
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1092
  • Last Modified:

Windows Defender not operating....hijacked?

I have been experiencing several pop-ups lately, including "SystemErrorFixer", Bestsellerantivirus, malewarealarm, deuscleaner and versiontrackerPro. I have run Spybot, Norton Internet Security and Anti-virus 2008, Ad-Aware 2007 and nothing seems to find any of these as a problem. Since this problem, my Windows Defender has been deleted, or at least made inoperable, as has my AWS WeatherBug. I have re-installed both and within a day or two, they are no longer operable. Please note that I first uninstalled Zone Alarm and AVG prior to installing Norton. Since all of this, my computer, especially when on the internet with IE, seems to have bogged down. Any suggestions? I am running XP Home as well as connecting via Comcast. Thanks in advance.
0
Asked: GiforGOD
4 Solutions
 
briancassinCommented:
Several problems here.

1. Norton by nature will cause a 20 - 30% performance hit, especially if you do not have at least 512MB of RAM.

Aside from that, you have an active infection on the system.

You need to do the following:

Download HijackThis: http://tomcoyoe.org/hjt

Next do the following:

Download combofix.exe and save it to your desktop.
Close any open browsers.
Before starting ComboFix, disable and exit any anti-virus software, anti-spyware or any other security-related software, as they may interfere with ComboFix's operation.
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you and display it on your desktop called c:\combofix.txt. By default this log is located on your 'C' drive. Post that log in your next reply along with a fresh HJT log as well.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
ComboFix: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

After that is done, run HijackThis and post a logfile up here for us to go through, along with ComboFix's log file.

Also run these:

You're going to need some anti-spyware / malware utilities run too.

http://security.kolla.de Spybot S&D - download it, install it (do not install TeaTimer), update it, then run it.

http://lavasoft.com - Ad-Aware - download it, run it and then uninstall it.
http://pack.google.com/intl/en/pack_installer_new.html?hl=en&gl=us&utm_source=en_US-et-more&utm_medium=et&utm_campaign=en_US&ciNum=11 - select to only download and install Spyware Doctor.

Additionally, I would download and run RootkitRevealer; if it comes up with anything odd, post it up here.
http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx
0
 
briancassinCommented:
Here is more information on the SystemErrorFixer:

http://ca.com/us/securityadvisor/pest/pest.aspx?id=453120379
0
 
Michael WorshamInfrastructure / Solutions ArchitectCommented:
I recommend downloading/installing SUPERAntiSpyware as well, as it has an assortment of tools embedded into it...

URL: http://www.superantispyware.com/
0
 
IndiGenusCommented:
Sounds like the new file-infecting Vundo trojan to me. As briancassin had pointed out, ComboFix would probably be the best option. Then with the RenV function we may be able to get some or all of the programs back. The file infector basically infects all of your startup programs, like Defender, etc.
0
 
GiforGODAuthor Commented:
Thanks folks... I have all the programs in briancassin's initial post except for ComboFix, which I will download, install, and run. After that, I will run HijackThis and post both logfiles. I have already run Spybot and Ad-Aware (both newest versions) with no unusual findings. I shall try Spyware Doctor and smitfraud; however, SUPERAntiSpyware has been reported to be a problem in some circles. Once I get these, I will post my logs, etc. Thanks again for your help!
0
 
briancassinCommented:
Sounds good, I look forward to seeing the log files.
0
 
GiforGODAuthor Commented:
Okay gang, sorry for the delay. I had a difficult time downloading ComboFix through IE and was only able to do it through Firefox, which I downloaded as well. Since downloading ComboFix and running it, things appear to have improved drastically, with no annoying pop-ups since. Speed has increased as well (and I really like Firefox over IE now and will continue to use it instead).

Below are the log files for Hijack This and ComboFix as requested. Any help in figuring out if my problems have been solved will be greatly appreciated.

I do want to add memory to the system and would like any suggestions on best place to get it. I want to increase to 512K.

Thanks everyone in advance!
Greg


Logfile of HijackThis v1.99.1
Scan saved at 8:32:35 AM, on 02/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
 
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINNT\System32\FtrakSvc.exe
C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\fxssvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2B0B59B4-55A3-4737-9FD5-B93C6430BF75} - C:\WINNT\system32\xbflvmcu.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://playgames.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab
O20 - Winlogon Notify: byxxuuv - byxxuuv.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Promise FastTrak Log Service (FastTrakSvc) - Promise Technology Inc. - C:\WINNT\System32\FtrakSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: NkPtpEnumP2 - Unknown owner - C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe" -a -d="C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpip.dll (file missing)
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
 
END OF CODE FOR HIJACK THIS
 
ComboFix Code:
 
ComboFix 08-02.03.1 - Owner 2008-02-02 17:19:00.1 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
 * Created a new restore point
 
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
C:\WINNT\system32\jkkjj.dll
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dic.gz
C:\Program Files\QdrModule\kwd.gz
C:\Program Files\QdrPack
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\trgts.gz
C:\WINNT\bar.exe
C:\WINNT\bobsaver.scr
C:\WINNT\cookies.ini
C:\WINNT\system32\[u]0[/u]00080.exe
C:\WINNT\system32\aeyyvswv.ini
C:\WINNT\system32\ariivmtu.dll
C:\WINNT\system32\boxbddyo.ini
C:\WINNT\system32\bvllfnen.dll
C:\WINNT\system32\dnrnpiag.dll
C:\WINNT\system32\errugxeq.ini
C:\WINNT\system32\esntrfve.dll
C:\WINNT\system32\fqcnruqw.ini
C:\WINNT\system32\gdtvqktf.dll
C:\WINNT\system32\ggfjtpvn.ini
C:\WINNT\system32\gnanrcim.ini
C:\WINNT\system32\icxlqdsb.ini
C:\WINNT\system32\jjkkj.ini
C:\WINNT\system32\jjkkj.ini2
C:\WINNT\system32\jkkjj.dll
C:\WINNT\system32\MabryObj.dll
C:\WINNT\system32\mcrh.tmp
C:\WINNT\system32\micrnang.dll
C:\WINNT\system32\nuomyknw.ini
C:\WINNT\system32\sphhftqb.ini
C:\WINNT\system32\utmviira.ini
C:\WINNT\system32\wapiicomsv.exe
C:\WINNT\system32\wnkymoun.dll
C:\WINNT\system32\wqurncqf.dll
C:\WINNT\system32\yxswelud.dll
 
.
(((((((((((((((((((((((((   Files Created from 2008-01-02 to 2008-02-02  )))))))))))))))))))))))))))))))
.
 
2008-02-02 17:19 . 2008-02-02 17:19	6,736	--a------	C:\WINNT\system32\drivers\PROCEXP90.SYS
2008-02-01 12:24 . 2008-02-01 12:24	<DIR>	d--------	C:\efac57cf4047be7051f611911795bd21
2008-02-01 11:14 . 2008-02-01 11:14	106,560	--a------	C:\WINNT\system32\xbflvmcu.dll
2008-01-30 16:57 . 2008-01-30 17:36	<DIR>	d--------	C:\hijackthis
2008-01-29 16:22 . 2008-01-29 16:30	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-27 16:53 . 2002-12-29 01:14	81,920	--a------	C:\WINNT\system32\Startup.cpl
2008-01-27 16:44 . 2008-01-27 16:44	<DIR>	d--------	C:\Program Files\MyWebSearchWB
2008-01-27 15:48 . 2008-01-27 16:01	<DIR>	d--------	C:\Program Files\RegCure
2008-01-26 19:17 . 2008-01-26 19:17	<DIR>	d--------	C:\Program Files\Windows Sidebar
2008-01-26 19:16 . 2008-01-27 15:09	<DIR>	d--------	C:\Program Files\Norton Internet Security
2008-01-26 19:13 . 2008-01-27 14:59	10,740	--a------	C:\WINNT\system32\drivers\SYMEVENT.CAT
2008-01-26 19:13 . 2008-01-27 14:59	805	--a------	C:\WINNT\system32\drivers\SYMEVENT.INF
2008-01-26 18:21 . 2008-01-26 18:21	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-26 18:11 . 2008-01-26 18:11	<DIR>	d--------	C:\Documents and Settings\All Users\Symantec Temporary Files
2008-01-22 15:32 . 2008-01-22 15:32	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-22 15:31 . 2008-01-22 15:31	<DIR>	d--------	C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-01-22 15:01 . 2008-01-22 15:01	<DIR>	d--------	C:\Program Files\CCleaner
2008-01-22 14:34 . 2008-01-22 14:34	<DIR>	d--------	C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-01-22 11:30 . 2003-04-11 06:31	<DIR>	d--------	C:\Documents and Settings\Administrator\Application Data\Symantec
2008-01-22 11:30 . 2003-04-11 06:27	<DIR>	d--------	C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-01-21 18:13 . 2008-01-21 18:13	<DIR>	d--h-----	C:\WINNT\PIF
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-02 23:14	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2008-02-02 21:13	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-01 17:19	---------	d-----w	C:\Program Files\iTunes
2008-01-31 10:55	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-30 23:34	---------	d-----w	C:\Program Files\Maxis
2008-01-30 23:34	---------	d-----w	C:\Program Files\BitTorrent
2008-01-30 23:34	---------	d-----w	C:\Program Files\Binary Boy
2008-01-30 23:33	---------	d-----w	C:\Program Files\Stamps.com Internet Postage
2008-01-30 19:19	---------	d-----w	C:\Program Files\LimeWire
2008-01-29 22:28	---------	d-----w	C:\Program Files\Lavasoft
2008-01-29 22:28	---------	d-----w	C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-01-29 22:21	---------	d-----w	C:\Program Files\Common Files\Wise Installation Wizard
2008-01-28 23:25	---------	d-----w	C:\Program Files\Windows Defender
2008-01-28 16:45	---------	d-----w	C:\Documents and Settings\Owner\Application Data\WeatherBug
2008-01-27 22:42	---------	d-----w	C:\Program Files\AWS
2008-01-27 20:59	123,952	----a-w	C:\WINNT\system32\drivers\SYMEVENT.SYS
2008-01-27 20:59	---------	d-----w	C:\Program Files\Symantec
2008-01-27 01:22	---------	d-----w	C:\Documents and Settings\Owner\Application Data\Symantec
2008-01-27 01:20	---------	d-----w	C:\Program Files\SymNetDrv
2008-01-26 17:53	20	---ha-w	C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2008-01-25 20:11	---------	d-----w	C:\Program Files\ieSpell
2008-01-23 16:29	---------	d-----w	C:\Program Files\Real
2008-01-23 16:25	---------	d-----w	C:\Program Files\Common Files\Adaptec Shared
2008-01-20 13:19	---------	d-----w	C:\Program Files\QuickTime
2008-01-15 15:54	10,537	----a-w	C:\WINNT\system32\drivers\coh_mon.cat
2008-01-15 11:28	706	----a-w	C:\WINNT\system32\drivers\COH_Mon.inf
2008-01-13 00:32	23,904	----a-w	C:\WINNT\system32\drivers\COH_Mon.sys
2008-01-06 21:06	---------	d-----w	C:\Program Files\Incomplete
2008-01-06 00:36	---------	d-----w	C:\Program Files\Spybot - Search & Destroy
2007-12-25 17:46	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-12-25 17:46	---------	d-----w	C:\Program Files\Samsung
2007-12-04 23:35	---------	d-----w	C:\Program Files\IncrediMail
2004-01-23 02:39	35,942,843	----a-w	C:\Program Files\NIS2004.exe
2006-05-23 21:48	56	--sh--r	C:\WINNT\system32\DDFB19383A.sys
2006-05-23 21:48	3,350	--sha-w	C:\WINNT\system32\KGyGaAvL.sys
.
[code]<pre>
----a-w           579,072 2008-01-22 18:03:54  C:\Program Files\Grisoft\AVG7\avgcc .exe
----a-w           256,576 2008-01-27 01:10:57  C:\Program Files\iTunes\iTunesHelper .exe
</pre>[/code]
 
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B0B59B4-55A3-4737-9FD5-B93C6430BF75}]
2008-02-01 11:14	106560	--a------	C:\WINNT\system32\xbflvmcu.dll
 
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-24 21:51	316784	--a------	C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
 
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-01-31 11:51	116088	--a------	C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}
 
[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]
 
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-24 21:51 316784]
 
[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" [ ]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 01:56 15360]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-08-24 23:07 51048]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-24 22:53 714608]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Warning"="C:\PROGRA~1\SYMNET~1\SNDWarn.exe" [2004-07-13 15:19 95352]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]
 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SRUUninstall"="C:\WINNT\System32\msiexec.exe" [2005-03-21 14:00 78848]
"@"="C:\WINNT\System32\Rename.exe" [2002-05-03 11:47 120979]
"RunNarrator"="Narrator.exe" [2004-08-04 01:56 53760 C:\WINNT\system32\narrator.exe]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxxuuv]
byxxuuv.dll
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINNT\pss\Adobe Reader Speed Launch.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Palm\HotSync Manager.lnk
backup=C:\WINNT\pss\HotSync Manager.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=C:\WINNT\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
backup=C:\WINNT\pss\NkbMonitor.exe.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=C:\WINNT\pss\WinZip Quick Pick.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Joost.lnk]
backup=C:\WINNT\pss\Joost.lnkStartup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
-ra------ 2007-03-01 09:37 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 01:56 15360 C:\WINNT\system32\ctfmon.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GWMDMMSG]
--a------ 2002-08-06 13:24 90112 C:\WINNT\GWMDMMSG.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GWMDMpi]
--a------ 2002-08-06 13:24 53248 C:\WINNT\GWMDMpi.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-07-10 03:13 114688 C:\WINNT\System32\hkcmd.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\I&F Viewer toolbar]
--a------ 2006-05-18 17:23 65536 C:\Program Files\Photo Toolkit\ivbar\phototoolkitmem.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2003-07-10 03:25 155648 C:\WINNT\System32\igfxtray.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KEMailKb]
--a------ 2005-08-09 02:27 401408 C:\PROGRA~1\MICROI~1\INTERN~1\KEMailKb.EXE
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINNT\system32\dumprep 0 -k
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
--------- 2004-03-03 11:50 19968 C:\WINNT\LOGI_MWX.EXE
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ltho]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Gateway]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 10:21 1694208 C:\WINNT\$hf_mig$\KB887472\SP2QFE\msmsgs.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Photoshop Image Service]
 
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PTPRoyUpdater]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PTPUpdater]
--a------ 2004-09-30 14:46 122880 C:\Program Files\PtpUpdater\PtpUpdater.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
--a------ 2006-10-06 18:10 208941 C:\Program Files\Real\RealPlayer\realplay.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-05-03 01:56 36975 C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-10-06 18:10 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
--a------ 2004-11-10 22:15 111816 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Registry Repair Pro]
--a------ 2004-11-05 02:17 1372160 C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
--a------ 2004-03-18 08:33 892928 C:\Program Files\Logitech\iTouch\iTouch.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zdrinit]
 
R0 fasttrak;fasttrak;C:\WINNT\system32\DRIVERS\fasttrak.sys [2002-11-07 14:07]
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" [2007-08-24 23:07]
R2 NkPtpEnumP2;NkPtpEnumP2;"C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe" -a []
R2 NMSSvc;Intel(R) NMS;C:\WINNT\System32\NMSSvc.exe [2002-05-03 10:36]
R3 NMSCFG;NIC Management Service Configuration Driver;C:\WINNT\system32\drivers\NMSCFG.SYS [2002-05-03 10:36]
R3 SymIMMP;SymIMMP;C:\WINNT\system32\DRIVERS\SymIM.sys [2007-08-09 18:27]
R3 VBus;Virtual Bus;C:\WINNT\system32\DRIVERS\NkVBus.sys [2005-06-17 10:11]
S3 COH_Mon;COH_Mon;C:\WINNT\system32\Drivers\COH_Mon.sys [2008-01-12 18:32]
S3 PCDRDRV;Pcdr Helper Driver;C:\Atf\Qctest\PCDoc\PCDRDRV.sys []
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINNT\system32\DRIVERS\SymIM.sys [2007-08-09 18:27]
 
*Newly Created Service* - COMHOST
*Newly Created Service* - NMSSVC
.
Contents of the 'Scheduled Tasks' folder
"2008-02-02 18:06:00 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-02 23:50:48 C:\WINNT\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-29 04:22:45 C:\WINNT\Tasks\Norton Internet Security - Run Full System Scan - Owner.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
"2008-02-02 23:00:02 C:\WINNT\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-01-31 10:46:32 C:\WINNT\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2005-12-24 21:45:34 C:\WINNT\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
.
**************************************************************************
 
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 17:48:13
Windows 5.1.2600 Service Pack 2 NTFS
 
scanning hidden processes ... 
 
scanning hidden autostart entries ...
 
scanning hidden files ... 
 
scan completed successfully 
hidden files: 0 
 
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINNT\System32\FtrakSvc.exe
C:\WINNT\system32\fxssvc.exe
.
**************************************************************************
.
Completion time: 2008-02-02 17:59:34 - machine was rebooted
ComboFix-quarantined-files.txt  2008-02-02 23:59:29
.
2008-02-01 18:24:21	--- E O F ---  

0
 
briancassinCommented:
Here is what needs to be removed through HijackThis:

O2 - BHO: (no name) - {2B0B59B4-55A3-4737-9FD5-B93C6430BF75} - C:\WINNT\system32\xbflvmcu.dll

O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB

O20 - Winlogon Notify: byxxuuv - byxxuuv.dll (file missing)

Other entries that need to be removed: you will need to go to Start > Run, type regedit, and then navigate to these keys and remove the entries below.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\
Look for a key named byxxuuv and remove the entire key.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B0B59B4-55A3-4737-9FD5-B93C6430BF75}]
Look for the sub key that makes this reference and delete that value:
C:\WINNT\system32\xbflvmcu.dll

I would continue with running Spyware Doctor (above), SUPERAntiSpyware, VundoFix, smitfraud and CWShredder.

Make sure that you clear your system restore points after the machine has been cleaned: right-click My Computer, go to Properties, then the System Restore tab, and select to turn it off; hit Apply, then OK. You can turn it back on once you have completed cleaning the machine by following the same instructions but removing the checkmark to turn it back on.
0
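The reasoning behind the entries singled out above (an unnamed BHO in system32 that ComboFix listed as created days earlier, a Winlogon Notify DLL registered by bare name and missing on disk, a DPF object served over hcp:, orphaned services) can be made mechanical. The following Python is an added example for this thread; it is not part of HijackThis, ComboFix or the replies. It parses the O2/O16/O20/O23 line formats from an HJT log and emits findings for review rather than removal. The sample lines and the recent-file set are constructed from the logs posted earlier in the thread.

```python
"""Triage helper for HijackThis-style log lines (added example, not a HJT component)."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HJT log posted in the thread plus one benign BHO.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2B0B59B4-55A3-4737-9FD5-B93C6430BF75} - C:\WINNT\system32\xbflvmcu.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O20 - Winlogon Notify: byxxuuv - byxxuuv.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe (file missing)
"""

# Constructed from the ComboFix "Files Created" section in the thread: files that appeared
# in the last month. Cross-referencing this list is what made xbflvmcu.dll stand out.
RECENT_FILES = frozenset({r"C:\WINNT\system32\xbflvmcu.dll"})

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*?)(?P<missing> \(file missing\))?$")


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section code, e.g. "O20"
    severity: str  # "high", "medium", "low" or "info"
    reason: str
    line: str


def in_system_dir(path: str) -> bool:
    """True when the path sits under the Windows directory or system32."""
    low = path.lower()
    return "\\system32\\" in low or low.startswith(("c:\\winnt\\", "c:\\windows\\"))


def triage(log_text: str, recent_files=frozenset()):
    """Return a list of Finding objects for the suspicious entries in an HJT log."""
    recent = {p.lower() for p in recent_files}
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := O2_RE.match(line):
            path = m["path"]
            if path.lower() in recent:
                findings.append(Finding("O2", "high", "BHO DLL was created recently (see ComboFix 'Files Created')", line))
            elif m["name"] == "(no name)" and in_system_dir(path):
                findings.append(Finding("O2", "high", "unnamed BHO loaded from a Windows system directory", line))
            elif m["name"] == "(no name)":
                # Legitimate helpers (Spybot's SDHelper.dll here) also register without a
                # name, so the missing name alone only warrants a vendor check.
                findings.append(Finding("O2", "info", "unnamed BHO outside system directories; confirm the vendor", line))
        elif m := O16_RE.match(line):
            scheme = m["url"].split(":", 1)[0].lower()
            if scheme not in ("http", "https"):
                findings.append(Finding("O16", "medium", f"downloaded program file fetched over '{scheme}:' rather than http(s)", line))
        elif m := O20_RE.match(line):
            reasons = []
            if m["missing"]:
                reasons.append("registered DLL is missing on disk")
            if "\\" not in m["path"]:
                reasons.append("DLL given by bare name, so it resolves through the loader search path")
            if reasons:
                findings.append(Finding("O20", "high", "Winlogon Notify: " + "; ".join(reasons), line))
        elif m := O23_RE.match(line):
            if m["missing"]:
                findings.append(Finding("O23", "low", "service points at a binary that no longer exists (orphaned entry)", line))
    return findings


def summarize(findings):
    """Count findings per severity."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG, RECENT_FILES)
    for f in results:
        print(f"[{f.severity:>6}] {f.section}: {f.reason}\n         {f.line}")
    print(summarize(results))
```

Run against the sample, the two "high" findings are exactly the xbflvmcu.dll BHO and the byxxuuv Winlogon Notify entry that the reply above told the asker to remove; Spybot's own unnamed BHO only gets an "info" note, which is the false positive a name-only rule would have produced.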
 
IndiGenusCommented:
You could use the following script to do the above also. You may still not be out of the woods here either, as that is another Vundo file that has "spawned". They have a way of doing that if you don't get everything. You'll need to get the O16 as briancassin had pointed out with HJT.

But the rest can be done with this script too...

1. Open Notepad.

2. Now copy/paste the text between the lines below into the Notepad window:


---------------------------------------------------------------------------------------------------------------

File::
C:\WINNT\system32\xbflvmcu.dll
C:\WINNT\system32\byxxuuv.dll

Folder::
C:\efac57cf4047be7051f611911795bd21

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B0B59B4-55A3-4737-9FD5-B93C6430BF75}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxxuuv]

---------------------------------------------------------------------------------------------------------------


3. Save the above as CFScript.txt on your desktop.

4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please upload the following reports/logs.

-Combofix.txt
-A new HijackThis log
0
 
GiforGODAuthor Commented:
Thanks guys..... I have done the deed, and below are the most recent log files for HijackThis and for ComboFix. Thanks again for all your help.......

Also, I need advice on where to shop for the best memory. I want to upgrade to a 512 stick.


Greg
Hijack This:
 
Logfile of HijackThis v1.99.1
Scan saved at 2:10:18 PM, on 02/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
 
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINNT\System32\FtrakSvc.exe
C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\fxssvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\explorer.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://playgames.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab
O20 - Winlogon Notify: byxxuuv - C:\WINNT\
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Promise FastTrak Log Service (FastTrakSvc) - Promise Technology Inc. - C:\WINNT\System32\FtrakSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: NkPtpEnumP2 - Unknown owner - C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe" -a -d="C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpip.dll (file missing)
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
 
***********end of HijackThis Log**************
 
Here is ComboFix log:
 
ComboFix 08-02.05.3 - Owner 2008-02-05 13:51:24.2 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
 * Created a new restore point
 
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
 
FILE
C:\WINNT\system32\byxxuuv.dll
C:\WINNT\system32\xbflvmcu.dll
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
C:\efac57cf4047be7051f611911795bd21
 
.
(((((((((((((((((((((((((   Files Created from 2008-01-05 to 2008-02-05  )))))))))))))))))))))))))))))))
.
 
2008-02-05 13:43 . 2004-08-04 01:56	388,608	--a------	C:\kmd.exe
2008-01-30 16:57 . 2008-01-30 17:36	<DIR>	d--------	C:\hijackthis
2008-01-29 16:22 . 2008-01-29 16:30	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-27 16:53 . 2002-12-29 01:14	81,920	--a------	C:\WINNT\system32\Startup.cpl
2008-01-27 16:44 . 2008-01-27 16:44	<DIR>	d--------	C:\Program Files\MyWebSearchWB
2008-01-27 15:48 . 2008-01-27 16:01	<DIR>	d--------	C:\Program Files\RegCure
2008-01-26 19:17 . 2008-01-26 19:17	<DIR>	d--------	C:\Program Files\Windows Sidebar
2008-01-26 19:16 . 2008-01-27 15:09	<DIR>	d--------	C:\Program Files\Norton Internet Security
2008-01-26 19:13 . 2008-01-27 14:59	10,740	--a------	C:\WINNT\system32\drivers\SYMEVENT.CAT
2008-01-26 19:13 . 2008-01-27 14:59	805	--a------	C:\WINNT\system32\drivers\SYMEVENT.INF
2008-01-26 18:21 . 2008-01-26 18:21	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-26 18:11 . 2008-01-26 18:11	<DIR>	d--------	C:\Documents and Settings\All Users\Symantec Temporary Files
2008-01-22 15:32 . 2008-01-22 15:32	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-22 15:31 . 2008-01-22 15:31	<DIR>	d--------	C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-01-22 15:01 . 2008-01-22 15:01	<DIR>	d--------	C:\Program Files\CCleaner
2008-01-22 14:34 . 2008-01-22 14:34	<DIR>	d--------	C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-01-22 11:30 . 2003-04-11 06:31	<DIR>	d--------	C:\Documents and Settings\Administrator\Application Data\Symantec
2008-01-22 11:30 . 2003-04-11 06:27	<DIR>	d--------	C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-01-21 18:13 . 2008-01-21 18:13	<DIR>	d--h-----	C:\WINNT\PIF
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-05 18:15	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2008-02-05 18:08	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-05 12:10	---------	d-----w	C:\Program Files\Incomplete
2008-02-05 04:06	---------	d-----w	C:\Program Files\LimeWire
2008-02-04 22:00	---------	d-----w	C:\Documents and Settings\Owner\Application Data\WeatherBug
2008-02-01 17:19	---------	d-----w	C:\Program Files\iTunes
2008-01-31 10:55	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-30 23:34	---------	d-----w	C:\Program Files\Maxis
2008-01-30 23:34	---------	d-----w	C:\Program Files\BitTorrent
2008-01-30 23:34	---------	d-----w	C:\Program Files\Binary Boy
2008-01-30 23:33	---------	d-----w	C:\Program Files\Stamps.com Internet Postage
2008-01-29 22:28	---------	d-----w	C:\Program Files\Lavasoft
2008-01-29 22:28	---------	d-----w	C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-01-29 22:21	---------	d-----w	C:\Program Files\Common Files\Wise Installation Wizard
2008-01-28 23:25	---------	d-----w	C:\Program Files\Windows Defender
2008-01-27 22:42	---------	d-----w	C:\Program Files\AWS
2008-01-27 20:59	60,800	----a-w	C:\WINNT\system32\S32EVNT1.DLL
2008-01-27 20:59	123,952	----a-w	C:\WINNT\system32\drivers\SYMEVENT.SYS
2008-01-27 20:59	---------	d-----w	C:\Program Files\Symantec
2008-01-27 01:22	---------	d-----w	C:\Documents and Settings\Owner\Application Data\Symantec
2008-01-27 01:20	---------	d-----w	C:\Program Files\SymNetDrv
2008-01-26 17:53	20	---ha-w	C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2008-01-25 20:11	---------	d-----w	C:\Program Files\ieSpell
2008-01-23 16:29	---------	d-----w	C:\Program Files\Real
2008-01-23 16:25	---------	d-----w	C:\Program Files\Common Files\Adaptec Shared
2008-01-20 13:19	---------	d-----w	C:\Program Files\QuickTime
2008-01-15 15:54	10,537	----a-w	C:\WINNT\system32\drivers\coh_mon.cat
2008-01-15 11:28	706	----a-w	C:\WINNT\system32\drivers\COH_Mon.inf
2008-01-13 00:32	23,904	----a-w	C:\WINNT\system32\drivers\COH_Mon.sys
2008-01-06 00:36	---------	d-----w	C:\Program Files\Spybot - Search & Destroy
2007-12-25 17:46	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-12-25 17:46	---------	d-----w	C:\Program Files\Samsung
2007-12-14 17:32	12,632	----a-w	C:\WINNT\system32\lsdelete.exe
2007-12-10 17:23	38,795	----a-w	C:\WINNT\Fonts\english.zip
2007-11-07 09:26	721,920	----a-w	C:\WINNT\system32\lsasrv.dll
2007-11-07 09:26	721,920	------w	C:\WINNT\system32\dllcache\lsasrv.dll
2006-11-30 22:43	54,908	----a-w	C:\WINNT\Internet Logs\zlclient_2nd_2006_11_30_16_30_53_small.dmp.zip
2006-11-30 22:43	49,820	----a-w	C:\WINNT\Internet Logs\zlclient_2nd_2006_11_30_16_32_19_small.dmp.zip
2006-11-30 22:26	13,150,198	----a-w	C:\WINNT\Internet Logs\zlclient_2nd_2006_11_30_15_45_12_full.dmp.zip
2006-11-30 22:25	42,472	----a-w	C:\WINNT\Internet Logs\zlclient_2nd_2006_11_30_15_44_48_small.dmp.zip
2006-10-03 18:09	49,565	----a-w	C:\WINNT\Internet Logs\zlclient_2nd_2006_10_02_07_39_35_small.dmp.zip
2006-10-03 18:08	41,408	----a-w	C:\WINNT\Internet Logs\zlclient_2nd_2006_10_02_07_39_19_small.dmp.zip
2006-03-20 21:05	50,688	----a-w	C:\WINNT\Internet Logs\zlclient_2nd_2006_03_14_09_47_11_small.dmp.zip
2006-03-20 21:04	38,141	----a-w	C:\WINNT\Internet Logs\zlclient_2nd_2006_03_14_09_46_22_small.dmp.zip
2004-01-23 02:39	35,942,843	----a-w	C:\Program Files\NIS2004.exe
2006-05-23 21:48	56	--sh--r	C:\WINNT\system32\DDFB19383A.sys
2006-05-23 21:48	3,350	--sha-w	C:\WINNT\system32\KGyGaAvL.sys
.
[code]<pre>
----a-w           579,072 2008-01-22 18:03:54  C:\Program Files\Grisoft\AVG7\avgcc .exe
----a-w           256,576 2008-01-27 01:10:57  C:\Program Files\iTunes\iTunesHelper .exe
</pre>[/code]
 
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-24 21:51	316784	--a------	C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
 
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-01-31 11:51	116088	--a------	C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}
 
[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]
 
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-24 21:51 316784]
 
[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" [2006-04-07 15:02 1343488]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 01:56 15360]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-08-24 23:07 51048]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-24 22:53 714608]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Warning"="C:\PROGRA~1\SYMNET~1\SNDWarn.exe" [2004-07-13 15:19 95352]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]
 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SRUUninstall"="C:\WINNT\System32\msiexec.exe" [2005-03-21 14:00 78848]
"@"="C:\WINNT\System32\Rename.exe" [2002-05-03 11:47 120979]
"RunNarrator"="Narrator.exe" [2004-08-04 01:56 53760 C:\WINNT\system32\narrator.exe]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINNT\pss\Adobe Reader Speed Launch.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Palm\HotSync Manager.lnk
backup=C:\WINNT\pss\HotSync Manager.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=C:\WINNT\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
backup=C:\WINNT\pss\NkbMonitor.exe.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=C:\WINNT\pss\WinZip Quick Pick.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Joost.lnk]
backup=C:\WINNT\pss\Joost.lnkStartup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
-ra------ 2007-03-01 09:37 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 01:56 15360 C:\WINNT\system32\ctfmon.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GWMDMMSG]
--a------ 2002-08-06 13:24 90112 C:\WINNT\GWMDMMSG.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GWMDMpi]
--a------ 2002-08-06 13:24 53248 C:\WINNT\GWMDMpi.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-07-10 03:13 114688 C:\WINNT\System32\hkcmd.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\I&F Viewer toolbar]
--a------ 2006-05-18 17:23 65536 C:\Program Files\Photo Toolkit\ivbar\phototoolkitmem.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2003-07-10 03:25 155648 C:\WINNT\System32\igfxtray.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KEMailKb]
--a------ 2005-08-09 02:27 401408 C:\PROGRA~1\MICROI~1\INTERN~1\KEMailKb.EXE
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINNT\system32\dumprep 0 -k
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
--------- 2004-03-03 11:50 19968 C:\WINNT\LOGI_MWX.EXE
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ltho]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Gateway]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 10:21 1694208 C:\WINNT\$hf_mig$\KB887472\SP2QFE\msmsgs.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Photoshop Image Service]
 
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PTPRoyUpdater]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PTPUpdater]
--a------ 2004-09-30 14:46 122880 C:\Program Files\PtpUpdater\PtpUpdater.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
--a------ 2006-10-06 18:10 208941 C:\Program Files\Real\RealPlayer\realplay.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-05-03 01:56 36975 C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-10-06 18:10 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
--a------ 2004-11-10 22:15 111816 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Registry Repair Pro]
--a------ 2004-11-05 02:17 1372160 C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
--a------ 2004-03-18 08:33 892928 C:\Program Files\Logitech\iTouch\iTouch.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zdrinit]
 
R0 fasttrak;fasttrak;C:\WINNT\system32\DRIVERS\fasttrak.sys [2002-11-07 14:07]
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" [2007-08-24 23:07]
R2 NkPtpEnumP2;NkPtpEnumP2;"C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe" -a []
R2 NMSSvc;Intel(R) NMS;C:\WINNT\System32\NMSSvc.exe [2002-05-03 10:36]
R3 NMSCFG;NIC Management Service Configuration Driver;C:\WINNT\system32\drivers\NMSCFG.SYS [2002-05-03 10:36]
R3 SymIMMP;SymIMMP;C:\WINNT\system32\DRIVERS\SymIM.sys [2007-08-09 18:27]
R3 VBus;Virtual Bus;C:\WINNT\system32\DRIVERS\NkVBus.sys [2005-06-17 10:11]
S3 COH_Mon;COH_Mon;C:\WINNT\system32\Drivers\COH_Mon.sys [2008-01-12 18:32]
S3 PCDRDRV;Pcdr Helper Driver;C:\Atf\Qctest\PCDoc\PCDRDRV.sys []
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINNT\system32\DRIVERS\SymIM.sys [2007-08-09 18:27]
 
*Newly Created Service* - COMHOST
*Newly Created Service* - NMSCFG
*Newly Created Service* - NMSSVC
.
Contents of the 'Scheduled Tasks' folder
"2008-02-02 18:06:00 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-05 19:18:47 C:\WINNT\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-02-05 03:01:08 C:\WINNT\Tasks\Norton Internet Security - Run Full System Scan - Owner.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
"2008-02-05 19:16:33 C:\WINNT\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-01-31 10:46:32 C:\WINNT\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2005-12-24 21:45:34 C:\WINNT\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
.
**************************************************************************
 
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-05 14:00:40
Windows 5.1.2600 Service Pack 2 NTFS
 
scanning hidden processes ... 
 
scanning hidden autostart entries ...
 
scanning hidden files ... 
 
scan completed successfully 
hidden files: 0 
 
**************************************************************************
.
Completion time: 2008-02-05 14:06:39
ComboFix-quarantined-files.txt  2008-02-05 20:06:33
.
2008-02-01 18:24:21	--- E O F ---  


0
 
briancassinCommented:
Norton AntiVirus looks like it may be damaged:
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe (file missing)

Also, I noticed that you are running both Ad-Aware's live monitor and Windows Defender; it is not a good idea to run these two together.

These need to be removed:
2006-05-23 21:48      56      --sh--r      C:\WINNT\system32\DDFB19383A.sys
2006-05-23 21:48      3,350      --sha-w      C:\WINNT\system32\KGyGaAvL.sys

Looking at the dates, though, these are quite old; it looks as if you have had an infection for a while, or whatever it is, is faking the dates...

I would continue on using the other things I recommended:

Spyware Doctor (above), SUPERAntiSpyware, VundoFix, SmitFraud and CWShredder.
Make sure you disable Windows Defender and also Ad-Aware when running these.

Do you also have ZoneAlarm on this machine? It looked like it from the log files. I ask because that may also be the reason why Windows Defender is not running... but I am leaning more towards it being malware and the like causing that problem.

0
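The two files briancassin points at stand out by their attribute column (system + hidden, in system32), not by their names. As an added example (not part of this thread, and not ComboFix's own code), the Python below parses ComboFix file-listing lines in both shapes the log uses (the "Files Created" lines with two timestamps and the "Find3M" lines with one) and reports files under the Windows directory that carry both the system and hidden attributes, with size and timestamp for the reviewer. The sample lines are copied from the ComboFix log above with the tab separators replaced by spaces (the parser accepts either); the attribute-letter mapping (d, s, h, a, r, w) is inferred from the log, and the flagging rule is this example's assumption. Two caveats a practitioner would add: the timestamp in that column is the last-write time, which any process with write access to the file can set, so an old date proves nothing either way; and some commercial licensing and copy-protection components legitimately drop small hidden, system-attributed files into system32, so a hit is a lead to verify (hash lookup, signer, what created it) rather than a verdict.

```python
"""Flag hidden+system files under the Windows directory in ComboFix file listings.

Added example, not part of the thread or of ComboFix.  SAMPLE_LINES are copied
from the ComboFix log above with tabs replaced by spaces.  The attribute letters
(d=directory, s=system, h=hidden, a=archive, r=read-only, w=writable) are
inferred from the log, and the flagging rule is this example's own assumption.
"""
import re
from dataclasses import dataclass

# Constructed sample: six lines from the log above ("Find3M" and "Files Created" shapes).
SAMPLE_LINES = r"""
2008-01-27 20:59   60,800   ----a-w   C:\WINNT\system32\S32EVNT1.DLL
2008-01-26 17:53   20   ---ha-w   C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2007-12-25 17:46   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2006-05-23 21:48   56   --sh--r   C:\WINNT\system32\DDFB19383A.sys
2006-05-23 21:48   3,350   --sha-w   C:\WINNT\system32\KGyGaAvL.sys
2008-01-21 18:13 . 2008-01-21 18:13   <DIR>   d--h-----   C:\WINNT\PIF
"""

# One listing line: timestamp(s), size (or <DIR> / dashes), attribute string, path.
# Columns may be separated by tabs (ComboFix's output) or runs of spaces.
_LINE = re.compile(
    r"^(?P<stamp>\S.*?)\s+(?P<size>[\d,]+|<DIR>|-+)\s+(?P<attrs>[-a-z]{7,9})\s+(?P<path>\S.*)$"
)
# The Windows directory on this machine is C:\WINNT; accept C:\WINDOWS as well.
_WINDIR = re.compile(r"^[A-Za-z]:\\(?:WINNT|WINDOWS)\\", re.IGNORECASE)


@dataclass
class Entry:
    stamp: str   # one timestamp (Find3M) or "created . modified" (Files Created)
    size: str    # decimal with thousands separators, "<DIR>", or dashes
    attrs: str   # e.g. "--sh--r", "d--h-----"
    path: str

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs

    @property
    def hidden_system(self) -> bool:
        return "h" in self.attrs and "s" in self.attrs


def parse_line(line: str):
    """Parse one listing line into an Entry, or None if it is not a listing line."""
    m = _LINE.match(line.strip())
    return Entry(**m.groupdict()) if m else None


def flag(entry: Entry):
    """Return a reason string if the entry deserves a look, else None."""
    if entry.is_dir:
        return None
    if entry.hidden_system and _WINDIR.match(entry.path):
        size_bytes = entry.size.replace(",", "")
        return (f"hidden+system file under the Windows directory "
                f"({size_bytes} bytes, last write {entry.stamp}): verify hash/signer")
    return None


def triage(text: str) -> list:
    """Return (path, reason) pairs for every flagged line in a ComboFix listing."""
    hits = []
    for raw in text.splitlines():
        entry = parse_line(raw)
        if entry and (why := flag(entry)):
            hits.append((entry.path, why))
    return hits


if __name__ == "__main__":
    for path, why in triage(SAMPLE_LINES):
        print(f"{path}\n    {why}")
```

On the sample it reports exactly the two .sys files quoted in the post above and stays quiet on the hidden-but-not-system PKP_DLec.DAT and on the hidden directories; whether those two files are an infection or a licensing component's data is the question the hash and signer check has to answer, not the attribute bits.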
 
GiforGODAuthor Commented:
Thanks to these fine "experts" and their knowledge, patience, and clear and concise instructions. The system appears clean and is running quite smoothly. I greatly appreciate all the help and this web site! Regards, Greg
0
 
briancassinCommented:
You're welcome.

glad I could help :)
0
 
bmkiss67Commented:
Hi all.  It looks like I just got this vundo virus, or at least I just realized that I have it, so I now need to get rid of it.  Question I have is how do you guys know what to get rid of?
0
 
briancassinCommented:
bmkiss67,

You will have to open a new question regarding this, as this question is closed and the points have been awarded already. This also keeps this thread from having too many different problems in it; that way everyone gets individual help for their issue. Experts also won't pay attention to this since it is closed.
0
 
Vee_ModCommented:
bmkiss67 - please post a new question of your own - giving all of the details of your OS/System/symptoms.


Vee_Mod
Experts Exchange Moderator
0
