:45 75304]
    "ISUSPM Startup "= "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 15:15 221184]
    "ISUSScheduler "= "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 15:15 81920]
    "PCSuiteTrayApplication "= "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10 271360]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [2005-02-24 01:32 5537792]
    "NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [2005-02-24 01:32 86016]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-26 03:47 51048]
    "osCheck "= "C:\Program Files\Norton Internet Security\osCheck.exe" [2008-02-07 08:49 718704]
    "nwiz "= "nwiz.exe" [2005-02-24 01:32 1495040 C:\WINDOWS\system32\nwiz.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 14:00 15360]
    "Symantec NetDriver Warning "= "C:\PROGRA~1\SYMNET~1\SNDWarn.exe" [2004-10-29 08:52 218232]
    "Nokia.PCSync "= "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-12 14:02:09 113664]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableStatusMessages "= 0 (0x0)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=NVDESK32.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\WINDOWS\\system32\\usmt\\migwiz.exe "=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe "=

    R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-26 03:47]
    S3 AEXPAM;Philips SmartManage Service;C:\WINDOWS\system32\Drivers\aexpamdrv.sys [2005-12-20 09:57]
    S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
    S3 CpqDtct;CpqDtct;C:\WINDOWS\system32\Drivers\Cpqdtct.sys []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17d76c86-01e4-11dc-803d-aa82df8813bf}]
    \Shell\AutoRun\command - F:\AutoRun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{257b663c-a233-11db-bfb7-dba39e40f29b}]
    \Shell\AutoRun\command - qxbx9blb.com
    \Shell\explore\Command - qxbx9blb.com
    \Shell\open\Command - qxbx9blb.com

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{33bbd5fe-a713-11dc-80d5-8431c80ef68c}]
    \Shell\AutoRun\command - F:\VMC_PBStarter.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79d9af3b-a2f2-11db-bfc7-000802e1693e}]
    \Shell\AutoRun\command - H:\AutoRun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aaa4702f-a521-11db-bfd8-000802e1693e}]
    \Shell\AutoRun\command - F:\AutoRun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7646bbd-a22e-11db-bfb6-e86c177c9a9d}]
    \Shell\AutoRun\command - F:\AutoRun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7646bbf-a22e-11db-bfb6-e86c177c9a9d}]
    \Shell\AutoRun\command - F:\AutoRun.exe

    *Newly Created Service* - COMHOST
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-07-10 00:26:00 C:\WINDOWS\Tasks\MP Scheduled Scan.job "
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    "2008-07-07 19:07:04 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Owner.job "
    - C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-10 08:18:44
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Iomega Activity Disk2]
    "ImagePath "= "\ "\" "
    .
    Completion time: 2008-07-10 8:20:09
    ComboFix-quarantined-files.txt 2008-07-10 06:19:50
    ComboFix2.txt 2008-07-09 08:41:56

    Pre-Run: 9,220,640,768 bytes free
    Post-Run: 9,289,043,968 bytes free

    166 --- E O F --- 2008-06-26 12:14:41


    ************************************************************************************************

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 08:22:24, on 10/07/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\OneTouchAccess.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
    O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe "
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe "
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [] (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [] (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [] (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [] (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{26A94E28-7785-4C5D-A4FE-9257D234B2F7}: NameServer = 196.207.40.167 196.207.40.165
    O17 - HKLM\System\CS1\Services\Tcpip\..\{26A94E28-7785-4C5D-A4FE-9257D234B2F7}: NameServer = 196.207.40.167 196.207.40.165
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 9272 bytes




    ************************************


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 08:22:24, on 10/07/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\OneTouchAccess.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
    O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe "
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe "
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [] (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [] (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [] (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [] (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{26A94E28-7785-4C5D-A4FE-9257D234B2F7}: NameServer = 196.207.40.167 196.207.40.165
    O17 - HKLM\System\CS1\Services\Tcpip\..\{26A94E28-7785-4C5D-A4FE-9257D234B2F7}: NameServer = 196.207.40.167 196.207.40.165
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 9272 bytes
     
    Watson,
    #6
  8. 2008/07/10
    Watson

    Watson Inactive Thread Starter

    Joined:
    2008/07/08
    Messages:
    9
    Likes Received:
    0
    Hi noahdfear,

    Something else that I have realized is that I can not connect to Symantec. The Web browser says "Internet Explorer cannot display the webpage ". Which leads me to the fact that I am possibly not able to get the most recent virus signatures through live update.

    Maybe I am paranoid and then a again this might be the state of affairs concerning a pc and being on line with MS ;-) and and and or symantec.

    My subscription as it would have it, runs out in 26 days. I have however run intelligent updater but NAV states that my subscription has expired although I have 26 days to go. Go figure....

    Maybe there is a bit of fine print that I missed on the way, but I guess the end result is that I am being royally shafted.

    But again thanks for your help mate. Thank you.

    Any advice or help you can give is welcome.

    Thank you.
     
    Watson,
    #7
  9. 2008/07/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You have another new entry that needs to go. Please delete the ComboFix.exe file you currently have and download a fresh copy from here, saving it to your desktop.

    Once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{257b663c-a233-11db-bfb7-dba39e40f29b}]
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.


    Please copy the following command and click Start>Run, paste the command in then hit Enter.

    notepad %systemroot%\system32\drivers\etc\hosts

    When the hosts file opens, copy it's content and post it here please.
     
    noahdfear,
    #8
  10. 2008/07/11
    Watson

    Watson Inactive Thread Starter

    Joined:
    2008/07/08
    Messages:
    9
    Likes Received:
    0
    Hi there. Thanks. See below

    ComboFix 08-07-08.5 - Owner 2008-07-11 8:19:43.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1082 [GMT 2:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-06-11 to 2008-07-11 )))))))))))))))))))))))))))))))
    .

    2008-07-11 05:53 . 2008-07-11 07:38 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
    2008-07-10 15:09 . 2008-07-10 15:12 <DIR> d-------- C:\Program Files\Norton Internet Security
    2008-07-10 15:08 . 2006-01-06 17:54 107,696 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2008-07-10 15:08 . 2006-01-06 17:54 87,808 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
    2008-07-10 15:00 . 2008-07-10 15:00 <DIR> d-------- C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP
    2008-07-09 11:25 . 2008-07-09 11:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Nokia
    2008-07-09 08:44 . 2008-07-09 09:20 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\HouseCall 6.6
    2008-07-08 15:54 . 2008-07-08 15:54 <DIR> d-------- C:\Deckard
    2008-07-08 15:35 . 2008-07-08 15:35 <DIR> d-------- C:\WINDOWS\MaxSecureBackup
    2008-07-08 15:35 . 2008-07-08 15:35 63 --a------ C:\WINDOWS\system\SYSRegC.dll
    2008-07-08 15:34 . 2008-07-08 16:44 <DIR> d-------- C:\Program Files\Max Registry Cleaner
    2008-07-08 15:34 . 2007-05-24 16:57 143,360 --a------ C:\WINDOWS\system32\GetHardDiskNo.dll
    2008-07-08 13:35 . 2008-07-08 13:35 <DIR> d-------- C:\Program Files\Trend Micro
    2008-07-08 12:28 . 2008-07-08 12:28 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-07-08 12:28 . 2008-07-08 12:28 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
    2008-07-08 12:28 . 2008-07-08 12:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-07-08 11:11 . 2008-07-08 11:11 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-06-22 09:28 . 2008-06-13 15:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-22 09:28 . 2008-06-13 15:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-11 06:18 --------- d-----w C:\Documents and Settings\Owner\Application Data\Skype
    2008-07-11 06:17 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-07-11 06:16 --------- d-----w C:\Documents and Settings\Owner\Application Data\skypePM
    2008-07-10 13:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2008-07-10 13:11 --------- d-----w C:\Program Files\Symantec
    2008-07-08 12:58 --------- d-----w C:\Program Files\CutStudio
    2008-07-08 10:27 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-06-08 16:40 --------- d-----w C:\Program Files\Sun
    2008-06-08 16:38 --------- d-----w C:\Program Files\Java
    2008-05-21 15:23 --------- d-----w C:\Program Files\MSECache
    2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
    2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2007-12-07 09:22 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
    2006-09-07 11:59 384 --sha-r C:\WINDOWS\inf\sdatabl.sav.bin
    .

    ((((((((((((((((((((((((((((( snapshot@2008-07-09_10.41.33.32 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-07-09 08:09:10 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-07-11 03:06:00 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-05-02 12:22:56 385,536 ----a-w C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
    + 2008-07-10 13:00:54 22,016 ----a-w C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP\WiseCustomCall.dll
    + 2008-07-10 13:11:29 10,134 ----a-r C:\WINDOWS\Installer\{77772678-817F-4401-9301-ED1D01A8DA56}\ARPPRODUCTICON.exe
    - 2008-06-13 12:13:38 13,616 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
    + 2006-01-30 13:22:15 12,992 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
    - 2008-06-13 12:13:38 96,432 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
    + 2006-01-30 13:22:15 110,784 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
    - 2008-06-13 12:13:38 38,576 ----a-w C:\WINDOWS\system32\drivers\symids.sys
    + 2006-01-30 13:22:15 31,936 ----a-w C:\WINDOWS\system32\drivers\symids.sys
    - 2008-06-13 12:13:38 37,424 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
    + 2006-01-30 13:22:15 28,352 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
    - 2008-06-13 12:13:38 22,320 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
    + 2006-01-30 13:22:15 24,768 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
    - 2008-06-13 12:13:40 184,240 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
    + 2006-01-30 13:22:15 195,776 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
    + 2008-07-10 13:34:19 4,960 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
    - 2008-06-13 12:45:48 579,464 ----a-w C:\WINDOWS\system32\SymNeti.dll
    + 2006-01-30 13:22:15 534,208 ----a-w C:\WINDOWS\system32\SymNeti.dll
    - 2008-06-13 12:45:44 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
    + 2006-01-30 13:22:15 161,472 ----a-w C:\WINDOWS\system32\SymRedir.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-09 08:34 68856]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 14:00 15360]
    "Skype "= "C:\Program Files\Skype\Phone\Skype.exe" [2007-11-12 15:48 21760296]
    "SUPERAntiSpyware "= "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Smapp "= "C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 08:57 143360]
    "DrvLsnr "= "C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 11:34 69632]
    "IgfxTray "= "C:\WINDOWS\system32\igfxtray.exe" [2005-06-21 16:48 155648]
    "HotKeysCmds "= "C:\WINDOWS\system32\hkcmd.exe" [2005-06-21 16:44 126976]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
    "SSBkgdUpdate "= "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 12:16 185896]
    "OpwareSE4 "= "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 11:45 75304]
    "ISUSPM Startup "= "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 15:15 221184]
    "ISUSScheduler "= "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 15:15 81920]
    "PCSuiteTrayApplication "= "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10 271360]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [2005-02-24 01:32 5537792]
    "NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [2005-02-24 01:32 86016]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
    "Symantec PIF AlertEng "= "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2007-03-12 17:30 517768]
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-01-11 20:55 52896]
    "nwiz "= "nwiz.exe" [2005-02-24 01:32 1495040 C:\WINDOWS\system32\nwiz.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 14:00 15360]
    "Symantec NetDriver Warning "= "C:\PROGRA~1\SYMNET~1\SNDWarn.exe" [2004-10-29 08:52 218232]
    "Nokia.PCSync "= "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-12 14:02:09 113664]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableStatusMessages "= 0 (0x0)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=NVDESK32.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\WINDOWS\\system32\\usmt\\migwiz.exe "=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe "=

    S3 AEXPAM;Philips SmartManage Service;C:\WINDOWS\system32\Drivers\aexpamdrv.sys [2005-12-20 09:57]
    S3 CpqDtct;CpqDtct;C:\WINDOWS\system32\Drivers\Cpqdtct.sys []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17d76c86-01e4-11dc-803d-aa82df8813bf}]
    \Shell\AutoRun\command - F:\AutoRun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{33bbd5fe-a713-11dc-80d5-8431c80ef68c}]
    \Shell\AutoRun\command - F:\VMC_PBStarter.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79d9af3b-a2f2-11db-bfc7-000802e1693e}]
    \Shell\AutoRun\command - H:\AutoRun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aaa4702f-a521-11db-bfd8-000802e1693e}]
    \Shell\AutoRun\command - F:\AutoRun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7646bbd-a22e-11db-bfb6-e86c177c9a9d}]
    \Shell\AutoRun\command - F:\AutoRun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7646bbf-a22e-11db-bfb6-e86c177c9a9d}]
    \Shell\AutoRun\command - F:\AutoRun.exe

    *Newly Created Service* - COMHOST
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-07-11 03:09:14 C:\WINDOWS\Tasks\MP Scheduled Scan.job "
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    "2008-07-10 13:20:38 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job "
    - C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-11 08:21:41
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Iomega Activity Disk2]
    "ImagePath "= "\ "\" "
    .
    Completion time: 2008-07-11 8:23:21
    ComboFix-quarantined-files.txt 2008-07-11 06:23:11
    ComboFix2.txt 2008-07-10 06:20:11
    ComboFix3.txt 2008-07-09 08:41:56

    Pre-Run: 9,186,304,000 bytes free
    Post-Run: 9,400,307,712 bytes free

    168 --- E O F --- 2008-06-26 12:14:41




    *****************************************


    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    127.0.0.1 localhost
     
    Watson,
    #9
  11. 2008/07/11
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please upload the following files to my submission channel for analysis. Leave a link back to this topic.

    C:\WINDOWS\Installer\{77772678-817F-4401-9301-ED1D01A8DA56}\ARPPRODUCTICON.exe
    C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP << whatever files are in this folder

    Thanks!


    Download ATF Cleaner by Atribune and save it to your Desktop.
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    • The rest are optional - if you want it to remove everything check "Select All ". It would be good to clear cookies as well, but be warned - sites that automatically log you in use cookies to do so, and you will be required to enter your password again.
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK then exit.
    Reboot


    Now, lets see if we're missing something. Please scan with Kaspersky WebScanner

    You will be promted to install an ActiveX component from Kaspersky, Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
        Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • This will program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.

    Post the Kaspersky log here. Let me know if you can access the Symantec site now.
     
    noahdfear,
    #10
  12. 2008/07/15
    Watson

    Watson Inactive Thread Starter

    Joined:
    2008/07/08
    Messages:
    9
    Likes Received:
    0
    Hi noahdfear,

    I posted a reply but was told that I was not logged in so I will post again. Sorry for the delay in posting but I have been very busy the last couple of days.

    Ok.

    1. C:\WINDOWS\Installer\{77772678-817F-4401-9301-ED1D01A8DA56}\ARPPRODUCTICON.exe

    This location does not exsist on my pc. I however found the program under "C:\Documents and Settings\Owner\Application Data\Microsoft\Installer\{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA} ".
    This I have uploaded to "my submission channel "

    In this folder was another shortcut called "Shortcut0.C3A146F5_4B48_11D5_A819_00B0D0428C0C.exe" Do you want to see this file to?

    In properties it comes from Install Shield Corp. File size is 64kb.

    2. C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP

    The only file that is in this directory is "WiseCustomCall.dll ". This I have uploaded.

    I have run Kaspersky WebScanner. The log was to big to paste into this post (164 000 characters). I have uploaded it to "my submission channel ". Hope this works.

    Before receiving your last post I did a scan with Trend Micro House call, after which I was able to access symantec. Was unable to get a log from Trend Micro though.

    Thats it. Thanks
     
    Watson,
    #11
  13. 2008/07/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Thanks for the uploads. Files all appear related to the Wise installer and are fine.

    Kaspersky shows only a couple of infected files in Norton's quarantine. Remove those via the Norton interface.

    Lets finish up now. Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing any infected files there as well. The C:\Deckard's folder will also be removed. You can delete any logs that were created/saved too.

    Let me know how your computer is running now.
     
    noahdfear,
    #12
  14. 2008/07/16
    Watson

    Watson Inactive Thread Starter

    Joined:
    2008/07/08
    Messages:
    9
    Likes Received:
    0
    Hi noahdfear,

    I have removed combo fix and deckard. My pc seems to be working normal again.

    I wonder why I got infected in the first place when Norton should have detected the threat. In any event I guess there is not always a reasonable explanation for it.

    Again thanks for your help and proffesional attitude, especially since it is for free!
     
    Watson,
    #13
  15. 2008/07/16
    Watson

    Watson Inactive Thread Starter

    Joined:
    2008/07/08
    Messages:
    9
    Likes Received:
    0
    Resolved!

    12345
     
    Last edited: 2008/07/16
    Watson,
    #14
  16. 2008/07/16
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    noahdfear,
    #15

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...