Author Topic: Virus... please help  (Read 71101 times)


mauserme

  • Guest
Re: Virus... please help
« Reply #15 on: October 18, 2007, 03:09:47 AM »
I think you've handled the initial problem(s) pretty well on your own Tara.  You have a clean HJT log except for the "iffy" line I mentioned earlier.  Since you don't know it we'll take care of it.

SmitFraudFix found nothing so possibly you ran Rogue Remover, SuperAntiSpyware or something else that got rid of it (I see recently installed  ESET drivers in your ComboFix log).

And there are just a couple files in the ComboFix log I'll ask you to check at Virus Total and post the results (I think you've done this before)

C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\SpoonUninstall.exe



In regard to the worm, it seems like it might be related to P2P but I don't see any P2P applications in your log.  Does your brother download?
« Last Edit: October 18, 2007, 03:12:07 AM by mauserme »

tryan21

  • Guest
Re: Virus... please help
« Reply #16 on: October 18, 2007, 10:55:24 PM »
File tmp.reg received on 10.18.2007 21:57:36 (CET)

Result: 0/32 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2007.10.19.0 2007.10.18 -
AntiVir 7.6.0.27 2007.10.18 -
Authentium 4.93.8 2007.10.18 -
Avast 4.7.1051.0 2007.10.17 -
AVG 7.5.0.488 2007.10.18 -
BitDefender 7.2 2007.10.18 -
CAT-QuickHeal 9.00 2007.10.18 -
ClamAV 0.91.2 2007.10.17 -
DrWeb 4.44.0.09170 2007.10.18 -
eSafe 7.0.15.0 2007.10.15 -
eTrust-Vet 31.2.5220 2007.10.18 -
Ewido 4.0 2007.10.18 -
FileAdvisor 1 2007.10.18 -
Fortinet 3.11.0.0 2007.10.18 -
F-Prot 4.3.2.48 2007.10.18 -
F-Secure 6.70.13030.0 2007.10.18 -
Ikarus T3.1.1.12 2007.10.18 -
Kaspersky 7.0.0.125 2007.10.18 -
McAfee 5144 2007.10.18 -
Microsoft 1.2908 2007.10.18 -
NOD32v2 2601 2007.10.18 -
Norman 5.80.02 2007.10.18 -
Panda 9.0.0.4 2007.10.18 -
Prevx1 V2 2007.10.18 -
Rising 19.45.32.00 2007.10.18 -
Sophos 4.22.0 2007.10.18 -
Sunbelt 2.2.907.0 2007.10.18 -
Symantec 10 2007.10.18 -
TheHacker 6.2.9.097 2007.10.18 -
VBA32 3.12.2.4 2007.10.17 -
VirusBuster 4.3.26:9 2007.10.18 -
Webwasher-Gateway 6.6.1 2007.10.18 -
Additional information
File size: 2244 bytes
MD5: 64c818e4fa8a71677d3fea717ae51cbf
SHA1: 8a8008a1d2a138eb5897cfaa4b507bc9a34bf686
packers: Unicode

tryan21

  • Guest
Re: Virus... please help
« Reply #17 on: October 18, 2007, 11:19:39 PM »
I disabled System Restore like Tech suggested, but the pop ups just started again.

File SpoonUninstall.exe received on 10.18.2007 22:58:52 (CET)

Result: 1/32 (3.13%)

Antivirus Version Last Update Result
AhnLab-V3 2007.10.19.0 2007.10.18 -
AntiVir 7.6.0.27 2007.10.18 -
Authentium 4.93.8 2007.10.18 -
Avast 4.7.1051.0 2007.10.18 -
AVG 7.5.0.488 2007.10.18 -
BitDefender 7.2 2007.10.18 -
CAT-QuickHeal 9.00 2007.10.18 -
ClamAV 0.91.2 2007.10.17 -
DrWeb 4.44.0.09170 2007.10.18 -
eSafe 7.0.15.0 2007.10.15 -
eTrust-Vet 31.2.5220 2007.10.18 -
Ewido 4.0 2007.10.18 -
FileAdvisor 1 2007.10.18 -
Fortinet 3.11.0.0 2007.10.18 -
F-Prot 4.3.2.48 2007.10.18 -
F-Secure 6.70.13030.0 2007.10.18 -
Ikarus T3.1.1.12 2007.10.18 -
Kaspersky 7.0.0.125 2007.10.18 -
McAfee 5144 2007.10.18 -
Microsoft 1.2908 2007.10.18 -
NOD32v2 2601 2007.10.18 -
Norman 5.80.02 2007.10.18 -
Panda 9.0.0.4 2007.10.18 -
Prevx1 V2 2007.10.18 Heuristic: Suspicious Hijacker
Rising 19.45.32.00 2007.10.18 -
Sophos 4.22.0 2007.10.18 -
Sunbelt 2.2.907.0 2007.10.18 -
Symantec 10 2007.10.18 -
TheHacker 6.2.9.097 2007.10.18 -
VBA32 3.12.2.4 2007.10.17 -
VirusBuster 4.3.26:9 2007.10.18 -
Webwasher-Gateway 6.6.1 2007.10.18 -
Additional information
File size: 4229496 bytes
MD5: 229968985617a21fdf492ad31f9013b8
SHA1: 57e6abbc0784af4d4f147a721af8e40572552702
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=BB2191B578ADB5DD8920401F9B924F0070EB4A30

mauserme

  • Guest
Re: Virus... please help
« Reply #18 on: October 19, 2007, 01:16:49 AM »
Quote from: tryan21
... the pop ups just started again
Is it still WinAntiVirus, dating and such or something new now?  If you go to sites you don't normally visit do the ads seem to go along with the subject of the new sites?  Try some gardening or vehicle repair sites (or anything) to see if the ads change topic.

mauserme

  • Guest
Re: Virus... please help
« Reply #19 on: October 19, 2007, 02:33:06 AM »
If you don't mind I would like to try a new program (new for me - it's been in use in France for almost a year) that targets a rootkit adware with symptoms similar to yours.

Please download Navilog1 by IL-MAFIOSO: 

http://perso.orange.fr/il.mafioso/Navifix/Navilog1.zip

Extract its contents to the desktop.
Double click on navilog1.exe to install it on your computer.
When the installation is complete, the tool will start automatically.
If it doesn't start automatically, please double click on Navilog1 shortcut on your desktop to run it.
Press E for English from the language Menu.
Type 1 in the next Menu to select Search and press Enter.
Wait for the Scan to finish (It may take a reasonable amount of time)
Press any key as requested.
A new document will be produced: fixnavi.txt.
Please copy/paste the contents of this report in your next reply.
The report is also saved in the root of the directory, "%SystemDrive%\fixnavi.txt" (usually C:\fixnavi.txt).

Please don't use any options other than #1 or Q(uit) for now.



Follow this with a WinPFind3U log:

Download WinPFind3u.exe  to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
      <list of options>
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the log back here, all the way to the < End of Report > marker (it will take several posts).

tryan21

  • Guest
Re: Virus... please help
« Reply #20 on: October 19, 2007, 05:27:23 AM »
Quote
In regard to the worm, it seems like it might be related to P2P but I don't see any P2P applications in your log.  Does your brother download?

I don't have any P2P applications, I don't use any of that. My brother said he was downloading something to edit his MySpace page, not real sure what exactly.

Quote
Is it still WinAntiVirus, dating and such or something new now?  If you go to sites you don't normally visit do the ads seem to go along with the subject of the new sites?  Try some gardening or vehicle repair sites (or anything) to see if the ads change topic.

Yeah, it's pretty much the same thing. It doesn't change with different sites.

I'm going to try the Navilog1 and WinPFind3U now. I'll post back soon.


tryan21

  • Guest
Re: Virus... please help
« Reply #21 on: October 19, 2007, 05:49:29 AM »
Search Navipromo version 3.3.0 began on Thu 10/18/2007 at 20:43:18.68

!!! Warning, this report may include legitimate files/programs !!!
!!! Post this report on the forum you are being helped !!!
!!! Don't continue with removal unless instructed by an authorized helper !!!
Fix running from C:\Program Files\navilog1
Updated on 17.10.2007 at 20h00 by IL-MAFIOSO

Microsoft Windows XP [Version 5.1.2600]
Version Internet Explorer : 6.0.2900.2096

Done in normal mode

*** Searching for installed Software ***




*** Search folders in C:\WINDOWS ***



*** Search folders in C:\Program Files ***



*** Search folders in C:\Documents and Settings\All Users\Application Data ***






*** Search folders in C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS ***


*** Search with Catchme-rootkit/stealth malware detector by gmer ***
for more info : http://www.gmer.net

!! Not same hidden file(s)/process(es) found !!
!! Scan results from Catchme not processed by Navilog1 !!


*** Search with GenericNaviSearch ***
!!! Possibility of legitimate files in the result !!!
!!! Must always be checked before manually deleting !!!

* Scan in C:\WINDOWS\system32 *

* Scan in C:\DOCUME~1\TARA *

gnc.exe missing, Scan not done in C:\DOCUME~1\TARA !


*** Search files ***




*** Search specific Registry keys ***


*** Complementary Search ***
(Search specific files)

1)Search known files:
C:\WINDOWS\system32\cefhk.ini2 found ! Possible Vundo infection, not cleaned with this tool !
C:\WINDOWS\system32\cefhk.bak1 found ! Possible Vundo infection, not cleaned with this tool !
C:\WINDOWS\system32\cefhk.bak2 found ! Possible Vundo infection, not cleaned with this tool !

2)Heuristic Search :



3)Certificates Search :

Egroup certificate not found !


*** Search completed on Thu 10/18/2007 at 20:45:01.87 ***

mauserme

  • Guest
Re: Virus... please help
« Reply #22 on: October 19, 2007, 02:26:21 PM »
Please download the OTMoveIt http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\cefhk.ini2
C:\WINDOWS\system32\cefhk.bak1
C:\WINDOWS\system32\cefhk.bak2

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply with a new Hijack log.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

EDIT:   Before running HJT again rename the executable to hjtara.exe


Please also run ComboFix again and give me a fresh log.
« Last Edit: October 19, 2007, 02:29:52 PM by mauserme »

tryan21

  • Guest
Re: Virus... please help
« Reply #23 on: October 19, 2007, 05:59:05 PM »
Ok I will do all that in a minute. I just wanted to give you an update. I got on my computer this morning and it's going crazy with pop-ups. I get about 20 within 1 minute. I also keep getting these weird alerts; it's a yellow triangle in the bottom right corner of my computer and a balloon will pop out of it saying Security Alert:Spyware found or System Alert:trojan-spy:win32@mx. Also WinPFind3U won't run. I keep getting an "encountered an error can't continue" message. I'll post back soon.

Lisandro

  • Avast team
Re: Virus... please help
« Reply #24 on: October 19, 2007, 06:12:12 PM »
Quote
I also keep getting these weird alerts; it's a yellow triangle in the bottom right corner of my computer and a balloon will pop out of it saying Security Alert:Spyware found or System Alert:trojan-spy:win32@mx.
Don't use (click) these alerts! They could give you much more trouble.
Install and run safe antispyware tools like AVGas, SpywareTerminator, Spybot.
You should also run a boot time scanning with avast.
The best things in life are free.

mauserme

  • Guest
Re: Virus... please help
« Reply #25 on: October 19, 2007, 06:48:22 PM »
Quote
I also keep getting these weird alerts; it's a yellow triangle in the bottom right corner of my computer and a balloon will pop out of it saying Security Alert:Spyware found or System Alert:trojan-spy:win32@mx.
Don't use (click) these alerts! They could give you much more trouble.
Install and run safe antispyware tools like AVGas, SpywareTerminator, Spybot.
You should also run a boot time scanning with avast.

For sure don't click them ...

This sounds like another SmitFraud variant.  Now that we've found Vundo I hope to make better progress with this as Vundo is probably downloading the rest.  Go ahead with HJTara.exe and ComboFix and we see what they show (if you have any trouble running ComboFix rename it and try again).


EDIT:  Just to clarify, move the 3 files listed above with OTMoveIt first, then the logs.
« Last Edit: October 19, 2007, 07:03:37 PM by mauserme »

tryan21

  • Guest
Re: Virus... please help
« Reply #26 on: October 19, 2007, 07:41:51 PM »
C:\WINDOWS\system32\cefhk.ini2 moved successfully.
C:\WINDOWS\system32\cefhk.bak1 moved successfully.
C:\WINDOWS\system32\cefhk.bak2 moved successfully.
 
Created on 10/19/2007 10:39:35

tryan21

  • Guest
Re: Virus... please help
« Reply #27 on: October 19, 2007, 08:10:12 PM »
ComboFix 07-10-17.8 - Tara & Paul 2007-10-19 10:47:27.6 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.31 [GMT -7:00]
Running from: C:\Documents and Settings\Tara & Paul\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\cefhk.ini
C:\WINDOWS\system32\cefhk.ini
C:\WINDOWS\system32\cefhk.ini2
C:\WINDOWS\system32\cefhk.ini2
C:\WINDOWS\system32\cefhk.tmp
C:\WINDOWS\system32\cefhk.tmp
C:\WINDOWS\system32\khfec.dll
C:\WINDOWS\system32\khfec.dll
C:\WINDOWS\system32\kyinieiy.dll
C:\WINDOWS\system32\nuasmuqv.dll
C:\WINDOWS\system32\yieiniyk.ini

.
(((((((((((((((((((((((((   Files Created from 2007-09-19 to 2007-10-19  )))))))))))))))))))))))))))))))
.

2007-10-18 20:41   <DIR>   d--------   C:\Program Files\Navilog1
2007-10-17 19:02   8,192   --a------   C:\sysudiq.exe
2007-10-17 09:38   <DIR>   d--------   C:\Program Files\Trend Micro
2007-10-16 14:32   <DIR>   d--------   C:\VundoFix Backups
2007-10-16 09:51   <DIR>   d--------   C:\Documents and Settings\Tara & Paul\Application Data\Help
2007-10-07 09:31   <DIR>   d--------   C:\Documents and Settings\Tara & Paul\Application Data\AccurateRip
2007-10-07 09:30   <DIR>   d--------   C:\Program Files\Illustrate
2007-10-04 15:00   <DIR>   d--------   C:\Program Files\Java
2007-10-04 14:57   <DIR>   d--------   C:\Program Files\Common Files\Java
2007-09-27 08:00   <DIR>   d--------   C:\Program Files\Common Files\Authentium Shared
2007-09-24 13:18   <DIR>   d--------   C:\Documents and Settings\Tara & Paul\Application Data\Yahoo!
2007-09-24 13:10   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-09-24 13:03   <DIR>   d--------   C:\Program Files\Yahoo!
2007-09-23 11:15   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Eset
2007-09-23 11:06   <DIR>   d--------   C:\Program Files\SpywareBlaster
2007-09-20 14:33   <DIR>   d--------   C:\Program Files\Common Files\Download Manager
2007-09-19 19:15   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-19 19:14   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
2007-09-19 19:14   <DIR>   d--------   C:\Documents and Settings\Tara & Paul\Application Data\SUPERAntiSpyware.com
2007-09-19 19:12   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2007-09-19 10:15   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Grisoft
2007-09-19 09:52   <DIR>   d--------   C:\Program Files\RogueRemover FREE

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-19 15:13   340,032   ----a-w   C:\WINDOWS\system32\rmqgcave.dll
2007-10-19 15:13   340,032   ----a-w   C:\WINDOWS\system32\pttryjxd.dll
2007-10-18 02:02   55,808   ----a-w   C:\WINDOWS\system32\sysdl133.exe
2007-10-18 02:02   33,792   ----a-w   C:\WINDOWS\system32\vtuuvsr.dll
2007-10-18 02:02   167,945   ----a-w   C:\WINDOWS\system32\sysdl132.exe
2007-10-13 13:35   ---------   d-----w   C:\Program Files\Common Files\Symantec Shared
2007-10-12 22:00   ---------   d-----w   C:\Program Files\Norton Security Scan
2007-10-08 18:54   ---------   d-----w   C:\Program Files\mobile PhoneTools
2007-10-08 18:54   ---------   d-----w   C:\Program Files\LiveUpdate
2007-10-07 16:31   ---------   d-----w   C:\Documents and Settings\Tara & Paul\Application Data\AccurateRip
2007-10-07 16:30   4,229,496   ----a-w   C:\WINDOWS\system32\SpoonUninstall.exe
2007-10-03 17:56   ---------   d-----w   C:\Program Files\Coupons
2007-09-25 23:33   ---------   d-----w   C:\Program Files\Common Files\Adobe
2007-09-25 17:16   ---------   d-----w   C:\Documents and Settings\Tara & Paul\Application Data\Yahoo!
2007-09-23 19:16   ---------   d-----w   C:\Program Files\Google
2007-09-21 16:17   28,680   ----a-w   C:\WINDOWS\system32\drivers\epfwtdir.sys
2007-09-21 16:15   33,288   ----a-w   C:\WINDOWS\system32\drivers\eamon.sys
2007-09-21 16:15   25,096   ----a-w   C:\WINDOWS\system32\drivers\easdrv.sys
2007-09-20 02:14   ---------   d-----w   C:\Documents and Settings\Tara & Paul\Application Data\SUPERAntiSpyware.com
2007-09-09 07:06   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-09-06 10:09   801,144   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:05   94,416   ----a-w   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 10:05   92,848   ----a-w   C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 10:03   23,152   ----a-w   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 10:02   42,912   ----a-w   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 10:00   95,608   ----a-w   C:\WINDOWS\system32\AVASTSS.scr
2007-09-06 10:00   26,624   ----a-w   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-31 04:06   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\CyberLink
2007-08-31 04:05   ---------   d-----w   C:\Documents and Settings\Tara & Paul\Application Data\CyberLink
2007-08-26 23:17   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2007-08-19 03:11   ---------   d-----w   C:\Documents and Settings\Tara & Paul\Application Data\Ahead
2007-08-19 03:09   ---------   d-----w   C:\Program Files\Common Files\LightScribe
2007-07-31 02:18   207,736   ----a-w   C:\WINDOWS\system32\muweb.dll

tryan21

  • Guest
Re: Virus... please help
« Reply #28 on: October 19, 2007, 08:10:42 PM »
.

(((((((((((((((((((((((((((((   snapshot@2007-10-16_ 9.36.09.50   )))))))))))))))))))))))))))))))))))))))))
.
- 2007-08-15 17:13:10   181,248   ----a-w   C:\WINDOWS\BDOSCAN8\bdcore.dll
+ 2007-10-16 17:14:41   181,760   ----a-w   C:\WINDOWS\BDOSCAN8\bdcore.dll
- 2007-10-16 16:18:25   274,432   ----a-w   C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2007-10-19 17:46:53   274,432   ----a-w   C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2007-10-19 17:56:20   16,384   ----atw   C:\WINDOWS\TEMP\Perflib_Perfdata_604.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5}]
2007-10-17 19:02   33792   --a------   C:\WINDOWS\system32\vtuuvsr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-10-19 08:13   340032   --a------   C:\WINDOWS\system32\pttryjxd.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\pttryjxd.dll [2007-10-19 08:13 340032]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"WatchDog"="C:\Program Files\mobile PhoneTools\WatchDog.exe" [2007-09-07 18:42]
"EPSON Stylus CX5800F Series"="C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.exe" [2005-05-09 22:00]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 03:06]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-09-07 18:42]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P2kAutostart"="C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-19 16:29]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 18:05]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"Aim6"="" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
@=
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
"{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5}"= C:\WINDOWS\system32\vtuuvsr.dll [2007-10-17 19:02 33792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pttryjxd]
pttryjxd.dll 2007-10-19 08:13 340032 C:\WINDOWS\system32\pttryjxd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuuvsr]
vtuuvsr.dll 2007-10-17 19:02 33792 C:\WINDOWS\system32\vtuuvsr.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\khfec.dll

R1 easdrv;easdrv;C:\WINDOWS\system32\DRIVERS\easdrv.sys
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
R2 eamon;EAMON;C:\WINDOWS\system32\DRIVERS\eamon.sys
R3 cwrwdm;SoundFusion(tm) WDM Driver;C:\WINDOWS\system32\DRIVERS\cwrwdm.sys
S3 AWINDIS5;AWINDIS5 Protocol Driver;\??\C:\WINDOWS\system32\AWINDIS5.SYS
S3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;C:\WINDOWS\system32\DRIVERS\WG511ICB.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-12 23:44:20 C:\WINDOWS\Tasks\Norton Security Scan.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-19 10:57:58
Windows 5.1.2600 Service Pack 2, v.2096 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  P2kAutostart = C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe?0????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-19 11:04:39 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-17 10:15
C:\ComboFix3.txt ... 2007-10-16 09:37
.
   --- E O F ---

tryan21

  • Guest
Re: Virus... please help
« Reply #29 on: October 19, 2007, 08:12:01 PM »
Logfile of HijackThis v1.99.1
Scan saved at 11:07:22 AM, on 10/19/2007
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\atievxx.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\hijacktryan.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6DB3F881-19A2-4085-ABD0-DBD56E71F4F5} - C:\WINDOWS\system32\vtuuvsr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\pttryjxd.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\pttryjxd.dll
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5800F Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE /P27 "EPSON Stylus CX5800F Series" /O6 "USB001" /M "Stylus CX5800F"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [P2kAutostart] C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186780356336
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187926666522
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: pttryjxd - C:\WINDOWS\SYSTEM32\pttryjxd.dll
O20 - Winlogon Notify: vtuuvsr - C:\WINDOWS\SYSTEM32\vtuuvsr.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
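The HijackThis and ComboFix logs above show the same unnamed DLLs (vtuuvsr.dll, pttryjxd.dll) wired into several autostart points at once, plus a non-default LSA Authentication Package (khfec.dll). As an added example that is not code from the thread or from any of the tools it mentions, here is a small Python checker that parses O2/O3/O20 lines and the LSA entry and reports those correlations; the sample lines are constructed from the paths in the logs above, and the vowel-ratio name heuristic is a weak signal of my own, not a rule from any of these tools.

```python
"""Correlate autostart entries from HijackThis / ComboFix output to spot Vundo-style DLL hijacks.

Added example for this thread, not code from HijackThis, ComboFix or any other tool named in it.
A module is flagged when it is loaded from more than one autostart point, is a BHO without a
display name, or has a file name that looks machine-generated (weak heuristic); separately, any
LSA Authentication Package other than the stock msv1_0 is listed.
"""
import re
from collections import defaultdict

# Constructed sample: lines in the shape of the HijackThis log above (paths copied from it).
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6DB3F881-19A2-4085-ABD0-DBD56E71F4F5} - C:\WINDOWS\system32\vtuuvsr.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\pttryjxd.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\pttryjxd.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: pttryjxd - C:\WINDOWS\SYSTEM32\pttryjxd.dll
O20 - Winlogon Notify: vtuuvsr - C:\WINDOWS\SYSTEM32\vtuuvsr.dll
"""

# Constructed sample: the LSA entry in the shape of ComboFix's "Reg Loading Points" section above.
SAMPLE_LSA_LINE = r'"Authentication Packages"= msv1_0 C:\WINDOWS\system32\khfec.dll'

# Section, display name, optional CLSID, module path (BHO, Toolbar and Winlogon Notify lines).
HJT_LINE = re.compile(
    r"^(O2|O3|O20) - (?:BHO|Toolbar|Winlogon Notify): (.*?) - "
    r"(?:\{[0-9A-Fa-f-]+\} - )?(.+?\.(?:dll|ocx))\s*$"
)
LSA_LINE = re.compile(r'"Authentication Packages"=\s*(.+)$')


def parse_hjt(text):
    """Return (section, display name, module path) for every O2/O3/O20 line."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            section, name, path = m.groups()
            entries.append((section.upper(), name.strip(), path.strip()))
    return entries


def looks_generated(stem):
    """Weak signal: short all-letter name with almost no vowels or a long consonant run."""
    if not (5 <= len(stem) <= 10 and stem.isalpha()):
        return False
    vowels = sum(c in "aeiou" for c in stem)
    longest_run = max((len(run) for run in re.findall(r"[^aeiou]+", stem)), default=0)
    return vowels / len(stem) <= 0.2 or longest_run >= 4


def suspicious_modules(entries):
    """Map module file name -> list of reasons it deserves a closer look (empty dict = nothing flagged)."""
    load_points = defaultdict(set)   # file name -> sections it is registered under
    names = defaultdict(set)         # file name -> display names used for it
    for section, name, path in entries:
        base = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        load_points[base].add(section)
        names[base].add(name)
    findings = {}
    for base, sections in load_points.items():
        reasons = []
        if len(sections) > 1:
            reasons.append("loaded from %d autostart points: %s"
                           % (len(sections), ", ".join(sorted(sections))))
        if "(no name)" in names[base]:
            reasons.append("BHO registered without a display name")
        if looks_generated(base.rsplit(".", 1)[0]):
            reasons.append("file name looks machine-generated")
        if reasons:
            findings[base] = reasons
    return findings


def extra_lsa_packages(line):
    """msv1_0 is the stock Authentication Package on XP; anything else is loaded into lsass.exe at boot.

    Packages are whitespace-separated in ComboFix's rendering, so a path containing spaces
    would need quoting; the sample above has none.
    """
    m = LSA_LINE.search(line)
    if not m:
        return []
    return [pkg for pkg in m.group(1).split() if pkg.lower() != "msv1_0"]


if __name__ == "__main__":
    for module, reasons in sorted(suspicious_modules(parse_hjt(SAMPLE_HJT_LOG)).items()):
        print(module)
        for reason in reasons:
            print("  -", reason)
    for pkg in extra_lsa_packages(SAMPLE_LSA_LINE):
        print("extra LSA authentication package:", pkg)
```

Run against the sample it reports only vtuuvsr.dll and pttryjxd.dll, leaving the Adobe and SUPERAntiSpyware modules alone; the name heuristic alone would have missed vtuuvsr.dll, which is why the cross-reference between load points is the primary signal.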