Micro AV Attacks again

Discussion in 'Windows - Virus and spyware problems' started by dowatnow, Sep 23, 2008.

  1. dowatnow

    dowatnow Member

    Joined:
    Sep 23, 2008
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    11
    Hi,

    I'm yet another victim of the infamous MICRO AV Spyware/Rogue Software.
I have gone through many of the posts and found that running HijackThis and pasting the log was the first thing people suggested. I have also downloaded ComboFix onto my comp. The following is the HijackThis log from my comp.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:02:52 PM, on 9/23/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
    C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    D:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE
    D:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
    C:\WINDOWS\CTHELPER.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Windows\system32\YUR23.exe
    C:\Windows\system32\YUR24.exe
    C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
    C:\Windows\system32\YUR25.exe
    C:\Windows\system32\YUR26.exe
    D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Hareesh.HAREESH-48E88FE\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    D:\Program Files\Microsoft Office\Office12\WINWORD.EXE
    D:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
    O4 - HKLM\..\Run: [CTDVDDET] "D:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE"
    O4 - HKLM\..\Run: [CTSysVol] D:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
    O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [\YUR23.exe] C:\Windows\system32\YUR23.exe
    O4 - HKLM\..\Run: [\YUR24.exe] C:\Windows\system32\YUR24.exe
    O4 - HKLM\..\Run: [\YUR25.exe] C:\Windows\system32\YUR25.exe
    O4 - HKLM\..\Run: [\YUR26.exe] C:\Windows\system32\YUR26.exe
    O4 - HKLM\..\Run: [\YUR1.exe] C:\Windows\system32\YUR1.exe
    O4 - HKLM\..\Run: [\YUR2.exe] C:\Windows\system32\YUR2.exe
    O4 - HKLM\..\Run: [\YUR3.exe] C:\Windows\system32\YUR3.exe
    O4 - HKLM\..\Run: [\YUR4.exe] C:\Windows\system32\YUR4.exe
    O4 - HKLM\..\RunOnce: [Index.dat cleaner] D:\Program Files\Internet Cleaner\delindex.exe
    O4 - HKCU\..\Run: [Creative Detector] D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [\YUR23.exe] C:\Windows\system32\YUR23.exe
    O4 - HKCU\..\Run: [\YUR24.exe] C:\Windows\system32\YUR24.exe
    O4 - HKCU\..\Run: [\YUR25.exe] C:\Windows\system32\YUR25.exe
    O4 - HKCU\..\Run: [\YUR26.exe] C:\Windows\system32\YUR26.exe
    O4 - HKCU\..\Run: [\YUR1.exe] C:\Windows\system32\YUR1.exe
    O4 - HKCU\..\Run: [\YUR2.exe] C:\Windows\system32\YUR2.exe
    O4 - HKCU\..\Run: [\YUR3.exe] C:\Windows\system32\YUR3.exe
    O4 - HKCU\..\Run: [\YUR4.exe] C:\Windows\system32\YUR4.exe
    O4 - HKCU\..\Run: [Internet Cleaner] D:\Program Files\Internet Cleaner\ICleaner.exe -c
    O4 - HKCU\..\RunOnce: [Index.dat cleaner] D:\Program Files\Internet Cleaner\delindex.exe
    O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Internet Cleaner - {45819E58-6E84-4A5D-BD65-A706981E5BE8} - D:\Program Files\Internet Cleaner\ICleaner.exe (HKCU)
    O9 - Extra 'Tools' menuitem: Internet Cleaner - {45819E58-6E84-4A5D-BD65-A706981E5BE8} - D:\Program Files\Internet Cleaner\ICleaner.exe (HKCU)
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
    O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NBService - Nero AG - D:\Program Files\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
    O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 8512 bytes

    HELP ME OUT PLEASE..!!
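The HijackThis log above is read by eye in this thread. As an added example (not from the thread and not part of Trend Micro's tool), here is a small Python triage script that parses the O4 autostart lines and flags the things a log reviewer looks for: a value name that begins with a backslash, a name that merely restates the file name, a short letters-plus-digits executable dropped directly into system32, and the same file registered under both HKLM and HKCU. The sample lines are constructed from the log above, and the heuristics are this example's own: they prioritise what to inspect, they are not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample: O4 lines in the shape HijackThis prints them, copied
# from the kind of log posted in this thread (the paths are the log's own).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [\YUR23.exe] C:\Windows\system32\YUR23.exe
O4 - HKLM\..\Run: [\YUR24.exe] C:\Windows\system32\YUR24.exe
O4 - HKCU\..\Run: [\YUR23.exe] C:\Windows\system32\YUR23.exe
O4 - HKCU\..\Run: [Creative Detector] D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKLM\..\RunOnce: [Index.dat cleaner] D:\Program Files\Internet Cleaner\delindex.exe
"""

# "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# First file-like token of a command line, quoted or not.
FILE_RE = re.compile(r'^"?(?P<file>.+?\.(?:exe|dll|cpl|scr|com))"?(?:\s|,|$)', re.I)
# Heuristic (this example's own): short letters+digits executable directly in system32.
GENERIC_SYS32_RE = re.compile(r'\\system32\\[a-z]{2,4}\d{1,3}\.exe$', re.I)


def parse_o4(line):
    """Return hive, key, value name and command of one O4 line, or None."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def launched_file(cmd):
    """File the entry really runs; for RUNDLL32 entries that is the DLL argument."""
    m = FILE_RE.match(cmd.strip())
    if not m:
        return cmd.strip()
    first = m.group('file')
    if first.rsplit('\\', 1)[-1].upper() == 'RUNDLL32.EXE':
        rest = cmd.strip()[m.end():].strip()
        m2 = FILE_RE.match(rest)
        if m2:
            return m2.group('file')
    return first


def triage(log_text):
    """Map each launched file that trips a heuristic to the list of reasons."""
    by_file = defaultdict(lambda: {'hives': set(), 'names': set()})
    for line in log_text.splitlines():
        e = parse_o4(line)
        if e:
            f = launched_file(e['cmd'])
            by_file[f]['hives'].add(e['hive'])
            by_file[f]['names'].add(e['name'])

    findings = {}
    for f, info in by_file.items():
        base = f.rsplit('\\', 1)[-1]
        reasons = []
        if any(n.startswith('\\') for n in info['names']):
            reasons.append('value name begins with a backslash')
        if any(n.lstrip('\\').lower() == base.lower() for n in info['names']):
            reasons.append('value name merely restates the file name')
        if GENERIC_SYS32_RE.search(f):
            reasons.append('short letters+digits executable directly in system32')
        if len(info['hives']) > 1:
            reasons.append('registered under both ' + ' and '.join(sorted(info['hives'])))
        if reasons:
            findings[f] = reasons
    return findings


if __name__ == '__main__':
    for f, reasons in triage(SAMPLE_LOG).items():
        print(f)
        for r in reasons:
            print('   -', r)
```

Run against the sample, only the two `YUR` executables are reported; the vendor entries (Symantec, NVIDIA, Creative) trip nothing. Feeding it a full log is a matter of reading the file into `triage()`.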
     
  2. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Hi dowatnow

    Delete your current version of Combofix, and follow the instructions below.

    Now, please download ComboFix.
    With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    Also disable your internet connection.


    • Run Combo-Fix.exe and follow the prompts.
    **Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComboFix window, as it may cause it to stall.

    Best Regards :D
     
  3. dowatnow

    dowatnow Member

    Joined:
    Sep 23, 2008
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    11
    Hi cdavfrew,

    Thanks for choosing to help me out here..!!

    I downloaded another copy of COMBO FIX and saved the file as instructed. During the file execution the machine was restarted automatically and a log file was created.

    Please find the info from the log file below

    ComboFix 08-09-20.05 - Hareesh 2008-09-23 18:55:40.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2584 [GMT 5.5:30]
    Running from: C:\Documents and Settings\Hareesh.HAREESH-48E88FE\Desktop\Combo-Fix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\MicroAV
    C:\Program Files\MicroAV\MicroAV.cpl
    C:\Program Files\MicroAV\MicroAV.exe
    C:\Program Files\MicroAV\MicroAV.ooo
    C:\Program Files\MicroAV\MicroAV0.dat
    C:\Program Files\MicroAV\MicroAV1.dat
    C:\Program Files\PCHealthCenter\0.exe
    C:\Program Files\PCHealthCenter\0.gif
    C:\Program Files\PCHealthCenter\1.exe
    C:\Program Files\PCHealthCenter\1.gif
    C:\Program Files\PCHealthCenter\1.ico
    C:\Program Files\PCHealthCenter\2.exe
    C:\Program Files\PCHealthCenter\2.gif
    C:\Program Files\PCHealthCenter\2.ico
    C:\Program Files\PCHealthCenter\3.exe
    C:\Program Files\PCHealthCenter\3.gif
    C:\Program Files\PCHealthCenter\4.exe
    C:\Program Files\PCHealthCenter\5.exe
    C:\Program Files\PCHealthCenter\7.exe
    C:\Program Files\PCHealthCenter\sc.html
    C:\WINDOWS\system32\1.ico
    C:\WINDOWS\system32\2.ico

    .
    ((((((((((((((((((((((((( Files Created from 2008-08-23 to 2008-09-23 )))))))))))))))))))))))))))))))
    .

    2008-09-23 12:02 . 2008-09-23 12:02 <DIR> d-------- C:\Program Files\Trend Micro
    2008-09-22 23:37 . 2008-09-23 18:59 <DIR> d-------- C:\Program Files\PCHealthCenter
    2008-09-22 01:21 . 2008-09-19 03:06 166,400 --a------ C:\WINDOWS\system32\MicroAV.cpl
    2008-09-13 16:41 . 2008-09-20 12:17 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
    2008-08-23 12:58 . 2004-04-30 09:37 160,640 --a------ C:\WINDOWS\system32\drivers\a347bus.sys
    2008-08-23 12:58 . 2004-04-30 09:33 5,248 --a------ C:\WINDOWS\system32\drivers\a347scsi.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-23 13:30 --------- d-----w C:\Program Files\Symantec AntiVirus
    2008-09-22 17:45 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft Help
    2008-09-22 15:42 --------- d-----w C:\Documents and Settings\Hareesh.HAREESH-48E88FE\Application Data\Creative
    2008-09-05 06:28 --------- d-----w C:\Program Files\Google
    2008-08-15 13:39 --------- d-----w C:\Documents and Settings\Hareesh.HAREESH-48E88FE\Application Data\U3
    2008-08-05 11:42 --------- d-----w C:\Documents and Settings\Hareesh.HAREESH-48E88FE\Application Data\COWON
    .

    ((((((((((((((((((((((((((((( snapshot@2008-09-22_23.21.26.65 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-09-21 15:48:21 197,752 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
    + 2008-09-22 17:56:01 197,752 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Creative Detector"="D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-01-15 147456]
    "Internet Cleaner"="D:\Program Files\Internet Cleaner\ICleaner.exe" [2007-10-15 729600]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTDVDDET"="D:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
    "CTSysVol"="D:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe" [2005-02-15 57344]
    "RCSystem"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 49152]
    "AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 49152]
    "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 90112]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
    "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-21 7630848]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-21 86016]
    "CTHelper"="CTHELPER.EXE" [2005-06-18 C:\WINDOWS\CTHELPER.EXE]
    "nwiz"="nwiz.exe" [2006-10-21 C:\WINDOWS\system32\nwiz.exe]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.l3fhg"= mp3fhg.acm
    "VIDC.X264"= x264vfw.dll
    "VIDC.HFYU"= huffyuv.dll
    "vidc.i263"= i263_32.drv
    "VIDC.YV12"= yv12vfw.dll
    "msacm.ac3filter"= ac3filter.acm
    "msacm.divxa32"= divxa32.acm

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2008-01-11 22:16 39792 D:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    --a----t- 2008-09-03 20:16 133104 C:\Documents and Settings\Hareesh.HAREESH-48E88FE\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2006-01-12 15:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "mW[íµ�ˆÖ¾`=µú¾˜v%S8’ÿÙêé>grl>�­Ý\†Ð=ŸàÛ±Þ"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
    "D:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "D:\\Downloads\\Adobe Photoshop CS3 Extended Incl. Keygen\\Keygen\\Adobe Photoshop CS3 Extended VOLUME LICENSE KEYGEN.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "16628:TCP"= 16628:TCP:BitComet 16628 TCP
    "16628:UDP"= 16628:UDP:BitComet 16628 UDP


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5edeab1-4b0f-11dd-aacd-0018f3a32264}]
    \Shell\AutoRun\command - K:\System\DriveGuard\DriveProtect.exe -run 
    \Shell\Explore\Command - K:\System\DriveGuard\DriveProtect.exe -run  
    \Shell\Open\Command - K:\System\DriveGuard\DriveProtect.exe -run 

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8bd0180-6aa1-11dd-abbc-0018f3a32264}]
    \Shell\AutoRun\command - J:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8bd0181-6aa1-11dd-abbc-0018f3a32264}]
    \Shell\AutoRun\command - L:\System\Security\FlashGuard.exe -run
    \Shell\Explore\Command - L:\System\Security\FlashGuard.exe --run
    \Shell\Open\Command - L:\System\Security\FlashGuard.exe -run
    .
    Contents of the 'Scheduled Tasks' folder
    .
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\Hareesh.HAREESH-48E88FE\Application Data\Mozilla\Firefox\Profiles\z1yp958q.default\
    FF -: plugin - C:\Documents and Settings\Hareesh.HAREESH-48E88FE\Local Settings\Application Data\Google\Update\1.2.131.11\npGoogleOneClick5.dll
    FF -: plugin - D:\Program Files\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
    FF -: plugin - D:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
    FF -: plugin - D:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
    FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\npBitCometAgent.dll
    FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\npnul32.dll
    FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\NPOFF12.DLL
    FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
    FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\nppl3260.dll
    FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-23 19:00:51
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\CTSVCCDA.EXE
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\Apache.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
    C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\Apache.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Combo-Fix\pv.cfexe
    .
    **************************************************************************
    .
    Completion time: 2008-09-23 19:06:48 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-09-23 13:36:43
    ComboFix2.txt 2008-09-22 17:52:40

    Pre-Run: 8,423,903,232 bytes free
    Post-Run: 8,402,759,680 bytes free

    169 --- E O F --- 2008-09-20 06:37:03


There were also 2 PORNO Shortcut Icons on the desktop which I still see and which have not been removed. Other than that everything looks fine for now.

    Regards
    Dowatnow
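Two things in the ComboFix "Reg Loading Points" section above deserve a second look that the thread does not call out: the Security Center values `AntiVirusOverride` and `Monitoring\SymantecAntiVirus\DisableMonitoring` are both set to 1, and the `mountpoints2` keys record AutoRun commands for removable drives. As an added example (not ComboFix's own code, nor anything from this thread), here is a Python parser for that REGEDIT4-style section that reports those entries. The sample is constructed from the log above. Caveat on the Security Center entries: a `Monitoring\<vendor>\DisableMonitoring` value is the documented way for a third-party product to tell Security Center it reports its own status, and the `*Override` values are also set when a user tells Security Center to stop watching a component, so these are prompts to verify, not proof of tampering.

```python
import re

# Constructed sample in the shape of ComboFix's "Reg Loading Points" section,
# taken from the log posted above (one benign Run entry, two Security Center
# values and two removable-drive mountpoints2 blocks).
SAMPLE = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5edeab1-4b0f-11dd-aacd-0018f3a32264}]
\Shell\AutoRun\command - K:\System\DriveGuard\DriveProtect.exe -run
\Shell\Explore\Command - K:\System\DriveGuard\DriveProtect.exe -run
\Shell\Open\Command - K:\System\DriveGuard\DriveProtect.exe -run

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8bd0180-6aa1-11dd-abbc-0018f3a32264}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
"""

SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
# ComboFix prints mountpoints2 verbs as "\Shell\<verb>\command - <command line>"
AUTORUN_RE = re.compile(r'^(?P<verb>\\Shell\\\S+)\s+-\s+(?P<cmd>.+)$')

# Windows Security Center values that, when set to 1, suppress its
# antivirus / firewall / updates status checks or the alerts about them.
SC_OVERRIDES = {'antivirusoverride', 'firewalloverride', 'updatesoverride',
                'antivirusdisablenotify', 'firewalldisablenotify', 'updatesdisablenotify'}


def parse_reg_points(text):
    """Yield (key, name, data) for REGEDIT4 value lines and mountpoints2 verb lines."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            key = m.group('key')
            continue
        if key is None:
            continue  # REGEDIT4 header or stray text before the first section
        m = VALUE_RE.match(line) or AUTORUN_RE.match(line)
        if m:
            yield key, m.group(1), m.group(2)


def dword(data):
    """Integer value of a 'dword:XXXXXXXX' literal, else None."""
    m = re.fullmatch(r'dword:([0-9a-fA-F]{8})', data.strip())
    return int(m.group(1), 16) if m else None


def check_reg_points(text):
    """Return (kind, subject, detail) triples for the entries worth a second look."""
    findings = []
    for key, name, data in parse_reg_points(text):
        k, n = key.lower(), name.lower()
        if k.endswith('\\security center') and n in SC_OVERRIDES and dword(data) == 1:
            findings.append(('security-center-override', name, key))
        elif '\\security center\\monitoring\\' in k and n == 'disablemonitoring' and dword(data) == 1:
            findings.append(('security-center-monitoring-off', key.rsplit('\\', 1)[-1], key))
        elif '\\mountpoints2\\' in k and n.startswith('\\shell\\'):
            findings.append(('removable-drive-autorun', name, data))
    return findings


if __name__ == '__main__':
    for kind, subject, detail in check_reg_points(SAMPLE):
        print(f'{kind:32} {subject:28} {detail}')
```

The mountpoints2 findings are worth reading alongside the `Files Created` section: they name the program a removable drive asks Explorer to run when it is opened, which is a common way for an infection to ride a USB stick between machines, so each listed command should be recognisable (the U3 launcher on J: is a known vendor utility; the `DriveProtect`/`FlashGuard` ones would need checking).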
     
  4. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Hey dowatnow

    Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    Also disable your internet connection.


    Open Notepad and copy/paste the text in the code box below into it:

    Code:
    File::
    C:\WINDOWS\system32\MicroAV.cpl

    Folder::
    C:\Program Files\PCHealthCenter

    Save this as CFScript.txt in the same folder as ComboFix.

    Then drag the CFScript.txt into Combo-Fix.exe.

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the ComboFix log here. The log will be located at C:\ComboFix(.txt).

Do not click on the ComboFix window, as it may cause it to stall.

    After that, post a new HijackThis log and tell me what problems you have left.

    Best Regards :D
     
  5. dowatnow

    dowatnow Member

    Joined:
    Sep 23, 2008
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    11
    Hi cdavfrew,

Before I worked on what you mentioned, I happened to go to the Control Panel and found something strange there.
    Please check the same [IMG]
    I'm not sure if the image is gonna come through. But basically I saw an icon that is not supposed to be there.
    Any suggestions before I work upon the next set of troubleshooting steps?

    Your patience and support is appreciated

    Regards
    Dowatnow
     
  6. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Hey dowatnow

    Doing what I told you to will remove the icon.

    Also, after you have completed the previous set of instructions, please follow these new ones as well.

    Please download Superantispyware Free and install it. Follow the prompts and reboot if required.

    Launch Superantispyware Free either by running C:\Program Files\SUPERANTISPYWARE.exe or right-click on the SuperAntispyware icon in your task bar (it looks like a bug) and click on Scan for Spyware, Adware, Malware...

    Configuring SuperAntispyware

    • Click on Preferences.
• In the tab General and Startup, make sure the box Start SuperAntispyware when Windows starts is unchecked. This will prevent SuperAntispyware from starting every time, because it may interfere with other fixes that may be run.
    • Navigate to the tab Scanning Control.
    • Make sure only these boxes are checked:
    Code:
    Close browsers before scanning
    Scan for tracking cookies
    Terminate memory threats before quarantining
    Scan Alternate Data Streams
    Use Kernel Direct File Access (recommended)
    Use Kernel Direct Registry Access (recommended)
    Use Direct Disk Access (recommended)
    • Click on Close.

    Updating SuperAntispyware

    • At the main window, click on Check for Updates....
    • Wait for SuperAntispyware to be fully updated.

    Scanning Time

    • Boot into safe mode by repeatedly pressing the F8 key after you press the power button. If safe mode does not work, tell me and do the scan in normal mode.
    • Launch SuperAntispyware.
    • At the main window, click on Scan your Computer....
    • Make sure all drives (excluding CD drives) are checked, select Perform Complete Scan, and then click on Next.
    • Wait for the scan to complete, and then click on Next>. This will quarantine and remove all detected items.
    Reboot your computer.

    Post A Log

    • Launch SuperAntispyware
    • Click on Preferences
    • Navigate to the tab Statistics/Logs.
• Choose the latest scan log, and then click on View Log....
    Copy and paste the contents of the log here in your next post.

    Best Regards :D
     
