Virtumonde infection.

Viruses and worms
1

Good Morning all, i have a virtumonde Trojan infection that i cannot seem to shake. I was hoping that some one out there could help. I spent hours reading through the forums last night especially “confused and out of steam”. If “oldman” & “essexboy” would like to go for another round would you please get in touch with me.
to date- i was running Norton Av which said that it had blocked the infection but obviously did not. i have since installed Avast and this still is coming up with lots of Trojan but will not remove them from the system.
i also run Spybot, avg anti spyware( so far these recognise that there is a problem but have not removed the cause)

I have run virtumonde be gone & fixvundo however both of these find no infections.

i am hoping that someone will be able to help

regards in advance Dave (apeman1977)

2

I forgot to mention that the rundll32.exe file has either been deleted or remdered useless due to the infection.

dave

3

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:57:14 AM, on 20/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\Shared Files\CIDS\CTStray.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Hijackthis\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [ccApp] “C:\Program Files\Common Files\Symantec Shared\ccApp.exe”
O4 - HKLM..\Run: [osCheck] “C:\Program Files\Norton AntiVirus\osCheck.exe”
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [Creative Mouse Software] C:\Program Files\Creative\Shared Files\CIDS\CTStray.exe
O4 - HKLM..\Run: [Symantec PIF AlertEng] “C:\Program Files\Common Files\Symantec Shared\PIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe” /a /m “C:\Program Files\Common Files\Symantec Shared\PIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll”
O4 - HKLM..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM..\Run: [Winupdate Engine] C:\WINDOWS\system32\wupeng.exe
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [a-squared] “C:\Program Files\a-squared Anti-Malware\a2guard.exe” /d=60
O4 - HKLM..\Run: [!AVG Anti-Spyware] “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized
O4 - HKCU..\Run: [msnmsgr] “C:\Program Files\MSN Messenger\msnmsgr.exe” /background
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘NETWORK SERVICE’)
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra ‘Tools’ menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra ‘Tools’ menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay105.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200725434593
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.youplay.com/games/3rdParty/PopCap/popcaploader_v10.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: winhoq32 - winhoq32.dll (file missing)
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

4

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe


End of file - 11181 bytes

5

Did you run the Norton Removal Tool before installing avast!? If not, remove avast! through add & remove, then use the avast! uninstall utility. Run the Norton Removal Tool. Now install avast!.

Try SUPERAntiSpyware Free, it can remove malware that others can’t, it also has some good repair tools.

I’m sure someone will shortly help you, I’ve just given you something to get you started.

6

i cannot get to the add/remove feature as my rundll32.exe file has been deleted/disabled. can i do this through the start menu?

7

Try Revo Uninstaller.

8

norton uninstalled and avast being reinstalled at this minute. do you want another hjt report?

do you know of any reason that the rundll32 file would be deleted?

9

I’m not sure it was deleted. Give this a run and we’ll have a peek under the hood. Run HJT aftrwards. You can attach both logs by using the additional options button on the reply page.

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix’s window while its running. That may cause it to stall.

10

ComboFix 08-01-20.1 - David 2008-01-20 10:57:29.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.472 [GMT 10:00]
Running from: C:\Documents and Settings\David\My Documents\My Received Files\ComboFix.exe

  • Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\sfsync02.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SFSYNC02
-------\sfsync02

((((((((((((((((((((((((( Files Created from 2007-12-20 to 2008-01-20 )))))))))))))))))))))))))))))))
.

2008-01-20 10:55 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-20 10:16 . 2008-01-20 10:16 d-------- C:\Program Files\VS Revo Group
2008-01-20 09:56 . 2008-01-20 10:51 d-------- C:\Hijackthis
2008-01-19 21:03 . 2008-01-19 21:03 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-19 21:02 . 2008-01-20 08:46 d-------- C:\Program Files\SUPERAntiSpyware
2008-01-19 21:02 . 2008-01-19 21:02 d-------- C:\Documents and Settings\David\Application Data\SUPERAntiSpyware.com
2008-01-19 21:00 . 2008-01-19 21:00 d-------- C:\Documents and Settings\David\Application Data\Grisoft
2008-01-19 20:58 . 2008-01-19 20:58 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-19 20:58 . 2007-05-30 22:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-19 20:57 . 2008-01-20 10:46 d-------- C:\Program Files\a-squared Anti-Malware
2008-01-19 19:31 . 2008-01-19 19:02 27,448,192 --a------ C:\a2AntiMalwareSetup.exe
2008-01-19 19:31 . 2008-01-19 18:13 14,113,576 --a------ C:\avgas-setup-7.5.1.43-3339.exe
2008-01-19 19:31 . 2008-01-19 19:10 5,914,648 --a------ C:\SUPERAntiSpyware.exe
2008-01-19 19:31 . 2008-01-19 18:11 132,608 --a------ C:\VundoFix.exe
2008-01-19 19:31 . 2008-01-19 18:12 96,978 --a------ C:\VirtumundoBeGone.exe
2008-01-19 16:57 . 2008-01-19 16:57 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-16 21:45 . 2007-12-04 23:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-16 21:45 . 2004-01-09 19:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-16 21:45 . 2007-12-04 22:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-16 21:45 . 2007-12-05 00:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-16 21:45 . 2007-12-05 00:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-16 21:45 . 2007-12-05 00:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-16 21:45 . 2007-12-05 00:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-16 21:45 . 2007-12-05 00:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-16 21:43 . 2008-01-16 21:43 d-------- C:\Program Files\Alwil Software
2008-01-15 23:20 . 2008-01-15 23:20 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-01-14 22:01 . 2008-01-14 22:01 166,064 --a------ C:\FixVundo.exe
2008-01-14 21:08 . 2008-01-14 21:08 150 --a------ C:\WINDOWS\wininit.ini
2008-01-14 20:12 . 2006-01-18 00:19 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-01-14 20:12 . 2006-01-18 00:19 31,616 --a–c— C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-01-14 20:12 . 2006-01-18 00:19 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-01-14 20:12 . 2006-01-18 00:19 25,856 --a–c— C:\WINDOWS\system32\dllcache\usbprint.sys
2008-01-14 20:09 . 2008-01-14 20:09 d-------- C:\Program Files\Common Files\CANON
2008-01-14 19:56 . 2008-01-14 19:56 d–h----- C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-01-14 19:56 . 2001-08-17 13:53 6,784 --a------ C:\WINDOWS\system32\drivers\serscan.sys
2008-01-14 19:56 . 2001-08-17 13:53 6,784 --a–c— C:\WINDOWS\system32\dllcache\serscan.sys
2008-01-14 19:54 . 2008-01-14 19:54 d–h----- C:\WINDOWS\system32\CanonIJ Uninstaller Information
2008-01-14 19:54 . 2007-04-17 10:08 1,400,832 --a------ C:\WINDOWS\system32\CNC970C.DLL
2008-01-14 19:54 . 2007-05-22 06:00 215,040 --a------ C:\WINDOWS\system32\CNMLM91.DLL
2008-01-14 19:54 . 2007-07-11 09:54 208,896 --a------ C:\WINDOWS\system32\CNC970L.DLL
2008-01-14 19:54 . 2007-03-15 15:12 188,416 --a------ C:\WINDOWS\system32\CNC970O.DLL
2008-01-14 19:54 . 2007-04-17 10:07 98,304 --a------ C:\WINDOWS\system32\CNC970I.DLL
2008-01-14 19:53 . 2008-01-14 19:53 d–h----- C:\Program Files\CanonBJ
2008-01-14 19:53 . 2007-05-14 16:49 362,496 --a------ C:\WINDOWS\system32\CNMNPPM.DLL
2008-01-14 19:53 . 2007-05-14 16:49 142,336 --a------ C:\WINDOWS\system32\CNMNPUI.DLL
2008-01-14 19:53 . 2007-03-20 01:14 117,850 --a------ C:\WINDOWS\system32\Cnmnput.chm
2008-01-01 16:02 . 2008-01-01 16:02 d-------- C:\Documents and Settings\David\Application Data\Nokia Multimedia Player
2008-01-01 15:59 . 2008-01-01 15:59 d-------- C:\Documents and Settings\David\Phone Browser
2008-01-01 15:56 . 2008-01-01 15:58 d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-01-01 15:55 . 2008-01-01 15:58 d-------- C:\Documents and Settings\David\Application Data\Nokia
2008-01-01 15:54 . 2008-01-01 15:54 d-------- C:\Program Files\PC Connectivity Solution
2008-01-01 15:54 . 2008-01-01 15:54 d-------- C:\Program Files\DIFX
2008-01-01 15:54 . 2008-01-01 15:54 d-------- C:\Program Files\Common Files\PCSuite
2008-01-01 15:54 . 2008-01-01 15:55 d-------- C:\Program Files\Common Files\Nokia
2008-01-01 15:54 . 2008-01-01 15:59 d-------- C:\Documents and Settings\David\Application Data\PC Suite
2008-01-01 15:54 . 2007-02-22 11:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-01-01 15:54 . 2007-02-22 11:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2008-01-01 15:54 . 2007-02-22 11:15 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-01-01 15:53 . 2008-01-01 15:54 d-------- C:\Program Files\Nokia
2008-01-01 15:53 . 2007-02-22 11:15 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2008-01-01 15:53 . 2007-02-22 11:15 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2008-01-01 15:53 . 2007-02-22 11:15 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-01-01 15:52 . 2008-01-01 15:52 d-------- C:\Documents and Settings\All Users\Application Data\Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-20 00:39 --------- d-----w C:\Documents and Settings\David\Application Data\Azureus
2008-01-20 00:35 --------- d-----w C:\Program Files\Norton AntiVirus
2008-01-20 00:35 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-20 00:33 --------- d-----w C:\Program Files\Symantec
2008-01-20 00:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-19 12:43 --------- d-----w C:\Program Files\fsupport
2008-01-19 11:02 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-14 10:03 --------- d-----w C:\Program Files\Canon
2008-01-12 03:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-08 05:42 --------- d-----w C:\Program Files\Winamp
2008-01-01 10:12 --------- d-----w C:\Documents and Settings\David\Application Data\TransRender
2007-11-25 12:01 --------- d-----w C:\Program Files\ieSpell
2007-11-20 01:09 104,320 ----a-w C:\WINDOWS\system32\drivers\Rtnicxp.sys
.

11

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
2007-10-05 06:06 1135968 --a------ C:\Program Files\Winamp Toolbar\winamptb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}

[HKEY_CLASSES_ROOT\clsid{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
“{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}”= C:\Program Files\Winamp Toolbar\winamptb.dll [2007-10-05 06:06 1135968]

[HKEY_CLASSES_ROOT\clsid{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“msnmsgr”=“C:\Program Files\MSN Messenger\msnmsgr.exe” [2007-01-19 12:54 5674352]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 22:00 15360]
“SUPERAntiSpyware”=“C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe” [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“NvCplDaemon”=“C:\WINDOWS\system32\NvCpl.dll” [2005-12-10 03:06 7311360]
“Adobe Reader Speed Launcher”=“C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” [2007-10-10 19:51 39792]
“Creative Mouse Software”=“C:\Program Files\Creative\Shared Files\CIDS\CTStray.exe” [2004-09-23 14:13 49152]
“Symantec PIF AlertEng”=“C:\Program Files\Common Files\Symantec Shared\PIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe” [2007-11-28 19:51 583048]
“PCSuiteTrayApplication”=“C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe” [2007-06-18 15:10 271360]
“Winupdate Engine”=“C:\WINDOWS\system32\wupeng.exe”
“CanonSolutionMenu”=“C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe” [2007-05-15 02:01 644696]
“CanonMyPrinter”=“C:\Program Files\Canon\MyPrinter\BJMyPrt.exe” [2007-04-04 02:50 1603152]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-12-04 23:00 79224]
“a-squared”=“C:\Program Files\a-squared Anti-Malware\a2guard.exe” [2008-01-07 17:56 1816208]
“!AVG Anti-Spyware”=“C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” [2007-06-11 19:25 6731312]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
“CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [2004-08-04 22:00 15360]
“ALUAlert”=“C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe” [2006-09-03 09:36 100032]
“Nokia.PCSync”=“C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe” [2007-06-19 10:17 1241088]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
“DisableRegistryTools”= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
“{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}”= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winhoq32]
winhoq32.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
“CTFMON.EXE”=C:\WINDOWS\system32\ctfmon.exe
“MsnMsgr”=“C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
“Adobe Photo Downloader”=“C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe”
“NeroFilterCheck”=C:\WINDOWS\system32\NeroCheck.exe
“High Definition Audio Property Page Shortcut”=HDAShCut.exe
“SunJavaUpdateSched”=C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
“NvMediaCenter”=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
“NvCplDaemon”=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
“nwiz”=nwiz.exe /install
“RemoteControl”=“C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe”
“RoxioEngineUtility”=“C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe”
“SoundMAXPnP”=C:\Program Files\Analog Devices\Core\smax4pnp.exe
“WinampAgent”=C:\Program Files\Winamp\winampa.exe
“SoundMAX”=“C:\Program Files\Analog Devices\SoundMAX\Smax4.exe” /tray

S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 17:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 17:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 17:59]

.
Contents of the ‘Scheduled Tasks’ folder
“2007-12-07 07:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job”

  • C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
    “2008-01-15 23:08:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job”
  • C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-20 11:05:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0

.
Completion time: 2008-01-20 11:09:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-20 01:08:53
.
2008-01-09 10:28:45 — E O F —

12

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:12:05 AM, on 20/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\PIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Creative\Shared Files\CIDS\CTStray.exe
C:\Program Files\Common Files\Symantec Shared\PIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [Creative Mouse Software] C:\Program Files\Creative\Shared Files\CIDS\CTStray.exe
O4 - HKLM..\Run: [Symantec PIF AlertEng] “C:\Program Files\Common Files\Symantec Shared\PIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe” /a /m “C:\Program Files\Common Files\Symantec Shared\PIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll”
O4 - HKLM..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM..\Run: [Winupdate Engine] C:\WINDOWS\system32\wupeng.exe
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [a-squared] “C:\Program Files\a-squared Anti-Malware\a2guard.exe” /d=60
O4 - HKLM..\Run: [!AVG Anti-Spyware] “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized
O4 - HKCU..\Run: [msnmsgr] “C:\Program Files\MSN Messenger\msnmsgr.exe” /background
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘NETWORK SERVICE’)
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra ‘Tools’ menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra ‘Tools’ menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay105.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200725434593
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.youplay.com/games/3rdParty/PopCap/popcaploader_v10.cab

13

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: winhoq32 - winhoq32.dll (file missing)
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe


End of file - 10411 bytes

14

Hi. There still a lot of norton in your system.

The usuall wat to remove it is

uninstall via add/remove
boot
run the tool for your version
boot

Please tell me what’s going on at your end. Fix these lines and get back to me.

Open HJT, run a system scan only, check mark these lines if present

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM..\Run: [Winupdate Engine] C:\WINDOWS\system32\wupeng.exe
O20 - Winlogon Notify: winhoq32 - winhoq32.dll (file missing)

Close all other browsers/windows, click fix, close HJT.

15

Here is the latest hjt file after removing those entrys.

i cannot get to add/remove files at present due to rundll32 missing/deleted.

i can use revo uninstaller. all gone. do you want new scan logs?

Dave

16

as for what is going on at my end- i did something that i normally don’t do and that was open a downloaded file without scanning it first. It was winrar! anyway my system started running really slow and stalling on simple things. i also noticed that my adsl speed dropped from approx 512 to about 130 or so. i have been running scans via norton, avast, spybot, superantispyware, avg anti spyware and a2 in both normal and safe modes. i have run avast in boot mode and even though i do all of this the infection comes back.

also like i said rundll32 is playing up for whatever reason.

Dave

17

Have a look in this folder for rundll32.exe

C:\Windows\System32

I don’t know what the other tools removed.

Some files are backed up on the computer, I’ll see if I can find if this is one of them.

When you say you can’t get to add remove, are you refering to control panel it’s self?

There was nothing to see in the combofix log, except for the service it removed (bad one) but if you still are experiencing problems, we’ll look with other tools.

edit after I saw your latest post:

We did remove more with combofix.

18

what i mean is that when i go to control pannel and click on add/remove it states

“”“windows cannot find the file c:windows\system32\rundll32.exe” make sure you typed the name correctly ,than try it again. to search for a file click on the start button then click search"“”
this also happens when i right click desktop as if to change the background picture.

searching entire computer and i only get 3 x entrys for rundll32.exe
rundll32.exe-2b20730c.pf in c:\windows\prefetch
rundll32.exe-2e5af1d7.pf in c:\windows\prefetch
and
rundll32.exe in c:\windows\system32\dllcache

does that make sence to you?
D

19

i have to go out for approx 2 or 3 hours but will be back on as soon as i get home.
p.s. i am in australia and the time here is currently 12.25pm. i believe that you mentioned that you in california time zone so what time would that make you? talk soon when i get back.

Dave

20

Yes it does. but read on. :wink:

That looks better as far as nav goes, we can remove the last few keys that show up in HJT

Open HJT, run a system scan only, check mark these lines if present

O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

Close all other browsers/windows, click fix, close HJT.

And as a bonus, try this.

Download rundll32.zip here: http://www.spywareinfo.com/~merijn/files/windows/rundll32_xp.zip

Unzip all of its contents to this folder: C:\Windows\System32

I think the one in the ddll chache is a backup, though windows should have replced it. Give the zip a go. BTW merijn is the author of HJT

Let me know. :slight_smile: