virtumonde
tangerineftw
2007-12-17, 07:24
I have been trying to remove Virtumonde for a while with no luck, so I've decided to ask for help here.
I've done all of the "Before you Post" steps: the Kaspersky online virus scanner, booting into safe mode and running Spybot-S&D, then doing HijackThis.
Here is the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:11:01 PM, on 12/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Dustin\Desktop\HiJackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [782c97f0] rundll32.exe "C:\WINDOWS\system32\dwgfofvq.dll",b
O4 - HKCU\..\Run: [Ieri] "C:\WINDOWS\ECURIT~1\wowexec.exe" -vt yazb
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197583692139
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197583767012
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
--
End of file - 7243 bytes
I also have the Kaspersky test log report if you want to see that too.
Hello tangerineftw
Welcome to Safer Networking.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected things can happen.
Download VundoFix (http://www.atribune.org/ccount/click.php?id=4 ) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the ComboFix log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
I see only one entry on your log for Vundo and I am sure there are more, so do this please.
C:\Documents and Settings\Dustin\Desktop\HiJackThis\HijackThis.exe <-- Right-click on this (it looks like a man with a spyglass) and rename it to Scanner.exe.
Let me see the Vundo log, the ComboFix log, the Kaspersky log and a new HJT log from the renamed copy. It will most likely not all fit in one post, so take as many as you need to post it all.
Ken
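One way to triage the O4 (autostart) lines of the HijackThis log above for the kind of entry Ken is pointing at. This is an added example written for this thread; it is not code from the forum, from HijackThis or from VundoFix. The three heuristics, the thresholds and the list of system binaries are assumptions, not documented behaviour of any of those tools; the sample input is the set of O4 lines copied from the log above.

```python
"""Triage of HijackThis O4 (autostart) entries for Vundo-style persistence.

Added example, not code from the thread, HijackThis or VundoFix. It re-reads
the O4 lines of the posted log and applies three defender-side heuristics
(all thresholds and the system-binary list are assumptions):
  1. the Run value name is random hex instead of a product name,
  2. rundll32.exe loads a system32 DLL with a random-looking name through a
     one-letter export,
  3. a file carrying the name of a Windows system binary runs from a
     directory that is not system32.
"""
import ntpath  # splits Windows paths correctly even when run on Linux/macOS
import re

# O4 lines as HijackThis writes them, e.g.
#   O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
#   O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4_RE = re.compile(r'^O4 - (?P<hive>[^:]+): (?:\[(?P<name>[^\]]+)\] )?(?P<command>.+)$')
HEX_NAME_RE = re.compile(r'^[0-9a-f]{8}$', re.I)             # e.g. 782c97f0
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S+)', re.I)
RANDOM_DLL_RE = re.compile(r'^[a-z]{7,8}$')                   # e.g. dwgfofvq
# Assumption: on Windows XP these binaries only legitimately live in system32.
SYSTEM_BINARIES = {'wowexec.exe', 'svchost.exe', 'lsass.exe', 'winlogon.exe', 'csrss.exe', 'smss.exe'}

# Sample input: O4 lines copied from the HijackThis log posted above.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [782c97f0] rundll32.exe "C:\WINDOWS\system32\dwgfofvq.dll",b
O4 - HKCU\..\Run: [Ieri] "C:\WINDOWS\ECURIT~1\wowexec.exe" -vt yazb
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
"""


def parse_o4(line):
    """Return {'hive', 'name', 'command'} for an O4 line, or None for any other line."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def executable_path(command):
    """Extract the launched executable from an O4 command string."""
    target = command.split(' = ', 1)[-1].strip()        # 'x.lnk = path' form
    if target.startswith('"'):
        return target[1:target.index('"', 1)]           # quoted path
    m = re.match(r'(.+?\.exe)(?:\s|$)', target, re.I)   # unquoted path, may contain spaces
    return m.group(1) if m else target.split()[0]


def assess_entry(entry):
    """Return the reasons an O4 entry looks suspicious (empty list if clean)."""
    reasons = []
    name, command = entry['name'] or '', entry['command']
    if HEX_NAME_RE.match(name):
        reasons.append('Run value name is random hex rather than a product name')
    m = RUNDLL_RE.search(command)
    if m:
        dll_dir, dll_file = ntpath.split(m.group('dll').lower())
        if dll_dir.endswith('\\system32') and RANDOM_DLL_RE.match(dll_file[:-4]):
            reasons.append(f'rundll32 loads random-named DLL {dll_file} from system32')
        if len(m.group('export')) == 1:
            reasons.append('rundll32 called with a one-letter export name')
    exe_dir, exe_file = ntpath.split(executable_path(command).lower())
    if exe_file in SYSTEM_BINARIES and not exe_dir.endswith('\\system32'):
        reasons.append(f'{exe_file} is a system binary but runs from {exe_dir}')
    return reasons


def triage(log_text):
    """Map each suspicious O4 entry (by value name, else by file) to its reasons."""
    flagged = {}
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = assess_entry(entry)
        if reasons:
            flagged[entry['name'] or executable_path(entry['command'])] = reasons
    return flagged


if __name__ == '__main__':
    for key, reasons in triage(SAMPLE_O4_LINES).items():
        print(key)
        for reason in reasons:
            print('   -', reason)
```

Run against the sample it flags exactly two entries, `782c97f0` and `Ieri`, and leaves the firewall, antivirus and Logitech entries alone. Both hits correspond to items the logs later in this thread report removing: VundoFix deletes `C:\WINDOWS\system32\dwgfofvq.dll`, and ComboFix deletes the `C:\WINDOWS\ecurit~1` directory that `wowexec.exe` was running from. The heuristics are deliberately narrow; a random-looking but legitimate DLL name, or a vendor that chooses a hex-like value name, would be a false positive, so treat the output as a list of entries to look at, not as a verdict.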
tangerineftw
2007-12-18, 05:16
Thank you :)
Here is the VundoFix log:
VundoFix V6.7.7
Checking Java version...
Scan started at 5:29:20 PM 12/17/2007
Listing files found while scanning....
C:\windows\system32\ddayy.dll
C:\WINDOWS\system32\ddvgwfqy.dll
C:\WINDOWS\system32\dwgfofvq.dll
C:\WINDOWS\system32\efcyyax.dll
C:\WINDOWS\system32\fccyaww.dll
C:\WINDOWS\system32\fjagbrwo.ini
C:\WINDOWS\system32\ljjgfcd.dll
C:\WINDOWS\system32\owrbgajf.dll
C:\WINDOWS\system32\qvfofgwd.ini
C:\WINDOWS\system32\ysupwlra.dll
C:\windows\system32\yyadd.ini
C:\windows\system32\yyadd.ini2
Beginning removal...
Attempting to delete C:\windows\system32\ddayy.dll
C:\windows\system32\ddayy.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ddvgwfqy.dll
C:\WINDOWS\system32\ddvgwfqy.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\dwgfofvq.dll
C:\WINDOWS\system32\dwgfofvq.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\efcyyax.dll
C:\WINDOWS\system32\efcyyax.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\fccyaww.dll
C:\WINDOWS\system32\fccyaww.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\fjagbrwo.ini
C:\WINDOWS\system32\fjagbrwo.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\ljjgfcd.dll
C:\WINDOWS\system32\ljjgfcd.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\owrbgajf.dll
C:\WINDOWS\system32\owrbgajf.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\qvfofgwd.ini
C:\WINDOWS\system32\qvfofgwd.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\ysupwlra.dll
C:\WINDOWS\system32\ysupwlra.dll Has been deleted!
Attempting to delete C:\windows\system32\yyadd.ini
C:\windows\system32\yyadd.ini Has been deleted!
Attempting to delete C:\windows\system32\yyadd.ini2
C:\windows\system32\yyadd.ini2 Has been deleted!
Performing Repairs to the registry.
Done!
And here is the ComboFix log:
ComboFix 07-12-17.1 - Dustin 2007-12-17 19:06:31.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1111 [GMT -8:00]
Running from: C:\Documents and Settings\Dustin\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Dustin\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Dustin\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Dustin\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\Common Files\mbols~1
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\Temporary
C:\WINDOWS\ecurit~1
C:\WINDOWS\ecurit~1\?ecurity\
C:\WINDOWS\system32\wapiit32.exe
.
((((((((((((((((((((((((( Files Created from 2007-11-18 to 2007-12-18 )))))))))))))))))))))))))))))))
.
2007-12-16 21:47 . 2007-12-16 22:13 <DIR> d-------- C:\Program Files\SpywareGuard
2007-12-16 11:42 . 2007-12-16 11:42 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-16 11:42 . 2007-12-16 11:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-16 11:29 . 2007-12-17 18:33 <DIR> d-------- C:\VundoFix Backups
2007-12-16 11:09 . 2007-12-16 11:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-12-16 09:10 . 2007-12-17 18:24 <DIR> d-------- C:\Documents and Settings\Laura\Application Data\Launchy
2007-12-16 03:51 . 2007-12-16 03:52 <DIR> d-------- C:\WINDOWS\system32\PolarClock3 dir
2007-12-16 03:51 . 2007-12-16 03:51 201,728 --a------ C:\WINDOWS\system32\PolarClock3.scr
2007-12-16 01:28 . 2007-12-16 21:47 <DIR> d-------- C:\Program Files\Weather Watcher
2007-12-16 01:28 . 2004-05-27 02:32 102,400 --a------ C:\WINDOWS\system32\unzip32.dll
2007-12-16 00:54 . 2007-12-16 00:54 1,158 --a------ C:\WINDOWS\mozver.dat
2007-12-16 00:46 . 2007-12-16 00:46 <DIR> d-------- C:\Program Files\Launchy
2007-12-16 00:46 . 2007-12-17 19:04 <DIR> d-------- C:\Documents and Settings\Dustin\Application Data\Launchy
2007-12-16 00:10 . 2007-12-16 00:10 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2007-12-16 00:01 . 2007-12-16 03:31 <DIR> d-------- C:\Documents and Settings\Dustin\Application Data\DivX
2007-12-16 00:00 . 2007-12-16 00:00 <DIR> d-------- C:\Documents and Settings\Dustin\Application Data\skypePM
2007-12-16 00:00 . 2007-12-16 00:00 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-15 23:59 . 2007-12-16 00:00 <DIR> d-------- C:\Program Files\DivX
2007-12-15 23:59 . 2007-12-16 00:01 <DIR> d-------- C:\Documents and Settings\Dustin\Application Data\Skype
2007-12-15 23:56 . 2007-12-15 23:56 <DIR> d-------- C:\Program Files\Skype
2007-12-15 23:56 . 2007-12-15 23:56 <DIR> d-------- C:\Program Files\Common Files\Skype
2007-12-15 23:56 . 2007-12-15 23:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2007-12-15 19:42 . 2007-12-15 19:42 <DIR> d-------- C:\Documents and Settings\Laura\Application Data\Talkback
2007-12-15 19:42 . 2007-12-15 19:42 <DIR> d-------- C:\Documents and Settings\Laura\Application Data\Comodo
2007-12-15 06:33 . 2007-12-15 06:33 <DIR> d-------- C:\Documents and Settings\Alan\Application Data\Talkback
2007-12-15 06:32 . 2007-12-15 06:32 <DIR> d-------- C:\Documents and Settings\Alan\Application Data\Comodo
2007-12-14 22:20 . 2007-12-14 22:20 25 --a------ C:\WINDOWS\cdplayer.ini
2007-12-14 22:17 . 2007-12-14 22:17 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-12-14 22:15 . 2007-12-14 22:17 <DIR> d-------- C:\Program Files\Real
2007-12-14 22:15 . 2007-12-14 22:17 <DIR> d-------- C:\Program Files\Common Files\Real
2007-12-14 21:06 . 2007-12-14 21:06 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-12-14 21:04 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-12-14 21:04 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-12-14 20:54 . 2004-09-29 12:12 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2007-12-14 20:54 . 2004-09-29 12:15 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2007-12-14 20:54 . 2004-09-29 12:09 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2007-12-14 20:54 . 2004-09-29 12:14 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2007-12-14 20:54 . 2004-09-29 12:08 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe
2007-12-14 20:54 . 2004-09-29 12:09 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2007-12-14 20:53 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2007-12-14 20:51 . 2007-12-14 20:54 <DIR> d-------- C:\Program Files\HP
2007-12-14 20:48 . 2007-12-14 21:08 68,268 --a------ C:\WINDOWS\hpoins05.dat
2007-12-14 20:48 . 2005-07-15 07:17 19,696 --------- C:\WINDOWS\hpomdl05.dat
2007-12-14 20:29 . 2007-12-14 20:29 <DIR> d-------- C:\temp\HP_WebRelease
2007-12-14 20:29 . 2007-12-16 00:10 <DIR> d-------- C:\temp
2007-12-14 17:21 . 2007-12-14 17:30 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-12-14 11:59 . 2007-12-14 11:59 <DIR> d-------- C:\Program Files\uTorrent
2007-12-14 11:59 . 2007-12-14 17:24 <DIR> d-------- C:\Documents and Settings\Dustin\Application Data\uTorrent
2007-12-14 11:49 . 2007-12-14 11:52 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-12-14 11:49 . 2007-12-14 11:49 <DIR> d-------- C:\Program Files\Innovative Solutions
2007-12-14 04:03 . 2007-12-14 04:03 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-12-13 23:02 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-12-13 23:02 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-12-13 22:51 . 2007-12-16 03:12 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-12-13 22:08 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2007-12-13 21:43 . 2007-12-13 21:43 <DIR> d-------- C:\Program Files\Microsoft Works
2007-12-13 21:42 . 2007-12-13 21:42 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-12-13 21:33 . 2007-12-13 21:33 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-13 21:28 . 2007-12-13 21:28 <DIR> d-------- C:\Documents and Settings\Dustin\Application Data\Participatory Culture Foundation
2007-12-13 21:27 . 2007-12-13 21:27 <DIR> d-------- C:\Program Files\Participatory Culture Foundation
2007-12-13 21:23 . 2004-08-04 04:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-12-13 21:22 . 2007-12-13 21:22 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2007-12-13 21:18 . 2007-12-13 21:21 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-12-13 21:16 . 2007-12-13 21:16 <DIR> dr-h----- C:\MSOCache
2007-12-13 19:18 . 2007-12-16 11:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-13 19:05 . 2004-08-04 00:56 90,624 --a------ C:\WINDOWS\system32\kswdmcap.ax
2007-12-13 18:52 . 2007-12-13 18:52 127,034 -r------- C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
2007-12-13 18:45 . 2007-12-13 22:20 <DIR> d-------- C:\Program Files\Logitech
2007-12-13 18:45 . 2007-12-13 22:20 <DIR> d-------- C:\Program Files\Common Files\Logitech
2007-12-13 18:23 . 2007-12-13 19:06 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-13 18:23 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2007-12-13 18:23 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2007-12-13 18:22 . 2007-12-15 22:27 99 --a------ C:\WINDOWS\(null)toolkit.ini
2007-12-13 18:20 . 2007-12-13 18:20 <DIR> d-------- C:\Documents and Settings\Dustin\Application Data\Trillian
2007-12-13 18:19 . 2007-12-13 18:19 <DIR> d-------- C:\Program Files\Support Tools
2007-12-13 18:19 . 2007-12-13 18:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-13 18:16 . 2007-12-16 22:00 <DIR> d-------- C:\Program Files\trillian
2007-12-13 18:10 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-13 18:09 . 2007-12-13 18:10 <DIR> d-------- C:\Program Files\Java
2007-12-13 18:09 . 2007-12-13 18:09 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-13 18:03 . 2007-12-13 18:03 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-13 18:03 . 2007-12-13 18:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-13 18:03 . 2007-12-13 18:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-13 18:01 . 2006-06-14 01:00 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2007-12-13 18:01 . 2006-06-14 01:00 82,944 --a--c--- C:\WINDOWS\system32\dllcache\wdmaud.sys
2007-12-13 18:01 . 2001-08-17 14:00 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2007-12-13 18:01 . 2001-08-17 14:00 54,272 --a--c--- C:\WINDOWS\system32\dllcache\swmidi.sys
2007-12-13 18:01 . 2004-08-03 23:07 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2007-12-13 18:01 . 2004-08-03 23:07 52,864 --a--c--- C:\WINDOWS\system32\dllcache\dmusic.sys
2007-12-13 18:01 . 2006-06-14 00:47 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2007-12-13 18:01 . 2006-06-14 00:47 6,400 --a--c--- C:\WINDOWS\system32\dllcache\splitter.sys
2007-12-13 18:00 . 2007-12-13 18:00 <DIR> d-------- C:\Program Files\Analog Devices
2007-12-13 17:59 . 1999-05-07 13:24 645,616 --a------ C:\WINDOWS\system32\MSCOMCT2.OCX
2007-12-13 17:59 . 2000-03-23 12:50 446,464 -ra------ C:\WINDOWS\system32\hhactivex.dll
2007-12-13 17:59 . 1999-05-07 13:24 414,944 --a------ C:\WINDOWS\system32\COMCT332.OCX
2007-12-13 17:59 . 1998-11-10 10:46 328,480 --a------ C:\WINDOWS\system32\ssa3d30.ocx
2007-12-13 17:59 . 2002-01-08 17:00 176,128 --a------ C:\WINDOWS\system32\RcdScan.dll
2007-12-13 17:59 . 1998-09-24 12:03 171,967 --a------ C:\WINDOWS\system32\Odbcjet.hlp
2007-12-13 17:59 . 1998-06-17 23:00 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2007-12-13 17:59 . 2001-08-22 08:42 13,632 --------- C:\WINDOWS\system32\drivers\omci.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-04 18:38 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-12-04 18:38 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-12-04 18:38 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{268DCB02-F64C-4C5C-84F6-0FD7F2090061}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{780f2de5-4bbc-4003-8d65-e1b33ccc38bd}]
C:\WINDOWS\system32\ysupwlra.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B52FD2F7-0369-4BE8-AA4F-A188B62A5F58}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E15409C1-337E-4AAD-AF8D-1E18AFD0CF29}]
C:\WINDOWS\system32\ddayy.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA665CFD-E2D0-4936-A5EE-9D011D6E9A63}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FAE37C62-485C-4A24-AE1F-FCEBB028983D}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ieri"="C:\WINDOWS\ECURIT~1\wowexec.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 14:44]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-12-13 14:24]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 12:52]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 17:32]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 15:24]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 15:14]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-14 22:15]
"782c97f0"="C:\WINDOWS\system32\dwgfofvq.dll" []
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - C:\Program Files\Launchy\Launchy.exe [2007-12-16 00:46:30]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-12-13 18:52:48]
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - C:\Program Files\WiFiConnector\NintendoWFCReg.exe [2007-12-13 17:39:57]
S3 TNET1130;802.11 WLAN;C:\WINDOWS\system32\DRIVERS\TNET1130.sys [2004-12-01 18:35]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d2d2c6f-a9c7-11dc-9221-b30633f48a10}]
\Shell\AutoRun\command - F:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-17 19:11:50
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-17 19:12:32 - machine was rebooted
.
2007-12-14 12:03:35 --- E O F ---
tangerineftw
2007-12-18, 05:17
And here is the Kaspersky test log:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, December 16, 2007 6:48:36 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 16/12/2007
Kaspersky Anti-Virus database records: 484174
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
G:\
H:\
Scan Statistics:
Total number of scanned objects: 82980
Number of viruses found: 7
Number of infected objects: 18
Number of suspicious objects: 0
Duration of the scan process: 02:44:51
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Alan\Local Settings\Temporary Internet Files\Content.IE5\4XZZWG6R\hctp[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\Documents and Settings\Alan\Local Settings\Temporary Internet Files\Content.IE5\WXZ30QRO\gamadril20071203[1] Infected: Backdoor.Win32.Agent.dbm skipped
C:\Documents and Settings\Alan\Local Settings\Temporary Internet Files\Content.IE5\WXZ30QRO\ptch[1] Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\p0fye6y5.default\cert8.db Object is locked skipped
C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\p0fye6y5.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\p0fye6y5.default\history.dat Object is locked skipped
C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\p0fye6y5.default\key3.db Object is locked skipped
C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\p0fye6y5.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\p0fye6y5.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\p0fye6y5.default\zotero\zotero.sqlite Object is locked skipped
C:\Documents and Settings\Dustin\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Dustin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Dustin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Dustin\Local Settings\Application Data\Mozilla\Firefox\Profiles\p0fye6y5.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Dustin\Local Settings\Application Data\Mozilla\Firefox\Profiles\p0fye6y5.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Dustin\Local Settings\Application Data\Mozilla\Firefox\Profiles\p0fye6y5.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Dustin\Local Settings\Application Data\Mozilla\Firefox\Profiles\p0fye6y5.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Dustin\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dustin\Local Settings\History\History.IE5\MSHist012007121620071217\index.dat Object is locked skipped
C:\Documents and Settings\Dustin\Local Settings\Temp\~DF6CC7.tmp Object is locked skipped
C:\Documents and Settings\Dustin\Local Settings\Temp\~DFB6AA.tmp Object is locked skipped
C:\Documents and Settings\Dustin\Local Settings\Temp\~DFDFD3.tmp Object is locked skipped
C:\Documents and Settings\Dustin\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Dustin\Local Settings\Temporary Internet Files\Content.IE5\4T005H0E\hctp[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\Documents and Settings\Dustin\Local Settings\Temporary Internet Files\Content.IE5\4XZZWG6R\gamadril20071203[1] Infected: Backdoor.Win32.Agent.dbm skipped
C:\Documents and Settings\Dustin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dustin\Local Settings\Temporary Internet Files\Content.IE5\WTWXUXOD\ptch[1] Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\Documents and Settings\Dustin\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Dustin\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Laura\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Laura\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Laura\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Laura\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Laura\Local Settings\Temp\~DF6733.tmp Object is locked skipped
C:\Documents and Settings\Laura\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Laura\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Laura\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Dustin\Data\chandir.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Dustin\Data\chandir.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Dustin\Data\chn.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Dustin\Data\chn.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Dustin\Data\D0000000.FCS Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Dustin\Data\inuse.txt Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Dustin\Data\L0000001.FCS Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Dustin\Data\main.log Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Dustin\Data\prs.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Dustin\Data\prs.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Dustin\Data\prs_die.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Dustin\Data\prs_die.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Dustin\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Dustin\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Dustin\Data\prs_ext.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Dustin\Data\prs_ext.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Dustin\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Dustin\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Dustin\Data\storydb.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Dustin\Data\storydb.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Laura\Data\chandir.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Laura\Data\chandir.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Laura\Data\chn.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Laura\Data\chn.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Laura\Data\D0000000.FCS Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Laura\Data\inuse.txt Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Laura\Data\L0000001.FCS Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Laura\Data\main.log Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Laura\Data\prs.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Laura\Data\prs.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Laura\Data\prs_die.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Laura\Data\prs_die.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Laura\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Laura\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Laura\Data\prs_ext.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Laura\Data\prs_ext.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Laura\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Laura\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Laura\Data\storydb.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Laura\Data\storydb.idx Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{75078986-9C8B-4797-AC7F-13372725DF6D}\RP18\change.log Object is locked skipped
C:\System Volume Information\_restore{75078986-9C8B-4797-AC7F-13372725DF6D}\RP9\A0001217.exe Infected: Trojan-Downloader.Win32.Agent.gat skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\ddvgwfqy.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\WINDOWS\system32\dwgfofvq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\owrbgajf.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\ysupwlra.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\WINDOWS\Temp\Perflib_Perfdata_5c8.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_60c.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\unp153222305.tmp Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
D:\Documents and Settings\Dustin\Desktop\dustin desktop\vtp7\Vista Transformation Pack 7.0.exe/WISE0030.BIN Infected: not-a-virus:RiskTool.Win32.PsKill.e skipped
D:\Documents and Settings\Dustin\Desktop\dustin desktop\vtp7\Vista Transformation Pack 7.0.exe WiseSFX: infected - 1 skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{75078986-9C8B-4797-AC7F-13372725DF6D}\RP18\A0004501.exe/stream/data0006 Infected: Trojan.Win32.DNSChanger.aho skipped
D:\System Volume Information\_restore{75078986-9C8B-4797-AC7F-13372725DF6D}\RP18\A0004501.exe/stream Infected: Trojan.Win32.DNSChanger.aho skipped
D:\System Volume Information\_restore{75078986-9C8B-4797-AC7F-13372725DF6D}\RP18\A0004501.exe NSIS: infected - 2 skipped
D:\System Volume Information\_restore{75078986-9C8B-4797-AC7F-13372725DF6D}\RP18\A0004504.exe Infected: not-a-virus:RiskTool.Win32.Deleter.a skipped
D:\System Volume Information\_restore{75078986-9C8B-4797-AC7F-13372725DF6D}\RP18\A0004505.exe Infected: not-a-virus:RiskTool.Win32.Deleter.a skipped
D:\System Volume Information\_restore{75078986-9C8B-4797-AC7F-13372725DF6D}\RP18\change.log Object is locked skipped
Scan process completed.
Hello,
Those scans removed quite a bit :bigthumb:, still a little more to do.
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot-up.
Please download SuperAntiSpyware (http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE)
Install the program
Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.
Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next
Then, click Finish
It is possible that the program asks to reboot in order to delete some files.
Obtain the SuperAntiSpyware log as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)
Please provide the SuperAntiSpyware log in your reply, as well as a new HijackThis log.
Let me see the SAS log, and I still need to see a new HJT log (renamed), please.
tangerineftw
2007-12-18, 07:13
Okay, here is the SAS log file:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 12/17/2007 at 08:53 PM
Application Version : 3.9.1008
Core Rules Database Version : 3363
Trace Rules Database Version: 1362
Scan type : Complete Scan
Total Scan Time : 00:51:28
Memory items scanned : 490
Memory threats detected : 0
Registry items scanned : 5847
Registry threats detected : 5
File items scanned : 66434
File threats detected : 21
Trojan.WinFixer
HKLM\Software\Classes\CLSID\{E15409C1-337E-4AAD-AF8D-1E18AFD0CF29}
HKCR\CLSID\{E15409C1-337E-4AAD-AF8D-1E18AFD0CF29}
HKCR\CLSID\{E15409C1-337E-4AAD-AF8D-1E18AFD0CF29}\InprocServer32
HKCR\CLSID\{E15409C1-337E-4AAD-AF8D-1E18AFD0CF29}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\DDAYY.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E15409C1-337E-4AAD-AF8D-1E18AFD0CF29}
Trojan.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WAPIIT32.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{75078986-9C8B-4797-AC7F-13372725DF6D}\RP20\A0004651.EXE
Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{75078986-9C8B-4797-AC7F-13372725DF6D}\RP16\A0002198.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{75078986-9C8B-4797-AC7F-13372725DF6D}\RP19\A0004610.DLL
Trojan.Downloader-Gen/DDC
C:\SYSTEM VOLUME INFORMATION\_RESTORE{75078986-9C8B-4797-AC7F-13372725DF6D}\RP18\A0004476.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{75078986-9C8B-4797-AC7F-13372725DF6D}\RP18\A0004495.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{75078986-9C8B-4797-AC7F-13372725DF6D}\RP19\A0004523.EXE
Adware.Vundo-Variant/Small-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{75078986-9C8B-4797-AC7F-13372725DF6D}\RP19\A0004611.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{75078986-9C8B-4797-AC7F-13372725DF6D}\RP19\A0004612.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{75078986-9C8B-4797-AC7F-13372725DF6D}\RP19\A0004616.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{75078986-9C8B-4797-AC7F-13372725DF6D}\RP19\A0004617.DLL
Adware.Vundo-Variant/Small
C:\SYSTEM VOLUME INFORMATION\_RESTORE{75078986-9C8B-4797-AC7F-13372725DF6D}\RP19\A0004613.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{75078986-9C8B-4797-AC7F-13372725DF6D}\RP19\A0004614.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{75078986-9C8B-4797-AC7F-13372725DF6D}\RP19\A0004635.DLL
Trojan.Downloader-Gen/MROFIN
C:\SYSTEM VOLUME INFORMATION\_RESTORE{75078986-9C8B-4797-AC7F-13372725DF6D}\RP9\A0001217.EXE
Adware.ClickSpring-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{75078986-9C8B-4797-AC7F-13372725DF6D}\RP9\A0001218.EXE
Adware.Tracking Cookie
D:\Documents and Settings\Dustin\Cookies\dustin@atdmt[1].txt
D:\Documents and Settings\Dustin\Cookies\dustin@doubleclick[1].txt
D:\Documents and Settings\Dustin\Cookies\dustin@statcounter[1].txt
D:\Documents and Settings\Dustin\Cookies\dustin@windowsmedia[1].txt
And here is the HJT log, renamed to hiscan.exe:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:12:38 PM, on 12/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Dustin\Desktop\HiJackThis\hiscan.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {268DCB02-F64C-4C5C-84F6-0FD7F2090061} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {db83ccc3-3b1e-56d8-3004-cbb45ed2f087} - {780f2de5-4bbc-4003-8d65-e1b33ccc38bd} - C:\WINDOWS\system32\ysupwlra.dll (file missing)
O2 - BHO: (no name) - {B52FD2F7-0369-4BE8-AA4F-A188B62A5F58} - (no file)
O2 - BHO: (no name) - {EA665CFD-E2D0-4936-A5EE-9D011D6E9A63} - (no file)
O2 - BHO: (no name) - {FAE37C62-485C-4A24-AE1F-FCEBB028983D} - (no file)
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [782c97f0] rundll32.exe "C:\WINDOWS\system32\dwgfofvq.dll",b
O4 - HKCU\..\Run: [Ieri] "C:\WINDOWS\ECURIT~1\wowexec.exe" -vt yazb
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197583692139
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197583767012
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
--
End of file - 8354 bytes
Good Morning,
Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above File::
File::
C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ddayy.dll
C:\WINDOWS\system32\dwgfofvq.dll
Folder::
C:\VundoFix Backups
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{268DCB02-F64C-4C5C-84F6-0FD7F2090061}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{780f2de5-4bbc-4003-8d65-e1b33ccc38bd}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B52FD2F7-0369-4BE8-AA4F-A188B62A5F58}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E15409C1-337E-4AAD-AF8D-1E18AFD0CF29}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA665CFD-E2D0-4936-A5EE-9D011D6E9A63}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FAE37C62-485C-4A24-AE1F-FCEBB028983D}]
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.
Most of these will be gone, but double-check them.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: {db83ccc3-3b1e-56d8-3004-cbb45ed2f087} - {780f2de5-4bbc-4003-8d65-e1b33ccc38bd} - C:\WINDOWS\system32\ysupwlra.dll (file missing)
O2 - BHO: (no name) - {B52FD2F7-0369-4BE8-AA4F-A188B62A5F58} - (no file)
O2 - BHO: (no name) - {EA665CFD-E2D0-4936-A5EE-9D011D6E9A63} - (no file)
O2 - BHO: (no name) - {FAE37C62-485C-4A24-AE1F-FCEBB028983D} - (no file)
O4 - HKLM\..\Run: [782c97f0] rundll32.exe "C:\WINDOWS\system32\dwgfofvq.dll",b
Post the new ComboFix log and a new HJT log, please.
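As an added illustration of the triage behind the Fix Checked list above (example code, not the helper's and not part of HijackThis or ComboFix): the O2 and O4 lines of the posted HJT log are parsed, BHOs whose DLL is gone and Run entries that load a DLL the Kaspersky scan reported as infected are flagged, and the matching Registry:: lines are emitted in the CFScript form used above. The sample input is constructed from lines posted in this thread; the regexes, the known-bad list and the function names are my own.

```python
import re

# Constructed sample: a subset of the HijackThis log lines posted above.
HJT_LINES = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {268DCB02-F64C-4C5C-84F6-0FD7F2090061} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {db83ccc3-3b1e-56d8-3004-cbb45ed2f087} - {780f2de5-4bbc-4003-8d65-e1b33ccc38bd} - C:\WINDOWS\system32\ysupwlra.dll (file missing)
O2 - BHO: (no name) - {B52FD2F7-0369-4BE8-AA4F-A188B62A5F58} - (no file)
O2 - BHO: (no name) - {EA665CFD-E2D0-4936-A5EE-9D011D6E9A63} - (no file)
O2 - BHO: (no name) - {FAE37C62-485C-4A24-AE1F-FCEBB028983D} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [782c97f0] rundll32.exe "C:\WINDOWS\system32\dwgfofvq.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
""".strip().splitlines()

# DLL names the Kaspersky scan above reported as Virtumonde/SuperJuan (constructed from that log).
KNOWN_BAD_DLLS = {"ddvgwfqy.dll", "dwgfofvq.dll", "owrbgajf.dll", "ysupwlra.dll"}

# O2: "O2 - BHO: <name> - {CLSID} - <path or (no file)>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
# O4 Run entries: "O4 - HKLM\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
DLL_RE = re.compile(r"[A-Za-z0-9_~]+\.dll", re.IGNORECASE)

# Abbreviated key path exactly as written in the CFScript above (hypothetical constant name).
BHO_KEY = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects"


def triage_hjt(lines, known_bad_dlls):
    """Return [(log_line, reason)] for entries a helper would put on the Fix Checked list."""
    findings = []
    for line in lines:
        m = O2_RE.match(line)
        if m:
            path = m.group("path")
            if path == "(no file)" or path.endswith("(file missing)"):
                # CLSID still registered, DLL already removed: an orphaned BHO entry.
                findings.append((line, "orphaned BHO: registered CLSID but DLL is gone"))
            elif path.rsplit("\\", 1)[-1].lower() in known_bad_dlls:
                findings.append((line, "BHO DLL reported infected by the AV scan"))
            continue
        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd")
            dlls = {d.lower() for d in DLL_RE.findall(cmd)}
            if "rundll32" in cmd.lower() and dlls & known_bad_dlls:
                # Vundo-style persistence: rundll32 loading a randomly named DLL at logon.
                findings.append((line, "autorun loads an AV-flagged DLL via rundll32"))
    return findings


def cfscript_registry_section(findings):
    """Build the Registry:: block that deletes each flagged BHO CLSID (format as in the post above)."""
    clsids = []
    for line, _reason in findings:
        m = O2_RE.match(line)
        if m and m.group("clsid") not in clsids:
            clsids.append(m.group("clsid"))
    return ["Registry::"] + [f"[-{BHO_KEY}\\{c}]" for c in clsids]


if __name__ == "__main__":
    found = triage_hjt(HJT_LINES, KNOWN_BAD_DLLS)
    for entry, why in found:
        print(f"{why}\n    {entry}")
    print("\n".join(cfscript_registry_section(found)))
```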
tangerineftw
2007-12-19, 00:54
Here is the new ComboFix log:
ComboFix 07-12-17.1 - Dustin 2007-12-18 14:42:21.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.845 [GMT -8:00]
Running from: C:\Documents and Settings\Dustin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dustin\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
C:\WINDOWS\system32\ddayy.dll
C:\WINDOWS\system32\dwgfofvq.dll
C:\WINDOWS\system32\mcrh.tmp
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\ddayy.dll.bad
C:\VundoFix Backups\ddvgwfqy.dll.bad
C:\VundoFix Backups\dwgfofvq.dll.bad
C:\VundoFix Backups\efcyyax.dll.bad
C:\VundoFix Backups\fccyaww.dll.bad
C:\VundoFix Backups\fjagbrwo.ini.bad
C:\VundoFix Backups\ljjgfcd.dll.bad
C:\VundoFix Backups\owrbgajf.dll.bad
C:\VundoFix Backups\qvfofgwd.ini.bad
C:\VundoFix Backups\ysupwlra.dll.bad
C:\VundoFix Backups\yyadd.ini.bad
C:\VundoFix Backups\yyadd.ini2.bad
C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
C:\WINDOWS\system32\mcrh.tmp
.
((((((((((((((((((((((((( Files Created from 2007-11-18 to 2007-12-18 )))))))))))))))))))))))))))))))
.
2007-12-17 21:30 . 2007-12-17 21:30 <DIR> d-------- C:\Program Files\WiFiConnector
2007-12-17 21:27 . 2004-05-12 13:49 1 --a------ C:\WINDOWS\system32\drivers\RT25USBAP.CAT
2007-12-17 19:59 . 2007-12-17 21:09 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-17 19:59 . 2007-12-17 19:59 <DIR> d-------- C:\Documents and Settings\Dustin\Application Data\SUPERAntiSpyware.com
2007-12-17 19:59 . 2007-12-17 19:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-16 21:47 . 2007-12-16 22:13 <DIR> d-------- C:\Program Files\SpywareGuard
2007-12-16 11:42 . 2007-12-16 11:42 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-16 11:42 . 2007-12-16 11:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-16 11:09 . 2007-12-16 11:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-12-16 09:10 . 2007-12-17 18:24 <DIR> d-------- C:\Documents and Settings\Laura\Application Data\Launchy
2007-12-16 03:51 . 2007-12-16 03:52 <DIR> d-------- C:\WINDOWS\system32\PolarClock3 dir
2007-12-16 03:51 . 2007-12-16 03:51 201,728 --a------ C:\WINDOWS\system32\PolarClock3.scr
2007-12-16 01:28 . 2007-12-16 21:47 <DIR> d-------- C:\Program Files\Weather Watcher
2007-12-16 01:28 . 2004-05-27 02:32 102,400 --a------ C:\WINDOWS\system32\unzip32.dll
2007-12-16 00:54 . 2007-12-16 00:54 1,158 --a------ C:\WINDOWS\mozver.dat
2007-12-16 00:46 . 2007-12-16 00:46 <DIR> d-------- C:\Program Files\Launchy
2007-12-16 00:46 . 2007-12-18 14:25 <DIR> d-------- C:\Documents and Settings\Dustin\Application Data\Launchy
2007-12-16 00:10 . 2007-12-16 00:10 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2007-12-16 00:01 . 2007-12-16 03:31 <DIR> d-------- C:\Documents and Settings\Dustin\Application Data\DivX
2007-12-16 00:00 . 2007-12-16 00:00 <DIR> d-------- C:\Documents and Settings\Dustin\Application Data\skypePM
2007-12-16 00:00 . 2007-12-16 00:00 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-15 23:59 . 2007-12-16 00:00 <DIR> d-------- C:\Program Files\DivX
2007-12-15 23:59 . 2007-12-16 00:01 <DIR> d-------- C:\Documents and Settings\Dustin\Application Data\Skype
2007-12-15 23:56 . 2007-12-15 23:56 <DIR> d-------- C:\Program Files\Skype
2007-12-15 23:56 . 2007-12-15 23:56 <DIR> d-------- C:\Program Files\Common Files\Skype
2007-12-15 23:56 . 2007-12-15 23:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2007-12-15 19:42 . 2007-12-15 19:42 <DIR> d-------- C:\Documents and Settings\Laura\Application Data\Talkback
2007-12-15 19:42 . 2007-12-15 19:42 <DIR> d-------- C:\Documents and Settings\Laura\Application Data\Comodo
2007-12-15 06:33 . 2007-12-15 06:33 <DIR> d-------- C:\Documents and Settings\Alan\Application Data\Talkback
2007-12-15 06:32 . 2007-12-15 06:32 <DIR> d-------- C:\Documents and Settings\Alan\Application Data\Comodo
2007-12-14 22:20 . 2007-12-14 22:20 25 --a------ C:\WINDOWS\cdplayer.ini
2007-12-14 22:17 . 2007-12-14 22:17 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-12-14 22:15 . 2007-12-14 22:17 <DIR> d-------- C:\Program Files\Real
2007-12-14 22:15 . 2007-12-14 22:17 <DIR> d-------- C:\Program Files\Common Files\Real
2007-12-14 21:06 . 2007-12-14 21:06 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-12-14 21:04 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-12-14 21:04 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-12-14 20:54 . 2004-09-29 12:12 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2007-12-14 20:54 . 2004-09-29 12:15 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2007-12-14 20:54 . 2004-09-29 12:09 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2007-12-14 20:54 . 2004-09-29 12:14 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2007-12-14 20:54 . 2004-09-29 12:08 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe
2007-12-14 20:54 . 2004-09-29 12:09 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2007-12-14 20:53 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2007-12-14 20:51 . 2007-12-14 20:54 <DIR> d-------- C:\Program Files\HP
2007-12-14 20:48 . 2007-12-14 21:08 68,268 --a------ C:\WINDOWS\hpoins05.dat
2007-12-14 20:48 . 2005-07-15 07:17 19,696 --------- C:\WINDOWS\hpomdl05.dat
2007-12-14 20:29 . 2007-12-14 20:29 <DIR> d-------- C:\temp\HP_WebRelease
2007-12-14 20:29 . 2007-12-16 00:10 <DIR> d-------- C:\temp
2007-12-14 17:21 . 2007-12-14 17:30 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-12-14 11:59 . 2007-12-14 11:59 <DIR> d-------- C:\Program Files\uTorrent
2007-12-14 11:59 . 2007-12-14 17:24 <DIR> d-------- C:\Documents and Settings\Dustin\Application Data\uTorrent
2007-12-14 11:49 . 2007-12-14 11:52 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-12-14 11:49 . 2007-12-14 11:49 <DIR> d-------- C:\Program Files\Innovative Solutions
2007-12-14 04:03 . 2007-12-14 04:03 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-12-13 23:02 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-12-13 23:02 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-12-13 22:08 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2007-12-13 21:43 . 2007-12-13 21:43 <DIR> d-------- C:\Program Files\Microsoft Works
2007-12-13 21:42 . 2007-12-13 21:42 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-12-13 21:33 . 2007-12-13 21:33 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-13 21:28 . 2007-12-13 21:28 <DIR> d-------- C:\Documents and Settings\Dustin\Application Data\Participatory Culture Foundation
2007-12-13 21:27 . 2007-12-13 21:27 <DIR> d-------- C:\Program Files\Participatory Culture Foundation
2007-12-13 21:23 . 2004-08-04 04:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-12-13 21:22 . 2007-12-13 21:22 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2007-12-13 21:18 . 2007-12-13 21:21 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-12-13 21:16 . 2007-12-13 21:16 <DIR> dr-h----- C:\MSOCache
2007-12-13 19:18 . 2007-12-16 11:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-13 19:05 . 2004-08-04 00:56 90,624 --a------ C:\WINDOWS\system32\kswdmcap.ax
2007-12-13 18:45 . 2007-12-13 22:20 <DIR> d-------- C:\Program Files\Logitech
2007-12-13 18:45 . 2007-12-13 22:20 <DIR> d-------- C:\Program Files\Common Files\Logitech
2007-12-13 18:23 . 2007-12-13 19:06 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-13 18:23 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2007-12-13 18:23 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2007-12-13 18:22 . 2007-12-15 22:27 99 --a------ C:\WINDOWS\(null)toolkit.ini
2007-12-13 18:20 . 2007-12-13 18:20 <DIR> d-------- C:\Documents and Settings\Dustin\Application Data\Trillian
2007-12-13 18:19 . 2007-12-13 18:19 <DIR> d-------- C:\Program Files\Support Tools
2007-12-13 18:19 . 2007-12-13 18:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-13 18:16 . 2007-12-16 22:00 <DIR> d-------- C:\Program Files\trillian
2007-12-13 18:10 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-13 18:09 . 2007-12-13 18:10 <DIR> d-------- C:\Program Files\Java
2007-12-13 18:09 . 2007-12-13 18:09 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-13 18:03 . 2007-12-13 18:03 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-13 18:03 . 2007-12-17 19:58 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-13 18:03 . 2007-12-13 18:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-13 18:01 . 2006-06-14 01:00 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2007-12-13 18:01 . 2006-06-14 01:00 82,944 --a--c--- C:\WINDOWS\system32\dllcache\wdmaud.sys
2007-12-13 18:01 . 2001-08-17 14:00 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2007-12-13 18:01 . 2001-08-17 14:00 54,272 --a--c--- C:\WINDOWS\system32\dllcache\swmidi.sys
2007-12-13 18:01 . 2004-08-03 23:07 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2007-12-13 18:01 . 2004-08-03 23:07 52,864 --a--c--- C:\WINDOWS\system32\dllcache\dmusic.sys
2007-12-13 18:01 . 2006-06-14 00:47 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2007-12-13 18:01 . 2006-06-14 00:47 6,400 --a--c--- C:\WINDOWS\system32\dllcache\splitter.sys
2007-12-13 18:00 . 2007-12-13 18:00 <DIR> d-------- C:\Program Files\Analog Devices
2007-12-13 17:59 . 1999-05-07 13:24 645,616 --a------ C:\WINDOWS\system32\MSCOMCT2.OCX
2007-12-13 17:59 . 2000-03-23 12:50 446,464 -ra------ C:\WINDOWS\system32\hhactivex.dll
2007-12-13 17:59 . 1999-05-07 13:24 414,944 --a------ C:\WINDOWS\system32\COMCT332.OCX
2007-12-13 17:59 . 1998-11-10 10:46 328,480 --a------ C:\WINDOWS\system32\ssa3d30.ocx
2007-12-13 17:59 . 2002-01-08 17:00 176,128 --a------ C:\WINDOWS\system32\RcdScan.dll
2007-12-13 17:59 . 1998-09-24 12:03 171,967 --a------ C:\WINDOWS\system32\Odbcjet.hlp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-04 18:38 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-12-04 18:38 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-12-04 18:38 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-12-04 18:38 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-12-04 18:38 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-12-04 18:38 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-12-04 18:36 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-04 18:36 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-04 18:36 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-12-04 18:36 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-04 18:36 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-12-04 18:36 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-12-04 18:36 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-12-04 18:36 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-12-04 18:36 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-12-04 18:36 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-12-04 18:36 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-12-04 18:36 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-22 11:39 267,272 ----a-w C:\WINDOWS\system32\xactengine2_10.dll
2007-10-22 11:37 17,928 ----a-w C:\WINDOWS\system32\X3DAudio1_2.dll
2007-10-12 23:14 3,734,536 ----a-w C:\WINDOWS\system32\d3dx9_36.dll
2007-10-12 23:14 1,374,232 ----a-w C:\WINDOWS\system32\D3DCompiler_36.dll
2007-10-02 17:56 444,776 ----a-w C:\WINDOWS\system32\d3dx10_36.dll
.
((((((((((((((((((((((((((((( snapshot@2007-12-17_19.12.07.78 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-18 03:59:15 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2007-12-18 03:59:15 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2007-12-18 03:59:15 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2006-04-10 21:02:18 162,816 ----a-w C:\WINDOWS\system32\drivers\rt25usbap.sys
+ 2006-04-10 22:02:00 162,816 ----a-w C:\WINDOWS\system32\drivers\RT25USBAP.SYS
+ 2007-12-18 13:00:24 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_568.dat
+ 2007-12-18 05:23:45 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5ec.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ieri"="C:\WINDOWS\ECURIT~1\wowexec.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 14:44]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-12-13 14:24]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 12:52]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 17:32]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 15:24]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 15:14]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-14 22:15]
"782c97f0"="C:\WINDOWS\system32\dwgfofvq.dll" []
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - C:\Program Files\Launchy\Launchy.exe [2007-12-16 00:46:30]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-12-13 18:52:48]
Run Registration Tool.lnk - C:\Program Files\WiFiConnector\NintendoWFCReg.exe [2007-12-17 21:30:13]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
S3 TNET1130;802.11 WLAN;C:\WINDOWS\system32\DRIVERS\TNET1130.sys [2004-12-01 18:35]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d2d2c6f-a9c7-11dc-9221-b30633f48a10}]
\Shell\AutoRun\command - F:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-18 14:43:33
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-18 14:44:02
C:\ComboFix2.txt ... 2007-12-17 19:12
.
2007-12-14 12:03:35 --- E O F ---
tangerineftw
2007-12-19, 00:55
And here is the new HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:47:08 PM, on 12/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Participatory Culture Foundation\Miro\xulrunner\Miro.exe
C:\Program Files\Participatory Culture Foundation\Miro\Miro_Downloader.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Dustin\Desktop\HiJackThis\hiscan.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Ieri] "C:\WINDOWS\ECURIT~1\wowexec.exe" -vt yazb
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Run Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197583692139
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197583767012
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
--
End of file - 7847 bytes
Hello,
Remove these with HJT.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKCU\..\Run: [Ieri] "C:\WINDOWS\ECURIT~1\wowexec.exe" -vt yazb
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner; this is expected, and it will be back to normal after the first or second boot-up.
Post a new HJT log and let me know how your system is running now.
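As an added example (not code from the thread or from the HijackThis project), a small Python script that does what the helper does by hand: it pulls the Rn/On entry lines out of a HijackThis log, diffs a before and after log to confirm the requested entries are gone, and applies a few heuristics to O4 Run entries (a binary launched from a non-standard folder under the Windows directory, a system binary name in the wrong folder, a hex-looking value name). The folder whitelist, the binary-location table and the sample logs are constructed assumptions, not HJT's own logic.

```python
"""Parse HijackThis-style logs, diff a before/after pair, and flag odd O4 Run entries."""
import re

# Entry lines look like "O4 - HKCU\..\Run: [name] command" or "R0 - ...".
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Registry Run entries: hive, value name and the executable path (quoted or not).
RUN_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] '
    r'"?(?P<exe>[^"]+?\.(?:exe|dll|scr|com|bat))"?', re.IGNORECASE)

# Constructed whitelist of folders that normally sit directly under the Windows
# directory; not exhaustive, tune it to your own baseline.
KNOWN_WINDIR_SUBDIRS = {"system32", "system", "network diagnostic"}
# Constructed table: a familiar binary name in an unfamiliar folder is a common
# masquerading trick (the thread's [Ieri] entry runs wowexec.exe from ECURIT~1).
SYSTEM_BINARY_HOME = {"wowexec.exe": "system32", "ctfmon.exe": "system32",
                      "svchost.exe": "system32", "lsass.exe": "system32"}

# Constructed samples: a few lines modelled on the logs in the thread, before and
# after the two entries the helper listed were fixed.
BEFORE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Ieri] "C:\WINDOWS\ECURIT~1\wowexec.exe" -vt yazb
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [782c97f0] C:\WINDOWS\system32\dwgfofvq.dll
"""
AFTER_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""
# The two lines the helper asked the poster to fix with HJT.
REQUESTED = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank",
    r'O4 - HKCU\..\Run: [Ieri] "C:\WINDOWS\ECURIT~1\wowexec.exe" -vt yazb',
]


def parse_entries(log_text):
    """Return the Rn/On entry lines of a log, dropping headers and the process list."""
    return [ln.strip() for ln in log_text.splitlines() if ENTRY_RE.match(ln.strip())]


def diff_logs(before, after):
    """Entries that disappeared and entries that appeared between two logs."""
    b, a = set(parse_entries(before)), set(parse_entries(after))
    return sorted(b - a), sorted(a - b)


def still_present(after, requested):
    """Which of the entries that were supposed to be fixed are still in the new log."""
    present = set(parse_entries(after))
    return [e for e in requested if e in present]


def run_entry_reasons(entry):
    """Heuristic warnings for one O4 Run entry (empty list means nothing odd)."""
    m = RUN_RE.match(entry)
    if not m:
        return []
    name, exe = m.group("name"), m.group("exe")
    parts = exe.replace("/", "\\").split("\\")
    lower = [p.lower() for p in parts]
    reasons = []
    if len(lower) > 3 and lower[1] == "windows" and lower[2] not in KNOWN_WINDIR_SUBDIRS:
        reasons.append("runs from a non-standard folder under the Windows directory")
    expected = SYSTEM_BINARY_HOME.get(lower[-1])
    if expected and (len(lower) < 3 or lower[-2] != expected):
        reasons.append(f"{parts[-1]} normally lives in {expected}, not {parts[-2]}")
    if re.fullmatch(r"[0-9a-f]{8,}", name.lower()):
        reasons.append("value name looks machine-generated")
    if m.group("hive").upper() == "HKCU" and reasons:
        reasons.append("per-user Run key (no admin rights needed to persist there)")
    return reasons


def audit(log_text):
    """Map each flagged O4 Run entry to its list of reasons."""
    return {e: run_entry_reasons(e) for e in parse_entries(log_text) if run_entry_reasons(e)}


if __name__ == "__main__":
    for entry, why in audit(BEFORE_LOG).items():
        print(entry, "->", "; ".join(why))
    print("still present after fix:", still_present(AFTER_LOG, REQUESTED))
```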
tangerineftw
2007-12-19, 02:15
Here is the new HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:11:23 PM, on 12/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Participatory Culture Foundation\Miro\xulrunner\Miro.exe
C:\Program Files\Participatory Culture Foundation\Miro\Miro_Downloader.exe
C:\Documents and Settings\Dustin\Desktop\HiJackThis\hiscan.exe.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Run Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197583692139
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197583767012
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
--
End of file - 7746 bytes
And... it seems to be running great!
No more pop-ups or warnings or other weirdities :)
Thank you so much :D
That's great :bigthumb: Log looks good :bigthumb:
Be sure to follow the instructions on this list for System Restore, as there were bad entries in that program and you don't want to take the chance of reinfecting yourself.
How did I get infected in the first place? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Keep in mind, if you install some of these programs: only ONE antivirus and only ONE firewall are recommended; more is overkill and can cause you problems. You can install all the spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy, but do not enable the TeaTimer in Spybot.
Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community.
Spybot Search and Destroy 1.5 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers real-time protection from spyware installation attempts; again, no scan to run, just install it and let it do its thing.
IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 2.0.0.6 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.
Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free firewall from Zone Labs; I wouldn't access the internet without it.
Glad we could help
Safe Surfn
Ken