GiforGOD asked:
Windows Defender not operating....hijacked?

I have been experiencing several pop-ups lately, including "SystemErrorFixer", Bestsellerantivirus, malewarealarm, deuscleaner and versiontrackerPro. I have run Spybot, Norton Internet Security and Anti-virus 2008, Ad-Aware 2007 and nothing seems to find any of these as a problem. Since this problem, my Windows Defender has been deleted, or at least made inoperable, as has my AWS WeatherBug. I have re-installed both and within a day or two they are no longer operable. Please note that I first uninstalled Zone Alarm and AVG prior to installing Norton. Since all of this, my computer, especially when on the internet with IE, seems to have bogged down. Any suggestions? I am running XP Home as well as connecting via Comcast. Thanks in advance.
ASKER CERTIFIED SOLUTION by Member_2_49692 (members-only content, not shown on this page)

Member_2_49692:
Here is more information on SystemErrorFixer:

http://ca.com/us/securityadvisor/pest/pest.aspx?id=453120379
Michael Worsham:
I recommend downloading/installing SUPERAntiSpyware as well, as it has an assortment of tools embedded in it...

URL: http://www.superantispyware.com/
Sounds like the new file-infecting Vundo trojan to me. As briancassin had pointed out, ComboFix would probably be the best option. Then with the RenV function we may be able to get some or all of the programs back. The file infector basically infects all of your startup programs, like Defender, etc.
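The reply above describes a file infector that replaces startup programs, and the ComboFix output posted further down in this thread lists two files of the shape that infector leaves behind, `avgcc .exe` and `iTunesHelper .exe` (a space before the extension, sitting next to the real `avgcc.exe` / `iTunesHelper.exe`); ComboFix's RenV function, mentioned above, is the tool that renames such displaced originals back. The script below is an added example, not ComboFix's code or anything posted in this thread: it walks a directory tree for that `X .exe` beside `X.exe` pattern, hashes each pair so an untouched duplicate is not mistaken for a swap, and emits a restore plan without executing it. The sample tree it builds in a temporary directory is constructed for the demonstration, and `Displaced`, `find_displaced` and `restore_plan` are names chosen here.

```python
"""Find startup programs displaced by a 'name .exe' rename (added example)."""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List, Tuple

# 'X .exe' (space before the extension) next to 'X.exe' is the pattern the
# ComboFix output in this thread lists for avgcc.exe and iTunesHelper.exe.
DISPLACED_RE = re.compile(r"^(?P<stem>.+?) \.(?P<ext>exe|dll|scr)$", re.IGNORECASE)


@dataclass
class Displaced:
    directory: str
    original_name: str   # the renamed original, e.g. 'iTunesHelper .exe'
    current_name: str    # whatever now occupies the original name
    same_content: bool   # True only if both files hash identical (nothing was swapped)


def sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_displaced(root: str) -> List[Displaced]:
    """Walk root and pair every 'X .ext' with an 'X.ext' in the same directory."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}
        for f in files:
            m = DISPLACED_RE.match(f)
            if not m:
                continue
            current = by_lower.get(f"{m['stem']}.{m['ext']}".lower())
            if current is None:
                continue  # a stray 'X .exe' with nothing at X.exe; not a swap
            same = sha256(os.path.join(dirpath, f)) == sha256(os.path.join(dirpath, current))
            found.append(Displaced(dirpath, f, current, same))
    return found


def restore_plan(items: List[Displaced], quarantine_dir: str) -> List[Tuple[str, str, str]]:
    """Steps to undo the swap, returned as (action, src, dst) and NOT executed:
    move the file now at the original name into quarantine, then rename the
    displaced original back. Only run such a plan after the loader has been
    removed from every autostart location, or it is simply dropped again."""
    plan = []
    for d in items:
        if d.same_content:
            continue
        cur = os.path.join(d.directory, d.current_name)
        plan.append(("quarantine", cur, os.path.join(quarantine_dir, d.current_name)))
        plan.append(("rename", os.path.join(d.directory, d.original_name), cur))
    return plan


def build_sample_tree() -> str:
    """Constructed sample tree: one swapped helper, one untouched program."""
    root = tempfile.mkdtemp(prefix="renv_demo_")
    itunes = os.path.join(root, "iTunes")
    os.makedirs(itunes)
    with open(os.path.join(itunes, "iTunesHelper .exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 4094)      # stand-in for the displaced original
    with open(os.path.join(itunes, "iTunesHelper.exe"), "wb") as fh:
        fh.write(b"MZ" + b"LOADER" * 32)      # stand-in for the dropped loader
    with open(os.path.join(root, "benign.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 64)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    items = find_displaced(root)
    for d in items:
        print(f"{d.directory}: '{d.original_name}' displaced by '{d.current_name}' "
              f"(identical content: {d.same_content})")
    for step in restore_plan(items, os.path.join(root, "quarantine")):
        print(*step)
```

On a real machine point `find_displaced` at `C:\Program Files` and `C:\WINNT` after the cleanup scanners have run; the plan is deliberately returned rather than executed so the operator can review it, and pairs whose hashes match are skipped because nothing was swapped there.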
GiforGOD (asker):

Thanks folks... I have all the programs in briancassin's initial post except for ComboFix, which I will download, install, and run. After that, I will run HijackThis and post both logfiles. I have already run Spybot and Ad-Aware (both newest versions) with no unusual findings. I shall try Spyware Doctor and smitfraud; however, Superantivirus has been reported to be a problem in some circles. Once I get these, I will post my logs, etc. Thanks again for your help!
Sounds good, I look forward to seeing the log files.
Okay gang, sorry for the delay. I had a difficult time downloading ComboFix through IE and was only able to do it through Firefox, which I downloaded as well. Since downloading ComboFix and running it, things appear to have improved drastically, with no annoying pop-ups since. Speed has increased as well (and I really like Firefox over IE now and will continue to use it instead).

Below are the log files for Hijack This and ComboFix as requested. Any help in figuring out if my problems have been solved will be greatly appreciated.

I do want to add memory to the system and would like any suggestions on best place to get it. I want to increase to 512K.

Thanks everyone in advance!
Greg


Logfile of HijackThis v1.99.1
Scan saved at 8:32:35 AM, on 02/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
 
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINNT\System32\FtrakSvc.exe
C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\fxssvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2B0B59B4-55A3-4737-9FD5-B93C6430BF75} - C:\WINNT\system32\xbflvmcu.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://playgames.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab
O20 - Winlogon Notify: byxxuuv - byxxuuv.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Promise FastTrak Log Service (FastTrakSvc) - Promise Technology Inc. - C:\WINNT\System32\FtrakSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: NkPtpEnumP2 - Unknown owner - C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe" -a -d="C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpip.dll (file missing)
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
 
END OF CODE FOR HIJACK THIS
 
ComboFix Code:
 
ComboFix 08-02.03.1 - Owner 2008-02-02 17:19:00.1 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
 * Created a new restore point
 
WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
C:\WINNT\system32\jkkjj.dll
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dic.gz
C:\Program Files\QdrModule\kwd.gz
C:\Program Files\QdrPack
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\trgts.gz
C:\WINNT\bar.exe
C:\WINNT\bobsaver.scr
C:\WINNT\cookies.ini
C:\WINNT\system32\000080.exe
C:\WINNT\system32\aeyyvswv.ini
C:\WINNT\system32\ariivmtu.dll
C:\WINNT\system32\boxbddyo.ini
C:\WINNT\system32\bvllfnen.dll
C:\WINNT\system32\dnrnpiag.dll
C:\WINNT\system32\errugxeq.ini
C:\WINNT\system32\esntrfve.dll
C:\WINNT\system32\fqcnruqw.ini
C:\WINNT\system32\gdtvqktf.dll
C:\WINNT\system32\ggfjtpvn.ini
C:\WINNT\system32\gnanrcim.ini
C:\WINNT\system32\icxlqdsb.ini
C:\WINNT\system32\jjkkj.ini
C:\WINNT\system32\jjkkj.ini2
C:\WINNT\system32\jkkjj.dll
C:\WINNT\system32\MabryObj.dll
C:\WINNT\system32\mcrh.tmp
C:\WINNT\system32\micrnang.dll
C:\WINNT\system32\nuomyknw.ini
C:\WINNT\system32\sphhftqb.ini
C:\WINNT\system32\utmviira.ini
C:\WINNT\system32\wapiicomsv.exe
C:\WINNT\system32\wnkymoun.dll
C:\WINNT\system32\wqurncqf.dll
C:\WINNT\system32\yxswelud.dll
 
.
(((((((((((((((((((((((((   Files Created from 2008-01-02 to 2008-02-02  )))))))))))))))))))))))))))))))
.
 
2008-02-02 17:19 . 2008-02-02 17:19	6,736	--a------	C:\WINNT\system32\drivers\PROCEXP90.SYS
2008-02-01 12:24 . 2008-02-01 12:24	<DIR>	d--------	C:\efac57cf4047be7051f611911795bd21
2008-02-01 11:14 . 2008-02-01 11:14	106,560	--a------	C:\WINNT\system32\xbflvmcu.dll
2008-01-30 16:57 . 2008-01-30 17:36	<DIR>	d--------	C:\hijackthis
2008-01-29 16:22 . 2008-01-29 16:30	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-27 16:53 . 2002-12-29 01:14	81,920	--a------	C:\WINNT\system32\Startup.cpl
2008-01-27 16:44 . 2008-01-27 16:44	<DIR>	d--------	C:\Program Files\MyWebSearchWB
2008-01-27 15:48 . 2008-01-27 16:01	<DIR>	d--------	C:\Program Files\RegCure
2008-01-26 19:17 . 2008-01-26 19:17	<DIR>	d--------	C:\Program Files\Windows Sidebar
2008-01-26 19:16 . 2008-01-27 15:09	<DIR>	d--------	C:\Program Files\Norton Internet Security
2008-01-26 19:13 . 2008-01-27 14:59	10,740	--a------	C:\WINNT\system32\drivers\SYMEVENT.CAT
2008-01-26 19:13 . 2008-01-27 14:59	805	--a------	C:\WINNT\system32\drivers\SYMEVENT.INF
2008-01-26 18:21 . 2008-01-26 18:21	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-26 18:11 . 2008-01-26 18:11	<DIR>	d--------	C:\Documents and Settings\All Users\Symantec Temporary Files
2008-01-22 15:32 . 2008-01-22 15:32	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-22 15:31 . 2008-01-22 15:31	<DIR>	d--------	C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-01-22 15:01 . 2008-01-22 15:01	<DIR>	d--------	C:\Program Files\CCleaner
2008-01-22 14:34 . 2008-01-22 14:34	<DIR>	d--------	C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-01-22 11:30 . 2003-04-11 06:31	<DIR>	d--------	C:\Documents and Settings\Administrator\Application Data\Symantec
2008-01-22 11:30 . 2003-04-11 06:27	<DIR>	d--------	C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-01-21 18:13 . 2008-01-21 18:13	<DIR>	d--h-----	C:\WINNT\PIF
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-02 23:14	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2008-02-02 21:13	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-01 17:19	---------	d-----w	C:\Program Files\iTunes
2008-01-31 10:55	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-30 23:34	---------	d-----w	C:\Program Files\Maxis
2008-01-30 23:34	---------	d-----w	C:\Program Files\BitTorrent
2008-01-30 23:34	---------	d-----w	C:\Program Files\Binary Boy
2008-01-30 23:33	---------	d-----w	C:\Program Files\Stamps.com Internet Postage
2008-01-30 19:19	---------	d-----w	C:\Program Files\LimeWire
2008-01-29 22:28	---------	d-----w	C:\Program Files\Lavasoft
2008-01-29 22:28	---------	d-----w	C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-01-29 22:21	---------	d-----w	C:\Program Files\Common Files\Wise Installation Wizard
2008-01-28 23:25	---------	d-----w	C:\Program Files\Windows Defender
2008-01-28 16:45	---------	d-----w	C:\Documents and Settings\Owner\Application Data\WeatherBug
2008-01-27 22:42	---------	d-----w	C:\Program Files\AWS
2008-01-27 20:59	123,952	----a-w	C:\WINNT\system32\drivers\SYMEVENT.SYS
2008-01-27 20:59	---------	d-----w	C:\Program Files\Symantec
2008-01-27 01:22	---------	d-----w	C:\Documents and Settings\Owner\Application Data\Symantec
2008-01-27 01:20	---------	d-----w	C:\Program Files\SymNetDrv
2008-01-26 17:53	20	---ha-w	C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2008-01-25 20:11	---------	d-----w	C:\Program Files\ieSpell
2008-01-23 16:29	---------	d-----w	C:\Program Files\Real
2008-01-23 16:25	---------	d-----w	C:\Program Files\Common Files\Adaptec Shared
2008-01-20 13:19	---------	d-----w	C:\Program Files\QuickTime
2008-01-15 15:54	10,537	----a-w	C:\WINNT\system32\drivers\coh_mon.cat
2008-01-15 11:28	706	----a-w	C:\WINNT\system32\drivers\COH_Mon.inf
2008-01-13 00:32	23,904	----a-w	C:\WINNT\system32\drivers\COH_Mon.sys
2008-01-06 21:06	---------	d-----w	C:\Program Files\Incomplete
2008-01-06 00:36	---------	d-----w	C:\Program Files\Spybot - Search & Destroy
2007-12-25 17:46	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-12-25 17:46	---------	d-----w	C:\Program Files\Samsung
2007-12-04 23:35	---------	d-----w	C:\Program Files\IncrediMail
2004-01-23 02:39	35,942,843	----a-w	C:\Program Files\NIS2004.exe
2006-05-23 21:48	56	--sh--r	C:\WINNT\system32\DDFB19383A.sys
2006-05-23 21:48	3,350	--sha-w	C:\WINNT\system32\KGyGaAvL.sys
.
----a-w           579,072 2008-01-22 18:03:54  C:\Program Files\Grisoft\AVG7\avgcc .exe
----a-w           256,576 2008-01-27 01:10:57  C:\Program Files\iTunes\iTunesHelper .exe
 
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B0B59B4-55A3-4737-9FD5-B93C6430BF75}]
2008-02-01 11:14	106560	--a------	C:\WINNT\system32\xbflvmcu.dll
 
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-24 21:51	316784	--a------	C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
 
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-01-31 11:51	116088	--a------	C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}
 
[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]
 
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-24 21:51 316784]
 
[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" [ ]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 01:56 15360]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-08-24 23:07 51048]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-24 22:53 714608]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Warning"="C:\PROGRA~1\SYMNET~1\SNDWarn.exe" [2004-07-13 15:19 95352]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]
 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SRUUninstall"="C:\WINNT\System32\msiexec.exe" [2005-03-21 14:00 78848]
"@"="C:\WINNT\System32\Rename.exe" [2002-05-03 11:47 120979]
"RunNarrator"="Narrator.exe" [2004-08-04 01:56 53760 C:\WINNT\system32\narrator.exe]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxxuuv]
byxxuuv.dll
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINNT\pss\Adobe Reader Speed Launch.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Palm\HotSync Manager.lnk
backup=C:\WINNT\pss\HotSync Manager.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=C:\WINNT\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
backup=C:\WINNT\pss\NkbMonitor.exe.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=C:\WINNT\pss\WinZip Quick Pick.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Joost.lnk]
backup=C:\WINNT\pss\Joost.lnkStartup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
-ra------ 2007-03-01 09:37 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 01:56 15360 C:\WINNT\system32\ctfmon.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GWMDMMSG]
--a------ 2002-08-06 13:24 90112 C:\WINNT\GWMDMMSG.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GWMDMpi]
--a------ 2002-08-06 13:24 53248 C:\WINNT\GWMDMpi.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-07-10 03:13 114688 C:\WINNT\System32\hkcmd.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\I&F Viewer toolbar]
--a------ 2006-05-18 17:23 65536 C:\Program Files\Photo Toolkit\ivbar\phototoolkitmem.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2003-07-10 03:25 155648 C:\WINNT\System32\igfxtray.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KEMailKb]
--a------ 2005-08-09 02:27 401408 C:\PROGRA~1\MICROI~1\INTERN~1\KEMailKb.EXE
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINNT\system32\dumprep 0 -k
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
--------- 2004-03-03 11:50 19968 C:\WINNT\LOGI_MWX.EXE
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ltho]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Gateway]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 10:21 1694208 C:\WINNT\$hf_mig$\KB887472\SP2QFE\msmsgs.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Photoshop Image Service]
 
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PTPRoyUpdater]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PTPUpdater]
--a------ 2004-09-30 14:46 122880 C:\Program Files\PtpUpdater\PtpUpdater.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
--a------ 2006-10-06 18:10 208941 C:\Program Files\Real\RealPlayer\realplay.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-05-03 01:56 36975 C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-10-06 18:10 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
--a------ 2004-11-10 22:15 111816 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Registry Repair Pro]
--a------ 2004-11-05 02:17 1372160 C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
--a------ 2004-03-18 08:33 892928 C:\Program Files\Logitech\iTouch\iTouch.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zdrinit]
 
R0 fasttrak;fasttrak;C:\WINNT\system32\DRIVERS\fasttrak.sys [2002-11-07 14:07]
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" [2007-08-24 23:07]
R2 NkPtpEnumP2;NkPtpEnumP2;"C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe" -a []
R2 NMSSvc;Intel(R) NMS;C:\WINNT\System32\NMSSvc.exe [2002-05-03 10:36]
R3 NMSCFG;NIC Management Service Configuration Driver;C:\WINNT\system32\drivers\NMSCFG.SYS [2002-05-03 10:36]
R3 SymIMMP;SymIMMP;C:\WINNT\system32\DRIVERS\SymIM.sys [2007-08-09 18:27]
R3 VBus;Virtual Bus;C:\WINNT\system32\DRIVERS\NkVBus.sys [2005-06-17 10:11]
S3 COH_Mon;COH_Mon;C:\WINNT\system32\Drivers\COH_Mon.sys [2008-01-12 18:32]
S3 PCDRDRV;Pcdr Helper Driver;C:\Atf\Qctest\PCDoc\PCDRDRV.sys []
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINNT\system32\DRIVERS\SymIM.sys [2007-08-09 18:27]
 
*Newly Created Service* - COMHOST
*Newly Created Service* - NMSSVC
.
Contents of the 'Scheduled Tasks' folder
"2008-02-02 18:06:00 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-02 23:50:48 C:\WINNT\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-29 04:22:45 C:\WINNT\Tasks\Norton Internet Security - Run Full System Scan - Owner.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe /TASK:
"2008-02-02 23:00:02 C:\WINNT\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-01-31 10:46:32 C:\WINNT\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2005-12-24 21:45:34 C:\WINNT\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
.
**************************************************************************
 
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 17:48:13
Windows 5.1.2600 Service Pack 2 NTFS
 
scanning hidden processes ... 
 
scanning hidden autostart entries ...
 
scanning hidden files ... 
 
scan completed successfully 
hidden files: 0 
 
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINNT\System32\FtrakSvc.exe
C:\WINNT\system32\fxssvc.exe
.
**************************************************************************
.
Completion time: 2008-02-02 17:59:34 - machine was rebooted
ComboFix-quarantined-files.txt  2008-02-02 23:59:29
.
2008-02-01 18:24:21	--- E O F ---  

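The HijackThis log above carries the two entries this thread turns on: an unnamed BHO loaded from `C:\WINNT\system32\xbflvmcu.dll` (O2) and a Winlogon Notify package `byxxuuv.dll` (O20), both with the random lowercase names that fill ComboFix's deletion list, plus several orphaned Symantec services marked `(file missing)` (O23). As an added example, not code from the thread or from HijackThis, here is a small triage pass that applies those heuristics to HJT-format lines: an unnamed BHO from system32, a Winlogon Notify DLL outside a known-good set, and a service whose binary is gone. The sample lines are copied from the log above; the Winlogon Notify allowlist is illustrative and the names `Finding`, `triage_line` and `triage` are chosen here.

```python
"""Triage heuristics for HijackThis 1.99-style log lines (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Illustrative allowlist of Winlogon Notify packages that ship with Windows XP
# or common drivers; not authoritative, extend it from your own clean baseline.
KNOWN_NOTIFY_STEMS = {
    "wgalogon", "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "igfxcui", "atiextevent",
}

MODULE_RE = re.compile(r"([^\s\\:]+\.(?:dll|exe|cpl|ocx))\b", re.IGNORECASE)
RANDOM_STEM_RE = re.compile(r"^[a-z]{6,9}$")  # shape of the names in this thread's log

# Constructed sample: lines taken from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2B0B59B4-55A3-4737-9FD5-B93C6430BF75} - C:\WINNT\system32\xbflvmcu.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O20 - Winlogon Notify: byxxuuv - byxxuuv.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe (file missing)
"""


@dataclass
class Finding:
    severity: str   # HIGH or LOW
    section: str    # HijackThis section, e.g. O2, O20, O23
    module: str     # lower-cased file name the entry loads
    reason: str
    line: str


def module_name(entry: str) -> Optional[str]:
    """File name (not the full path) of the DLL/EXE an entry loads, lower-cased."""
    m = MODULE_RE.search(entry)
    return m.group(1).lower() if m else None


def looks_random(module: str) -> bool:
    """True for a stem of 6-9 lowercase letters, the shape of the names seen here."""
    return RANDOM_STEM_RE.match(module.rsplit(".", 1)[0]) is not None


def triage_line(line: str) -> Optional[Finding]:
    """Apply the heuristics to one log line; None means nothing to report."""
    m = re.match(r"^(O\d+)\s+-\s+(.*)$", line.strip())
    if not m:
        return None
    section, rest = m.group(1), m.group(2)
    module = module_name(rest)
    if module is None:
        return None
    in_system32 = "\\system32\\" in rest.lower()
    missing = "(file missing)" in rest.lower()
    stem = module.rsplit(".", 1)[0]

    if section == "O2" and "(no name)" in rest and in_system32:
        reason = ("unnamed BHO loaded from system32; legitimate BHOs carry a product "
                  "name and install under Program Files")
        if looks_random(module):
            reason += "; random-looking file name"
        return Finding("HIGH", section, module, reason, line)

    if section == "O20" and "winlogon notify" in rest.lower() and stem not in KNOWN_NOTIFY_STEMS:
        reason = "Winlogon Notify package outside the known-good set; loads into winlogon.exe at every logon"
        if missing:
            reason += "; registry entry persists although the DLL is not visible (already removed, or hidden)"
        return Finding("HIGH", section, module, reason, line)

    if section == "O23" and missing:
        return Finding("LOW", section, module,
                       "service points at a file that no longer exists; usually an uninstall leftover", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and return the findings, worst first."""
    order = {"HIGH": 0, "LOW": 1}
    found = [f for f in (triage_line(l) for l in log_text.splitlines()) if f]
    return sorted(found, key=lambda f: order[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section} {f.module}: {f.reason}")
```

Run against the full log this flags `xbflvmcu.dll` and `byxxuuv.dll` as HIGH and the `(file missing)` Symantec services as LOW, while leaving the Adobe, Spybot and WgaLogon entries alone; the allowlist is the part to maintain, since anything new in Winlogon Notify that is not on it deserves a look.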

SOLUTION (members-only content, not shown on this page)
SOLUTION (members-only content, not shown on this page)
Thanks guys... I have done the deed and below are the most recent log files for HijackThis and for ComboFix. Thanks again for all your help...

Also, I need advice on where to shop for the best memory. I want to upgrade to a 512 stick.


Greg
Hijack This:
 
Logfile of HijackThis v1.99.1
Scan saved at 2:10:18 PM, on 02/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
 
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINNT\System32\FtrakSvc.exe
C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\fxssvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\explorer.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://playgames.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab
O20 - Winlogon Notify: byxxuuv - C:\WINNT\
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Promise FastTrak Log Service (FastTrakSvc) - Promise Technology Inc. - C:\WINNT\System32\FtrakSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: NkPtpEnumP2 - Unknown owner - C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe" -a -d="C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpip.dll (file missing)
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
 
***********end of HijackThis Log**************
 
Here is ComboFix log:
 
ComboFix 08-02.05.3 - Owner 2008-02-05 13:51:24.2 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
 * Created a new restore point
 
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
 
FILE
C:\WINNT\system32\byxxuuv.dll
C:\WINNT\system32\xbflvmcu.dll
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
C:\efac57cf4047be7051f611911795bd21
 
.
(((((((((((((((((((((((((   Files Created from 2008-01-05 to 2008-02-05  )))))))))))))))))))))))))))))))
.
 
2008-02-05 13:43 . 2004-08-04 01:56	388,608	--a------	C:\kmd.exe
2008-01-30 16:57 . 2008-01-30 17:36	<DIR>	d--------	C:\hijackthis
2008-01-29 16:22 . 2008-01-29 16:30	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-27 16:53 . 2002-12-29 01:14	81,920	--a------	C:\WINNT\system32\Startup.cpl
2008-01-27 16:44 . 2008-01-27 16:44	<DIR>	d--------	C:\Program Files\MyWebSearchWB
2008-01-27 15:48 . 2008-01-27 16:01	<DIR>	d--------	C:\Program Files\RegCure
2008-01-26 19:17 . 2008-01-26 19:17	<DIR>	d--------	C:\Program Files\Windows Sidebar
2008-01-26 19:16 . 2008-01-27 15:09	<DIR>	d--------	C:\Program Files\Norton Internet Security
2008-01-26 19:13 . 2008-01-27 14:59	10,740	--a------	C:\WINNT\system32\drivers\SYMEVENT.CAT
2008-01-26 19:13 . 2008-01-27 14:59	805	--a------	C:\WINNT\system32\drivers\SYMEVENT.INF
2008-01-26 18:21 . 2008-01-26 18:21	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-26 18:11 . 2008-01-26 18:11	<DIR>	d--------	C:\Documents and Settings\All Users\Symantec Temporary Files
2008-01-22 15:32 . 2008-01-22 15:32	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-22 15:31 . 2008-01-22 15:31	<DIR>	d--------	C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-01-22 15:01 . 2008-01-22 15:01	<DIR>	d--------	C:\Program Files\CCleaner
2008-01-22 14:34 . 2008-01-22 14:34	<DIR>	d--------	C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-01-22 11:30 . 2003-04-11 06:31	<DIR>	d--------	C:\Documents and Settings\Administrator\Application Data\Symantec
2008-01-22 11:30 . 2003-04-11 06:27	<DIR>	d--------	C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-01-21 18:13 . 2008-01-21 18:13	<DIR>	d--h-----	C:\WINNT\PIF
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-05 18:15	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2008-02-05 18:08	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-05 12:10	---------	d-----w	C:\Program Files\Incomplete
2008-02-05 04:06	---------	d-----w	C:\Program Files\LimeWire
2008-02-04 22:00	---------	d-----w	C:\Documents and Settings\Owner\Application Data\WeatherBug
2008-02-01 17:19	---------	d-----w	C:\Program Files\iTunes
2008-01-31 10:55	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-30 23:34	---------	d-----w	C:\Program Files\Maxis
2008-01-30 23:34	---------	d-----w	C:\Program Files\BitTorrent
2008-01-30 23:34	---------	d-----w	C:\Program Files\Binary Boy
2008-01-30 23:33	---------	d-----w	C:\Program Files\Stamps.com Internet Postage
2008-01-29 22:28	---------	d-----w	C:\Program Files\Lavasoft
2008-01-29 22:28	---------	d-----w	C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-01-29 22:21	---------	d-----w	C:\Program Files\Common Files\Wise Installation Wizard
2008-01-28 23:25	---------	d-----w	C:\Program Files\Windows Defender
2008-01-27 22:42	---------	d-----w	C:\Program Files\AWS
2008-01-27 20:59	60,800	----a-w	C:\WINNT\system32\S32EVNT1.DLL
2008-01-27 20:59	123,952	----a-w	C:\WINNT\system32\drivers\SYMEVENT.SYS
2008-01-27 20:59	---------	d-----w	C:\Program Files\Symantec
2008-01-27 01:22	---------	d-----w	C:\Documents and Settings\Owner\Application Data\Symantec
2008-01-27 01:20	---------	d-----w	C:\Program Files\SymNetDrv
2008-01-26 17:53	20	---ha-w	C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2008-01-25 20:11	---------	d-----w	C:\Program Files\ieSpell
2008-01-23 16:29	---------	d-----w	C:\Program Files\Real
2008-01-23 16:25	---------	d-----w	C:\Program Files\Common Files\Adaptec Shared
2008-01-20 13:19	---------	d-----w	C:\Program Files\QuickTime
2008-01-15 15:54	10,537	----a-w	C:\WINNT\system32\drivers\coh_mon.cat
2008-01-15 11:28	706	----a-w	C:\WINNT\system32\drivers\COH_Mon.inf
2008-01-13 00:32	23,904	----a-w	C:\WINNT\system32\drivers\COH_Mon.sys
2008-01-06 00:36	---------	d-----w	C:\Program Files\Spybot - Search & Destroy
2007-12-25 17:46	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-12-25 17:46	---------	d-----w	C:\Program Files\Samsung
2007-12-14 17:32	12,632	----a-w	C:\WINNT\system32\lsdelete.exe
2007-12-10 17:23	38,795	----a-w	C:\WINNT\Fonts\english.zip
2007-11-07 09:26	721,920	----a-w	C:\WINNT\system32\lsasrv.dll
2007-11-07 09:26	721,920	------w	C:\WINNT\system32\dllcache\lsasrv.dll
2006-11-30 22:43	54,908	----a-w	C:\WINNT\Internet Logs\zlclient_2nd_2006_11_30_16_30_53_small.dmp.zip
2006-11-30 22:43	49,820	----a-w	C:\WINNT\Internet Logs\zlclient_2nd_2006_11_30_16_32_19_small.dmp.zip
2006-11-30 22:26	13,150,198	----a-w	C:\WINNT\Internet Logs\zlclient_2nd_2006_11_30_15_45_12_full.dmp.zip
2006-11-30 22:25	42,472	----a-w	C:\WINNT\Internet Logs\zlclient_2nd_2006_11_30_15_44_48_small.dmp.zip
2006-10-03 18:09	49,565	----a-w	C:\WINNT\Internet Logs\zlclient_2nd_2006_10_02_07_39_35_small.dmp.zip
2006-10-03 18:08	41,408	----a-w	C:\WINNT\Internet Logs\zlclient_2nd_2006_10_02_07_39_19_small.dmp.zip
2006-03-20 21:05	50,688	----a-w	C:\WINNT\Internet Logs\zlclient_2nd_2006_03_14_09_47_11_small.dmp.zip
2006-03-20 21:04	38,141	----a-w	C:\WINNT\Internet Logs\zlclient_2nd_2006_03_14_09_46_22_small.dmp.zip
2004-01-23 02:39	35,942,843	----a-w	C:\Program Files\NIS2004.exe
2006-05-23 21:48	56	--sh--r	C:\WINNT\system32\DDFB19383A.sys
2006-05-23 21:48	3,350	--sha-w	C:\WINNT\system32\KGyGaAvL.sys
.
[code]<pre>
----a-w           579,072 2008-01-22 18:03:54  C:\Program Files\Grisoft\AVG7\avgcc .exe
----a-w           256,576 2008-01-27 01:10:57  C:\Program Files\iTunes\iTunesHelper .exe
</pre>[/code]
 
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-24 21:51	316784	--a------	C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
 
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-01-31 11:51	116088	--a------	C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}
 
[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]
 
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-24 21:51 316784]
 
[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" [2006-04-07 15:02 1343488]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 01:56 15360]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-08-24 23:07 51048]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-24 22:53 714608]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Warning"="C:\PROGRA~1\SYMNET~1\SNDWarn.exe" [2004-07-13 15:19 95352]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]
 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SRUUninstall"="C:\WINNT\System32\msiexec.exe" [2005-03-21 14:00 78848]
"@"="C:\WINNT\System32\Rename.exe" [2002-05-03 11:47 120979]
"RunNarrator"="Narrator.exe" [2004-08-04 01:56 53760 C:\WINNT\system32\narrator.exe]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINNT\pss\Adobe Reader Speed Launch.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Palm\HotSync Manager.lnk
backup=C:\WINNT\pss\HotSync Manager.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=C:\WINNT\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
backup=C:\WINNT\pss\NkbMonitor.exe.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=C:\WINNT\pss\WinZip Quick Pick.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Joost.lnk]
backup=C:\WINNT\pss\Joost.lnkStartup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
-ra------ 2007-03-01 09:37 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 01:56 15360 C:\WINNT\system32\ctfmon.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GWMDMMSG]
--a------ 2002-08-06 13:24 90112 C:\WINNT\GWMDMMSG.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GWMDMpi]
--a------ 2002-08-06 13:24 53248 C:\WINNT\GWMDMpi.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-07-10 03:13 114688 C:\WINNT\System32\hkcmd.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\I&F Viewer toolbar]
--a------ 2006-05-18 17:23 65536 C:\Program Files\Photo Toolkit\ivbar\phototoolkitmem.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2003-07-10 03:25 155648 C:\WINNT\System32\igfxtray.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KEMailKb]
--a------ 2005-08-09 02:27 401408 C:\PROGRA~1\MICROI~1\INTERN~1\KEMailKb.EXE
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINNT\system32\dumprep 0 -k
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
--------- 2004-03-03 11:50 19968 C:\WINNT\LOGI_MWX.EXE
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ltho]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Gateway]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 10:21 1694208 C:\WINNT\$hf_mig$\KB887472\SP2QFE\msmsgs.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Photoshop Image Service]
 
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PTPRoyUpdater]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PTPUpdater]
--a------ 2004-09-30 14:46 122880 C:\Program Files\PtpUpdater\PtpUpdater.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
--a------ 2006-10-06 18:10 208941 C:\Program Files\Real\RealPlayer\realplay.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-05-03 01:56 36975 C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-10-06 18:10 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
--a------ 2004-11-10 22:15 111816 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Registry Repair Pro]
--a------ 2004-11-05 02:17 1372160 C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
--a------ 2004-03-18 08:33 892928 C:\Program Files\Logitech\iTouch\iTouch.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zdrinit]
 
R0 fasttrak;fasttrak;C:\WINNT\system32\DRIVERS\fasttrak.sys [2002-11-07 14:07]
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" [2007-08-24 23:07]
R2 NkPtpEnumP2;NkPtpEnumP2;"C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe" -a []
R2 NMSSvc;Intel(R) NMS;C:\WINNT\System32\NMSSvc.exe [2002-05-03 10:36]
R3 NMSCFG;NIC Management Service Configuration Driver;C:\WINNT\system32\drivers\NMSCFG.SYS [2002-05-03 10:36]
R3 SymIMMP;SymIMMP;C:\WINNT\system32\DRIVERS\SymIM.sys [2007-08-09 18:27]
R3 VBus;Virtual Bus;C:\WINNT\system32\DRIVERS\NkVBus.sys [2005-06-17 10:11]
S3 COH_Mon;COH_Mon;C:\WINNT\system32\Drivers\COH_Mon.sys [2008-01-12 18:32]
S3 PCDRDRV;Pcdr Helper Driver;C:\Atf\Qctest\PCDoc\PCDRDRV.sys []
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINNT\system32\DRIVERS\SymIM.sys [2007-08-09 18:27]
 
*Newly Created Service* - COMHOST
*Newly Created Service* - NMSCFG
*Newly Created Service* - NMSSVC
.
Contents of the 'Scheduled Tasks' folder
"2008-02-02 18:06:00 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-05 19:18:47 C:\WINNT\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-02-05 03:01:08 C:\WINNT\Tasks\Norton Internet Security - Run Full System Scan - Owner.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
"2008-02-05 19:16:33 C:\WINNT\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-01-31 10:46:32 C:\WINNT\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2005-12-24 21:45:34 C:\WINNT\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
.
**************************************************************************
 
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-05 14:00:40
Windows 5.1.2600 Service Pack 2 NTFS
 
scanning hidden processes ... 
 
scanning hidden autostart entries ...
 
scanning hidden files ... 
 
scan completed successfully 
hidden files: 0 
 
**************************************************************************
.
Completion time: 2008-02-05 14:06:39
ComboFix-quarantined-files.txt  2008-02-05 20:06:33
.
2008-02-01 18:24:21	--- E O F ---  

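As an added example, not part of this thread and not code from HijackThis or ComboFix: the logs above carry three tells that an experienced reader keys on before anything else. The O20 Winlogon Notify entry `byxxuuv` points at `C:\WINNT\` with no DLL name (the DLL, which ComboFix later removed from system32, was being hidden from or deleted under the registry key that still loads it at logon). Several O23 services end in `(file missing)`. And the ComboFix block lists `avgcc .exe` and `iTunesHelper .exe`, a space before the extension, which is the renamed original sitting beside an infected copy, the file-infector behaviour described earlier in the thread. The script below encodes those three checks as heuristics over HijackThis/ComboFix-format lines. The sample lines are constructed in the format of the posted log; the `xbflvmcu` O20 line is made up to exercise the weaker "random-looking DLL in system32" check (the real log shows that name only as a deleted file), and the heuristics themselves are my assumptions, not a published signature set.

```python
"""Triage HijackThis/ComboFix-style log lines for the Vundo tells seen above.

Added example, not part of the original thread and not code from HijackThis
or ComboFix. The heuristics are assumptions encoded from what the posted
logs show, not a published signature set; treat hits as leads, not verdicts.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the format of the posted log. byxxuuv and xbflvmcu are
# the DLL names ComboFix removed above; the xbflvmcu O20 line is made up to
# exercise the weaker heuristic (the real log had it only as a deleted file).
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: byxxuuv - C:\WINNT\
O20 - Winlogon Notify: xbflvmcu - C:\WINNT\system32\xbflvmcu.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
----a-w           579,072 2008-01-22 18:03:54  C:\Program Files\Grisoft\AVG7\avgcc .exe
"""

WINLOGON_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
FILE_MISSING_RE = re.compile(r"\(file missing\)\s*$")
# "avgcc .exe": the original renamed with a space before its extension, sitting
# next to an infected copy that carries the original name (ComboFix RenV block).
SPACE_BEFORE_EXT_RE = re.compile(r"\S \.(?:exe|dll)\b", re.IGNORECASE)
# All-lowercase, 6-9 letter DLL basename: weak indicator of a random drop name.
RANDOM_BASENAME_RE = re.compile(r"[a-z]{6,9}\.dll")


@dataclass
class Finding:
    code: str
    line: str
    note: str


def _basename(path: str) -> str:
    return path.rstrip().rsplit("\\", 1)[-1]


def triage(log_text: str) -> list[Finding]:
    """Return at most one Finding per suspicious line, strongest check first."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = WINLOGON_RE.match(line)
        if m:
            path = m.group("path").strip()
            if path.endswith("\\"):
                # Key names a directory only: the DLL is hidden from the scanner
                # or already gone, while Winlogon still loads the key at logon.
                findings.append(Finding("winlogon-notify-no-dll", line,
                                        "Winlogon Notify key without a DLL name"))
            elif ("\\system32\\" in path.lower()
                  and RANDOM_BASENAME_RE.fullmatch(_basename(path))):
                findings.append(Finding("winlogon-notify-random-dll", line,
                                        "random-looking DLL in system32 loaded by Winlogon"))
            continue
        if FILE_MISSING_RE.search(line):
            findings.append(Finding("file-missing", line,
                                    "registered binary no longer on disk"))
        elif SPACE_BEFORE_EXT_RE.search(line):
            findings.append(Finding("renamed-original", line,
                                    "space before extension: renamed original beside infected copy"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.note}\n    {f.line}")
```

Run it against a saved HijackThis or ComboFix log by reading the file into `triage()`. The `file-missing` hits are not malicious by themselves (here they are the half-uninstalled Symantec services from the earlier AVG/Norton swap), but they belong in the same review because a file infector that trashes startup binaries produces exactly that symptom; the `WgaLogon` line is included to show that a legitimate notify package passes.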

Thanks to these fine "experts" and their knowledge, patience, and clear and concise instructions. The system appears clean and is running quite smoothly. I greatly appreciate all the help and this web site! Regards, Greg
You're welcome.

glad I could help :)
Hi all.  It looks like I just got this vundo virus, or at least I just realized that I have it, so I now need to get rid of it.  Question I have is how do you guys know what to get rid of?
bmkiss67,

You will have to open a new question regarding this, as this question is closed and the points have already been awarded. This also keeps this thread from having too many different problems in it; that way everyone gets individual help for their issue. Experts also won't pay attention to this since it is closed.
bmkiss67 - please post a new question of your own - giving all of the details of your OS/System/symptoms.


Vee_Mod
Experts Exchange Moderator