Trojan Downloaders! help

So I received an email from a student at my college. The address came from his school address, so I thought I could trust him. Anyway, I clicked on the link in his email and was redirected to another site. After that, I did a scan with Malwarebytes and 68 trojan downloaders showed up. I did a quick scan, followed up with a full scan, which showed 0 files infected. Since the quick scan showed that I had 68 trojans, I'm paranoid that there might still be more. Is there a way to dig up these remaining trojans?

Here's my scan from Malwarebytes:
Malwarebytes' Anti-Malware 1.41
Database version: 3287
Windows 5.1.2600 Service Pack 3

12/3/2009 1:07:04 PM
mbam-log-2009-12-03 (13-07-04).txt

Scan type: Quick Scan
Objects scanned: 103861
Time elapsed: 3 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 68

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\append.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\comm.drv (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drwatson.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\edlin.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\exe2bin.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fastopen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gdi.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\krnl386.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mem.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mouse.drv (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mscdexnt.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nlsfunc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\debug.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\olecli.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\olesvr.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\setver.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\shell.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysedit.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\system.drv (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\user.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vga.drv (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vwipxspx.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\share.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wfwnet.drv (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\win87em.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winnls.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winoldap.mod (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winspool.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wowdeb.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wowexec.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\system.LOG (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\Temp\Perflib_Perfdata_648.dat (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\Temp\Perflib_Perfdata_1bc.dat (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\Temp\Perflib_Perfdata_4d0.dat (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Nhan Nguyen\Local Settings\Temp\Perflib_Perfdata_90c.dat (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\Fonts\8514oeme.fon (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\8514oemg.fon (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\8514oemr.fon (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\8514oemt.fon (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\cga80852.fon (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\cga80857.fon (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\cga80866.fon (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\cga80869.fon (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\dos737.fon (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\ega40737.fon (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\ega40857.fon (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\ega40866.fon (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\ega40869.fon (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\ega80737.fon (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\ega80869.fon (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\cga80737.fon (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\ega80857.fon (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\vga852.fon (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\vga857.fon (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\vga866.fon (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\vgasys.fon (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\cga40737.fon (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\cga40852.fon (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\cga40857.fon (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\cga40866.fon (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\cga40869.fon (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system\MOUSE.DRV (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system\OLECLI.DLL (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system\OLESVR.DLL (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system\SHELL.DLL (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system\SYSTEM.DRV (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system\VGA.DRV (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system\WFWNET.DRV (Trojan.Downloader) -> Quarantined and deleted successfully.

Here's the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:32:38 PM, on 12/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe
E:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Nhan Nguyen\Desktop\Core Temp.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: SearchHook Class - {BC86E1AB-EDA5-4059-938F-CE307B0C6F0A} - C:\Program Files\DeviceVM\Browser Configuration Utility\AddressBarSearch.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: CStat - {DD92DE22-ED91-4560-B788-DEE2B26612E6} - C:\Program Files\DeviceVM\Browser Configuration Utility\IEHelper.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Core Temp] "C:\Documents and Settings\Nhan Nguyen\Desktop\Core Temp.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1248374402312
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Browser Configuration Utility Service (BCUService) - DeviceVM, Inc. - C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: Norton Internet Security - Unknown owner - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe (file missing)
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Samsung UPD Service - Samsung Electronics CO., LTD. - C:\WINDOWS\system32\SUPDSvc.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - e:\Program Files\SiSoftware\SiSoftware Sandra Professional Home 2009.SP3c\RpcAgentSrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7550 bytes
 
Hello, please do the following:

1. Run a scan with ComboFix


Download and Run ComboFix
If you already have ComboFix, please delete this copy and download it again, as it's being updated regularly.
Note: Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.
NOTE: IF COMBOFIX FAILS TO RUN, TRY RENAMING THE FILE TO 'ANYTHING.EXE' WITHOUT THE QUOTES

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any findstr, find, sed or swreg processes; ComboFix should then continue.
If that happens, we want to know, and also which process you had to end.

2. Choose whether or not to uninstall Viewpoint Manager (I strongly suggest you do.)


Optional - VIEWPOINT MANAGER
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". Read this article: http://www.clickz.com/news/article.php/3561546

Additional info: http://vil.nai.com/vil/content/v_137262.htm

I suggest you remove the program now.

Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

* Viewpoint
* Viewpoint Manager
* Viewpoint Media Player
* Viewpoint Toolbar


Your call.

In your next reply I will need:
  • The ComboFix log
  • A fresh Malwarebytes' log
  • A fresh HiJackThis log
  • An update on how your computer is running
 
Combofix Log:
ComboFix 09-12-03.03 - Nhan Nguyen 12/03/2009 17:59.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2896 [GMT -6:00]
Running from: c:\documents and settings\Nhan Nguyen\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 091127-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\hid.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\hid.dll

Infected copy of c:\windows\system32\midimap.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\midimap.dll

.
((((((((((((((((((((((((( Files Created from 2009-11-04 to 2009-12-04 )))))))))))))))))))))))))))))))
.

2009-12-03 22:12 . 2009-11-24 23:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-12-03 22:12 . 2009-11-24 23:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-12-03 22:12 . 2009-11-24 23:47 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-12-03 22:12 . 2009-11-24 23:47 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-12-03 22:12 . 2009-11-24 23:51 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-12-03 22:12 . 2009-11-24 23:50 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-12-03 22:12 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-12-03 22:12 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-12-03 22:12 . 2009-11-24 23:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-12-03 20:35 . 2009-12-03 20:35 -------- d-----w- c:\windows\system32\wbem\Repository
2009-12-03 20:35 . 2009-12-03 20:35 -------- d-----w- c:\program files\Common Files\Software Update Utility
2009-12-03 20:34 . 2009-12-03 20:34 -------- d-----w- c:\program files\Gigabyte
2009-12-03 00:24 . 2009-12-03 20:34 -------- d-----w- c:\program files\Heroes of Newerth(2)
2009-12-02 14:14 . 2009-12-02 14:14 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2009-11-22 20:32 . 2009-11-22 20:32 152576 ----a-w- c:\documents and settings\Nhan Nguyen\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-20 17:18 . 2009-11-20 17:18 -------- d-----w- c:\program files\Gravity
2009-11-20 17:18 . 2009-11-20 17:25 65536 ----a-w- c:\windows\IFinst27.exe
2009-11-17 06:43 . 2009-11-17 06:43 -------- d-----w- c:\program files\Ventrilo
2009-11-10 21:49 . 2009-11-10 21:49 1408800 ----a-w- c:\documents and settings\Nhan Nguyen\Application Data\Move Networks\MoveMediaPlayerWin_071505000011.exe
2009-11-10 00:24 . 2009-11-10 00:24 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM
2009-11-10 00:24 . 2009-11-10 00:24 -------- d-----w- c:\program files\AIM
2009-11-10 00:01 . 2009-11-10 00:03 -------- d-----w- c:\program files\CA Yahoo! Anti-Spy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-03 23:50 . 2009-08-20 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-12-03 23:29 . 2009-08-20 16:14 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-12-03 23:26 . 2009-09-22 01:25 -------- d-----w- c:\program files\Warcraft III
2009-12-03 22:32 . 2009-08-20 16:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-03 22:32 . 2009-09-21 03:32 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-03 22:14 . 2009-07-23 16:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 22:13 . 2009-07-23 16:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-03 20:34 . 2009-10-17 00:57 -------- d-----w- c:\documents and settings\Nhan Nguyen\Application Data\Move Networks
2009-12-03 20:33 . 2009-08-20 16:14 -------- d-----w- c:\documents and settings\Nhan Nguyen\Application Data\Ventrilo
2009-12-02 14:07 . 2009-08-20 16:31 -------- d-----w- c:\program files\McAfee
2009-12-02 06:50 . 2009-08-20 16:14 -------- d-----w- c:\documents and settings\Nhan Nguyen\Application Data\vlc
2009-12-02 01:14 . 2009-08-20 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-12-01 21:16 . 2009-10-26 00:42 -------- d-----w- c:\program files\Steam
2009-12-01 20:35 . 2009-09-22 01:28 77674 ----a-w- c:\windows\War3Unin.dat
2009-12-01 20:04 . 2009-08-20 15:20 17488 ----a-w- c:\windows\gdrv.sys
2009-11-23 07:49 . 2009-10-17 15:17 -------- d-----w- c:\program files\PeerGuardian2
2009-11-22 20:22 . 2009-08-20 16:28 -------- d-----w- c:\program files\DivX
2009-11-17 06:43 . 2009-08-20 16:28 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-10 21:49 . 2009-10-17 00:57 127325 ----a-w- c:\documents and settings\Nhan Nguyen\Application Data\Move Networks\uninstall.exe
2009-11-10 21:49 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\Nhan Nguyen\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-11-10 19:31 . 2009-08-21 14:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-05 19:04 . 2009-08-22 02:33 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-03 05:37 . 2009-10-06 00:13 -------- d-----w- c:\documents and settings\Nhan Nguyen\Application Data\gtk-2.0
2009-11-01 22:41 . 2009-11-01 22:40 -------- d-----w- c:\program files\iTunes
2009-11-01 22:40 . 2009-11-01 22:40 -------- d-----w- c:\program files\iPod
2009-11-01 22:40 . 2009-08-20 16:27 -------- d-----w- c:\program files\Common Files\Apple
2009-11-01 22:35 . 2009-11-01 22:35 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-26 21:59 . 2009-08-20 16:28 -------- d-----w- c:\program files\CPUID
2009-10-26 21:57 . 2009-08-20 16:30 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-26 21:55 . 2009-10-12 23:26 -------- d-----w- c:\program files\Nexus Radio
2009-10-19 00:27 . 2009-08-20 16:27 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-18 15:39 . 2009-10-18 15:39 -------- d-----w- c:\program files\Trend Micro
2009-10-17 00:57 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\Nhan Nguyen\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-10-14 04:21 . 2009-10-14 04:21 -------- d-----w- c:\documents and settings\Nhan Nguyen\Application Data\IrfanView
2009-10-13 18:17 . 2009-10-13 18:17 -------- d-----w- c:\program files\Microsoft
2009-10-13 18:17 . 2009-10-13 18:17 -------- d-----w- c:\program files\Windows Live
2009-10-13 18:17 . 2009-10-13 18:17 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-10-13 18:13 . 2009-10-13 18:13 -------- d-----w- c:\program files\Common Files\Windows Live
2009-10-13 00:12 . 2009-10-13 00:12 717296 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-10-13 00:12 . 2009-10-13 00:12 -------- d-----w- c:\program files\LSoft Technologies Inc
2009-10-11 10:17 . 2009-08-21 09:47 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-06 21:47 . 2009-08-20 16:14 -------- d-----w- c:\documents and settings\Nhan Nguyen\Application Data\Apple Computer
2009-09-22 01:34 . 2009-09-22 01:28 2829 ----a-w- c:\windows\War3Unin.pif
2009-09-22 01:34 . 2009-09-22 01:28 139264 ----a-w- c:\windows\War3Unin.exe
2009-09-11 14:18 . 2004-08-04 05:56 136192 ----a-w- c:\windows\system32\msv1_0.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Core Temp"="c:\documents and settings\Nhan Nguyen\Desktop\Core Temp.exe" [2009-01-23 319504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"SunJavaUpdateSched"="e:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Apple Mobile Device"=2 (0x2)
"Bonjour Service"=2 (0x2)
"iPod Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\SiSoftware\\SiSoftware Sandra Professional Home 2009.SP3c\\RpcAgentSrv.exe"=
"e:\\Program Files\\SiSoftware\\SiSoftware Sandra Professional Home 2009.SP3c\\WNt500x86\\RpcSandraSrv.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\SUPDSvc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/12/2009 6:12 PM 717296]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [12/3/2009 4:12 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/3/2009 4:12 PM 20560]
R2 BCUService;Browser Configuration Utility Service;c:\program files\DeviceVM\Browser Configuration Utility\BCUService.exe [8/20/2009 9:08 AM 212232]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/22/2009 11:49 PM 210216]
R3 ALSysIO;ALSysIO;\??\c:\docume~1\NHANNG~1\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\NHANNG~1\LOCALS~1\Temp\ALSysIO.sys [?]
S2 Norton Internet Security;Norton Internet Security;"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton Internet Security" /m "c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll" /prefetch:1 --> c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [?]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 cpuz132;cpuz132;\??\c:\docume~1\NHANNG~1\LOCALS~1\Temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\NHANNG~1\LOCALS~1\Temp\cpuz132\cpuz132_x32.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 Samsung UPD Service;Samsung UPD Service;c:\windows\system32\SUPDSvc.exe [8/21/2009 10:09 AM 127656]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;e:\program files\SiSoftware\SiSoftware Sandra Professional Home 2009.SP3c\RpcAgentSrv.exe [8/21/2009 7:43 AM 98488]
S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;c:\windows\system32\drivers\netusbxp.sys [2/20/2002 1:34 AM 72576]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ALSYSIO
.
Contents of the 'Scheduled Tasks' folder

2009-12-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-12-03 c:\windows\Tasks\User_Feed_Synchronization-{B278C105-6434-4A00-A115-93BB4B50399C}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Nhan Nguyen\Application Data\Mozilla\Firefox\Profiles\uhuy7inl.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Nhan Nguyen\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Nhan Nguyen\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\Nhan Nguyen\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.21\Plugins\npybrowserplus_2.4.21.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: e:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: e:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF - plugin: e:\program files\Netscape6\nppl3260.dll
FF - plugin: e:\program files\Netscape6\nprjplug.dll
FF - plugin: e:\program files\Netscape6\nprpjplug.dll

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-NVIDIA Drivers - c:\windows\system32\nvuninst.exe UninstallGUI
AddRemove-RealPlayer 12.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|12.0
AddRemove-Steam App 240 - c:\program files\Steam\steam.exe steam://uninstall/240
AddRemove-Steam App 9890 - c:\program files\Steam\steam.exe steam://uninstall/9890



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-03 18:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys sprf.sys >>UNKNOWN [0x8AFB4938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb810cf28
\Driver\ACPI -> ACPI.sys @ 0xb7e67cb8
\Driver\atapi -> atapi.sys @ 0xb7dfcb40
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3284)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
e:\program files\Java\jre6\bin\jqs.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2009-12-03 18:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-04 00:10

Pre-Run: 74,679,349,248 bytes free
Post-Run: 74,838,335,488 bytes free

- - End Of File - - 528440B22FAC657106A02EB5EBD87AE5

Malwarebytes Log:

Malwarebytes' Anti-Malware 1.42
Database version: 3290
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/3/2009 6:41:40 PM
mbam-log-2009-12-03 (18-41-40).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|)
Objects scanned: 219321
Time elapsed: 24 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:41:46 PM, on 12/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe
E:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Documents and Settings\Nhan Nguyen\Desktop\Core Temp.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: SearchHook Class - {BC86E1AB-EDA5-4059-938F-CE307B0C6F0A} - C:\Program Files\DeviceVM\Browser Configuration Utility\AddressBarSearch.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: CStat - {DD92DE22-ED91-4560-B788-DEE2B26612E6} - C:\Program Files\DeviceVM\Browser Configuration Utility\IEHelper.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Core Temp] "C:\Documents and Settings\Nhan Nguyen\Desktop\Core Temp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1248374402312
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Browser Configuration Utility Service (BCUService) - DeviceVM, Inc. - C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: Norton Internet Security - Unknown owner - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe (file missing)
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Samsung UPD Service - Samsung Electronics CO., LTD. - C:\WINDOWS\system32\SUPDSvc.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - e:\Program Files\SiSoftware\SiSoftware Sandra Professional Home 2009.SP3c\RpcAgentSrv.exe

--
End of file - 7140 bytes
 
The only strange thing that I still notice after the scans is that my AIM window takes longer to appear; maybe it's not so significant. The computer is running fine. I guess it's supposed to be running fine, since these things are trojans and not viruses or worms. How are the logs?
 
The only strange thing that I still notice after the scans is that my AIM window takes longer to appear; maybe it's not so significant. The computer is running fine. I guess it's supposed to be running fine, since these things are trojans and not viruses or worms. How are the logs?

The logs don't look too bad; however, I have a few more steps I think you should complete.

1. Fix some HiJackThis entries;

Please open HiJackThis and place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

R3 - URLSearchHook: SearchHook Class - {BC86E1AB-EDA5-4059-938F-CE307B0C6F0A} - C:\Program Files\DeviceVM\Browser Configuration Utility\AddressBarSearch.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O23 - Service: Norton Internet Security - Unknown owner - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe (file missing)
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)


2. Clear up some temporary files which can slow down your computer;


Download: CCleaner (freeware)
http://www.majorgeeks.com/download4191.html
Run the installer, and uncheck the option to install Yahoo toolbar.
Once installed, run CCleaner and click the Windows tab.
The following should be selected by default; if not, please select them:
[image: CCleanerA.png]

Next: click Options, then click the Settings tab.
Uncheck "Only delete files older than 48 hrs." and click OK.
Then click Run Cleaner (bottom right), then Exit.

3. Make sure your Java is up to date;

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

How is your computer running now?
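The "(no file)" BHO and URLSearchHook entries in step 1 are orphaned COM registrations: the CLSID is still registered for Internet Explorer, but the DLL it points at is gone from disk. The PowerShell script below is an added example, not code from this thread or from HijackThis; it reproduces that "(no file)" check by walking the standard IE registration keys and testing each server DLL on disk. It assumes PowerShell 2.0 or later is installed (a separate install on Windows XP), a 32-bit Windows (no WOW6432Node keys), and it changes nothing.

```powershell
# Added example, not code from the thread or from HijackThis.
# Lists IE Browser Helper Objects (HJT "O2") and URLSearchHooks (HJT "R3") and flags
# entries whose COM server DLL is missing on disk, which HijackThis shows as "(no file)".
# Read-only: it changes nothing. Assumes 32-bit Windows (no WOW6432Node) and PowerShell 2.0+.

$bhoKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$hookKeys = @('HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks',
              'HKLM:\Software\Microsoft\Internet Explorer\URLSearchHooks')

function Get-ComServerPath {
    param([string]$Clsid)
    # The in-process server for a CLSID is the default value of its InprocServer32 key.
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (-not (Test-Path $key)) { return $null }
    $server = (Get-ItemProperty -Path $key).'(default)'
    if (-not $server) { return $null }
    return [Environment]::ExpandEnvironmentVariables($server.Trim('"'))
}

function Test-ComEntry {
    param([string]$Kind, [string]$Clsid)
    $dll = Get-ComServerPath $Clsid
    if (-not $dll)          { $status = 'no server registered' }
    elseif (Test-Path $dll) { $status = 'ok' }
    else                    { $status = 'no file' }
    New-Object PSObject -Property @{ Kind = $Kind; Clsid = $Clsid; Dll = $dll; Status = $status }
}

$results = @()

# O2: each BHO is a subkey named after its CLSID.
if (Test-Path $bhoKey) {
    foreach ($sub in Get-ChildItem $bhoKey) {
        $results += Test-ComEntry 'O2 BHO' $sub.PSChildName
    }
}

# R3: each URLSearchHook is a registry value whose *name* is the CLSID.
foreach ($hookKey in $hookKeys) {
    if (-not (Test-Path $hookKey)) { continue }
    $values = Get-ItemProperty $hookKey
    foreach ($prop in ($values | Get-Member -MemberType NoteProperty)) {
        if ($prop.Name -like '{*}') {
            $results += Test-ComEntry 'R3 URLSearchHook' $prop.Name
        }
    }
}

$results | Sort-Object Status, Kind | Format-Table Kind, Status, Clsid, Dll -AutoSize
$orphans = @($results | Where-Object { $_.Status -ne 'ok' })
Write-Host ("{0} entries checked, {1} with a missing server DLL." -f $results.Count, $orphans.Count)
```

On the log above this would list the two `(no file)` O2 entries and the DeviceVM URLSearchHook with its DLL present. An entry reported as "no file" is dead weight that IE can no longer load, which is why removing it is safe; an entry whose DLL exists deserves a look at the file itself before anything is removed.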
 
For some reason, HJT can't delete this:

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

I deleted it 10 times, and it still reappears after every HJT scan.
 
You still have 1 remaining infection.

Open Notepad and copy and paste the text present inside the code box below.

Code:
File::
c:\windows\IFinst27.exe


Save this as CFScript.txt and change the Save as type to All Files and place it on your desktop.

If combofix.exe is not located on your desktop, please move it there now.

Click and drag CFScript.txt into ComboFix.exe.

[image: CFScriptB-4.gif]



ComboFix will now run a scan on your system. It may reboot your system when it finishes; this is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply, along with a new HijackThis log.
 
For some reason, HJT can't delete this:

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

I deleted it 10 times, and it still reappears after every HJT scan.

Please run Notepad and copy the following text into a new file:

Code:
sc config npggsvc start= disabled
sc stop npggsvc
sc delete npggsvc

Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files". Locate remove.bat on the Desktop and double-click on it to run it. Please note any errors encountered.

Then using Windows Explorer, delete the following file if present:
GameMon.des.exe
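The three sc commands in remove.bat do the job, but before deleting a service entry a practitioner would confirm it really is orphaned (ImagePath pointing at a binary that is no longer on disk, which is what HijackThis reports as "(file missing)") and capture sc.exe's exit codes rather than reading them off a console window. The PowerShell script below is an added example, not code from this thread or from any tool in it; it assumes PowerShell 2.0 or later is installed on the XP machine (a separate install there), that it runs from an administrator account, and it defaults to a report-only dry run. The script file name Remove-OrphanedService.ps1 used in the usage note is a hypothetical name.

```powershell
# Added example, not code from the thread. Checks a service entry before removing it:
# a service whose ImagePath points at a binary that no longer exists (HJT "(file missing)")
# is an orphaned registration, and that is the only case this script will touch.
# Assumes PowerShell 2.0+ and an administrator session; sc.exe is the built-in service tool.
# Default is a dry run that only reports; add -Remove to disable, stop and delete.
param(
    [string]$Name = 'npggsvc',   # the nProtect GameGuard entry from the thread's O23 line
    [switch]$Remove
)

$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
if (-not (Test-Path $svcKey)) {
    Write-Host "Service '$Name' is not registered; nothing to do."
    return
}

$imagePath = [string](Get-ItemProperty $svcKey).ImagePath
# ImagePath may be quoted and may carry arguments ("...\GameMon.des -service");
# keep only the executable so it can be tested on disk.
if ($imagePath -match '^"([^"]+)"') { $exe = $matches[1] }
else { $exe = ($imagePath -split ' -| /')[0].Trim() }
$exe = [Environment]::ExpandEnvironmentVariables($exe)
$exe = $exe -replace '^\\\?\?\\', ''   # strip the NT "\??\" prefix some driver entries use
# Kernel drivers are often registered relative to the Windows directory.
if ($exe -and -not [IO.Path]::IsPathRooted($exe)) { $exe = Join-Path $env:SystemRoot $exe }

Write-Host "Service   : $Name"
Write-Host "ImagePath : $imagePath"
Write-Host "Executable: $exe"

if ([string]::IsNullOrEmpty($exe)) {
    Write-Host "No ImagePath recorded; inspect the key by hand before deleting."
    return
}
if (Test-Path $exe) {
    Write-Host "The binary exists, so this is not an orphaned entry; leaving it alone."
    return
}
if (-not $Remove) {
    Write-Host "Orphaned entry (binary missing). Re-run with -Remove to disable, stop and delete it."
    return
}

# The same three sc.exe steps as remove.bat; "start=" must be followed by a space.
# Exit code 1062 from "stop" only means the service was not running, which is expected here.
$steps = @(
    @('config', $Name, 'start=', 'disabled'),
    @('stop',   $Name),
    @('delete', $Name)
)
foreach ($step in $steps) {
    $output = & sc.exe $step 2>&1
    $text = ($output | Out-String).Trim()
    Write-Host ("sc {0} -> exit code {1}`n{2}" -f ($step -join ' '), $LASTEXITCODE, $text)
}
```

Save it as Remove-OrphanedService.ps1 and run `powershell -ExecutionPolicy Bypass -File .\Remove-OrphanedService.ps1` for the report; add `-Remove` only once the report says the binary is missing. The log from the thread is a good illustration of why the check matters: the ImagePath is `c:\windows\system32\GameMon.des -service`, so the argument has to be stripped before the path can be tested at all.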
 
You still have 1 remaining infection.

Open Notepad and copy and paste the text present inside the code box below.

Code:
File::
c:\windows\IFinst27.exe


Save this as CFScript.txt and change the Save as type to All Files and place it on your desktop.

If combofix.exe is not located on your desktop, please move it there now.

Click and drag CFScript.txt into ComboFix.exe.

[image: CFScriptB-4.gif]



ComboFix will now run a scan on your system. It may reboot your system when it finishes; this is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply, along with a new HijackThis log.

COMBOFIX LOG:
ComboFix 09-12-03.03 - Nhan Nguyen 12/03/2009 19:38.2.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2901 [GMT -6:00]
Running from: c:\documents and settings\Nhan Nguyen\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Nhan Nguyen\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 091127-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"c:\windows\IFinst27.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IFinst27.exe

Infected copy of c:\windows\system32\hid.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\hid.dll

Infected copy of c:\windows\system32\midimap.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\midimap.dll

.
((((((((((((((((((((((((( Files Created from 2009-11-04 to 2009-12-04 )))))))))))))))))))))))))))))))
.

2009-12-04 01:31 . 2009-12-04 01:31 -------- d-----w- c:\program files\CCleaner
2009-12-03 22:12 . 2009-11-24 23:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-12-03 22:12 . 2009-11-24 23:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-12-03 22:12 . 2009-11-24 23:47 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-12-03 22:12 . 2009-11-24 23:47 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-12-03 22:12 . 2009-11-24 23:51 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-12-03 22:12 . 2009-11-24 23:50 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-12-03 22:12 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-12-03 22:12 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-12-03 22:12 . 2009-11-24 23:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-12-03 20:35 . 2009-12-03 20:35 -------- d-----w- c:\windows\system32\wbem\Repository
2009-12-03 20:35 . 2009-12-03 20:35 -------- d-----w- c:\program files\Common Files\Software Update Utility
2009-12-03 20:34 . 2009-12-03 20:34 -------- d-----w- c:\program files\Gigabyte
2009-12-03 00:24 . 2009-12-03 20:34 -------- d-----w- c:\program files\Heroes of Newerth(2)
2009-12-02 14:14 . 2009-12-02 14:14 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2009-11-22 20:32 . 2009-11-22 20:32 152576 ----a-w- c:\documents and settings\Nhan Nguyen\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-20 17:18 . 2009-11-20 17:18 -------- d-----w- c:\program files\Gravity
2009-11-17 06:43 . 2009-11-17 06:43 -------- d-----w- c:\program files\Ventrilo
2009-11-10 21:49 . 2009-11-10 21:49 1408800 ----a-w- c:\documents and settings\Nhan Nguyen\Application Data\Move Networks\MoveMediaPlayerWin_071505000011.exe
2009-11-10 00:24 . 2009-11-10 00:24 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM
2009-11-10 00:24 . 2009-11-10 00:24 -------- d-----w- c:\program files\AIM
2009-11-10 00:01 . 2009-11-10 00:03 -------- d-----w- c:\program files\CA Yahoo! Anti-Spy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-04 01:25 . 2009-08-20 16:31 -------- d-----w- c:\program files\McAfee
2009-12-03 23:50 . 2009-08-20 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-12-03 23:29 . 2009-08-20 16:14 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-12-03 23:26 . 2009-09-22 01:25 -------- d-----w- c:\program files\Warcraft III
2009-12-03 22:32 . 2009-08-20 16:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-03 22:32 . 2009-09-21 03:32 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-03 22:14 . 2009-07-23 16:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 22:13 . 2009-07-23 16:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-03 20:34 . 2009-10-17 00:57 -------- d-----w- c:\documents and settings\Nhan Nguyen\Application Data\Move Networks
2009-12-03 20:33 . 2009-08-20 16:14 -------- d-----w- c:\documents and settings\Nhan Nguyen\Application Data\Ventrilo
2009-12-02 06:50 . 2009-08-20 16:14 -------- d-----w- c:\documents and settings\Nhan Nguyen\Application Data\vlc
2009-12-02 01:14 . 2009-08-20 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-12-01 21:16 . 2009-10-26 00:42 -------- d-----w- c:\program files\Steam
2009-12-01 20:35 . 2009-09-22 01:28 77674 ----a-w- c:\windows\War3Unin.dat
2009-12-01 20:04 . 2009-08-20 15:20 17488 ----a-w- c:\windows\gdrv.sys
2009-11-23 07:49 . 2009-10-17 15:17 -------- d-----w- c:\program files\PeerGuardian2
2009-11-22 20:22 . 2009-08-20 16:28 -------- d-----w- c:\program files\DivX
2009-11-17 06:43 . 2009-08-20 16:28 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-10 21:49 . 2009-10-17 00:57 127325 ----a-w- c:\documents and settings\Nhan Nguyen\Application Data\Move Networks\uninstall.exe
2009-11-10 21:49 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\Nhan Nguyen\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-11-10 19:31 . 2009-08-21 14:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-05 19:04 . 2009-08-22 02:33 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-03 05:37 . 2009-10-06 00:13 -------- d-----w- c:\documents and settings\Nhan Nguyen\Application Data\gtk-2.0
2009-11-01 22:41 . 2009-11-01 22:40 -------- d-----w- c:\program files\iTunes
2009-11-01 22:40 . 2009-11-01 22:40 -------- d-----w- c:\program files\iPod
2009-11-01 22:40 . 2009-08-20 16:27 -------- d-----w- c:\program files\Common Files\Apple
2009-11-01 22:35 . 2009-11-01 22:35 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-26 21:59 . 2009-08-20 16:28 -------- d-----w- c:\program files\CPUID
2009-10-26 21:57 . 2009-08-20 16:30 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-26 21:55 . 2009-10-12 23:26 -------- d-----w- c:\program files\Nexus Radio
2009-10-19 00:27 . 2009-08-20 16:27 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-18 15:39 . 2009-10-18 15:39 -------- d-----w- c:\program files\Trend Micro
2009-10-17 00:57 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\Nhan Nguyen\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-10-14 04:21 . 2009-10-14 04:21 -------- d-----w- c:\documents and settings\Nhan Nguyen\Application Data\IrfanView
2009-10-13 18:17 . 2009-10-13 18:17 -------- d-----w- c:\program files\Microsoft
2009-10-13 18:17 . 2009-10-13 18:17 -------- d-----w- c:\program files\Windows Live
2009-10-13 18:17 . 2009-10-13 18:17 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-10-13 18:13 . 2009-10-13 18:13 -------- d-----w- c:\program files\Common Files\Windows Live
2009-10-13 00:12 . 2009-10-13 00:12 717296 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-10-13 00:12 . 2009-10-13 00:12 -------- d-----w- c:\program files\LSoft Technologies Inc
2009-10-11 10:17 . 2009-08-21 09:47 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-06 21:47 . 2009-08-20 16:14 -------- d-----w- c:\documents and settings\Nhan Nguyen\Application Data\Apple Computer
2009-09-22 01:34 . 2009-09-22 01:28 2829 ----a-w- c:\windows\War3Unin.pif
2009-09-22 01:34 . 2009-09-22 01:28 139264 ----a-w- c:\windows\War3Unin.exe
2009-09-11 14:18 . 2004-08-04 05:56 136192 ----a-w- c:\windows\system32\msv1_0.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-12-04_00.06.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-04 01:44 . 2009-12-04 01:44 16384 c:\windows\Temp\Perflib_Perfdata_660.dat
+ 2009-12-04 01:44 . 2009-12-04 01:44 16384 c:\windows\Temp\Perflib_Perfdata_4c0.dat
+ 2009-12-04 01:36 . 2009-12-04 01:36 16384 c:\windows\Temp\Perflib_Perfdata_4b4.dat
+ 2001-08-23 11:00 . 2009-12-04 01:40 40836 c:\windows\system32\perfc009.dat
- 2001-08-23 11:00 . 2009-12-04 00:02 40836 c:\windows\system32\perfc009.dat
+ 2001-08-23 11:00 . 2009-12-04 01:40 314508 c:\windows\system32\perfh009.dat
- 2001-08-23 11:00 . 2009-12-04 00:02 314508 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Core Temp"="c:\documents and settings\Nhan Nguyen\Desktop\Core Temp.exe" [2009-01-23 319504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"SunJavaUpdateSched"="e:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Apple Mobile Device"=2 (0x2)
"Bonjour Service"=2 (0x2)
"iPod Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\SiSoftware\\SiSoftware Sandra Professional Home 2009.SP3c\\RpcAgentSrv.exe"=
"e:\\Program Files\\SiSoftware\\SiSoftware Sandra Professional Home 2009.SP3c\\WNt500x86\\RpcSandraSrv.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\SUPDSvc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/12/2009 6:12 PM 717296]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [12/3/2009 4:12 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/3/2009 4:12 PM 20560]
R2 BCUService;Browser Configuration Utility Service;c:\program files\DeviceVM\Browser Configuration Utility\BCUService.exe [8/20/2009 9:08 AM 212232]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/22/2009 11:49 PM 93320]
R3 ALSysIO;ALSysIO;\??\c:\docume~1\NHANNG~1\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\NHANNG~1\LOCALS~1\Temp\ALSysIO.sys [?]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 cpuz132;cpuz132;\??\c:\docume~1\NHANNG~1\LOCALS~1\Temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\NHANNG~1\LOCALS~1\Temp\cpuz132\cpuz132_x32.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 Samsung UPD Service;Samsung UPD Service;c:\windows\system32\SUPDSvc.exe [8/21/2009 10:09 AM 127656]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;e:\program files\SiSoftware\SiSoftware Sandra Professional Home 2009.SP3c\RpcAgentSrv.exe [8/21/2009 7:43 AM 98488]
S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;c:\windows\system32\drivers\netusbxp.sys [2/20/2002 1:34 AM 72576]
S4 Norton Internet Security;Norton Internet Security;"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton Internet Security" /m "c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll" /prefetch:1 --> c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ALSYSIO
.
Contents of the 'Scheduled Tasks' folder

2009-12-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-12-03 c:\windows\Tasks\User_Feed_Synchronization-{B278C105-6434-4A00-A115-93BB4B50399C}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Nhan Nguyen\Application Data\Mozilla\Firefox\Profiles\uhuy7inl.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Nhan Nguyen\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Nhan Nguyen\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\Nhan Nguyen\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.21\Plugins\npybrowserplus_2.4.21.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: e:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: e:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF - plugin: e:\program files\Netscape6\nppl3260.dll
FF - plugin: e:\program files\Netscape6\nprjplug.dll
FF - plugin: e:\program files\Netscape6\nprpjplug.dll

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - falsec:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-03 19:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spys.sys >>UNKNOWN [0x8AFB4938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb810cf28
\Driver\ACPI -> ACPI.sys @ 0xb7e67cb8
\Driver\atapi -> atapi.sys @ 0xb7dfcb40
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3468)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
e:\program files\Java\jre6\bin\jqs.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2009-12-03 19:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-04 01:48
ComboFix2.txt 2009-12-04 00:10

Pre-Run: 74,847,563,776 bytes free
Post-Run: 74,804,502,528 bytes free

- - End Of File - - 6519D33897ADA6F4502708D866D2E938

HJT LOG:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:50:20 PM, on 12/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe
E:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Documents and Settings\Nhan Nguyen\Desktop\Core Temp.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: CStat - {DD92DE22-ED91-4560-B788-DEE2B26612E6} - C:\Program Files\DeviceVM\Browser Configuration Utility\IEHelper.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Core Temp] "C:\Documents and Settings\Nhan Nguyen\Desktop\Core Temp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1248374402312
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Browser Configuration Utility Service (BCUService) - DeviceVM, Inc. - C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Samsung UPD Service - Samsung Electronics CO., LTD. - C:\WINDOWS\system32\SUPDSvc.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - e:\Program Files\SiSoftware\SiSoftware Sandra Professional Home 2009.SP3c\RpcAgentSrv.exe

--
End of file - 6765 bytes
 
Why

I don't understand it, why did you reinstall your OS? Your computer was clean there at the end.

Well now you need to go in and update everything, and make sure all applicable policies are set to a secure level.