Tech Support Forum > Security Center > HijackThis Log Help > Resolved HJT Threads
Old 12-26-2007, 01:26 PM   #21 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs
 
Join Date: May 2005
Posts: 21,354
OS: XP


Re: hijack log check please

Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan
sUBs is offline  
Old 12-26-2007, 03:02 PM   #22 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 50
OS: XP pro 2002 service pack 2


Re: hijack log check please

I am currently running the Kaspersky scanner. Are you still going to send me instructions on how to fix up the spaces prior to dots that you found in my last scans, e.g. ComboFix etc.? Will post the Kaspersky log when it's done; it has found 1 virus and 4 infected objects so far, 5 minutes into it.
Thanks a lot
lyric39
lyric39 is offline  
Old 12-26-2007, 05:09 PM   #23 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 50
OS: XP pro 2002 service pack 2


Re: hijack log check please

KASPERSKY ONLINE SCANNER REPORT
Thursday, December 27, 2007 11:04:56 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 26/12/2007
Kaspersky Anti-Virus database records: 494953


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
P:\

Scan Statistics
Total number of scanned objects 42453
Number of viruses found 4
Number of infected objects 20
Number of suspicious objects 0
Duration of the scan process 01:43:54

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12252007-112537.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02540000.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.clc skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09100000.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.clc skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F0C0000.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.clc skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F100000.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.clc skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\lynda\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\lynda\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\lynda\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\lynda\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{893D9129-F537-4BEC-B274-641DF5B65345} Object is locked skipped

C:\Documents and Settings\lynda\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\lynda\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\lynda\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\lynda\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\lynda\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped

C:\Program Files\hijack this\backups\backup-20071223-202207-723.dll Infected: Trojan.Win32.Obfuscated.mi skipped

C:\Program Files\hijack this\backups\backup-20071223-203656-889.dll Infected: Trojan.Win32.Obfuscated.mi skipped

C:\Program Files\Symantec AntiVirus\SAVRT\0144NAV~.TMP Object is locked skipped

C:\qoobox\Quarantine\C\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped

C:\qoobox\Quarantine\C\Program Files\Common Files\Real\Update_OB\realsched.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped

C:\qoobox\Quarantine\C\Program Files\Common Files\Symantec Shared\ccApp.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped

C:\qoobox\Quarantine\C\Program Files\Fsotegei\iyeqixjp.dll.vir Infected: Trojan.Win32.Obfuscated.mi skipped

C:\qoobox\Quarantine\C\Program Files\Java\jre1.6.0_03\bin\jusched.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped

C:\qoobox\Quarantine\C\Program Files\Mcqkygov\wzlepndl.dll.vir Infected: Trojan.Win32.Obfuscated.mi skipped

C:\qoobox\Quarantine\C\Program Files\SYMANT~1\VPTray.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped

C:\qoobox\Quarantine\C\Program Files\Windows Defender\MSASCui.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped

C:\qoobox\Quarantine\C\Program Files\Yjztzwso\apersewc.dll.vir Infected: Trojan.Win32.Obfuscated.mi skipped

C:\VundoFix Backups\hkcmd.exe.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped

C:\VundoFix Backups\igfxtray.exe.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped

C:\VundoFix Backups\NeroCheck.exe.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\GROOVEMONITOR.EXE Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{FED736DD-0475-4116-921E-B91B178A4E87}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped

C:\WINDOWS\system32\config\OSession.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\gebbbya.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cln skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
lyric39 is offline  
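The report above lists twenty hits, but most of them sit in the quarantine and backup folders of tools that already ran (ComboFix's qoobox, VundoFix Backups, HijackThis backups, Symantec's quarantine), and only one is a live file. This added example (not code from the thread) parses a constructed sample in the same format, makes that split automatically, and checks that the report's own statistics match the detail lines.

```python
"""Triage a Kaspersky Online Scanner report of the kind posted above.
Added example, not code from the thread: it separates hits inside other
tools' quarantine/backup stores from hits on live files and cross-checks
the declared statistics against the detail lines."""
import re
from collections import Counter

# One object per line: a path (which may contain spaces), then either
# "Infected: <verdict> <action>" or "Object is locked <action>".
INFECTED_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) Infected: (?P<verdict>\S+) (?P<action>\S+)$")
LOCKED_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) Object is locked (?P<action>\S+)$")
STAT_RE = re.compile(
    r"^Number of (?P<what>viruses found|infected objects|suspicious objects) (?P<n>\d+)$")

# Folders where earlier clean-up tools park what they already removed.
# A hit here is a stale copy to delete, not an active infection.
QUARANTINE_MARKERS = (
    "\\qoobox\\quarantine\\",                 # ComboFix
    "\\vundofix backups\\",                   # VundoFix
    "\\hijack this\\backups\\",               # HijackThis fix backups
    "\\symantec antivirus corporate edition\\7.5\\quarantine\\",
)

# Constructed sample in the report's format (not the full log posted above).
SAMPLE_REPORT = r"""
KASPERSKY ONLINE SCANNER REPORT
Scan Statistics
Total number of scanned objects 42453
Number of viruses found 4
Number of infected objects 5
Number of suspicious objects 0

Infected Object Name Virus Name Last Action
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02540000.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.clc skipped
C:\Program Files\hijack this\backups\backup-20071223-202207-723.dll Infected: Trojan.Win32.Obfuscated.mi skipped
C:\qoobox\Quarantine\C\Program Files\Fsotegei\iyeqixjp.dll.vir Infected: Trojan.Win32.Obfuscated.mi skipped
C:\VundoFix Backups\hkcmd.exe.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\WINDOWS\system32\gebbbya.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cln skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
Scan process completed.
"""


def parse_report(text):
    """Return (infected, locked, declared): infected holds dicts with
    path/verdict/action, locked the paths the scanner could not open,
    declared the counts from the Scan Statistics block."""
    infected, locked, declared = [], [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = INFECTED_RE.match(line)
        if m:
            infected.append(m.groupdict())
            continue
        m = LOCKED_RE.match(line)
        if m:
            locked.append(m.group("path"))
            continue
        m = STAT_RE.match(line)
        if m:
            declared[m.group("what")] = int(m.group("n"))
    return infected, locked, declared


def is_stale_copy(path):
    """True when the path lies inside a known quarantine or backup store."""
    lowered = path.lower()
    return any(marker in lowered for marker in QUARANTINE_MARKERS)


def triage(text):
    """Split detections into live files versus stale copies and check that
    the scanner's own statistics agree with the detail lines."""
    infected, locked, declared = parse_report(text)
    live = [e["path"] for e in infected if not is_stale_copy(e["path"])]
    stale = [e["path"] for e in infected if is_stale_copy(e["path"])]
    verdicts = Counter(e["verdict"] for e in infected)
    consistent = (declared.get("infected objects") == len(infected)
                  and declared.get("viruses found") == len(verdicts))
    return {"live": live, "stale_copies": stale, "locked": len(locked),
            "verdicts": verdicts, "header_consistent": consistent}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("live infections  :", result["live"])
    print("stale copies     :", len(result["stale_copies"]))
    print("locked (skipped) :", result["locked"])
    print("header consistent:", result["header_consistent"])
```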
Old 12-26-2007, 05:51 PM   #24 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 50
OS: XP pro 2002 service pack 2


Re: hijack log check please

Hi again, getting a new error message on boot up. It says:
this application failed to load msvcp70.dll and that reinstalling it might fix the application
lyric39
lyric39 is offline  
Old 12-27-2007, 12:04 AM   #25 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs
 
Join Date: May 2005
Posts: 21,354
OS: XP


Re: hijack log check please

Quote:
this application failed to load msvcp70.dll and that reinstalling it might fix the application
Your machine is probably missing the file - msvcp70.dll
You can download a copy from here - http://www.dll-files.com/dllindex/dl....shtml?msvcp70
Download the file & place it in this folder - C:\Windows\System32\


--------


Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

Code:
@echo off
REM Start from a clean log; anything that survives deletion is recorded here
if exist "%temp%\log.txt" del "%temp%\log.txt"

REM Files flagged in the Kaspersky report, plus the "VPTray .exe" lookalike
REM (del /a ignores hidden/system attributes, /f also removes read-only files, /q asks no questions)
for %%g in (
"C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02540000.VBN"
"C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09100000.VBN"
"C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F0C0000.VBN"
"C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F100000.VBN"
"C:\Program Files\hijack this\backups\backup-20071223-202207-723.dll"
"C:\Program Files\hijack this\backups\backup-20071223-203656-889.dll"
"C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\GROOVEMONITOR.EXE"
"C:\Program Files\Symantec AntiVirus\VPTray .exe"
"C:\WINDOWS\system32\gebbbya.dll"
) do (
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)

REM Quarantine and backup folders left behind by earlier tools (VundoFix, Deckard, ComboFix)
for %%g in (
"%systemdrive%\VundoFix Backups"
%systemdrive%\Deckard
%systemdrive%\Qoobox\Quarantine
) do (
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
REM Open the list of leftovers in Notepad, or report success
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

REM Pause about 7 seconds (nircmd.exe must be on the PATH), then delete this script itself
nircmd wait 7000
del %0
Save this as fix.bat. Choose "Save type as - All Files".
It should look like this:
Double click on fix.bat & allow it to run

Post back to tell me what it says


---------


Reboot the machine & let me know if there's still any more error messages
sUBs is offline  
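The "space before the dot" names that the fix script above targets ("VPTray .exe" next to the real VPTray.exe) can be picked out mechanically rather than by eye. This added example (not code from the forum) flags such names in a path listing and reports whether a legitimate twin sits in the same folder; the listing is constructed.

```python
"""Flag file names that carry whitespace before their extension, as in
"VPTray .exe" beside "VPTray.exe".  Added example, not code from the post.
Such a name is indistinguishable from the real one in most listings and the
stray space is easily lost when the path is retyped into a fix script."""
import ntpath
import re
from collections import defaultdict

# Stem ending in a non-space, whitespace, then a short extension.
SPACED_EXT_RE = re.compile(r"^(?P<stem>.*\S)\s+(?P<ext>\.[A-Za-z0-9]{1,4})$")

# Constructed listing: two spaced names, one with a legitimate twin beside it
# and one without.
SAMPLE_LISTING = [
    r"C:\Program Files\Symantec AntiVirus\VPTray .exe",
    r"C:\Program Files\Symantec AntiVirus\VPTray.exe",
    r"C:\Program Files\Symantec AntiVirus\Rtvscan.exe",
    r"C:\WINDOWS\system32\hkcmd .exe",
    r"C:\WINDOWS\system32\gebbbya.dll",
]


def flag_spaced_names(paths):
    """Return [(suspect_path, twin_name_or_None)] for every file whose name
    has whitespace before its extension.  twin_name is the sibling that the
    name imitates, when such a sibling exists in the same folder."""
    # ntpath understands backslash paths on any host, so the check can be
    # run on a listing copied from a Windows machine.
    names_by_dir = defaultdict(set)
    for p in paths:
        folder, name = ntpath.split(p)
        names_by_dir[folder.lower()].add(name.lower())
    findings = []
    for p in paths:
        folder, name = ntpath.split(p)
        m = SPACED_EXT_RE.match(name)
        if not m:
            continue
        twin = m.group("stem") + m.group("ext")
        has_twin = twin.lower() in names_by_dir[folder.lower()]
        findings.append((p, twin if has_twin else None))
    return findings


if __name__ == "__main__":
    for suspect, twin in flag_spaced_names(SAMPLE_LISTING):
        note = f"imitates {twin}" if twin else "no legitimate twin in folder"
        print(f'"{suspect}"  <- {note}')
```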
Old 12-27-2007, 05:16 AM   #26 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 50
OS: XP pro 2002 service pack 2


Re: hijack log check please

Hi, I downloaded msvcp70.dll and put it where you said. No luck, still getting the same error. Will send the log you asked for shortly.
Thank you
lyric39
lyric39 is offline  
Old 12-27-2007, 06:24 AM   #27 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs
 
Join Date: May 2005
Posts: 21,354
OS: XP


Re: hijack log check please

Quote:
Hi again, getting a new error message on boot up. It says:
this application failed to load msvcp70.dll and that reinstalling it might fix the application
Kindly post the full error message.
sUBs is offline  
Old 12-28-2007, 03:46 PM   #28 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 50
OS: XP pro 2002 service pack 2


Re: hijack log check please

Error message:
This application has failed to start because MSVCR70.DLL was not found. Reinstalling the application may fix this problem.

Have reinstalled as per your instructions but it hasn't fixed the problem.
lyric39
lyric39 is offline  
Old 12-28-2007, 03:48 PM   #29 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 50
OS: XP pro 2002 service pack 2


Re: hijack log check please

@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (
"C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02540000.VBN"
"C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09100000.VBN"
"C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F0C0000.VBN"
"C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F100000.VBN"
"C:\Program Files\hijack this\backups\backup-20071223-202207-723.dll"
"C:\Program Files\hijack this\backups\backup-20071223-203656-889.dll"
"C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\GROOVEMONITOR.EXE"
"C:\Program Files\Symantec AntiVirus\VPTray .exe"
"C:\WINDOWS\system32\gebbbya.dll"
) do (
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)

for %%g in (
"%systemdrive%\VundoFix Backups"
%systemdrive%\Deckard
%systemdrive%\Qoobox\Quarantine
) do (
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

nircmd wait 7000
del %0
lyric39 is offline  
Old 12-28-2007, 03:55 PM   #30 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 50
OS: XP pro 2002 service pack 2


Re: hijack log check please

Hi again, have also renamed ":\Program Files\Symantec AntiVirus\VPTray .exe" as ":\Program Files\Symantec AntiVirus\VPTray.exe" with no space, but the log still shows it as having a space.

Last edited by lyric39 : 12-28-2007 at 03:56 PM.
lyric39 is offline  
Old 12-28-2007, 11:14 PM   #31 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs
 
Join Date: May 2005
Posts: 21,354
OS: XP


Re: hijack log check please

Quote:
Save this as fix.bat Choose to "Save type as - All Files"
It should look like this:
You appear to have done it incorrectly.

Does fix.bat look like this -->

If it does not look like that, kindly re-do the exercise.


---------


I would also like a fresh ComboFix + Hijackthis log
sUBs is offline  
Old 12-29-2007, 05:22 PM   #32 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 50
OS: XP pro 2002 service pack 2


Re: hijack log check please

Yes, the check.bat does look like that. Next I'll post the ComboFix and HijackThis logs, thank you.
lyric39
lyric39 is offline  
Old 12-29-2007, 05:30 PM   #33 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 50
OS: XP pro 2002 service pack 2


Re: hijack log check please

ComboFix 07-12-25.2 - lynda 2007-12-30 11:24:21.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.177 [GMT 11:00]
Running from: C:\Documents and Settings\lynda\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-30 )))))))))))))))))))))))))))))))
.

2007-12-29 09:36 . 2007-12-29 09:36 9,216 --ahs---- C:\WINDOWS\Thumbs.db
2007-12-27 14:29 . 2002-10-06 19:37 487,424 --a------ C:\WINDOWS\system32\msvcp.dll
2007-12-27 14:29 . 2002-10-06 19:37 487,424 --a------ C:\WINDOWS\system\MSVCP70.DLL
2007-12-27 08:21 . 2007-12-27 08:21 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-27 08:21 . 2007-12-27 08:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-26 18:11 . 2007-12-27 14:35 5,632 --ahs---- C:\WINDOWS\system32\Thumbs.db
2007-12-26 13:46 . 2007-12-26 13:47 <DIR> d-------- C:\Program Files\WinPcap
2007-12-25 11:14 . 2005-05-13 19:50 123,488 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-25 11:14 . 2005-05-13 19:50 91,856 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-24 09:44 . 2007-12-24 13:31 <DIR> d-------- C:\Program Files\PrevxCSI
2007-12-24 09:35 . 2007-12-24 09:36 <DIR> d-------- C:\Documents and Settings\lynda\Application Data\PrevxCSI
2007-12-24 09:35 . 2007-12-24 09:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-24 09:22 . 2007-12-27 07:02 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe
2007-12-24 09:22 . 2007-12-27 07:02 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2007-12-23 22:51 . 2007-12-23 22:51 <DIR> d-------- C:\Documents and Settings\lynda\Application Data\Uniblue
2007-12-23 20:05 . 2007-12-24 15:06 <DIR> d-------- C:\VundoFix Backups
2007-12-22 15:01 . 2007-12-25 11:54 <DIR> d-------- C:\Program Files\hijack this
2007-12-22 09:59 . 2007-12-25 11:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-21 18:50 . 2007-12-21 18:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-21 18:49 . 2007-12-21 18:49 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-21 18:41 . 2007-12-21 18:42 <DIR> d-------- C:\Documents and Settings\lynda\Application Data\AdwareAlert
2007-12-21 17:31 . 2007-12-21 19:03 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-12-21 08:20 . 2007-12-25 11:24 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-21 07:45 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-12-20 17:59 . 2007-12-23 19:52 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-12-20 17:59 . 2007-12-23 19:51 155,648 --a------ C:\WINDOWS\system32\igfxtray.exe
2007-12-20 17:59 . 2007-12-23 19:51 106,496 --a------ C:\WINDOWS\system32\hkcmd.exe
2007-12-20 17:48 . 2007-12-24 10:00 <DIR> d-------- C:\Program Files\rktmxkre
2007-12-20 17:48 . 2007-12-20 17:48 39,936 --a------ C:\WINDOWS\system32\gebbbya.dll
2007-12-13 22:29 . 2007-12-26 18:11 <DIR> d-------- C:\WINDOWS\usb-audio.deTascam
2007-12-13 22:29 . 2006-10-23 07:24 106,496 --a------ C:\WINDOWS\system32\US-122L_US-144.CPL
2007-12-13 22:26 . 2006-10-23 07:24 396,192 -ra------ C:\WINDOWS\system32\drivers\tascusb2.sys
2007-12-13 22:26 . 2006-10-23 07:24 19,904 -ra------ C:\WINDOWS\system32\drivers\tscusb2a.sys
2007-12-13 22:26 . 2006-10-23 07:24 10,752 -ra------ C:\WINDOWS\system32\drivers\tscusb2m.sys
2007-11-29 17:04 . 2007-11-29 17:04 253,952 --------- C:\WINDOWS\Setup1.exe
2007-11-29 17:04 . 2007-11-29 17:04 74,752 --a------ C:\WINDOWS\ST6UNST.EXE
2007-11-29 16:35 . 2007-12-22 11:31 215 --a------ C:\WINDOWS\wininit.ini
2007-11-08 07:33 . 2007-12-13 23:48 <DIR> d-------- C:\Program Files\NCH Swift Sound
2007-11-08 07:33 . 2007-11-08 07:33 <DIR> d-------- C:\Documents and Settings\lynda\Application Data\NCH Swift Sound
2007-11-08 07:33 . 2007-11-08 07:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-30 00:17 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-12-26 20:09 --------- d-----w C:\Program Files\Windows Defender
2007-12-26 20:09 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-26 11:18 --------- d-----w C:\Documents and Settings\lynda\Application Data\uTorrent
2007-12-25 00:14 --------- d-----w C:\Program Files\Symantec
2007-12-24 10:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-22 04:00 413 ----a-w C:\Program Files\Shortcut to HijackThis.lnk
2007-12-13 17:03 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-23 09:27 --------- d-----w C:\Program Files\uTorrent
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 08:23 28,672 ----a-w C:\Program Files\wmdmhelper.dll
2007-10-28 08:23 --------- d-----w C:\Program Files\templates
2007-10-28 08:23 --------- d-----w C:\Program Files\rpplugins
2007-10-28 08:23 --------- d-----w C:\Program Files\plugins
2007-10-28 08:23 --------- d-----w C:\Program Files\Devices
2007-10-28 08:22 86,016 ----a-w C:\Program Files\rpplugprot.dll
2007-10-28 08:22 719,360 ----a-w C:\Program Files\dbghelp.dll
2007-10-28 08:22 682 ----a-w C:\Program Files\realplay.exe.manifest
2007-10-28 08:22 667,648 ----a-w C:\Program Files\rjbres.dll
2007-10-28 08:22 61,495 ----a-w C:\Program Files\ssimages.vs
2007-10-28 08:22 61,440 ----a-w C:\Program Files\rjwmapln.dll
2007-10-28 08:22 57,762 ----a-w C:\Program Files\howto.chm
2007-10-28 08:22 57,344 ----a-w C:\Program Files\tpasdk.dll
2007-10-28 08:22 57,344 ----a-w C:\Program Files\rdsf3260.dll
2007-10-28 08:22 568 ----a-w C:\Program Files\fpsectbl
2007-10-28 08:22 54,600 ----a-w C:\Program Files\rpshellsearch.dll
2007-10-28 08:22 54,584 ----a-w C:\Program Files\rpshell.dll
2007-10-28 08:22 53,098 ----a-w C:\Program Files\presets.rnx
2007-10-28 08:22 522,924 ----a-w C:\Program Files\normal.vs
2007-10-28 08:22 52,609 ----a-w C:\Program Files\RealNetworks License.html
2007-10-28 08:22 52,609 ----a-w C:\Program Files\playrlic.html
2007-10-28 08:22 50,548 ----a-w C:\Program Files\RealNetworks License.txt
2007-10-28 08:22 50,548 ----a-w C:\Program Files\playrlic.txt
2007-10-28 08:22 50 ----a-w C:\Program Files\strs23.dat
2007-10-28 08:22 49,152 ----a-w C:\Program Files\mmcdda32.dll
2007-10-28 08:22 49,152 ----a-w C:\Program Files\ierjplug.dll
2007-10-28 08:22 480 ----a-w C:\Program Files\keys.dat
2007-10-28 08:22 45,056 ----a-w C:\Program Files\rpau3260.dll
2007-10-28 08:22 339,968 ----a-w C:\Program Files\dtdr3260.dll
2007-10-28 08:22 335,872 ----a-w C:\Program Files\rjdlg.dll
2007-10-28 08:22 32,768 ----a-w C:\Program Files\tnetdtct.dll
2007-10-28 08:22 32,768 ----a-w C:\Program Files\rpwa3260.dll
2007-10-28 08:22 32,768 ----a-w C:\Program Files\rjprog.dll
2007-10-28 08:22 27,024 ----a-w C:\Program Files\Readme.html
2007-10-28 08:22 214,296 ----a-w C:\Program Files\realplay.exe
2007-10-28 08:22 207 ----a-w C:\Program Files\subscription.rnx
2007-10-28 08:22 201,949 ----a-w C:\Program Files\realplay.chm
2007-10-28 08:22 20,480 ----a-w C:\Program Files\rphelperapp.exe
2007-10-28 08:22 20,480 ----a-w C:\Program Files\fixrjb.exe
2007-10-28 08:22 2,851 ----a-w C:\Program Files\cdroms.cfg
2007-10-28 08:22 17,846 ----a-w C:\Program Files\videotest.rm
2007-10-28 08:22 16,296 ----a-w C:\Program Files\realtfon.fon
2007-10-28 08:22 139,264 ----a-w C:\Program Files\DUNZIP32.dll
2007-10-28 08:22 13 ----a-w C:\Program Files\strs26.dat
2007-10-28 08:22 119,808 ----a-w C:\Program Files\waiting.avi
2007-10-28 08:22 11,444 ----a-w C:\Program Files\frw.bmp
2007-10-28 08:22 102,400 ----a-w C:\Program Files\tsasdk.dll
2007-10-28 08:22 1,030 ----a-w C:\Program Files\autoplaylist.dat
2007-10-28 08:22 --------- d-----w C:\Program Files\Setup
2007-10-28 08:22 --------- d-----w C:\Program Files\producer
2007-10-28 08:22 --------- d-----w C:\Program Files\Netscape6
2007-10-28 08:22 --------- d-----w C:\Program Files\library
2007-10-28 08:22 --------- d-----w C:\Program Files\Firstrun
2007-10-28 08:22 --------- d-----w C:\Program Files\DataCache
2007-10-28 08:22 --------- d-----w C:\Program Files\Common Files\xing shared
2007-10-28 08:22 --------- d-----w C:\Program Files\Common Files\Real
2007-10-28 08:22 --------- d-----w C:\Program Files\CDBurning
2007-10-27 06:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-18 04:38 155,995 ----a-w C:\WINDOWS\java\Packages\OFLN5RV1.ZIP
.

((((((((((((((((((((((((((((( snapshot_2007-12-26_ 7.49.53.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-08-02 21:10:13 32,512 ----a-w C:\WINDOWS\system32\drivers\npf.sys
+ 2005-05-24 01:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 04:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 04:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2005-08-02 21:08:09 81,920 ----a-w C:\WINDOWS\system32\Packet.dll
+ 2005-08-02 21:24:01 53,299 ----a-w C:\WINDOWS\system32\pthreadVC.dll
+ 2005-08-02 21:08:06 61,440 ----a-w C:\WINDOWS\system32\WanPacket.dll
+ 2005-08-02 21:18:45 233,472 ----a-w C:\WINDOWS\system32\wpcap.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-12-27 07:02]
"InternodeUsage"="D:\INTERN~1\mum.exe" [2007-07-06 00:17]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-12-24 13:32]
"C-Media Mixer"="Mixer.exe" [2002-10-15 19:00 C:\WINDOWS\mixer.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-12-24 21:23]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-12-29 11:17]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-12-24 21:23]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2007-12-27 07:02]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 12:17]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [2006-01-25 20:42:22]

S3 CheckFSD;Antiy Labs FSD Service;D:\atool\CheckFSD.sys [2007-12-12 16:27]
S3 CheckSSDT;Antiy Labs SSDT Service;D:\atool\SSDT.sys [2007-12-12 16:27]
S3 HookMsg;Antiy Labs MsgHook Service;D:\atool\ABaseDrv.sys [2007-12-12 16:27]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-03 08:10]
S3 Proc;Antiy Labs Process Service;D:\atool\Proc.sys [2007-12-12 16:27]
S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;C:\WINDOWS\system32\Drivers\tascusb2.sys [2006-10-23 07:24]
S3 TASCAM_US122L_MIDI;TASCAM US-122L WDM MIDI Device;C:\WINDOWS\system32\drivers\tscusb2m.sys [2006-10-23 07:24]
S3 TASCAM_US122L_WDM;TASCAM US-122L WDM;C:\WINDOWS\system32\drivers\tscusb2a.sys [2006-10-23 07:24]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-25 16:00:00 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- D:\AdwareAlert\AdwareAlert.ex
- D:\AdwareAlert
"2007-12-30 00:19:55 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-30 11:26:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-30 11:27:26
C:\ComboFix2.txt ... 2007-12-26 07:50
C:\ComboFix3.txt ... 2007-12-25 07:04
.
2007-12-28 22:37:35 --- E O F ---
lyric39 is offline  
Old 12-29-2007, 05:31 PM   #34
Registered User
 
Join Date: Dec 2007
Posts: 50
OS: XP pro 2002 service pack 2


Re: hijack log check please

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:22 AM, on 30/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
D:\INTERN~1\mum.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\hijack this\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [InternodeUsage] D:\INTERN~1\mum.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://portal
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1192096468609
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6159 bytes
lyric39 is offline