
Virtumonde

Discussion in 'Virus & Other Malware Removal' started by Adam_Black, Dec 12, 2007.

  1. Adam_Black

    Adam_Black Thread Starter

    Joined:
    Aug 12, 2003
    Messages:
    141
    Hi guys,

    My computer was recently infected with what I believe to be a virus named 'Virtumonde' (which will teach me to be more careful around the less salubrious avenues of the Internet). Spybot detected a load of files when I ran it and got rid of them, and HijackThis/Killbox a couple more on my own initiative, so I'd like to think I've got rid of the more malicious part of the program (the keylogger), but the pop-ups are still there, and explorer.exe keeps restarting itself, which I understand is due to the virus 'hooking' itself into it somehow, which is probably going to make this a tough nut to crack.

    So, where do I start?
     
  2. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    hi, welcome to TSG.

    Download HijackThis from the link below. Please do this. Click here:

    http://www.thespykiller.co.uk/files/hijackthis_sfx.exe

    to download HijackThis. Click scan and save a logfile, then post it here so we can take a look at it for you. Don't click fix on anything in HijackThis, as most of the files are legitimate.



    Download ComboFix from Here or Here to your Desktop.

    Reboot to Safe mode:

    Restart your computer and begin tapping the F8 key on your keyboard just
    before Windows starts to load. If done right a Windows Advanced Options menu
    will appear. Select the Safe Mode option and press Enter.

    Perform the following actions in Safe Mode.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
    Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

    Post the HijackThis log and the ComboFix log!
     
  3. Adam_Black

    Adam_Black Thread Starter

    Joined:
    Aug 12, 2003
    Messages:
    141
    Thanks for welcoming me to the forums despite the fact you joined six months after I did, that's a very friendly attitude!

    When I try to start ComboFix.exe I get an error message telling me it is "not a valid Win32 application".

    This is my HijackThis log, though I don't expect you'll find anything in it.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 00:02:07, on 13/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\UAService7.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Acer\Empowering Technology\eRecovery\Monitor.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\Program Files\Acer\Acer eMode Management\AspireService.exe
    C:\Program Files\Acer\Acer eConsole\MediaSync.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABE.EXE
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\Mixer.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Wireless 802.11g USB Adapter\ZDWlan.exe
    C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
    C:\Documents and Settings\Adam\My Documents\PowerMenu_1_5_1\PowerMenu.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Adam\My Documents\Stuff\unzipped\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebigproject.co.uk/index2
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
    O4 - HKLM\..\Run: [LaunchApp] Alaunch
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ntiMUI] c:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [AspireService] C:\Program Files\Acer\Acer eMode Management\AspireService.exe
    O4 - HKLM\..\Run: [MediaSync] C:\Program Files\Acer\Acer eConsole\MediaSync.exe
    O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [EPSON Stylus D88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABE.EXE /P23 "EPSON Stylus D88 Series" /O6 "USB001" /M "Stylus D88"
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [updateMgr] c:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: [email protected] 5.03.lnk = ?
    O4 - Startup: PowerMenu.lnk = C:\Documents and Settings\Adam\My Documents\PowerMenu_1_5_1\PowerMenu.exe
    O4 - Global Startup: Wireless 802.11g USB Adapter.lnk = C:\Program Files\Wireless 802.11g USB Adapter\ZDWlan.exe
    O4 - Global Startup: ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.2.89.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/securityadvisor/virusinfo/webscan.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Acer Media Server - Acer Inc. - C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

    --
    End of file - 9786 bytes
     
  4. Adam_Black

    Adam_Black Thread Starter

    Joined:
    Aug 12, 2003
    Messages:
    141
    Bumpity bump.

    EDIT: Whoops, only just noticed hedgehog man has shouted at people who bump. I'll let this lie then...

    EDIT2: I managed to get ComboFix from another link working and it appears to have eradicated Virtumonde. I'll post again if any symptoms reoccur. Thanks khazars!
     
  5. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    Can you post the logs, as there may be more left behind!
     
  6. Adam_Black

    Adam_Black Thread Starter

    Joined:
    Aug 12, 2003
    Messages:
    141
    Seems you were right. Explorer.exe continued to restart after I made that last post, and 24 hours later Spybot Resident is now reporting another exe, and BHO registry changes. I've denied all of them, and I'll run HijackThis, Spybot and ComboFix again. One moment please...
     
  7. Adam_Black

    Adam_Black Thread Starter

    Joined:
    Aug 12, 2003
    Messages:
    141
    Beginning of Spybot SD log:



    HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:06:05, on 13/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Safe mode

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Documents and Settings\Adam\My Documents\Stuff\unzipped\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebigproject.co.uk/index2
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
    O4 - HKLM\..\Run: [LaunchApp] Alaunch
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ntiMUI] c:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [AspireService] C:\Program Files\Acer\Acer eMode Management\AspireService.exe
    O4 - HKLM\..\Run: [MediaSync] C:\Program Files\Acer\Acer eConsole\MediaSync.exe
    O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [EPSON Stylus D88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABE.EXE /P23 "EPSON Stylus D88 Series" /O6 "USB001" /M "Stylus D88"
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [updateMgr] c:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: [email protected] 5.03.lnk = ?
    O4 - Startup: PowerMenu.lnk = C:\Documents and Settings\Adam\My Documents\PowerMenu_1_5_1\PowerMenu.exe
    O4 - Global Startup: Wireless 802.11g USB Adapter.lnk = C:\Program Files\Wireless 802.11g USB Adapter\ZDWlan.exe
    O4 - Global Startup: ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.2.89.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/securityadvisor/virusinfo/webscan.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Acer Media Server - Acer Inc. - C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

    --
    End of file - 8269 bytes
     
  8. Adam_Black

    Adam_Black Thread Starter

    Joined:
    Aug 12, 2003
    Messages:
    141
    ComboFix log:

    ComboFix 07-12-12.3 - Adam 2007-12-13 16:07:38.2 - NTFSx86 MINIMAL
    Running from: C:\Documents and Settings\Adam\Desktop\ComboFix(2).exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\cpuvagrd.dll
    C:\WINDOWS\system32\drtmxrqp.dll
    C:\WINDOWS\system32\pqrxmtrd.ini
    C:\WINDOWS\system32\xbadd.ini
    C:\WINDOWS\system32\xbadd.ini2

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_DOMAINSERVICE


    ((((((((((((((((((((((((( Files Created from 2007-11-13 to 2007-12-13 )))))))))))))))))))))))))))))))
    .

    2007-12-13 15:04 . 2007-12-13 15:11 56 --a------ C:\WINDOWS\system32\gphjudri.exe
    2007-12-12 04:39 . 2007-12-12 04:39 <DIR> d-------- C:\Program Files\Lavasoft
    2007-12-12 04:39 . 2007-12-12 04:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2007-12-12 02:22 . 2007-12-12 03:26 354 --ahs---- C:\WINDOWS\system32\cchaiclq.ini
    2007-12-11 01:13 . 2007-12-11 01:13 252,480 --a------ C:\WINDOWS\system32\ddabx.dll
    2007-12-09 22:38 . 2007-12-09 22:38 <DIR> d-------- C:\Documents and Settings\Adam\Contacts
    2007-12-02 23:56 . 2001-08-17 14:02 8,576 --a------ C:\WINDOWS\system32\drivers\hidgame.sys
    2007-12-02 23:56 . 2001-08-17 14:02 8,576 --a------ C:\WINDOWS\system32\dllcache\hidgame.sys
    2007-12-02 23:41 . 2002-05-23 12:17 9,472 --a------ C:\WINDOWS\system32\drivers\hidsaitek.sys
    2007-12-02 18:06 . 2007-12-02 18:06 <DIR> d-------- C:\Program Files\Mega World

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-13 16:16 --------- d-----w C:\Documents and Settings\Adam\Application Data\Skype
    2007-12-13 05:04 --------- d-----w C:\Program Files\mIRC
    2007-12-12 13:43 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-12-12 04:38 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2007-12-11 16:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-12-10 14:53 --------- d-----w C:\Documents and Settings\Adam\Application Data\Azureus
    2007-12-10 14:37 --------- d-----w C:\Program Files\Azureus
    2007-12-09 22:38 --------- d-----w C:\Program Files\MSN Messenger
    2007-12-09 21:24 --------- d-----w C:\Program Files\Steam
    2007-12-08 08:31 --------- d-----w C:\Program Files\[email protected]
    2007-11-05 16:13 94,208 ----a-w C:\WINDOWS\ScUnin.exe
    2007-10-31 00:33 --------- d-----w C:\Program Files\C-Media
    2007-10-30 00:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-10-27 00:37 --------- d-----w C:\Program Files\Winamp
    2007-10-26 21:38 --------- d-----w C:\Program Files\AGEIA Technologies
    2007-10-25 01:52 --------- d-----w C:\Program Files\RegCleaner
    2007-10-25 01:41 --------- d-----w C:\Program Files\BenchemAll
    2007-10-25 01:32 --------- d-----w C:\Program Files\SequoiaView
    2007-10-20 02:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
    2007-10-20 01:10 90,112 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
    2007-10-20 01:10 126,976 ----a-w C:\WINDOWS\system32\UAService7.exe
    2007-10-20 01:10 --------- d-----w C:\Documents and Settings\Adam\Application Data\SecuROM
    2007-03-27 12:56 4 ----a-w C:\Documents and Settings\All Users\Application Data\C4162F5F.DAT
    2007-02-02 23:16 120 ---ha-w C:\Program Files\ezed.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{49ACDA60-6056-4EB6-BE26-D16F7566D918}]
    2007-12-11 01:13 252480 --a------ C:\WINDOWS\system32\ddabx.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54B5B6F2-B13C-4D36-857A-C15395A124DD}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C47B6E93-5981-43F5-BB8F-6D98A4F201E0}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E84BCEBB-0B51-4421-B016-1099DB841576}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Steam"="" []
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-01 19:16]
    "updateMgr"="c:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
    "Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-06-26 14:53]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LaunchApp"="Alaunch" []
    "SoundMan"="SOUNDMAN.EXE" [2005-09-22 00:42 C:\WINDOWS\soundman.exe]
    "ntiMUI"="c:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-12 02:15]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 04:24]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-04-13 20:20]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 03:10]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00]
    "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00]
    "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
    "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
    "VTTimer"="VTTimer.exe" [2004-09-01 15:28 C:\WINDOWS\system32\VTTimer.exe]
    "VTTrayp"="VTtrayp.exe" [2004-06-22 01:57 C:\WINDOWS\system32\VTTrayp.exe]
    "AspireService"="C:\Program Files\Acer\Acer eMode Management\AspireService.exe" [2005-09-29 23:07]
    "MediaSync"="C:\Program Files\Acer\Acer eConsole\MediaSync.exe" [2005-09-21 20:48]
    "eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2005-11-17 00:00]
    "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-06-10 10:58]
    "EPSON Stylus D88 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABE.exe" [2005-01-27 04:00]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 14:57]
    "NvCplDaemon"="RUNDLL32.exe" [2004-08-04 05:00 C:\WINDOWS\system32\rundll32.exe]
    "nwiz"="nwiz.exe" [2007-04-19 12:26 C:\WINDOWS\system32\nwiz.exe]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-03 19:39]
    "NvMediaCenter"="RUNDLL32.exe" [2004-08-04 05:00 C:\WINDOWS\system32\rundll32.exe]
    "C-Media Mixer"="Mixer.exe" [2002-07-12 16:33 C:\WINDOWS\mixer.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00]

    C:\Documents and Settings\Adam\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]
    [email protected] 5.03.lnk - C:\Program Files\[email protected]\winFAH.exe [2006-08-29 11:49:50]
    PowerMenu.lnk - C:\Documents and Settings\Adam\My Documents\PowerMenu_1_5_1\PowerMenu.exe [2002-12-20 11:17:56]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Wireless 802.11g USB Adapter.lnk - C:\Program Files\Wireless 802.11g USB Adapter\ZDWlan.exe [2004-11-19 18:34:00]
    ZDWLan Utility.lnk - C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe [2006-06-09 20:22:52]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\ddabx.dll

    R1 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys
    R2 int15.sys;int15.sys;\??\C:\Acer\Empowering Technology\eRecovery\int15.sys
    S3 ASPI;Advanced SCSI Programming Interface Driver;\??\C:\WINDOWS\System32\DRIVERS\ASPI32.sys
    S3 BRGSp50;BRGSp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\BRGSp50.sys
    S3 SaitekPad;deviceX634 driver;C:\WINDOWS\system32\drivers\hidsaitek.sys
    S3 vgadrv;vgadrv;C:\WINDOWS\system32\DRIVERS\vgadrv.sys
    S3 ZD1211BU(ZyDAS);ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys
    S3 ZDPNDIS5;ZDPNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\ZDPNDIS5.SYS

    *Newly Created Service* - INT15.SYS
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-09-01 20:02:35 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Adam.job"
    - C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
    .
    **************************************************************************

    catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-13 16:14:49
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    C:\WINDOWS\system32\xbadd.ini2 6495 bytes

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
    -> C:\WINDOWS\system32\ddabx.dll

    PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.2180]
    -> C:\WINDOWS\system32\ddabx.dll
    .
    Completion time: 2007-12-13 16:18:08 - machine was rebooted
    C:\ComboFix2.txt ... 2007-12-13 02:07
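    As an added illustration (not code from the thread, from ComboFix or from any of the tools named here), the pattern the log above shows is a DLL registered as an LSA authentication package and then loaded into lsass.exe and Explorer.EXE, which is why explorer keeps restarting. The script below parses a constructed excerpt in ComboFix's log format and flags any authentication package beyond the Windows XP default (msv1_0 only), together with the processes it was seen loaded in; the section names and line shapes are taken from the log posted above.

```python
import re

# Constructed excerpt, modelled on the ComboFix log posted in this thread
# (the LSA key and the "DLLs Loaded Under Running Processes" section).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\ddabx.dll

R1 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys

--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\ddabx.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.2180]
-> C:\WINDOWS\system32\ddabx.dll
"""

# On Windows XP the only default LSA authentication package is msv1_0.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}


def parse_auth_packages(log):
    """Return the REG_MULTI_SZ entries of the LSA 'Authentication Packages' value."""
    for line in log.splitlines():
        m = re.match(r"\s*Authentication Packages\s+REG_MULTI_SZ\s+(.*)", line)
        if m:
            # ComboFix prints the entries space-separated; system32 paths
            # contain no spaces, so a whitespace split is safe for this format.
            return m.group(1).split()
    return []


def parse_loaded_dlls(log):
    """Map each process path to the DLLs ComboFix lists beneath it."""
    loaded = {}
    current = None
    for line in log.splitlines():
        line = line.strip()
        m = re.match(r"PROCESS:\s+(.+?)\s+\[", line)
        if m:
            current = m.group(1)
            loaded.setdefault(current, [])
        elif line.startswith("->") and current is not None:
            loaded[current].append(line[2:].strip())
        elif not line:
            current = None  # a blank line ends a process block
    return loaded


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_injected_packages(log):
    """Non-default auth packages, each with the processes it was loaded in."""
    loaded = parse_loaded_dlls(log)
    findings = []
    for pkg in parse_auth_packages(log):
        if pkg.lower() in DEFAULT_AUTH_PACKAGES:
            continue
        hosts = sorted(proc for proc, dlls in loaded.items()
                       if basename(pkg) in {basename(d) for d in dlls})
        findings.append({"package": pkg, "loaded_in": hosts})
    return findings


if __name__ == "__main__":
    for f in find_injected_packages(SAMPLE_LOG):
        hosts = ", ".join(f["loaded_in"]) or "no listed process"
        print(f"suspect auth package {f['package']} loaded in: {hosts}")
```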
     
  9. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    Disable spybot's teatimer as it can interfere with the fixes!


I'm attaching a fix reg in zip form. Double-click it to download it, then double-click it to unzip it, and then click it again to enter it into the registry; click OK at the prompt!


    * Copy the entire contents of the Quote Box below to Notepad.
    * Name the file as CFScript.txt
    * Change the Save as Type to All Files
    * and Save it on the desktop


    Save this as CFScript.txt, in the same location as ComboFix.exe


[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at "C:\ComboFix.txt"

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause
    it to stall






    Download AVG Anti-Spyware

    http://www.ewido.net/en/


    * Once you have downloaded AVG Anti-spyware, locate the icon on the desktop
    and double-click it to launch the set up program.
    * Once the setup is complete you will need run AVG and update the definition
    files.
    * On the main screen select the icon "Update" then select the "Update now"
    link.
    * Next select the "Start Update" button, the update will start and a
    progress bar will show the updates being installed.
    * Once the update has completed select the "Scanner" icon at the top of the
    screen, then select the "Settings" tab.
    * Once in the Settings screen click on "Recommended actions" and then select
    "Delete"
    * Under "Reports"
    * Select "Automatically generate report after every scan"
    * Un-Select "Only if threats were found"


Close AVG Anti-Spyware. Do NOT run a scan yet. We will do that
later in safe mode.






    * Click here to download ATF Cleaner by Atribune and save it to your
    desktop.

    http://majorgeeks.com/ATF_Cleaner_d4949.html


    * Double-click ATF-Cleaner.exe to run the program.
    * Under Main choose: Select All
    * Click the Empty Selected button.
    o If you use Firefox:
    + Click Firefox at the top and choose: Select All
    + Click the Empty Selected button.
    + NOTE: If you would like to keep your saved passwords,
    please click No at the prompt.
    o If you use Opera:
    + Click Opera at the top and choose: Select All
    + Click the Empty Selected button.
    + NOTE: If you would like to keep your saved passwords,
    please click No at the prompt.
    * Click Exit on the Main menu to close the program.


    * Click here for info on how to boot to safe mode if you don't already know
    how.


    http://support.microsoft.com/kb/315222


    * Now copy these instructions to notepad and save them to your desktop. You
    will need them to refer to in safe mode.


    * Restart your computer into safe mode now. Perform the following steps in
    safe mode:




    Run AVG Anti-Spyware!

    # IMPORTANT: Do not open any other windows or programs while AVG is scanning
    as it may interfere with the scanning process:
    # Launch AVG Anti-spyware by double-clicking the icon on your desktop.
    # Select the "Scanner" icon at the top and then the "Scan" tab then click on
    "Complete System Scan".
    # AVG will now begin the scanning process. Be patient this may take a little
    time.
    Once the scan is complete do the following:
    # If you have any infections you will prompted, then select "Apply all
    actions"
    # Next select the "Reports" icon at the top.
    # Select the "Save report as" button in the lower left hand of the screen
    and save it to a text file on your system (make sure to remember where you
    saved that file, this is important).
    # Close AVG and reboot your system back into Normal Mode.



    * Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

* Double-click the drweb-cureit.exe file and Allow to run the express scan
    * This will scan the files currently running in memory and when something is
    found,
    click the yes button when it asks you if you want to cure it. This is only a
    short scan.
    * Once the short scan has finished, Click Options > Change settings
    * Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
    * Back at the main window, mark the drives that you want to scan.
    * Select all drives. A red dot shows which drives have been chosen.
    * Click the green arrow at the right, and the scan will start.
    * Click 'Yes to all' if it asks if you want to cure/move the file.
* When the scan has finished, look whether you can click the next icon next to the
files found: [image]
* If so, click it and then click the next icon right below and select Move
incurable as you'll see in the next image:
[image]
This will move it to the %userprofile%\DoctorWeb\quarantine folder if it
can't be cured. (This is in case we need samples.)
    * After selecting, in the Dr.Web CureIt menu on top, click file and choose
    save report list
    * Save the report to your desktop. The report will be called DrWeb.csv
    * Close Dr.Web Cureit.
    * Reboot your computer!! Because it could be possible that files in use will
    be moved/deleted during reboot.


Post a new HijackThis log, the Dr.Web scan log, the ComboFix log, and the AVG Anti-Spyware log!
     

    Attached Files:

  10. Adam_Black

    Adam_Black Thread Starter

    Joined:
    Aug 12, 2003
    Messages:
    141
Good Christ, is all that really necessary? *sigh* Alright, give me a moment or twelve...
     
  11. Adam_Black

    Adam_Black Thread Starter

    Joined:
    Aug 12, 2003
    Messages:
    141
Well, bizarrely and despite me ticking the 'Automatically create a report' button, AVG didn't create a report nor did it give me the option to after the scan. I noted down the names of the important things it removed though:

    Logger.Goldun.ms
    Adware.TrustCleaner
    Adware.Altnet

    ComboFix log:

    (I deleted xbadd.ini as soon as I saw it had reappeared, so don't worry about that)

    ComboFix 07-12-12.3 - Adam 2007-12-13 23:45:06.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.66 [GMT 0:00]
    Running from: C:\Documents and Settings\Adam\Desktop\ComboFix(2).exe
    Command switches used :: C:\Documents and Settings\Adam\Desktop\CFScript.txt
    * Created a new restore point

    FILE
    C:\WINDOWS\system32\cchaiclq.ini
    C:\WINDOWS\system32\ddabx.dll
    C:\WINDOWS\system32\gphjudri.exe
    C:\WINDOWS\system32\xbadd.ini2
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\cchaiclq.ini
    C:\WINDOWS\system32\ddabx.dll
    C:\WINDOWS\system32\gphjudri.exe
    C:\WINDOWS\system32\xbadd.ini2

    .
    ((((((((((((((((((((((((( Files Created from 2007-11-13 to 2007-12-13 )))))))))))))))))))))))))))))))
    .

    2007-12-13 16:15 . 2007-12-13 23:47 19,063 --ahs---- C:\WINDOWS\system32\xbadd.ini
    2007-12-12 04:39 . 2007-12-12 04:39 <DIR> d-------- C:\Program Files\Lavasoft
    2007-12-12 04:39 . 2007-12-12 04:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2007-12-09 22:38 . 2007-12-09 22:38 <DIR> d-------- C:\Documents and Settings\Adam\Contacts
    2007-12-02 23:56 . 2001-08-17 14:02 8,576 --a------ C:\WINDOWS\system32\drivers\hidgame.sys
    2007-12-02 23:56 . 2001-08-17 14:02 8,576 --a------ C:\WINDOWS\system32\dllcache\hidgame.sys
    2007-12-02 23:41 . 2002-05-23 12:17 9,472 --a------ C:\WINDOWS\system32\drivers\hidsaitek.sys
    2007-12-02 18:06 . 2007-12-02 18:06 <DIR> d-------- C:\Program Files\Mega World

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-13 23:31 --------- d-----w C:\Documents and Settings\Adam\Application Data\Skype
    2007-12-13 05:04 --------- d-----w C:\Program Files\mIRC
    2007-12-12 13:43 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-12-12 04:38 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2007-12-11 16:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-12-10 14:53 --------- d-----w C:\Documents and Settings\Adam\Application Data\Azureus
    2007-12-10 14:37 --------- d-----w C:\Program Files\Azureus
    2007-12-09 22:38 --------- d-----w C:\Program Files\MSN Messenger
    2007-12-09 21:24 --------- d-----w C:\Program Files\Steam
    2007-12-08 08:31 --------- d-----w C:\Program Files\[email protected]
    2007-11-05 16:13 94,208 ----a-w C:\WINDOWS\ScUnin.exe
    2007-10-31 00:33 --------- d-----w C:\Program Files\C-Media
    2007-10-30 00:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-10-27 00:37 --------- d-----w C:\Program Files\Winamp
    2007-10-26 21:38 --------- d-----w C:\Program Files\AGEIA Technologies
    2007-10-25 01:52 --------- d-----w C:\Program Files\RegCleaner
    2007-10-25 01:41 --------- d-----w C:\Program Files\BenchemAll
    2007-10-25 01:32 --------- d-----w C:\Program Files\SequoiaView
    2007-10-20 02:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
    2007-10-20 01:10 90,112 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
    2007-10-20 01:10 126,976 ----a-w C:\WINDOWS\system32\UAService7.exe
    2007-10-20 01:10 --------- d-----w C:\Documents and Settings\Adam\Application Data\SecuROM
    2007-03-27 12:56 4 ----a-w C:\Documents and Settings\All Users\Application Data\C4162F5F.DAT
    2007-02-02 23:16 120 ---ha-w C:\Program Files\ezed.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1A51D352-3D5B-4081-8E7F-32379B756A0C}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{49ACDA60-6056-4EB6-BE26-D16F7566D918}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C47B6E93-5981-43F5-BB8F-6D98A4F201E0}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Steam"="" []
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-01 19:16]
    "updateMgr"="c:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
    "Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-06-26 14:53]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LaunchApp"="Alaunch" []
    "SoundMan"="SOUNDMAN.EXE" [2005-09-22 00:42 C:\WINDOWS\soundman.exe]
    "ntiMUI"="c:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-12 02:15]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 04:24]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-04-13 20:20]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 03:10]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00]
    "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00]
    "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
    "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
    "VTTimer"="VTTimer.exe" [2004-09-01 15:28 C:\WINDOWS\system32\VTTimer.exe]
    "VTTrayp"="VTtrayp.exe" [2004-06-22 01:57 C:\WINDOWS\system32\VTTrayp.exe]
    "AspireService"="C:\Program Files\Acer\Acer eMode Management\AspireService.exe" [2005-09-29 23:07]
    "MediaSync"="C:\Program Files\Acer\Acer eConsole\MediaSync.exe" [2005-09-21 20:48]
    "eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2005-11-17 00:00]
    "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-06-10 10:58]
    "EPSON Stylus D88 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABE.exe" [2005-01-27 04:00]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 14:57]
    "NvCplDaemon"="RUNDLL32.exe" [2004-08-04 05:00 C:\WINDOWS\system32\rundll32.exe]
    "nwiz"="nwiz.exe" [2007-04-19 12:26 C:\WINDOWS\system32\nwiz.exe]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-03 19:39]
    "NvMediaCenter"="RUNDLL32.exe" [2004-08-04 05:00 C:\WINDOWS\system32\rundll32.exe]
    "C-Media Mixer"="Mixer.exe" [2002-07-12 16:33 C:\WINDOWS\mixer.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00]

    C:\Documents and Settings\Adam\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]
    [email protected] 5.03.lnk - C:\Program Files\[email protected]\winFAH.exe [2006-08-29 11:49:50]
    PowerMenu.lnk - C:\Documents and Settings\Adam\My Documents\PowerMenu_1_5_1\PowerMenu.exe [2002-12-20 11:17:56]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Wireless 802.11g USB Adapter.lnk - C:\Program Files\Wireless 802.11g USB Adapter\ZDWlan.exe [2004-11-19 18:34:00]
    ZDWLan Utility.lnk - C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe [2006-06-09 20:22:52]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\ddabx.dll

    R1 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys
    R2 int15.sys;int15.sys;\??\C:\Acer\Empowering Technology\eRecovery\int15.sys
    R3 ZD1211BU(ZyDAS);ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys
    S3 ASPI;Advanced SCSI Programming Interface Driver;\??\C:\WINDOWS\System32\DRIVERS\ASPI32.sys
    S3 BRGSp50;BRGSp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\BRGSp50.sys
    S3 SaitekPad;deviceX634 driver;C:\WINDOWS\system32\drivers\hidsaitek.sys
    S3 vgadrv;vgadrv;C:\WINDOWS\system32\DRIVERS\vgadrv.sys
    S3 ZDPNDIS5;ZDPNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\ZDPNDIS5.SYS

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-09-01 20:02:35 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Adam.job"
    - C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
    .
    **************************************************************************

    catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-13 23:52:27
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-12-13 23:55:08 - machine was rebooted
    C:\ComboFix2.txt ... 2007-12-13 16:18
    C:\ComboFix3.txt ... 2007-12-13 02:07


    Dr.Web log:

The only things Webby found seem to have been false alarms (a Grand Theft Auto sound file? A music authoring help document?), old quarantines, or unintentional copies to System Restore, so no help there, methinks.

    dbcvynih.exe;C:\!KillBox;Trojan.EzulaAd;Deleted.;
    gphjudri.exe;C:\!KillBox;Trojan.EzulaAd;Deleted.;
    qlciahcc.dll;C:\!KillBox;Trojan.Virtumod.232;Deleted.;
    backup-20040214-220728-220.dll;C:\Documents and Settings\Adam\My Documents\Stuff\unzipped\Merijn\hijackthis;Adware.MyWay;;
    Sequoia1_3Install.exe;C:\Documents and Settings\Adam\My Documents\Zips and Executables;Tool.Ipscan;;
    RegUBP2b-Adam.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
    j4_f.wav;C:\Games\GTA III\audio;Modification of V2Px.1190;Moved.;
    miditest.htm;C:\Program Files\Anvil Studio\html;Modification of BAT.Mtr.1429;Moved.;
    mirc.exe;C:\Program Files\mIRC;Program.mIRC.603;;
    05A24458.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.DownLoader.1073;Deleted.;
    087E0133.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.DownLoader.1073;Deleted.;
    4C170785.tmp;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Spambot;Deleted.;
    4C1A3181.tmp;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Spambot;Deleted.;
    4C861B0B.gam;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.DownLoader.14471;Deleted.;
    6E6B5FBF.dll;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.DownLoader.15909;Deleted.;
    6E6E09BB.ga2;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.DownLoader.15909;Deleted.;
    6E6E09BB.gam;C:\Program Files\Norton AntiVirus\Quarantine;Dialer.Maxd;Deleted.;
    787C0D39.tmp;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.MulDrop.3290;Deleted.;
    7B0651A9.exe;C:\Program Files\Norton AntiVirus\Quarantine;BackDoor.Polter.124;Incurable.Moved.;
    7E2D5432.exe;C:\Program Files\Norton AntiVirus\Quarantine;BackDoor.Polter.124;Incurable.Moved.;
    cpuvagrd.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.Juan.29;Deleted.;
    drtmxrqp.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod.232;Deleted.;
    hxkjjwct.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.Juan.29;Deleted.;
    A0121481.exe;C:\System Volume Information\_restore{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP386;Trojan.DownLoader.36395;Deleted.;
    A0121589.exe;C:\System Volume Information\_restore{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP386;Trojan.EzulaAd;Deleted.;
    A0121627.dll;C:\System Volume Information\_restore{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP386;Trojan.Virtumod.232;Deleted.;
    A0122764.dll;C:\System Volume Information\_restore{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP388;Trojan.Juan.29;Deleted.;
    A0122811.exe;C:\System Volume Information\_restore{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP389;Modification of Trojan.Packed.155;Moved.;
    A0122813.exe;C:\System Volume Information\_restore{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP389;Trojan.MulDrop.9285;Deleted.;
    A0122903.exe;C:\System Volume Information\_restore{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP390;Trojan.EzulaAd;Deleted.;
    A0122925.dll;C:\System Volume Information\_restore{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP390;Trojan.Juan.29;Deleted.;
    A0122926.dll;C:\System Volume Information\_restore{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP390;Trojan.Virtumod.232;Deleted.;
    A0123055.reg;C:\System Volume Information\_restore{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP391;Trojan.StartPage.1505;Deleted.;
    A0123083.dll;C:\System Volume Information\_restore{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP392;Trojan.Virtumod.248;Deleted.;
    A0123144.reg;C:\System Volume Information\_restore{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP392;Trojan.StartPage.1505;Deleted.;
    A0123237.exe;C:\System Volume Information\_restore{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP392;Trojan.EzulaAd;Deleted.;
    A0123238.exe;C:\System Volume Information\_restore{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP392;Trojan.EzulaAd;Deleted.;
    A0123239.dll;C:\System Volume Information\_restore{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP392;Trojan.Virtumod.232;Deleted.;
    A0123240.reg;C:\System Volume Information\_restore{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP392;Trojan.StartPage.1505;Deleted.;
    A0123256.exe;C:\System Volume Information\_restore{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP392;Trojan.DownLoader.1073;Deleted.;
    A0123257.exe;C:\System Volume Information\_restore{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP392;Trojan.DownLoader.1073;Deleted.;
    A0123258.dll;C:\System Volume Information\_restore{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP392;Trojan.DownLoader.15909;Deleted.;
    A0123259.exe;C:\System Volume Information\_restore{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP392;BackDoor.Polter.124;Incurable.Moved.;
    A0123260.exe;C:\System Volume Information\_restore{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP392;BackDoor.Polter.124;Incurable.Moved.;


    And finally the obligatory HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 04:31:33, on 14/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\UAService7.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Acer\Empowering Technology\eRecovery\Monitor.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\Program Files\Acer\Acer eMode Management\AspireService.exe
    C:\Program Files\Acer\Acer eConsole\MediaSync.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABE.EXE
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\Mixer.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Wireless 802.11g USB Adapter\ZDWlan.exe
    C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
    C:\Documents and Settings\Adam\My Documents\PowerMenu_1_5_1\PowerMenu.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\mIRC\mirc.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Adam\My Documents\Stuff\unzipped\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebigproject.co.uk/index2
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1A51D352-3D5B-4081-8E7F-32379B756A0C} - (no file)
    O2 - BHO: GetRight IE Download Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
    O2 - BHO: (no name) - {49ACDA60-6056-4EB6-BE26-D16F7566D918} - (no file)
    O2 - BHO: WSR_IEplug - {4E9CAE1A-545D-48EA-8EEF-4D1DB6695AD3} - C:\Documents and Settings\Adam\Desktop\Stream Recorder\wsr_ieplug.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {C47B6E93-5981-43F5-BB8F-6D98A4F201E0} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
    O4 - HKLM\..\Run: [LaunchApp] Alaunch
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ntiMUI] c:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [AspireService] C:\Program Files\Acer\Acer eMode Management\AspireService.exe
    O4 - HKLM\..\Run: [MediaSync] C:\Program Files\Acer\Acer eConsole\MediaSync.exe
    O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [EPSON Stylus D88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABE.EXE /P23 "EPSON Stylus D88 Series" /O6 "USB001" /M "Stylus D88"
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [updateMgr] c:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: [email protected] 5.03.lnk = ?
    O4 - Startup: PowerMenu.lnk = C:\Documents and Settings\Adam\My Documents\PowerMenu_1_5_1\PowerMenu.exe
    O4 - Global Startup: Wireless 802.11g USB Adapter.lnk = C:\Program Files\Wireless 802.11g USB Adapter\ZDWlan.exe
    O4 - Global Startup: ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.2.89.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/securityadvisor/virusinfo/webscan.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Acer Media Server - Acer Inc. - C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

    --
    End of file - 11462 bytes


    Have we snagged it this time?
     
  12. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    did you run the reg fix from my last post?


    fix this with hijack this!

    O2 - BHO: (no name) - {C47B6E93-5981-43F5-BB8F-6D98A4F201E0} - (no file)



    clean log!



    You should now turn off system restore to flush out the bad restore points
    and then re-enable it and make a new clean restore point.


    How to turn off system restore

    http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam


    http://support.microsoft.com/default.aspx?scid=kb;[LN];310405




    Here are some free tools to keep you from getting infected in the future.


    To stop reinfection get spywareblaster from


    http://www.javacoolsoftware.com/downloads.html


    get the hosts file from here. Unzip it to a folder!



    http://www.mvps.org/winhelp2002/hosts.htm


    put it into the folder for your Windows version, or click the mvps bat and it should do it for you!


    Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
    Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
    Win 98\ME = C:\WINDOWS



    ie-spyad. Puts over 5000 sites in your restricted zone so you'll be protected
    when you visit innocent-looking sites that aren't actually innocent at all.


    http://www.spywarewarrior.com/uiuc/resource.htm




    Use either Arovax or spyware terminator, you could try both and see
    which one you like!


    Arovax shield.

    http://www.arovaxshield.com/


    Spyware Terminator

    http://www.spywareterminator.com/dnl/landing.aspx


    In spyware terminator, click real time protection and tick the box to use
    real time protection and tick all the boxes except file exceptions shield.
    If you're confident in using its advanced feature, click advanced and tick
    the HIPS box.

    If you want to install and uninstall programs it is best to
    temporarily disable Spyware terminator and then re-enable it after you
    have installed or uninstalled a program as it will create a lot of pop ups
    asking you do you wish this to happen!

    Right click spyware terminator on the bottom right of your status bar and
    choose exit. Then tick the box and that is spyware terminator disabled!




    I would also suggest switching to Mozilla's firefox browser, it's safer, has
    a built in pop up blocker, blocks cookies and ads. Mozilla Thunderbird is
    also a good e-mail client.

    http://www.mozilla.org/


    Another good and free browser is Opera!

    http://www.opera.com/


    Read here to see how to tighten your security:

    http://forums.techguy.org/t208517.html


    A good overall guide for firewalls, anti-virus, and anti-trojans as well as
    regular spyware cleaners.

    http://www.firewallguide.com/anti-trojan.htm



    you can mark your own thread solved through thread tools at the top of
    the page.
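    The log above and the `(no file)` BHO khazars points at are the two things a reader should learn to spot in a HijackThis log: an O2 entry whose CLSID still sits in the registry but whose DLL is gone (an orphan left behind after removal), and O23 services HijackThis reports as "Unknown owner" (not bad in themselves, but worth confirming by hand). The following Python script is an added example, not part of the thread and not HijackThis's own code: it parses O2/O23 lines in HijackThis's format and flags both cases. The sample lines are taken from this log plus one constructed, clearly fake BHO entry.

```python
"""Triage HijackThis-style O2 (BHO) and O23 (service) log lines.

Added example, not from the thread or from HijackThis. It flags:
  * O2 lines whose file is "(no file)"  -> orphaned BHO registry entry
  * O23 lines whose owner is "Unknown owner" -> service to verify by hand
"""
import re
from dataclasses import dataclass

# O2 - BHO: <name> - {CLSID} - <path or (no file)>
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)
# O23 - Service: <display name (short name)> - <owner> - <path>
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?) - (?P<owner>.*?) - (?P<path>.+)$")


@dataclass
class Finding:
    kind: str    # "orphan_bho" or "unknown_owner_service"
    detail: str  # CLSID for a BHO, display name for a service
    line: str    # the original log line


def triage(lines):
    """Return a list of Finding objects, in log order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            # A BHO whose DLL no longer exists is a leftover registry entry.
            if m.group("path").strip().lower() == "(no file)":
                findings.append(Finding("orphan_bho", m.group("clsid"), line))
            continue
        m = O23_RE.match(line)
        if m and m.group("owner").strip().lower() == "unknown owner":
            # No publisher recorded: confirm the binary on disk before trusting it.
            findings.append(Finding("unknown_owner_service", m.group("display"), line))
    return findings


# Sample input: three lines copied from the log in this thread, plus one
# constructed BHO entry with a fake CLSID so a legitimate-looking line is present.
SAMPLE_LOG = [
    "O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} "
    r"- C:\Program Files\Example\helper.dll",  # constructed, not from the thread
    "O2 - BHO: (no name) - {C47B6E93-5981-43F5-BB8F-6D98A4F201E0} - (no file)",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe",
    r"O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe",
    r"O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:24} {f.detail}")
```

    Running it on the sample lists the orphan BHO CLSID first, then the two services without a recorded publisher; the NVIDIA service and the constructed BHO with a real path are left alone. Anything flagged is a prompt to check the binary on disk, not a verdict on its own.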
     
  13. Adam_Black

    Adam_Black Thread Starter

    Joined:
    Aug 12, 2003
    Messages:
    141
    Thanks for all the help! Though I think I'll wait a couple of days before I mark solved just to make sure.

    I did of course enter your fix into the registry like I did everything else - but could you tell me what exactly it did? What's the Local Security Authority?
     
  14. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    it basically restores your registry to the way it should be after being altered by a hijacker!
     
  15. Adam_Black

    Adam_Black Thread Starter

    Joined:
    Aug 12, 2003
    Messages:
    141
    Ever since Virtumonde was removed I've been having trouble with Internet Explorer - sometimes when I click its icon no window appears. I can click it a number of times before I finally get a window, but then there are two or more iexplorer.exe processes running in Task Manager. Also, the invisible processes have half the memory usage of their normally-running windowed brothers - ostensibly because it isn't showing a window.

    These dead processes are also playing havoc when I shut down Windows - they do not respond to the shutdown. This often leads to puzzlement and frustration after I've turned off my monitor and expected my computer to follow suit, as the 'Program Not Responding' window is waiting for my 'End Now' before it can.

    So, what did you do to my machine, khazars?! :)


    EDIT: It seems to me like AVG's guard.exe is causing it - I terminated it just now and Internet Explorer seems to be opening windows every time I click the icon.
     
Short URL to this thread: https://techguy.org/661366
