Tech Support Forum, Security Center, HijackThis Log Help: Resolved HJT Threads (resolved spyware and popup issues)

03-19-2007, 02:59 PM   #1
Registered User (Join Date: Aug 2006; Posts: 47; OS: Windows Vista Home Premium)

Need help with malware, virus, spyware problem.

Hi, I'm thinking there are probably posts out there that are similar in some way, shape or form to my problem, but I'm not terribly tech-savvy and I was hoping someone might be able to guide me through this step-by-step. Fixes all seemed to involve registry editing and I don't want to go messing around in there on a guess.

Anyhow, I downloaded a file the other night (which I thought was harmless) but immediately after I started to have problems. At the moment I am unable to successfully open Task Manager, SpyBot, HiJackThis (and I'm sure other things of that nature I haven't thought to try just yet). In addition, I am unable to even load webpages that might have anything to do with fixing what malware/spyware/virus I suspect is on my computer. It seems as though it knows what I'm looking for. I am able to load other pages (eBay, google, anything NOT to do with this problem) and my Internet Explorer Home Page has also been "hijacked" and I cannot change it.

I'm hoping someone can give me a hand to figure out what's up. I have already run Trend Micro Housecall, but it's been working on and off for me, and each time I try and restart it finds different things. I can't seem to get any other online scans to go (webpage closes automatically). I renamed HiJackThis to HJT and managed to click on it enough times to finally get it to do a scan and save a log before closing. I will post it below.

Thanks in advance to anyone who can help. I've got another computer in the house I'm doing the posting from as this one is not infected. Oh, and also, please let me know if I should be posting this elsewhere.
stephmw
03-19-2007, 03:00 PM   #2
Registered User (Join Date: Aug 2006; Posts: 47; OS: Windows Vista Home Premium)

Re: Need help with malware, virus, spyware problem.

Logfile of HijackThis v1.99.1
Scan saved at 3:43:34 PM, on 19/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\iexplorer.exe
C:\Program Files\Common Files\{00700D63-0765-4105-1129-020603020002}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\Stephanie\My Documents\Downloads\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freewebportal.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.2\SetHook.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\iexplorer.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://fulfillment.puretracks.com/onager.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1157425519949
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/ca...ail/DASAct.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000478 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
stephmw
03-19-2007, 10:45 PM   #3
Assistant Manager, TSF Academy; Moderator/Analyst Security Team (Join Date: Jan 2005; Location: Ohio; Posts: 20,048; OS: WinXP and Vista)

Re: Need help with malware, virus, spyware problem.

Hello stephmw and welcome to TSF,

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop** Do not run it yet.

---------------------------------------------------------------

Download SDFix and save it to your Desktop. Double click SDFix.exe and it will extract the files to %systemdrive% -(Drive that contains the Windows Directory, typically C:\SDFix)

---------------------------------------------------------------

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt

---------------------------------------------------------------

From Normal Mode:

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you located at C:\ComboFix.txt. I'll need that in your next reply.

Note:
Do not mouse-click ComboFix's window while it's running; that may cause it to stall.


--------------------------------------------------------------------

Try again to perform an online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


--------------------------------------------------------------------

Run a new scan with HijackThis and save the log.

--------------------------------------------------------------------

Please include the following in your next reply:

C:\SDFix\Report.txt
Panda results
C:\ComboFix.txt
New HijackThis log
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried
03-20-2007, 03:15 AM   #4
Registered User (Join Date: Aug 2006; Posts: 47; OS: Windows Vista Home Premium)

Re: Need help with malware, virus, spyware problem.

Hi Ried, thanks very much for your help (and for explaining things so well).
Here are my results:

SDFix Report:

SDFix: Version 1.73

Run by Stephanie - 20/03/2007 - 3:52:16.79

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
Client IP-IPX

Path:
"C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000478

Client IP-IPX Deleted


Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\IEXPLORER.exe - Deleted
C:\WINDOWS\system32\unsvchosts.exe - Deleted



ADS Check:

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes :

C:\Documents and Settings\Stephanie\Application Data\??crosoft\d?dplay.exe
C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\WINDOWS\system32\s?stem\tracert.exe
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
C:\Documents and Settings\Stephanie\My Documents\ASMR\Fighting the Tide\~WRL0078.tmp

Finished

ComboFix Results:

"Stephanie" - 07-03-20 4:00:40 Service Pack 2
ComboFix 07-03-20.2 - Running from: "C:\Documents and Settings\Stephanie\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\uninstall_nmon.vbs
C:\Program Files\network monitor\netmon.exe
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
C:\Program Files\Common Files\{00700~1
C:\Program Files\Common Files\{30700~1
C:\Program Files\inetget2
C:\Program Files\ipwindows
C:\Program Files\network monitor
C:\Program Files\outerinfo
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\DOCUME~1
C:\qoobox\purity\DOCUME~1\STEPHA~1
C:\qoobox\purity\DOCUME~1\STEPHA~1\APPLIC~1
C:\qoobox\purity\DOCUME~1\STEPHA~1\MYDOCU~1
C:\qoobox\purity\DOCUME~1\STEPHA~1\APPLIC~1\CROSOF~1
C:\qoobox\purity\DOCUME~1\STEPHA~1\APPLIC~1\from.txt
C:\qoobox\purity\DOCUME~1\STEPHA~1\APPLIC~1\CROSOF~1\d?dplay.exe
C:\qoobox\purity\DOCUME~1\STEPHA~1\MYDOCU~1\from.txt
C:\qoobox\purity\DOCUME~1\STEPHA~1\MYDOCU~1\SSTEM3~1
C:\qoobox\purity\WINDOWS\system32\SSTEM~1
C:\qoobox\purity\WINDOWS\system32\SSTEM~1\s?stem
C:\qoobox\purity\WINDOWS\system32\SSTEM~1\tracert.exe


((((((((((((((((((((((((((((((( Files Created from 2007-02-20 to 2007-03-20 ))))))))))))))))))))))))))))))))))


2007-03-19 15:44 60,928 --a------ C:\WINDOWS\system32\izfbt.dll
2007-03-19 08:51 <DIR> d--h----- C:\WINDOWS\system32\vidmon
2007-03-19 08:51 <DIR> d--h----- C:\WINDOWS\system32\nfomon
2007-03-19 08:51 <DIR> d--h----- C:\Program Files\Common Files\Uninstall Information
2007-03-19 08:51 <DIR> d--h----- C:\DOCUME~1\ALLUSE~1\APPLIC~1\vidmon
2007-03-19 08:51 <DIR> d--h----- C:\DOCUME~1\ALLUSE~1\APPLIC~1\nfo
2007-03-19 08:19 <DIR> d-------- C:\Program Files\PeDevice
2007-03-19 03:52 <DIR> d-------- C:\WINDOWS\pss
2007-03-19 03:08 <DIR> d--hs---- C:\WINDOWS\U3RlcGhhbmllIFdhcmQ
2007-03-19 02:11 <DIR> d-------- C:\DOCUME~1\STEPHA~1\.housecall6.6
2007-03-19 01:44 2 --a------ C:\WINDOWS\system32\wtsisvit.exe
2007-03-19 01:42 <DIR> d-------- C:\Program Files\Download Plugin
2007-03-14 01:17 <DIR> d-------- C:\DOCUME~1\STEPHA~1\APPLIC~1\Opera
2007-03-08 18:05 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-03-07 02:41 <DIR> d-------- C:\Program Files\iTunes
2007-03-07 02:38 <DIR> d-------- C:\Program Files\QuickTime
2007-02-23 04:32 <DIR> d-------- C:\DOCUME~1\STEPHA~1\APPLIC~1\DivX
2007-02-22 22:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-02-22 21:02 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-02-22 21:01 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-02-22 14:50 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-02-22 14:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe Systems
2007-02-22 14:30 <DIR> d-------- C:\Program Files\PowerISO
2007-02-22 12:25 <DIR> d-------- C:\Program Files\Apple Software Update
2007-02-22 12:20 <DIR> d-------- C:\DOCUME~1\STEPHA~1\APPLIC~1\OfficeUpdate12
2007-02-22 12:11 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-02-22 12:11 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-02-22 12:11 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-02-22 12:11 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-02-22 12:11 116,472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-02-22 11:47 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-02-22 11:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-19 15:44 2 --a------ C:\WINDOWS\system32\wtsisvit.exe
2007-03-19 13:30 60928 --a------ C:\WINDOWS\system32\izfbt.dll
2007-03-19 09:25 -------- d-------- C:\Program Files\pedevice
2007-03-19 08:51 -------- d--h----- C:\Program Files\Common Files\uninstall information
2007-03-19 01:42 -------- d-------- C:\Program Files\download plugin
2007-03-14 01:17 -------- d-------- C:\DOCUME~1\STEPHA~1\APPLIC~1\opera
2007-03-11 04:45 -------- d-------- C:\DOCUME~1\STEPHA~1\APPLIC~1\utorrent
2007-03-07 02:42 -------- d-------- C:\Program Files\itunes
2007-03-07 02:42 -------- d-------- C:\Program Files\ipod
2007-03-07 02:39 -------- d-------- C:\Program Files\quicktime
2007-03-01 04:12 -------- d-------- C:\Program Files\dc++
2007-02-23 04:32 -------- d-------- C:\DOCUME~1\STEPHA~1\APPLIC~1\divx
2007-02-22 21:02 -------- d-------- C:\Program Files\windows media connect 2
2007-02-22 15:53 -------- d--h----- C:\Program Files\installshield installation information
2007-02-22 15:52 -------- d-------- C:\Program Files\Common Files\installshield
2007-02-22 14:30 -------- d-------- C:\Program Files\poweriso
2007-02-22 12:34 -------- d-------- C:\DOCUME~1\STEPHA~1\APPLIC~1\officeupdate12
2007-02-22 12:11 -------- d-------- C:\Program Files\divx
2007-02-21 16:00 -------- d-------- C:\Program Files\Common Files\ahead
2007-02-21 14:04 -------- d-------- C:\DOCUME~1\STEPHA~1\APPLIC~1\ahead
2007-01-31 23:56 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-01-31 23:56 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-01-31 23:56 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-01-31 23:56 639066 --a------ C:\WINDOWS\system32\divx.dll
2007-01-31 16:27 524288 --a------ C:\WINDOWS\system32\divxsm.exe
2007-01-30 18:15 118784 --a------ C:\WINDOWS\system32\divxcodecupdatechecker.exe
2007-01-30 00:03 36624 --------- C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-01-30 00:03 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-01-30 00:03 2560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-01-30 00:03 2432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-01-30 00:03 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-01-30 00:03 129784 --------- C:\WINDOWS\system32\pxafs.dll
2007-01-30 00:03 118520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-01-30 00:03 116472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-01-30 00:03 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-01-29 23:56 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-01-29 23:56 593920 --a------ C:\WINDOWS\system32\dpugui11.dll
2007-01-29 23:56 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-01-29 23:56 53248 --a------ C:\WINDOWS\system32\dpugui10.dll
2007-01-29 23:56 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-01-29 23:56 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-01-29 23:56 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-01-29 23:56 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-01-20 02:11 31644 --a------ C:\WINDOWS\system32\drivers\scdemu.sys
2007-01-17 10:43 16 --a------ C:\WINDOWS\popcinfo.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
"Rmdc"="\"C:\\WINDOWS\\system32\\SSTEM~1\\tracert.exe\" -vt yazb"
"Cgojkle"="\"C:\\Documents and Settings\\Stephanie\\Application Data\\??crosoft\\d?dplay.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"MediaFace Integration"="C:\\Program Files\\Fellowes\\MediaFACE 4.2\\SetHook.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"PWRISOVM.EXE"="C:\\Program Files\\PowerISO\\PWRISOVM.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-20 4:02:15

New HijackThis Report:

Logfile of HijackThis v1.99.1
Scan saved at 421 AM, on 20/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\SSTEM~1\tracert.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\iexplorer.exe
C:\Documents and Settings\Stephanie\My Documents\Downloads\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freewebportal.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {35E3AA41-6A82-7F30-A341-6BE33DECAA9C} - C:\WINDOWS\system32\izfbt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.2\SetHook.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\iexplorer.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Rmdc] "C:\WINDOWS\system32\SSTEM~1\tracert.exe" -vt yazb
O4 - HKCU\..\Run: [Cgojkle] "C:\Documents and Settings\Stephanie\Application Data\??crosoft\d?dplay.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://fulfillment.puretracks.com/onager.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1157425519949
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/ca...ail/DASAct.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

____

I was unable to run Panda's ActiveScan. Whatever is on my computer won't allow the window to remain open (just as with Task Manager, HijackThis, etc). Is there something else I might try so that I can produce a scan log?

Thanks again.
Old 03-20-2007, 11:13 AM   #5 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 20,048
OS: WinXP and Vista


Re: Need help with malware, virus, spyware problem.

Hi,

Those 2 tools knocked out the majority of 'junk' on this system. Before I can continue I need to clarify something. I'm seeing entries in your HijackThis log that show as having been removed by the tools. Did you run the HijackThis scan after you ran the final ComboFix.exe?

Please run another scan with HijackThis and post the log here.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 03-21-2007, 07:23 AM   #6 (permalink)
Registered User
 
Join Date: Aug 2006
Posts: 47
OS: Windows Vista Home Premium


Re: Need help with malware, virus, spyware problem.

I did indeed run HijackThis after Combo Fix, but I will run again for you.

Logfile of HijackThis v1.99.1
Scan saved at 8:17:54 AM, on 21/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\iexplorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Stephanie\My Documents\Downloads\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freewebportal.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {35E3AA41-6A82-7F30-A341-6BE33DECAA9C} - C:\WINDOWS\system32\izfbt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.2\SetHook.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\iexplorer.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Rmdc] "C:\WINDOWS\system32\SSTEM~1\tracert.exe" -vt yazb
O4 - HKCU\..\Run: [Cgojkle] "C:\Documents and Settings\Stephanie\Application Data\??crosoft\d?dplay.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://fulfillment.puretracks.com/onager.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1157425519949
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/ca...ail/DASAct.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
Old 03-21-2007, 08:43 AM   #7 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 20,048
OS: WinXP and Vista


Re: Need help with malware, virus, spyware problem.

Hiya,

Thanks.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the sequence listed below.

***************************************************

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

--------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. 'Check' the following entries:

O2 - BHO: (no name) - {35E3AA41-6A82-7F30-A341-6BE33DECAA9C} - C:\WINDOWS\system32\izfbt.dll
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\iexplorer.exe
O4 - HKCU\..\Run: [Rmdc] "C:\WINDOWS\system32\SSTEM~1\tracert.exe" -vt yazb
O4 - HKCU\..\Run: [Cgojkle] "C:\Documents and Settings\Stephanie\Application Data\??crosoft\d?dplay.exe"


Click 'Fix Checked' and close HijackThis.

--------------------------------------------------------------------

Run SDFix once again:

Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt. I'll need that in your next reply.
--------------------------------------------------------------------

You should now be in Normal Mode. Please run ComboFix.exe again:

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.


Post the ComboFix.txt in your next reply.

--------------------------------------------------------------------

Now try to run an online scan at Panda:

Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


--------------------------------------------------------------------

Run a new scan with HijackThis and save the log.

--------------------------------------------------------------------

Please include the following in your next reply:

C:\SDFix\Report.txt
C:\ComboFix.txt
Panda results
New HijackThis log
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 03-21-2007, 10:28 AM   #8 (permalink)
Registered User
 
Join Date: Aug 2006
Posts: 47
OS: Windows Vista Home Premium


Re: Need help with malware, virus, spyware problem.

Okay, I'm doing everything now. I have to view this forum on my other computer (which I am using now) as whatever has infected my computer will not allow me to open any tech support pages. I wanted to ask (I don't really know anything about HijackThis) about the entry:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freewebportal.net/

The freewebportal thing is not my usual homepage, and it is something I am now unable to change when I try to reset my homepage in IE. This only came about after my computer got infected, so is that something that should be fixed/deleted?
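The entries the analyst picked out of the HijackThis log in the previous post, and the R0 start-page entry the poster asks about here, can be triaged mechanically. The script below is an added example written for this thread; it is not part of the original posts and is not HijackThis, SDFix, ComboFix or any TSF tool. It parses HijackThis 1.99-style log lines (the sample input is copied from the log posted above) and flags what a log reviewer looks for: names containing characters HijackThis could not render (shown as `?`), system utilities running from the wrong directory, file names one character away from a system binary, and browser helper objects with no name. The start page (R0) and the IE policy restriction (O6) are reported as items to verify rather than fix, since only the user knows whether they chose that home page. The `SYSTEM_BINARIES` table is an assumption of this example (a handful of Windows XP binaries and their standard locations), not a database HijackThis ships with.

```python
"""Triage HijackThis 1.99 log entries with the heuristics a reviewer applies.

Added example for this thread; not HijackThis code. SYSTEM_BINARIES is an
assumed, deliberately small table of XP binaries and their usual directories.
"""
import re
from typing import Dict, List, Optional

# Constructed sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freewebportal.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {35E3AA41-6A82-7F30-A341-6BE33DECAA9C} - C:\WINDOWS\system32\izfbt.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\iexplorer.exe
O4 - HKCU\..\Run: [Rmdc] "C:\WINDOWS\system32\SSTEM~1\tracert.exe" -vt yazb
O4 - HKCU\..\Run: [Cgojkle] "C:\Documents and Settings\Stephanie\Application Data\??crosoft\d?dplay.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""

# Assumed table: where these Windows XP binaries legitimately live (lower-cased).
SYSTEM_BINARIES = {
    "explorer.exe": r"c:\windows",
    "iexplore.exe": r"c:\program files\internet explorer",
    "tracert.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "ctfmon.exe": r"c:\windows\system32",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot near-miss names such as iexplorer.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_win_path(path: str):
    """Split on backslash explicitly so this also works on a non-Windows host."""
    directory, _, name = path.rpartition("\\")
    return directory.lower(), name.lower()


def check_path(path: str) -> List[str]:
    """Reasons an executable path looks wrong; empty list if nothing stands out."""
    reasons = []
    if "?" in path:
        # HijackThis prints '?' for characters outside the ANSI code page, so a
        # directory shown as '??crosoft' is a look-alike name, not 'Microsoft'.
        reasons.append("path contains characters HijackThis could not render ('?'): look-alike name")
    directory, name = split_win_path(path)
    if name in SYSTEM_BINARIES:
        if directory != SYSTEM_BINARIES[name]:
            reasons.append(f"{name} runs from {directory!r}, not its usual {SYSTEM_BINARIES[name]!r}")
    else:
        for known in SYSTEM_BINARIES:
            if edit_distance(name, known) == 1:
                reasons.append(f"{name} is one character away from the system binary {known}")
                break
    return reasons


def analyze_line(line: str) -> Optional[Dict[str, object]]:
    """Return {'level': 'fix' | 'verify', 'reasons': [...]} or None if unremarkable."""
    section, _, rest = line.partition(" - ")
    fix: List[str] = []
    verify: List[str] = []
    if section == "O4":
        # O4 - <hive>\..\Run: [name] "path" args   (path may be unquoted)
        m = re.search(r'\[[^\]]*\]\s+(?:"([^"]+)"|(\S+))', rest)
        if m:
            fix += check_path(m.group(1) or m.group(2))
    elif section == "O2":
        # O2 - BHO: <name> - {CLSID} - <dll path>
        body = rest[len("BHO: "):] if rest.startswith("BHO: ") else rest
        name, _, remainder = body.partition(" - ")
        if name.strip() == "(no name)":
            fix.append("browser helper object registered without a name")
        fix += check_path(remainder.rpartition(" - ")[2])
    elif section == "R0":
        _, _, value = rest.partition(" = ")
        verify.append(f"IE start page is {value}; confirm the user chose it")
    elif section == "O6":
        verify.append("IE Options are restricted by policy; legitimate only if an administrator set it")
    if fix:
        return {"level": "fix", "reasons": fix}
    if verify:
        return {"level": "verify", "reasons": verify}
    return None


def scan_log(text: str) -> Dict[str, Dict[str, object]]:
    """Map each flagged log line to its level and reasons."""
    findings = {}
    for raw in text.strip().splitlines():
        line = raw.strip()
        result = analyze_line(line) if line else None
        if result:
            findings[line] = result
    return findings


def entries_to_fix(text: str) -> List[str]:
    """Only the lines a reviewer would tell the user to 'Fix checked'."""
    return [line for line, r in scan_log(text).items() if r["level"] == "fix"]


if __name__ == "__main__":
    for line, r in scan_log(SAMPLE_LOG).items():
        print(f"[{str(r['level']).upper()}] {line}")
        for why in r["reasons"]:
            print(f"         - {why}")
```

Run against the sample, the four entries the analyst listed come back as `fix` and the Adobe BHO and iTunesHelper entries are left alone; the start page and the O6 policy line come back as `verify`. The heuristics are intentionally narrow: a file that is not in the table and not a near-miss of one will pass, so this is a first-pass filter for a human reviewer, not a verdict.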
Old 03-21-2007, 10:53 AM   #9 (permalink)
Registered User
 
Join Date: Aug 2006
Posts: 47
OS: Windows Vista Home Premium


Re: Need help with malware, virus, spyware problem.

Hi there. Once again, I'm still unable to get Panda's ActiveScan to open and work (infection automatically shuts the window). All I have for you are the log files from SDFix, Combofix and HijackThis. I thank you for your continued effort.

SDFix:


SDFix: Version 1.73

Run by Stephanie - 21/03/2007 - 11:22:24.44

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\IEXPLORER.exe - Deleted



ADS Check:

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes :

C:\qoobox\purity\DOCUME~1\STEPHA~1\APPLIC~1\CROSOF~1\d?dplay.exe
C:\qoobox\purity\WINDOWS\system32\SSTEM~1\tracert.exe
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
C:\Documents and Settings\Stephanie\My Documents\ASMR\Fighting the Tide\~WRL0078.tmp

Finished

Combofix:

"Stephanie" - 07-03-21 11:32:00 Service Pack 2
ComboFix 07-03-21.3 - Running from: "C:\Documents and Settings\Stephanie\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\DOCUME~1
C:\qoobox\purity\DOCUME~1\STEPHA~1
C:\qoobox\purity\DOCUME~1\STEPHA~1\APPLIC~1
C:\qoobox\purity\DOCUME~1\STEPHA~1\MYDOCU~1
C:\qoobox\purity\DOCUME~1\STEPHA~1\APPLIC~1\CROSOF~1
C:\qoobox\purity\DOCUME~1\STEPHA~1\APPLIC~1\from.txt
C:\qoobox\purity\DOCUME~1\STEPHA~1\APPLIC~1\CROSOF~1\d?dplay.exe
C:\qoobox\purity\DOCUME~1\STEPHA~1\MYDOCU~1\from.txt
C:\qoobox\purity\DOCUME~1\STEPHA~1\MYDOCU~1\SSTEM3~1
C:\qoobox\purity\WINDOWS\system32\SSTEM~1
C:\qoobox\purity\WINDOWS\system32\SSTEM~1\s?stem
C:\qoobox\purity\WINDOWS\system32\SSTEM~1\tracert.exe


((((((((((((((((((((((((((((((( Files Created from 2007-02-21 to 2007-03-21 ))))))))))))))))))))))))))))))))))


2007-03-19 08:51 <DIR> d--h----- C:\Program Files\Common Files\Uninstall Information
2007-03-19 08:19 <DIR> d-------- C:\Program Files\PeDevice
2007-03-19 03:52 <DIR> d-------- C:\WINDOWS\pss
2007-03-19 03:08 <DIR> d--hs---- C:\WINDOWS\U3RlcGhhbmllIFdhcmQ
2007-03-19 02:11 <DIR> d-------- C:\DOCUME~1\STEPHA~1\.housecall6.6
2007-03-19 01:44 2 --a------ C:\WINDOWS\system32\wtsisvit.exe
2007-03-19 01:42 <DIR> d-------- C:\Program Files\Download Plugin
2007-03-14 01:17 <DIR> d-------- C:\DOCUME~1\STEPHA~1\APPLIC~1\Opera
2007-03-08 18:05 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-03-07 02:41 <DIR> d-------- C:\Program Files\iTunes
2007-03-07 02:38 <DIR> d-------- C:\Program Files\QuickTime
2007-02-23 04:32 <DIR> d-------- C:\DOCUME~1\STEPHA~1\APPLIC~1\DivX
2007-02-22 22:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-02-22 21:02 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-02-22 21:01 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-02-22 14:50 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-02-22 14:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe Systems
2007-02-22 14:30 <DIR> d-------- C:\Program Files\PowerISO
2007-02-22 12:25 <DIR> d-------- C:\Program Files\Apple Software Update
2007-02-22 12:20 <DIR> d-------- C:\DOCUME~1\STEPHA~1\APPLIC~1\OfficeUpdate12
2007-02-22 12:11 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-02-22 12:11 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-02-22 12:11 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-02-22 12:11 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-02-22 12:11 116,472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-02-22 11:47 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-02-22 11:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-11 04:45 -------- d-------- C:\DOCUME~1\STEPHA~1\APPLIC~1\utorrent
2007-03-07 02:42 -------- d-------- C:\Program Files\ipod
2007-03-01 04:12 -------- d-------- C:\Program Files\dc++
2007-02-22 15:53 -------- d--h----- C:\Program Files\installshield installation information
2007-02-22 15:52 -------- d-------- C:\Program Files\Common Files\installshield
2007-02-22 12:11 -------- d-------- C:\Program Files\divx
2007-02-21 16:00 -------- d-------- C:\Program Files\Common Files\ahead
2007-02-21 14:04 -------- d-------- C:\DOCUME~1\STEPHA~1\APPLIC~1\ahead
2007-01-31 23:56 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-01-31 23:56 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-01-31 23:56 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-01-31 23:56 639066 --a------ C:\WINDOWS\system32\divx.dll
2007-01-31 16:27 524288 --a------ C:\WINDOWS\system32\divxsm.exe
2007-01-30 18:15 118784 --a------ C:\WINDOWS\system32\divxcodecupdatechecker.exe
2007-01-30 00:03 36624 --------- C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-01-30 00:03 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-01-30 00:03 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-01-30 00:03 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-01-29 23:56 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-01-29 23:56 593920 --a------ C:\WINDOWS\system32\dpugui11.dll
2007-01-29 23:56 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-01-29 23:56 53248 --a------ C:\WINDOWS\system32\dpugui10.dll
2007-01-29 23:56 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-01-29 23:56 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-01-29 23:56 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-01-29 23:56 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-01-17 10:43 16 --a------ C:\WINDOWS\popcinfo.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"MediaFace Integration"="C:\\Program Files\\Fellowes\\MediaFACE 4.2\\SetHook.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"PWRISOVM.EXE"="C:\\Program Files\\PowerISO\\PWRISOVM.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job


********************************************************************

catchme 0.2 W