Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
06-22-2009, 03:55 AM   #1
Registered User (Join Date: Jul 2008, Posts: 11, OS: XP)


Infostealer virus

Apologies if this is double posted; the first one didn't show up after 10 min of refreshing. Possibly more than just Infostealer is infecting my computer. Symptoms I have seen over the past few days:

- Upon startup, the system sometimes completely locks up. When I'm able to get through an enormous amount of lag to open Task Manager and see what it is, I find a program called QTTask.exe pegging my CPU. I can remedy this by turning off the PC, unplugging the power cord, discharging the system by hitting the power button, and then booting up. This confuses me.

- When clicking links from anywhere, such as a Google search, I am often redirected to seemingly random junk websites. I must use the backstep button and try the link again, and it will sometimes work.

- Norton 360 found a high-risk threat called Infostealer but cannot clear it. The only information it gives me about it is in the 'details', where it says "globalroot\systemroot\system32\msivxictkltfjtlapyqinppearehewqokjmmg.dll". I could not find this file anywhere.


My DDS file:


DDS (Ver_09-05-14.01) - NTFSx86
Run by David at 4:29:45.21 on Mon 06/22/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.539 [GMT -4:00]

AV: Norton 360 *On-access scanning enabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\msiexec.exe
C:\Documents and Settings\David\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: AutorunsDisabled - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
BHO: : {62b5f6ab-e33e-445d-9700-27a0ba931d47} - c:\program files\windows media player\nipyr83122.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
TB: Alcohol Toolbar: {ed4bd629-c1b6-4399-8a34-02ccaa921dc9} - c:\program files\alcohol toolbar\v3.2.0.0\Alcohol_Toolbar.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Aim6]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton 360\osCheck.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {3334504D-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/C/8/0C8EDFAB-30BC-4792-898E-2DABE27B2C4D/mp43dmo.CAB
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167026031687
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: ddccd.dll - hggheby.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-10-28 24652]
R3 Alpham;Ideazon Merc Composite Keyboard Driver;c:\windows\system32\drivers\Alpham.sys [2005-12-4 34944]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-6-13 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090621.039\NAVENG.SYS [2009-6-21 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090621.039\NAVEX15.SYS [2009-6-21 876144]
S2 nlojki;nlojki;c:\windows\system32\drivers\rgoqqfge.sys [2009-6-12 76416]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2009-1-12 1245064]

=============== Created Last 30 ================

2009-06-22 04:15 <DIR> --d----- c:\program files\Trend Micro
2009-06-22 02:48 <DIR> --d----- c:\program files\Exterminate It!
2009-06-13 19:38 <DIR> --d----- c:\program files\Norton 360
2009-06-13 19:36 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-06-13 19:36 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-06-13 19:36 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-06-13 19:36 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-06-13 19:36 <DIR> --d----- c:\program files\Symantec
2009-06-12 22:21 68,608 a------- c:\windows\system32\drivers\stbvpeoriyqrcjiu.sys
2009-06-12 22:21 <DIR> --dsh--- c:\windows\system32\lowsec
2009-06-12 22:21 213,024 a------- c:\windows\system32\drivers\str.sys
2009-06-12 22:20 76,416 a------- c:\windows\system32\drivers\rgoqqfge.sys

==================== Find3M ====================

2007-07-27 23:46 1,768,266 ac-sh--- c:\windows\system32\dccdd.bak1
2007-08-01 18:30 1,759,743 ac-sh--- c:\windows\system32\dccdd.bak2
2007-08-01 18:58 1,768,849 ac-sh--- c:\windows\system32\dccdd.ini2

============= FINISH: 4:30:13.15 ===============


I greatly appreciate any help given.
Attached Files
File Type: zip ark.zip (24.0 KB, 4 views)
File Type: zip Attach.zip (2.6 KB, 1 views)
demiskus is offline  
06-23-2009, 06:12 PM   #2
Angelfire777, Moderator/Analyst, Security Team; Rangemaster, TSF Academy (Join Date: Oct 2006, Posts: 4,581, OS: Vista)


Re: Infostealer virus

Please re-scan with GMER and post the log.
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
Angelfire777 is offline  
06-24-2009, 07:37 AM   #3
Registered User (Join Date: Jul 2008, Posts: 11, OS: XP)


Re: Infostealer virus

Hello and thank you Angelfire777, I have done as you requested. I would like to confirm a step in the process, though. Under the instructions, boxes were requested to be unchecked. This box, "Drives/Partition other than Systemdrive (typically C:\)", is for computers with multiple HDDs? I left it checked as it is my only HDD. Am I correct in how I interpreted this? The text was too massive to post directly in the thread; I received an error when trying to do so. I have zipped and attached it.
Attached Files
File Type: zip ark2.zip (70.6 KB, 2 views)
demiskus is offline  
06-24-2009, 11:32 AM   #4
Angelfire777, Moderator/Analyst, Security Team; Rangemaster, TSF Academy (Join Date: Oct 2006, Posts: 4,581, OS: Vista)


Re: Infostealer virus

That's completely fine, thanks.

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Note: Please rename combofix.exe to cfix.exe

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
Angelfire777 is offline  
06-24-2009, 05:18 PM   #5
Registered User (Join Date: Jul 2008, Posts: 11, OS: XP)


Re: Infostealer virus

Ran the program; along the way I encountered some difficulties. After the initial ComboFix scan and prior to completing stage 1, ComboFix told me I needed to reboot the computer and that I should write down these file names for future reference:
C:\Windows\system32\drivers\MSIVXliqxxnjsnfmpubxwypsolkjmsxolvgoan.sys
C:\Windows\system32\drivers\MSIVXxoexllqlmspyitcokdxnqgmrosvsdofm.sys
C:\Windows\system32\MSIVXictkltfjtlapyqinppearehewqokjmmg.dll
C:\Windows\system32\MSIVXsdksvydwoxpwvgxyuhdmoggovvuurdvd.dll

Upon restart I got a blue screen on the 'Welcome' screen. Shut down, restarted, still blue screen. Ran System Recovery, fixboot, restored the system to the last known good config, and I was able to boot up and continue. I was never prompted for those files, but I'm pretty sure I saw at least 2 of them being deleted prior to completion of stage 1.

Here is the log:


ComboFix 09-06-23.01 - David 06/24/2009 18:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.716 [GMT -4:00]
Running from: c:\documents and settings\David\Desktop\cfix.exe
AV: Norton 360 *On-access scanning disabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *disabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\ymbols~1
c:\temp\0b9
c:\temp\iee
c:\temp\tn3
c:\windows\system32\drivers\MSIVXliqxxnjsnfmpubxwypsolkjmsxdugoan.sys
c:\windows\system32\drivers\MSIVXxoexllqlmspyitcokdxnqgmrosvsdofm.sys
c:\windows\system32\drivers\str.sys
c:\windows\system32\lowsec
c:\windows\system32\MSIVXictkltfjtlapyqinppearehewqokjmmg.dll
c:\windows\system32\MSIVXsdksvydwoxpwvgxyuhdmoggovvuurdvl.dll
c:\windows\system32\o02PrEz
c:\windows\system32\win
c:\windows\system32\X2
c:\windows\system32\X3
c:\windows\system32\X9
c:\temp\0b9\tmpTF.log
c:\temp\iee\tmpZTF.log
c:\windows\system32\ahuxkyjc.ini
c:\windows\system32\bqeqevbm.ini
c:\windows\system32\bqqcamir.ini
c:\windows\system32\ccqrlcuo.ini
c:\windows\system32\daehxbid.ini
c:\windows\system32\dccdd.bak1
c:\windows\system32\dccdd.bak2
c:\windows\system32\dccdd.ini
c:\windows\system32\dccdd.ini2
c:\windows\system32\dccdd.tmp
c:\windows\system32\ddpgrmxs.ini
c:\windows\system32\drivers\ctoss2k.sys
c:\windows\system32\drivers\MSIVXliqxxnjsnfmpubxwypsolkjmsxdugoan.sys
c:\windows\system32\drivers\MSIVXxoexllqlmspyitcokdxnqgmrosvsdofm.sys
c:\windows\system32\drivers\rgoqqfge.sys
c:\windows\system32\fcdwqutg.ini
c:\windows\system32\gfndtfwn.ini
c:\windows\system32\jlswvmyt.ini
c:\windows\system32\llkkj.ini
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\MSIVXcount
c:\windows\system32\MSIVXictkltfjtlapyqinppearehewqokjmmg.dll
c:\windows\system32\MSIVXsdksvydwoxpwvgxyuhdmoggovvuurdvl.dll
c:\windows\system32\nkynvrhc.ini
c:\windows\system32\nqpokwsh.ini
c:\windows\system32\odvyxjyn.ini
c:\windows\system32\onqgpbrm.ini
c:\windows\system32\sjdcjtur.ini
c:\windows\system32\ufhwhvlm.ini
c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MSIVXserv.sys
-------\Legacy_NLOJKI
-------\Legacy_ossrv
-------\Service_ossrv


((((((((((((((((((((((((( Files Created from 2009-05-24 to 2009-06-24 )))))))))))))))))))))))))))))))
.

2009-06-24 12:21 . 2009-06-24 12:21 -------- d-sh--w- c:\documents and settings\David\IECompatCache
2009-06-23 08:58 . 2009-06-23 08:58 -------- d-sh--w- c:\documents and settings\David\PrivacIE
2009-06-23 08:27 . 2009-06-23 08:27 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-23 08:26 . 2009-06-23 08:26 -------- d-sh--w- c:\documents and settings\David\IETldCache
2009-06-23 07:15 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-23 07:15 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-23 07:15 . 2009-06-23 07:15 -------- d-----w- c:\windows\ie8updates
2009-06-23 07:15 . 2009-05-12 05:11 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-06-23 07:13 . 2009-06-23 07:14 -------- dc-h--w- c:\windows\ie8
2009-06-22 09:23 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-06-22 09:23 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-06-22 09:23 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-06-22 09:23 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-06-22 09:23 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-06-22 09:23 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-06-22 09:23 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-06-22 09:23 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-06-22 09:23 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-06-22 09:21 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-06-22 09:21 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-06-22 08:15 . 2009-06-22 08:15 -------- d-----w- c:\program files\Trend Micro
2009-06-22 06:48 . 2009-06-22 08:26 -------- d-----w- c:\program files\Exterminate It!
2009-06-14 00:00 . 2009-06-14 00:00 -------- d-----w- c:\documents and settings\David\Local Settings\Application Data\Symantec
2009-06-13 23:38 . 2009-06-13 23:38 -------- d-----w- c:\program files\Windows Sidebar
2009-06-13 23:38 . 2009-06-17 14:10 -------- d-----w- c:\program files\Norton 360
2009-06-13 23:36 . 2009-06-17 13:48 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-06-13 23:36 . 2009-06-17 13:48 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-06-13 23:36 . 2009-06-17 13:48 -------- d-----w- c:\program files\Symantec
2009-06-13 02:21 . 2009-06-13 02:21 68608 ----a-w- c:\windows\system32\drivers\stbvpeoriyqrcjiu.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-24 22:59 . 2007-03-22 22:26 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-22 08:28 . 2008-03-22 20:57 -------- d-----w- c:\program files\QuickTime
2009-06-22 08:24 . 2008-12-08 15:31 -------- d-----w- c:\program files\Common Files\Apple
2009-06-22 08:23 . 2009-04-24 18:53 -------- d-----w- c:\program files\Bitlord
2009-06-17 13:48 . 2009-06-13 23:36 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-06-17 13:48 . 2009-06-13 23:36 10635 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-06-15 12:50 . 2007-03-22 22:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-14 00:06 . 2008-12-08 15:33 -------- d-----w- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-05-14 12:42 . 2007-05-31 03:41 -------- d-----w- c:\program files\Educational
2009-05-13 05:15 . 2006-06-23 16:33 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2002-09-03 19:42 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2002-09-03 20:03 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-03-06 02:16 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-01 02:46 . 2008-02-24 02:07 9584 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\LuRegManifests\Static\NCO20.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2007-12-05 8523776]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2007-12-05 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-12-10 188416]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-05 1626112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2008-1-11 39792]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2007-5-11 738968]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2/18/2008 3:37 PM 149352]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/28/2007 11:46 AM 24652]
R3 Alpham;Ideazon Merc Composite Keyboard Driver;c:\windows\system32\drivers\Alpham.sys [12/4/2005 2:55 PM 34944]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/13/2009 8:08 PM 101936]
S2 nlojki;nlojki;\??\c:\windows\system32\drivers\rgoqqfge.sys --> c:\windows\system32\drivers\rgoqqfge.sys [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [1/12/2008 10:32 PM 23888]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{62B5F6AB-E33E-445D-9700-27A0BA931D47} - c:\program files\Windows Media Player\nipyr83122.dll
HKCU-Run-Aim6 - (no file)
Notify-AutorunsDisabled - c:\windows\System32\ddccd.dll hggheby.dll


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-24 18:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled]
"Appinit_Dlls"="ytmexk.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1180)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\program files\MSN Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2009-06-24 19:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-24 23:03

Pre-Run: 1,238,011,904 bytes free
Post-Run: 1,314,627,584 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

Current=6 Default=6 Failed=5 LastKnownGood=1 Sets=1,2,3,4,5,6
223 --- E O F --- 2009-06-23 07:16
demiskus is offline  
06-24-2009, 09:41 PM   #6
Angelfire777, Moderator/Analyst, Security Team; Rangemaster, TSF Academy (Join Date: Oct 2006, Posts: 4,581, OS: Vista)


Re: Infostealer virus

Quote:
C: is FIXED (NTFS) - 75 GiB total, 1.618 GiB free.
Take note that your C drive has VERY low space now. This could cause slowdowns and tons of other problems for you.

I suggest you transfer some files out of that drive and free up at least 10%-15% of the whole drive.



*I see you have Viewpoint installed...
Viewpoint-related software is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player


*I also recommend you uninstall AIM Toolbar and Alcohol Toolbar.

This software is known to collect information like surfing habits, etc.


*Open Notepad.
Copy and paste the text inside the code box below into Notepad.
Code:
File::
c:\windows\system32\drivers\rgoqqfge.sys
c:\windows\system32\drivers\stbvpeoriyqrcjiu.sys
Driver::
nlojki
Reglock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled]
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
DDS::
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: AutorunsDisabled - No File
FixCSet::
  • Save and name it as "CFScript"
  • Drag and drop CFScript.txt onto your copy of ComboFix.

Referring to the picture above, drag CFScript.txt into ComboFix.exe.

When finished, it shall produce a log for you. Post that log in your next reply.


*Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start.
  • When asked, allow the ActiveX control to install.
  • Click Start.
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings; ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan.
  • Wait for the scan to finish.
  • Use Notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic, and also let me know how things are now.


In your next reply, please include:
  • ESET scan log
  • ComboFix log
Angelfire777 is offline  
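The objects the CFScript above targets are the same ones an analyst picks out of the DDS log in the first post, so the following added example (not from this thread, and no part of DDS or ComboFix) runs a rule-based triage over lines copied from those logs, including a temporal-clustering pass that pulls in files written within minutes of a confirmed indicator. The rules and sample input are constructed for this illustration and every hit is a lead for manual verification, not a verdict.

```python
"""Rule-based triage of DDS / ComboFix log lines (illustrative heuristics that
mirror what the analyst acted on in this thread; each hit is a lead, not a verdict)."""
import re
from datetime import datetime, timedelta

# Constructed sample: lines copied from the DDS log in post #1 and the ComboFix
# registry dump in post #5, plus known-good entries the rules must leave alone.
SAMPLE_LOG = r"""
BHO: AutorunsDisabled - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: : {62b5f6ab-e33e-445d-9700-27a0ba931d47} - c:\program files\windows media player\nipyr83122.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
Notify: ddccd.dll - hggheby.dll
R3 Alpham;Ideazon Merc Composite Keyboard Driver;c:\windows\system32\drivers\Alpham.sys [2005-12-4 34944]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-6-13 101936]
S2 nlojki;nlojki;c:\windows\system32\drivers\rgoqqfge.sys [2009-6-12 76416]
2009-06-13 19:36 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-06-12 22:21 68,608 a------- c:\windows\system32\drivers\stbvpeoriyqrcjiu.sys
2009-06-12 22:21 <DIR> --dsh--- c:\windows\system32\lowsec
2009-06-12 22:21 213,024 a------- c:\windows\system32\drivers\str.sys
2009-06-12 22:20 76,416 a------- c:\windows\system32\drivers\rgoqqfge.sys
2007-07-27 23:46 1,768,266 ac-sh--- c:\windows\system32\dccdd.bak1
"DisableMonitoring"=dword:00000001
"EnableFirewall"= 0 (0x0)
"""

# DDS "Pseudo HJT" autostart entry whose target is gone: an orphan worth removing.
NO_FILE = re.compile(r"^(?:BHO|TB|EB|IE|uRun|mRun|Notify): .* - No File$")
# A BHO registered with an empty display name.
NAMELESS_BHO = re.compile(r"^BHO: : \{[0-9a-f-]+\} - (.+)$", re.I)
# Winlogon Notify packages load a DLL into winlogon; each one needs a known publisher.
NOTIFY = re.compile(r"^Notify: (.+)$")
# Service/driver line: state+start, then name;display;path [date size].
SERVICE = re.compile(r"^[RS]\d (?P<name>[^;]+);(?P<display>[^;]+);(?P<path>.+?\.sys) \[", re.I)
# "Created Last 30" / "Find3M" lines under system32: timestamp, size or <DIR>, attrs, path.
CREATED = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (?:<DIR>|[\d,]+) (?P<attrs>\S+) "
                     r"(?P<path>c:\\windows\\system32\\.+)$", re.I)
# Registry values from the ComboFix dump that switch protection off.
REG_OFF = {
    '"DisableMonitoring"=dword:00000001': "Security Center monitoring disabled",
    '"EnableFirewall"= 0 (0x0)': "Windows Firewall policy set to off",
}


def triage(log_text, window_minutes=2):
    findings = []        # (reason, target) pairs for the reviewer
    suspicious = set()   # lower-cased paths confirmed by one of the stronger rules
    created = []         # (timestamp, attrs, path) kept for the clustering pass

    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        if NO_FILE.match(line):
            findings.append(("autostart entry points at a missing file", line))
            continue
        m = NAMELESS_BHO.match(line)
        if m:
            findings.append(("BHO registered without a display name", m.group(1)))
            continue
        m = NOTIFY.match(line)
        if m:
            findings.append(("Winlogon Notify DLL; verify its publisher", m.group(1)))
            continue
        m = SERVICE.match(line)
        if m:
            # Display name merely echoes the service name while the .sys on disk is unrelated.
            stem = m["path"].rsplit("\\", 1)[-1][:-4].lower()
            if m["name"].lower() == m["display"].lower() and stem != m["name"].lower():
                findings.append(("driver file name unrelated to its service name", m["path"]))
                suspicious.add(m["path"].lower())
            continue
        m = CREATED.match(line)
        if m:
            created.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M"), m["attrs"], m["path"]))
            continue
        if line in REG_OFF:
            findings.append((REG_OFF[line], line))

    # Hidden+system objects dropped straight into system32 are an indicator on their own.
    for _, attrs, path in created:
        if "s" in attrs and "h" in attrs:
            findings.append(("hidden+system object created under system32", path))
            suspicious.add(path.lower())

    # Temporal clustering: files written within a few minutes of a confirmed
    # indicator usually belong to the same install and go on the review list.
    window = timedelta(minutes=window_minutes)
    anchors = [ts for ts, _, path in created if path.lower() in suspicious]
    for ts, _, path in created:
        if path.lower() not in suspicious and any(abs(ts - a) <= window for a in anchors):
            findings.append((f"created within {window_minutes} min of a flagged object", path))
    return findings


if __name__ == "__main__":
    for reason, target in triage(SAMPLE_LOG):
        print(f"{reason:48} {target}")
```

Run against the sample it flags exactly the objects the CFScript and ComboFix removed (rgoqqfge.sys, stbvpeoriyqrcjiu.sys, str.sys, lowsec, the dccdd files, the nameless BHO and the Notify DLL) while leaving the Symantec, Adobe and Ideazon entries alone.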
06-25-2009, 04:53 PM   #7
Registered User (Join Date: Jul 2008, Posts: 11, OS: XP)


Re: Infostealer virus

Things are looking much better. I am no longer getting alerts from Norton about Infostealer. I ran a scan with Norton to see if Infostealer was still being pulled up as uncorrectable, and it ended up fast-fixing 3 files: a tracking cookie, a heuristic virus (Packed.Generic.238), and a virus (Infostealer). I didn't intend for it to fast-fix that, in case it was to be removed in another fashion. The logs were created prior to that; do you want new logs now?

Combofix log:

ComboFix 09-06-23.01 - David 06/25/2009 10:22.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.610 [GMT -4:00]
Running from: c:\documents and settings\David\Desktop\cfix.exe
Command switches used :: c:\documents and settings\David\Desktop\CFScript.txt
AV: Norton 360 *On-access scanning disabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

FILE ::
"c:\windows\system32\drivers\rgoqqfge.sys"
"c:\windows\system32\drivers\stbvpeoriyqrcjiu.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\stbvpeoriyqrcjiu.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_nlojki


((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-06-25 )))))))))))))))))))))))))))))))
.

2009-06-24 23:02 . 2009-06-24 23:02 -------- dc----w- c:\windows\system32\dllcache\cache
2009-06-24 12:21 . 2009-06-24 12:21 -------- d-sh--w- c:\documents and settings\David\IECompatCache
2009-06-23 08:58 . 2009-06-23 08:58 -------- d-sh--w- c:\documents and settings\David\PrivacIE
2009-06-23 08:27 . 2009-06-23 08:27 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-23 08:26 . 2009-06-23 08:26 -------- d-sh--w- c:\documents and settings\David\IETldCache
2009-06-23 07:15 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-23 07:15 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-23 07:15 . 2009-06-23 07:15 -------- d-----w- c:\windows\ie8updates
2009-06-23 07:15 . 2009-05-12 05:11 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-06-23 07:13 . 2009-06-23 07:14 -------- dc-h--w- c:\windows\ie8
2009-06-22 09:23 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-06-22 09:23 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-06-22 09:23 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-06-22 09:23 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-06-22 09:23 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-06-22 09:23 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-06-22 09:23 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-06-22 09:23 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-06-22 09:23 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-06-22 09:21 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-06-22 09:21 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-06-22 08:15 . 2009-06-22 08:15 -------- d-----w- c:\program files\Trend Micro
2009-06-22 06:48 . 2009-06-22 08:26 -------- d-----w- c:\program files\Exterminate It!
2009-06-14 00:00 . 2009-06-14 00:00 -------- d-----w- c:\documents and settings\David\Local Settings\Application Data\Symantec
2009-06-13 23:38 . 2009-06-13 23:38 -------- d-----w- c:\program files\Windows Sidebar
2009-06-13 23:38 . 2009-06-17 14:10 -------- d-----w- c:\program files\Norton 360
2009-06-13 23:36 . 2009-06-17 13:48 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-06-13 23:36 . 2009-06-17 13:48 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-06-13 23:36 . 2009-06-17 13:48 -------- d-----w- c:\program files\Symantec

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-25 14:29 . 2007-03-22 22:26 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-25 14:15 . 2007-02-18 22:58 -------- d-----w- c:\documents and settings\David\Application Data\Viewpoint
2009-06-25 14:15 . 2007-02-18 22:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-06-25 14:15 . 2007-02-18 22:20 -------- d-----w- c:\program files\Viewpoint
2009-06-22 08:28 . 2008-03-22 20:57 -------- d-----w- c:\program files\QuickTime
2009-06-22 08:24 . 2008-12-08 15:31 -------- d-----w- c:\program files\Common Files\Apple
2009-06-22 08:23 . 2009-04-24 18:53 -------- d-----w- c:\program files\Bitlord
2009-06-17 13:48 . 2009-06-13 23:36 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-06-17 13:48 . 2009-06-13 23:36 10635 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-06-15 12:50 . 2007-03-22 22:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-14 00:06 . 2008-12-08 15:33 -------- d-----w- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-05-14 12:42 . 2007-05-31 03:41 -------- d-----w- c:\program files\Educational
2009-05-13 05:15 . 2006-06-23 16:33 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2002-09-03 19:42 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2002-09-03 20:03 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-03-06 02:16 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-01 02:46 . 2008-02-24 02:07 9584 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\LuRegManifests\Static\NCO20.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-24_22.59.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-24 23:02 . 2008-10-16 19:09 51224 c:\windows\system32\dllcache\cache\wuauclt.exe
+ 2009-06-24 23:02 . 2008-04-14 00:12 82432 c:\windows\system32\dllcache\cache\ws2_32.dll
+ 2009-06-24 23:02 . 2008-04-14 00:12 26112 c:\windows\system32\dllcache\cache\userinit.exe
+ 2009-06-24 23:02 . 2008-04-14 00:12 14336 c:\windows\system32\dllcache\cache\svchost.exe
+ 2009-06-24 23:02 . 2008-04-14 00:12 57856 c:\windows\system32\dllcache\cache\spoolsv.exe
+ 2009-06-24 23:02 . 2008-04-14 00:12 17408 c:\windows\system32\dllcache\cache\powrprof.dll
+ 2009-06-24 23:02 . 2008-04-14 00:12 13312 c:\windows\system32\dllcache\cache\lsass.exe
+ 2009-06-24 23:02 . 2008-04-13 18:39 24576 c:\windows\system32\dllcache\cache\kbdclass.sys
+ 2009-06-24 23:02 . 2008-04-13 18:53 36608 c:\windows\system32\dllcache\cache\ip6fw.sys
+ 2009-06-24 23:02 . 2008-04-14 00:12 15360 c:\windows\system32\dllcache\cache\ctfmon.exe
+ 2009-06-24 23:02 . 2008-04-14 00:12 507904 c:\windows\system32\dllcache\cache\winlogon.exe
+ 2009-06-24 23:02 . 2009-05-13 05:15 915456 c:\windows\system32\dllcache\cache\wininet.dll
+ 2009-06-24 23:02 . 2008-04-14 00:12 578560 c:\windows\system32\dllcache\cache\user32.dll
+ 2009-06-24 23:02 . 2008-04-14 00:12 295424 c:\windows\system32\dllcache\cache\termsrv.dll
+ 2009-06-24 23:02 . 2008-06-20 11:51 361600 c:\windows\system32\dllcache\cache\tcpip.sys
+ 2009-06-24 23:02 . 2009-02-06 11:11 110592 c:\windows\system32\dllcache\cache\services.exe
+ 2009-06-24 23:02 . 2008-04-13 19:20 182656 c:\windows\system32\dllcache\cache\ndis.sys
+ 2009-06-24 23:02 . 2009-03-21 14:06 989696 c:\windows\system32\dllcache\cache\kernel32.dll
+ 2009-06-24 23:02 . 2008-04-14 00:11 110080 c:\windows\system32\dllcache\cache\imm32.dll
+ 2009-06-24 23:02 . 2008-04-14 00:11 167936 c:\windows\system32\dllcache\cache\appmgmts.dll
+ 2009-06-24 23:02 . 2008-04-14 00:12 1614848 c:\windows\system32\dllcache\cache\sfcfiles.dll
+ 2009-06-24 23:02 . 2009-02-06 11:08 2189056 c:\windows\system32\dllcache\cache\ntoskrnl.exe
+ 2009-06-24 23:02 . 2009-02-07 23:02 2066048 c:\windows\system32\dllcache\cache\ntkrnlpa.exe
+ 2009-06-24 23:02 . 2008-04-14 00:12 1033728 c:\windows\system32\dllcache\cache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2007-12-05 8523776]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2007-12-05 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-12-10 188416]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-05 1626112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2008-1-11 39792]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2007-5-11 738968]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2/18/2008 3:37 PM 149352]
R3 Alpham;Ideazon Merc Composite Keyboard Driver;c:\windows\system32\drivers\Alpham.sys [12/4/2005 2:55 PM 34944]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/13/2009 8:08 PM 101936]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [1/12/2008 10:32 PM 23888]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

BHO-{62B5F6AB-E33E-445D-9700-27A0BA931D47} - (no file)
HKCU-Run-msnmsgr - c:\program files\MSN Messenger\msnmsgr.exe


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-25 10:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled]
"Appinit_Dlls"="ytmexk.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2004)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\progra~1\MICROS~2\OFFICE11\MCPS.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2009-06-25 10:31 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-25 14:31
ComboFix2.txt 2009-06-24 23:03

Pre-Run: 1,176,342,528 bytes free
Post-Run: 1,250,304,000 bytes free

191 --- E O F --- 2009-06-23 07:16



Eset log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=d00a488eb08c7f44a366d4e7af87d3ce
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-06-25 03:20:21
# local_time=2009-06-25 11:20:21 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# scanned=50636
# found=46
# cleaned=0
# scan_time=2646
C:\Documents and Settings\David\Desktop\Windows_Divx_Rupoconexo_Update.exe a variant of Win32/Kryptik.TB trojan 00000000000000000000000000000000
C:\Documents and Settings\David\My Documents\bpftpserver_install.exe a variant of Win32/Tool.ServiceRunner application 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\ahuxkyjc.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\bqeqevbm.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\bqqcamir.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\ccqrlcuo.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\daehxbid.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\dccdd.bak1.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\dccdd.bak2.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\dccdd.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\dccdd.ini2.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\dccdd.tmp.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\ddpgrmxs.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\fcdwqutg.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\gfndtfwn.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\jlswvmyt.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\llkkj.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\MSIVXictkltfjtlapyqinppearehewqokjmmg.dll.vir a variant of Win32/Kryptik.SQ trojan 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\MSIVXsdksvydwoxpwvgxyuhdmoggovvuurdvl.dll.vir a variant of Win32/Kryptik.SQ trojan 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\nkynvrhc.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\nqpokwsh.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\odvyxjyn.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\onqgpbrm.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\sjdcjtur.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\ufhwhvlm.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
C:\System Volume Information\_restore{7C6C330F-D8D8-44D4-B3D2-B3DA360626DF}\RP970\A0097556.dll a variant of Win32/Kryptik.SQ trojan 00000000000000000000000000000000
C:\System Volume Information\_restore{7C6C330F-D8D8-44D4-B3D2-B3DA360626DF}\RP970\A0097557.dll a variant of Win32/Kryptik.SQ trojan 00000000000000000000000000000000
C:\System Volume Information\_restore{7C6C330F-D8D8-44D4-B3D2-B3DA360626DF}\RP970\A0099583.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
C:\System Volume Information\_restore{7C6C330F-D8D8-44D4-B3D2-B3DA360626DF}\RP970\A0099584.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
C:\System Volume Information\_restore{7C6C330F-D8D8-44D4-B3D2-B3DA360626DF}\RP970\A0099585.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
C:\System Volume Information\_restore{7C6C330F-D8D8-44D4-B3D2-B3DA360626DF}\RP970\A0099586.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
C:\System Volume Information\_restore{7C6C330F-D8D8-44D4-B3D2-B3DA360626DF}\RP970\A0099587.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
C:\System Volume Information\_restore{7C6C330F-D8D8-44D4-B3D2-B3DA360626DF}\RP970\A0099588.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
C:\System Volume Information\_restore{7C6C330F-D8D8-44D4-B3D2-B3DA360626DF}\RP970\A0099589.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
C:\System Volume Information\_restore{7C6C330F-D8D8-44D4-B3D2-B3DA360626DF}\RP970\A0099590.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
C:\System Volume Information\_restore{7C6C330F-D8D8-44D4-B3D2-B3DA360626DF}\RP970\A0099591.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
C:\System Volume Information\_restore{7C6C330F-D8D8-44D4-B3D2-B3DA360626DF}\RP970\A0099592.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
C:\System Volume Information\_restore{7C6C330F-D8D8-44D4-B3D2-B3DA360626DF}\RP970\A0099593.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
C:\System Volume Information\_restore{7C6C330F-D8D8-44D4-B3D2-B3DA360626DF}\RP970\A0099594.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
C:\System Volume Information\_restore{7C6C330F-D8D8-44D4-B3D2-B3DA360626DF}\RP970\A0099595.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
C:\System Volume Information\_restore{7C6C330F-D8D8-44D4-B3D2-B3DA360626DF}\RP970\A0099596.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
C:\System Volume Information\_restore{7C6C330F-D8D8-44D4-B3D2-B3DA360626DF}\RP970\A0099597.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
C:\System Volume Information\_restore{7C6C330F-D8D8-44D4-B3D2-B3DA360626DF}\RP970\A0099598.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
C:\System Volume Information\_restore{7C6C330F-D8D8-44D4-B3D2-B3DA360626DF}\RP970\A0099599.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
C:\WINDOWS\AdmDll.dll Win32/RemoteAdmin application 00000000000000000000000000000000
C:\WINDOWS\raddrv.dll Win32/RemoteAdmin application 00000000000000000000000000000000
demiskus is offline  
Old 06-28-2009, 04:22 PM   #8 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
Angelfire777's Avatar
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Infostealer virus

Sorry for the delay.

No need to create new logs, these are fine.


*Open notepad.
Copy and paste the text inside the Code Box below into Notepad
Choose File > Save As and under "Save as type", choose "All Files".
Type clean.bat in the File name and save it to your desktop.

Code:
@echo off 
rem Start with a fresh failure log; anything still present after deletion is written here.
if exist "%temp%\log.txt" del "%temp%\log.txt"

rem Files found by the ESET scan outside quarantine/restore points: delete, then verify.
for %%g in ( 
"C:\Documents and Settings\David\Desktop\Windows_Divx_Rupoconexo_Update.exe"
"C:\Documents and Settings\David\My Documents\bpftpserver_install.exe"
) do ( 
del /a/f/q %%g 
if exist %%g echo.%%g >>"%temp%\log.txt" 
)>nul 2>&1 

rem Viewpoint folders: clear system/hidden/read-only attributes, remove the tree, then verify.
for %%g in ( 
"c:\documents and settings\David\Application Data\Viewpoint"
"c:\documents and settings\All Users\Application Data\Viewpoint"
"c:\program files\Viewpoint"
) do ( 
attrib -s -h -r %%g 
rd /s/q %%g 
if exist %%g echo.%%g >>"%temp%\log.txt" 
)>nul 2>&1 

rem Show the leftovers in Notepad if anything survived; otherwise report success.
if exist "%temp%\log.txt" (start notepad "%temp%\log.txt" 
) else echo.Deleted Successfully! 
echo. 
pause 
rem The batch file removes itself once it has run.
del %0
Locate clean.bat on your Desktop and double-click on it. Tell me what it says.

Let me know how it's running.
Angelfire777 is offline  
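The helper's clean.bat above targets only the two ESET detections that were live files on disk, while the Qoobox entries (ComboFix's own quarantine) and the System Volume Information entries (System Restore points) are left for the later `combofix /u` step. As an added example, not code from this thread, from ESET or from ComboFix, the following Python script does that triage automatically for an ESET Online Scanner log of the shape posted in reply #7. The line shape it parses (`<path> <threat description> <32 hex digits>` after a block of `# key=value` headers) is inferred from the posted log and is an assumption; the sample log embedded below is a constructed excerpt with that shape, not the full log from the thread.

```python
"""Triage an ESET Online Scanner log: separate live detections from
entries that only sit in ComboFix's quarantine or in System Restore points.

Added example for this thread; the log line shape is inferred from the
posted log and the sample below is a constructed excerpt of it.
"""
import re
from collections import Counter

# Constructed excerpt in the shape of the ESET log posted in this thread.
SAMPLE_LOG = r"""
# version=6
# found=5
# cleaned=0
C:\Documents and Settings\David\Desktop\Windows_Divx_Rupoconexo_Update.exe a variant of Win32/Kryptik.TB trojan 00000000000000000000000000000000
C:\Documents and Settings\David\My Documents\bpftpserver_install.exe a variant of Win32/Tool.ServiceRunner application 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\MSIVXictkltfjtlapyqinppearehewqokjmmg.dll.vir a variant of Win32/Kryptik.SQ trojan 00000000000000000000000000000000
C:\System Volume Information\_restore{7C6C330F-D8D8-44D4-B3D2-B3DA360626DF}\RP970\A0099583.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000
C:\WINDOWS\AdmDll.dll Win32/RemoteAdmin application 00000000000000000000000000000000
"""

# '# key=value' header lines written by the scanner before the detections.
HEADER_RE = re.compile(r"^# (?P<key>[A-Za-z_]+)=(?P<value>.*)$")

# One detection per line: a Windows path (may contain spaces), the threat
# description ('a variant of Family/Name class' or 'Family/Name class'), and a
# 32-hex-digit trailer. The path is matched non-greedily so the threat and
# trailer patterns decide where the path ends.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) "
    r"(?P<threat>(?:probably )?(?:a variant of )?[A-Za-z0-9]+/\S+ \S+) "
    r"(?P<hash>[0-9a-fA-F]{32})$"
)


def classify(path):
    """Where the detection lives: quarantine, restore point, or a live file."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:          # ComboFix's quarantine folder
        return "quarantine"
    if "\\system volume information\\_restore" in p:  # System Restore snapshot
        return "restore_point"
    return "live"


def parse_eset_log(text):
    """Return (header dict, list of detection dicts); unrecognised lines are skipped."""
    header, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            header[m.group("key")] = m.group("value")
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append({
                "path": m.group("path"),
                "threat": m.group("threat"),
                "location": classify(m.group("path")),
            })
    return header, detections


def triage(text):
    """Summarise a log and list the live files that still need manual removal."""
    header, detections = parse_eset_log(text)
    return {
        "found": int(header.get("found", len(detections))),
        "parsed": len(detections),
        "by_location": dict(Counter(d["location"] for d in detections)),
        "live": [d for d in detections if d["location"] == "live"],
    }


def clean_bat_list(paths):
    """Render the quoted path lines that go inside a clean.bat 'for %%g in (...)' block."""
    return "\n".join(f'"{p}"' for p in paths)


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"found={report['found']} parsed={report['parsed']} {report['by_location']}")
    print(clean_bat_list(d["path"] for d in report["live"]))
```

Only the "live" entries need a deletion script; if `parsed` is lower than `found`, the log contained lines the regex did not recognise and should be read by hand rather than trusted to the summary.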
Old 06-29-2009, 05:41 AM   #9 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 11
OS: XP


Re: Infostealer virus

"Deleted Successfully!"

Everything appears to be running great. No problems noted in the last several days of use. Thank you so much for your assistance Angelfire. I plan on making a donation soon.
demiskus is offline  
Old 06-29-2009, 07:14 PM   #10 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
Angelfire777's Avatar
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Infostealer virus

Click start > run > copy and paste:

combofix /u

That will hide your system files, clear your system restore cache and uninstall combofix.

Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Read TonyKlein's How Did I Get Infected In The First Place?.

Please check out miekiemoes' "How to Prevent Malware"

Happy safe surfing!

Note: Please reply to this thread one last time so I could mark it as resolved.
Angelfire777 is offline  
Old 06-29-2009, 08:58 PM   #11 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 11
OS: XP


Re: Infostealer virus

Successfully uninstalled. Thank you again.
demiskus is offline  
Copyright 2001 - 2009, Tech Support Forum