
Solved Popup: Windows Has Detected Spyware

Discussion in 'Malware and Virus Removal Archive' started by gpb59, 2007/08/18.

  1. 2007/08/19
    gpb59 Well-Known Member Thread Starter

    Joined:
    2012/01/28
    Messages:
    320
    Likes Received:
    0
    I didn't have a CFScript on the desktop so I just created a new one.
     
  2. 2007/08/19
    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    That's fine. :)
     
  4. 2007/08/19
    gpb59 Well-Known Member Thread Starter

    ComboFix 07-08-14.4 - "Owner" 2007-08-19 9:53:10.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.198 [GMT -8:00]
    Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
    * Created a new restore point


    ((((((((((((((((((((((((( Files Created from 2007-07-19 to 2007-08-19 )))))))))))))))))))))))))))))))


    2007-08-19 08:47 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-08-19 06:33 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
    2007-08-18 17:34 <DIR> d-------- C:\Program Files\Windows Live Safety Center
    2007-08-18 17:07 4,304 --a------ C:\WINDOWS\system32\tmp.reg
    2007-08-18 16:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-08-18 15:44 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2007-08-18 15:27 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-08-18 15:27 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
    2007-08-18 15:27 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
    2007-08-18 15:27 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SampleView
    2007-08-18 14:47 65,536 --a------ C:\WINDOWS\system32\bpssc1.1.dll
    2007-08-18 14:00 1,048,576 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
    2007-08-18 14:00 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
    2007-08-18 14:00 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Real
    2007-08-18 14:00 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\interMute
    2007-08-18 13:36 <DIR> d-------- C:\DOCUME~1\Owner\.housecall6.6
    2007-08-18 13:32 <DIR> d-------- C:\Program Files\Lavasoft
    2007-08-18 13:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
    2007-08-18 11:32 5 --a------ C:\WINDOWS\C1EB-FC77-A607-F544.dat
    2007-08-18 10:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP
    2007-08-05 09:32 129,784 --------- C:\WINDOWS\system32\pxafs.dll
    2007-08-04 08:23 <DIR> d-------- C:\Program Files\KVS Availability Tool


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-08-19 07:09 --------- d-------- C:\Program Files\Winamp
    2007-08-19 07:08 --------- d-------- C:\Program Files\SmartFTP Client 2.0
    2007-08-19 07:07 --------- d-------- C:\Program Files\Picasa2
    2007-08-19 07:06 --------- d-------- C:\Program Files\Multimedia Card Reader
    2007-08-19 07:03 --------- d-------- C:\Program Files\Messenger
    2007-08-19 06:58 --------- d-------- C:\Program Files\Common Files\aolshare
    2007-08-19 06:58 --------- d-------- C:\Program Files\Common Files\AOL
    2007-08-19 06:57 --------- d-------- C:\Program Files\America Online 9.0b
    2007-08-19 06:57 --------- d-------- C:\Program Files\America Online 9.0a
    2007-08-18 20:03 --------- d-------- C:\Program Files\oneworldflights
    2007-08-18 20:02 --------- d--h----- C:\Program Files\InstallShield Installation Information
    2007-06-25 22:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
    2007-06-25 22:08 1104896 -----c--- C:\WINDOWS\system32\dllcache\msxml3.dll
    2007-06-19 05:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
    2007-06-19 05:31 282112 -----c--- C:\WINDOWS\system32\dllcache\gdi32.dll
    2007-06-13 02:23 1033216 --a------ C:\WINDOWS\explorer.exe
    2007-06-13 02:23 1033216 -----c--- C:\WINDOWS\system32\dllcache\explorer.exe
    2002-08-29 12:00:00 94,784 --sh--w C:\WINDOWS\twain.dll
    2004-08-04 07:56:46 50,688 --sh--w C:\WINDOWS\twain_32.dll
    2004-08-04 07:56:42 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
    2004-08-04 07:56:43 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
    2004-08-04 07:56:43 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll
    2004-08-04 07:56:43 343,040 --sh--w C:\WINDOWS\system32\msvcrt.dll
    2007-05-17 11:28:05 549,376 --sh--w C:\WINDOWS\system32\oleaut32.dll
    2004-08-04 07:56:44 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
    2004-08-04 07:56:55 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv "= "c:\windows\system\hpsysdrv.exe" [1998-05-07 15:04]
    "HotKeysCmds "= "C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 06:07]
    "CamMonitor "= "c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 06:23]
    "HPHUPD05 "= "C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-23 02:03]
    "HPHmon05 "= "C:\WINDOWS\System32\hphmon05.exe" [2003-05-23 01:55]
    "KBD "= "C:\HP\KBD\KBD.EXE" [2003-02-11 19:02]
    "UpdateManager "= "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-11-03 22:36]
    "Recguard "= "C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 20:42]
    "NvCplDaemon "= "C:\WINDOWS\System32\NvCpl.dll" [2003-08-19 01:56]
    "nwiz "= "nwiz.exe" [2003-08-19 01:56 C:\WINDOWS\system32\nwiz.exe]
    "PS2 "= "C:\WINDOWS\system32\ps2.exe" [2002-10-16 15:57]
    "Sunkist2k "= "C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-08-14 19:11]
    "AOLDialer "= "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 04:50]
    "NeroFilterCheck "= "C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
    "ezShieldProtector for Px "= "C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-20 10:29]
    "HostManager "= "C:\Program Files\Common Files\AOL\1102102323\ee\AOLSoftware.exe" [2007-04-12 13:23]
    "AlcxMonitor "= "ALCXMNTR.EXE" [2004-09-07 13:47 C:\WINDOWS\ALCXMNTR.EXE]
    "Share-to-Web Namespace Daemon "= "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 08:11]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-08-16 08:33]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
    "Picasa Media Detector "= "C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-06-15 15:15]
    "WinampAgent "= "C:\Program Files\Winamp\winampa.exe" [2007-05-14 14:22]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NVIEW "= "nview.dll,nViewLoadHook" []
    "BackupNotify "= "c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe" [2003-06-22 20:25]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
    "AOL Fast Start "= "C:\Program Files\America Online 9.0b\AOL.exe" [2005-07-12 06:17]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 01:20:40]
    HPAiODevice(hp officejet v series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe [2002-04-25 17:43:32]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 12:05:56]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls "=C:\WINDOWS\system32\hanonvt.ini

    S2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys
    S2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys


    Contents of the 'Scheduled Tasks' folder
    2004-10-03 14:35:03 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE

    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-19 09:55:50
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-08-19 9:57:14
    C:\ComboFix-quarantined-files.txt ... 2007-08-19 09:57
    C:\ComboFix2.txt ... 2007-08-19 08:51
    C:\ComboFix3.txt ... 2007-08-18 19:32

    --- E O F ---
     
  5. 2007/08/19
    noahdfear Inactive

    Please go to jotti and submit the following file, then wait for the analysis results. Copy and paste the results back here please.

    C:\WINDOWS\system32\drivers\tmcomm.sys
     
  6. 2007/08/19
    gpb59 Well-Known Member Thread Starter

    Scan taken on 19 Aug 2007 17:12:32 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Rising Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing
     
  7. 2007/08/19
    noahdfear Inactive

    Thanks. Just to make sure, please right click that file and select Properties. Check the Version tab and let me know what info is there, e.g. Company name, Version, etc.

    Are you familiar or comfortable with working in the registry? Ever set permissions on an object?
     
  8. 2007/08/19
    gpb59 Well-Known Member Thread Starter

    1.5.0.1052
    TrendMicro Common Module
    Copyright (C) 2005-2006 Trend Micro Incorporated. All rights reserved.

    I'm not really familiar with the registry.

    Be back in about an hour.
     
  9. 2007/08/19
    noahdfear Inactive

    OK. Thanks.

    I may be gone for a while as well. ;)
     
  10. 2007/08/19
    gpb59 Well-Known Member Thread Starter

    Anything else I should do?
     
  11. 2007/08/19
    noahdfear Inactive

    Yes. Click Start>Run, type regedit and hit enter. Navigate to the following registry key.

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows

    Click on the windows key once to select it, then right click on it and select Permissions. If you get any kind of message that you don't have permissions, click OK, then right click and select Permissions again. Make note of the listed users with permissions. Is your user account listed? If so, click on it and see if Full Control is selected in the lower pane.

    Stop there, leave regedit open and let me know what you find.
     
  12. 2007/08/19
    gpb59 Well-Known Member Thread Starter

    Administrators (Gary\Administrators): Full Control, Read
    Creator Owner: Special Permissions is checked
    SYSTEM: Full Control, Read
    Users (Gary\Users): Read

    I'm the only user of the computer for the most part.
     
  13. 2007/08/19
    noahdfear Inactive

    Good. Close out of the Permissions dialog. Right click the appinit_dlls entry in the right pane and select delete.

    Press F5 and let me know if the appinit_dlls value comes back.
     
  14. 2007/08/19
    gpb59 Well-Known Member Thread Starter

    It didn't come back.
     
  15. 2007/08/19
    noahdfear Inactive

    Close the registry editor and reboot. Either check the value manually or do a HijackThis scan to see if it returns.
     
  16. 2007/08/19
    gpb59 Well-Known Member Thread Starter

    It came back.
     
  17. 2007/08/19
    noahdfear Inactive

    Copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    Rootkit::
    C:\WINDOWS\system32\hanonvt.ini

    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=-

    Close all other windows and programs. Now drag CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.
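    As an added example that is not part of the thread and not code from ComboFix or HijackThis: a PowerShell audit of the AppInit_DLLs loading point that posts 11 to 17 above clear by hand with regedit and a CFScript. The registry key path is the one from the thread; the function names, the Wow6432Node key and the baseline file location are my own assumptions.

```powershell
# Added example (not from the thread): audit the AppInit_DLLs value. Each listed
# module is resolved the way the loader would, then checked for existence, a
# non-.dll name (the thread's entry was a .ini in system32), the hidden attribute
# and Authenticode status. Run once to store a baseline, delete the value, reboot,
# and run again: entries that are back are the sign the helper was looking for.

$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',              # key from the thread
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'   # 32-bit view on 64-bit Windows (assumed)
)

function Get-AppInitDllEntries {
    [CmdletBinding()]
    param([string]$KeyPath)

    $props = Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if (-not $props) { return }          # key absent (e.g. no Wow6432Node on 32-bit Windows)

    $raw = [string]$props.AppInit_DLLs   # normally empty; space- or comma-separated when set
    if ([string]::IsNullOrWhiteSpace($raw)) { return }

    # Vista and later only honour the list when LoadAppInit_DLLs is 1; XP (as in the thread) always loads it.
    $gate = $props.LoadAppInit_DLLs
    $system32 = Join-Path $env:SystemRoot 'System32'

    foreach ($entry in ($raw -split '[ ,]+' | Where-Object { $_ })) {
        # Bare names resolve from System32; full paths are used as written.
        $path   = if ([IO.Path]::IsPathRooted($entry)) { $entry } else { Join-Path $system32 $entry }
        $exists = Test-Path -LiteralPath $path -PathType Leaf
        $item   = if ($exists) { Get-Item -LiteralPath $path -Force } else { $null }
        $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }

        [PSCustomObject]@{
            Key          = $KeyPath
            Entry        = $entry
            Path         = $path
            Exists       = $exists
            OddExtension = ([IO.Path]::GetExtension($path) -ne '.dll')
            Hidden       = [bool]($item -and $item.Attributes.HasFlag([IO.FileAttributes]::Hidden))
            Signature    = if ($sig) { $sig.Status.ToString() } else { 'n/a' }
            Signer       = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            LoadGate     = if ($null -eq $gate) { 'n/a (pre-Vista)' } else { $gate }
        }
    }
}

function Test-AppInitEntry {
    # An entry is worth a look if it cannot be found, is not a .dll, is hidden, or has no valid signature.
    param([Parameter(ValueFromPipeline)]$Entry)
    process {
        $reasons = @()
        if (-not $Entry.Exists)           { $reasons += 'file missing' }
        if ($Entry.OddExtension)          { $reasons += 'not a .dll' }
        if ($Entry.Hidden)                { $reasons += 'hidden attribute' }
        if ($Entry.Signature -ne 'Valid') { $reasons += "signature $($Entry.Signature)" }
        $Entry | Add-Member -NotePropertyName Reasons -NotePropertyValue ($reasons -join '; ') -PassThru
    }
}

function Compare-AppInitBaseline {
    # First run stores the current entries; later runs report entries that are back after a delete and reboot.
    param(
        [string[]]$Current,
        [string]$BaselinePath = (Join-Path $env:TEMP 'appinit-baseline.txt')   # assumed location
    )
    if (-not (Test-Path -LiteralPath $BaselinePath)) {
        Set-Content -LiteralPath $BaselinePath -Value $Current
        return "Baseline saved to $BaselinePath. Delete the value, reboot, and run this again."
    }
    $before   = @(Get-Content -LiteralPath $BaselinePath | Where-Object { $_ })
    $returned = @($Current | Where-Object { $before -contains $_ })
    if ($returned.Count -gt 0) {
        return "Entries present again after reboot: $($returned -join ', ') (something is restoring the value)."
    }
    return 'No baseline entries returned.'
}

$entries = @($AppInitKeys | ForEach-Object { Get-AppInitDllEntries -KeyPath $_ })
if ($entries.Count -eq 0) {
    'AppInit_DLLs is empty in all audited keys.'
} else {
    $entries | Test-AppInitEntry | Format-Table Entry, Exists, OddExtension, Hidden, Signature, Reasons -AutoSize
}
Compare-AppInitBaseline -Current @($entries | ForEach-Object { $_.Entry })
```

    Run it from an elevated PowerShell session; a value that is non-empty again after you deleted it and rebooted means another component is rewriting it, which is exactly why the thread moved from regedit to the Rootkit:: and Registry:: CFScript.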
     
  18. 2007/08/19
    noahdfear Inactive

    I have some errands to run. I'll be back in a bit. :)
     
  19. 2007/08/19
    gpb59 Well-Known Member Thread Starter

    ComboFix 07-08-14.4 - "Owner" 2007-08-19 11:50:44.4 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.274 [GMT -8:00]
    Command switches used :: C:\Documents and Settings\Owner\Desktop\CFscript.txt
    * Created a new restore point


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\hanonvt.ini


    ((((((((((((((((((((((((( Files Created from 2007-07-19 to 2007-08-19 )))))))))))))))))))))))))))))))


    2007-08-19 08:47 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-08-19 06:33 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
    2007-08-18 17:34 <DIR> d-------- C:\Program Files\Windows Live Safety Center
    2007-08-18 17:07 4,304 --a------ C:\WINDOWS\system32\tmp.reg
    2007-08-18 16:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-08-18 15:44 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2007-08-18 15:27 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-08-18 15:27 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
    2007-08-18 15:27 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
    2007-08-18 15:27 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SampleView
    2007-08-18 14:47 65,536 --a------ C:\WINDOWS\system32\bpssc1.1.dll
    2007-08-18 14:00 1,048,576 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
    2007-08-18 14:00 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
    2007-08-18 14:00 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Real
    2007-08-18 14:00 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\interMute
    2007-08-18 13:36 <DIR> d-------- C:\DOCUME~1\Owner\.housecall6.6
    2007-08-18 13:32 <DIR> d-------- C:\Program Files\Lavasoft
    2007-08-18 13:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
    2007-08-18 11:32 5 --a------ C:\WINDOWS\C1EB-FC77-A607-F544.dat
    2007-08-18 10:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP
    2007-08-05 09:32 129,784 --------- C:\WINDOWS\system32\pxafs.dll
    2007-08-04 08:23 <DIR> d-------- C:\Program Files\KVS Availability Tool


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-08-19 07:09 --------- d-------- C:\Program Files\Winamp
    2007-08-19 07:08 --------- d-------- C:\Program Files\SmartFTP Client 2.0
    2007-08-19 07:07 --------- d-------- C:\Program Files\Picasa2
    2007-08-19 07:06 --------- d-------- C:\Program Files\Multimedia Card Reader
    2007-08-19 07:03 --------- d-------- C:\Program Files\Messenger
    2007-08-19 06:58 --------- d-------- C:\Program Files\Common Files\aolshare
    2007-08-19 06:58 --------- d-------- C:\Program Files\Common Files\AOL
    2007-08-19 06:57 --------- d-------- C:\Program Files\America Online 9.0b
    2007-08-19 06:57 --------- d-------- C:\Program Files\America Online 9.0a
    2007-08-18 20:03 --------- d-------- C:\Program Files\oneworldflights
    2007-08-18 20:02 --------- d--h----- C:\Program Files\InstallShield Installation Information
    2007-06-25 22:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
    2007-06-25 22:08 1104896 -----c--- C:\WINDOWS\system32\dllcache\msxml3.dll
    2007-06-19 05:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
    2007-06-19 05:31 282112 -----c--- C:\WINDOWS\system32\dllcache\gdi32.dll
    2007-06-13 02:23 1033216 --a------ C:\WINDOWS\explorer.exe
    2007-06-13 02:23 1033216 -----c--- C:\WINDOWS\system32\dllcache\explorer.exe
    2002-08-29 12:00:00 94,784 --sh--w C:\WINDOWS\twain.dll
    2004-08-04 07:56:46 50,688 --sh--w C:\WINDOWS\twain_32.dll
    2004-08-04 07:56:42 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
    2004-08-04 07:56:43 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
    2004-08-04 07:56:43 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll
    2004-08-04 07:56:43 343,040 --sh--w C:\WINDOWS\system32\msvcrt.dll
    2007-05-17 11:28:05 549,376 --sh--w C:\WINDOWS\system32\oleaut32.dll
    2004-08-04 07:56:44 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
    2004-08-04 07:56:55 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv "= "c:\windows\system\hpsysdrv.exe" [1998-05-07 15:04]
    "HotKeysCmds "= "C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 06:07]
    "CamMonitor "= "c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 06:23]
    "HPHUPD05 "= "C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-23 02:03]
    "HPHmon05 "= "C:\WINDOWS\System32\hphmon05.exe" [2003-05-23 01:55]
    "KBD "= "C:\HP\KBD\KBD.EXE" [2003-02-11 19:02]
    "UpdateManager "= "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-11-03 22:36]
    "Recguard "= "C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 20:42]
    "NvCplDaemon "= "C:\WINDOWS\System32\NvCpl.dll" [2003-08-19 01:56]
    "nwiz "= "nwiz.exe" [2003-08-19 01:56 C:\WINDOWS\system32\nwiz.exe]
    "PS2 "= "C:\WINDOWS\system32\ps2.exe" [2002-10-16 15:57]
    "Sunkist2k "= "C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-08-14 19:11]
    "AOLDialer "= "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 04:50]
    "NeroFilterCheck "= "C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
    "ezShieldProtector for Px "= "C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-20 10:29]
    "HostManager "= "C:\Program Files\Common Files\AOL\1102102323\ee\AOLSoftware.exe" [2007-04-12 13:23]
    "AlcxMonitor "= "ALCXMNTR.EXE" [2004-09-07 13:47 C:\WINDOWS\ALCXMNTR.EXE]
    "Share-to-Web Namespace Daemon "= "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 08:11]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-08-16 08:33]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
    "Picasa Media Detector "= "C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-06-15 15:15]
    "WinampAgent "= "C:\Program Files\Winamp\winampa.exe" [2007-05-14 14:22]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NVIEW "= "nview.dll,nViewLoadHook" []
    "BackupNotify "= "c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe" [2003-06-22 20:25]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
    "AOL Fast Start "= "C:\Program Files\America Online 9.0b\AOL.exe" [2005-07-12 06:17]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 01:20:40]
    HPAiODevice(hp officejet v series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe [2002-04-25 17:43:32]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 12:05:56]

    S2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys
    S2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys


    Contents of the 'Scheduled Tasks' folder
    2004-10-03 14:35:03 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE

    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-19 11:54:41
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ATWPKT2]
    "ImagePath "= "\??\C:\WINDOWS\system32\drivers\ATWPKT2.SYS "

    Completion time: 2007-08-19 11:57:25 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-08-19 11:57
    C:\ComboFix2.txt ... 2007-08-19 09:57
    C:\ComboFix3.txt ... 2007-08-19 08:51

    --- E O F ---
     
  20. 2007/08/19
    noahdfear Inactive

    Looks like we got it that time. :)

    Reboot 1 more time, then create and post a fresh HijackThis log.
     
  21. 2007/08/19
    gpb59 Well-Known Member Thread Starter

    Logfile of HijackThis v1.99.1
    Scan saved at 12:32:07 PM, on 8/19/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5700.0006)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\WINDOWS\system32\ezSP_Px.exe
    C:\Program Files\Common Files\AOL\1102102323\ee\AOLSoftware.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\America Online 9.0b\waol.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\bmwebcfg.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\UTStarcom\Sprint\Sprint PCS Connection Manager\PnCUtilityService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\WINDOWS\system32\hpoipm07.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
    C:\Program Files\America Online 9.0b\shellmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Owner\My Documents\hjt\analthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/p?k=pf_5
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us10.hpwis.com/
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102102323\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe "
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0b\AOL.EXE" -b
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Anonymization - C:\WINDOWS\system32\sys32.htm
    O8 - Extra context menu item: &Search - ?p=ZUxdm082YYUS
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Anonymization.Net - {8B466019-1E6E-4552-A096-7C0A2876E50E} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {12E5E9D9-4366-45D9-BA41-D0BCD55AD8CF} - http://17.sharedsource.org/html/NrsgroupUD_1.0.0.3ie.cab?
    O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/14.18/uploader2.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u2-windows-i586-jc.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pantech&Curitel Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\UTStarcom\Sprint\Sprint PCS Connection Manager\PnCUtilityService.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
     
