My computer was infected by Trojan Horse virus and I have been getting Symantec Email Proxy Error Pop up. I have tried all sorts of method and it ends up with a Error status for the Norton Anti-Virus Email scanning. This has in fact stopped the Error message popping up. However, I know that this isn't the right solution, the virus is still in my system. This is the HijackThis Log from my system, please advise me what should I do next:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:26:02 PM, on 1/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\O2Micro\AudioDJ\o2cd.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\O2Micro\AudioDJ\o2cd .exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Logitech\iTouch\iTouch .exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC .EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe
C:\Program Files\QuickTime\QTTask .exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\PROGRA~1\Canon\MULTIP~1\MPTBox .exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\wlmsvcxp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\svchostx.exe
C:\Program Files\QuickTime\QTTask .exe
C:\WINDOWS\System32\P2P Networking\P2P Networking .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Canon\MultiPASS4\MPDBMgr.exe
C:\Program Files\Windows Live\installer\WLSetupSvc.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F3 - REG:win.ini: load=C:\WINDOWS\system32\awvtr.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [o2cd] C:\Program Files\O2Micro\AudioDJ\o2cd.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [sp] regedit -s C:\sp.reg
O4 - HKLM\..\Run: [MPTBox] C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Control Server] wlmsvcxp.exe
O4 - HKLM\..\Run: [Windows svchost] svchostx.exe
O4 - HKLM\..\Run: [P2P Networking ] C:\WINDOWS\System32\P2P Networking\P2P Networking .exe /AUTOSTART
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O15 - Trusted Zone: http://schdnavdo.schooldna.com
O15 - Trusted Zone: http://schdnaweb.schooldna.com
O15 - Trusted Zone: http://schdnaweb1.schooldna.com
O15 - Trusted Zone: http://schdnaweb2.schooldna.com
O15 - Trusted Zone: http://www.schooldna.com
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: Yahoo! Reversi - http://download2.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/CursorManiaInitialSetup1.0.0.6.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://netgil.chevrontexaco.com/ica32/wficat.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-SG/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.can.com.sg/mwf/mgaxctrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166446513187
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B1647320-9EC8-4B0F-BF53-93D4A43FA614} (TerminalSvcsTCSX Control) - https://mydesk-wt01.morganstanley.com/prx/000/http/rc-fe.ms.com:8180/mydesk/common/htdocs/SPX/2.0.1.10/TerminalSvcsTCS.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://portal.morganstanley.com/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Toolbar) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by121fd.bay121.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Filter hijack: text/html - {F5C815D5-17DC-46FF-8F62-2CB038AB6DDC} - C:\WINDOWS\system32\wmvtore.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 10439 bytes

Recommended Answers

All 16 Replies

8 hours has past.... No help has offered yet.... The pop-up came back this morning again... /COLOR] :'( Please Help !! really very frustrated with the pop-up...

Hi and welcome to Daniweb forums :).

Please download ComboFix by sUBs from HERE or HERE

  • Save it to your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields)
  • Click on your START button and choose Run. Then copy/paste the entire content of the following quotebox (Including the "" marks and the Symbols) into the run box.

    "%userprofile%\desktop\ComboFix.exe" /KillAll

    [IMG]http://i5.photobucket.com/albums/y153/crunchie1/thRunBox_KillAll.jpg[/IMG]

  • Click OK and this will start ComboFix.
  • When finished, it will produce a log. Please save that log to a Notepad File and include it in your next reply along with a fresh HJT log.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

* Re-enable all the programs that were disabled prior to the running of ComboFix.

* Post the following logs/Reports:


  • ComboFix.txt
  • Fresh HijackThis log run after all the other tools have performed their cleanup.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Hi Crunchie,

Thanks for your advice. This is the log from ComboFix:
ComboFix 08-01-23.1C - acer 2008-01-27 15:56:10.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.936.86.1033.18.164 [GMT 8:00]
Running from: C:\Documents and Settings\acer\desktop\ComboFix.exe
Command switches used :: /KillAll
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\a.exe
C:\d.exe
C:\Documents and Settings\All Users.\documents\settings\config.ini
C:\Documents and Settings\All Users.\documents\settings\partnership.dll
C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\SYMNET~1\SNDMon.exe
C:\Program Files\Canon\MultiPASS4\MPTBox .exe
C:\Program Files\Canon\MultiPASS4\MPTBox.exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccRegVfy .exe
C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt .exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\Installr\1.bin\F3EZSETP.DLL
C:\Program Files\FunWebProducts\Installr\Cache\files.ini
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MailStampBtn-new.html
C:\Program Files\FunWebProducts\Shared\Cache\MailStampBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn-new.html
C:\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\iTouch\iTouch .exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\MouseWare\system\EM_EXEC .EXE
C:\Program Files\MouseWare\system\EM_EXEC.EXE
C:\Program Files\MyWay
C:\Program Files\MyWay\bar\History\search
C:\Program Files\MyWay\bar\Settings\settings.dat
C:\Program Files\MyWay\bar\Settings\settings.htm
C:\Program Files\MyWay\myBar\1.bin\MY2NS.EXE
C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
C:\Program Files\MyWay\myBar\1.bin\NPMYWAY.DLL
C:\Program Files\MyWay\myBar\1.bin\UNINSTALL.INF
C:\Program Files\MyWay\myBar\Cache\00021023
C:\Program Files\MyWay\myBar\Cache\00025588
C:\Program Files\MyWay\myBar\Cache\00025DB6
C:\Program Files\MyWay\myBar\Cache\000274B9.bin
C:\Program Files\MyWay\myBar\Cache\000278B0.bmp
C:\Program Files\MyWay\myBar\Cache\00027BDD.bin
C:\Program Files\MyWay\myBar\Cache\0006038D
C:\Program Files\MyWay\myBar\Cache\00073779
C:\Program Files\MyWay\myBar\Cache\00075E98
C:\Program Files\MyWay\myBar\Cache\000EFFF7
C:\Program Files\MyWay\myBar\Cache\00295A5D
C:\Program Files\MyWay\myBar\Cache\003E805D
C:\Program Files\MyWay\myBar\Cache\0046CD8C
C:\Program Files\MyWay\myBar\Cache\005760E5
C:\Program Files\MyWay\myBar\Cache\files.ini
C:\Program Files\MyWay\myBar\History\search
C:\Program Files\MyWay\myBar\Settings\prevcfg.htm
C:\Program Files\MyWay\myBar\Settings\settings.dat
C:\Program Files\MyWay\myBar\Settings\settings.htm
C:\Program Files\O2Micro\AudioDJ\o2cd .exe
C:\Program Files\O2Micro\AudioDJ\o2cd.exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\REGSHAVE\REGSHAVE .EXE
C:\Program Files\REGSHAVE\Regshave.exe
C:\Program Files\SymNetDrv\SNDMon .exe
C:\Program Files\SymNetDrv\SNDMon.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont .exe
C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
C:\WINDOWS\Downloaded Program Files\UERS_0001_NI57M1124NetInstaller.exe
C:\WINDOWS\Fonts\acrsecB.fon
C:\WINDOWS\Fonts\acrsecI.fon
C:\WINDOWS\Image2008.zip
C:\WINDOWS\ime\imjp8_1\IMJPMIG .EXE
C:\WINDOWS\system32\4_exception.nls
C:\WINDOWS\system32\awvtr.dll
C:\WINDOWS\system32\awvtr.exe
C:\WINDOWS\system32\drivers\Hlp61.sys
C:\WINDOWS\system32\IME\PINTLGNT\ImScInst .exe
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP .EXE
C:\WINDOWS\system32\jkkiifc.dll
C:\WINDOWS\System32\P2P Networking\P2P Networking .exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\WINDOWS\system32\pmnnnll.dll
C:\WINDOWS\system32\RCX38.tmp
C:\WINDOWS\system32\rtvwa.ini
C:\WINDOWS\system32\rtvwa.ini2
C:\Documents and Settings\All Users.\documents\settings

<pre>
C:\WINDOWS\system32\IME\PINTLGNT\ImScInst .exe ---> QooBox
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP .EXE ---> QooBox
C:\WINDOWS\ime\imjp8_1\IMJPMIG .EXE ---> QooBox
C:\Program Files\Common Files\Symantec Shared\ccApp .exe ---> QooBox
C:\Program Files\Common Files\Symantec Shared\ccRegVfy .exe ---> QooBox
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt .exe ---> QooBox
C:\Program Files\O2Micro\AudioDJ\o2cd .exe ---> QooBox
C:\Program Files\Logitech\iTouch\iTouch .exe ---> QooBox
C:\Program Files\MouseWare\system\EM_EXEC .EXE ---> QooBox
C:\Program Files\REGSHAVE\REGSHAVE .EXE ---> QooBox
C:\Program Files\Canon\MultiPASS4\MPTBox .exe ---> QooBox
C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont .exe ---> QooBox
C:\Program Files\SymNetDrv\SNDMon .exe ---> QooBox
C:\Program Files\iTunes\iTunesHelper .exe ---> QooBox
</pre>

.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_HLP61
-------\LEGACY_RUNTIME
-------\LEGACY_SMTPDRV
-------\Hlp61
-------\nm
-------\runtime


((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 )))))))))))))))))))))))))))))))
.

2008-01-27 16:06 . 71 C:\a.bat
2008-01-27 15:53 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-27 08:01 . 2008-01-27 15:43 0 --a------ C:\WINDOWS\system32\stdoleh.tlb
2008-01-27 08:00 . 2008-01-27 15:43 0 --a------ C:\WINDOWS\system32\stdolex.tlb
2008-01-26 22:40 . 2008-01-26 22:40 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-01-26 22:17 . 2008-01-26 22:17 <DIR> d-------- C:\Program Files\Windows Live
2008-01-26 22:17 . 2008-01-26 22:17 <DIR> d--hs---- C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-26 20:14 . 2008-01-26 20:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-26 09:55 . 2008-01-26 09:55 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-01-25 22:08 . 2008-01-25 22:08 90,112 --a------ C:\WINDOWS\system32\crehcjid.dll
2008-01-25 22:08 . 2008-01-25 22:08 18,432 --a------ C:\rvivgern.exe
2008-01-25 22:08 . 2008-01-27 16:05 16,768 --a------ C:\WINDOWS\system32\tcpip_patcher.sys
2008-01-25 22:08 . 2008-01-25 22:08 2 --a------ C:\794366681
2008-01-25 20:50 . 2008-01-25 20:50 36,352 -r-hs---- C:\WINDOWS\svchostx.exe
2008-01-23 20:45 . 2008-01-23 20:45 35,840 -r-hs---- C:\WINDOWS\wlmsvcxp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-15 05:14 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-03-15 05:14 --------- d-----w C:\Program Files\Power Video Capture Convert Burn DVD Studio
2008-03-12 05:17 --------- d-----w C:\Program Files\Anvsoft
2008-03-11 11:08 --------- d-----w C:\Program Files\Free iPod Video Converter
2008-03-01 05:56 --------- d-----w C:\Program Files\Windows Live Favorites
2008-01-27 08:06 36,510 ----a-w C:\WINDOWS\Image2008.zip
2007-11-28 00:24 --------- d-----w C:\Program Files\Common Files\Canon
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-30 17:20 360,064 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 09:39 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 09:39 230,912 ------w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-27 09:37 2,109,440 ------w C:\WINDOWS\system32\dllcache\wmvcore.dll
2007-06-05 13:04 2,068,128 ----a-w C:\Program Files\timeleft.exe
2006-01-01 10:24 34,412,848 ----a-w C:\Program Files\iTunesSetup.exe
2005-10-20 14:13 5,691,288 ----a-w C:\Program Files\InstallAble2Doc.exe
2005-10-20 14:02 643,276 ----a-w C:\Program Files\pdf2word.exe
2005-09-04 09:03 1,013,627 ----a-w C:\Program Files\wrar350.exe
2003-09-27 06:09 1,492,645 ----a-w C:\Program Files\mp3cinst.exe
2003-05-24 09:53 32 --sha-w C:\WINDOWS\{D2F9AD81-F372-49A2-A1FC-4A368C259862}.dat
2003-05-24 09:53 32 --sha-w C:\WINDOWS\system32\{DD7185E4-F7DD-4534-8940-B97C62FB3195}.dat
2004-11-25 08:00 0 --sha-r C:\WINDOWS\system32\mcc(2).exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2002-06-19 02:44 46592 C:\WINDOWS\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2002-05-24 12:42 372736 C:\WINDOWS\system32\nwiz.exe]
"o2cd"="C:\Program Files\O2Micro\AudioDJ\o2cd.exe" [ ]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [ ]
"EM_EXEC"="C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [ ]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 13:32 208952]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 12:00 59392]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-29 12:00 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-29 12:00 455168]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [ ]
"sp"="regedit -s C:\sp.reg" [ ]
"MPTBox"="C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe" [ ]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" [ ]
"P2P Networking"="C:\WINDOWS\System32\P2P Networking\P2P Networking.exe" [ ]
"PE2CKFNT SE"="C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"Windows Control Server"="wlmsvcxp.exe" [2008-01-23 20:45 35840 C:\WINDOWS\wlmsvcxp.exe]
"Windows svchost"="svchostx.exe" [2008-01-25 20:50 36352 C:\WINDOWS\svchostx.exe]
"P2P Networking "="C:\WINDOWS\System32\P2P Networking\P2P Networking .exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2006-05-15 18:24 67264]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 15:56 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\?x€]
?x€

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\?`]
?`

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crehcjid]
crehcjid.dll 2008-01-25 22:08 90112 C:\WINDOWS\system32\crehcjid.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Hlp61.sys]
@="Driver"

R1 o2adj;o2adj;C:\WINDOWS\system32\drivers\o2adj.sys [2002-10-18 15:22]
S3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\drivers\lccfltr.sys [2002-09-28 12:47]
S3 R20_W2K;Reflex 20 Smart card reader;C:\WINDOWS\system32\DRIVERS\R20_W2K.sys [2002-03-08 04:06]
S3 R20V2W2K;Reflex 20 v.2 Smart card reader;C:\WINDOWS\system32\DRIVERS\R20V2W2K.sys [2003-04-16 17:48]
S3 Reflex USB v.2 Smart card reader;Reflex USB v.2 Smart card reader;C:\WINDOWS\system32\DRIVERS\rusb2w2k.sys [2002-10-28 20:39]
S3 Reflex20 v3 Smart card reader;Reflex20 v3 Smart card reader;C:\WINDOWS\system32\DRIVERS\R20V3.sys [2004-09-09 17:42]
S3 SCR24x PCMCIA Smart Card Reader;SCR24x PCMCIA Smart Card Reader;C:\WINDOWS\system32\DRIVERS\SCR24X.sys [2005-03-09 02:20]
S3 SCR33X USB Smart Card Reader;SCR33X USB Smart Card Reader;C:\WINDOWS\system32\DRIVERS\SCR33X2K.sys [2004-04-06 04:24]
S3 stcusb;Reflex USB;C:\WINDOWS\system32\DRIVERS\RUSB_W2K.sys [2002-03-14 03:10]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{651099f0-591e-11dc-8ce9-0010dc7cc095}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-01-25 12:00:02 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-01-07 10:42:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-16 01:03:04 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 16:06:21
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\Program Files\WinRAR\rarext.dll
.
Completion time: 2008-01-27 16:28:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-27 08:28:14
.
2008-01-09 13:46:50 --- E O F ---

The Log from HijackThis :
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:59:22 PM, on 1/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\svchostx.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
C:\WINDOWS\wlmsvcxp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [o2cd] C:\Program Files\O2Micro\AudioDJ\o2cd.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [sp] regedit -s C:\sp.reg
O4 - HKLM\..\Run: [MPTBox] C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Control Server] wlmsvcxp.exe
O4 - HKLM\..\Run: [Windows svchost] svchostx.exe
O4 - HKLM\..\Run: [P2P Networking ] C:\WINDOWS\System32\P2P Networking\P2P Networking .exe /AUTOSTART
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O15 - Trusted Zone: http://schdnavdo.schooldna.com
O15 - Trusted Zone: http://schdnaweb.schooldna.com
O15 - Trusted Zone: http://schdnaweb1.schooldna.com
O15 - Trusted Zone: http://schdnaweb2.schooldna.com
O15 - Trusted Zone: http://www.schooldna.com
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: Yahoo! Reversi - http://download2.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/CursorManiaInitialSetup1.0.0.6.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://netgil.chevrontexaco.com/ica32/wficat.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-SG/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.can.com.sg/mwf/mgaxctrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166446513187
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B1647320-9EC8-4B0F-BF53-93D4A43FA614} (TerminalSvcsTCSX Control) - https://mydesk-wt01.morganstanley.com/prx/000/http/rc-fe.ms.com:8180/mydesk/common/htdocs/SPX/2.0.1.10/TerminalSvcsTCS.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://portal.morganstanley.com/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Toolbar) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by121fd.bay121.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O20 - Winlogon Notify: ?x€ - ?x€ (file missing)
O20 - Winlogon Notify: ?` - ?` (file missing)
O20 - Winlogon Notify: crehcjid - C:\WINDOWS\SYSTEM32\crehcjid.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 10026 bytes

After the run of ComboFix, I have problem to enable the Auto Protection and Email protection in Norton.

Please advise what should I do next.

Thank you.

After the run of ComboFix, I have problem to enable the Auto Protection and Email protection in Norton.

Please advise what should I do next.

Thank you.

Unfortunately that is the nature of the infection your pc has. You will have to reinstall Norton I'm afraid.

==

Please go to Jotti's or to virustotal and have these files scanned. Post the results back here.

C:\rvivgern.exe

==

A. Please RUN HijackThis

  1. Click the SCAN button to produce a log.
  2. Place a check mark beside each one of the following items:

    O4 - HKLM\..\Run: [sp] regedit -s C:\sp.reg
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [Windows Control Server] wlmsvcxp.exe
    O4 - HKLM\..\Run: [Windows svchost] svchostx.exe
    O4 - HKLM\..\Run: [P2P Networking ] C:\WINDOWS\System32\P2P Networking\P2P Networking .exe /AUTOSTART

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...tup1.0.0.6.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

    O20 - Winlogon Notify: ?x€ - ?x€ (file missing)
    O20 - Winlogon Notify: ?` - ?` (file missing)
    O20 - Winlogon Notify: crehcjid - C:\WINDOWS\SYSTEM32\crehcjid.dll

  3. Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

B. 1. Please open Notepad

  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
C:\sp.reg
C:\WINDOWS\svchostx.exe
C:\WINDOWS\system32\crehcjid.dll
C:\WINDOWS\wlmsvcxp.exe
Folder::
C:\WINDOWS\System32\P2P Networking

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


7. After reboot, (in case it asks to reboot), please re-enable all the programs that were disabled during the running of ComboFix then post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Hi,

Attached are :

1) Result from Jotti's scan;
2) ComboFix txt:


The latest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:20:52 PM, on 1/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [o2cd] C:\Program Files\O2Micro\AudioDJ\o2cd.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [MPTBox] C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O15 - Trusted Zone: http://schdnavdo.schooldna.com
O15 - Trusted Zone: http://schdnaweb.schooldna.com
O15 - Trusted Zone: http://schdnaweb1.schooldna.com
O15 - Trusted Zone: http://schdnaweb2.schooldna.com
O15 - Trusted Zone: http://www.schooldna.com
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: Yahoo! Reversi - http://download2.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://netgil.chevrontexaco.com/ica32/wficat.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-SG/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.can.com.sg/mwf/mgaxctrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166446513187
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B1647320-9EC8-4B0F-BF53-93D4A43FA614} (TerminalSvcsTCSX Control) - https://mydesk-wt01.morganstanley.com/prx/000/http/rc-fe.ms.com:8180/mydesk/common/htdocs/SPX/2.0.1.10/TerminalSvcsTCS.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://portal.morganstanley.com/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Toolbar) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by121fd.bay121.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O20 - Winlogon Notify: ??€ - ??€ (file missing)
O20 - Winlogon Notify: crehcjid - crehcjid.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 9477 bytes


ComboFix 08-01-23.1C - acer 2008-01-27 20:59:04.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.936.86.1033.18.181 [GMT 8:00]
Running from: C:\Documents and Settings\acer\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\acer\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\sp.reg
C:\WINDOWS\svchostx.exe
C:\WINDOWS\system32\crehcjid.dll
C:\WINDOWS\wlmsvcxp.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\sp.reg
C:\WINDOWS\Image2008.zip
C:\WINDOWS\svchostx.exe
C:\WINDOWS\system32\crehcjid.dll
C:\WINDOWS\System32\P2P Networking
C:\WINDOWS\System32\P2P Networking\Cache\Database\index256.dbb
C:\WINDOWS\System32\P2P Networking\MARSHAL3.DLL
C:\WINDOWS\System32\P2P Networking\P2P Networking.eng
C:\WINDOWS\wlmsvcxp.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 )))))))))))))))))))))))))))))))
.

2008-01-27 15:53 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-27 08:01 . 2008-01-27 15:43 0 --a------ C:\WINDOWS\system32\stdoleh.tlb
2008-01-27 08:00 . 2008-01-27 15:43 0 --a------ C:\WINDOWS\system32\stdolex.tlb
2008-01-26 22:40 . 2008-01-26 22:40 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-01-26 22:17 . 2008-01-26 22:17 <DIR> d-------- C:\Program Files\Windows Live
2008-01-26 22:17 . 2008-01-26 22:17 <DIR> d--hs---- C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-26 20:14 . 2008-01-26 20:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-26 09:55 . 2008-01-26 09:55 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-01-25 22:08 . 2008-01-25 22:08 18,432 --a------ C:\rvivgern.exe
2008-01-25 22:08 . 2008-01-27 21:03 16,768 --a------ C:\WINDOWS\system32\tcpip_patcher.sys
2008-01-25 22:08 . 2008-01-25 22:08 2 --a------ C:\794366681

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-15 05:14 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-03-15 05:14 --------- d-----w C:\Program Files\Power Video Capture Convert Burn DVD Studio
2008-03-12 05:17 --------- d-----w C:\Program Files\Anvsoft
2008-03-11 11:08 --------- d-----w C:\Program Files\Free iPod Video Converter
2008-03-01 05:56 --------- d-----w C:\Program Files\Windows Live Favorites
2007-11-28 00:24 --------- d-----w C:\Program Files\Common Files\Canon
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-30 17:20 360,064 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 09:39 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 09:39 230,912 ------w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-27 09:37 2,109,440 ------w C:\WINDOWS\system32\dllcache\wmvcore.dll
2007-06-05 13:04 2,068,128 ----a-w C:\Program Files\timeleft.exe
2006-01-01 10:24 34,412,848 ----a-w C:\Program Files\iTunesSetup.exe
2005-10-20 14:13 5,691,288 ----a-w C:\Program Files\InstallAble2Doc.exe
2005-10-20 14:02 643,276 ----a-w C:\Program Files\pdf2word.exe
2005-09-04 09:03 1,013,627 ----a-w C:\Program Files\wrar350.exe
2003-09-27 06:09 1,492,645 ----a-w C:\Program Files\mp3cinst.exe
2003-05-24 09:53 32 --sha-w C:\WINDOWS\{D2F9AD81-F372-49A2-A1FC-4A368C259862}.dat
2003-05-24 09:53 32 --sha-w C:\WINDOWS\system32\{DD7185E4-F7DD-4534-8940-B97C62FB3195}.dat
2004-11-25 08:00 0 --sha-r C:\WINDOWS\system32\mcc(2).exe
.

((((((((((((((((((((((((((((( snapshot@2008-01-27_16.07.26.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-27 07:54:14 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-27 12:58:50 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-27 07:54:14 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-27 12:58:50 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-27 07:54:14 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-27 12:58:50 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-27 07:54:14 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-27 12:58:50 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-27 07:54:14 6,516,736 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-27 12:58:50 6,516,736 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-27 07:54:14 16,384 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-27 12:58:50 16,384 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2000-08-31 00:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2002-06-19 02:44 46592 C:\WINDOWS\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2002-05-24 12:42 372736 C:\WINDOWS\system32\nwiz.exe]
"o2cd"="C:\Program Files\O2Micro\AudioDJ\o2cd.exe" [ ]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [ ]
"EM_EXEC"="C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [ ]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 13:32 208952]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 12:00 59392]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-29 12:00 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-29 12:00 455168]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [ ]
"MPTBox"="C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe" [ ]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" [ ]
"PE2CKFNT SE"="C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2006-05-15 18:24 67264]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 15:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Exif Launcher.lnk - C:\Program Files\FinePixViewer\QuickDCF.exe [2002-01-09 03:53:14 200704]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 01:15:54 65588]
Photo Express Calendar Checker SE.lnk - C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe [2007-07-10 21:43:15 55296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\??€]
??€

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crehcjid]
crehcjid.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Hlp61.sys]
@="Driver"

R1 o2adj;o2adj;C:\WINDOWS\system32\drivers\o2adj.sys [2002-10-18 15:22]
S3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\drivers\lccfltr.sys [2002-09-28 12:47]
S3 R20_W2K;Reflex 20 Smart card reader;C:\WINDOWS\system32\DRIVERS\R20_W2K.sys [2002-03-08 04:06]
S3 R20V2W2K;Reflex 20 v.2 Smart card reader;C:\WINDOWS\system32\DRIVERS\R20V2W2K.sys [2003-04-16 17:48]
S3 Reflex USB v.2 Smart card reader;Reflex USB v.2 Smart card reader;C:\WINDOWS\system32\DRIVERS\rusb2w2k.sys [2002-10-28 20:39]
S3 Reflex20 v3 Smart card reader;Reflex20 v3 Smart card reader;C:\WINDOWS\system32\DRIVERS\R20V3.sys [2004-09-09 17:42]
S3 SCR24x PCMCIA Smart Card Reader;SCR24x PCMCIA Smart Card Reader;C:\WINDOWS\system32\DRIVERS\SCR24X.sys [2005-03-09 02:20]
S3 SCR33X USB Smart Card Reader;SCR33X USB Smart Card Reader;C:\WINDOWS\system32\DRIVERS\SCR33X2K.sys [2004-04-06 04:24]
S3 stcusb;Reflex USB;C:\WINDOWS\system32\DRIVERS\RUSB_W2K.sys [2002-03-14 03:10]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{651099f0-591e-11dc-8ce9-0010dc7cc095}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-01-25 12:00:02 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-01-07 10:42:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-16 01:03:04 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 21:05:47
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-27 21:08:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-27 13:08:12
ComboFix2.txt 2008-01-27 08:28:18
.
2008-01-09 13:46:50 --- E O F ---


What's next ?

Can you tell me if the following exist on your pc;

C:\Program Files\O2Micro\AudioDJ\o2cd.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
C:\Program Files\REGSHAVE\REGSHAVE.exe
C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe
C:\PROGRA~1\SYMNET~1\SNDMon.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
C:\Program Files\iTunes\iTunesHelper.exe

==========================

A. Please RUN HijackThis

  1. Click the SCAN button to produce a log.
  2. Place a check mark beside each one of the following items:

    O20 - Winlogon Notify: ??€ - ??€ (file missing)
    O20 - Winlogon Notify: crehcjid - crehcjid.dll (file missing)

  3. Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

B. 1. Please open Notepad

  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:


File::
C:\rvivgern.exe

RENV::
C:\Program Files\QuickTime\QTTask .exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


7. After reboot, (in case it asks to reboot), please re-enable all the programs that were disabled during the running of ComboFix then post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Hi,

I have this two in my PC:
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

ComboFix log:

ComboFix 08-01-23.1C - acer 2008-01-27 22:34:33.3 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.936.86.1033.18.155 [GMT 8:00]
Running from: C:\Documents and Settings\acer\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\acer\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\rvivgern.exe
.

((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 )))))))))))))))))))))))))))))))
.

2008-01-27 21:53 . 2005-11-17 14:05 53,248 --a------ C:\WINDOWS\UpdtNv28.exe
2008-01-27 21:44 . 2008-01-27 21:44 32 --ahs---- C:\WINDOWS\system32\{BB109396-B0BF-4013-89BD-0C685F26EF48}.dat
2008-01-27 21:44 . 2008-01-27 21:44 32 --ahs---- C:\WINDOWS\{4B523643-60C5-497B-86D8-F29DB17F7852}.dat
2008-01-27 21:44 . 2008-01-27 21:44 14 --a------ C:\WINDOWS\system32\SR2.dat
2008-01-27 21:43 . 2008-01-27 21:43 <DIR> d-------- C:\Program Files\Norton AntiVirus
2008-01-27 15:53 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-27 08:01 . 2008-01-27 15:43 0 --a------ C:\WINDOWS\system32\stdoleh.tlb
2008-01-27 08:00 . 2008-01-27 15:43 0 --a------ C:\WINDOWS\system32\stdolex.tlb
2008-01-26 22:40 . 2008-01-26 22:40 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-01-26 22:17 . 2008-01-26 22:17 <DIR> d-------- C:\Program Files\Windows Live
2008-01-26 22:17 . 2008-01-26 22:17 <DIR> d--hs---- C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-26 20:14 . 2008-01-26 20:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-26 09:55 . 2008-01-26 09:55 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-01-25 22:08 . 2008-01-27 21:03 16,768 --a------ C:\WINDOWS\system32\tcpip_patcher.sys
2008-01-25 22:08 . 2008-01-25 22:08 2 --a------ C:\794366681

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-15 05:14 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-03-15 05:14 --------- d-----w C:\Program Files\Power Video Capture Convert Burn DVD Studio
2008-03-12 05:17 --------- d-----w C:\Program Files\Anvsoft
2008-03-11 11:08 --------- d-----w C:\Program Files\Free iPod Video Converter
2008-03-01 05:56 --------- d-----w C:\Program Files\Windows Live Favorites
2007-11-28 00:24 --------- d-----w C:\Program Files\Common Files\Canon
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-30 17:20 360,064 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 09:39 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 09:39 230,912 ------w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-27 09:37 2,109,440 ------w C:\WINDOWS\system32\dllcache\wmvcore.dll
2007-06-05 13:04 2,068,128 ----a-w C:\Program Files\timeleft.exe
2006-01-01 10:24 34,412,848 ----a-w C:\Program Files\iTunesSetup.exe
2005-10-20 14:13 5,691,288 ----a-w C:\Program Files\InstallAble2Doc.exe
2005-10-20 14:02 643,276 ----a-w C:\Program Files\pdf2word.exe
2005-09-04 09:03 1,013,627 ----a-w C:\Program Files\wrar350.exe
2003-09-27 06:09 1,492,645 ----a-w C:\Program Files\mp3cinst.exe
2004-11-25 08:00 0 --sha-r C:\WINDOWS\system32\mcc(2).exe
.

((((((((((((((((((((((((((((( snapshot@2008-01-27_16.07.26.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-27 07:54:14 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-27 14:34:22 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-27 07:54:14 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-27 14:34:22 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-27 07:54:14 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-27 14:34:24 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-27 07:54:14 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-27 14:34:24 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-27 07:54:14 6,516,736 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-27 14:34:24 6,516,736 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-27 07:54:14 16,384 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-27 14:34:24 16,384 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2000-08-31 00:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
- 2003-12-02 08:11:10 99,352 ----a-w C:\WINDOWS\system32\ccPasswd.dll
+ 2002-08-19 14:23:08 100,040 ----a-w C:\WINDOWS\system32\ccPasswd.dll
- 2003-11-06 00:22:48 95,480 ----a-w C:\WINDOWS\system32\ccTrust.dll
+ 2002-08-08 13:29:32 87,752 ----a-w C:\WINDOWS\system32\ccTrust.dll
- 2003-09-24 04:07:20 124,168 ----a-w C:\WINDOWS\system32\SymStore.dll
+ 2002-08-15 09:45:58 63,192 ----a-w C:\WINDOWS\system32\SymStore.dll
- 2002-08-24 07:00:46 50,904 ----a-w C:\WINDOWS\system32\SymTdiRg.exe
+ 2002-08-15 09:46:04 50,904 ----a-w C:\WINDOWS\system32\SymTdiRg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2002-06-19 02:44 46592 C:\WINDOWS\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2002-05-24 12:42 372736 C:\WINDOWS\system32\nwiz.exe]
"o2cd"="C:\Program Files\O2Micro\AudioDJ\o2cd.exe" [ ]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [ ]
"EM_EXEC"="C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [ ]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 13:32 208952]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 12:00 59392]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-29 12:00 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-29 12:00 455168]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [ ]
"MPTBox"="C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe" [ ]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" [ ]
"PE2CKFNT SE"="C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"NAV CfgWiz"="C:\PROGRA~1\NORTON~1\Cfgwiz.exe" [2002-11-15 00:08 476792]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-08-19 22:22 50880]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-19 22:23 34504]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2006-05-15 18:24 67264]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 15:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Exif Launcher.lnk - C:\Program Files\FinePixViewer\QuickDCF.exe [2002-01-09 03:53:14 200704]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 01:15:54 65588]
Photo Express Calendar Checker SE.lnk - C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe [2007-07-10 21:43:15 55296]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Hlp61.sys]
@="Driver"

R1 o2adj;o2adj;C:\WINDOWS\system32\drivers\o2adj.sys [2002-10-18 15:22]
S3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\drivers\lccfltr.sys [2002-09-28 12:47]
S3 R20_W2K;Reflex 20 Smart card reader;C:\WINDOWS\system32\DRIVERS\R20_W2K.sys [2002-03-08 04:06]
S3 R20V2W2K;Reflex 20 v.2 Smart card reader;C:\WINDOWS\system32\DRIVERS\R20V2W2K.sys [2003-04-16 17:48]
S3 Reflex USB v.2 Smart card reader;Reflex USB v.2 Smart card reader;C:\WINDOWS\system32\DRIVERS\rusb2w2k.sys [2002-10-28 20:39]
S3 Reflex20 v3 Smart card reader;Reflex20 v3 Smart card reader;C:\WINDOWS\system32\DRIVERS\R20V3.sys [2004-09-09 17:42]
S3 SCR24x PCMCIA Smart Card Reader;SCR24x PCMCIA Smart Card Reader;C:\WINDOWS\system32\DRIVERS\SCR24X.sys [2005-03-09 02:20]
S3 SCR33X USB Smart Card Reader;SCR33X USB Smart Card Reader;C:\WINDOWS\system32\DRIVERS\SCR33X2K.sys [2004-04-06 04:24]
S3 stcusb;Reflex USB;C:\WINDOWS\system32\DRIVERS\RUSB_W2K.sys [2002-03-14 03:10]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{651099f0-591e-11dc-8ce9-0010dc7cc095}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-01-27 13:49:14 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-01-07 10:42:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-16 01:03:04 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 22:38:45
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-27 22:39:18
ComboFix-quarantined-files.txt 2008-01-27 14:39:16
ComboFix3.txt 2008-01-27 08:28:18
ComboFix2.txt 2008-01-27 13:08:14
.
2008-01-09 13:46:50 --- E O F ---


Latest HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:44:59 PM, on 1/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [o2cd] C:\Program Files\O2Micro\AudioDJ\o2cd.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [MPTBox] C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O15 - Trusted Zone: http://schdnavdo.schooldna.com
O15 - Trusted Zone: http://schdnaweb.schooldna.com
O15 - Trusted Zone: http://schdnaweb1.schooldna.com
O15 - Trusted Zone: http://schdnaweb2.schooldna.com
O15 - Trusted Zone: http://www.schooldna.com
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: Yahoo! Reversi - http://download2.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://netgil.chevrontexaco.com/ica32/wficat.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-SG/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.can.com.sg/mwf/mgaxctrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166446513187
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B1647320-9EC8-4B0F-BF53-93D4A43FA614} (TerminalSvcsTCSX Control) - https://mydesk-wt01.morganstanley.com/prx/000/http/rc-fe.ms.com:8180/mydesk/common/htdocs/SPX/2.0.1.10/TerminalSvcsTCS.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://portal.morganstanley.com/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Toolbar) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by121fd.bay121.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 9513 bytes

Please advise me on what should I do next..Thanks.

From the list below, you will need to reinstall the programs that they refer to, other than the two that you said are there.

C:\Program Files\O2Micro\AudioDJ\o2cd.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
C:\Program Files\REGSHAVE\REGSHAVE.exe
C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe
C:\PROGRA~1\SYMNET~1\SNDMon.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
C:\Program Files\iTunes\iTunesHelper.exe

Your log looks clear. How is the pc?

I think we have finally killed the viruses, my pc is ok now, the email proxy pop up has stopped. Thank you for your GREAT HELP !! :)

Let's get rid of Combofix now that we are finished with it.


  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • When shown the disclaimer, Select "2"

The above procedure will:


  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

==

Now that your PC is clean you need to follow these easy steps to keeping it this way:

Download CCleaner and install, then run it. It will clear out your temp folders.

  1. Uncheck "Cookies" under "Internet Explorer".
  2. Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.
  3. Close when finished.

Secure your Internet Explorer by going here and following the instructions there.

Better yet, use an alternative browser! Download FireFox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera which in my opinion, is better still.

Use a firewall to help prevent your PC's control being usurped by undesireables. There is a link to a good, free firewall in my signature.

Install and keep updated, AVG anti-spyware, Ad-Aware SE and Spybot S&D.
Run them all on a regular basis, following the maker's recommendations.

Install an anti-virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often.

Check for Windows Updates. Microsoft regularly post updates for your systems safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.

Empty the Recycle Bin.

For XP users.
After something like this it is a good idea to Flush the Restore Points and start fresh.
To flush the XP system Restore Points.

Go to Start | Run and type msconfig and press enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings link on the left.

Check the box labelled 'Turn off System restore'.

Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.

Note that all previous restore points will be lost.

===============

If you have any more problems, post back.

-

Happy surfing,

crunchie.

Hi,

Sorry to bother you again.

I could have deleted something in the process of killing the virus. Now my printer is not linked up to my PC. I got this message while trying to add printer:

"Operation could not be completed. The print spooler service is not running."

Would appreciate your advice.

Thank you.

Go to Start | Run and type in services.msc and hit ok. Check that that service is running. If it's not, set it to automatic and reboot your pc. If still no good, you will have to reinstall your printer :).

Hi crunchie,

I went to : Go to Start | Run and type in services.msc and hit ok, I couldn't find the Print Spooler under services at all. I tried to reinstall the printer again, but I got this error message : "RPC Server is not available"... I really don't understand computer, so many problems at one go... :(

That is a Windows file so it should be there. I have exported a branch of my registry (XP PRO SP2) which can be found here; HKLM\System\CurrentControlSet\Services\Spooler
If you unzip the file I uploaded and double clicked to run it, hopefully that will fix you up.
Set a system restore point first!!

Bravo!! My printer is printing again... Thank you very much for all your help. Hope I don't have to bother you with more problems again..:$

You are welcome :)

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.