ComboFix report

Spybot found Virtumondo on my PC. I tried to remove it with VundoFix, then
TrojanVundoRemovalTool, then VirtumundoBeGone and finally I ran ComboFix. Not sure whether I succeeded. Can someone have a look at the following logs please?

Cheers

yAro

VundoFix

VundoFix V7.0.6

Scan started at 13:17:46 06/08/2008

Listing files found while scanning…

C:\Windows\system32\cbXnkLff.dll
C:\Windows\system32\dlnpbwcq.dll
C:\Windows\system32\evzbny.dll
C:\Windows\system32\ffLknXbc.ini
C:\Windows\system32\ffLknXbc.ini2
C:\Windows\system32\hbrmutjf.dll
C:\Windows\system32\iifefDUN.dll
C:\Windows\system32\jxrnzm.dll
C:\Windows\system32\jyqfefsm.dll
C:\Windows\system32\kyvjwkvm.dll
C:\Windows\system32\mbtkynqm.dll
C:\Windows\system32\msfefqyj.tmp
C:\Windows\system32\mvkwjvyk.ini
C:\Windows\system32\mvkwjvyk.ini2
C:\Windows\system32\mvkwjvyk.tmp
C:\Windows\system32\swfrtldt.dll
C:\Windows\system32\xcloee.dll
C:\Windows\system32\xgfwekbd.dll
C:\Windows\system32\xxyxYrQj.dll
C:\Windows\system32\ydidfcwd.dll

Beginning removal…

Attempting to delete C:\Windows\system32\cbXnkLff.dll
C:\Windows\system32\cbXnkLff.dll Has been deleted!

Attempting to delete C:\Windows\system32\dlnpbwcq.dll
C:\Windows\system32\dlnpbwcq.dll Has been deleted!

Attempting to delete C:\Windows\system32\evzbny.dll
C:\Windows\system32\evzbny.dll Has been deleted!

Attempting to delete C:\Windows\system32\ffLknXbc.ini
C:\Windows\system32\ffLknXbc.ini Has been deleted!

Attempting to delete C:\Windows\system32\ffLknXbc.ini2
C:\Windows\system32\ffLknXbc.ini2 Has been deleted!

Attempting to delete C:\Windows\system32\hbrmutjf.dll
C:\Windows\system32\hbrmutjf.dll Has been deleted!

Attempting to delete C:\Windows\system32\iifefDUN.dll
C:\Windows\system32\iifefDUN.dll Could not be deleted.

Attempting to delete C:\Windows\system32\jxrnzm.dll
C:\Windows\system32\jxrnzm.dll Has been deleted!

Attempting to delete C:\Windows\system32\jyqfefsm.dll
C:\Windows\system32\jyqfefsm.dll Has been deleted!

Attempting to delete C:\Windows\system32\kyvjwkvm.dll
C:\Windows\system32\kyvjwkvm.dll Has been deleted!

Attempting to delete C:\Windows\system32\mbtkynqm.dll
C:\Windows\system32\mbtkynqm.dll Has been deleted!

Attempting to delete C:\Windows\system32\msfefqyj.tmp
C:\Windows\system32\msfefqyj.tmp Has been deleted!

Attempting to delete C:\Windows\system32\mvkwjvyk.ini
C:\Windows\system32\mvkwjvyk.ini Has been deleted!

Attempting to delete C:\Windows\system32\mvkwjvyk.ini2
C:\Windows\system32\mvkwjvyk.ini2 Has been deleted!

Attempting to delete C:\Windows\system32\mvkwjvyk.tmp
C:\Windows\system32\mvkwjvyk.tmp Has been deleted!

Attempting to delete C:\Windows\system32\swfrtldt.dll
C:\Windows\system32\swfrtldt.dll Has been deleted!

Attempting to delete C:\Windows\system32\xcloee.dll
C:\Windows\system32\xcloee.dll Has been deleted!

Attempting to delete C:\Windows\system32\xgfwekbd.dll
C:\Windows\system32\xgfwekbd.dll Has been deleted!

Attempting to delete C:\Windows\system32\xxyxYrQj.dll
C:\Windows\system32\xxyxYrQj.dll Has been deleted!

Attempting to delete C:\Windows\system32\ydidfcwd.dll
C:\Windows\system32\ydidfcwd.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V7.0.6

Scan started at 14:06:00 06/08/2008

Listing files found while scanning…

No infected files were found.

VirtumondoBeGone

[08/06/2008, 14:03:58] - VirtumundoBeGone v1.5 ( "E:\Vundo Warmachine\VirtumundoBeGone.exe" )
[08/06/2008, 14:04:07] - Detected System Information:
[08/06/2008, 14:04:07] - Windows Version: 5.1.2600, Service Pack 2
[08/06/2008, 14:04:07] - Current Username: Administrator (Admin)
[08/06/2008, 14:04:07] - Windows is in SAFE mode with Networking.
[08/06/2008, 14:04:07] - Searching for Browser Helper Objects:
[08/06/2008, 14:04:07] - BHO 1: AutorunsDisabled ()
[08/06/2008, 14:04:07] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/06/2008, 14:04:07] - No filename found. Continuing.
[08/06/2008, 14:04:07] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[08/06/2008, 14:04:07] - BHO 3: {62326729-D3FE-44FF-AE33-9C0C34382844} ()
[08/06/2008, 14:04:07] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/06/2008, 14:04:07] - Checking for HKLM.…\Winlogon\Notify\cbXnkLff
[08/06/2008, 14:04:07] - Key not found: HKLM.…\Winlogon\Notify\cbXnkLff, continuing.
[08/06/2008, 14:04:07] - BHO 4: {BB81FE02-F70B-46C2-82C3-DE5C6652E677} ()
[08/06/2008, 14:04:07] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/06/2008, 14:04:07] - Checking for HKLM.…\Winlogon\Notify\iifefDUN
[08/06/2008, 14:04:07] - Found: HKLM.…\Winlogon\Notify\iifefDUN - This is probably Virtumundo.
[08/06/2008, 14:04:07] - Assigning {BB81FE02-F70B-46C2-82C3-DE5C6652E677} MSEvents Object
[08/06/2008, 14:04:07] - BHO list has been changed! Starting over…
[08/06/2008, 14:04:07] - BHO 1: AutorunsDisabled ()
[08/06/2008, 14:04:07] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/06/2008, 14:04:07] - No filename found. Continuing.
[08/06/2008, 14:04:07] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[08/06/2008, 14:04:07] - BHO 3: {62326729-D3FE-44FF-AE33-9C0C34382844} ()
[08/06/2008, 14:04:07] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/06/2008, 14:04:07] - Checking for HKLM.…\Winlogon\Notify\cbXnkLff
[08/06/2008, 14:04:07] - Key not found: HKLM.…\Winlogon\Notify\cbXnkLff, continuing.
[08/06/2008, 14:04:07] - BHO 4: {BB81FE02-F70B-46C2-82C3-DE5C6652E677} (MSEvents Object)
[08/06/2008, 14:04:07] - ALERT: Found MSEvents Object!
[08/06/2008, 14:04:07] - Finished Searching Browser Helper Objects
[08/06/2008, 14:04:07] - *** Detected MSEvents Object
[08/06/2008, 14:04:07] - Trying to remove MSEvents Object…
[08/06/2008, 14:04:08] - Terminating Process: IEXPLORE.EXE
[08/06/2008, 14:04:08] - Terminating Process: RUNDLL32.EXE
[08/06/2008, 14:04:08] - Disabling Automatic Shell Restart
[08/06/2008, 14:04:08] - Terminating Process: EXPLORER.EXE
[08/06/2008, 14:04:09] - Suspending the NT Session Manager System Service
[08/06/2008, 14:04:09] - Terminating Windows NT Logon/Logoff Manager
[08/06/2008, 14:04:09] - Re-enabling Automatic Shell Restart
[08/06/2008, 14:04:09] - File to disable: C:\WINDOWS\system32\iifefDUN.dll
[08/06/2008, 14:04:09] - Renaming C:\WINDOWS\system32\iifefDUN.dll → C:\WINDOWS\system32\iifefDUN.dll.vir
[08/06/2008, 14:04:09] - File successfully renamed!
[08/06/2008, 14:04:09] - Removing HKLM.…\Browser Helper Objects{BB81FE02-F70B-46C2-82C3-DE5C6652E677}
[08/06/2008, 14:04:09] - Removing HKCR\CLSID{BB81FE02-F70B-46C2-82C3-DE5C6652E677}
[08/06/2008, 14:04:09] - Adding Kill Bit for ActiveX for GUID: {BB81FE02-F70B-46C2-82C3-DE5C6652E677}
[08/06/2008, 14:04:09] - Deleting ATLEvents/MSEvents Registry entries
[08/06/2008, 14:04:09] - Removing HKLM.…\Winlogon\Notify\iifefDUN
[08/06/2008, 14:04:09] - Searching for Browser Helper Objects:
[08/06/2008, 14:04:09] - BHO 1: AutorunsDisabled ()
[08/06/2008, 14:04:09] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/06/2008, 14:04:09] - No filename found. Continuing.
[08/06/2008, 14:04:09] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[08/06/2008, 14:04:09] - BHO 3: {62326729-D3FE-44FF-AE33-9C0C34382844} ()
[08/06/2008, 14:04:09] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/06/2008, 14:04:09] - Checking for HKLM.…\Winlogon\Notify\cbXnkLff
[08/06/2008, 14:04:09] - Key not found: HKLM.…\Winlogon\Notify\cbXnkLff, continuing.
[08/06/2008, 14:04:09] - Finished Searching Browser Helper Objects
[08/06/2008, 14:04:09] - Finishing up…
[08/06/2008, 14:04:09] - A restart is needed.
[08/06/2008, 14:04:14] - Attempting to Restart via STOP error (Blue Screen!)

[08/06/2008, 14:15:36] - VirtumundoBeGone v1.5 ( "E:\Vundo Warmachine\VirtumundoBeGone.exe" )
[08/06/2008, 14:15:42] - Detected System Information:
[08/06/2008, 14:15:42] - Windows Version: 5.1.2600, Service Pack 2
[08/06/2008, 14:15:42] - Current Username: Administrator (Admin)
[08/06/2008, 14:15:42] - Windows is in NORMAL mode.
[08/06/2008, 14:15:42] - Searching for Browser Helper Objects:
[08/06/2008, 14:15:42] - BHO 1: AutorunsDisabled ()
[08/06/2008, 14:15:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/06/2008, 14:15:42] - No filename found. Continuing.
[08/06/2008, 14:15:42] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[08/06/2008, 14:15:42] - BHO 3: {62326729-D3FE-44FF-AE33-9C0C34382844} ()
[08/06/2008, 14:15:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/06/2008, 14:15:42] - Checking for HKLM.…\Winlogon\Notify\cbXnkLff
[08/06/2008, 14:15:42] - Key not found: HKLM.…\Winlogon\Notify\cbXnkLff, continuing.
[08/06/2008, 14:15:42] - Finished Searching Browser Helper Objects
[08/06/2008, 14:15:42] - Finishing up…
[08/06/2008, 14:15:42] - Nothing found! Exiting…

ComboFix 08-08-04.09 - Administrator 2008-08-06 14:24:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2854 [GMT 1:00]
Running from: C:\Documents and Settings\Administrator.ATI-10042007\Desktop\ComboFix.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Adam\Application Data\macromedia\Flash Player#SharedObjects\2L33ESM2\interclick.com
C:\Documents and Settings\Adam\Application Data\macromedia\Flash Player#SharedObjects\2L33ESM2\interclick.com\ud.sol
C:\Documents and Settings\Adam\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys#interclick.com
C:\Documents and Settings\Adam\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys#interclick.com\settings.sol
C:\WINDOWS\BM3316b9cf.txt
C:\WINDOWS\BM3316b9cf.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\drvzac.dll
C:\WINDOWS\system32\ewsdmsum.ini
C:\WINDOWS\system32\ewsdmsum.tmp
C:\WINDOWS\system32\ewsdmsum.tmp2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\msfefqyj.tmp2
C:\WINDOWS\system32\qvxffoou.dll
C:\WINDOWS\system32\winjpf32.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-06 to 2008-08-06 )))))))))))))))))))))))))))))))
.

2008-08-06 13:17 . 2008-08-06 14:05 d-------- C:\VundoFix Backups
2008-08-06 13:12 . 2008-08-06 13:12 d-------- C:\Program Files\PrevxCSI
2008-08-06 13:12 . 2008-08-06 14:05 d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-08-06 13:12 . 2008-08-06 14:05 17,408 --a------ C:\WINDOWS\system32\drivers\pxark.sys
2008-08-06 13:11 . 2008-08-06 13:11 d-------- C:\Documents and Settings\Administrator.ATI-10042007\Application Data\EPSON
2008-08-06 13:09 . 2008-08-06 13:09 d-------- C:\Documents and Settings\Administrator.ATI-10042007
2008-08-06 08:55 . 2008-08-06 08:55 2,048 --a------ C:\WINDOWS\system32\usxrjsup.exe
2008-08-05 17:15 . 2008-08-05 17:15 d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-05 17:15 . 2008-08-05 17:23 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-05 16:06 . 2008-08-05 16:06 d-------- C:\Program Files\Windows Defender
2008-08-05 08:52 . 2008-08-05 08:52 d-------- C:\Documents and Settings\administrator\Application Data\Autodesk
2008-08-04 13:14 . 2008-08-04 13:14 d-------- C:\Documents and Settings\All Users\Application Data\services
2008-08-04 13:12 . 2008-08-04 13:12 145 --a------ C:\WINDOWS\system32\winver.bat
2008-08-04 13:11 . 2008-08-04 13:11 36,864 --a------ C:\WINDOWS\system32\iifefDUN.dll.vir

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-06 13:26 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-07-08 13:01 --------- d-----w C:\Program Files\Google
2006-02-28 12:00 94,784 --sh--w C:\WINDOWS\twain.dll
2006-02-28 12:00 50,688 --sh--w C:\WINDOWS\twain_32.dll
2006-02-28 12:00 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2006-02-28 12:00 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
2006-02-28 12:00 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll
2006-02-28 12:00 343,040 --sh--w C:\WINDOWS\system32\msvcrt.dll
2006-02-28 12:00 553,472 --sh--w C:\WINDOWS\system32\oleaut32.dll
2006-02-28 12:00 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
2006-02-28 12:00 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [2006-09-21 10:36 9138176]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-08 07:54 7630848]
"SW20"="C:\WINDOWS\system32\sw20.exe" [2006-06-01 10:22 208896]
"SW24"="C:\WINDOWS\system32\sw24.exe" [2006-06-01 10:22 69632]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-08 07:54 86016]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 15:52 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-04-17 12:30 85184]
"EEventManager"="C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2004-08-05 15:19 118784]
"\\atiserver\EPSON Stylus Photo R2400"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9SE.EXE" [2004-11-09 04:00 98304]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"EPSON Stylus Photo R2400 (from ATISERVER)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9SE.EXE" [2004-11-09 04:00 98304]
"nwiz"="nwiz.exe" [2006-08-08 07:54 1519616 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 13:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-04-25 18:25:05 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"C:\WINDOWS\system32\spool\drivers\w32x86\3\SAGENT4.EXE"=
"C:\Program Files\Google\Google SketchUp 6\SketchUp.exe"=
"C:\WINDOWS\system32\winver.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 pxark;pxark;C:\WINDOWS\system32\drivers\pxark.sys [2008-08-06 14:05]
R2 CSIScanner;CSIScanner;C:\Program Files\PrevxCSI\prevxcsi.exe [2008-08-06 14:05]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys

Newly Created Service - PXARK
.
Contents of the 'Scheduled Tasks' folder

2008-08-06 C:\WINDOWS\Tasks\MP Scheduled Scan.job

- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{62326729-D3FE-44FF-AE33-9C0C34382844} - C:\WINDOWS\system32\cbXnkLff.dll
Toolbar-{5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - (no file)
HKLM-Run-MSDisp32 - C:\WINDOWS\system32\drvzac.dll
HKLM-Run-30258a53 - C:\WINDOWS\system32\jyqfefsm.dll
HKLM-Run-BM3316b9cf - C:\WINDOWS\system32\xgfwekbd.dll
HKLM-Run-SigmatelSysTrayApp - sttray.exe
ShellExecuteHooks-{BB81FE02-F70B-46C2-82C3-DE5C6652E677} - (no file)
Notify-winjpf32 - winjpf32.dll


catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-06 14:33:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"\\atiserver\EPSON Stylus Photo R2400"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9SE.EXE /P36 "\\atiserver\EPSON Stylus Photo R2400" /O6 "USB001" /M "Stylus Photo R2400""
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
.


.
Completion time: 2008-08-06 14:37:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-06 13:37:56

Pre-Run: 143,891,697,664 bytes free
Post-Run: 144,599,298,048 bytes free

141

And finally the HJT report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:48:59, on 06/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
E:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [\\atiserver\EPSON Stylus Photo R2400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9SE.EXE /P36 "\\atiserver\EPSON Stylus Photo R2400" /O6 "USB001" /M "Stylus Photo R2400"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R2400 (from ATISERVER)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9SE.EXE /P41 "EPSON Stylus Photo R2400 (from ATISERVER)" /O5 "TS003" /M "Stylus Photo R2400"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ATI.local
O17 - HKLM\Software\..\Telephony: DomainName = ATI.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ATI.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ATI.local
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


End of file - 7017 bytes

I scanned my PC with Malwarebytes. It found a lot of threats. Then I scanned it again. Somewhat fewer, but still lots of threats.
Where do I go from here?
Thanks
yAro

Hi yaro137,

You seem not to be an avast user. Combofix has cleansed a lot of crap from your machine, and the HJT log has not much out of the ordinary. Clean your temp files using ATFCleaner and ClearProg and do a full scan with DrWeb's CureIt non-resident scanner, updated to the latest version.

polonus

Norton AV is crap; as you see, your computer is infected with plenty of viruses. Try Avast and you will see the difference. :wink:

You’re using Norton but asking for help on avast forums ???