View Full Version : virtumonde.dll
I've got something on my computer that Spybot detects, but it can't remove. I've tried Ad-Aware and Symantec too, and neither can get rid of it. I know it's causing pop-ups whenever I use the internet, but I'm worried about what else it's doing that I don't know about.
Here's my HJT log. I have the Kaspersky scan results as well, but they're really long. So, if necessary, I can post that as well. Thanks in advance for any help you can provide.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:49:46 AM, on 1/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar BETA - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar BETA - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://amiuptodate.mcafee.com/vsc/bin/2,0,0,0/McUpdatePortal.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155180141843
O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) - http://esis4.nwpartnership.org:7777/forms/jinitiator/jinit.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5104/mcfscan.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
--
End of file - 5873 bytes
Hello Jamal
Welcome to Safer Networking.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen
Not looking at any bad entries in your HJT log , not to say something is hiding and not showing up
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Thank You Atribune
Now rerun Kaspersky and post the new Kaspersky log pleasel
Kaspersky
Now run this online scan using Internet Explorer:
Kaspersky Online Scanner from Kaspersky Online Virus Scanner (http://www.kaspersky.com/kos/english/kavwebscan.html)
Next Click on Launch Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Standard
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan: Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Post the log along with a New HJT Log into your next reply.
I ran the ATF cleaner. Here's the new Kaspersky and HJT scans.
Kaspersky:
KASPERSKY ONLINE SCANNER REPORT
Saturday, January 19, 2008 9:34:01 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 19/01/2008
Kaspersky Anti-Virus database records: 489551
Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
Scan Statistics
Total number of scanned objects 79043
Number of viruses found 11
Number of infected objects 36
Number of suspicious objects 0
Duration of the scan process 01:33:14
Infected Object Name Virus Name Last Action
C:\check_LSA7.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12062006-115547.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Pure Networks\Log\logfile.nmapp_exe.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Pure Networks\Log\logfile.nmctxth_exe.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Pure Networks\Log\logfile.nmsrvc_exe.txt Object is locked skipped
C:\Documents and Settings\Jed\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jed\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Jed\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jed\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jed\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jed\Local Settings\History\History.IE5\MSHist012008011920080120\index.dat Object is locked skipped
C:\Documents and Settings\Jed\Local Settings\Temp\snapsnet.exe/data0006 Infected: Trojan-Downloader.Win32.VB.bto skipped
C:\Documents and Settings\Jed\Local Settings\Temp\snapsnet.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Jed\Local Settings\Temp\temp.fr6221\WinTouch.exe Infected: Trojan-Downloader.Win32.Agent.hcn skipped
C:\Documents and Settings\Jed\Local Settings\Temp\wavesnet.exe Infected: Trojan-Downloader.Win32.Small.gll skipped
C:\Documents and Settings\Jed\Local Settings\Temp\yazzsnet.exe/data0003 Infected: Trojan.Win32.Scapur.k skipped
C:\Documents and Settings\Jed\Local Settings\Temp\yazzsnet.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Jed\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Jed\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jed\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jed\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Dot1XCfg\Dot1XCfg.exe Infected: Trojan-Downloader.Win32.Adload.pr skipped
C:\Program Files\Temporary\kernInst.exe Infected: Trojan.Win32.Agent.dwb skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP726\A0077918.exe Infected: not-virus:Hoax.Win32.Renos.mt skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP726\A0077920.exe Infected: not-virus:Hoax.Win32.Renos.mt skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP726\A0077921.exe Infected: not-virus:Hoax.Win32.Renos.mt skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP726\A0077925.exe Infected: not-virus:Hoax.Win32.Renos.mt skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP727\A0077941.exe Infected: not-virus:Hoax.Win32.Renos.mt skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP727\A0077942.exe Infected: not-virus:Hoax.Win32.Renos.mt skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP727\A0077943.exe Infected: not-virus:Hoax.Win32.Renos.mt skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP727\A0077954.exe Infected: not-virus:Hoax.Win32.Renos.mt skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP727\A0077955.exe Infected: not-virus:Hoax.Win32.Renos.mt skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP727\A0077956.exe Infected: not-virus:Hoax.Win32.Renos.mt skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP728\A0077983.exe Infected: not-virus:Hoax.Win32.Renos.mt skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP728\A0077984.exe Infected: not-virus:Hoax.Win32.Renos.mt skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP728\A0077985.exe Infected: not-virus:Hoax.Win32.Renos.mt skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP728\A0077998.exe Infected: not-virus:Hoax.Win32.Renos.mt skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP728\A0077999.exe Infected: not-virus:Hoax.Win32.Renos.mt skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP728\A0078000.exe Infected: not-virus:Hoax.Win32.Renos.mt skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP729\A0078006.exe Infected: not-virus:Hoax.Win32.Renos.mt skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP729\A0078008.exe Infected: not-virus:Hoax.Win32.Renos.mt skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP729\A0078009.exe Infected: not-virus:Hoax.Win32.Renos.mt skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP729\A0078012.exe Infected: not-virus:Hoax.Win32.Renos.mt skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP792\A0086051.exe Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP792\A0086137.exe Infected: Trojan-Downloader.Win32.Agent.hcn skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP792\A0086148.exe Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP794\change.log Object is locked skipped
C:\Temp\bass.exe/data0004 Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\Temp\bass.exe/data0006 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\Temp\bass.exe NSIS: infected - 2 skipped
C:\WINDOWS\b122.exe Infected: Trojan-Downloader.Win32.Agent.haq skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\rnkygaqr.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\s2rk.5k Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:35:49 AM, on 1/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rnkygaqr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar BETA - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar BETA - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [7813dbfb] rundll32.exe "C:\WINDOWS\system32\reamhksq.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://amiuptodate.mcafee.com/vsc/bin/2,0,0,0/McUpdatePortal.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155180141843
O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) - http://esis4.nwpartnership.org:7777/forms/jinitiator/jinit.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5104/mcfscan.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\rnkygaqr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
--
End of file - 5966 bytes
Thanks.
Jamal,
You have picked up some bad entries since your original post, I would strongly urge that outside of checking in at this forum that you stay off the internet until we give you the all clear.
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
The ComboFix log:
ComboFix 08-01-18.5 - Jed 2008-01-19 11:58:44.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.115 [GMT -8:00]
Running from: C:\Documents and Settings\Jed\Local Settings\Temporary Internet Files\Content.IE5\0SVHUDMH\ComboFix[1].exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\check_LSA7.txt
C:\Documents and Settings\Jed\Application Data\PPPATC~1
C:\Documents and Settings\Jed\Application Data\PPPATC~1\?ppPatch\
C:\Documents and Settings\Jed\My Documents\DOBE~1
C:\Program Files\Temporary
C:\Program Files\Temporary\kernInst.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\abW9
C:\Temp\bass.exe
C:\Temp\fCOe
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\b122.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\ODCTOOLS
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\dpsdgryv.ini
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\etdrvbqd.dll
C:\WINDOWS\system32\eudfofui.dll
C:\WINDOWS\system32\f10WtR
C:\WINDOWS\system32\njwskdde.dll
C:\WINDOWS\system32\oTt02e
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\qskhmaer.ini
C:\WINDOWS\system32\reamhksq.dll
C:\WINDOWS\system32\rMa01yy
C:\WINDOWS\system32\rnkygaqr.exe
C:\WINDOWS\system32\ss1
C:\WINDOWS\system32\stutv.bak1
C:\WINDOWS\system32\stutv.bak2
C:\WINDOWS\system32\stutv.ini
C:\WINDOWS\system32\vtuts.dll
C:\WINDOWS\system32\vyrgdspd.dll
C:\WINDOWS\system32\wqlfuefh.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE
-------\DomainService
((((((((((((((((((((((((( Files Created from 2007-12-19 to 2008-01-19 )))))))))))))))))))))))))))))))
.
2008-01-19 11:55 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-18 11:49 . 2008-01-18 11:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-18 11:31 . 2008-01-18 11:31 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-01-18 07:56 . 2008-01-18 07:56 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-18 07:56 . 2008-01-18 07:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-16 05:38 . 2008-01-16 05:38 <DIR> d-------- C:\Program Files\Dot1XCfg
2007-12-20 07:44 . 2008-01-18 05:47 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-20 07:44 . 2007-12-20 07:44 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-20 07:43 . 2007-12-20 07:44 <DIR> d-------- C:\Program Files\iTunes
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-20 15:43 --------- d-----w C:\Program Files\iPod
2007-12-20 15:41 --------- d-----w C:\Program Files\QuickTime
2007-12-01 21:27 --------- d-----w C:\Program Files\DIFX
2007-12-01 21:26 --------- d-----w C:\Program Files\Common Files\Pure Networks Shared
2007-12-01 21:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pure Networks
2007-08-26 22:14 1,821,700 --sha-w C:\WINDOWS\system32\abadd.bak1
2007-08-17 00:57 1,746,885 --sha-w C:\WINDOWS\system32\accdd.bak1
2007-08-27 12:23 1,976,064 --sha-w C:\WINDOWS\system32\aybeg.bak1
2007-08-28 12:23 1,991,757 --sha-w C:\WINDOWS\system32\aybeg.bak2
2007-08-17 13:18 1,747,880 --sha-w C:\WINDOWS\system32\cccdd.bak1
2007-08-19 04:03 1,821,246 --sha-w C:\WINDOWS\system32\hhkmp.bak1
2007-08-20 12:30 1,821,246 --sha-w C:\WINDOWS\system32\ijjlm.bak1
2007-08-19 17:40 1,821,246 --sha-w C:\WINDOWS\system32\ijkkj.bak1
2007-08-19 06:44 1,821,246 --sha-w C:\WINDOWS\system32\ijkmp.bak1
2007-08-17 06:51 1,746,885 --sha-w C:\WINDOWS\system32\ilkkj.bak1
2007-08-18 05:11 1,821,246 --sha-w C:\WINDOWS\system32\klkkj.bak1
2007-08-16 13:32 1,754,131 --sha-w C:\WINDOWS\system32\mlnmp.bak1
2007-08-18 06:07 1,821,246 --sha-w C:\WINDOWS\system32\mnnmp.bak1
2007-08-19 01:31 1,824,731 --sha-w C:\WINDOWS\system32\mnnmp.ini2
2007-08-29 01:53 1,977,266 --sha-w C:\WINDOWS\system32\rtstv.bak1
2007-08-31 03:13 1,984,027 --sha-w C:\WINDOWS\system32\rtstv.bak2
2007-08-31 21:55 1,982,874 --sha-w C:\WINDOWS\system32\rtstv.ini2
2007-08-19 05:33 1,821,246 --sha-w C:\WINDOWS\system32\srutv.bak1
2007-08-16 13:45 1,754,131 --sha-w C:\WINDOWS\system32\sstwa.bak1
2007-08-21 02:07 1,821,186 --sha-w C:\WINDOWS\system32\uvvwa.bak1
2007-08-17 14:33 1,747,864 --sha-w C:\WINDOWS\system32\wvvwa.bak1
2007-08-23 02:18 1,895,928 --sha-w C:\WINDOWS\system32\wvvwa.bak2
2007-08-23 02:47 1,751,327 --sha-w C:\WINDOWS\system32\wvvwa.ini2
2007-08-23 13:09 1,821,700 --sha-w C:\WINDOWS\system32\xbadd.bak1
2007-08-26 13:18 1,826,000 --sha-w C:\WINDOWS\system32\xbadd.bak2
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:00 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2007-10-01 20:08 451896]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2007-10-29 22:04 451896]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 18:29 39264]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgggecc]
hgggecc.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 13:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yaywxvw]
yaywxvw.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=C:\WINDOWS\pss\Bluetooth Manager.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Clean Access Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Clean Access Agent.lnk
backup=C:\WINDOWS\pss\Clean Access Agent.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2004-09-13 13:33 155648 C:\Program Files\Apoint\Apoint.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 02:00 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2005-03-04 08:26 606208 C:\Program Files\Dell\QuickSet\quickset.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-12-05 22:05 127035 C:\WINDOWS\system32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-04-26 05:04 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-02-15 12:02 126976 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-11 22:12 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
--a------ 2005-06-01 08:35 49152 C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-02-15 12:02 155648 C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
--a------ 2004-08-04 02:00 44032 C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 02:00 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
--a------ 2004-10-30 11:59 385024 C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-12-11 12:10 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 08:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-04 02:00 59392 C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneCareUI]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 02:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 02:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 10:56 286720 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2003-11-19 14:48 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-11-27 10:55 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2004-01-06 22:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 18:20 866584 C:\Program Files\Windows Defender\MSASCui.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPatrol]
--a------ 2006-07-20 20:38 230976 C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLANKEEPER"=2 (0x2)
"WinDefend"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"RegSrvc"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"ose"=3 (0x3)
"NICCONFIGSVC"=2 (0x2)
"MSMPSVC"=2 (0x2)
"msfwsvc"=2 (0x2)
"MDM"=2 (0x2)
"LexBceS"=2 (0x2)
"iPodService"=3 (0x3)
"IDriverT"=3 (0x3)
"Iap"=2 (0x2)
"EvtEng"=2 (0x2)
"CCALib8"=2 (0x2)
"BAsfIpM"=2 (0x2)
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2004-05-03 18:26]
S3 NdUsbMsn;ARESCOM USB Network Adapter;C:\WINDOWS\system32\DRIVERS\NdUsbMsn.sys [2001-12-11 02:56]
.
Contents of the 'Scheduled Tasks' folder
"2008-01-17 02:50:26 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-19 20:11:11 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-19 12:08:42
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-19 12:13:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-19 20:13:29
.
2008-01-16 13:06:47 --- E O F ---
The HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:15:09 PM, on 1/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar BETA - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - rsion - (no file)
O3 - Toolbar: Yahoo! Toolbar BETA - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://amiuptodate.mcafee.com/vsc/bin/2,0,0,0/McUpdatePortal.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155180141843
O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) - http://esis4.nwpartnership.org:7777/forms/jinitiator/jinit.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5104/mcfscan.cab
O20 - Winlogon Notify: hgggecc - hgggecc.dll (file missing)
O20 - Winlogon Notify: yaywxvw - yaywxvw.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
--
End of file - 5872 bytes
Hi,
Looks like we got quite a bit of it, a little more to do.
Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.
O2 - BHO: (no name) - rsion - (no file)
Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above File::
File::
C:\WINDOWS\system32\abadd.bak1
C:\WINDOWS\system32\accdd.bak1
C:\WINDOWS\system32\aybeg.bak1
C:\WINDOWS\system32\aybeg.bak2
C:\WINDOWS\system32\cccdd.bak1
C:\WINDOWS\system32\hgggecc.dll
C:\WINDOWS\system32\hhkmp.bak1
C:\WINDOWS\system32\ijjlm.bak1
C:\WINDOWS\system32\ijkkj.bak1
C:\WINDOWS\system32\ijkmp.bak1
C:\WINDOWS\system32\ilkkj.bak1
C:\WINDOWS\system32\klkkj.bak1
C:\WINDOWS\system32\mlnmp.bak1
C:\WINDOWS\system32\mnnmp.bak1
C:\WINDOWS\system32\mnnmp.ini2
C:\WINDOWS\system32\rtstv.bak1
C:\WINDOWS\system32\rtstv.bak2
C:\WINDOWS\system32\rtstv.ini2
C:\WINDOWS\system32\srutv.bak1
C:\WINDOWS\system32\sstwa.bak1
C:\WINDOWS\system32\uvvwa.bak1
C:\WINDOWS\system32\wvvwa.bak1
C:\WINDOWS\system32\wvvwa.bak2
C:\WINDOWS\system32\wvvwa.ini2
C:\WINDOWS\system32\xbadd.bak1
C:\WINDOWS\system32\xbadd.bak2
C:\WINDOWS\system32\yaywxvw.dll
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgggecc]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yaywxvw]
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
I fixed the BHO through HijackThis.
Here's the new ComboFix log:
ComboFix 08-01-20.1 - Jed 2008-01-19 13:27:41.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.183 [GMT -8:00]
Running from: C:\Documents and Settings\Jed\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jed\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE
C:\WINDOWS\system32\abadd.bak1
C:\WINDOWS\system32\accdd.bak1
C:\WINDOWS\system32\aybeg.bak1
C:\WINDOWS\system32\aybeg.bak2
C:\WINDOWS\system32\cccdd.bak1
C:\WINDOWS\system32\hgggecc.dll
C:\WINDOWS\system32\hhkmp.bak1
C:\WINDOWS\system32\ijjlm.bak1
C:\WINDOWS\system32\ijkkj.bak1
C:\WINDOWS\system32\ijkmp.bak1
C:\WINDOWS\system32\ilkkj.bak1
C:\WINDOWS\system32\klkkj.bak1
C:\WINDOWS\system32\mlnmp.bak1
C:\WINDOWS\system32\mnnmp.bak1
C:\WINDOWS\system32\mnnmp.ini2
C:\WINDOWS\system32\rtstv.bak1
C:\WINDOWS\system32\rtstv.bak2
C:\WINDOWS\system32\rtstv.ini2
C:\WINDOWS\system32\srutv.bak1
C:\WINDOWS\system32\sstwa.bak1
C:\WINDOWS\system32\uvvwa.bak1
C:\WINDOWS\system32\wvvwa.bak1
C:\WINDOWS\system32\wvvwa.bak2
C:\WINDOWS\system32\wvvwa.ini2
C:\WINDOWS\system32\xbadd.bak1
C:\WINDOWS\system32\xbadd.bak2
C:\WINDOWS\system32\yaywxvw.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\abadd.bak1
C:\WINDOWS\system32\accdd.bak1
C:\WINDOWS\system32\aybeg.bak1
C:\WINDOWS\system32\aybeg.bak2
C:\WINDOWS\system32\cccdd.bak1
C:\WINDOWS\system32\hhkmp.bak1
C:\WINDOWS\system32\ijjlm.bak1
C:\WINDOWS\system32\ijkkj.bak1
C:\WINDOWS\system32\ijkmp.bak1
C:\WINDOWS\system32\ilkkj.bak1
C:\WINDOWS\system32\klkkj.bak1
C:\WINDOWS\system32\mlnmp.bak1
C:\WINDOWS\system32\mnnmp.bak1
C:\WINDOWS\system32\mnnmp.ini2
C:\WINDOWS\system32\rtstv.bak1
C:\WINDOWS\system32\rtstv.bak2
C:\WINDOWS\system32\rtstv.ini2
C:\WINDOWS\system32\srutv.bak1
C:\WINDOWS\system32\sstwa.bak1
C:\WINDOWS\system32\uvvwa.bak1
C:\WINDOWS\system32\wvvwa.bak1
C:\WINDOWS\system32\wvvwa.bak2
C:\WINDOWS\system32\wvvwa.ini2
C:\WINDOWS\system32\xbadd.bak1
C:\WINDOWS\system32\xbadd.bak2
.
((((((((((((((((((((((((( Files Created from 2007-12-20 to 2008-01-20 )))))))))))))))))))))))))))))))
.
2008-01-19 11:55 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-18 11:49 . 2008-01-18 11:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-18 11:31 . 2008-01-18 11:31 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-01-18 07:56 . 2008-01-18 07:56 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-18 07:56 . 2008-01-18 07:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-16 05:38 . 2008-01-16 05:38 <DIR> d-------- C:\Program Files\Dot1XCfg
2007-12-20 07:44 . 2008-01-18 05:47 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-20 07:44 . 2007-12-20 07:44 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-20 07:43 . 2007-12-20 07:44 <DIR> d-------- C:\Program Files\iTunes
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-20 15:43 --------- d-----w C:\Program Files\iPod
2007-12-20 15:41 --------- d-----w C:\Program Files\QuickTime
2007-12-01 21:27 --------- d-----w C:\Program Files\DIFX
2007-12-01 21:26 --------- d-----w C:\Program Files\Common Files\Pure Networks Shared
2007-12-01 21:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pure Networks
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-30 17:20 360,064 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2005-05-12 06:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.
((((((((((((((((((((((((((((( snapshot@2008-01-19_12.13.14.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-19 19:56:36 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-19 21:27:17 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-19 19:56:36 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-19 21:27:17 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-19 19:56:36 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-19 21:27:18 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-19 19:56:36 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-19 21:27:18 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-19 19:56:36 4,907,008 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-19 21:27:18 4,907,008 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-19 19:56:37 24,576 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-19 21:27:18 24,576 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:00 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2007-10-01 20:08 451896]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2007-10-29 22:04 451896]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 18:29 39264]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 13:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=C:\WINDOWS\pss\Bluetooth Manager.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Clean Access Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Clean Access Agent.lnk
backup=C:\WINDOWS\pss\Clean Access Agent.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2004-09-13 13:33 155648 C:\Program Files\Apoint\Apoint.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 02:00 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2005-03-04 08:26 606208 C:\Program Files\Dell\QuickSet\quickset.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-12-05 22:05 127035 C:\WINDOWS\system32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-04-26 05:04 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-02-15 12:02 126976 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-11 22:12 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
--a------ 2005-06-01 08:35 49152 C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-02-15 12:02 155648 C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
--a------ 2004-08-04 02:00 44032 C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 02:00 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
--a------ 2004-10-30 11:59 385024 C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-12-11 12:10 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 08:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-04 02:00 59392 C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneCareUI]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 02:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 02:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 10:56 286720 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2003-11-19 14:48 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-11-27 10:55 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2004-01-06 22:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 18:20 866584 C:\Program Files\Windows Defender\MSASCui.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPatrol]
--a------ 2006-07-20 20:38 230976 C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLANKEEPER"=2 (0x2)
"WinDefend"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"RegSrvc"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"ose"=3 (0x3)
"NICCONFIGSVC"=2 (0x2)
"MSMPSVC"=2 (0x2)
"msfwsvc"=2 (0x2)
"MDM"=2 (0x2)
"LexBceS"=2 (0x2)
"iPodService"=3 (0x3)
"IDriverT"=3 (0x3)
"Iap"=2 (0x2)
"EvtEng"=2 (0x2)
"CCALib8"=2 (0x2)
"BAsfIpM"=2 (0x2)
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2004-05-03 18:26]
S3 NdUsbMsn;ARESCOM USB Network Adapter;C:\WINDOWS\system32\DRIVERS\NdUsbMsn.sys [2001-12-11 02:56]
.
Contents of the 'Scheduled Tasks' folder
"2008-01-17 02:50:26 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-19 20:11:11 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-20 13:31:52
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-20 13:33:18
ComboFix-quarantined-files.txt 2008-01-20 21:32:20
ComboFix2.txt 2008-01-19 20:13:33
.
2008-01-16 13:06:47 --- E O F ---
Here's the new HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:47:16 PM, on 1/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar BETA - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar BETA - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://amiuptodate.mcafee.com/vsc/bin/2,0,0,0/McUpdatePortal.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155180141843
O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) - http://esis4.nwpartnership.org:7777/forms/jinitiator/jinit.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5104/mcfscan.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
--
End of file - 5642 bytes
Your log looks good :bigthumb: FYI You where infected with the Vundo Trojan
I am not looking at any Anti Virus software on your system, in this day and age with all the threats going around this is kind of suicidal. Here are some free AV Programs, install just one, your call, more than one is overkill and will slow your system down.
AVG Free (http://free.grisoft.com/doc/avg-anti-virus-free/lng/us/tpl/v5)
Free Avast 4 Home Edition (http://www.avast.com/eng/avast_4_home.html)
Avira AntiVirŪ Personal Edition Classic (http://www.free-av.com/)
A Firewall should also be installed
Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free Firewall from Zone Labs
Your Java is out of date and leaving your system vulnerable.
Go to your Add-Remove Programs in the Control Panel and uninstall any previous versions of Java (J2SE Runtime Environment)
It should have an icon next to it:
http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.jpg
Select it and click Remove.
Reboot your system.
Then go to the Sun Microsystems (http://java.sun.com/javase/downloads/index.jsp) and install the update
Java Runtime Environment (JRE) 6 Update 4 <--This is what you need to download and install.
If you chose the online installation, it will prompt you to run the program.
If you chose the offline installation, you will be prompted to save the file and you can run it from wherever you saved it.
Then after install you can verify your installation here Sun Java Verify (http://www.java.com/en/download/manual.jsp)
How is your system running now??
I installed the programs you suggested, and my computer seems to be running fine now. Thanks a lot!!
Thats great Jamal :bigthumb:
How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
Geeks To Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
If you install Spyware Blaster and Spyware Guard, do not enable the Tea Timer in Spybot Search and Destroy or they will conflict.
Here are some free programs to install, don't leave home without them
Spybot Search and Destroy 1.5 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis.
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed.
Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts.
Win Patrol (http://www.winpatrol.com/download.html) This program will warn you when any changes are being made to your system and give
you the option to deny the change.
IE-Spyad (http://forums.windowsforum.org/index.php?showtopic=6640)
IE-Spyad places over 4000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads
(cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 2.0 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and
painless download and install, it will no way interfere with IE, you can use them both.
Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free Firewall from Zone Labs,
Glad we could help.
Safe Surfn
Ken