
  fundamentalz The Basics Premium join:2004-04-30 Moorpark, CA
edit: May 13th, @06:00PM
[Vundo] Vundo Infection
I am having numerous issues with my computer as a result of a Vundo infection, from Firefox crashing and not copying and pasting, IE 7's refusal to start, to a network process "SVCHOST.exe" at 90% CPU usage. I have been trying to remove it for the better part of 3 weeks now, but new issues keep popping up.
I've run:
1) Kaspersky full system scan
2) Spybot
3) MS Malicious Software tool
4) ESET online scan
5) VundoFix
Of these, all except Spybot came back clean. I was unable to run the Computer Associates scan and Windows Defender. Spybot detected Vundo, which I removed, yet I still keep getting the same problems. All of these except HJT were run in Safe Mode.
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 2:59:44 PM, on 5/13/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal
Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\PnkBstrA.exe C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\WINDOWS\CTHELPER.EXE C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe C:\Program Files\DAEMON Tools\daemon.exe D:\program files\valve\steam.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe D:\Program Files\Last.fm\LastFMHelper.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe C:\Program Files\Digsby\Digsby.exe C:\PROGRA~1\MOZILL~1\FIREFOX.EXE C:\Program Files\Azureus\Azureus.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {20E95981-4968-41D6-9CF4-9EB5544B908D} - C:\WINDOWS\system32\pmnkJASm.dll (file missing) O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program 
Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide O4 - HKCU\..\Run: [Steam] "d:\program files\valve\steam.exe" -silent O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe O4 - HKCU\..\Run: [Gadwin PrintScreen] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash O4 - HKUS\S-1-5-21-682003330-1767777339-725345543-1003\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 (User '?') O4 - HKUS\S-1-5-21-682003330-1767777339-725345543-1003\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide (User '?') O4 - HKUS\S-1-5-21-682003330-1767777339-725345543-1003\..\Run: [Steam] "d:\program files\valve\steam.exe" -silent (User '?') O4 - HKUS\S-1-5-21-682003330-1767777339-725345543-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?') O4 - HKUS\S-1-5-21-682003330-1767777339-725345543-1003\..\Run: [SetDefaultMIDI] MIDIDef.exe (User '?') O4 - HKUS\S-1-5-21-682003330-1767777339-725345543-1003\..\Run: [Gadwin PrintScreen] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash (User '?') O4 - Global Startup: Last.fm Helper.lnk = D:\Program Files\Last.fm\LastFMHelper.exe O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe 
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: (no name) - 
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: »www.ca.com O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - »a1540.g.akamai.net/7/1540/52/200···ugin.cab O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - »www.eset.eu/OnlineScanner.cab O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - »cdn.scan.onecare.live.com/resour···e370.cab O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - »www.nvidia.com/content/DriverDow···lab2.cab O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - »download.divx.com/player/DivXBro···ugin.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
-- End of file - 9432 bytes
edit: fixed HJT log
CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
Let's use this free tool called ComboFix.
Please visit this webpage for download links, and instructions for running the tool: »www.bleepingcomputer.com/combofi···combofix
If you do not have the Windows recovery console installed already, do follow the page's instructions for doing that before you run it.
When the tool is finished, it will produce a report for you. Please post that report, located at C:\ComboFix.txt, along with a new HijackThis log.
Note: Kaspersky may alert on the ComboFix tool as a "risk tool" or similar. Please either disable KAV while running it or ignore any of those alerts.
Spybot's Teatimer may also interfere. Best to turn that off during the scan, as it will try to make fixes to malware found, if any, and Teatimer will throw up some alerts on that.
-- It takes a disaster to make a woman out of a female Microsoft MVP/Windows Security 2003-2008 Proud Member of ASAP (Alliance of Security Analysis Professionals)
fundamentalz The Basics Premium join:2004-04-30 Moorpark, CA
Thanks for your help, CJ
lilhurricane Crunchin' for CURES Premium,Mod join:2003-01-11 Purple Zone
Let's open that up for easier viewing:
ComboFix 08-05-12.1 - Hady 2008-05-14 20:13:24.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1177 [GMT -7:00] Running from: C:\Documents and Settings\Hady\Desktop\ComboFix.exe * Created a new restore point .
((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) .
C:\WINDOWS\cookies.ini C:\WINDOWS\pskt.ini C:\WINDOWS\system32\gihOYJjl.ini C:\WINDOWS\system32\gihOYJjl.ini2 C:\WINDOWS\system32\iijhhlay.ini C:\WINDOWS\system32\mcrh.tmp C:\WINDOWS\system32\mSAJknmp.ini C:\WINDOWS\system32\mSAJknmp.ini2 C:\WINDOWS\system32\tuwmmxdm.ini
. ((((((((((((((((((((((((( Files Created from 2008-04-15 to 2008-05-15 ))))))))))))))))))))))))))))))) .
2008-05-14 20:13 . 2008-05-14 20:13 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG 2008-05-13 14:59 . 2008-05-13 14:59 d-------- C:\Program Files\Trend Micro 2008-05-12 23:34 . 2008-05-12 23:36 d-------- C:\Program Files\EsetOnlineScanner 2008-05-12 22:36 . 2008-05-12 22:37 d-------- C:\Program Files\Mozilla Firefox 3 Beta 5 2008-04-21 18:39 . 2008-04-21 18:39 d-------- C:\Program Files\Hamachi 2008-04-21 18:39 . 2008-04-21 21:15 d-------- C:\Documents and Settings\Hady\Application Data\Hamachi 2008-04-21 18:39 . 2008-04-21 18:39 25,280 --a------ C:\WINDOWS\system32\drivers\hamachi.sys 2008-04-16 20:26 . 2008-04-18 20:17 d-------- C:\Documents and Settings\All Users\Application Data\TrackMania 2008-04-16 20:10 . 2008-04-16 20:10 d-------- C:\VundoFix Backups 2008-04-16 20:01 . 2008-04-16 20:03 d-------- C:\Program Files\Windows Live Safety Center 2008-04-16 19:37 . 2008-04-16 19:37 664 --a------ C:\WINDOWS\system32\d3d9caps.dat 2008-04-16 19:29 . 2008-04-16 19:55 500 --a------ C:\WINDOWS\wininit.ini 2008-04-16 18:58 . 2008-04-16 18:58 d-------- C:\Program Files\Spybot - Search & Destroy 2008-04-16 18:58 . 2008-04-16 19:04 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-04-16 03:40 . 2008-04-16 15:00 101,165 --a------ C:\WINDOWS\BM671f7a6f.xml 2008-04-15 13:19 . 2008-04-15 13:19 d-------- C:\Program Files\Common Files\Macrovision Shared 2008-04-15 13:19 . 2008-04-15 13:19 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
. (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-05-15 03:18 1,639,200 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat 2008-05-15 03:17 52,957,216 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat 2008-05-15 03:16 716,492 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx 2008-05-15 03:16 191,216 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx 2008-05-14 20:37 --------- d-----w C:\Program Files\Digsby 2008-05-14 09:22 --------- d-----w C:\Documents and Settings\Hady\Application Data\Azureus 2008-05-01 06:51 --------- d-----w C:\Documents and Settings\Hady\Application Data\Skype 2008-04-30 23:40 --------- d-----w C:\Documents and Settings\Hady\Application Data\skypePM 2008-04-17 03:00 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2008-04-17 01:27 --------- d-----w C:\Documents and Settings\Hady\Application Data\Move Networks 2008-04-15 20:19 --------- d-----w C:\Program Files\Common Files\Adobe 2008-04-14 23:40 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat 2008-04-14 23:38 --------- d-----w C:\Program Files\Skype 2008-04-14 23:38 --------- d-----w C:\Program Files\Common Files\Skype 2008-04-14 23:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype 2008-04-12 21:34 --------- d-----w C:\Documents and Settings\Hady\Application Data\Digsby 2008-04-10 16:14 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-04-10 16:14 --------- d-----w C:\Program Files\THQ 2008-04-10 16:12 --------- d-----w C:\Program Files\Gadwin Systems 2008-04-09 14:48 --------- d-----w C:\Program Files\Java 2008-04-09 11:29 --------- d-----w C:\Program Files\Kaspersky Lab 2008-04-08 22:19 --------- d-----w C:\Documents and Settings\Hady\Application Data\SEGA 2008-04-08 22:18 --------- d-----w C:\Program Files\Sonic 2008-04-08 19:19 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys 2008-04-08 19:19 107,832 ----a-w 
C:\WINDOWS\system32\PnkBstrB.exe 2008-03-29 03:59 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll 2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys 2008-03-15 02:22 21,840 ----atw C:\WINDOWS\system32\SIntfNT.dll 2008-03-15 02:22 17,212 ----atw C:\WINDOWS\system32\SIntf32.dll 2008-03-15 02:22 12,067 ----atw C:\WINDOWS\system32\SIntf16.dll 2008-03-15 02:09 94,208 ----a-w C:\WINDOWS\DIIUnin.exe 2008-03-15 02:09 2,829 ----a-w C:\WINDOWS\DIIUnin.pif 2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll 2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll 2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll 2007-12-17 08:08 22,328 ----a-w C:\Documents and Settings\Hady\Application Data\PnkBstrK.sys .
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 15:29 165784] "STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2005-08-18 06:15 1359872] "Steam"="d:\program files\valve\steam.exe" [2008-03-28 20:46 1271032] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 21:56 15360] "SetDefaultMIDI"="MIDIDef.exe" [2006-08-11 14:42 25600 C:\WINDOWS\MIDIDEF.EXE] "Gadwin PrintScreen"="C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2007-08-20 01:42 495616]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "kav"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [2006-03-24 19:09 139367] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776] "nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe] "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe] "DeadAIM"="C:\PROGRA~1\AIM\\DeadAIM.ocm" [2004-02-28 12:12 144896] "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768] "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648] "AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2005-07-07 15:17 455168] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-07-31 01:30 286720] "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe] "CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 17920 C:\WINDOWS\CTHELPER.EXE] "CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920] "Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46 624248]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Last.fm Helper.lnk - D:\Program Files\Last.fm\LastFMHelper.exe [2007-11-11 23:05:06 110592] Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-07-09 20:17:59 692224]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup] @=""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\642c49f3] C:\WINDOWS\system32\yalhhjii.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM671f7a6f] C:\WINDOWS\system32\myancbov.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 "UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus] "DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "D:\\Program Files\\Valve\\Steam.exe"= "D:\\Program Files\\Unreal Tournament 3 Demo\\Binaries\\UT3Demo.exe"= "C:\\WINDOWS\\system32\\PnkBstrA.exe"= "C:\\WINDOWS\\system32\\PnkBstrB.exe"= "D:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"= "C:\\Program Files\\Skype\\Phone\\Skype.exe"=
S3 fixustor;fixustor;C:\WINDOWS\system32\drivers\fixustor.sys [] S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys [] S3 SaiH8000;SaiH8000;C:\WINDOWS\system32\DRIVERS\SaiH8000.sys [2004-07-30 10:25]
. Contents of the 'Scheduled Tasks' folder "2008-05-14 02:37:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe . **************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net Rootkit scan 2008-05-14 20:18:06 Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully hidden files: 0
************************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\PnkBstrA.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.exe C:\WINDOWS\system32\wscntfy.exe . ************************************************************************** . Completion time: 2008-05-14 20:22:50 - machine was rebooted ComboFix-quarantined-files.txt 2008-05-15 03:22:45
Pre-Run: 13,354,393,600 bytes free Post-Run: 13,882,781,696 bytes free
163 --- E O F --- 2008-04-11 09:34:09
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:25:50 PM, on 5/14/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal
Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\PnkBstrA.exe C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\WINDOWS\CTHELPER.EXE C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe C:\Program Files\DAEMON Tools\daemon.exe D:\program files\valve\steam.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe D:\Program Files\Last.fm\LastFMHelper.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\explorer.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - 
HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide O4 - HKCU\..\Run: [Steam] "d:\program files\valve\steam.exe" -silent O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe O4 - HKCU\..\Run: [Gadwin PrintScreen] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash O4 - Global Startup: Last.fm Helper.lnk = D:\Program Files\Last.fm\LastFMHelper.exe O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - 
Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: »www.ca.com O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - »a1540.g.akamai.net/7/1540/52/200···ugin.cab O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - »www.eset.eu/OnlineScanner.cab O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - »cdn.scan.onecare.live.com/resour···e370.cab O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - 
»www.nvidia.com/content/DriverDow···lab2.cab O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - »download.divx.com/player/DivXBro···ugin.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
-- End of file - 8431 bytes
-- ~Safe Hex~ Team Discovery ~ Project Hope ~ Like A Hurricane~
CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
reply to fundamentalz
That put a good-sized dent in it. Just some remnants left, I think. Give me a few minutes to review the results entirely and I'll post back with some final steps to take.
CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
reply to fundamentalz
1. Please open Notepad - don't use any other text editor than Notepad or the script will fail.
2. Now copy/paste the entire content of the text you see in the black box below into the Notepad window:
File::
C:\WINDOWS\system32\d3d9caps.dat
C:\WINDOWS\BM671f7a6f.xml
C:\WINDOWS\system32\yalhhjii.dll
C:\WINDOWS\system32\myancbov.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\642c49f3]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM671f7a6f]
3. Save the notepad file above as: CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
* Combofix.txt
* A new HijackThis log.
-- It takes a disaster to make a woman out of a female Microsoft MVP/Windows Security 2003-2008 Proud Member of ASAP (Alliance of Security Analysis Professionals)
fundamentalz The Basics Premium join:2004-04-30 Moorpark, CA
ComboFix 08-05-12.1 - Hady 2008-05-15 11:31:14.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1498 [GMT -7:00] Running from: C:\Documents and Settings\Hady\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Hady\Desktop\CFScript.txt * Created a new restore point * Resident AV is active
FILE :: C:\WINDOWS\BM671f7a6f.xml C:\WINDOWS\system32\d3d9caps.dat C:\WINDOWS\system32\myancbov.dll C:\WINDOWS\system32\yalhhjii.dll .
((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) .
C:\WINDOWS\BM671f7a6f.xml C:\WINDOWS\system32\d3d9caps.dat
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:41:34 AM, on 5/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
-- End of file - 8357 bytes --
I subscribe to the theory of intellectual osmosis. Unfortunately, I must now cease our conversation and move away from you before my intelligence begins to drop. Good day.
| |   CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
| reply to fundamentalz
Looks good now.
How is your computer acting at this point?
Don't forget to turn back on your Security Programs. | |   fundamentalz The Basics Premium join:2004-04-30 Moorpark, CA
| said by CalamityJane : Looks good now. How is your computer acting at this point? Don't forget to turn back on your Security Programs.
It feels like things are back to normal now. Thanks a lot. By the way, do you know what it was that I was infected with, such as a keylogger?
Anyways, your efforts are very much appreciated.
-- I subscribe to the theory of intellectual osmosis. Unfortunately, I must now cease our conversation and move away from you before my intelligence begins to drop. Good day.
| |   CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
| What we removed was mostly Vundo related. It doesn't usually involve a keylogger (and the logs you posted didn't show signs of one), but I don't know what the other pre-cleaning you used may have removed.
Some final cleanup and prevention recommendations follow.
This step will uninstall the ComboFix tool, delete any remaining quarantined files, and reset your Windows Folder options to default (to rehide operating system files, etc), since it isn't needed anymore:
Click Start, then click Run. Enter into the command box that opens: combofix /u and then click OK.
Do a disk cleanup. Go to Start > Run and type in the box: Cleanmgr
Wait while Windows scans your system for files to delete. Make sure these 3 are checkmarked and press *ok* to delete them:
Temporary Files
Temporary Internet Files
Recycle Bin
Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows XP.......why?
One of the best features of Windows ME or XP is the System Restore option, however if a malware infects a computer with this operating system it can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after malware removal.
To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.
(winXP)
1. Turn off System Restore. Go to Start and right-click on *My Computer*. Click Properties. Click the System Restore tab. Put a Checkmark in the box next to "Turn off System Restore". Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore. Go to Start and right-click on *My Computer*. Click Properties. Click the System Restore tab. Remove the checkmark next to "Turn off System Restore". Click Apply, and then click OK.
How to Turn On and Turn Off System Restore in Windows XP »support.microsoft.com/default.as···s;310405
Also, I can't stress enough the importance of having your Windows critical Security Updates. Most malware today uses exploits on unpatched systems to creep onto your system without your even doing anything but visiting an infected webpage!! Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month. This is the first step in malware prevention, as many nasties now take advantage of new exploits and if not patched, you are vulnerable! Windows Update »update.microsoft.com/microsoftupdate/
Watch what you download, be careful where you surf, and don't trust attachments or even links in email and Instant messages. Even if they come from a buddy, that buddy could be the one infected and it is the virus sending that link from his account. You click on it thinking he is trusted, and *boom* you're infected. Many "Phishing" attempts are made by cleverly crafted email to look like it is coming from an "official" source (like Microsoft, or your bank, or some other provider). Don't click on links in those. Go directly to the site instead and navigate the menus - don't trust email you think came from a "safe source" unless you are expecting it! There is more in the link I will provide below, but those are the choice avenues of infection these days. Stay far AWAY from cracks and warez sites - you're sure to get infected files there, and the same can be said for files downloaded from p2p (more than half are usually infected and probably not detectable by your current security software - the newest nasties are always released in those venues).
A word about shared computers and networks. Share Your PC »www.microsoft.com/windowsxp/usin···tro.mspx Not all users need to have Admin Accounts. It is much safer to have most of your users on a shared system running as Limited User accounts. That way, if there is "an accident", it will only affect one user's account and not the entire system.
I also highly recommend to get the free tool, Microsoft Baseline Security Analyzer (MBSA) from Microsoft to analyze your PC security for prevention purposes.
MBSA Version 2.0 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program will identify the system security weaknesses in your browser and operating system and provides easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE Browser security settings.
Get the download here: Microsoft Baseline Security Analyzer »www.microsoft.com/technet/securi···ome.mspx
Choose MBSAsetup-EN.msi = (English Version) or the language appropriate for you.
-- It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2008
Proud Member of ASAP (Alliance of Security Analysis Professionals)
| |