-
April 24th, 2008, 12:51 PM
#1
The application or DLL C:\WINNT\system32 is not a valid Windows image
Actually, another friend's computer gets this message at start-up: "The application or DLL C:\WINNT\system32\__c00798B8.dat is not a valid Windows image. Please check this against your installation diskette." When we hit the "OK" button it cycles through an endless list of applications; here are some of them:
manhattan:SBTV.exe
ctfmon.exe
hpcmpmgr.exe
Yahoo!Messenger:YAHOOM~1.EXE
HideWindow:devcheck.exe
hpotdd01.exe
BJCFD:CFD.exe
The computer takes almost literally hours to finish the startup process, while many pop-up windows show:
Spyware Doctor
Malicious Action Blocked
Spyware Doctor has blocked an application ***.exe attempting to access a file.
Path: C:\WINNT\system32\__c00798B8.dat
Threat: Trojan.Virtumode
Risk: Elevated
His active desktop is gone, but we get that screen saying "Active desktop recovery>Restore my Active Desktop<"
It also takes years to shut down
I noticed he's got Live AntiSpy and Privacy Watch running during start-up. I brought his computer to my home to see what I could do about it. I am still searching for possible solutions. Do y'all think Spybot and HijackThis could do some good to his infected machine? What could be the nasty responsible for this problem?
Any suggestions?
-
April 24th, 2008, 01:18 PM
#2
Registered User
The Virtumonde Trojan that Spyware Doctor identified is also known as Vundo.
Download VundoFix.exe to your desktop:
http://www.atribune.org/ccount/click.php?id=4
* Double-click VundoFix.exe to run it.
* Click the "Scan for Vundo" button.
* Once it's done scanning, click the "Remove Vundo" button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.
* Please post the contents of C:\vundofix.txt.
Note: If VundoFix finds a file it can't remove, it will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.
It certainly can't hurt to run both Spybot and Hijack This as well.
-
April 24th, 2008, 05:41 PM
#3
Registered User
Personally, Martin, I'd go straight for ComboFix. With the variants of Virtumonde I'm encountering, I haven't found VundoFix and some of the other dedicated removers to be very effective. The current version of ComboFix has changed quite a bit from older versions, and you should read the tutorial before you run it. Be sure to rename the program before you run it. You can call it FuzzyBunny or anything you please.
It goes through a lot of removal steps, then reboots the computer, and it may run for a really long time after the restart. "Long" as in go out for coffee.
When it's done, I'd run your existing removal tools and see how things look. It certainly wouldn't hurt to run Spybot and HijackThis (again, rename it first).
-
April 24th, 2008, 11:01 PM
#4
OK, I can get to Windows 2000 Professional but...
PC Tools Spyware Doctor is disabled (my choice)
I do not have active desktop, not even the button to get it. In properties, the option for desktop is not working, and...
There are still many IE windows opening on me with offers of everything. And if I close one, they all close down.
I only ran Spybot S&D and HijackThis.
VundoFix did not find anything and I did not dare to try ComboFix; it seemed a little too complicated for a newbie like me and I do not want to cause more harm than good. But I'll probably dare to use it now.
Anywho, here is the log file from HJT from the last time:
Logfile of HijackThis v1.99.1
Scan saved at 8:37:43 PM, on 4/24/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: WeatherBug Browser Bar - powered by MyWebSearch - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [Win2KService] C:\WINNT\system32\nero.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.0.21\ShoppingReport.dll (file missing)
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.0.21\ShoppingReport.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.att.net
O15 - Trusted Zone: http://*.att.net
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1187196502281
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1187210920343
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: __c00798B8 - C:\WINNT\system32\__c00798B8.dat
O23 - Service: AFinding Service (AFinding) - Unknown owner - C:\WINNT\system32\afinding.exe
O23 - Service: UPS Service (CyberPowerUPS) - Unknown owner - C:\PowerPanel\upssrv.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINNT\system32\perfs.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINNT\system32\routing.exe
O23 - Service: SBHookSvc - Motive Communications, Inc. - C:\PROGRA~1\SBCSEL~1\SMARTB~1\SBHookSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Serv-U FTP Server (Serv-U) - Unknown owner - C:\WINNT\system32\MSupdate.exe (file missing)
O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINNT\system32\wserving.exe
If anyone knows whether or not SDFix.exe works in Windows 2000, please let me know. It worked fine for me on the last problem we all helped to solve.
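As an added example (not from this thread, HijackThis or any other tool named in it), here is a Python triage pass over HJT log lines like the ones above; it flags the kinds of entries the replies in this thread single out by hand, namely a Winlogon Notify handler that is not a .dll, a service with no publisher running from system32, the __c<hex> file-name style, and entries whose target file is missing. The sample lines are excerpted from the log posted above; the heuristics and their wording are assumptions of the example, not anything the tools themselves report.

```python
import re

# Added example, not from the thread: a triage pass over HijackThis (HJT) log lines.
# It flags what the replies pick out by hand: an O20 Winlogon Notify handler that is
# not a .dll, an O23 service with no publisher running from system32, file names in
# the __c<hex> style seen in this thread, and entries whose target file is missing.
# SAMPLE_LOG is excerpted from the HJT log posted in this thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [HotKeysCmds] C:\\WINNT\\system32\\hkcmd.exe
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\\Program Files\\ShoppingReport\\Bin\\2.0.21\\ShoppingReport.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\\WINNT\\SYSTEM32\\igfxsrvc.dll
O20 - Winlogon Notify: __c00798B8 - C:\\WINNT\\system32\\__c00798B8.dat
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\\WINNT\\System32\\dmadmin.exe
O23 - Service: WServing Service (WServing) - Unknown owner - C:\\WINNT\\system32\\wserving.exe
O23 - Service: Serv-U FTP Server (Serv-U) - Unknown owner - C:\\WINNT\\system32\\MSupdate.exe (file missing)
"""

ENTRY_RE = re.compile(r"^([OR]\d+) - (.*)$")
MISSING = "(file missing)"
# Two underscores, 'c', then hex digits, as in __c00798B8.dat and __c00663A8.exe above.
HEX_NAME_RE = re.compile(r"^__c[0-9a-f]+\.", re.IGNORECASE)


def parse_entry(line):
    """Return (section, fields) for one HJT line, or None if it is not an entry.
    Fields are the ' - ' separated parts; for O9/O20/O23 the last one is the target path."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    return section, [f.strip() for f in rest.split(" - ")]


def triage_entry(line):
    """Return (section, path, reasons) for an HJT entry, or None for a non-entry line.
    'reasons' is empty when nothing about the entry stands out."""
    parsed = parse_entry(line)
    if parsed is None:
        return None
    section, fields = parsed
    path = fields[-1]
    missing = path.endswith(MISSING)
    if missing:
        path = path[: -len(MISSING)].strip()
    name = path.rsplit("\\", 1)[-1]
    reasons = []
    if section == "O20" and not name.lower().endswith(".dll"):
        reasons.append("Winlogon Notify handler is not a .dll")
    if HEX_NAME_RE.match(name):
        reasons.append("file name matches the __c<hex> pattern")
    if section == "O23" and len(fields) >= 3:
        unknown_owner = fields[-2].lower() == "unknown owner"
        if unknown_owner and "\\system32\\" in path.lower():
            reasons.append("service with no publisher running from system32")
    if missing:
        reasons.append("target file is missing (orphaned entry)")
    return section, path, reasons


def triage_log(text):
    """Map each flagged entry's path to its reasons, in log order; clean entries are omitted."""
    report = {}
    for line in text.splitlines():
        result = triage_entry(line)
        if result and result[2]:
            report[result[1]] = result[2]
    return report


if __name__ == "__main__":
    for path, reasons in triage_log(SAMPLE_LOG).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

On the sample above it reports four entries and leaves the signed Intel handler, the VERITAS service and the Run entry alone.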
-
April 25th, 2008, 05:25 PM
#5
Registered User
Martin, you still have multiple infections, and I'd still suggest ComboFix. I didn't mean to make it sound intimidating, because the removal process is essentially automatic. I just think you should be aware, at least in a general sense, of what you'll see when it runs, and especially the potentially long time ComboFix may run after it reboots the machine. That makes the whole process a lot less scary.
-
April 25th, 2008, 07:40 PM
#6
As I write this reply in my laptop, I am trying to make a set of bootable floppy disks (it's win2k, what did y'all expect?). Then I am going for the whole enchilada with that combo fix.
-
April 25th, 2008, 08:53 PM
#7
It seems to have worked fine!!
I read your other post about Vundo, I downloaded ComboFix to my laptop and copied it to my friend's infected machine with a USB drive. After I made a bootable floppy diskette I tried it and it worked. So far no other IE window has opened on me. I will re-install HJT (with another name) and run it (or maybe not. It's too late, I have to give him his computer back tomorrow).
Anyhow, here's the ComboFix log:
ComboFix 08-04-24.1 - Medina 04/25/2008 20:38:32.1 - NTFSx86 NETWORK
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.663 [GMT -5:00]
Running from: C:\Documents and Settings\Medina\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Medina\Application Data\Install.dat
C:\Documents and Settings\Medina\Application Data\ShoppingReport
C:\Documents and Settings\Medina\Application Data\ShoppingReport\cs\Config.xml
C:\Documents and Settings\Medina\Application Data\ShoppingReport\cs\db\Aliases.dbs
C:\Documents and Settings\Medina\Application Data\ShoppingReport\cs\db\Sites.dbs
C:\Documents and Settings\Medina\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
C:\Documents and Settings\Medina\Application Data\ShoppingReport\cs\persist.dbs
C:\Documents and Settings\Medina\Application Data\ShoppingReport\cs\report\aggr_storage.xml
C:\Documents and Settings\Medina\Application Data\ShoppingReport\cs\report\send_storage.xml
C:\Documents and Settings\Medina\Application Data\ShoppingReport\cs\res2\WhiteList.dbs
C:\Documents and Settings\Medina\Application Data\SpamBlockerUtility_Icons
C:\Documents and Settings\Medina\Application Data\SpamBlockerUtility_Icons\Software_Online_8.ico
C:\Program Files\ShoppingReport
C:\Program Files\ShoppingReport\cs\persist.dbs
C:\Program Files\ShoppingReport\Uninst.exe
C:\WINNT\system32\__c00663A8.exe
C:\WINNT\system32\__c00853FF.exe
C:\WINNT\system32\__c00A930A.exe
C:\WINNT\system32\drmgs.sys
C:\WINNT\system32\eMnonnpo.ini
C:\WINNT\system32\eMnonnpo.ini2
C:\WINNT\system32\Indt2.sys
C:\WINNT\system32\mcrh.tmp
C:\WINNT\system32\routing.exe
C:\WINNT\Web\default.htt
C:\xcrashdump.dat
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_PERFMONS
-------\Legacy_ROUTING
-------\Service_perfmons
-------\Service_Routing
((((((((((((((((((((((((( Files Created from 2008-03-26 to 2008-04-26 )))))))))))))))))))))))))))))))
.
2008-04-25 20:19 . 08-04-25 20:19 127 --a------ C:\WINNT\system32\MRT.INI
2008-04-25 20:18 . 08-04-25 20:20 1,429 --a------ C:\WINNT\imsins.BAK
2008-04-25 20:09 . 08-04-25 20:32 554,278 ---h----- C:\WINNT\ShellIconCache
2008-04-25 20:03 . 08-04-25 20:03 126 --a------ C:\WINNT\system32\g73.reg
2008-04-24 20:55 . 08-04-24 20:55 <DIR> d-------- C:\VundoFix Backups
2008-04-24 13:50 . 08-04-24 13:56 44,058 --a------ C:\WINNT\wininit.ini
2008-04-24 13:32 . 08-04-25 20:02 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-24 07:56 . 03-06-19 14:05 30,768 --a------ C:\WINNT\system32\drivers\disk.sys
2008-04-22 20:44 . 08-04-22 21:02 16,384 --a------ C:\WINNT\Active Setup Log.BAK
2008-04-17 12:04 . 08-04-25 15:37 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-17 12:03 . 02-05-15 15:16 462,848 --a------ C:\WINNT\system32\msaatext.dll
2008-04-17 12:03 . 02-05-15 15:16 360,448 --a------ C:\WINNT\system32\oleacc.dll
2008-04-17 12:03 . 02-05-15 15:16 356,352 --a------ C:\WINNT\system32\oleaccrc.dll
2008-04-17 12:03 . 02-05-15 15:16 356,352 --a--c--- C:\WINNT\system32\dllcache\oleaccrc.dll
2008-04-10 17:29 . 08-04-24 22:03 <DIR> d-------- C:\Program Files\Privacy Watcher
2008-04-10 09:58 . 08-04-10 09:58 <DIR> d-------- C:\Documents and Settings\Medina\Application Data\Motive
2008-04-10 00:01 . 08-04-24 21:05 <DIR> d-------- C:\Program Files\LiveAntispy
2008-04-05 00:09 . 08-04-05 00:09 194 --a------ C:\WINNT\system32\nthk77446.bat
2008-04-02 23:41 . 08-04-02 23:41 145 --a------ C:\WINNT\system32\1.tsk
2008-04-01 18:50 . 08-04-01 18:50 183 --a------ C:\WINNT\system32\nthk7653.bat
2008-04-01 16:43 . 08-04-01 16:43 194 --a------ C:\WINNT\system32\nthk89370.bat
2008-03-27 22:09 . 08-03-27 22:09 <DIR> d-------- C:\Program Files\Scholastic
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-30 09:54 --------- d-----w C:\Documents and Settings\Medina\Application Data\Yahoo!
2008-03-28 03:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-26 04:15 --------- d-----w C:\Program Files\MSXML 4.0
2008-03-18 18:39 --------- d-----w C:\Program Files\Scholastic's Clifford
2008-03-16 03:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-08-15 16:41 271 ---h--w C:\Program Files\desktop.ini
2007-08-15 16:41 21,952 ---h--w C:\Program Files\folder.htt
1999-12-06 21:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.
------- Sigcheck -------
99-12-06 16:00 7952 9e64ad53cfd9da2d22e8a924f8c6e62c C:\WINNT\system32\svchost.exe
99-12-06 16:00 7952 9e64ad53cfd9da2d22e8a924f8c6e62c C:\WINNT\system32\dllcache\svchost.exe
03-06-19 14:05 403216 11ed538db87d8cf38017a63a82aa805d C:\WINNT\$NtUpdateRollupPackUninstall$\user32.dll
03-06-19 14:05 403216 11ed538db87d8cf38017a63a82aa805d C:\WINNT\ServicePackFiles\i386\user32.dll
07-03-06 06:17 381200 40023a7103796b1af6ca41a6dbc54775 C:\WINNT\system32\USER32.DLL
07-03-06 06:17 381200 40023a7103796b1af6ca41a6dbc54775 C:\WINNT\system32\dllcache\USER32.DLL
03-06-19 14:05 69904 0190c62de42396d78db9be771cf2403e C:\WINNT\ServicePackFiles\i386\ws2_32.dll
03-06-19 14:05 69904 0190c62de42396d78db9be771cf2403e C:\WINNT\system32\ws2_32.dll
03-06-19 14:05 181008 3980c28d116d438bbb36fb38526fde1a C:\WINNT\$NtUpdateRollupPackUninstall$\winlogon.exe
03-06-19 14:05 181008 3980c28d116d438bbb36fb38526fde1a C:\WINNT\ServicePackFiles\i386\winlogon.exe
05-04-08 06:51 186640 bb1daf6a5737652646d52665251a0265 C:\WINNT\system32\WINLOGON.EXE
05-04-08 06:51 186640 bb1daf6a5737652646d52665251a0265 C:\WINNT\system32\dllcache\WINLOGON.EXE
03-06-19 14:05 170928 fb4f2d0595bd3546a4dd915e4a9b4809 C:\WINNT\ServicePackFiles\i386\ndis.sys
03-06-19 14:05 170928 fb4f2d0595bd3546a4dd915e4a9b4809 C:\WINNT\system32\drivers\ndis.sys
03-06-19 14:05 1694080 541daef38c9c82541690aa7e6f52f654 C:\WINNT\$NtUpdateRollupPackUninstall$\ntkrnlpa.exe
07-03-05 10:52 1713536 d63ccca44ab92d8b819054e2af6202ae C:\WINNT\Driver Cache\i386\ntkrnlpa.exe
03-06-19 14:05 1694080 541daef38c9c82541690aa7e6f52f654 C:\WINNT\ServicePackFiles\i386\ntkrnlpa.exe
07-03-05 10:52 1713536 d63ccca44ab92d8b819054e2af6202ae C:\WINNT\system32\NTKRNLPA.EXE
07-03-05 10:52 1713536 d63ccca44ab92d8b819054e2af6202ae C:\WINNT\system32\dllcache\ntkrnlpa.exe
03-06-19 14:05 1719056 61a2dcfce1abf5340d2128e45b5f52b7 C:\WINNT\$NtUpdateRollupPackUninstall$\ntoskrnl.exe
07-03-05 10:51 1690880 a9b95a62c4f298aadd3bec2fdf49fcbe C:\WINNT\Driver Cache\i386\ntoskrnl.exe
03-06-19 14:05 1719056 61a2dcfce1abf5340d2128e45b5f52b7 C:\WINNT\ServicePackFiles\i386\ntoskrnl.exe
07-03-05 10:51 1690880 a9b95a62c4f298aadd3bec2fdf49fcbe C:\WINNT\system32\NTOSKRNL.EXE
07-03-05 10:51 1690880 a9b95a62c4f298aadd3bec2fdf49fcbe C:\WINNT\system32\dllcache\ntoskrnl.exe
03-06-19 14:05 243472 59cf2b7dced9111f48f51b4b570e672d C:\WINNT\explorer.exe
03-06-19 14:05 243472 59cf2b7dced9111f48f51b4b570e672d C:\WINNT\ServicePackFiles\i386\explorer.exe
05-03-21 15:13 11264 ab176f2171db704d51b8809e8a5c38bd C:\WINNT\system32\CTFMON.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [05-03-21 15:13 11264 C:\WINNT\system32\CTFMON.EXE]
-
April 25th, 2008, 08:53 PM
#8
Part II (sorry, it was too long)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 111376 C:\WINNT\system32\mobsync.exe]
"IgfxTray"="C:\WINNT\system32\igfxtray.exe" [04-11-02 09:03 155648]
"HotKeysCmds"="C:\WINNT\system32\hkcmd.exe" [04-11-02 08:59 126976]
"LTMSG"="LTMSG.exe" [03-07-14 09:52 40960 C:\WINNT\ltmsg.exe]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [03-06-25 11:24 49152]
"HPDJ Taskbar Utility"="C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe" [03-07-28 09:43 188416]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [03-04-11 15:25 212992]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [03-05-21 18:37 229437]
"Win2KService"="C:\WINNT\system32\nero.exe" [07-03-04 18:12 2052608]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [02-09-10 22:26 368706]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [06-07-21 17:19 129536]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [05-08-24 08:51 442455]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 14:05 186640]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2007-08-15 15:34:46 82026]
AT&T Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2008-01-26 20:00:41 217088]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00798B8]
C:\WINNT\system32\__c00798B8.dat
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
R0 Cdr4vsd;Cdr4vsd;C:\WINNT\system32\drivers\Cdr4vsd.sys [97-11-24 03:01 ]
R1 oreans32;oreans32;C:\WINNT\system32\drivers\oreans32.sys [07-09-02 12:34 ]
R2 AFinding;AFinding Service;C:\WINNT\system32\afinding.exe [03-06-19 14:05 ]
R2 WServing;WServing Service;C:\WINNT\system32\wserving.exe [03-06-19 14:05 ]
S2 Serv-U;Serv-U FTP Server;C:\WINNT\system32\MSupdate.exe []
*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2bf41072-b2b1-21c1-b5c1-0305f4155515}]
C:\WINNT\svchost.pif
.
Contents of the 'Scheduled Tasks' folder
"2008-02-12 02:04:18 C:\WINNT\Tasks\CCleaner.job"
- C:\Program Files\CCleaner\CCleaner.exe
"2008-03-20 13:30:08 C:\WINNT\Tasks\HP DArC Task #Hewlett-Packard#deskjet5100#MY37N3N1197A.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe+/#Hewlett-Packard#deskjet5100#MY37N3N1197A
.
************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-25 20:41:36
Windows 5.0.2195 Service Pack 4 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************************************
.
Completion time: 2008-04-25 20:43:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-26 01:43:40
Pre-Run: 75,956,490,240 bytes free
Post-Run: 76,002,865,152 bytes free
166 --- E O F --- 2008-04-26 01:22:40
-
April 26th, 2008, 04:49 AM
#9
Driver Terrier
O3 - Toolbar: WeatherBug Browser Bar - powered by MyWebSearch - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
This you need to remove - I am surprised Spybot didn't remove it... what version of Spybot are you running?
But this is the most likely candidate for your problems:
O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINNT\system32\wserving.exe
Read Here about it
-
May 8th, 2008, 11:57 AM
#10
I copied Spybot from my laptop onto a USB drive, then onto my friend's machine. It updated itself when I ran it from the infected computer. I guess that decreased Spybot's performance in some way and that's why it missed the WeatherBug browser bar. I think that should be the latest version available. Thanks for the advice on the WServing line.
-
May 13th, 2008, 03:43 AM
#11
Driver Terrier
No, that wouldn't do it... The version should be 1.5 - please check that you have version 1.5.
-
June 5th, 2008, 10:11 AM
#12