Solved: Vundo Again


Junior Member with 15 posts.
 
Join Date: May 2008
Experience: Advanced
12-Jul-2008, 11:56 PM #1
Hi!

I seem to have re-infected my machine. I started getting write fail errors from my external hard drive. I'm sure it really is having problems, but in trying to fix this, I seem to have re-infected my PC with VUNDO. I used some tools to try to correct the problem myself, and seem to have only made things worse.

Here is the latest HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:42, on 7/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\SYSTEM32\srxTitan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TweakNow PowerPack 2006\VirDesk.exe
C:\Program Files\Qliner Hotkeys\HotKeys.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\DOCUME~1\john\LOCALS~1\Temp\clclean.0001
C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
C:\Program Files\CallStation\CStation.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CallStation\CStation.exe
C:\Program Files\Chameleon Clock\ChamClock.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\slrundll.exe
C:\Program Files\Sony Handheld\USBSwt.exe
C:\Program Files\Yahoo!\Yahoo! Autosync\AutosyncForYahoo.exe
C:\Program Files\YCIII\YankClip.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\Intellisync\PushSyncService\PushSyncService.exe
D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroDist.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://webmail.utdallas.edu/exchweb...hange&reason=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: {7c950ca9-5cdc-700a-0f74-7d2edb881904} - {409188bd-e2d7-47f0-a007-cdc59ac059c7} - C:\WINDOWS\system32\nalajc.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - D:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [VirtualDesk] C:\Program Files\TweakNow PowerPack 2006\VirDesk.exe
O4 - HKLM\..\Run: [00Hotkeys] "C:\Program Files\Qliner Hotkeys\HotKeys.exe"
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [CallControl 4.5] C:\Program Files\FaxTalk Communicator\FTCtrl32.exe /autoload
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKCU\..\Run: [CTZDetec.exe] C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
O4 - HKCU\..\Run: [CallStation] C:\Program Files\CallStation\CStation.exe
O4 - HKCU\..\Run: [HomeAlarm] C:\Program Files\Chameleon Clock\ChamClock.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: Yankee Clipper III.lnk = C:\Program Files\YCIII\YankClip.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Sony PDA USB Switcher.lnk = C:\Program Files\Sony Handheld\USBSwt.exe
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: Yahoo! Autosync.lnk = C:\Program Files\Yahoo!\Yahoo! Autosync\AutosyncForYahoo.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa...bs/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa...bs/tgctlsr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2785CCEF-6B5B-4453-BC4E-5219A9B6CB7E}: NameServer = 68.238.96.12,68.238.112.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{2785CCEF-6B5B-4453-BC4E-5219A9B6CB7E}: NameServer = 68.238.96.12,68.238.112.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{2785CCEF-6B5B-4453-BC4E-5219A9B6CB7E}: NameServer = 68.238.96.12,68.238.112.12
O17 - HKLM\System\CS3\Services\Tcpip\..\{2785CCEF-6B5B-4453-BC4E-5219A9B6CB7E}: NameServer = 68.238.96.12,68.238.112.12
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Titan FTP Server Daemon (SRTSERVERDAEMON) - South River Technologies, Inc. - C:\WINDOWS\SYSTEM32\srxTitan.exe

--
End of file - 13494 bytes

Thanks, as always,
jharveytx
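As an added illustration (not part of this thread, and not a tool the helpers here use): a small Python triage script that applies the checks a log reader does by eye to a handful of lines copied from the HijackThis log above, then cross-references them against the four system32 DLLs that the ComboFix log further down the thread lists under "Other Deletions". The sample lines and the deletion list are copied from this thread; the heuristics themselves (bare-CLSID BHO names, BHO DLLs sitting directly in system32, orphaned "(no file)" entries, services with no vendor string) are this example's own and are only prompts for a closer look, not verdicts.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: six lines copied from the HijackThis log posted in this
# thread. Only the "section - kind: name - middle - path" lines are parsed.
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: {7c950ca9-5cdc-700a-0f74-7d2edb881904} - {409188bd-e2d7-47f0-a007-cdc59ac059c7} - C:\WINDOWS\system32\nalajc.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
"""

# The "Other Deletions" DLLs from the ComboFix log posted later in the thread.
COMBOFIX_DELETIONS = [
    r"C:\WINDOWS\system32\fafgavmd.dll",
    r"C:\WINDOWS\system32\gxiens.dll",
    r"C:\WINDOWS\system32\nalajc.dll",
    r"C:\WINDOWS\system32\nnhbofqa.dll",
]

LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# A path directly inside <drive>:\windows\system32 (compared lower-cased).
SYSDIR_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$")


@dataclass
class Entry:
    section: str                # HijackThis section code, e.g. "O2"
    kind: str                   # "BHO", "Toolbar", "Protocol", "Service", ...
    name: str                   # display name as HijackThis prints it
    middle: str                 # CLSID for O2/O3/O18, vendor string for O23
    path: Optional[str]         # None when HijackThis reports "(no file)"
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis line; returns None for lines of other shapes."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.groups()
    parts = rest.split(" - ")
    if len(parts) < 3:
        return None
    path = parts[-1].strip()
    return Entry(section, kind, parts[0].strip(),
                 " - ".join(parts[1:-1]).strip(),
                 None if path == "(no file)" else path)


def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e]


def triage(entry: Entry, deleted: set) -> Entry:
    """Attach reasons for a closer look; an empty list means nothing odd."""
    if entry.section in ("O2", "O3", "O18") and entry.path is None:
        entry.reasons.append("orphaned: component registered but its file is gone")
    if entry.section == "O2":
        if GUID_RE.match(entry.name):
            entry.reasons.append("BHO display name is a bare CLSID, not a product name")
        if entry.path and SYSDIR_RE.match(entry.path.lower()):
            entry.reasons.append("BHO DLL sits directly in the Windows system directory")
    if entry.section == "O23" and entry.middle == "Unknown owner":
        entry.reasons.append("service carries no vendor string")
    if entry.path and entry.path.lower() in deleted:
        entry.reasons.append("file was later removed by ComboFix")
    return entry


def triage_log(text: str, deletions: List[str]) -> List[Entry]:
    deleted = {p.lower() for p in deletions}
    return [triage(e, deleted) for e in parse_log(text)]


def flagged(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.reasons]


if __name__ == "__main__":
    for e in flagged(triage_log(HJT_SAMPLE, COMBOFIX_DELETIONS)):
        print(f"{e.section} {e.kind}: {e.name} -> {e.path or '(no file)'}")
        for r in e.reasons:
            print("   -", r)
```

Run against the sample, the GUID-named BHO loading nalajc.dll collects three reasons, while the SiteAdvisor BHO (a "(no name)" entry under Program Files) collects none, which is the distinction a helper draws before deciding what to fix.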
Distinguished Member with 6,727 posts.
 
Join Date: Sep 2005
Location: Florida
Experience: Advanced
13-Jul-2008, 07:39 PM #2
Welcome to TSG

Download Combofix from this webpage: http://www.bleepingcomputer.com/comb...o-use-combofix

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.


--------------------------------------------------------------------

Double-click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
__________________
My Blog
Microsoft Valuable Professional Consumer--Security 2007-2009
If i have helped you, please make a donation to keep the site running. All proceeds go directly to the site!!! Donate Here
Concerned about Browser Security!!! Consider Mozilla Firefox 3.0 and NoScript
Operating System Ubuntu Hardy Heron 8.04
Junior Member with 15 posts.
 
Join Date: May 2008
Experience: Advanced
13-Jul-2008, 10:00 PM #3
Thanks for your help. Here is the combofix log:

ComboFix 08-07-13.6 - john 2008-07-13 20:26:54.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1481 [GMT -5:00]
Running from: C:\Documents and Settings\john\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.WINDOWS\Documents\My Videos\Desktop.ini
C:\Documents and Settings\john\My Documents\My Videos\Desktop.ini
C:\WINDOWS\system32\fafgavmd.dll
C:\WINDOWS\system32\gxiens.dll
C:\WINDOWS\system32\nalajc.dll
C:\WINDOWS\system32\nnhbofqa.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-14 to 2008-07-14 )))))))))))))))))))))))))))))))
.

2008-07-13 13:42 . 2008-07-13 13:42 <DIR> d-------- C:\WINDOWS\Sun
2008-07-13 13:42 . 2008-07-13 20:24 <DIR> d-------- C:\Documents and Settings\john\.housecall6.6
2008-07-13 13:42 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-07-11 13:17 . 2008-07-11 13:17 156 --a------ C:\WINDOWS\Twunk001.MTX
2008-07-11 13:17 . 2008-07-11 13:17 2 --a------ C:\WINDOWS\Twain001.Mtx
2008-07-11 13:17 . 2008-07-11 13:17 0 --a------ C:\WINDOWS\Twunk002.MTX
2008-07-10 22:55 . 2008-07-10 22:55 77,920 --a------ C:\WINDOWS\SYSTEM32\GDIPFONTCACHEV1.DAT
2008-07-10 22:35 . 2004-08-04 07:00 4,224 --a------ C:\WINDOWS\SYSTEM32\beep.sys
2008-07-08 21:21 . 2008-07-08 21:21 <DIR> d-------- C:\Documents and Settings\john\Application Data\Earthsim
2008-07-08 07:45 . 2008-07-08 07:45 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SlySoft
2008-07-08 07:44 . 2008-07-08 07:44 0 ---hs---- C:\WINDOWS\SB6511B5C.tmp
2008-07-05 00:28 . 2008-07-05 00:28 <DIR> d-------- C:\Documents and Settings\john\Application Data\Bitstream
2008-07-05 00:26 . 2008-07-05 00:26 <DIR> d-------- C:\Program Files\Corel
2008-07-05 00:23 . 2008-07-05 00:23 82,594 --a------ C:\WINDOWS\ATMREG.ATM
2008-07-05 00:19 . 2008-07-05 00:19 <DIR> d-------- C:\PSFONTS
2008-07-05 00:19 . 2008-07-05 00:19 <DIR> d-------- C:\Program Files\Adobe Type Manager
2008-07-05 00:19 . 2000-05-24 15:20 15,360 --a------ C:\WINDOWS\SYSTEM32\ATMsrvc.exe
2008-07-04 14:37 . 2008-07-04 14:37 <DIR> d-------- C:\Documents and Settings\john\Application Data\PushSyncData
2008-07-04 14:37 . 2008-07-04 14:37 <DIR> d-------- C:\Documents and Settings\john\Application Data\AutoSync for Yahoo
2008-07-04 14:30 . 2008-07-04 14:30 <DIR> d-------- C:\Program Files\Common Files\Intellisync
2008-07-04 13:38 . 2008-07-04 14:33 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-07-04 13:37 . 2008-07-04 13:37 <DIR> d-------- C:\Program Files\Common Files\Deterministic Networks
2008-07-04 13:37 . 2008-07-04 13:37 <DIR> d-------- C:\Program Files\Cisco Systems
2008-07-04 13:37 . 2007-01-31 13:45 127,376 --a------ C:\WINDOWS\SYSTEM32\drivers\dne2000.sys
2008-07-04 13:37 . 2007-01-31 13:45 101,904 --a------ C:\WINDOWS\SYSTEM32\dneinobj.dll
2008-07-04 13:37 . 2008-07-04 13:38 1,594 --a------ C:\WINDOWS\VPNInstall.MIF
2008-07-02 21:26 . 2008-07-13 11:38 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-07-02 19:39 . 2008-07-02 19:39 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-07-01 22:35 . 2008-07-01 22:37 <DIR> d-------- C:\Program Files\Common Files\Nero2
2008-07-01 22:09 . 2008-07-01 22:10 <DIR> d-------- C:\WINDOWS\SYSTEM32\Adobe
2008-06-28 14:38 . 2001-05-31 08:45 36,864 --a------ C:\WINDOWS\SYSTEM32\PalmDevC.dll
2008-06-28 14:19 . 1999-02-06 21:12 2,563,072 --a------ C:\WINDOWS\SYSTEM32\iplA6.dll
2008-06-28 14:19 . 1999-02-06 21:12 2,454,528 --a------ C:\WINDOWS\SYSTEM32\iplM6.dll
2008-06-28 14:19 . 1999-02-06 21:12 2,363,392 --a------ C:\WINDOWS\SYSTEM32\iplM5.dll
2008-06-28 14:19 . 1999-02-06 21:12 2,250,752 --a------ C:\WINDOWS\SYSTEM32\iplP6.dll
2008-06-28 14:19 . 1999-02-06 21:12 2,206,208 --a------ C:\WINDOWS\SYSTEM32\iplPX.dll
2008-06-28 14:19 . 1999-02-06 21:12 2,153,984 --a------ C:\WINDOWS\SYSTEM32\iplP5.dll
2008-06-28 14:19 . 1999-02-06 21:11 69,120 --a------ C:\WINDOWS\SYSTEM32\ipl.dll
2008-06-28 14:19 . 1998-06-17 18:08 53,248 --a------ C:\WINDOWS\SYSTEM32\MFC42LOC.DLL
2008-06-28 14:19 . 1999-02-02 15:59 19,968 --a------ C:\WINDOWS\SYSTEM32\Cpuinf32.dll
2008-06-26 07:46 . 2008-06-26 07:46 <DIR> d-------- C:\Program Files\NextUp-ScanSoft
2008-06-24 22:15 . 2008-06-24 22:20 <DIR> d-------- C:\Program Files\No-IP
2008-06-21 11:12 . 2008-06-21 11:12 <DIR> d-------- C:\Documents and Settings\Maggie\Application Data\Nero
2008-06-21 08:54 . 2008-06-21 08:54 <DIR> d-------- C:\Documents and Settings\Rose.BATCRAY\Application Data\ThumbsPlus
2008-06-20 17:05 . 2008-06-20 17:17 <DIR> d-------- C:\DVDVolume
2008-06-18 13:16 . 2008-02-28 13:26 1,414,440 --a------ C:\WINDOWS\SYSTEM32\ShellManager310E2D762.dll
2008-06-18 13:16 . 2008-02-28 13:01 774,144 --a------ C:\WINDOWS\SYSTEM32\NEROINSTAEC43759.DB
2008-06-18 13:15 . 2008-06-18 13:15 0 --a------ C:\WINDOWS\Irremote.ini
2008-06-15 23:19 . 2008-06-15 23:19 <DIR> d-------- C:\Program Files\NeroInstall.bak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-14 01:25 --------- d-----w C:\Program Files\Chameleon Clock
2008-07-14 00:00 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\SiteAdvisor
2008-07-13 18:42 --------- d-----w C:\Program Files\Java
2008-07-13 16:42 --------- d-----w C:\Documents and Settings\john\Application Data\Azureus
2008-07-13 04:18 --------- d-----w C:\Program Files\Thumbs7
2008-07-12 22:02 --------- d-----w C:\Program Files\Folder Lock
2008-07-11 04:32 --------- d-----w C:\Program Files\DirectUpdate
2008-07-10 13:06 --------- d-----w C:\Program Files\Winamp
2008-07-10 13:00 --------- d-----w C:\Documents and Settings\john\Application Data\Winamp
2008-07-10 12:56 --------- d-----w C:\Program Files\NewsRover
2008-07-10 12:39 --------- d-----w C:\Program Files\SHOUTcast
2008-07-09 02:22 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-07-09 02:22 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Earthsim
2008-07-09 02:12 --------- d-----w C:\Program Files\Nero
2008-07-08 12:34 --------- d-----w C:\Program Files\SuperCat
2008-07-08 12:34 --------- d-----w C:\Program Files\CloneDVD
2008-07-04 19:30 --------- d-----w C:\Program Files\Yahoo!
2008-07-03 11:45 --------- d-----w C:\Documents and Settings\john\Application Data\dvdcss
2008-07-03 00:23 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Nero
2008-07-03 00:04 --------- d-----w C:\Documents and Settings\john\Application Data\Nero
2008-07-01 23:43 --------- d-----w C:\Program Files\Azureus
2008-06-28 19:42 --------- d-----w C:\Program Files\ISCLIE
2008-06-28 19:38 --------- d-----w C:\Program Files\Sony Handheld
2008-06-28 19:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-28 19:19 --------- d-----w C:\Program Files\Sony
2008-06-20 20:48 --------- d-----w C:\Program Files\DVDlabPro2
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-19 00:05 --------- d-----w C:\Program Files\PC Doc Pro
2008-06-14 03:34 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Minnetonka Audio Software
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 00:46 --------- d-----w C:\Program Files\Virtual Earth 3D
2008-06-07 14:53 102,400 ----a-w C:\WINDOWS\Winamp Now Playing.scr
2008-06-06 17:09 --------- d-----w C:\Program Files\Cat Daddy Games
2008-06-05 12:35 --------- d-----w C:\Program Files\Google
2008-06-05 12:12 --------- d-----w C:\Program Files\Seagate
2008-06-05 12:11 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-05 12:10 --------- d-----w C:\Program Files\CallStation
2008-06-05 00:06 625,152 ----a-w C:\WINDOWS\SYSTEM32\mp3tsshx.dll
2008-06-01 16:11 --------- d-----w C:\Documents and Settings\john\Application Data\SuperNZB
2008-06-01 06:28 --------- d-----w C:\Program Files\SuperNZB
2008-05-31 17:34 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-05-31 17:34 --------- d-----w C:\Documents and Settings\john\Application Data\Malwarebytes
2008-05-31 17:34 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-05-31 03:48 --------- d-----w C:\Documents and Settings\john\Application Data\RateMyScreensaver
2008-05-30 23:40 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-05-30 23:39 --------- d-----w C:\Program Files\Lavasoft
2008-05-30 06:06 34,296 ----a-w C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-30 06:06 15,864 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-05-30 02:51 --------- d-----w C:\Program Files\CleanUp!
2008-05-29 12:44 --------- d-----w C:\Documents and Settings\john\Application Data\SiteAdvisor
2008-05-28 12:23 --------- d-----w C:\Documents and Settings\Administrator.BATCRAY\Application Data\Helios
2008-05-28 01:41 --------- d-----w C:\Documents and Settings\john\Application Data\ArcSoft
2008-05-27 03:40 --------- d-----w C:\Program Files\MagicDisc
2008-05-25 20:20 21,840 ----atw C:\WINDOWS\SYSTEM32\SIntfNT.dll
2008-05-25 20:20 17,212 ----atw C:\WINDOWS\SYSTEM32\SIntf32.dll
2008-05-25 20:20 12,067 ----atw C:\WINDOWS\SYSTEM32\SIntf16.dll
2008-05-25 20:02 --------- d-----w C:\Program Files\FaxTalk Communicator
2008-05-24 15:30 --------- d-----w C:\Program Files\SiteAdvisor
2008-05-23 12:17 --------- d-----w C:\Program Files\Quicken
2008-05-23 12:15 --------- d-----w C:\Program Files\Common Files\AnswerWorks 5.0
2008-05-22 12:29 --------- d-----w C:\Program Files\Winamp Remote
2008-05-22 03:34 --------- d-----w C:\Documents and Settings\john\Application Data\Sony Corporation
2008-05-18 15:07 --------- d-----w C:\Documents and Settings\Rose.BATCRAY\Application Data\Nero
2008-05-17 05:14 35,363 ----a-w C:\WINDOWS\SYSTEM32\windrvNT.sys
2008-05-17 03:29 --------- d-----w C:\Program Files\MagicISO
2008-05-16 11:20 --------- d-----w C:\Program Files\Audio Caller ID
2008-05-16 11:20 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Impulse Technology
2008-05-16 11:20 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\GrebleSoft
2008-05-16 03:29 --------- d-----w C:\Documents and Settings\john\Application Data\Audio Caller ID
2008-05-14 03:21 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
2008-04-18 12:32 127,034 ------r C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
2008-02-14 12:07 984,576 ----a-w C:\Documents and Settings\john\Application Data\kernel33.dll
2008-01-10 02:45 53,884,718 ----a-w C:\Program Files\NewsRover.rar
2006-11-28 09:07 271 --sh--w C:\Program Files\desktop.ini
2006-11-28 09:07 21,952 ---ha-w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((( snapshot_2008-07-11_ 0.20.17.25 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-11 05:14:17 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-13 18:31:44 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-07-11 05:14:45 202,248 ----a-w C:\WINDOWS\SYSTEM32\inetsrv\MetaBase.bin
+ 2008-07-13 18:32:13 202,259 ----a-w C:\WINDOWS\SYSTEM32\inetsrv\MetaBase.bin
+ 2008-06-10 06:21:01 135,168 ----a-w C:\WINDOWS\SYSTEM32\java.exe
+ 2008-06-10 06:21:04 135,168 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2008-06-10 07:32:34 139,264 ----a-w C:\WINDOWS\SYSTEM32\javaws.exe
+ 2008-07-13 18:32:07 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_51c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTZDetec.exe"="C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe" [2007-12-18 15:20 401408]
"CallStation"="C:\Program Files\CallStation\CStation.exe" [2007-12-10 16:00 1335296]
"HomeAlarm"="C:\Program Files\Chameleon Clock\ChamClock.exe" [2004-09-24 18:06 845312]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2008-02-28 18:07 132392]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-07-02 21:54 160592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"VirtualDesk"="C:\Program Files\TweakNow PowerPack 2006\VirDesk.exe" [2007-01-11 14:13 1885184]
"00Hotkeys"="C:\Program Files\Qliner Hotkeys\HotKeys.exe" [2006-12-01 19:13 45056]
"VoiceCenter"="C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" [2004-08-24 09:31 1331200]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2007-07-26 20:57 36640]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-09-20 16:50 1404928]
"Acrobat Assistant 8.0"="D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-03-29 22:14 624248]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 17:40 1884160]
"HPHUPD06"="C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-06 23:53 49152]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 14:38 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 16:18 241664]
"CallControl 4.5"="C:\Program Files\FaxTalk Communicator\FTCtrl32.exe" [2004-03-23 15:43 123904]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2008-04-28 17:14 570664]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 14:21 57344]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"MBMon"="CTMBHA.DLL" [2004-08-24 09:56 1344596 C:\WINDOWS\SYSTEM32\CTMBHA.DLL]

C:\Documents and Settings\john.BRUCEWAYNE\Start Menu\Programs\Startup\
Dragon NaturallySpeaking.lnk - C:\Program Files\ScanSoft\NaturallySpeaking8\Program\natspeak.exe [2005-04-04 09:37:50 1994752]
Hotkeys.lnk - C:\WINNT\Installer\{C1D1E3E7-0A50-426D-8FAD-64112F6C7184}\_4d064db7.exe [2006-12-04 00:35:16 25214]
HotSync Manager.lnk - C:\Program Files\Sony Handheld\HOTSYNC.EXE [2007-01-12 09:14:27 299008]
Yankee Clipper III.lnk - C:\Program Files\YCIII\YankClip.exe [2006-12-04 17:20:11 1368064]

C:\Documents and Settings\john\Start Menu\Programs\Startup\
Yankee Clipper III.lnk - C:\Program Files\YCIII\YankClip.exe [2006-12-04 17:20:11 1368064]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Sony Handheld\HOTSYNC.EXE [2007-01-12 09:14:27 299008]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\digital imaging\bin\hpqtra08.exe [2004-05-28 23:31:38 241664]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\digital imaging\bin\hpqthb08.exe [2004-05-29 00:06:36 53248]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-04-18 07:32:33 67128]
Sony PDA USB Switcher.lnk - C:\Program Files\Sony Handheld\USBSwt.exe [2007-01-12 09:14:33 57344]
VPN Client.lnk - C:\WINDOWS\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2008-07-04 13:38:14 6144]
Yahoo! Autosync.lnk - C:\Program Files\Yahoo!\Yahoo! Autosync\AutosyncForYahoo.exe [2007-08-21 14:28:52 391680]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 11 (0xb)
"NoStartMenuMFUprogramsList"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\SYSTEM32\\mmc.exe"=
"C:\\Program Files\\SHOUTcast\\sc_serv.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Winamp\\winamp.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"C:\\Program Files\\Xlight\\xlight.exe"=
"C:\\Program Files\\NetCID\\NetCID.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"C:\\Program Files\\Common Files\\Nero\\Nero Web\\SetupX.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"9000:TCP"= 9000:TCP:Seizures In Stereo Stream TCP
"9000:UDP"= 9000:UDP:Seizures In Stereo Stream UDP
"8181:TCP"= 8181:TCP:RocketGirlz.net TCP
"8181:UDP"= 8181:UDP:RocketGirlz.net UDP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"9090:TCP"= 9090:TCP:SquareHolePress TCP
"9090:UDP"= 9090:UDP:SquareHolePress UDP
"5151:TCP"= 5151:TCP:AjaxAmp TCP
"5151:UDP"= 5151:UDP:AjaxAmp UDP
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 SRTSERVERDAEMON;Titan FTP Server Daemon;C:\WINDOWS\SYSTEM32\srxTitan.exe [2007-12-09 22:03]
R3 Dot4Usb HPH09;Dot4Usb HPH09;C:\WINDOWS\system32\drivers\hphius09.sys [2006-01-13 01:46]
S1 atitray;atitray;C:\Program Files\Radeon Omega Drivers\v4.8.442\ATI Tray Tools\atitray.sys []
S3 CTSFSYN;Creative SoundFont Synth;C:\WINDOWS\system32\drivers\ctsfsyn.sys [2004-08-24 10:03]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 07:00]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 07:00]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 07:00]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 07:00]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 00:01]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\P]
\Shell\AutoRun\command - P:\setup.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-25 11:38:17 C:\WINDOWS\Tasks\20080226_221800_john.job"
- C:\Program Files\Nero\Nero8\Nero BackItUp\BackItUp.exe
"2008-07-13 23:47:03 C:\WINDOWS\Tasks\HP Usg Daily FY04.job"
- C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped06.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-13 20:30:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
Completion time: 2008-07-13 20:31:53
ComboFix-quarantined-files.txt 2008-07-14 01:31:50
ComboFix2.txt 2008-07-11 05:20:41
ComboFix3.txt 2008-05-31 16:25:02
ComboFix4.txt 2008-05-31 02:19:18

Pre-Run: 20,203,913,216 bytes free
Post-Run: 20,233,965,568 bytes free

290 --- E O F --- 2008-07-08 23:27:17
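The registry dump in the ComboFix log above is where the exposure shows up: Security Center monitoring switched off, a P2P client and a long list of globally open ports in the Windows Firewall exceptions, inbound ping allowed, and an AutoRun command registered for drive P: (the mountpoints2 entry is how a setup.exe on a removable or external drive gets launched on insertion). The following is an added example, not part of the poster's log or of ComboFix: a small parser for that dump layout with a checklist audit over it. The sample dump is constructed for the example (keys written unbroken, a couple of port names changed), and the P2P name list and the remote-admin port table are assumptions, not anything the log states.

```python
import re

# Constructed sample for this example: a shortened registry dump in the same
# layout ComboFix prints (sections in [brackets], "name"= value lines, and the
# mountpoints2 AutoRun line). Not the poster's full log.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"9000:TCP"= 9000:TCP:Example Stream TCP
"9000:UDP"= 9000:UDP:Example Stream UDP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\P]
\Shell\AutoRun\command - P:\setup.exe
"""

SECTION_RE = re.compile(r'^\[(?P<key>.+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.*)$')
AUTORUN_RE = re.compile(r'^(?P<name>\\Shell\\AutoRun\\command)\s+-\s+(?P<cmd>.+)$')

# Assumed: ports whose exposure means remote control of the box, not a media stream.
REMOTE_ADMIN_PORTS = {21: 'FTP', 23: 'Telnet', 3389: 'RDP', 5900: 'VNC'}
# Assumed: substrings that identify P2P clients in the firewall exception list.
P2P_HINTS = ('azureus', 'utorrent', 'bittorrent', 'limewire', 'kazaa', 'emule')


def parse_dump(text):
    """Map each [section key] to its list of (name, value) pairs."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group('key')
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            sections[current].append((m.group('name'), m.group('value').strip()))
            continue
        m = AUTORUN_RE.match(line)
        if m:
            sections[current].append((m.group('name'), m.group('cmd').strip()))
    return sections


def audit(sections):
    """Return (category, subject, detail) tuples for the settings worth a second look."""
    findings = []
    for key, values in sections.items():
        k = key.lower()
        if 'security center\\monitoring' in k:
            for name, value in values:
                if name.lower() == 'disablemonitoring' and value.lower().endswith('1'):
                    # Third-party AV suites set this legitimately; check it matches the installed product.
                    findings.append(('security-center', key.rsplit('\\', 1)[-1], 'monitoring disabled'))
        elif k.endswith('authorizedapplications\\list'):
            for name, _ in values:
                if any(hint in name.lower() for hint in P2P_HINTS):
                    findings.append(('p2p-exception', name, 'P2P client allowed through the firewall'))
        elif k.endswith('globallyopenports\\list'):
            for name, value in values:
                port, proto = name.split(':', 1)          # "3389:TCP"
                desc = value.split(':', 2)[-1]            # text after "3389:TCP:"
                tag = REMOTE_ADMIN_PORTS.get(int(port), 'review')
                findings.append(('open-port', f'{port}/{proto}', f'{tag}: {desc}'))
        elif k.endswith('icmpsettings'):
            for name, value in values:
                if name == 'AllowInboundEchoRequest' and value.startswith('1'):
                    findings.append(('icmp', name, 'host answers inbound ping'))
        elif 'mountpoints2\\' in k:
            drive = key.rsplit('\\', 1)[-1]               # the trailing "\P" is the drive letter
            for name, value in values:
                if name.lower().endswith('autorun\\command'):
                    findings.append(('autorun', drive, value))
    return findings


def audit_text(text):
    return audit(parse_dump(text))


if __name__ == '__main__':
    for category, subject, detail in audit_text(SAMPLE_DUMP):
        print(f'{category:16} {subject:42} {detail}')
```

Run against a real ComboFix report, the open-port list is the part to act on first: every entry there is reachable from any network the machine joins, and 3389/TCP is Remote Desktop. The AutoRun finding is the one to clear before the external drive is plugged back in.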
jharveytx (Junior Member with 15 posts; Join Date: May 2008; Experience: Advanced)
13-Jul-2008, 10:01 PM #4
Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:56, on 7/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\SYSTEM32\srxTitan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TweakNow PowerPack 2006\VirDesk.exe
C:\Program Files\Qliner Hotkeys\HotKeys.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Sony Handheld\USBSwt.exe
C:\Program Files\Yahoo!\Yahoo! Autosync\AutosyncForYahoo.exe
C:\Program Files\Common Files\Intellisync\PushSyncService\PushSyncService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://webmail.utdallas.edu/exchweb...hange&reason=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - D:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [VirtualDesk] C:\Program Files\TweakNow PowerPack 2006\VirDesk.exe
O4 - HKLM\..\Run: [00Hotkeys] "C:\Program Files\Qliner Hotkeys\HotKeys.exe"
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [CallControl 4.5] C:\Program Files\FaxTalk Communicator\FTCtrl32.exe /autoload
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [CTZDetec.exe] C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
O4 - HKCU\..\Run: [CallStation] C:\Program Files\CallStation\CStation.exe
O4 - HKCU\..\Run: [HomeAlarm] C:\Program Files\Chameleon Clock\ChamClock.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: Yankee Clipper III.lnk = C:\Program Files\YCIII\YankClip.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Sony PDA USB Switcher.lnk = C:\Program Files\Sony Handheld\USBSwt.exe
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: Yahoo! Autosync.lnk = C:\Program Files\Yahoo!\Yahoo! Autosync\AutosyncForYahoo.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa...bs/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa...bs/tgctlsr.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/downlo...BundleId=23100
O17 - HKLM\System\CCS\Services\Tcpip\..\{2785CCEF-6B5B-4453-BC4E-5219A9B6CB7E}: NameServer = 68.238.96.12,68.238.112.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{2785CCEF-6B5B-4453-BC4E-5219A9B6CB7E}: NameServer = 68.238.96.12,68.238.112.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{2785CCEF-6B5B-4453-BC4E-5219A9B6CB7E}: NameServer = 68.238.96.12,68.238.112.12
O17 - HKLM\System\CS3\Services\Tcpip\..\{2785CCEF-6B5B-4453-BC4E-5219A9B6CB7E}: NameServer = 68.238.96.12,68.238.112.12
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Titan FTP Server Daemon (SRTSERVERDAEMON) - South River Technologies, Inc. - C:\WINDOWS\SYSTEM32\srxTitan.exe

--
End of file - 13467 bytes
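A HijackThis log is reviewed section by section (O2 BHOs, O3 toolbars, O4 autostarts, O16 downloaded ActiveX objects, O17 DNS servers, O23 services), and the first pass is mechanical: find the dangling CLSID entries that point at "(no file)", the autostarts that load a DLL through rundll32 by bare name, the resolvers that are not the ones the owner expects, and the services without a publisher string. The following is an added example, not the poster's code or any HijackThis tool: a parser for the O-line format with that first-pass triage over a handful of lines excerpted from the log above (truncated URLs left exactly as the forum rendered them). Which DNS servers count as trusted is an input the reviewer supplies; the example makes no claim about the addresses in this log.

```python
import re

# Sample input: lines excerpted from the HijackThis log posted above.
SAMPLE_HJT = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/downlo...BundleId=23100
O17 - HKLM\System\CCS\Services\Tcpip\..\{2785CCEF-6B5B-4453-BC4E-5219A9B6CB7E}: NameServer = 68.238.96.12,68.238.112.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{2785CCEF-6B5B-4453-BC4E-5219A9B6CB7E}: NameServer = 68.238.96.12,68.238.112.12
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
"""

ENTRY_RE = re.compile(r'^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$')
# Sections whose entries are CLSID registrations; "(no file)" there is a dangling registration.
CLSID_SECTIONS = {'O2', 'O3', 'O9', 'O18', 'O20', 'O21', 'O22'}


def parse_hjt(text):
    """Split a HijackThis log into (section code, body) pairs; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group('code'), m.group('body')))
    return entries


def triage(entries, trusted_dns=frozenset()):
    """Return (code, category, detail) tuples for the entries a log reviewer checks first.

    trusted_dns: resolver addresses the owner expects (ISP or router). Anything else is
    reported once, so a changed NameServer is not lost among the duplicated control sets.
    """
    findings, unknown_dns = [], []
    for code, body in entries:
        if code in CLSID_SECTIONS and body.endswith('(no file)'):
            findings.append((code, 'orphaned-entry', body))
        elif code == 'O17':
            m = re.search(r'NameServer = (.+)$', body)
            for server in (m.group(1).split(',') if m else []):
                server = server.strip()
                if server not in trusted_dns and server not in unknown_dns:
                    unknown_dns.append(server)
        elif code == 'O4':
            m = re.search(r'\brundll32(?:\.exe)?\s+"?([^",]+)', body, re.IGNORECASE)
            if m and not re.match(r'^[A-Za-z]:\\', m.group(1)):
                # DLL given without a path is found via the loader search order; confirm which file loads.
                findings.append((code, 'rundll32-unqualified-dll', m.group(1).strip()))
        elif code == 'O16':
            m = re.search(r' - (https?://\S+)$', body)
            if m:
                findings.append((code, 'activex-download', m.group(1)))
        elif code == 'O23' and ('Unknown owner' in body or ' - - ' in body):
            findings.append((code, 'service-no-publisher', body))
    if unknown_dns:
        findings.append(('O17', 'dns-review', ','.join(unknown_dns)))
    return findings


if __name__ == '__main__':
    for code, category, detail in triage(parse_hjt(SAMPLE_HJT)):
        print(f'{code:4} {category:25} {detail}')
```

None of these categories is a verdict; an orphaned toolbar entry is clutter, an unqualified rundll32 DLL is usually a vendor tray utility, and an unrecognised resolver is often just the ISP. The point of the pass is to shrink a 200-line log to the dozen entries that need a human look.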
sjpritch25 (Distinguished Member with 6,727 posts; Join Date: Sep 2005; Location: Florida; Experience: Advanced)
13-Jul-2008, 10:06 PM #5
How is everything running??
jharveytx (Junior Member with 15 posts; Join Date: May 2008; Experience: Advanced)
13-Jul-2008, 11:04 PM #6
Everything seems okay now -- I don't know if I should trust the good feeling, though.
sjpritch25 (Distinguished Member with 6,727 posts; Join Date: Sep 2005; Location: Florida; Experience: Advanced)
14-Jul-2008, 06:02 AM #7
Well, everything is gone according to the logs. However, you will still be getting infected unless you uninstall both of your P2P programs. Vundo is all over P2P networks. Unless you remove those programs, you will be back.

Go to Start ---> Run ---> Type ComboFix /u and press Enter. The command will remove ComboFix and create a fresh Restore Point.

Here is some useful information on keeping your computer clean:
  1. Most important thing is to make sure Windows is kept up to date with the latest patches and updates from Windows Update.
  2. Here are two great preventive programs:
     1. SpywareBlaster protects you from malicious ActiveX controls and cookies. Make sure and check for updates twice a month.
     2. Surf safe with McAfee's SiteAdvisor. SiteAdvisor will work with Internet Explorer and Mozilla Firefox. SiteAdvisor is a browser plugin that assigns a safety rating to domains listed in your search engine. SiteAdvisor uses the following color codes to indicate the safety level of each site:
        1. Red for Warning
        2. Yellow for Use Caution
        3. Green for Safe
        4. Grey for Unknown
     Here are the links to install SiteAdvisor in Internet Explorer and Firefox.
  • Anti-Spyware Programs I Recommend:
     • Free Anti-Spyware Programs
        1. MalwareBytes Anti-Malware
        2. Lavasoft's Ad-Aware SE Personal
        3. Windows Defender
     • Free Firewalls
        1. Sunbelt Personal Firewall
        2. ZoneAlarm Free Firewall by Check Point
__________________
My Blog
Microsoft Valuable Professional Consumer--Security 2007-2009
If I have helped you, please make a donation to keep the site running. All proceeds go directly to the site!!! Donate Here
Concerned about Browser Security!!! Consider Mozilla Firefox 3.0 and NoScript
Operating System: Ubuntu Hardy Heron 8.04
jharveytx (Junior Member with 15 posts; Join Date: May 2008; Experience: Advanced)
14-Jul-2008, 10:53 AM #8
It looks like I'm still having some problems. My machine is taking ages to boot up, and once it is up, it hangs pretty soon after logging on. Could this be related to my external hard drive? I still experience problems with the drive turned off.
sjpritch25 (Distinguished Member with 6,727 posts; Join Date: Sep 2005; Location: Florida; Experience: Advanced)
14-Jul-2008, 04:35 PM #9
Really hard to say. What are your system specs, for example memory, CPU, age of computer?
jharveytx (Junior Member with 15 posts; Join Date: May 2008; Experience: Advanced)
14-Jul-2008, 06:06 PM #10
I think I have the startup issue figured out, so I'm going to mark this as solved. If the slow startup issue returns, I'll be back to open another ticket and annoy you all again.

Thanks for the excellent help.
Copyright © 1996 - 2008 TechGuy, Inc. All rights reserved.