
Need help dealing with some nasty Trojans

Discussion in 'Malware and Virus Removal Archive' started by Mandingos, 2006/02/20.

  1. 2006/02/20
    Mandingos

    Mandingos Inactive Thread Starter

    Joined:
    2006/02/20
    Messages:
    13
    Likes Received:
    0
    About a week ago my computer was infected by a multitude of spyware and trojans. I have since tried everything possible to clean them off of my computer. I've used ewido, Ad-Aware, Norton, Sysclean, and Spybot multiple times and they always seem to find something new. At first, I could only start my computer in safe mode without it freezing; however, now I am able to log on normally but there are definitely still some issues. Somehow, my Norton AV was tampered with and now it won't auto-protect. Also, sometimes I get the message "This document contains no data" when trying to access a website.

    EDIT: I just noticed that my device manager is completely empty as well.

    Here's my current Hijack this log:

    Logfile of HijackThis v1.99.1
    Scan saved at 5:25:13 PM, on 2/20/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton Internet Security\ISSVC.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\AlienAutopsy\Test_BS.exe
    C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\My Downloads\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQNet.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe "
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [AlienAutopsy] "C:\Program Files\AlienAutopsy\Test_BS.exe" -h
    O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Plug-in 1.4.0) -
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe

    Thanks in advance for any help.
     
    Last edited: 2006/02/20
  2. 2006/02/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS, Mandingos :)

    An empty device manager is a sign of the Apropos infection.

    You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

    Please download AproposFix from here:
    http://swandog46.geekstogo.com/aproposfix.exe

    Save it to your desktop but do NOT run it yet.

    Then please reboot your computer in Safe Mode by doing the following:
    1) Restart your computer
    2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3) Instead of Windows loading as normal, a menu should appear
    4) Select the first option, to run Windows in Safe Mode.


    Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

    When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.
     


  4. 2006/02/20
    Mandingos

    Mandingos Inactive Thread Starter

    Joined:
    2006/02/20
    Messages:
    13
    Likes Received:
    0
    Alright, I did exactly what you said, but it didn't seem to have any effect. Here are the logs:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:47:31 PM, on 2/20/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton Internet Security\ISSVC.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\AlienAutopsy\Test_BS.exe
    C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Common Files\Symantec Shared\NMain.exe
    C:\My Downloads\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQNet.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe "
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [AlienAutopsy] "C:\Program Files\AlienAutopsy\Test_BS.exe" -h
    O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Plug-in 1.4.0) -
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe


    And the AproposFix log:

    Log of AproposFix v1.1

    ************

    Running from directory:
    C:\Documents and Settings\Reginald.JARED\Desktop\aproposfix

    ************



    Registry entries found:


    ************

    No service found!

    Removing hidden folder:
    No folder found!

    Deleting files:


    Backing up files:
    Done!

    Removing registry entries:

    REGEDIT4


    Done!

    Finished!


    I also received this message when scanning with HijackThis:

    An unexpected error has occurred at procedure: modMain_CheckOther14Item()
    Error #62 - Input past end of file

    Please email me at merijn@spywareinfo.com, reporting the following:
    * What you were trying to fix when the error occurred, if applicable
    * How you can reproduce the error
    * A complete HijackThis scan log, if possible

    Windows version: Windows NT 5.01.2600
    MSIE version: 6.0.2900.2180
    HijackThis version: 1.99.1

    This message has been copied to your clipboard.
    Click OK to continue the rest of the scan.
     
  5. 2006/02/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Just to make double sure, please do the following two things.

    Download "Registry Search Tool" (RegSrch.vbs) from here
    http://www.billsway.com/vbspage/
    Start it and paste in adchannel. Wait for it to complete the search, then click OK at the prompt. When/if WordPad opens, copy that back here please.

    Please download Rootkit Revealer (link is at the very bottom of the page)
    • Unzip it to your desktop.
    • Open the rootkitrevealer folder and double-click rootkitrevealer.exe
    • Click the Scan button (bottom right)
    • It may take a while to scan (don't do anything while it's running)
    • When it's done, go up to File > Save. Choose to save it to your desktop.
    • Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here

    Please tell us in detail exactly what symptoms/problems you are having.
     
  6. 2006/02/20
    Mandingos

    Mandingos Inactive Thread Starter

    Joined:
    2006/02/20
    Messages:
    13
    Likes Received:
    0
    The empty device manager is the biggest problem I've noticed. My sound is also not working; I get error messages when trying to play music or movies that say I don't have a working sound driver. My Norton Internet Security is also working improperly: when I try to turn on auto-protect (which was turned off by the spyware), I get an error message saying that there is an internal problem. Until today, when I would turn on the computer it would only show the wallpaper, nothing else. When I was finally able to get to the desktop, webpages wouldn't load; it would say that the document contained no data. I think the first spyware I actually noticed when this began was SpySheriff, but I know it wasn't the only one. As a result, the symptoms the computer has been experiencing haven't really stayed the same, so it's hard to pinpoint them.

    When I used the reg. search tool for adchannel, nothing was found and WordPad did not open. Here is the log from RootkitRevealer:

    HKLM\SYSTEM\ControlSet001\Services\sysbus32 2/16/2006 6:50 PM 0 bytes Hidden from Windows API.
    HKLM\SYSTEM\ControlSet002\Services\d347prt\Cfg\0Jf40 12/17/2005 2:54 AM 0 bytes Hidden from Windows API.
    HKLM\SYSTEM\ControlSet002\Services\sysbus32 2/20/2006 9:56 PM 0 bytes Hidden from Windows API.
    HKLM\SYSTEM\ControlSet003\Services\sysbus32 2/20/2006 9:56 PM 0 bytes Hidden from Windows API.
    C:\Documents and Settings\Administrator.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys 2/17/2006 12:19 AM 0 bytes Hidden from Windows API.
    C:\Documents and Settings\Administrator.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#video.google.com 2/17/2006 12:19 AM 0 bytes Hidden from Windows API.
    C:\Documents and Settings\Administrator.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#video.google.com\settings.sol 2/17/2006 12:19 AM 86 bytes Hidden from Windows API.
    C:\Documents and Settings\Administrator.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol 2/17/2006 12:19 AM 382 bytes Hidden from Windows API.
    C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys 8/16/2005 4:28 PM 0 bytes Hidden from Windows API.
    C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol 2/16/2006 8:56 PM 300 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys 2/13/2006 10:33 PM 0 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#battleon.com 7/25/2005 6:53 PM 0 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#battleon.com\settings.sol 7/25/2005 6:53 PM 82 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bestbuy.com 1/3/2006 2:58 AM 0 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bestbuy.com\settings.sol 1/3/2006 2:58 AM 81 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#dvlabs.com 11/23/2004 1:30 PM 0 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#dvlabs.com\settings.sol 11/23/2004 1:30 PM 80 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#espn.go.com 12/24/2005 4:10 PM 0 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#espn.go.com\settings.sol 12/24/2005 4:10 PM 81 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#flattv.philips.com 12/25/2005 7:42 PM 0 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#flattv.philips.com\settings.sol 12/25/2005 7:42 PM 88 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#fullsail.com 1/17/2006 4:17 PM 0 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#fullsail.com\settings.sol 1/17/2006 4:17 PM 82 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#gorillaz.com 7/23/2005 4:04 PM 0 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#gorillaz.com\settings.sol 7/23/2005 4:04 PM 82 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#local 9/3/2004 1:07 PM 0 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#local\settings.sol 9/3/2004 1:07 PM 75 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#maximonline.com 12/15/2005 2:45 PM 0 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#maximonline.com\settings.sol 12/15/2005 2:45 PM 85 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#media.ebaumsworld.com 12/17/2003 11:20 PM 0 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#media.ebaumsworld.com\settings.sol 3/15/2004 4:22 PM 91 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#media.ign.com 9/18/2005 6:22 PM 0 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#media.ign.com\settings.sol 9/18/2005 6:22 PM 83 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#nec.com 1/3/2005 8:26 PM 0 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#nec.com\settings.sol 1/3/2005 8:26 PM 77 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#newgrounds.com 9/7/2003 10:00 PM 0 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#newgrounds.com\settings.sol 3/15/2004 4:22 PM 84 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#oddcast.com 1/11/2006 2:29 PM 0 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#oddcast.com\settings.sol 1/11/2006 2:29 PM 81 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#pontiac.com 1/27/2005 12:53 PM 0 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#pontiac.com\settings.sol 1/27/2005 12:53 PM 81 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#rn-video.rednova.com 7/12/2005 10:42 PM 0 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#rn-video.rednova.com\settings.sol 7/12/2005 10:42 PM 90 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#serving-sys.com 2/7/2006 9:40 AM 0 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#serving-sys.com\settings.sol 2/7/2006 9:40 AM 85 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#ungrounded.net 2/7/2004 1:16 PM 0 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#ungrounded.net\settings.sol 3/15/2004 4:22 PM 84 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#winterfresh.com 6/21/2004 12:01 AM 0 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#winterfresh.com\settings.sol 6/21/2004 12:01 AM 85 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.adultswim.com 1/20/2006 11:34 PM 0 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.adultswim.com\settings.sol 1/20/2006 11:34 PM 87 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.fasco-csc.com 11/1/2004 11:38 PM 0 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.fasco-csc.com\settings.sol 11/1/2004 11:38 PM 87 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.icq.com 11/22/2005 7:32 PM 0 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.icq.com\settings.sol 11/22/2005 7:32 PM 81 bytes Hidden from Windows API.
    C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol 2/13/2006 10:33 PM 759 bytes Hidden from Windows API.
    C:\WINDOWS\Fonts\ega40857.fon 8/29/2002 6:00 AM 8.50 KB Visible in Windows API, directory index, but not in MFT.
    C:\WINDOWS\Fonts\eg 2/20/2006 4:19 PM 8.50 KB Hidden from Windows API.
    C:\WINDOWS\system32\avpe64.sys 2/14/2006 10:40 AM 21.33 KB Hidden from Windows API.
    C:\WINDOWS\system32\drivers\sysbus32.sys 2/16/2006 9:51 PM 48.43 KB Hidden from Windows API.
    C:\WINDOWS\system32\klgcptini.dat 2/14/2006 10:40 AM 0 bytes Hidden from Windows API.
    C:\WINDOWS\system32\qz.dll 2/14/2006 10:40 AM 40.33 KB Hidden from Windows API.
    C:\WINDOWS\system32\qz.sys 2/14/2006 10:40 AM 21.33 KB Hidden from Windows API.
    C:\WINDOWS\system32\stt82.ini 2/19/2006 11:19 PM 320 bytes Hidden from Windows API.
     
  7. 2006/02/21
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You have several rootkit infections. These can be very dangerous, as they run hidden from Windows and can sometimes make unknown/undetectable changes to the system. While we may be able to successfully remove them, there is really no way of knowing for certain what changes they may have made, and your system security could possibly be compromised. It is advisable that if you want to continue with cleanup/removal rather than reformat, you change all passwords to online banking, etc. from an uninfected computer. We will change them again once cleaned.

    To continue, start with F-Secure Blacklight to see if they can be detected.

    Download and Save Blacklight to your desktop:

    Double-click blbeta.exe, then accept the agreement, leave [X] scan through Windows Explorer checked, click > scan, then > next

    You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

    Post this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there.
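The RootkitRevealer output in the previous post and the assessment above amount to a manual triage of "Hidden from Windows API" lines. The Python below is an example added here, not code from the thread, from Sysinternals or from any tool mentioned: it parses those lines, separates the Flash Player shared-object entries (treated as benign noise here, an assumption) from hidden service keys and hidden system32 files, and links a hidden service name to its hidden driver file, as with sysbus32.

```python
"""Triage RootkitRevealer output. Added example for this thread, not code from the
forum, from Sysinternals or from any tool named here. RootkitRevealer prints one
discrepancy per line:  <path> <m/d/yyyy> <h:mm AM|PM> <size> <bytes|KB|MB> <description>
Paths contain spaces, so a line is parsed from the dated fields on the right.
Treating the Flash Player shared-object store as noise is an assumption made here."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set

LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2} [AP]M) "
    r"(?P<size>[\d.]+) (?P<unit>bytes|KB|MB) (?P<desc>.+)$"
)
SERVICE_KEY_RE = re.compile(r"\\services\\([^\\]+)", re.IGNORECASE)

class Finding(NamedTuple):
    path: str
    desc: str
    severity: str  # "high" = investigate first, "review" = look at, "noise" = assumed benign
    reason: str

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one RootkitRevealer line into fields; None if it is not a finding line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(path: str, desc: str) -> Finding:
    """Assign a triage severity from where the object lives and how it is hidden."""
    p, d = path.lower(), desc.lower()
    if "hidden from windows api" in d:
        if p.startswith("hklm\\") and "\\services\\" in p:
            return Finding(path, desc, "high", "service/driver registry key hidden from the API")
        if "\\flash player\\" in p and "\\flashplayer\\sys" in p:
            return Finding(path, desc, "noise", "Flash Player shared-object store (assumed benign)")
        if p.startswith("c:\\windows\\system32"):
            return Finding(path, desc, "high", "file under system32 hidden from the API")
        return Finding(path, desc, "review", "hidden object in an unexpected location")
    if "not in mft" in d:
        return Finding(path, desc, "review", "directory index and MFT disagree; re-scan to confirm")
    return Finding(path, desc, "review", "unrecognised discrepancy type")

def triage(lines: List[str]) -> Dict[str, List[Finding]]:
    """Bucket every non-blank line by severity; lines that do not parse go under 'unparsed'."""
    buckets: Dict[str, List[Finding]] = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            buckets["unparsed"].append(Finding(line.strip(), "", "review", "could not parse"))
            continue
        finding = classify(rec["path"], rec["desc"])
        buckets[finding.severity].append(finding)
    return dict(buckets)

def hidden_services(findings: List[Finding]) -> Set[str]:
    """Service names taken from hidden HKLM\\...\\Services\\<name> keys."""
    names = set()
    for f in findings:
        if f.path.lower().startswith("hklm\\"):
            m = SERVICE_KEY_RE.search(f.path)
            if m:
                names.add(m.group(1).lower())
    return names

def link_services_to_files(findings: List[Finding]) -> Dict[str, List[str]]:
    """Pair each hidden service with hidden files sharing its base name
    (sysbus32 -> ...\\drivers\\sysbus32.sys): a concealed key plus a concealed
    driver is the signature of a kernel-mode rootkit hiding its own loader."""
    links: Dict[str, List[str]] = {n: [] for n in sorted(hidden_services(findings))}
    for f in findings:
        if f.path.lower().startswith("hklm\\"):
            continue
        stem = f.path.rsplit("\\", 1)[-1].split(".")[0].lower()
        if stem in links:
            links[stem].append(f.path)
    return links

# Lines taken from the RootkitRevealer output posted earlier in this thread.
SAMPLE_LINES = [
    r"HKLM\SYSTEM\ControlSet001\Services\sysbus32 2/16/2006 6:50 PM 0 bytes Hidden from Windows API.",
    r"HKLM\SYSTEM\ControlSet002\Services\d347prt\Cfg\0Jf40 12/17/2005 2:54 AM 0 bytes Hidden from Windows API.",
    r"C:\Documents and Settings\Reginald.JARED\Application Data\Macromedia\Flash Player"
    r"\macromedia.com\support\flashplayer\sys\#www.icq.com\settings.sol 11/22/2005 7:32 PM 81 bytes Hidden from Windows API.",
    r"C:\WINDOWS\Fonts\ega40857.fon 8/29/2002 6:00 AM 8.50 KB Visible in Windows API, directory index, but not in MFT.",
    r"C:\WINDOWS\system32\drivers\sysbus32.sys 2/16/2006 9:51 PM 48.43 KB Hidden from Windows API.",
    r"C:\WINDOWS\system32\qz.sys 2/14/2006 10:40 AM 21.33 KB Hidden from Windows API.",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for severity in ("high", "review", "noise", "unparsed"):
        for f in result.get(severity, []):
            print(f"[{severity:6}] {f.reason}: {f.path}")
    print("hidden services ->", link_services_to_files(result.get("high", [])))
```

The buckets are a reading order, not a verdict; every "high" entry still has to be matched against the software the machine actually runs before anything is renamed.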
     
  8. 2006/02/21
    Mandingos

    Mandingos Inactive Thread Starter

    Joined:
    2006/02/20
    Messages:
    13
    Likes Received:
    0
    Wow, I had no idea it was gonna be that serious. I don't have time to do this tonight, but I definitely will tomorrow after I'm done with classes. Thanks a lot for helping me through this, because I'd really rather not have to reformat.
     
  9. 2006/02/21
    Mandingos

    Mandingos Inactive Thread Starter

    Joined:
    2006/02/20
    Messages:
    13
    Likes Received:
    0
    Alright, I just finished scanning with Blacklight, and it found 6 items. However, I didn't see a check box for scan through Windows Explorer. Do you think that is going to be an issue? Either way, here is the log:

    02/21/06 13:36:22 [Info]: BlackLight Engine 1.0.32 initialized
    02/21/06 13:36:22 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    02/21/06 13:36:22 [Note]: 7019 4
    02/21/06 13:36:22 [Note]: 7005 0
    02/21/06 13:36:38 [Note]: 7006 0
    02/21/06 13:36:38 [Note]: 7011 1864
    02/21/06 13:36:38 [Note]: FSRAW library version 1.7.1015
    02/21/06 13:37:56 [Info]: Hidden file: C:\WINDOWS\system32\drivers\sysbus32.sys
    02/21/06 13:37:56 [Note]: 7002 0
    02/21/06 13:37:56 [Note]: 7003 1
    02/21/06 13:37:56 [Note]: 10002 1
    02/21/06 13:37:59 [Info]: Hidden file: C:\WINDOWS\system32\avpe64.sys
    02/21/06 13:37:59 [Note]: 10002 1
    02/21/06 13:38:02 [Info]: Hidden file: C:\WINDOWS\system32\klgcptini.dat
    02/21/06 13:38:02 [Note]: 10002 1
    02/21/06 13:38:03 [Info]: Hidden file: C:\WINDOWS\system32\stt82.ini
    02/21/06 13:38:03 [Note]: 10002 1
    02/21/06 13:38:06 [Info]: Hidden file: C:\WINDOWS\system32\qz.dll
    02/21/06 13:38:06 [Note]: 10002 1
    02/21/06 13:38:06 [Info]: Hidden file: C:\WINDOWS\system32\qz.sys
    02/21/06 13:38:06 [Note]: 10002 1
    02/21/06 13:38:54 [Note]: 7007 0
     
  10. 2006/02/21
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Open Blacklight again and choose scan.
    Select each of the following items and choose rename:

    C:\WINDOWS\system32\drivers\sysbus32.sys
    C:\WINDOWS\system32\avpe64.sys
    C:\WINDOWS\system32\klgcptini.dat
    C:\WINDOWS\system32\stt82.ini
    C:\WINDOWS\system32\qz.dll
    C:\WINDOWS\system32\qz.sys

    The tool will ask if you want to reboot (restart) choose yes.
    Check if the above files that you let Blacklight rename are still present in your Windows folder.
    Most probably, they will have a 'ren' extension after them: C:\WINDOWS\system32\avpe64.sys.ren, C:\WINDOWS\system32\klgcptini.dat.ren, etc.

    If the files are there, please delete them manually.
    Then reboot your computer. Run Blacklight again to verify they have been removed.

    Check for a folder in C:\Windows named inet20003 and delete if present.

    Click Start>Run and type or paste the following commands, hitting enter after each. Let me know what happens.

    sc stop sysbus32
    sc delete sysbus32


    Make sure you are using current versions of Ad-aware, Spybot and Ewido, update and scan with each, removing anything they find. If Ewido finds anything, please save the log and post it here.

    Check to see if Device Manager is displayed properly.
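    The post above asks for the renamed files, the inet20003 folder and the sysbus32 service to be checked by hand. The script below is an added example (not from the thread, not from BlackLight or the other tools named) that performs the same checks in one pass and writes the results to a file, so that nothing is lost when a console window closes. The file list, folder and service name come from the post; the log location on the Desktop is an assumed choice. In PowerShell, `sc` is an alias for Set-Content, so the service control tool must be called as `sc.exe`. Run it from a console opened as an administrator rather than from Start>Run, because Start>Run closes the window as soon as the command finishes and its output is never seen.

```powershell
# Added example (not from the thread): verify that the BlackLight-renamed
# files, the inet20003 folder and the sysbus32 driver service are really gone.
# Paths and the service name are those listed in the post; $logPath is assumed.

$hiddenFiles = @(
    'C:\WINDOWS\system32\drivers\sysbus32.sys',
    'C:\WINDOWS\system32\avpe64.sys',
    'C:\WINDOWS\system32\klgcptini.dat',
    'C:\WINDOWS\system32\stt82.ini',
    'C:\WINDOWS\system32\qz.dll',
    'C:\WINDOWS\system32\qz.sys'
)
$suspectFolder = 'C:\WINDOWS\inet20003'
$serviceName   = 'sysbus32'
$logPath       = "$env:USERPROFILE\Desktop\cleanup-check.txt"   # assumed location

$report = @()

foreach ($f in $hiddenFiles) {
    # Check both the original name and the '.ren' name BlackLight produces on rename.
    foreach ($candidate in @($f, "$f.ren")) {
        if (Test-Path -LiteralPath $candidate) {
            $report += "STILL PRESENT: $candidate"
        } else {
            $report += "gone: $candidate"
        }
    }
}

if (Test-Path -LiteralPath $suspectFolder) {
    $report += "STILL PRESENT (folder): $suspectFolder"
} else {
    $report += "gone: $suspectFolder"
}

# 'sc' is an alias for Set-Content in PowerShell, so call sc.exe explicitly.
# 'sc query' prints the service state, or error 1060 if the service no longer exists.
$scOutput = & sc.exe query $serviceName 2>&1
$report += "sc query ${serviceName}:"
$report += $scOutput

# A kernel driver entry can remain registered even after its .sys file was
# renamed; that is the situation in which 'sc stop' / 'sc delete' are needed.
$drv = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='$serviceName'"
if ($drv) {
    $report += "driver entry still registered: $($drv.PathName) (state: $($drv.State))"
} else {
    $report += "no driver entry named $serviceName"
}

$report | Tee-Object -FilePath $logPath
```

The script only reports; it does not delete or unregister anything, so it can be run before and after the manual steps to confirm each one took effect. A "STILL PRESENT" line or a registered driver entry after the reboot means the corresponding step in the post has to be repeated.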
     
  11. 2006/02/21
    Mandingos

    Mandingos Inactive Thread Starter

    Joined:
    2006/02/20
    Messages:
    13
    Likes Received:
    0
    Alright, I successfully renamed and deleted the files blacklight detected. There was no inet20003 folder, but I did find one called inetsrv and it said access was denied when I tried to delete it. When I entered those commands into run, the command prompt popped up for a split second and disappeared right away each time. Ewido found 23 items, the other programs found none. My device manager is still empty, however :(. Here is the ewido log:

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 9:23:01 PM, 2/21/2006
    + Report-Checksum: BAEF2F14

    + Scan result:

    :mozilla.43:C:\Documents and Settings\Reginald.JARED\Application Data\Mozilla\Firefox\Profiles\wwycwo61.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
    :mozilla.49:C:\Documents and Settings\Reginald.JARED\Application Data\Mozilla\Firefox\Profiles\wwycwo61.default\cookies.txt -> TrackingCookie.Ne : Cleaned with backup
    :mozilla.53:C:\Documents and Settings\Reginald.JARED\Application Data\Mozilla\Firefox\Profiles\wwycwo61.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
    :mozilla.54:C:\Documents and Settings\Reginald.JARED\Application Data\Mozilla\Firefox\Profiles\wwycwo61.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
    :mozilla.56:C:\Documents and Settings\Reginald.JARED\Application Data\Mozilla\Firefox\Profiles\wwycwo61.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
    :mozilla.57:C:\Documents and Settings\Reginald.JARED\Application Data\Mozilla\Firefox\Profiles\wwycwo61.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
    :mozilla.61:C:\Documents and Settings\Reginald.JARED\Application Data\Mozilla\Firefox\Profiles\wwycwo61.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
    :mozilla.62:C:\Documents and Settings\Reginald.JARED\Application Data\Mozilla\Firefox\Profiles\wwycwo61.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
    :mozilla.63:C:\Documents and Settings\Reginald.JARED\Application Data\Mozilla\Firefox\Profiles\wwycwo61.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
    :mozilla.74:C:\Documents and Settings\Reginald.JARED\Application Data\Mozilla\Firefox\Profiles\wwycwo61.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.75:C:\Documents and Settings\Reginald.JARED\Application Data\Mozilla\Firefox\Profiles\wwycwo61.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.76:C:\Documents and Settings\Reginald.JARED\Application Data\Mozilla\Firefox\Profiles\wwycwo61.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.77:C:\Documents and Settings\Reginald.JARED\Application Data\Mozilla\Firefox\Profiles\wwycwo61.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.85:C:\Documents and Settings\Reginald.JARED\Application Data\Mozilla\Firefox\Profiles\wwycwo61.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.86:C:\Documents and Settings\Reginald.JARED\Application Data\Mozilla\Firefox\Profiles\wwycwo61.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.87:C:\Documents and Settings\Reginald.JARED\Application Data\Mozilla\Firefox\Profiles\wwycwo61.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.349:C:\Documents and Settings\Reginald.JARED\Application Data\Mozilla\Firefox\Profiles\wwycwo61.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.453:C:\Documents and Settings\Reginald.JARED\Application Data\Mozilla\Firefox\Profiles\wwycwo61.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.478:C:\Documents and Settings\Reginald.JARED\Application Data\Mozilla\Firefox\Profiles\wwycwo61.default\cookies.txt -> TrackingCookie.Trafic : Cleaned with backup
    :mozilla.481:C:\Documents and Settings\Reginald.JARED\Application Data\Mozilla\Firefox\Profiles\wwycwo61.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    C:\Documents and Settings\Reginald.JARED\Local Settings\Temp\W01804300\2420.tmp -> Downloader.VB.wy : Cleaned with backup
    C:\Documents and Settings\Reginald.JARED\Local Settings\Temporary Internet Files\Content.IE5\QI1TLMEX\winsysupd9[1].exe -> Downloader.VB.wy : Cleaned with backup
    C:\WINDOWS\system32\dcom_14.dll -> Backdoor.Agent.uu : Cleaned with backup
    C:\WINDOWS\system32\hpprintdrv.sys -> Logger.Goldun.hn : Cleaned with backup
    C:\WINDOWS\unin101.exe -> Trojan.VB.tg : Cleaned with backup
    C:\WINDOWS\uni_eh.exe -> Trojan.VB.tg : Cleaned with backup


    ::Report End
     
  12. 2006/02/21
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Click Start>run and type regedt32 then hit enter. Expand the categories to get to the following key.
    HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM
    Right click the ENUM key and select Permissions.
    If 'SYSTEM' is not listed, click Add. Type system in the 'enter the object names to select' window, then click Check Names. SYSTEM should appear in the window. Click OK. Now back on the permissions window, select SYSTEM and check the 'full control' box below, click Apply and OK. The group 'Everyone' may need to be added as well, but with 'read only' permissions. Close the registry editor.

    Reboot and check Device Manager. If still empty, proceed as follows.

    Click Start>run and type services.msc then hit enter. Locate Plug and Play, right click and select properties. It needs to be set to Automatic startup. Apply and OK out. Reboot.

    Post back with the results.
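    The two settings the post above repairs by hand (SYSTEM's permissions on the Enum key and the start type of the Plug and Play service) can be audited with the added example below. It is not from the thread and not part of any tool named in it. The service name PlugPlay is the Windows internal name of "Plug and Play"; with `-Repair` the script sets that service back to Automatic, as the post does through services.msc. The permissions are only reported, not changed, since regedt32 is the safer place to edit the ACL on that key. `Win32_Service.StartMode` is used rather than `Get-Service` because older PowerShell versions on Windows XP do not expose a start type on service objects.

```powershell
# Added example (not from the thread): audit the Enum key ACL and the
# PlugPlay service start type that the post repairs manually.
param([switch]$Repair)

$enumKey = 'HKLM:\SYSTEM\CurrentControlSet\Enum'

# --- 1. Does SYSTEM hold Full Control on the Enum key? ---------------------
try {
    $acl = Get-Acl -Path $enumKey
} catch {
    # Get-Acl needs read access to the key; a badly damaged ACL can block even that.
    Write-Output "PROBLEM: cannot read the ACL of ${enumKey}: $($_.Exception.Message)"
    $acl = $null
}

if ($acl) {
    $systemFull = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and
        $_.AccessControlType -eq 'Allow' -and
        $_.RegistryRights -eq [System.Security.AccessControl.RegistryRights]::FullControl
    }
    if ($systemFull) {
        Write-Output "OK: SYSTEM has Full Control on $enumKey"
    } else {
        Write-Output "PROBLEM: SYSTEM lacks Full Control on $enumKey; current entries:"
        $acl.Access | ForEach-Object {
            Write-Output ("  {0,-35} {1,-5} {2}" -f $_.IdentityReference, $_.AccessControlType, $_.RegistryRights)
        }
    }
}

# --- 2. Is the Plug and Play service set to start automatically? -----------
$pnp = Get-WmiObject -Class Win32_Service -Filter "Name='PlugPlay'"
if (-not $pnp) {
    Write-Output "PROBLEM: PlugPlay service not found"
} elseif ($pnp.StartMode -eq 'Auto') {
    Write-Output "OK: PlugPlay start mode is Auto (state: $($pnp.State))"
} else {
    Write-Output "PROBLEM: PlugPlay start mode is $($pnp.StartMode) (state: $($pnp.State))"
    if ($Repair) {
        Set-Service -Name PlugPlay -StartupType Automatic
        Write-Output "  set PlugPlay to Automatic; reboot and re-check Device Manager"
    }
}
```

Run it once to see which of the two settings is off, apply the fix, reboot, and run it again: an empty Device Manager with both checks reporting OK points to a different cause than the one this post addresses.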
     
  13. 2006/02/21
    Mandingos

    Mandingos Inactive Thread Starter

    Joined:
    2006/02/20
    Messages:
    13
    Likes Received:
    0
    Setting the plug and play to automatic did the trick, the device manager is back to normal, and my sound is finally working again. Everything else seems to be working just fine as well. The only problem I still notice is that Norton is telling me I have to activate it, something I did not too long ago. When I try to activate it, the program freezes. This isn't really a big issue, I think re-installing it will do the trick.

    Thank you sooooo much for all the help, I'd be stuck with an empty harddrive if it wasn't for you. You are a master of your craft!
     
  14. 2006/02/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I'd like to have a look at 1 more HijackThis log. Have you gotten Norton working yet? Is the firewall working?
     
