View Full Version : Virtumonde (+others?) HELP
GanymeDes
2007-09-09, 15:47
This damn Virtumonde is really annoying. Also I keep getting alerts from Avira Antivir but no matter what option I choose, they always just keep coming. So I guess I should post my HiJackThis logs now? I guess I will then.
--------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 15:44:28, on 9.9.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
D:\Program Files\NetLimiter\NetLimiter.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Razer\Tarantula\razerhid.exe
C:\Program Files\Razer\Diamondback\razerhid.exe
C:\Program Files\Razer\Diamondback\razerofa.exe
C:\Program Files\Razer\Tarantula\razertra.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Wallpaper Master\Wallpaper.exe
D:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\update.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Teamspeak2_RC2\server_windows.exe
C:\Program Files\VentriloMIX\TeamSpeakRC2 2.0.32.60.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Program Files\Winamp\winamp.exe
D:\Program Files\Last.fm\LastFM.exe
C:\Documents and Settings\GanymeDes\Työpöytä\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://localhost:3476/cgi-bin/ncgir.exe?menu/fwl_index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [NetLimiter] D:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "D:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [LogonStudio] "D:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [Tarantula] C:\Program Files\Razer\Tarantula\razerhid.exe
O4 - HKLM\..\Run: [Diamondback] C:\Program Files\Razer\Diamondback\razerhid.exe
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\bhwgunfl.dll",forkonce
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WallpaperChanger] D:\Program Files\Wallpaper Master\Wallpaper.exe
O4 - HKCU\..\Run: [MessengerPlus3] "D:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Last.fm Helper.lnk = D:\Program Files\Last.fm\LastFMHelper.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
steamwiz
2007-09-10, 00:23
Hi
Please rename your hijackthis.exe file ...
from this :-
C:\Documents and Settings\GanymeDes\Työpöytä\hijackthis\HijackThis.exe
To this :-
C:\Documents and Settings\GanymeDes\Työpöytä\hijackthis\problems.exe.exe
Some vundo entries will hide from hijackthis unless you rename it first.
steam
GanymeDes
2007-09-10, 01:16
Did as you said. Here you go.
----------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 1:12:01, on 10.9.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
D:\Program Files\NetLimiter\NetLimiter.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Razer\Tarantula\razerhid.exe
C:\Program Files\Razer\Diamondback\razerhid.exe
C:\Program Files\Razer\Diamondback\razerofa.exe
C:\Program Files\Razer\Tarantula\razertra.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Wallpaper Master\Wallpaper.exe
D:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Teamspeak2_RC2\server_windows.exe
C:\Program Files\VentriloMIX\TeamSpeakRC2 2.0.32.60.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Program Files\Winamp\winamp.exe
D:\Program Files\Last.fm\LastFM.exe
D:\Program Files\Winamp\winamp.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\GanymeDes\Työpöytä\hijackthis\problems.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://localhost:3476/cgi-bin/ncgir.exe?menu/fwl_index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: Adobe PDF Reader -linkkiavustaja - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0FE5DF9B-370D-4275-AFB2-3BFFBE75655F} - (no file)
O2 - BHO: (no name) - {1C3C4699-B285-475F-BE47-0B26088CE876} - \iesplg.dll (file missing)
O2 - BHO: (no name) - {39C6B6C8-E01E-3175-B583-04FDA1EE088B} - C:\Program Files\Rghoitgp\klvarnvp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {984544AB-5FA6-46AF-BE1D-E21804DAD281} - C:\WINDOWS\system32\rqrqopq.dll (file missing)
O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINDOWS\system32\vsuhiina.dll (file missing)
O2 - BHO: (no name) - {EA94B01E-1590-4144-BAD1-7B1A4B5A2D41} - C:\WINDOWS\system32\ddabx.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [NetLimiter] D:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "D:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [LogonStudio] "D:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [Tarantula] C:\Program Files\Razer\Tarantula\razerhid.exe
O4 - HKLM\..\Run: [Diamondback] C:\Program Files\Razer\Diamondback\razerhid.exe
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\bhwgunfl.dll",forkonce
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WallpaperChanger] D:\Program Files\Wallpaper Master\Wallpaper.exe
O4 - HKCU\..\Run: [MessengerPlus3] "D:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Last.fm Helper.lnk = D:\Program Files\Last.fm\LastFMHelper.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: rqrqopq - rqrqopq.dll (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
steamwiz
2007-09-10, 21:16
Hi
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
1. Double-click VundoFix.exe to run it.
2. When VundoFix re-opens, click the Scan for Vundo button.
3. Once it's done scanning, click the Remove Vundo button.
4. You will receive a prompt asking if you want to remove the files, click "YES".
5. Once you click yes, your desktop will go blank as it starts removing Vundo.
6. When completed, it will prompt that it will reboot your computer, click "OK".
7. Please post the contents of C:\vundofix.txt
If vundofix cannot delete a file, it will try to delete it during a reboot, after the reboot vundofix will open again, you must run vundofix again, from "Click the Scan for Vundo button" ... and you must keep running vundofix until it does delete the file... I've known a stubborn vundo file take 5 or 6 reboots before it is deleted...
Keep running vundofix untill it gives you the message "no infected files were found"
THEN ...
Please download Combofix: http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
and save to the desktop.
1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new hijackthis log.
Notes:
* Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
* Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.
Please remember to post ...
1. C:\vundofix.txt
2. C:\ComboFix.txt
3. A new hijackthis log (run after the other 2 programs)
steam
GanymeDes
2007-09-11, 13:49
Followed your instructions. Just so you know, that as I'm posting this I'm still getting pop-ups from Avira Antivir, but I guess you can see that from the logs.
Anyways, here is the vundofix.txt:
VundoFix V6.5.8
Checking Java version...
Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.
Scan started at 13:27:40 11.9.2007
Listing files found while scanning....
C:\WINDOWS\system32\bhwgunfl.dll
C:\windows\system32\drvnopr.dll
C:\WINDOWS\system32\lfnugwhb.ini
C:\WINDOWS\system32\vsuhiina.dll
Beginning removal...
Attempting to delete C:\windows\system32\drvnopr.dll
C:\windows\system32\drvnopr.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\lfnugwhb.ini
C:\WINDOWS\system32\lfnugwhb.ini Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.5.8
Checking Java version...
Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.
Scan started at 13:32:03 11.9.2007
Listing files found while scanning....
No infected files were found.
VundoFix V6.5.8
Checking Java version...
Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.
Scan started at 13:35:33 11.9.2007
Listing files found while scanning....
No infected files were found.
----------------------------------------------------
...And then combofix.txt:
ComboFix 07-09-11.1 - "GanymeDes" 2007-09-11 13:37:06.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.358.1035.18.113 [GMT 3:00]
* Created a new restore point
.
(((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\cookies.ini
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_DOMAINSERVICE
((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2007-08-11 to 2007-09-11 )))))))))))))))))
.
2007-09-11 13:36 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-11 13:27 <KANSIO> d-------- C:\VundoFix Backups
2007-09-10 02:24 674,393 ---hs---- C:\WINDOWS\system32\xbadd.bak2
2007-09-09 15:13 672,630 ---hs---- C:\WINDOWS\system32\xbadd.ini2
2007-09-09 15:07 <KANSIO> d-------- C:\Program Files\Avira
2007-09-09 15:07 <KANSIO> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Avira
2007-09-09 02:43 <KANSIO> d-------- C:\Program Files\Safer Networking
2007-09-07 14:24 701,743 ---hs---- C:\WINDOWS\system32\xbadd.bak1
2007-09-07 14:23 244,832 --a------ C:\WINDOWS\system32\ddabx.dll
2007-09-07 01:06 <KANSIO> d-------- C:\DOCUME~1\GANYME~1\APPLIC~1\Uniblue
2007-09-06 19:47 <KANSIO> d-------- C:\Program Files\Rghoitgp
2007-09-06 18:50 <KANSIO> d-------- C:\Program Files\Windows Live
2007-09-06 18:49 <KANSIO> d-------- C:\Program Files\Messenger Plus! Live
2007-09-06 18:46 <KANSIO> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-09-06 18:46 <KANSIO> d-------- C:\DOCUME~1\GANYME~1\Contacts
2007-09-04 20:06 <KANSIO> d-------- C:\Program Files\Ahead
2007-08-30 03:43 <KANSIO> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\GRETECH
2007-08-30 03:42 <KANSIO> d-------- C:\DOCUME~1\GANYME~1\APPLIC~1\GRETECH
.
(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-11 13:40 --------- d-------- C:\DOCUME~1\GANYME~1\APPLIC~1\OpenOffice.org2
2007-09-11 08:08 --------- d-------- C:\Program Files\Teamspeak2_RC2
2007-09-10 15:43 --------- d-------- C:\Program Files\mIRC
2007-09-08 22:53 --------- d-------- C:\DOCUME~1\GANYME~1\APPLIC~1\Hamachi
2007-09-06 19:11 --------- d-------- C:\Program Files\MSN Messenger
2007-09-06 00:22 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-08-23 00:44 --------- d-------- C:\DOCUME~1\GANYME~1\APPLIC~1\foobar2000
2007-08-19 20:53 --------- d-------- C:\Program Files\Razer
2007-08-17 13:51 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-22 00:34 --------- d-------- C:\DOCUME~1\GANYME~1\APPLIC~1\Real
2007-07-22 00:33 --------- d-------- C:\Program Files\Real
2007-07-22 00:33 --------- d-------- C:\Program Files\Common Files\xing shared
2007-07-22 00:33 --------- d-------- C:\Program Files\Common Files\Real
2007-07-18 14:02 --------- d-------- C:\Program Files\InterActual
2007-07-14 19:55 6811648 --a------ C:\WINDOWS\system32\logonuiX.exe
2007-07-14 16:10 163712 --a------ C:\WINDOWS\system32\drivers\vidstub.sys
2007-07-14 16:01 --------- d-------- C:\Program Files\Common Files\Stardock
2007-07-14 15:38 --------- d-------- C:\Program Files\RoyaleNoirThemePack
2007-06-28 20:23 8 --a------ C:\DFIMB.DAT
2007-06-13 22:25 339968 --a------ C:\WINDOWS\system32\ATIDEMGX.dll
2007-06-13 22:24 268288 --a------ C:\WINDOWS\system32\ati2dvag.dll
2007-06-13 22:23 307200 --a------ C:\WINDOWS\system32\atiiiexx.dll
2007-06-13 22:17 42496 --a------ C:\WINDOWS\system32\ati2edxx.dll
2007-06-13 22:17 26112 --a------ C:\WINDOWS\system32\Ati2mdxx.exe
2007-06-13 22:17 139264 --a------ C:\WINDOWS\system32\atipdlxx.dll
2007-06-13 22:17 118784 --a------ C:\WINDOWS\system32\Oemdspif.dll
2007-06-13 22:16 118784 --a------ C:\WINDOWS\system32\ati2evxx.dll
2007-06-13 22:15 483328 --a------ C:\WINDOWS\system32\ati2evxx.exe
2007-06-13 22:14 53248 --a------ C:\WINDOWS\system32\ATIDDC.DLL
2007-06-13 22:10 8097792 --a------ C:\WINDOWS\system32\atioglx2.dll
2007-06-13 22:07 2922208 --a------ C:\WINDOWS\system32\ati3duag.dll
2007-06-13 21:57 1512960 --a------ C:\WINDOWS\system32\ativvaxx.dll
2007-06-13 21:46 5431296 --a------ C:\WINDOWS\system32\atioglxx.dll
2007-06-13 21:43 262144 --a------ C:\WINDOWS\system32\atikvmag.dll
2007-06-13 21:42 17408 --a------ C:\WINDOWS\system32\atitvo32.dll
2007-06-13 21:41 50176 --a------ C:\WINDOWS\system32\atiok3x2.dll
2007-06-13 21:36 368640 --a------ C:\WINDOWS\system32\ati2cqag.dll
2007-06-13 14:29 520192 --------- C:\WINDOWS\system32\ati2sgag.exe
.
(((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
.
*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0FE5DF9B-370D-4275-AFB2-3BFFBE75655F}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C3C4699-B285-475F-BE47-0B26088CE876}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E9C4FBD-7EA8-401A-A8A4-130F6AFF8BF5}]
2007-09-07 14:23 244832 --a------ C:\WINDOWS\system32\ddabx.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39C6B6C8-E01E-3175-B583-04FDA1EE088B}]
C:\Program Files\Rghoitgp\klvarnvp.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{984544AB-5FA6-46AF-BE1D-E21804DAD281}]
C:\WINDOWS\system32\rqrqopq.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 17:12]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-16 00:48]
"NetLimiter"="D:\Program Files\NetLimiter\NetLimiter.exe" [2007-06-29 04:19]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"BootSkin Startup Jobs"="D:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" [2004-04-26 16:21]
"LogonStudio"="D:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-03 18:38]
"Tarantula"="C:\Program Files\Razer\Tarantula\razerhid.exe" [2007-05-07 10:52]
"Diamondback"="C:\Program Files\Razer\Diamondback\razerhid.exe" [2007-02-14 11:15]
"CmUsbSound"="cmcnfgu.cpl" []
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-08-31 12:25]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-15 15:00]
"WallpaperChanger"="D:\Program Files\Wallpaper Master\Wallpaper.exe" [2005-11-08 13:13]
"MessengerPlus3"="D:\Program Files\MessengerPlus! 3\MsgPlus.exe" [2007-07-03 05:39]
"DAEMON Tools"="D:\Program Files\DAEMON Tools\daemon.exe" [2007-04-04 01:29]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-09-06 19:11]
C:\DOCUME~1\ALLUSE~1\KYNNIS~1\Ohjelmat\KYNNIS~1\
Last.fm Helper.lnk - D:\Program Files\Last.fm\LastFMHelper.exe [2007-06-29 04:15:35]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{984544AB-5FA6-46AF-BE1D-E21804DAD281}"= C:\WINDOWS\system32\rqrqopq.dll [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrqopq]
rqrqopq.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\ddabx
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"smgr"=mgrs.exe
R3 TarFltr;Razer Tarantula USB Keyboard;C:\WINDOWS\system32\Drivers\UsbFltr.sys
S3 cmudau;C-Media USB Sound Interface;C:\WINDOWS\system32\drivers\cmudau.sys
S3 Razerlow;Razerlow USB Filter Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2acb81a-259d-11dc-ae02-000129f54c9a}]
AutoRun\command- J:\bluescreen.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d49f69c1-bfd6-11d3-830a-806d6172696f}]
AutoRun\command- D:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d49f69c2-bfd6-11d3-830a-806d6172696f}]
AutoRun\command- E:\SETUP.EXE /UPDATE
.
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-11 13:39:34
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-09-11 13:40:44 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-11 13:40
.
--- E O F ---
------------------------------------------------------
And finally new HiJackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 13:48:31, on 11.9.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
D:\Program Files\NetLimiter\NetLimiter.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Razer\Tarantula\razerhid.exe
C:\Program Files\Razer\Diamondback\razerhid.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Wallpaper Master\Wallpaper.exe
C:\Program Files\Razer\Diamondback\razerofa.exe
D:\Program Files\DAEMON Tools\daemon.exe
D:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Razer\Tarantula\razertra.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\GanymeDes\Työpöytä\hijackthis\problems.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://localhost:3476/cgi-bin/ncgir.exe?menu/fwl_index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: Adobe PDF Reader -linkkiavustaja - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0FE5DF9B-370D-4275-AFB2-3BFFBE75655F} - (no file)
O2 - BHO: (no name) - {1C3C4699-B285-475F-BE47-0B26088CE876} - \iesplg.dll (file missing)
O2 - BHO: (no name) - {1E9C4FBD-7EA8-401A-A8A4-130F6AFF8BF5} - C:\WINDOWS\system32\ddabx.dll
O2 - BHO: (no name) - {39C6B6C8-E01E-3175-B583-04FDA1EE088B} - C:\Program Files\Rghoitgp\klvarnvp.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {984544AB-5FA6-46AF-BE1D-E21804DAD281} - C:\WINDOWS\system32\rqrqopq.dll (file missing)
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [NetLimiter] D:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "D:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [LogonStudio] "D:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [Tarantula] C:\Program Files\Razer\Tarantula\razerhid.exe
O4 - HKLM\..\Run: [Diamondback] C:\Program Files\Razer\Diamondback\razerhid.exe
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WallpaperChanger] D:\Program Files\Wallpaper Master\Wallpaper.exe
O4 - HKCU\..\Run: [MessengerPlus3] "D:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Last.fm Helper.lnk = D:\Program Files\Last.fm\LastFMHelper.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: rqrqopq - rqrqopq.dll (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
steamwiz
2007-09-11, 23:30
Hi
Disconnect from the internet Close ALL browser windows (including this one) - run hijackthis and tick to fix (check the box next to) the list below.........when all are ticked (checked) click the Fix Checked button at the bottom. :-
O2 - BHO: (no name) - {0FE5DF9B-370D-4275-AFB2-3BFFBE75655F} - (no file)
O2 - BHO: (no name) - {1C3C4699-B285-475F-BE47-0B26088CE876} - \iesplg.dll (file missing)
O2 - BHO: (no name) - {1E9C4FBD-7EA8-401A-A8A4-130F6AFF8BF5} - C:\WINDOWS\system32\ddabx.dll
O2 - BHO: (no name) - {39C6B6C8-E01E-3175-B583-04FDA1EE088B} - C:\Program Files\Rghoitgp\klvarnvp.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {984544AB-5FA6-46AF-BE1D-E21804DAD281} - C:\WINDOWS\system32\rqrqopq.dll (file missing)
O20 - Winlogon Notify: rqrqopq - rqrqopq.dll (file missing)
Then...
Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box nothing out side of it.
Also ..
Pay particular attention to this :-
Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\WINDOWS\system32\xbadd.bak2
C:\WINDOWS\system32\xbadd.ini2
C:\WINDOWS\system32\xbadd.bak1
C:\WINDOWS\system32\ddabx.dll
Folder::
C:\Program Files\Rghoitgp
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{984544AB-5FA6-46AF-BE1D-E21804DAD281}"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"smgr"=-
Save this as "CFScript.txt"
Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
steam
GanymeDes
2007-09-12, 00:49
Combofix.txt:
ComboFix 07-09-11.1 - "GanymeDes" 2007-09-12 0:41:07.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.358.1035.18.210 [GMT 3:00]
Command switches used :: C:\Documents and Settings\GanymeDes\Ty”p”yt„\CFScript.txt
* Created a new restore point
FILE::
C:\WINDOWS\system32\xbadd.bak2
C:\WINDOWS\system32\xbadd.ini2
C:\WINDOWS\system32\xbadd.bak1
C:\WINDOWS\system32\ddabx.dll
.
(((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Rghoitgp
C:\Program Files\Rghoitgp\klvarnvp.VIR
C:\WINDOWS\system32\ddabx.dll
C:\WINDOWS\system32\xbadd.bak1
C:\WINDOWS\system32\xbadd.bak2
C:\WINDOWS\system32\xbadd.ini2
((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2007-08-11 to 2007-09-11 )))))))))))))))))
.
2007-09-11 13:36 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-11 13:27 <KANSIO> d-------- C:\VundoFix Backups
2007-09-09 15:07 <KANSIO> d-------- C:\Program Files\Avira
2007-09-09 15:07 <KANSIO> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Avira
2007-09-09 02:43 <KANSIO> d-------- C:\Program Files\Safer Networking
2007-09-07 01:06 <KANSIO> d-------- C:\DOCUME~1\GANYME~1\APPLIC~1\Uniblue
2007-09-06 18:50 <KANSIO> d-------- C:\Program Files\Windows Live
2007-09-06 18:49 <KANSIO> d-------- C:\Program Files\Messenger Plus! Live
2007-09-06 18:46 <KANSIO> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-09-06 18:46 <KANSIO> d-------- C:\DOCUME~1\GANYME~1\Contacts
2007-09-04 20:06 <KANSIO> d-------- C:\Program Files\Ahead
2007-08-30 03:43 <KANSIO> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\GRETECH
2007-08-30 03:42 <KANSIO> d-------- C:\DOCUME~1\GANYME~1\APPLIC~1\GRETECH
.
(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-12 00:44 --------- d-------- C:\DOCUME~1\GANYME~1\APPLIC~1\OpenOffice.org2
2007-09-12 00:29 --------- d-------- C:\Program Files\mIRC
2007-09-12 00:21 --------- d-------- C:\Program Files\Teamspeak2_RC2
2007-09-08 22:53 --------- d-------- C:\DOCUME~1\GANYME~1\APPLIC~1\Hamachi
2007-09-06 19:11 --------- d-------- C:\Program Files\MSN Messenger
2007-09-06 00:22 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-08-23 00:44 --------- d-------- C:\DOCUME~1\GANYME~1\APPLIC~1\foobar2000
2007-08-19 20:53 --------- d-------- C:\Program Files\Razer
2007-08-17 13:51 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-22 00:34 --------- d-------- C:\DOCUME~1\GANYME~1\APPLIC~1\Real
2007-07-22 00:33 --------- d-------- C:\Program Files\Real
2007-07-22 00:33 --------- d-------- C:\Program Files\Common Files\xing shared
2007-07-22 00:33 --------- d-------- C:\Program Files\Common Files\Real
2007-07-18 14:02 --------- d-------- C:\Program Files\InterActual
2007-07-14 19:55 6811648 --a------ C:\WINDOWS\system32\logonuiX.exe
2007-07-14 16:10 163712 --a------ C:\WINDOWS\system32\drivers\vidstub.sys
2007-07-14 16:01 --------- d-------- C:\Program Files\Common Files\Stardock
2007-07-14 15:38 --------- d-------- C:\Program Files\RoyaleNoirThemePack
2007-06-28 20:23 8 --a------ C:\DFIMB.DAT
2007-06-13 22:25 339968 --a------ C:\WINDOWS\system32\ATIDEMGX.dll
2007-06-13 22:24 268288 --a------ C:\WINDOWS\system32\ati2dvag.dll
2007-06-13 22:23 307200 --a------ C:\WINDOWS\system32\atiiiexx.dll
2007-06-13 22:17 42496 --a------ C:\WINDOWS\system32\ati2edxx.dll
2007-06-13 22:17 26112 --a------ C:\WINDOWS\system32\Ati2mdxx.exe
2007-06-13 22:17 139264 --a------ C:\WINDOWS\system32\atipdlxx.dll
2007-06-13 22:17 118784 --a------ C:\WINDOWS\system32\Oemdspif.dll
2007-06-13 22:16 118784 --a------ C:\WINDOWS\system32\ati2evxx.dll
2007-06-13 22:15 483328 --a------ C:\WINDOWS\system32\ati2evxx.exe
2007-06-13 22:14 53248 --a------ C:\WINDOWS\system32\ATIDDC.DLL
2007-06-13 22:10 8097792 --a------ C:\WINDOWS\system32\atioglx2.dll
2007-06-13 22:07 2922208 --a------ C:\WINDOWS\system32\ati3duag.dll
2007-06-13 21:57 1512960 --a------ C:\WINDOWS\system32\ativvaxx.dll
2007-06-13 21:46 5431296 --a------ C:\WINDOWS\system32\atioglxx.dll
2007-06-13 21:43 262144 --a------ C:\WINDOWS\system32\atikvmag.dll
2007-06-13 21:42 17408 --a------ C:\WINDOWS\system32\atitvo32.dll
2007-06-13 21:41 50176 --a------ C:\WINDOWS\system32\atiok3x2.dll
2007-06-13 21:36 368640 --a------ C:\WINDOWS\system32\ati2cqag.dll
2007-06-13 14:29 520192 --------- C:\WINDOWS\system32\ati2sgag.exe
.
(((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
.
*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 17:12]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-16 00:48]
"NetLimiter"="D:\Program Files\NetLimiter\NetLimiter.exe" [2007-06-29 04:19]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"BootSkin Startup Jobs"="D:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" [2004-04-26 16:21]
"LogonStudio"="D:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-03 18:38]
"Tarantula"="C:\Program Files\Razer\Tarantula\razerhid.exe" [2007-05-07 10:52]
"Diamondback"="C:\Program Files\Razer\Diamondback\razerhid.exe" [2007-02-14 11:15]
"CmUsbSound"="cmcnfgu.cpl" []
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-08-31 12:25]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-15 15:00]
"WallpaperChanger"="D:\Program Files\Wallpaper Master\Wallpaper.exe" [2005-11-08 13:13]
"MessengerPlus3"="D:\Program Files\MessengerPlus! 3\MsgPlus.exe" [2007-07-03 05:39]
"DAEMON Tools"="D:\Program Files\DAEMON Tools\daemon.exe" [2007-04-04 01:29]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-09-06 19:11]
C:\DOCUME~1\ALLUSE~1\KYNNIS~1\Ohjelmat\KYNNIS~1\
Last.fm Helper.lnk - D:\Program Files\Last.fm\LastFMHelper.exe [2007-06-29 04:15:35]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\ddabx
R3 TarFltr;Razer Tarantula USB Keyboard;C:\WINDOWS\system32\Drivers\UsbFltr.sys
S3 cmudau;C-Media USB Sound Interface;C:\WINDOWS\system32\drivers\cmudau.sys
S3 Razerlow;Razerlow USB Filter Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2acb81a-259d-11dc-ae02-000129f54c9a}]
AutoRun\command- J:\bluescreen.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d49f69c1-bfd6-11d3-830a-806d6172696f}]
AutoRun\command- D:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d49f69c2-bfd6-11d3-830a-806d6172696f}]
AutoRun\command- E:\SETUP.EXE /UPDATE
.
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-12 00:43:26
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-09-12 0:44:28 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-12 00:44
C:\ComboFix2.txt ... 2007-09-11 13:40
.
--- E O F ---
---------------------------------------------------
And HiJackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 0:45:00, on 12.9.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
D:\Program Files\NetLimiter\NetLimiter.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Razer\Tarantula\razerhid.exe
C:\Program Files\Razer\Diamondback\razerhid.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Wallpaper Master\Wallpaper.exe
C:\Program Files\Razer\Diamondback\razerofa.exe
D:\Program Files\DAEMON Tools\daemon.exe
D:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\Razer\Tarantula\razertra.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\GanymeDes\Työpöytä\hijackthis\problems.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://localhost:3476/cgi-bin/ncgir.exe?menu/fwl_index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: Adobe PDF Reader -linkkiavustaja - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [NetLimiter] D:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "D:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [LogonStudio] "D:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [Tarantula] C:\Program Files\Razer\Tarantula\razerhid.exe
O4 - HKLM\..\Run: [Diamondback] C:\Program Files\Razer\Diamondback\razerhid.exe
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WallpaperChanger] D:\Program Files\Wallpaper Master\Wallpaper.exe
O4 - HKCU\..\Run: [MessengerPlus3] "D:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Last.fm Helper.lnk = D:\Program Files\Last.fm\LastFMHelper.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
steamwiz
2007-09-13, 00:31
HI
Your logs are clean now ... I take it your problem is resolved ?
Even so, I would still like you to run & post this log ...
Download Superantispyware.
http://www.superantispyware.com/
Once downloaded and installed update the definitions
and then run a full system scan quarantine what it finds!
* Double-click SUPERAntiSypware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
http://www.superantispyware.com/definitions.html
* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.
steam
GanymeDes
2007-09-13, 16:53
SUPERantispyware log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 09/13/2007 at 04:43 AM
Application Version : 3.9.1008
Core Rules Database Version : 3305
Trace Rules Database Version: 1311
Scan type : Complete Scan
Total Scan Time : 02:52:38
Memory items scanned : 573
Memory threats detected : 0
Registry items scanned : 3721
Registry threats detected : 0
File items scanned : 50761
File threats detected : 23
Adware.Tracking Cookie
C:\Documents and Settings\GanymeDes\Cookies\ganymedes@bs.serving-sys[2].txt
C:\Documents and Settings\GanymeDes\Cookies\ganymedes@overture[1].txt
C:\Documents and Settings\GanymeDes\Cookies\ganymedes@track.adform[1].txt
C:\Documents and Settings\GanymeDes\Cookies\ganymedes@windowsmedia[1].txt
C:\Documents and Settings\GanymeDes\Cookies\ganymedes@2o7[1].txt
C:\Documents and Settings\GanymeDes\Cookies\ganymedes@67.15.239[5].txt
C:\Documents and Settings\GanymeDes\Cookies\ganymedes@pacificpoker[2].txt
C:\Documents and Settings\GanymeDes\Cookies\ganymedes@cgi-bin[2].txt
C:\Documents and Settings\GanymeDes\Cookies\ganymedes@67.15.239[2].txt
C:\Documents and Settings\GanymeDes\Cookies\ganymedes@adtech[2].txt
C:\Documents and Settings\GanymeDes\Cookies\ganymedes@cpvfeed[2].txt
C:\Documents and Settings\GanymeDes\Cookies\ganymedes@67.15.239[4].txt
C:\Documents and Settings\GanymeDes\Cookies\ganymedes@serving-sys[1].txt
C:\Documents and Settings\GanymeDes\Cookies\ganymedes@questionmarket[2].txt
C:\Documents and Settings\GanymeDes\Cookies\ganymedes@ads.pointroll[1].txt
C:\Documents and Settings\GanymeDes\Cookies\ganymedes@atdmt[2].txt
C:\Documents and Settings\GanymeDes\Cookies\ganymedes@new-pcp[1].txt
C:\Documents and Settings\GanymeDes\Cookies\ganymedes@67.15.239[3].txt
Trojan.Downloader-Gen/BigTkt
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E0888E65-95FE-4960-BA44-91D2B9171CCF}\RP2\A0000037.DLL
C:\VUNDOFIX BACKUPS\DRVNOPR.DLL.BAD
Malware.Ultimate Defender
C:\WINDOWS\SYSTEM32\WOWRLEGL\WOWRLEGL1.EXE
C:\WINDOWS\SYSTEM32\WOWRLEGL\WOWRLEGL2.EXE
C:\WINDOWS\SYSTEM32\WOWRLEGL\WOWRLEGL3.EXE
-----------------------------------------------------
So it did found some stuff. Also I got one or two warnings from Avira Antivir after last time, but I'm not experiencing any problems or anything. So I figured it doesn't hurt if I post one more HiJackThis log just to be sure if there is still some stealh programs that have downloaded something. So here it goes:
Logfile of HijackThis v1.99.1
Scan saved at 16:52:15, on 13.9.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
D:\Program Files\NetLimiter\NetLimiter.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Razer\Tarantula\razerhid.exe
C:\Program Files\Razer\Diamondback\razerhid.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Wallpaper Master\Wallpaper.exe
D:\Program Files\DAEMON Tools\daemon.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Razer\Diamondback\razerofa.exe
D:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Razer\Tarantula\razertra.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Teamspeak2_RC2\server_windows.exe
C:\Program Files\VentriloMIX\TeamSpeakRC2 2.0.32.60.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\GanymeDes\Työpöytä\hijackthis\problems.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://localhost:3476/cgi-bin/ncgir.exe?menu/fwl_index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: Adobe PDF Reader -linkkiavustaja - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [NetLimiter] D:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "D:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [LogonStudio] "D:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [Tarantula] C:\Program Files\Razer\Tarantula\razerhid.exe
O4 - HKLM\..\Run: [Diamondback] C:\Program Files\Razer\Diamondback\razerhid.exe
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WallpaperChanger] D:\Program Files\Wallpaper Master\Wallpaper.exe
O4 - HKCU\..\Run: [MessengerPlus3] "D:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Last.fm Helper.lnk = D:\Program Files\Last.fm\LastFMHelper.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
steamwiz
2007-09-13, 23:50
Hi
Your log's clean :)
If you have no further problems .... happy surfing
steam
GanymeDes
2007-09-14, 03:01
Ok, I'm glad to hear that. Thank you so much for your help, this really saved my computer.
Hope we don't meet again, atleast on this matter.. ;D
And once again: THANK YOU.
Bye.
steamwiz
2007-09-14, 21:04
Hi
You're very welcome :)
Happy surfing
steam