Spy still found Virtumonde, check my older thread



mbyte22
2007-10-27, 20:56
I have Virtumonde on my son's computer and have tried a number of ways to remove it without success. I have HijackThis and will paste the log below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:54:19 PM, on 10/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\slrundll.exe
C:\Documents and Settings\brent\Desktop\HijackThis.exe
D:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=byte77&login=b9c923d5a93e7a2a153c8c813209b26b/byte77:netzero.net/1160499071/30/sss.7.93116/&ts=452bcf7f&A=562880930000009&B=1138953600000&C=1138953600000&D=1141804800000&I=8.NH3&N=PLHS&O=A&UT=
O2 - BHO: Media Holding Enterprises, LLC - {0D39A900-0F3A-4C29-A254-3E65244FDC34} - C:\Program Files\ContextTool\ContextTool-3.dll (file missing)
O2 - BHO: ads_optimizer - {26E45419-7205-4fac-BBFE-174BC7337A79} - C:\WINDOWS\system32\nsa1A.dll (file missing)
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - D:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {38520576-DE70-466A-9C96-3501786C43CE} - C:\WINDOWS\system32\gebyw.dll (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\zwszixca.dll
O2 - BHO: 0 - {E22149FF-6B00-4B0F-5FBF-348C5BA2E0F6} - C:\Program Files\Messenger\laculyt664.dll (file missing)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\zwszixca.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SmartUI.lnk = ?
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: Download with GetRight - D:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - D:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.doginhispen.com
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F73C5EC-72A7-44E8-8719-9293BE73CCF5}: NameServer = 65.196.203.193 65.196.203.194
O20 - Winlogon Notify: xxywxwx - xxywxwx.dll (file missing)
O20 - Winlogon Notify: zwszixca - C:\WINDOWS\SYSTEM32\zwszixca.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 5462 bytes

ken545
2007-10-27, 21:40
Hello mbyte22

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
All advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.


Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double-click ComboFix.exe and follow the prompts.
When finished, it will produce a log for you. Post the ComboFix log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running; that may cause it to stall.



We need HJT to be in its own folder for backup purposes. I would prefer that you delete HJT from where you have it installed and reinstall it like this:

Download and install Trend Micro's HijackThis (http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php?page=download)

Download the Trend Micro HijackThis installer and follow the defaults; it will install in C:\Program Files\Trend Micro\HijackThis, and this is exactly where we want it to be.


Open HJT, Scan and Save a Log File; it will open in Notepad.
Go to Format and make sure Word Wrap is unchecked.
Go to Edit > Select All, then Edit > Copy, and paste the new log into this thread using Post Reply, not a new thread.

DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

This is important; do this before you post a HJT log:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <-- right-click HijackThis.exe (it looks like a man with a spyglass) and rename it to Scanner.exe


I need to see the ComboFix log and a new HJT log, with HJT in its own folder and renamed to scanner.exe, please.

mbyte22
2007-10-27, 22:55
Here are the logs requested:

ComboFix 07-10-26.5 - brent 2007-10-27 16:36:17.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.663 [GMT -4:00]
Running from: C:\Documents and Settings\brent\Desktop\Virtumonde.generic fix\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\brent\Desktop\Live Safety Center.lnk
C:\Documents and Settings\brent\Desktop\Online Security Guide.lnk
C:\Documents and Settings\brent\Favorites\Online Security Guide.lnk
C:\WINDOWS\system32\zwszixca.dllbox

.
((((((((((((((((((((((((( Files Created from 2007-09-27 to 2007-10-27 )))))))))))))))))))))))))))))))
.

2007-10-27 16:34 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-27 12:19 <DIR> d-------- C:\Documents and Settings\brent\Application Data\Grisoft
2007-10-27 11:30 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-26 15:01 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-26 13:42 1,994 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-26 10:37 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-25 13:42 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\AVG7
2007-10-25 13:34 <DIR> d-------- C:\WINDOWS\pss
2007-10-24 16:04 52,736 --a------ C:\WINDOWS\system32\drivers\i8042prt.sys
2007-10-24 16:04 52,736 --a--c--- C:\WINDOWS\system32\dllcache\i8042prt.sys
2007-10-20 23:34 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-10-20 23:34 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-10-20 23:34 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-10-20 17:24 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-20 15:38 574,464 -----c--- C:\WINDOWS\system32\dllcache\ntfs.sys
2007-10-19 16:43 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-10-19 15:23 421,242 --ahs---- C:\WINDOWS\system32\wybeg.ini2
2007-10-19 14:51 340,032 --a------ C:\WINDOWS\system32\zwszixca.dll
2007-10-19 14:50 340,032 --a------ C:\WINDOWS\system32\jocowbkv.dll
2007-10-19 14:47 410,378 --ahs---- C:\WINDOWS\system32\wybeg.bak2
2007-10-18 20:50 <DIR> d-------- C:\WINDOWS\system32\bak
2007-10-18 20:50 <DIR> d-------- C:\WINDOWS\bak
2007-10-18 17:54 6,465 --ahs---- C:\WINDOWS\system32\wybeg.bak1
2007-10-18 17:49 <DIR> d-------- C:\WINDOWS\system32\xx1
2007-10-18 17:49 <DIR> d-------- C:\WINDOWS\system32\od2
2007-10-18 17:49 <DIR> d-------- C:\WINDOWS\system32\ib1
2007-10-18 17:49 <DIR> d-------- C:\WINDOWS\system32\cp1
2007-10-18 17:49 <DIR> d-------- C:\WINDOWS\system32\bo2
2007-10-18 17:49 <DIR> d-------- C:\WINDOWS\system32\ap1
2007-10-18 17:49 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-10-18 13:25 <DIR> d-------- C:\Documents and Settings\brent\Application Data\Adssite Advanced Toolbar
2007-09-30 18:15 <DIR> d-------- C:\WINDOWS\system32\BWKDLogs
2007-09-30 18:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kodak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-27 17:08 --------- d-----w C:\Documents and Settings\brent\Application Data\MSN6
2007-10-25 12:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-23 22:10 --------- d-----w C:\Documents and Settings\brent\Application Data\AVG7
2007-10-23 19:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-23 19:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-23 19:18 --------- d-----w C:\Program Files\Yahoo!
2007-10-23 19:08 --------- d-----w C:\Program Files\LimeWire
2007-10-19 22:02 --------- d-----w C:\Documents and Settings\brent\Application Data\LimeWire
2007-10-19 21:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVG7
2007-10-19 19:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-19 00:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-10-18 21:49 166,945 ----a-w C:\WINDOWS\system32\drivers\core.cache(2).dsk
2007-10-18 17:37 --------- d-----w C:\Program Files\AstroAvenger
2007-09-25 20:46 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-09-25 20:46 --------- d--h--r C:\Documents and Settings\brent\Application Data\SecuROM
2007-09-25 20:41 --------- d-----w C:\Program Files\Sierra Entertainment
2007-09-25 20:40 --------- d-----w C:\Documents and Settings\brent\Application Data\InstallShield
2007-09-08 00:23 --------- d-----w C:\Program Files\ReflexiveArcade
2007-08-29 23:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-08-29 23:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-08-26 21:02 1,761 ----a-w C:\WINDOWS\Fonts\acrsecB.fon
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2004-03-11 17:27 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( snapshot@2007-10-26_10.42.44.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-25 13:52:29 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2007-10-26 19:01:14 2,355,200 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2007-10-26 19:01:14 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-10-25 13:52:29 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2007-10-26 19:01:07 2,355,200 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2007-10-26 19:01:07 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 411,648 2007-02-17 19:28:44 C:\Program Files\Grisoft\AVG Free\bak\avgcc.exe

----a-w 36,864 2002-08-12 14:07:26 C:\Program Files\Scansoft\PaperPort\bak\IndexSearch.exe

----a-w 45,108 2002-08-12 13:33:34 C:\Program Files\Scansoft\PaperPort\bak\pptd40nt.exe

----a-w 4,670,968 2007-03-01 22:11:26 C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe

----a-w 118,784 2007-10-18 21:49:25 C:\WINDOWS\system32\bak\artchker.exe

----a-w 15,360 2004-08-04 04:56:50 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 04:56:50 C:\WINDOWS\system32\ctfmon.exe

----a-w 155,648 2001-07-09 15:50:42 C:\WINDOWS\system32\bak\NeroCheck.exe

----a-w 1,400,944 2004-09-07 13:25:58 D:\Program Files\Ahead\InCD\bak\InCD.exe

----a-w 32,768 2003-12-08 21:35:14 D:\Program Files\CyberLink DVD Solution\PowerDVD\bak\PDVDServ.exe

----a-w 81,920 2004-08-22 21:05:02 D:\Program Files\D-Tools\bak\daemon.exe

----a-w 36,975 2005-06-03 07:52:54 D:\Program Files\Java\jre1.5.0_04\bin\bak\jusched.exe

----a-w 98,304 2006-10-10 18:44:21 D:\Program Files\QuickTime\bak\qttask.exe
----a-w 26,640 2007-10-19 00:49:41 D:\Program Files\QuickTime\qttask.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D39A900-0F3A-4C29-A254-3E65244FDC34}]
C:\Program Files\ContextTool\ContextTool-3.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26E45419-7205-4fac-BBFE-174BC7337A79}]
C:\WINDOWS\system32\nsa1A.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{38520576-DE70-466A-9C96-3501786C43CE}]
C:\WINDOWS\system32\gebyw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-10-19 14:51 340032 --a------ C:\WINDOWS\system32\zwszixca.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E22149FF-6B00-4B0F-5FBF-348C5BA2E0F6}]
C:\Program Files\Messenger\laculyt664.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\zwszixca.dll [2007-10-19 14:51 340032]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-06-14 06:36 C:\WINDOWS\SOUNDMAN.EXE]
"QuickTime Task"="D:\Program Files\QuickTime\bak\qttask.exe" [2006-10-10 14:44]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-25 18:02]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 22:43]
"nwiz"="nwiz.exe" [2006-08-11 22:43 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-11 22:43]
"!AVG Anti-Spyware"="D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=0 (0x0)
"NoFavoritesMenu"=0 (0x0)
"NoSMMyPictures"=0 (0x0)
"NoStartMenuMyMusic"=0 (0x0)
"NoRecentDocsHistory"=0 (0x0)
"NoRecentDocsNetHood"=0 (0x0)
"NoInstrumentation"=0 (0x0)
"NoSimpleStartMenu"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywxwx]
xxywxwx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\zwszixca]
zwszixca.dll 2007-10-19 14:51 340032 C:\WINDOWS\system32\zwszixca.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\tsitra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]


.
**************************************************************************

catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-27 16:39:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-27 16:41:44 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-27 11:25
C:\ComboFix3.txt ... 2007-10-26 10:51
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:49:42 PM, on 10/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=byte77&login=b9c923d5a93e7a2a153c8c813209b26b/byte77:netzero.net/1160499071/30/sss.7.93116/&ts=452bcf7f&A=562880930000009&B=1138953600000&C=1138953600000&D=1141804800000&I=8.NH3&N=PLHS&O=A&UT=
O2 - BHO: Media Holding Enterprises, LLC - {0D39A900-0F3A-4C29-A254-3E65244FDC34} - C:\Program Files\ContextTool\ContextTool-3.dll (file missing)
O2 - BHO: ads_optimizer - {26E45419-7205-4fac-BBFE-174BC7337A79} - C:\WINDOWS\system32\nsa1A.dll (file missing)
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - D:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {38520576-DE70-466A-9C96-3501786C43CE} - C:\WINDOWS\system32\gebyw.dll (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\zwszixca.dll
O2 - BHO: 0 - {E22149FF-6B00-4B0F-5FBF-348C5BA2E0F6} - C:\Program Files\Messenger\laculyt664.dll (file missing)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\zwszixca.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SmartUI.lnk = ?
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: Download with GetRight - D:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - D:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.doginhispen.com
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F73C5EC-72A7-44E8-8719-9293BE73CCF5}: NameServer = 65.196.203.193 65.196.203.194
O20 - Winlogon Notify: xxywxwx - xxywxwx.dll (file missing)
O20 - Winlogon Notify: zwszixca - C:\WINDOWS\SYSTEM32\zwszixca.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 5397 bytes

ken545
2007-10-27, 23:48
Hello,

Do this please.

Open Notepad and copy all the text inside the quote box by highlighting it and pressing Ctrl+C on your keyboard, then paste it into Notepad.



File::
C:\WINDOWS\system32\gebyw.dll
C:\WINDOWS\system32\nsa1A.dl
C:\WINDOWS\system32\wybeg.ini2
C:\WINDOWS\system32\wybeg.bak1
C:\WINDOWS\system32\wybeg.bak2
C:\WINDOWS\system32\zwszixca.dll
C:\WINDOWS\system32\jocowbkv.dll

Folder::
C:\Program Files\ContextTool

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D39A900-0F3A-4C29-A254-3E65244FDC34}]
C:\Program Files\ContextTool\ContextTool-3.dll

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26E45419-7205-4fac-BBFE-174BC7337A79}]
C:\WINDOWS\system32\nsa1A.dll

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{38520576-DE70-466A-9C96-3501786C43CE}]
C:\WINDOWS\system32\gebyw.dll

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-10-19 14:51 340032 --a------ C:\WINDOWS\system32\zwszixca.dll

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\zwszixca.dll [2007-10-19 14:51 340032]

[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywxwx]
xxywxwx.dll

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\zwszixca]
zwszixca.dll 2007-10-19 14:51 340032 C:\WINDOWS\system32\zwszixca.dll

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\tsitra.exe

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.


Open HijackThis > Do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click Fix Checked.

Some of these may be gone; not to worry.

O2 - BHO: Media Holding Enterprises, LLC - {0D39A900-0F3A-4C29-A254-3E65244FDC34} - C:\Program Files\ContextTool\ContextTool-3.dll (file missing)
O2 - BHO: ads_optimizer - {26E45419-7205-4fac-BBFE-174BC7337A79} - C:\WINDOWS\system32\nsa1A.dll (file missing)
O2 - BHO: (no name) - {38520576-DE70-466A-9C96-3501786C43CE} - C:\WINDOWS\system32\gebyw.dll (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\zwszixca.dll

O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\zwszixca.dll

O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -

O20 - Winlogon Notify: xxywxwx - xxywxwx.dll (file missing)
O20 - Winlogon Notify: zwszixca - C:\WINDOWS\SYSTEM32\zwszixca.dll

Let's do this; there is a file that is questionable, and we will address that after I see the new logs.
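The HijackThis log in the first post and the fix list in the reply above rest on one reading of that log: a single DLL (zwszixca.dll) registered at once as an O2 BHO, an O3 toolbar and an O20 Winlogon Notify package, several "(file missing)" entries whose files are already gone, an O15 Trusted Zone site and a custom O17 NameServer. The Python below is an added example written for this page; it is not part of the thread and is not code from HijackThis or ComboFix. It parses constructed sample lines modelled on the posted log (SAMPLE_LOG is not a verbatim copy) and applies heuristics of this example's own choosing, so the function names and the rules are assumptions, not anything the tools themselves implement.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines modelled on the HijackThis entries quoted
# in this thread (same sections and names, but not a verbatim copy of a log).
SAMPLE_LOG = """\
O2 - BHO: (no name) - {38520576-DE70-466A-9C96-3501786C43CE} - C:\\WINDOWS\\system32\\gebyw.dll (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\\WINDOWS\\system32\\zwszixca.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - D:\\Program Files\\GetRight\\xx2gr.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\\WINDOWS\\system32\\zwszixca.dll
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
O15 - Trusted Zone: *.doginhispen.com
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{6F73C5EC-72A7-44E8-8719-9293BE73CCF5}: NameServer = 65.196.203.193 65.196.203.194
O20 - Winlogon Notify: xxywxwx - xxywxwx.dll (file missing)
O20 - Winlogon Notify: zwszixca - C:\\WINDOWS\\SYSTEM32\\zwszixca.dll
"""

# "O2 - ..." / "R1 - ..." lines; everything after the section tag is the body.
ENTRY_RE = re.compile(r"^(?P<section>[OR]\d+) - (?P<body>.*)$")
# A drive-letter path (which may contain spaces) or a bare file name ending in .dll.
DLL_RE = re.compile(r"(?:[A-Za-z]:\\.*?|\b[\w~-]+)\.dll\b", re.IGNORECASE)


def parse_entries(log_text):
    """Yield (section, body, dll) for each HJT entry line.

    dll is the lower-cased base name of the DLL the entry points at, or None.
    """
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        d = DLL_RE.search(body)
        dll = d.group(0).rsplit("\\", 1)[-1].lower() if d else None
        yield m.group("section"), body, dll


def hooked_dlls(log_text):
    """Map each DLL base name to the HJT sections that reference it (numeric order)."""
    by_dll = defaultdict(set)
    for section, _body, dll in parse_entries(log_text):
        if dll:
            by_dll[dll].add(section)
    return {dll: sorted(secs, key=lambda s: int(s[1:])) for dll, secs in by_dll.items()}


def analyze(log_text):
    """Return [(section, reason, body), ...] for entries worth a second look.

    The heuristics are this example's own (not HijackThis or ComboFix rules);
    they encode what the helper in this thread singled out for removal.
    """
    hooks = hooked_dlls(log_text)
    findings = []
    for section, body, dll in parse_entries(log_text):
        if "(file missing)" in body:
            findings.append((section, "orphaned entry: the registry points at a file that no longer exists", body))
        # One DLL registered as BHO, toolbar and Winlogon Notify package at once
        # is the multi-hook pattern being cleaned up in this thread.
        if dll and len(hooks[dll]) >= 2:
            findings.append((section, f"{dll} is hooked from several sections ({', '.join(hooks[dll])})", body))
        if section == "O20":
            findings.append((section, "Winlogon Notify DLL: loaded by winlogon.exe as SYSTEM at every logon", body))
        if section == "O15":
            findings.append((section, "site in the IE Trusted zone: relaxed security for that domain", body))
        if section == "O17":
            findings.append((section, "custom DNS servers: confirm they belong to the ISP", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in analyze(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {body}")
```

Run it as a script to see the flagged lines. Note what it does not flag: the GetRight BHO has a real file, a vendor name and only one hook, so it stays quiet, which is the same judgement the helper made in leaving it out of the fix list. Triage output like this is a reading aid, not a verdict; the O20 reason is why the reply removes the Winlogon Notify keys and the DLL together rather than only the BHO, since a DLL loaded by winlogon.exe survives an IE-only cleanup.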

mbyte22
2007-10-28, 00:21
Here are the logs requested:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:19:09 PM, on 10/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe
D:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=byte77&login=b9c923d5a93e7a2a153c8c813209b26b/byte77:netzero.net/1160499071/30/sss.7.93116/&ts=452bcf7f&A=562880930000009&B=1138953600000&C=1138953600000&D=1141804800000&I=8.NH3&N=PLHS&O=A&UT=
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - D:\Program Files\GetRight\xx2gr.dll
O2 - BHO: 0 - {E22149FF-6B00-4B0F-5FBF-348C5BA2E0F6} - C:\Program Files\Messenger\laculyt664.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SmartUI.lnk = ?
O8 - Extra context menu item: Download with GetRight - D:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - D:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.doginhispen.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F73C5EC-72A7-44E8-8719-9293BE73CCF5}: NameServer = 65.196.203.193 65.196.203.194
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 4547 bytes


ComboFix 07-10-26.5 - brent 2007-10-27 17:56:54.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.672 [GMT -4:00]
Running from: C:\Documents and Settings\brent\Desktop\Virtumonde.generic fix\ComboFix.exe
Command switches used :: C:\Documents and Settings\brent\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\gebyw.dll
C:\WINDOWS\system32\jocowbkv.dll
C:\WINDOWS\system32\nsa1A.dl
C:\WINDOWS\system32\wybeg.bak1
C:\WINDOWS\system32\wybeg.bak2
C:\WINDOWS\system32\wybeg.ini2
C:\WINDOWS\system32\zwszixca.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\brent\Desktop\Live Safety Center.lnk
C:\Documents and Settings\brent\Desktop\Online Security Guide.lnk
C:\Documents and Settings\brent\Favorites\Online Security Guide.lnk
C:\WINDOWS\system32\jocowbkv.dll
C:\WINDOWS\system32\wybeg.bak1
C:\WINDOWS\system32\wybeg.bak2
C:\WINDOWS\system32\wybeg.ini2
C:\WINDOWS\system32\zwszixca.dll
C:\WINDOWS\system32\zwszixca.dllbox

.
((((((((((((((((((((((((( Files Created from 2007-09-27 to 2007-10-27 )))))))))))))))))))))))))))))))
.

2007-10-27 16:34 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-27 12:19 <DIR> d-------- C:\Documents and Settings\brent\Application Data\Grisoft
2007-10-27 11:30 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-26 15:01 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-26 13:42 1,994 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-26 10:37 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-25 13:42 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\AVG7
2007-10-25 13:34 <DIR> d-------- C:\WINDOWS\pss
2007-10-24 16:04 52,736 --a------ C:\WINDOWS\system32\drivers\i8042prt.sys
2007-10-24 16:04 52,736 --a--c--- C:\WINDOWS\system32\dllcache\i8042prt.sys
2007-10-20 23:34 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-10-20 23:34 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-10-20 23:34 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-10-20 17:24 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-20 15:38 574,464 -----c--- C:\WINDOWS\system32\dllcache\ntfs.sys
2007-10-19 16:43 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-10-18 20:50 <DIR> d-------- C:\WINDOWS\system32\bak
2007-10-18 20:50 <DIR> d-------- C:\WINDOWS\bak
2007-10-18 17:49 <DIR> d-------- C:\WINDOWS\system32\xx1
2007-10-18 17:49 <DIR> d-------- C:\WINDOWS\system32\od2
2007-10-18 17:49 <DIR> d-------- C:\WINDOWS\system32\ib1
2007-10-18 17:49 <DIR> d-------- C:\WINDOWS\system32\cp1
2007-10-18 17:49 <DIR> d-------- C:\WINDOWS\system32\bo2
2007-10-18 17:49 <DIR> d-------- C:\WINDOWS\system32\ap1
2007-10-18 17:49 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-10-18 13:25 <DIR> d-------- C:\Documents and Settings\brent\Application Data\Adssite Advanced Toolbar
2007-09-30 18:15 <DIR> d-------- C:\WINDOWS\system32\BWKDLogs
2007-09-30 18:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kodak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-27 17:08 --------- d-----w C:\Documents and Settings\brent\Application Data\MSN6
2007-10-25 12:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-23 22:10 --------- d-----w C:\Documents and Settings\brent\Application Data\AVG7
2007-10-23 19:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-23 19:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-23 19:18 --------- d-----w C:\Program Files\Yahoo!
2007-10-23 19:08 --------- d-----w C:\Program Files\LimeWire
2007-10-19 22:02 --------- d-----w C:\Documents and Settings\brent\Application Data\LimeWire
2007-10-19 21:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVG7
2007-10-19 19:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-19 00:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-10-18 21:49 166,945 ----a-w C:\WINDOWS\system32\drivers\core.cache(2).dsk
2007-10-18 17:37 --------- d-----w C:\Program Files\AstroAvenger
2007-09-25 20:46 --------- d--h--r C:\Documents and Settings\brent\Application Data\SecuROM
2007-09-25 20:41 --------- d-----w C:\Program Files\Sierra Entertainment
2007-09-25 20:40 --------- d-----w C:\Documents and Settings\brent\Application Data\InstallShield
2007-09-08 00:23 --------- d-----w C:\Program Files\ReflexiveArcade
2007-08-29 23:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-08-29 23:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-08-26 21:02 1,761 ----a-w C:\WINDOWS\Fonts\acrsecB.fon
2004-03-11 17:27 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( snapshot@2007-10-26_10.42.44.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-25 13:52:29 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2007-10-26 19:01:14 2,355,200 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2007-10-26 19:01:14 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-10-25 13:52:29 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2007-10-26 19:01:07 2,355,200 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2007-10-26 19:01:07 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 411,648 2007-02-17 19:28:44 C:\Program Files\Grisoft\AVG Free\bak\avgcc.exe

----a-w 36,864 2002-08-12 14:07:26 C:\Program Files\Scansoft\PaperPort\bak\IndexSearch.exe

----a-w 45,108 2002-08-12 13:33:34 C:\Program Files\Scansoft\PaperPort\bak\pptd40nt.exe

----a-w 4,670,968 2007-03-01 22:11:26 C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe

----a-w 118,784 2007-10-18 21:49:25 C:\WINDOWS\system32\bak\artchker.exe

----a-w 15,360 2004-08-04 04:56:50 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 04:56:50 C:\WINDOWS\system32\ctfmon.exe

----a-w 155,648 2001-07-09 15:50:42 C:\WINDOWS\system32\bak\NeroCheck.exe

----a-w 1,400,944 2004-09-07 13:25:58 D:\Program Files\Ahead\InCD\bak\InCD.exe

----a-w 32,768 2003-12-08 21:35:14 D:\Program Files\CyberLink DVD Solution\PowerDVD\bak\PDVDServ.exe

----a-w 81,920 2004-08-22 21:05:02 D:\Program Files\D-Tools\bak\daemon.exe

----a-w 36,975 2005-06-03 07:52:54 D:\Program Files\Java\jre1.5.0_04\bin\bak\jusched.exe

----a-w 98,304 2006-10-10 18:44:21 D:\Program Files\QuickTime\bak\qttask.exe
----a-w 26,640 2007-10-19 00:49:41 D:\Program Files\QuickTime\qttask.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E22149FF-6B00-4B0F-5FBF-348C5BA2E0F6}]
C:\Program Files\Messenger\laculyt664.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-06-14 06:36 C:\WINDOWS\SOUNDMAN.EXE]
"QuickTime Task"="D:\Program Files\QuickTime\bak\qttask.exe" [2006-10-10 14:44]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-25 18:02]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 22:43]
"nwiz"="nwiz.exe" [2006-08-11 22:43 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-11 22:43]
"!AVG Anti-Spyware"="D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=0 (0x0)
"NoFavoritesMenu"=0 (0x0)
"NoSMMyPictures"=0 (0x0)
"NoStartMenuMyMusic"=0 (0x0)
"NoRecentDocsHistory"=0 (0x0)
"NoRecentDocsNetHood"=0 (0x0)
"NoInstrumentation"=0 (0x0)
"NoSimpleStartMenu"=0 (0x0)


.
**************************************************************************

catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-27 18:00:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-27 18:01:53 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-27 16:41
C:\ComboFix3.txt ... 2007-10-27 11:25
.
--- E O F ---

ken545
2007-10-28, 00:45
You're doing quite well :bigthumb: Things are looking better, just a bit more to do.

We need to make sure all hidden files are showing :

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide file extensions for known types option.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Once your system is clean, we suggest that you reverse this to keep critical Windows files from accidentally being deleted.


Go to this site Jotti Upload (http://virusscan.jotti.org/) and under the browse feature, browse to these files

C:\Program Files\Messenger\laculyt664.dll

Then click on Submit and it will give you a report, post the report in your next reply.



Download: DelDomains (http://mvps.org/winhelp2002/DelDomains.inf) and save it to the desktop.

Close all open windows and your browser
Right Click DelDomains.inf and select > Install
Reboot your computer



Post the Jotti report and a New HJT log please

mbyte22
2007-10-28, 01:42
Here are the reports you requested. The Jotti report did not show a log file but the scans said nothing found.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:17:15 PM, on 10/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=byte77&login=b9c923d5a93e7a2a153c8c813209b26b/byte77:netzero.net/1160499071/30/sss.7.93116/&ts=452bcf7f&A=562880930000009&B=1138953600000&C=1138953600000&D=1141804800000&I=8.NH3&N=PLHS&O=A&UT=
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - D:\Program Files\GetRight\xx2gr.dll
O2 - BHO: 0 - {E22149FF-6B00-4B0F-5FBF-348C5BA2E0F6} - C:\Program Files\Messenger\laculyt664.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SmartUI.lnk = ?
O8 - Extra context menu item: Download with GetRight - D:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - D:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 4403 bytes
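
The log above is read line by line by a helper; as an added example (not code from this thread or from any of the tools named in it), here is a small Python triage script that parses O2 (BHO), O4 (Run key) and O15 (Trusted Zone) lines in HijackThis format and flags the three patterns visible in these logs: a BHO whose DLL is reported "(file missing)" (an orphaned CLSID reference left behind after the loader was removed), a Run entry redirected into a `bak` folder (the pattern the ComboFix AWF section lists), and a wildcard domain added to the IE Trusted Zone. The sample lines are constructed from entries in this thread plus one benign AVG line; the regular expressions and finding format are my own assumptions about the log layout, not a published HijackThis specification.

```python
"""Triage of HijackThis-style log lines (added example, not part of the thread)."""
import re

# Constructed sample: lines taken from the logs in this thread plus one benign entry.
SAMPLE_LOG = r"""
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - D:\Program Files\GetRight\xx2gr.dll
O2 - BHO: 0 - {E22149FF-6B00-4B0F-5FBF-348C5BA2E0F6} - C:\Program Files\Messenger\laculyt664.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O15 - Trusted Zone: *.doginhispen.com
"""

# Assumed line layouts (hypothetical, derived from the logs above, not an official grammar).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<host>\S+)$")


def parse_entry(line):
    """Return (kind, fields) for a recognised O2/O4/O15 line, or None otherwise."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        d = m.groupdict()
        # HijackThis appends "(file missing)" when the registered DLL is absent on disk.
        d["file_missing"] = d["path"].endswith("(file missing)")
        d["path"] = d["path"].replace("(file missing)", "").strip()
        return "O2", d
    m = O4_RE.match(line)
    if m:
        return "O4", m.groupdict()
    m = O15_RE.match(line)
    if m:
        return "O15", m.groupdict()
    return None


def triage(log_text):
    """Scan a log and return a list of findings, each with the line and its reasons."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_entry(raw)
        if parsed is None:
            continue
        kind, d = parsed
        reasons = []
        if kind == "O2":
            if d["file_missing"]:
                reasons.append("BHO registered but its DLL is gone (orphaned CLSID)")
            # Legitimate BHOs carry a readable name; "0" or "(no name)" is worth a look.
            if d["name"] == "(no name)" or not any(c.isalpha() for c in d["name"]):
                reasons.append("BHO has no meaningful name")
        if kind == "O4" and re.search(r"\\bak\\", d["cmd"], re.IGNORECASE):
            reasons.append("Run entry points into a 'bak' folder; compare with the ComboFix AWF section")
        if kind == "O15" and d["host"].startswith("*."):
            reasons.append("wildcard domain added to the IE Trusted Zone")
        if reasons:
            findings.append({"kind": kind, "line": raw.strip(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["kind"], "|", f["line"])
        for r in f["reasons"]:
            print("    -", r)
```

The script only reports; deciding what to remove stays with the person reading the log, which is why a benign entry with a readable name and a present file (the GetRight BHO, the AVG Run key) produces no finding.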

mbyte22
2007-10-28, 02:19
Ken,

I will be checking your response to my last post tomorrow to finish my problem.

thanks for your help so far.

ken545
2007-10-28, 02:23
This is what I would do, I have a bad feeling about this one. I am going to show you how to restore the removal of this entry with HJT in case it causes you a problem, but I believe it won't.

To restore the backups:
Open HiJackThis
Click on "View the list of Backups"
Place a check mark next to anything you want to restore
Click Restore
Click Yes
Reboot your computer



Remove this with HJT.

O2 - BHO: 0 - {E22149FF-6B00-4B0F-5FBF-348C5BA2E0F6} - C:\Program Files\Messenger\laculyt664.dll (file missing)



Run this system cleaner, it's a free program and yours to keep, I run it on my own systems about once a week.

Download CCleaner from here (http://www.ccleaner.com/) to clean temp files from your computer.

Double click on the file to start the installation of the program.
Select your language and click OK, then next.
Read the license agreement and click I Agree.
Click next to use the default install location. Click Install then finish to complete installation.
Double click the CCleaner shortcut on the desktop to start the program.
On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
Click on the "Options" icon at the left side of the window, then click on "Advanced."
Deselect "Only delete files in Windows Temp folders older than 48 hours."
Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
After CCleaner has completed its process, click Exit.


*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!


The rest of your log looks fine :bigthumb: How is your system behaving now??

mbyte22
2007-10-28, 14:42
The changes and cleaning are done.

My system is running fine. I am no longer getting the popups from the system tray.

ken545
2007-10-28, 14:55
mbyte22,

That's great, glad to hear that. :bigthumb:


Malware Complaints (http://malwarecomplaints.info/index.php)
Are you mad? I mean really mad, seething mad, so mad you're ready to spit, mad that you have taken your hard earned dollars to buy a computer only to have some Miscreants, Dirt Bags and Cyber Criminals install a malicious program on your computer without your knowledge or consent. You can post your complaint at the above site. If you live in the U.S.A. you can also report your grievance to your State Attorney General's Office and the Federal Trade Commission's Bureau of Consumer Protection.


How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
Tom Coyote (http://forums.tomcoyote.org/index.php?showtopic=48151)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
Geeks To Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)




Here are some free programs to install, these are must haves to help keep you secure

Spybot Search and Destroy 1.4 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts.

Win Patrol (http://www.winpatrol.com/download.html) This program will warn you when any changes are being made to your system and give you the option to deny the change.

IE-Spyad (http://forums.windowsforum.org/index.php?showtopic=6640)
IE-Spyad places over 4000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 2.0 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will in no way interfere with IE, you can use them both.

Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free Firewall from Zone Labs, I wouldn't access the internet without it.



Glad we could help

Safe Surfn
Ken

mbyte22
2007-10-28, 15:01
I did a scan with Spybot to see if Virtumonde was still there and it found it again but only had one registry entry instead of three. Here is the report.

Microsoft.WindowsSecurityCenter.UpdateDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0

Virtumonde.generic: User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-606747145-1592454029-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{11A69AE4-FBED-4832-A2BF-45AF82825583}


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2007-10-26 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2004-05-12 SDHelper.dll (1.3.0.12)
2007-07-31 Tools.dll (2.1.2.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-10-24 Includes\Cookies.sbi (*)
2007-07-25 Includes\Dialer.sbi (*)
2007-10-24 Includes\DialerC.sbi (*)
2007-08-29 Includes\Hijackers.sbi (*)
2007-10-24 Includes\HijackersC.sbi (*)
2007-10-04 Includes\Keyloggers.sbi (*)
2007-10-24 Includes\KeyloggersC.sbi (*)
2004-05-12 Includes\LSP.sbi (*)
2007-10-24 Includes\Malware.sbi (*)
2007-10-24 Includes\MalwareC.sbi (*)
2007-10-24 Includes\PUPS.sbi (*)
2007-10-24 Includes\PUPSC.sbi (*)
2007-10-24 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-10-24 Includes\SecurityC.sbi (*)
2007-10-24 Includes\Spybots.sbi (*)
2007-10-24 Includes\SpybotsC.sbi (*)
2007-08-21 Includes\Tracks.uti
2007-10-24 Includes\Trojans.sbi (*)
2007-10-24 Includes\TrojansC.sbi (*)
2007-06-06 Plugins\TCPIPAddress.dll

mbyte22
2007-10-28, 15:07
Ken, right after I posted my last thread, I ran Spybot and it found Virtumonde in one registry entry. Here is the report from Spybot. Also you were concerned about another issue in the thread.

Microsoft.WindowsSecurityCenter.UpdateDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0

Virtumonde.generic: User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-606747145-1592454029-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{11A69AE4-FBED-4832-A2BF-45AF82825583}


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2007-10-26 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2004-05-12 SDHelper.dll (1.3.0.12)
2007-07-31 Tools.dll (2.1.2.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-10-24 Includes\Cookies.sbi (*)
2007-07-25 Includes\Dialer.sbi (*)
2007-10-24 Includes\DialerC.sbi (*)
2007-08-29 Includes\Hijackers.sbi (*)
2007-10-24 Includes\HijackersC.sbi (*)
2007-10-04 Includes\Keyloggers.sbi (*)
2007-10-24 Includes\KeyloggersC.sbi (*)
2004-05-12 Includes\LSP.sbi (*)
2007-10-24 Includes\Malware.sbi (*)
2007-10-24 Includes\MalwareC.sbi (*)
2007-10-24 Includes\PUPS.sbi (*)
2007-10-24 Includes\PUPSC.sbi (*)
2007-10-24 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-10-24 Includes\SecurityC.sbi (*)
2007-10-24 Includes\Spybots.sbi (*)
2007-10-24 Includes\SpybotsC.sbi (*)
2007-08-21 Includes\Tracks.uti
2007-10-24 Includes\Trojans.sbi (*)
2007-10-24 Includes\TrojansC.sbi (*)
2007-06-06 Plugins\TCPIPAddress.dll

ken545
2007-10-28, 15:12
The infection is gone, Spybot will clean out any leftover registry entries, you're fine :bigthumb:

ken545
2007-10-28, 23:22
mbyte22

You need to reply to this thread only; if you start a new topic I am not notified and won't know that you posted.

These infections leave registry entries that are no longer valid with the infection gone. Run Spybot again and remove all it finds, REBOOT your computer and run Spybot again and see if it comes up clean.

If not, then run this program and post the report.

Please download SuperAntiSpyware (http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE)
Install the program

Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.

Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next
Then, click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)

Please provide the SuperAntiSpyware log in your reply, as well as a new HijackThis log.

tashi
2007-11-06, 23:10
mbyte22, please update to Spybot-S&D version 1.5.


Spybot - Search & Destroy Version 1.5 Download (http://www.spybot.info/en/download/index.html)
Uninstall previous version (http://www.safer-networking.org/en/howto/uninstall.html)
Tutorial (http://www.spybot.info/en/tutorial/index.html)
Frequently Asked Questions:
http://www.spybot.info/en/faq/index.html

You will also have to update your new version using the integrated updater.

This topic has been moved to archives. If you need the thread re-opened, please send me a private message (pm) and provide a link.

Applies only to the original poster, anyone else with similar problems please start your own topic.

Best regards.