View Full Version : Help me please with Virtumonde have included HJT log and online scan log. 2posts.
Well I've been fighting with this for several days now and I had it partly locked down until my father clicked one of the pop ups -_- and it completely took over until I did a more intense scan with Nod32. Now its to the point I think I've gotten most of it except for the annoying fake "System, and Security alerts" and other pop ups that look like warning boxes. I've tried several methods to try to get rid of it which include. Vundofix, Smitfraudfix, look2me destroyer, and fix wareout.
These helped some as in I can run the pc with out it locking up like it was. The vundofix found 5 got rid of all but 2 and then on reboot was able to remove 1 of the 2 remaining. So its still there. Also I've noticed its using iexplore.exe (I thought I had fully uninstalled IE but I guess not, seeing as I use only FireFox)and putting 2 icons on my desktop which are links to some website which I've been able to block with Nod32. Of course killing the Iexplore.exe process doesn't work it just comes back.
I can't make it though a scan with Spybot S&D (I have fully updated and immunized the system.) about a minute and a half into the scan I get a ton of invalid floating point operation boxes that lock up the whole desktop and makes SB S&D lockup and I have to use the task manager to kill the process to regain control.
As I said I'm at a lose now and done everything except go and delete the registry entrys in question (which I was going to if I could get spybot to get though a scan.) So heres the Hijack this log and I hope you can help me out.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:01:18 PM, on 10/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Razer\Diamondback\razerhid.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Razer\Diamondback\razertra.exe
C:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe
C:\Program Files\Razer\Diamondback\razerofa.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download
Directory
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no
file)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583}
- C:\WINDOWS\system32\zvrrjhyl.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe"
/WAITSERVICE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster
X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared
Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared
Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program
Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster
X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner
v2.03\RivaTuner.exe" /T
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner
v2.03\RivaTuner.exe" /S
O4 - HKLM\..\Run: [Diamondback] C:\Program
Files\Razer\Diamondback\razerhid.exe
O4 - HKCU\..\Run: [DDC] C:\WINDOWS\system32\fbxfknhu.exe
O8 - Extra context menu item: Add to Windows &Live Favorites -
http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration -
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} -
C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -
{e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network
Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
-
http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client
/wuweb_site.cab?1190752160359
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)
-
http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client
/muweb_site.cab?1190752120140
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object)
- http://games.pogo.com/online2/pogo/zuma/popcaploader_v5.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology
Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero
BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common
Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program
Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA
Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program
Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program
Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDExchange - Raxco Software, Inc. - C:\Program
Files\Raxco\PerfectDisk\PDExchange.exe
--
End of file - 5315 bytes
Well I didn't want to double post >_< but I cant get the online scanner you guys suggested to work with out crashing the browser. I'm useing the ESET online scanner (guys who make Nod32) its been goiing for a few hours now and its still on my first drive and its scanned over 10k files. I now have a new problem -_- the infection has installed a security tool bar.
Please merge this with my above post thanks and I'm sorry again.
I think I'm following the rules correctly this time here is the link to my old thread http://forums.spybot.info/showthread.php?p=126958#post126958
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:53 AM, on 10/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Razer\Diamondback\razerhid.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe
C:\Program Files\Razer\Diamondback\razertra.exe
C:\Program Files\Razer\Diamondback\razerofa.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\hrovdooa.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner v2.03\RivaTuner.exe" /T
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.03\RivaTuner.exe" /S
O4 - HKLM\..\Run: [Diamondback] C:\Program Files\Razer\Diamondback\razerhid.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\jpnxknxm.dll",sitypnow
O4 - HKCU\..\Run: [DDC] C:\WINDOWS\system32\fbxfknhu.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190752160359
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190752120140
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/zuma/popcaploader_v5.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDExchange - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDExchange.exe
--
End of file - 5566 bytes
C:\acidmax21\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
C:\Documents and Settings\All Users\Application Data\Creative\CADI\Preset\PCI_BUS1102-5-211102-E000.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Office\Application Data\Mozilla\Firefox\Profiles\p5goo3dh.default\cert8.db Object is locked skipped
C:\Documents and Settings\Office\Application Data\Mozilla\Firefox\Profiles\p5goo3dh.default\history.dat Object is locked skipped
C:\Documents and Settings\Office\Application Data\Mozilla\Firefox\Profiles\p5goo3dh.default\key3.db Object is locked skipped
C:\Documents and Settings\Office\Application Data\Mozilla\Firefox\Profiles\p5goo3dh.default\parent.lock Object is locked skipped
C:\Documents and Settings\Office\Application Data\Mozilla\Firefox\Profiles\p5goo3dh.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Office\Application Data\Mozilla\Firefox\Profiles\p5goo3dh.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Office\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Office\Desktop\Moms games\7-wonders-2-setup.exe/data0002/data0008 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\7-wonders-2-setup.exe/data0002 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\7-wonders-2-setup.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Office\Desktop\Moms games\ancient-spiders-solitaire-setup.exe/data0002/data0008 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\ancient-spiders-solitaire-setup.exe/data0002 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\ancient-spiders-solitaire-setup.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Office\Desktop\Moms games\azada-setup.exe/data0002/data0008 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\azada-setup.exe/data0002 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\azada-setup.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Office\Desktop\Moms games\bejeweled-2-setup.exe/data0002/data0008 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\bejeweled-2-setup.exe/data0002 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\bejeweled-2-setup.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Office\Desktop\Moms games\bookworm-adventures-setup.exe/data0002/data0008 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\bookworm-adventures-setup.exe/data0002 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\bookworm-adventures-setup.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Office\Desktop\Moms games\da-vinci-code-setup.exe/data0002/data0008 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\da-vinci-code-setup.exe/data0002 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\da-vinci-code-setup.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Office\Desktop\Moms games\fairies-setup.exe/data0002/data0008 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\fairies-setup.exe/data0002 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\fairies-setup.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Office\Desktop\Moms games\jewel-quest-ii-setup.exe/data0002/data0008 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\jewel-quest-ii-setup.exe/data0002 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\jewel-quest-ii-setup.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Office\Desktop\Moms games\jewel-quest-setup.exe/data0002/data0008 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\jewel-quest-setup.exe/data0002 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\jewel-quest-setup.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Office\Desktop\Moms games\jewels-of-cleopatra-setup.exe/data0002/data0008 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\jewels-of-cleopatra-setup.exe/data0002 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\jewels-of-cleopatra-setup.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Office\Desktop\Moms games\jig-art-quest-setup.exe/data0002/data0008 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\jig-art-quest-setup.exe/data0002 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\jig-art-quest-setup.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Office\Desktop\Moms games\jigsaw-mania-setup.exe/data0002/data0008 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\jigsaw-mania-setup.exe/data0002 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\jigsaw-mania-setup.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Office\Desktop\Moms games\luxor-2-setup.exe/data0002/data0008 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\luxor-2-setup.exe/data0002 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\luxor-2-setup.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Office\Desktop\Moms games\magic-match-2-genies-journey-setup.exe/data0002/data0008 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\magic-match-2-genies-journey-setup.exe/data0002 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\magic-match-2-genies-journey-setup.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Office\Desktop\Moms games\magic-tale-setup.exe/data0002/data0008 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\magic-tale-setup.exe/data0002 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\magic-tale-setup.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Office\Desktop\Moms games\professor-fizzwizzle-molten-mystery-setup.exe/data0002/data0008 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\professor-fizzwizzle-molten-mystery-setup.exe/data0002 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\professor-fizzwizzle-molten-mystery-setup.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Office\Desktop\Moms games\runes-of-avalon-setup.exe/data0002/data0008 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\runes-of-avalon-setup.exe/data0002 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\runes-of-avalon-setup.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Office\Desktop\Moms games\secrets-of-great-art-setup.exe/data0002/data0008 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\secrets-of-great-art-setup.exe/data0002 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\secrets-of-great-art-setup.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Office\Desktop\Moms games\sproink-setup.exe/data0002/data0008 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\sproink-setup.exe/data0002 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\sproink-setup.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Office\Desktop\Moms games\stone-of-destiny-setup.exe/data0002/data0008 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\stone-of-destiny-setup.exe/data0002 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\stone-of-destiny-setup.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Office\Desktop\Moms games\wordjong-setup.exe/data0002/data0008 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\wordjong-setup.exe/data0002 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\wordjong-setup.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Office\Desktop\Moms games\zenerchi-setup.exe/data0002/data0008 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\zenerchi-setup.exe/data0002 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\zenerchi-setup.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Office\Desktop\Moms games\zzed-setup.exe/data0002/data0008 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\zzed-setup.exe/data0002 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Documents and Settings\Office\Desktop\Moms games\zzed-setup.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Office\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Office\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Office\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Office\Local Settings\Application Data\Mozilla\Firefox\Profiles\p5goo3dh.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Office\Local Settings\Application Data\Mozilla\Firefox\Profiles\p5goo3dh.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Office\Local Settings\Application Data\Mozilla\Firefox\Profiles\p5goo3dh.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Office\Local Settings\Application Data\Mozilla\Firefox\Profiles\p5goo3dh.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Office\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Office\Local Settings\History\History.IE5\MSHist012007101420071015\index.dat Object is locked skipped
C:\Documents and Settings\Office\Local Settings\Temp\qrjatydi.exe Infected: not-a-virus:Downloader.Win32.WinFixer.bd skipped
C:\Documents and Settings\Office\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Office\My Documents\Мicrosoft.NET\cmd.exe Infected: Trojan-Downloader.Win32.PurityScan.eu skipped
C:\Documents and Settings\Office\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Office\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Creative\ShareDLL\CADI\CTPLang.dat Object is locked skipped
C:\Program Files\ESET\cache\CACHE.NDB Object is locked skipped
C:\Program Files\ESET\infected\0BFF0CAA.NQF/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Program Files\ESET\infected\0BFF0CAA.NQF/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Program Files\ESET\infected\0BFF0CAA.NQF RarSFX: infected - 2 skipped
C:\Program Files\ESET\infected\0BFF0CAA.NQF PE-Crypt.XorPE: infected - 2 skipped
C:\Program Files\ESET\infected\2UWPQMCA.NQF Infected: Virus.Win32.Tenga.a skipped
C:\Program Files\ESET\infected\35FH2CDA.NQF Infected: Virus.Win32.Tenga.a skipped
C:\Program Files\ESET\infected\4VMGBECA.NQF Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\ESET\infected\E00OFGAA.NQF Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\ESET\infected\ECNKF3BA.NQF/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Program Files\ESET\infected\ECNKF3BA.NQF/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Program Files\ESET\infected\ECNKF3BA.NQF RarSFX: infected - 2 skipped
C:\Program Files\ESET\infected\ECNKF3BA.NQF PE-Crypt.XorPE: infected - 2 skipped
C:\Program Files\ESET\infected\FWMJJYAA.NQF Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\ESET\infected\HXPOMKCA.NQF Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\ESET\infected\K2IOEMCA.NQF Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\ESET\infected\NRKK00DA.NQF/data0000.cab/isys32.exe Infected: Trojan-Downloader.Win32.Agent.cad skipped
C:\Program Files\ESET\infected\NRKK00DA.NQF/data0000.cab Infected: Trojan-Downloader.Win32.Agent.cad skipped
C:\Program Files\ESET\infected\NRKK00DA.NQF Rsrc-Package: infected - 2 skipped
C:\Program Files\ESET\infected\NRKK00DA.NQF PE-Crypt.XorPE: infected - 2 skipped
C:\Program Files\ESET\infected\OVQR05DA.NQF Infected: Trojan-Downloader.Win32.Small.fwb skipped
C:\Program Files\ESET\infected\OYMCMIDA.NQF Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\ESET\infected\UL4LHPBA.NQF Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\ESET\infected\YGAG5KCA.NQF Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\ESET\logs\virlog.dat Object is locked skipped
C:\Program Files\ESET\logs\warnlog.dat Object is locked skipped
C:\Program Files\iWin Games\iWinGamesHookIE.dll Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\VundoFix Backups\mmlsmdrr.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ace skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.a skipped
C:\WINDOWS\Mom's\KenGames\mahjongsetup.exe/file03/MeMediaSetup.exe Infected: not-a-virus:AdTool.Win32.WhenU.k skipped
C:\WINDOWS\Mom's\KenGames\mahjongsetup.exe/file03 Infected: not-a-virus:AdTool.Win32.WhenU.k skipped
C:\WINDOWS\Mom's\KenGames\mahjongsetup.exe Inno: infected - 2 skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\nfxyrcqt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ace skipped
C:\WINDOWS\system32\syfngrvl.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ace skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\acidmax21\download\other\Dreamscaped(lite).zip/Dreamscaped(lite).exe/mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
E:\acidmax21\download\other\Dreamscaped(lite).zip/Dreamscaped(lite).exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
E:\acidmax21\download\other\Dreamscaped(lite).zip ZIP: infected - 2 skipped
E:\acidmax21\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\fc1e3851f429ea606d6ff1e01a5229f1_df7a0d80-c9e9-4655-8398-5a16e5484a9f Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
E:\Documents and Settings\Dragon\Desktop\Ect\Dreamscaped(lite).zip/Dreamscaped(lite).exe/mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
E:\Documents and Settings\Dragon\Desktop\Ect\Dreamscaped(lite).zip/Dreamscaped(lite).exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
E:\Documents and Settings\Dragon\Desktop\Ect\Dreamscaped(lite).zip ZIP: infected - 2 skipped
E:\Documents and Settings\Dragon\Desktop\Ect\mirc617.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
E:\Documents and Settings\Dragon\Desktop\Ect\mirc617.exe mIRC: infected - 1 skipped
E:\Documents and Settings\Dragon\My Documents\EXE's\mirc621.exe/stream/data0008 Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
E:\Documents and Settings\Dragon\My Documents\EXE's\mirc621.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
E:\Documents and Settings\Dragon\My Documents\EXE's\mirc621.exe NSIS: infected - 2 skipped
E:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D2Meep,
Welcome to the forum. Please reply to this thread only and not start a new topic or else your posts will be all over the forum and I won't be able to keep track of you.
For furture reference, if you ever get infected again, leave it alone and post to this forum for help, when you try to remove things on your own you may do a botched attempt and make things worse along with removing items that will show us what your infected with.
This is important
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe<-- Right click on Hijackthis.exe ( looks like a man with a spyglass )and rename it to Scanner.exe
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
I need to see the Combofix log and a New HJT log with it renamed please
stage 7 sed.cfexe gave an error report. same then when pc rebooted.
ComboFix 07-10-12.4 - Office 2007-10-14 13:00:44.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1642 [GMT -4:00]
Running from: C:\Documents and Settings\Office\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Office\My Documents\ICROSO~1.NET
C:\Documents and Settings\Office\My Documents\ICROSO~1.NET\?icrosoft.NET\
C:\Documents and Settings\Office\My Documents\ICROSO~1.NET\cmd.exe
C:\Program Files\Hammer.dll
C:\Program Files\outerinfo
C:\Program Files\outerinfo\outerinfo.ico
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\bdeeg.bak1
C:\WINDOWS\system32\bdeeg.bak1
C:\WINDOWS\system32\bdeeg.bak1
C:\WINDOWS\system32\bdeeg.bak2
C:\WINDOWS\system32\bdeeg.bak2
C:\WINDOWS\system32\bdeeg.bak2
C:\WINDOWS\system32\bdeeg.ini
C:\WINDOWS\system32\bdeeg.ini
C:\WINDOWS\system32\bdeeg.ini
C:\WINDOWS\system32\bdeeg.ini2
C:\WINDOWS\system32\bdeeg.ini2
C:\WINDOWS\system32\bdeeg.ini2
C:\WINDOWS\system32\bdeeg.tmp
C:\WINDOWS\system32\bdeeg.tmp
C:\WINDOWS\system32\bdeeg.tmp
C:\WINDOWS\system32\dqdhjqoh.ini
C:\WINDOWS\system32\geedb.dll
C:\WINDOWS\system32\goherarg.dll
C:\WINDOWS\system32\hoqjhdqd.dll
C:\WINDOWS\system32\jekoianv.dll
C:\WINDOWS\system32\jpnxknxm.dll
C:\WINDOWS\system32\lvrgnfys.ini
C:\WINDOWS\system32\mxnkxnpj.ini
C:\WINDOWS\system32\nfxyrcqt.dll
C:\WINDOWS\system32\ouxuybwo.dll
C:\WINDOWS\system32\syfngrvl.dll
C:\WINDOWS\system32\tqcryxfn.ini
.
((((((((((((((((((((((((( Files Created from 2007-09-14 to 2007-10-14 )))))))))))))))))))))))))))))))
.
2007-10-14 12:59 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-14 12:57 389,184 --a------ C:\WINDOWS\system32\oudckrba.exe
2007-10-14 12:57 339,968 --a------ C:\WINDOWS\system32\hanpqksy.dll
2007-10-14 09:24 389,184 --a------ C:\WINDOWS\system32\obosvfuv.exe
2007-10-14 07:38 389,184 --a------ C:\WINDOWS\system32\swsmybhd.exe
2007-10-14 07:08 389,184 --a------ C:\WINDOWS\system32\cdeqnmfo.exe
2007-10-13 19:39 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2007-10-13 19:36 389,184 --a------ C:\WINDOWS\system32\rkoxgcai.exe
2007-10-13 18:06 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-13 18:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-13 17:39 389,184 --a------ C:\WINDOWS\system32\gebwejux.exe
2007-10-13 16:01 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-13 10:47 389,184 --a------ C:\WINDOWS\system32\rgejmepu.exe
2007-10-13 10:34 389,184 --a------ C:\WINDOWS\system32\embhrsdr.exe
2007-10-13 10:18 2,726 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-13 09:36 389,184 --a------ C:\WINDOWS\system32\wwmxtqcn.exe
2007-10-13 08:02 389,184 --a------ C:\WINDOWS\system32\nhwinesg.exe
2007-10-12 21:07 389,184 --a------ C:\WINDOWS\system32\svogrtte.exe
2007-10-12 18:29 389,184 --a------ C:\WINDOWS\system32\kpxbxnce.exe
2007-10-12 18:07 389,184 --a------ C:\WINDOWS\system32\nwytlxaq.exe
2007-10-09 17:10 <DIR> d-------- C:\VundoFix Backups
2007-10-06 21:24 <DIR> d-------- C:\Program Files\Funcom
2007-10-06 21:17 36,352 --a------ C:\WINDOWS\system32\wvustrq.dll
2007-10-05 05:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Cabela's Trophy Bucks Saves
2007-10-05 05:20 <DIR> d-------- C:\Program Files\Activision Value
2007-10-04 19:41 <DIR> d-------- C:\Program Files\Ubisoft
2007-10-04 19:16 <DIR> d-------- C:\Program Files\OpenAL
2007-10-04 19:16 309,616 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2007-09-29 16:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MumboJumbo
2007-09-29 13:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Zylom
2007-09-29 12:51 <DIR> d-------- C:\Downloads
2007-09-29 11:50 <DIR> d-------- C:\Documents and Settings\Office\Application Data\Runes of Avalon
2007-09-28 11:01 <DIR> d-------- C:\WINDOWS\Fairies
2007-09-28 11:01 <DIR> d-------- C:\Program Files\Fairies
2007-09-25 17:13 28,040 --a------ C:\WINDOWS\system32\mdimon.dll
2007-09-25 17:12 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-09-25 17:11 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-09-25 17:11 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-09-25 16:35 <DIR> d-------- C:\Program Files\Razer
2007-09-25 16:35 <DIR> d-------- C:\Documents and Settings\Office\Application Data\InstallShield
2007-09-25 16:35 13,225 --a------ C:\WINDOWS\system32\drivers\Razerlow.sys
2007-09-20 19:22 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-09-20 19:19 <DIR> d-------- C:\Program Files\BatchDPG
2007-09-16 08:51 <DIR> d-------- C:\Program Files\Aspyr Media, Inc
2007-09-15 18:09 <DIR> d-------- C:\Documents and Settings\Office\Application Data\dvdcss
2007-09-15 14:09 <DIR> d-------- C:\Program Files\Jowood
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-14 00:08 --------- d-----w C:\Documents and Settings\Office\Application Data\uTorrent
2007-10-13 01:17 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-13 01:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-12 21:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-11 20:33 --------- d-----w C:\Program Files\iWin.com
2007-10-07 02:17 --------- d-----w C:\Program Files\Atari
2007-10-07 02:11 --------- d-----w C:\Program Files\Winamp
2007-10-04 23:16 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2007-10-04 23:16 413,696 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2007-09-29 20:05 --------- d-----w C:\Program Files\Games
2007-09-16 18:38 --------- d-----w C:\Program Files\ValuSoft
2007-09-15 18:00 --------- d-----w C:\Program Files\QuickTime
2007-09-14 22:29 --------- d-----w C:\Documents and Settings\Office\Application Data\Bioshock
2007-09-10 13:52 --------- d-----w C:\Program Files\RivaTuner v2.03
2007-09-10 12:29 --------- d--h--r C:\Documents and Settings\Office\Application Data\SecuROM
2007-09-01 19:28 --------- d-----w C:\Program Files\MSXML 4.0
2007-09-01 19:26 --------- d-----w C:\Program Files\Datel
2007-08-30 13:53 --------- d-----w C:\Documents and Settings\Office\Application Data\iWin
2007-08-27 23:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\iWin Games
2007-08-27 23:32 --------- d-----w C:\Program Files\iWin Games
2007-08-24 13:01 --------- d-----w C:\Documents and Settings\Office\Application Data\Ahead
2007-08-24 13:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2007-08-24 12:07 --------- d-----w C:\Program Files\The Rosetta Stone
2007-08-24 12:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2007-08-23 18:27 --------- d-----w C:\Documents and Settings\Office\Application Data\MusicIP
2007-08-17 21:25 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2007-08-17 21:25 356,352 ----a-w C:\WINDOWS\system32\nvudisp.exe
2007-08-17 20:23 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-08-17 20:23 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-08-17 20:23 8,478,720 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-08-17 20:23 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-08-17 20:23 6,842,208 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-08-17 20:23 6,746,112 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-08-17 20:23 6,344,704 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-08-17 20:23 5,860,736 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-08-17 20:23 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-08-17 20:23 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-08-17 20:23 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-08-17 20:23 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-08-17 20:23 360,448 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-08-17 20:23 36,864 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-08-17 20:23 36,864 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-08-17 20:23 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-08-17 20:23 3,551,232 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-08-17 20:23 3,334,144 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-08-17 20:23 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-08-17 20:23 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-08-17 20:23 2,371,584 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-08-17 20:23 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-08-17 20:23 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-08-17 20:23 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-08-17 20:23 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-08-17 20:23 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-08-17 20:23 1,478,656 ----a-w C:\WINDOWS\system32\nview.dll
2007-08-17 20:23 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-08-17 20:23 1,150,976 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-08-17 20:23 1,073,152 ----a-w C:\WINDOWS\system32\nvcpluir.dll
2007-08-17 20:23 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-08-08 20:30 19,456 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
2007-08-02 22:11 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
2007-08-02 22:11 241,664 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-30 23:18 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2007-07-27 19:49 225,355 ----a-w C:\WINDOWS\system32\lnod32apiW.dll
2007-07-27 19:49 196,683 ----a-w C:\WINDOWS\system32\lnod32apiA.dll
2007-07-26 00:36 70,656 ----a-w C:\WINDOWS\ScUnin.exe
2007-02-03 20:54 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2007-02-02 19:08 19,552 ----a-w C:\Documents and Settings\Office\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990}]
2007-01-31 05:58 78848 --a------ C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-10-14 12:57 339968 --a------ C:\WINDOWS\system32\hanpqksy.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\hanpqksy.dll [2007-10-14 12:57 339968]
[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\hanpqksy.dll [2007-10-14 12:57 339968]
[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-06-11 00:10]
"CTDVDDET"="C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 01:00]
"RCSystem"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 18:25]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 18:25]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-07-11 11:34]
"RivaTuner"="C:\Program Files\RivaTuner v2.03\RivaTuner.exe" [2007-08-26 06:35]
"RivaTunerStartupDaemon"="C:\Program Files\RivaTuner v2.03\RivaTuner.exe" [2007-08-26 06:35]
"Diamondback"="C:\Program Files\Razer\Diamondback\razerhid.exe" [2007-02-14 11:15]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hanpqksy]
hanpqksy.dll 2007-10-14 12:57 339968 C:\WINDOWS\system32\hanpqksy.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvustrq]
wvustrq.dll 2007-10-06 21:17 36352 C:\WINDOWS\system32\wvustrq.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geedb.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
"C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
CTXFIHLP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
"C:\Program Files\D-Tools\daemon.exe" -lang 1033
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDC]
C:\WINDOWS\system32\ftisteks.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
"C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool]
C:\Program Files\VIA\RAID\raid_tool.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchIndexer]
rundll32.exe "C:\WINDOWS\system32\syfngrvl.dll",sitypnow
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uast]
"C:\DOCUME~1\Office\MYDOCU~1\ICROSO~1.NET\cmd.exe" --ru -vt yazb
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
"UpdReg"=C:\WINDOWS\UpdReg.EXE
R0 ppa;Iomega Parallel Port Filter Driver;C:\WINDOWS\system32\DRIVERS\ppa.sys
R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys
R3 Razerlow;Razerlow USB Filter Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys
R3 RivaTuner32;RivaTuner32;\??\C:\Program Files\RivaTuner v2.03\RivaTuner32.sys
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command - F:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{57c4f82e-1b55-11dc-8fc0-806d6172696f}]
AutoRun\command - G:\Autorun.exe
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-14 13:10:20
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
disk error: C:\WINDOWS\
**************************************************************************
.
Completion time: 2007-10-14 13:12:22 - machine was rebooted
.
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:15:05 PM, on 10/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Razer\Diamondback\razerhid.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Razer\Diamondback\razertra.exe
C:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe
C:\Program Files\Razer\Diamondback\razerofa.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: IEHlprObj Class - {8CA5ED52-F3FB-4414-A105-2E3491156990} - C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\hanpqksy.dll
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\hanpqksy.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner v2.03\RivaTuner.exe" /T
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.03\RivaTuner.exe" /S
O4 - HKLM\..\Run: [Diamondback] C:\Program Files\Razer\Diamondback\razerhid.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190752160359
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190752120140
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/zuma/popcaploader_v5.cab
O20 - Winlogon Notify: hanpqksy - C:\WINDOWS\SYSTEM32\hanpqksy.dll
O20 - Winlogon Notify: wvustrq - C:\WINDOWS\SYSTEM32\wvustrq.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDExchange - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDExchange.exe
--
End of file - 6289 bytes
You have kind of a mess going on here, lets do this.
Go to your Add Remove Programs in the Control Panel and if it will let you uninstall anything to do with iWon
Download VundoFix (http://www.atribune.org/ccount/click.php?id=4 ) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
Then rerun Combofix and post both the Vundofix log , the new Combofix log and a New HJT log please.
VundoFix V6.5.9
Checking Java version...
Scan started at 5:10:16 PM 10/9/2007
Listing files found while scanning....
C:\WINDOWS\system32\fxrtrviy.ini
C:\WINDOWS\system32\uipbveqv.dll
C:\WINDOWS\system32\yivrtrxf.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\fxrtrviy.ini
C:\WINDOWS\system32\fxrtrviy.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\uipbveqv.dll
C:\WINDOWS\system32\uipbveqv.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\yivrtrxf.dll
C:\WINDOWS\system32\yivrtrxf.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\yivrtrxf.dll
C:\WINDOWS\system32\yivrtrxf.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.5.9
Checking Java version...
Scan started at 5:41:53 PM 10/9/2007
Listing files found while scanning....
C:\WINDOWS\system32\bdkpjsdj.ini
C:\WINDOWS\system32\gumuwjxv.dll
C:\WINDOWS\system32\jdsjpkdb.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\bdkpjsdj.ini
C:\WINDOWS\system32\bdkpjsdj.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\gumuwjxv.dll
C:\WINDOWS\system32\gumuwjxv.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\jdsjpkdb.dll
C:\WINDOWS\system32\jdsjpkdb.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.5.9
Checking Java version...
Scan started at 9:52:28 PM 10/12/2007
Listing files found while scanning....
C:\WINDOWS\system32\augurxyc.dll
C:\WINDOWS\system32\mmlsmdrr.dll
C:\WINDOWS\system32\rfxslnij.dll
C:\WINDOWS\system32\rrdmslmm.ini
Beginning removal...
Beginning removal...
Attempting to delete C:\WINDOWS\system32\mmlsmdrr.dll
C:\WINDOWS\system32\mmlsmdrr.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\rfxslnij.dll
C:\WINDOWS\system32\rfxslnij.dll Could not be deleted.
Performing Repairs to the registry.
Done!
VundoFix V6.5.9
Checking Java version...
Scan started at 7:49:02 AM 10/13/2007
Listing files found while scanning....
C:\WINDOWS\system32\rfxslnij.dll
VundoFix V6.5.9
Checking Java version...
Scan started at 10:01:00 AM 10/13/2007
Listing files found while scanning....
C:\WINDOWS\system32\dvwimsuc.dll
C:\WINDOWS\system32\fjfjfncq.ini
C:\WINDOWS\system32\nrgslnfx.dll
C:\WINDOWS\system32\qcnfjfjf.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\dvwimsuc.dll
C:\WINDOWS\system32\dvwimsuc.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\fjfjfncq.ini
C:\WINDOWS\system32\fjfjfncq.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\nrgslnfx.dll
C:\WINDOWS\system32\nrgslnfx.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\qcnfjfjf.dll
C:\WINDOWS\system32\qcnfjfjf.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\dvwimsuc.dll
C:\WINDOWS\system32\dvwimsuc.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\qcnfjfjf.dll
C:\WINDOWS\system32\qcnfjfjf.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.5.10
Checking Java version...
Scan started at 3:24:29 PM 10/14/2007
Listing files found while scanning....
C:\WINDOWS\system32\hanpqksy.dll
C:\windows\system32\wvustrq.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\hanpqksy.dll
C:\WINDOWS\system32\hanpqksy.dll Has been deleted!
Attempting to delete C:\windows\system32\wvustrq.dll
C:\windows\system32\wvustrq.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.5.10
Checking Java version...
Scan started at 3:32:44 PM 10/14/2007
Listing files found while scanning....
No infected files were found.
ComboFix 07-10-12.4 - Office 2007-10-14 15:36:41.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1655 [GMT -4:00]
Running from: C:\Documents and Settings\Office\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-09-14 to 2007-10-14 )))))))))))))))))))))))))))))))
.
2007-10-14 12:59 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-14 12:57 389,184 --a------ C:\WINDOWS\system32\oudckrba.exe
2007-10-14 09:24 389,184 --a------ C:\WINDOWS\system32\obosvfuv.exe
2007-10-14 07:38 389,184 --a------ C:\WINDOWS\system32\swsmybhd.exe
2007-10-14 07:08 389,184 --a------ C:\WINDOWS\system32\cdeqnmfo.exe
2007-10-13 19:39 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2007-10-13 19:36 389,184 --a------ C:\WINDOWS\system32\rkoxgcai.exe
2007-10-13 18:06 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-13 18:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-13 17:39 389,184 --a------ C:\WINDOWS\system32\gebwejux.exe
2007-10-13 16:01 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-13 10:47 389,184 --a------ C:\WINDOWS\system32\rgejmepu.exe
2007-10-13 10:34 389,184 --a------ C:\WINDOWS\system32\embhrsdr.exe
2007-10-13 10:18 2,726 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-13 09:36 389,184 --a------ C:\WINDOWS\system32\wwmxtqcn.exe
2007-10-13 08:02 389,184 --a------ C:\WINDOWS\system32\nhwinesg.exe
2007-10-12 21:07 389,184 --a------ C:\WINDOWS\system32\svogrtte.exe
2007-10-12 18:29 389,184 --a------ C:\WINDOWS\system32\kpxbxnce.exe
2007-10-12 18:07 389,184 --a------ C:\WINDOWS\system32\nwytlxaq.exe
2007-10-09 17:10 <DIR> d-------- C:\VundoFix Backups
2007-10-06 21:24 <DIR> d-------- C:\Program Files\Funcom
2007-10-05 05:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Cabela's Trophy Bucks Saves
2007-10-05 05:20 <DIR> d-------- C:\Program Files\Activision Value
2007-10-04 19:41 <DIR> d-------- C:\Program Files\Ubisoft
2007-10-04 19:16 <DIR> d-------- C:\Program Files\OpenAL
2007-10-04 19:16 309,616 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2007-09-29 16:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MumboJumbo
2007-09-29 13:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Zylom
2007-09-29 12:51 <DIR> d-------- C:\Downloads
2007-09-29 11:50 <DIR> d-------- C:\Documents and Settings\Office\Application Data\Runes of Avalon
2007-09-28 11:01 <DIR> d-------- C:\WINDOWS\Fairies
2007-09-28 11:01 <DIR> d-------- C:\Program Files\Fairies
2007-09-25 17:13 28,040 --a------ C:\WINDOWS\system32\mdimon.dll
2007-09-25 17:12 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-09-25 17:11 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-09-25 17:11 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-09-25 16:35 <DIR> d-------- C:\Program Files\Razer
2007-09-25 16:35 <DIR> d-------- C:\Documents and Settings\Office\Application Data\InstallShield
2007-09-25 16:35 13,225 --a------ C:\WINDOWS\system32\drivers\Razerlow.sys
2007-09-20 19:22 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-09-20 19:19 <DIR> d-------- C:\Program Files\BatchDPG
2007-09-16 08:51 <DIR> d-------- C:\Program Files\Aspyr Media, Inc
2007-09-15 18:09 <DIR> d-------- C:\Documents and Settings\Office\Application Data\dvdcss
2007-09-15 14:09 <DIR> d-------- C:\Program Files\Jowood
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-14 19:21 --------- d-----w C:\Program Files\Games
2007-10-14 19:20 --------- d-----w C:\Program Files\iWin.com
2007-10-14 00:08 --------- d-----w C:\Documents and Settings\Office\Application Data\uTorrent
2007-10-13 01:17 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-13 01:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-12 21:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-07 02:17 --------- d-----w C:\Program Files\Atari
2007-10-07 02:11 --------- d-----w C:\Program Files\Winamp
2007-10-04 23:16 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2007-10-04 23:16 413,696 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2007-09-16 18:38 --------- d-----w C:\Program Files\ValuSoft
2007-09-15 18:00 --------- d-----w C:\Program Files\QuickTime
2007-09-14 22:29 --------- d-----w C:\Documents and Settings\Office\Application Data\Bioshock
2007-09-10 13:52 --------- d-----w C:\Program Files\RivaTuner v2.03
2007-09-10 12:29 --------- d--h--r C:\Documents and Settings\Office\Application Data\SecuROM
2007-09-01 19:28 --------- d-----w C:\Program Files\MSXML 4.0
2007-09-01 19:26 --------- d-----w C:\Program Files\Datel
2007-08-30 13:53 --------- d-----w C:\Documents and Settings\Office\Application Data\iWin
2007-08-27 23:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\iWin Games
2007-08-24 13:01 --------- d-----w C:\Documents and Settings\Office\Application Data\Ahead
2007-08-24 13:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2007-08-24 12:07 --------- d-----w C:\Program Files\The Rosetta Stone
2007-08-24 12:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2007-08-23 18:27 --------- d-----w C:\Documents and Settings\Office\Application Data\MusicIP
2007-08-17 21:25 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2007-08-17 21:25 356,352 ----a-w C:\WINDOWS\system32\nvudisp.exe
2007-08-17 20:23 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-08-17 20:23 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-08-17 20:23 8,478,720 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-08-17 20:23 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-08-17 20:23 6,842,208 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-08-17 20:23 6,746,112 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-08-17 20:23 6,344,704 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-08-17 20:23 5,860,736 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-08-17 20:23 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-08-17 20:23 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-08-17 20:23 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-08-17 20:23 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-08-17 20:23 360,448 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-08-17 20:23 36,864 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-08-17 20:23 36,864 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-08-17 20:23 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-08-17 20:23 3,551,232 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-08-17 20:23 3,334,144 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-08-17 20:23 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-08-17 20:23 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-08-17 20:23 2,371,584 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-08-17 20:23 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-08-17 20:23 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-08-17 20:23 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-08-17 20:23 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-08-17 20:23 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-08-17 20:23 1,478,656 ----a-w C:\WINDOWS\system32\nview.dll
2007-08-17 20:23 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-08-17 20:23 1,150,976 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-08-17 20:23 1,073,152 ----a-w C:\WINDOWS\system32\nvcpluir.dll
2007-08-17 20:23 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-08-08 20:30 19,456 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
2007-08-02 22:11 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
2007-08-02 22:11 241,664 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-30 23:18 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2007-07-27 19:49 225,355 ----a-w C:\WINDOWS\system32\lnod32apiW.dll
2007-07-27 19:49 196,683 ----a-w C:\WINDOWS\system32\lnod32apiA.dll
2007-07-26 00:36 70,656 ----a-w C:\WINDOWS\ScUnin.exe
2007-02-03 20:54 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2007-02-02 19:08 19,552 ----a-w C:\Documents and Settings\Office\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-06-11 00:10]
"CTDVDDET"="C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 01:00]
"RCSystem"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 18:25]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 18:25]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-07-11 11:34]
"RivaTuner"="C:\Program Files\RivaTuner v2.03\RivaTuner.exe" [2007-08-26 06:35]
"RivaTunerStartupDaemon"="C:\Program Files\RivaTuner v2.03\RivaTuner.exe" [2007-08-26 06:35]
"Diamondback"="C:\Program Files\Razer\Diamondback\razerhid.exe" [2007-02-14 11:15]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
"C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
CTXFIHLP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
"C:\Program Files\D-Tools\daemon.exe" -lang 1033
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDC]
C:\WINDOWS\system32\ftisteks.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
"C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool]
C:\Program Files\VIA\RAID\raid_tool.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchIndexer]
rundll32.exe "C:\WINDOWS\system32\syfngrvl.dll",sitypnow
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uast]
"C:\DOCUME~1\Office\MYDOCU~1\ICROSO~1.NET\cmd.exe" --ru -vt yazb
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
"UpdReg"=C:\WINDOWS\UpdReg.EXE
R0 ppa;Iomega Parallel Port Filter Driver;C:\WINDOWS\system32\DRIVERS\ppa.sys
R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys
R3 Razerlow;Razerlow USB Filter Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys
R3 RivaTuner32;RivaTuner32;\??\C:\Program Files\RivaTuner v2.03\RivaTuner32.sys
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command - F:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{57c4f82e-1b55-11dc-8fc0-806d6172696f}]
AutoRun\command - G:\Autorun.exe
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-14 15:38:20
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
disk error: C:\WINDOWS\
**************************************************************************
.
Completion time: 2007-10-14 15:39:19
C:\ComboFix2.txt ... 2007-10-14 14:33
C:\ComboFix3.txt ... 2007-10-14 14:22
.
--- E O F ---
I posted the vundofix log and combo fix log in the first post this is the HJT log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:41:58 PM, on 10/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Razer\Diamondback\razerhid.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe
C:\Program Files\Razer\Diamondback\razertra.exe
C:\Program Files\Razer\Diamondback\razerofa.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner v2.03\RivaTuner.exe" /T
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.03\RivaTuner.exe" /S
O4 - HKLM\..\Run: [Diamondback] C:\Program Files\Razer\Diamondback\razerhid.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190752160359
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190752120140
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/zuma/popcaploader_v5.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDExchange - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDExchange.exe
--
End of file - 5895 bytes
D2Meep,
Your doing well :bigthumb:
Remove these with HJT, I am including the instructions for restoring what we remove with HJT in the event that it causes you a problem you can restore it.
I have never saw an entry point to this.
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/z...ploader_v5.cab
To restore the backups:
Open HiJackThis
Click on "View the list of Backups"
Place a check mark next to anything you want to restore
Click Restore
Click Yes
Reboot your computer
1. Please download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop. Click on Avenger.zip to open the file Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Files to Delete:
C:\WINDOWS\system32\dvwimsuc.dll
C:\WINDOWS\system32\yivrtrxf.dll
C:\WINDOWS\system32\rfxslnij.dll
C:\WINDOWS\system32\dvwimsuc.dll
C:\WINDOWS\system32\ftisteks.exe
C:\WINDOWS\system32\syfngrvl.dll
Folders to delete:
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply
REGEDIT4
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDC]
C:\WINDOWS\system32\ftisteks.exe
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchIndexer]
rundll32.exe "C:\WINDOWS\system32\syfngrvl.dll",sitypnow
Copy the entire contents inside the Quote box and Paste it into Notepad ( this will only work with Notepad ) name the file Regfix.reg and in the drop down box, save it as All Files. Save it to your desktop. Then Rightclick on the Regfix.reg file and click on Merge, when it asks you to merge with the Registry, say yes.
Download CCleaner from here (http://www.ccleaner.com/) to clean temp files from your computer.
Double click on the file to start the installation of the program.
Select your language and click OK, then next.
Read the license agreement and click I Agree.
Click next to use the default install location. Click Install then finish to complete installation.
Double click the CCleaner shortcut on the desktop to start the program.
On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
Click on the "Options" icon at the left side of the window, then click on "Advanced."
deselect "Only delete files in Windows Temp folders older than 48 hours."
Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
After CCleaner has completed its process, click Exit.
*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!
Post the Avenger log and a New HJT log and let me know how things are running now??
Well the pop ups have stopped and the thing that kept showing up in the task bar is gone. The pc hasn't locked up once either so it might be fine now. I wasn't too sure of the order you wanted things done so I just went down the list 1.avenger, 2. registry fix, 3. the logs, 4. ran ccleaner.
Also heres the logs you requested.
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\kielxxne
*******************
Script file located at: \??\C:\Documents and Settings\ewqfchla.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\system32\dvwimsuc.dll not found!
Deletion of file C:\WINDOWS\system32\dvwimsuc.dll failed!
Could not process line:
C:\WINDOWS\system32\dvwimsuc.dll
Status: 0xc0000034
File C:\WINDOWS\system32\yivrtrxf.dll not found!
Deletion of file C:\WINDOWS\system32\yivrtrxf.dll failed!
Could not process line:
C:\WINDOWS\system32\yivrtrxf.dll
Status: 0xc0000034
File C:\WINDOWS\system32\rfxslnij.dll not found!
Deletion of file C:\WINDOWS\system32\rfxslnij.dll failed!
Could not process line:
C:\WINDOWS\system32\rfxslnij.dll
Status: 0xc0000034
File C:\WINDOWS\system32\dvwimsuc.dll not found!
Deletion of file C:\WINDOWS\system32\dvwimsuc.dll failed!
Could not process line:
C:\WINDOWS\system32\dvwimsuc.dll
Status: 0xc0000034
File C:\WINDOWS\system32\ftisteks.exe not found!
Deletion of file C:\WINDOWS\system32\ftisteks.exe failed!
Could not process line:
C:\WINDOWS\system32\ftisteks.exe
Status: 0xc0000034
File C:\WINDOWS\system32\syfngrvl.dll not found!
Deletion of file C:\WINDOWS\system32\syfngrvl.dll failed!
Could not process line:
C:\WINDOWS\system32\syfngrvl.dll
Status: 0xc0000034
Completed script processing.
*******************
Finished! Terminate.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:37:30 PM, on 10/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Razer\Diamondback\razerhid.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe
C:\Program Files\Razer\Diamondback\razertra.exe
C:\Program Files\Razer\Diamondback\razerofa.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner v2.03\RivaTuner.exe" /T
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.03\RivaTuner.exe" /S
O4 - HKLM\..\Run: [Diamondback] C:\Program Files\Razer\Diamondback\razerhid.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190752160359
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190752120140
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDExchange - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDExchange.exe
--
End of file - 5714 bytes
Glad things are running well for you, your log looks fine :bigthumb:
Your Java is out of date and leaving your system vulnerable.
Go to your Add-Remove Programs in the Control Panel and uninstall any previous versions of Java (J2SE Runtime Environment)
It should have an icon next to it:
http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.jpg
Select it and click Remove.
Reboot your system.
Then go to the Sun Microsystems (http://www.java.com/en/download/manual.jsp) and install the update
Java Runtime Environment Version 6 Update 3 <--This is what you need to download and install.
If you chose the online installation, it will prompt you to run the program.
If you chose the offline installation, you will be prompted to save the file and you can run it from wherever you saved it.
Then after install you can verify your installation here Sun Java Verify (http://www.java.com/en/download/manual.jsp)
I like to to do the offline installation and save the setup file in case I may need it in the future
Malware Complaints (http://malwarecomplaints.info/index.php)
Are you mad ? I mean really mad, seething mad, so mad your ready to spit, mad that you have taken your hard earned dollars to buy a computer only to have some Miscredents, Dirt Bags and Cyber Criminals install a malicious program on your computer without your knowledge or consent. You can post your complaint at the above site. If you live in the U.S.A. you can also report your grievance to your State Attorney Generals Office and the Federal Trade Commission's Bureau of Consumer Protection.
How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
Tom Coyote (http://forums.tomcoyote.org/index.php?showtopic=48151)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
Geeks To Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Here are some free programs to install, these are must haves to help keep you secure
Spybot Search and Destroy 1.4 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis.
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed.
Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts.
Win Patrol (http://www.winpatrol.com/download.html) This program will warn you when any changes are being made to your system and give
you the option to deny the change.
IE-Spyad (http://forums.windowsforum.org/index.php?showtopic=6640)
IE-Spyad places over 4000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads
(cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 2.0 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and
painless download and install, it will no way interfere with IE, you can use them both.
Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free Firewall from Zone Labs, I
wouldn't access the internet without it.
Glad we could help
Safe Surfn
Ken
Thank you for all your help Ken, you were right and I will come here first if I get an infection that nod32 can't clear up by itself. I'm really glad I didn't mess things up further by trying to fix it myself >_<
I'm following your advice and downloading the off-line installer for java update 3.
I can't thank you enough, I thought I was going to have to reinstall the O/S and everything else.
Your very welcome :bigthumb:
FYI What you had was a trojan and most AV programs can not remove them.
The reason I had you rename HJT is because the thieves that have written that trojan have written it to evade a HJT scan and by renaming it to something else if Vundo is present it will then show up on your log, and it did, if you look at your original log and the one after you renamed it you will see additional entries on your log. You can keep it renamed , it will run fine if you need it again ( lets hope not :lip: )
Stay well,
Ken :)