View Full Version : Yet another Virtumundo infection
yup...yet another Virtumundo case. im keeping my online time to a minimum because of it, so sorry if i missed something on the Read First part...but in a rush to get offline as i dont get other viruses on my computer from popups.
using Vundofix i have got rid of most of it, and spybot gets some more...but there is always 1 file that can never be got rid of, even on restart or in safemode. ddcbyyw.dll
i presume this is the file ive read so much about that is randomly named, and i've confirmed that it is at least partially connected to the infection via its creation date/time (same as rest of virtumundo). will run Kaspersky after posting this and see what is found.
regards
s-t-n
right, here;s the kaspersky thingamajig one:- (ps its obviously out of date by a bit (about 20 hours), and im constantly getting/removing viruses, so some on there may now be gone. vitumundo is still here though)
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, January 25, 2008 6:45:50 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/01/2008
Kaspersky Anti-Virus database records: 532563
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
F:\
Scan Statistics:
Total number of scanned objects: 50655
Number of viruses found: 3
Number of infected objects: 9
Number of suspicious objects: 0
Duration of the scan process: 01:02:07
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12312007-070944.log Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\mat\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\mat\Incomplete\T-53808853-Google.SketchUp.Pro.v6.4.112.Incl.Keymaker-ACME.rar/Google.SketchUp.Pro.v6.4.112.Incl.Keymaker-ACME/ac-gsk61.exe Infected: Trojan-Dropper.Win32.Delf.xo skipped
C:\Documents and Settings\mat\Incomplete\T-53808853-Google.SketchUp.Pro.v6.4.112.Incl.Keymaker-ACME.rar/Google.SketchUp.Pro.v6.4.112.Incl.Keymaker-ACME/GoogleSketchUpProWEN.exe Infected: Trojan-Dropper.Win32.Delf.xo skipped
C:\Documents and Settings\mat\Incomplete\T-53808853-Google.SketchUp.Pro.v6.4.112.Incl.Keymaker-ACME.rar RAR: infected - 2 skipped
C:\Documents and Settings\mat\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\mat\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\mat\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\mat\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\mat\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{FEFCB82B-E39E-43F3-BDFA-5E37B71EA661} Object is locked skipped
C:\Documents and Settings\mat\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\mat\Local Settings\History\History.IE5\MSHist012008012520080126\index.dat Object is locked skipped
C:\Documents and Settings\mat\Local Settings\Temp\Free Download Manager\tic7.tmp Object is locked skipped
C:\Documents and Settings\mat\Local Settings\Temp\Setup + Patch.exe Infected: Trojan.Win32.Pakes.bzo skipped
C:\Documents and Settings\mat\Local Settings\Temp\TEMP1.ZIP/Setup + Patch.exe Infected: Trojan.Win32.Pakes.bzo skipped
C:\Documents and Settings\mat\Local Settings\Temp\TEMP1.ZIP CAB: infected - 1 skipped
C:\Documents and Settings\mat\Local Settings\Temp\temp_01.exe Infected: Trojan.Win32.Agent.ecd skipped
C:\Documents and Settings\mat\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\mat\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\mat\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{617F56E8-8B68-4032-AC75-356BA3A1E449}\RP154\A0006507.exe Infected: Trojan.Win32.Agent.ecd skipped
C:\System Volume Information\_restore{617F56E8-8B68-4032-AC75-356BA3A1E449}\RP157\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\WinPrint.exe Infected: Trojan.Win32.Pakes.bzo skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
the google sketchup is gone for sure, which i think is the source. but obviously the damage is already done. going to run the next scan now (hijack this)
Hijack this now. this has only just finished, so its entirely accurate.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:57:30, on 26/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Windows Live Messenger Khalid Edition v5.1\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [98b2f3cc] rundll32.exe "C:\WINDOWS\system32\pgkccrjd.dll",b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Policies\Explorer\Run: [Windows Printing Driver] WinPrint.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://onecare.live.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198938950596
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2008 32-bit 32-bit (mi-raysat_3dsMax2008_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
--
End of file - 5839 bytes
one thing i should mention is that in a desperate attempt to get some control back with my computer i accidentally discovered what SEEMS to stop the virus for a good 3 hours. i had only just done that when i ran hijack this, so if it doesnt appear there that may be why. i ended the explorer.exe process while vundo was messin wit it. then, to regain my start bar, i started a process called c:\. this for some reason stops it for a while, or at least sends it into the background.
s-t-n
updated hjt
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:48:38, on 28/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [SpybotDeletingA4562] command /c del "C:\WINDOWS\SchedLgU.Txt_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7072] cmd /c del "C:\WINDOWS\SchedLgU.Txt_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2501] command /c del "C:\WINDOWS\SchedLgU.Txt_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8311] cmd /c del "C:\WINDOWS\SchedLgU.Txt_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9843] command /c del "C:\WINDOWS\SchedLgU.Txt_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5352] cmd /c del "C:\WINDOWS\SchedLgU.Txt_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4979] command /c del "C:\WINDOWS\SchedLgU.Txt_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7630] cmd /c del "C:\WINDOWS\SchedLgU.Txt_tobedeleted"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB6625] command /c del "C:\WINDOWS\SchedLgU.Txt_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5863] cmd /c del "C:\WINDOWS\SchedLgU.Txt_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2307] command /c del "C:\WINDOWS\SchedLgU.Txt_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3185] cmd /c del "C:\WINDOWS\SchedLgU.Txt_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6962] command /c del "C:\WINDOWS\SchedLgU.Txt_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7425] cmd /c del "C:\WINDOWS\SchedLgU.Txt_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9810] command /c del "C:\WINDOWS\SchedLgU.Txt_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9941] cmd /c del "C:\WINDOWS\SchedLgU.Txt_tobedeleted"
O4 - HKCU\..\Policies\Explorer\Run: [Windows Printing Driver] WinPrint.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://onecare.live.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198938950596
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2008 32-bit 32-bit (mi-raysat_3dsMax2008_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
--
End of file - 7350 bytes
Hi s-t-n
Rename HijackThis.exe to s-t-n.exe and post back a fresh HijackThis log, please :)
heres the logfile. i should let you know that i have adopted my ending explorer.exe and rebooting it as my way of dealing with Vundo, as well as ending processes that i know are harmful. straight after this i got a popup, so the cause of them is there somewhere...but had no vundo probs since ending explorer.exe so dont know if still here (and spybot can no longer find the usual files of vundo)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:57:54, on 29/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\LucasArts\Star Wars Empire at War Forces of Corruption\EAW Terrain Editor.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\s-t-n.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {33C96D17-3739-4738-B2B7-62FC6B5AE260} - C:\WINDOWS\system32\pmkjh.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6AE3B9C0-1341-41C2-90DC-2FDF1D73F42C} - C:\WINDOWS\system32\geebx.dll (file missing)
O2 - BHO: (no name) - {7315E9A1-ADE1-44E0-90AB-8E7E8653312E} - C:\WINDOWS\system32\vtstu.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {831C234B-9EDD-4016-B1FB-5A2C96FBCA19} - C:\WINDOWS\system32\sstqr.dll (file missing)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: (no name) - {F4982BAB-80E9-4838-A2A0-95D30F348161} - C:\WINDOWS\system32\ddcbyyw.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [SpybotDeletingA6232] command /c del "C:\WINDOWS\SchedLgU.Txt_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC797] cmd /c del "C:\WINDOWS\SchedLgU.Txt_tobedeleted"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB7158] command /c del "C:\WINDOWS\SchedLgU.Txt_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8069] cmd /c del "C:\WINDOWS\SchedLgU.Txt_tobedeleted"
O4 - HKCU\..\Policies\Explorer\Run: [Windows Printing Driver] WinPrint.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://onecare.live.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198938950596
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2008 32-bit 32-bit (mi-raysat_3dsMax2008_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
--
End of file - 7130 bytes
Hi
You are still infected.
1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
**Note: It is important that it is saved directly to your desktop**
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
Post:
- a fresh HijackThis log
- combofix report
ComboFix 08-01-30.6 - mat 2008-01-30 11:16:45.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503 [GMT 0:00]
Running from: C:\Documents and Settings\mat\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\pmkjh.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\byxutrq.dll
C:\WINDOWS\system32\ddcbyyw.dll
C:\WINDOWS\system32\elbinrsy.dll
C:\WINDOWS\system32\gebcabb.dll
C:\WINDOWS\system32\hjkmp.ini
C:\WINDOWS\system32\hjkmp.ini2
C:\WINDOWS\system32\jfvmvomg.ini
C:\WINDOWS\system32\ojiqirea.dll
C:\WINDOWS\system32\pmkjh.dll
C:\WINDOWS\system32\pmnljjg.dll
C:\WINDOWS\system32\pmnnnol.dll
C:\WINDOWS\system32\rqtss.ini
C:\WINDOWS\system32\rqtss.ini2
C:\WINDOWS\system32\wlbnsujx.ini
C:\WINDOWS\system32\xjusnblw.dll
.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
.
2008-01-30 11:02 . 2008-01-30 11:15 <DIR> d-------- C:\Downloads
2008-01-30 11:02 . 2008-01-30 11:19 <DIR> d-------- C:\Documents and Settings\mat\Application Data\Orbit
2008-01-30 11:01 . 2008-01-30 11:02 <DIR> d-------- C:\Program Files\Orbitdownloader
2008-01-30 00:12 . 2008-01-30 00:12 <DIR> d-------- C:\Documents and Settings\mat\Application Data\Apple Computer
2008-01-29 23:20 . 2008-01-29 23:20 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-29 23:20 . 2008-01-29 23:20 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-29 21:03 . 2008-01-30 10:40 22 --a------ C:\WINDOWS\pskt.ini
2008-01-28 17:47 . 2008-01-30 10:45 550 --a------ C:\WINDOWS\wininit.ini
2008-01-26 20:57 . 2008-01-26 20:57 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-25 17:06 . 2008-01-25 17:06 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-25 17:06 . 2008-01-25 17:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-25 10:30 . 2008-01-28 07:49 <DIR> d-------- C:\VundoFix Backups
2008-01-25 10:07 . 2008-01-29 21:18 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-01-24 18:15 . 2008-01-24 18:15 147,520 --a------ C:\WINDOWS\system32\gmovmvfj.dll
2008-01-23 22:01 . 2008-01-23 22:01 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-01-23 17:34 . 2008-01-23 17:35 <DIR> d-------- C:\Documents and Settings\mat\Application Data\Autodesk
2008-01-23 17:23 . 2008-01-23 17:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-01-23 17:22 . 2008-01-23 17:22 <DIR> d-------- C:\Program Files\Azureus
2008-01-23 17:22 . 2008-01-29 18:55 <DIR> d-------- C:\Documents and Settings\mat\Application Data\Azureus
2008-01-23 10:54 . 2008-01-30 11:28 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-23 10:54 . 2008-01-23 10:54 37,888 --a------ C:\WINDOWS\system32\rar.exe
2008-01-23 10:52 . 2008-01-23 10:52 231 --a------ C:\WINDOWS\system32\3dsmax.ini
2008-01-23 10:52 . 2008-01-23 10:52 43 --a------ C:\WINDOWS\system32\InstallSettings.ini
2008-01-23 10:51 . 2008-01-23 10:52 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2008-01-23 10:50 . 2008-01-23 10:52 <DIR> d-------- C:\Program Files\Autodesk
2008-01-23 10:50 . 2008-01-23 17:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Autodesk
2008-01-23 10:49 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2008-01-23 10:49 . 2006-11-29 13:06 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2008-01-23 10:49 . 2006-09-28 16:05 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2008-01-23 10:49 . 2007-05-16 16:45 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2008-01-23 10:49 . 2007-05-16 16:45 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2008-01-23 10:13 . 2008-01-23 10:13 <DIR> d-------- C:\Program Files\Free Download Manager
2008-01-23 10:13 . 2008-01-30 11:01 <DIR> d-------- C:\Documents and Settings\mat\Application Data\Free Download Manager
2008-01-23 10:13 . 2008-01-23 10:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FreeDownloadManager.ORG
2008-01-22 19:27 . 2008-01-22 19:27 <DIR> d-------- C:\Documents and Settings\mat\Application Data\Petroglyph
2008-01-22 19:24 . 2008-01-22 19:24 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-01-20 15:35 . 2008-01-20 15:37 <DIR> d-------- C:\Program Files\ZC Video Converter
2008-01-17 22:16 . 2008-01-17 22:16 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-15 20:24 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-01-15 20:17 . 2008-01-15 20:17 <DIR> d-------- C:\Documents and Settings\mat\Application Data\InstallShield
2008-01-15 19:25 . 2008-01-15 19:25 <DIR> d---s---- C:\Program Files\Xfire
2008-01-15 19:25 . 2008-01-15 20:21 <DIR> d-------- C:\Program Files\LucasArts
2008-01-15 19:25 . 2008-01-15 19:25 <DIR> d-------- C:\Documents and Settings\mat\Application Data\Xfire
2008-01-12 19:12 . 2008-01-12 19:12 <DIR> d-------- C:\Documents and Settings\mat\Application Data\Leadertech
2008-01-08 08:06 . 2008-01-08 08:07 <DIR> d-------- C:\Documents and Settings\mat\Timestimator
2008-01-05 19:28 . 2008-01-24 19:23 <DIR> d-------- C:\Documents and Settings\mat\limewireShared
2008-01-05 19:24 . 2008-01-25 18:57 <DIR> d-------- C:\Documents and Settings\mat\Incomplete
2008-01-05 19:24 . 2008-01-24 18:09 <DIR> d-------- C:\Documents and Settings\mat\Application Data\LimeWire
2008-01-05 19:03 . 2008-01-05 19:03 <DIR> d-------- C:\Program Files\Java
2008-01-05 19:03 . 2008-01-05 19:03 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-05 19:03 . 2007-07-12 02:22 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-05 19:02 . 2008-01-05 19:04 <DIR> d-------- C:\Program Files\LimeWire
2008-01-05 18:39 . 2008-01-05 18:39 <DIR> d-------- C:\Documents and Settings\mat\Application Data\AdobeAUM
2008-01-03 12:47 . 2008-01-03 12:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-01-02 17:46 . 2008-01-02 17:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-01-02 16:20 . 2008-01-02 16:20 <DIR> d-------- C:\Program Files\ffdshow
2008-01-02 16:20 . 2008-01-01 00:00 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
2008-01-02 16:20 . 2008-01-01 19:12 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-01-02 16:20 . 2008-01-01 00:00 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2008-01-02 13:49 . 2008-01-02 13:49 <DIR> d-------- C:\Temp
2008-01-02 13:44 . 2008-01-02 13:44 <DIR> d-------- C:\Program Files\QuickTime
2008-01-02 13:44 . 2008-01-02 13:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-02 13:43 . 2008-01-02 13:43 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-02 13:43 . 2008-01-02 13:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-02 13:40 . 2008-01-02 13:40 <DIR> d-------- C:\Program Files\MediaTV
2008-01-02 13:39 . 2008-01-02 13:40 <DIR> d-------- C:\Program Files\NimoCodec Pack
2008-01-02 13:39 . 2008-01-02 13:39 <DIR> d-------- C:\Program Files\Ligos
2008-01-02 13:38 . 2008-01-02 13:38 <DIR> d-------- C:\Program Files\The Playa
2008-01-02 13:38 . 2008-01-02 13:39 <DIR> d-------- C:\Program Files\DivXCodec
2008-01-02 13:37 . 2008-01-02 13:37 <DIR> d-------- C:\Documents and Settings\mat\WINDOWS
2008-01-02 13:37 . 1997-08-27 09:53 391,168 --a------ C:\WINDOWS\system32\i263_32.drv
2008-01-02 13:37 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-01-02 13:37 . 2000-06-23 14:05 136,704 --a------ C:\WINDOWS\system32\iacenc.dll
2008-01-02 13:37 . 2000-06-22 13:09 56,320 --a------ C:\WINDOWS\system32\iyvu9_32.dll
2008-01-02 13:37 . 1997-11-06 12:53 27,648 --a------ C:\WINDOWS\system32\ir50_lcs.dll
2008-01-02 13:37 . 2008-01-02 13:38 5,952 --a------ C:\WINDOWS\system32\CDUninst.isu
2008-01-02 09:43 . 2008-01-04 12:40 <DIR> d-------- C:\Documents and Settings\mat\Phone Browser
2008-01-02 09:43 . 2008-01-02 09:43 <DIR> d-------- C:\Documents and Settings\mat\Application Data\Datalayer
2008-01-02 09:42 . 2008-01-02 09:42 <DIR> d-------- C:\Documents and Settings\mat\Application Data\Nokia
2008-01-02 09:41 . 2008-01-07 08:23 <DIR> d-------- C:\Documents and Settings\mat\Application Data\Nokia Multimedia Player
2008-01-02 09:39 . 2008-01-02 09:39 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-01-02 09:38 . 2008-01-02 09:39 <DIR> d-------- C:\Program Files\Nokia
2008-01-02 09:38 . 2008-01-02 09:38 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-01-02 09:38 . 2008-01-02 09:38 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-01-02 09:38 . 2008-01-02 09:38 <DIR> d-------- C:\Documents and Settings\mat\Application Data\PC Suite
2008-01-02 09:38 . 2008-01-02 09:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-01-02 09:38 . 2008-01-02 09:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-01-02 09:38 . 2006-05-29 08:26 127,488 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2008-01-02 09:38 . 2006-05-29 08:26 50,688 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2008-01-02 09:38 . 2006-05-29 08:26 30,720 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-01-02 09:38 . 2006-05-29 08:26 13,312 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-01-02 09:38 . 2006-05-29 08:26 13,312 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2008-01-02 09:38 . 2006-05-29 08:26 8,704 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-01-02 09:38 . 2006-05-29 08:26 4,608 --a------ C:\WINDOWS\system32\nmwcdlog.dll
2008-01-02 09:32 . 2008-01-30 11:05 <DIR> d-------- C:\Program Files\Media Resizer PRO
2008-01-02 09:32 . 2002-12-25 09:44 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-02 09:26 . 2008-01-02 09:26 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-01-02 09:26 . 2006-10-04 14:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-01-02 09:26 . 2006-10-04 14:06 764,868 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-01-02 09:26 . 2006-10-04 14:06 217,118 -----c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 20:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-02 09:39 --------- d-----w C:\Program Files\DIFX
2007-12-29 22:32 17,801 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2007-12-29 22:28 --------- d-----w C:\Program Files\Symantec
2007-12-29 22:28 --------- d-----w C:\Program Files\NavNT
2007-12-29 22:28 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-29 22:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-29 22:27 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-29 22:26 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-29 22:21 14,656 ----a-w C:\WINDOWS\gdrv.sys
2007-12-29 22:17 --------- d-----w C:\Program Files\Realtek
2007-12-29 22:11 --------- d--h--w C:\Program Files\Uninstall Information
2007-12-29 22:08 --------- d-----w C:\Program Files\microsoft frontpage
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6AE3B9C0-1341-41C2-90DC-2FDF1D73F42C}]
C:\WINDOWS\system32\geebx.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7315E9A1-ADE1-44E0-90AB-8E7E8653312E}]
C:\WINDOWS\system32\vtstu.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{831C234B-9EDD-4016-B1FB-5A2C96FBCA19}]
C:\WINDOWS\system32\sstqr.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 19:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-09-18 20:25 7630848]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-09-18 20:25 86016]
"SkyTel"="SkyTel.EXE" [2006-05-16 02:04 2879488 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-30 03:49 16269312 C:\WINDOWS\RTHDCPL.exe]
"vptray"="C:\Program Files\NavNT\vptray.exe" [2001-09-24 15:59 73728]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-04 03:20 866584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 10:56 286720]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 07:56 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 10:45 36040]
C:\Documents and Settings\mat\Start Menu\Programs\Startup\
LimeWire On Startup.lnk.disabled [2008-01-05 19:28:08 1540]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"Windows Printing Driver"= WinPrint.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"nwiz"=nwiz.exe /install
R2 mi-raysat_3dsMax2008_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2008 32-bit 32-bit;"C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe" [2007-09-24 17:05]
R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;C:\WINDOWS\system32\DRIVERS\WPN111.sys [2005-09-26 08:02]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\WINDOWS\System32\DNINDIS5.SYS [2003-07-24 20:10]
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2007-12-29 22:21]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\EAWXLauncher.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{004668e8-b723-11dc-a010-00184dd94ebb}]
\Shell\AutoRun\command - E:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-01-30 11:23:43 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-30 10:48:40 C:\WINDOWS\Tasks\User_Feed_Synchronization-{F3418FAF-A189-49B5-AC84-64C6B77B4F3E}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 11:28:14
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
.
**************************************************************************
.
Completion time: 2008-01-30 11:29:42 - machine was rebooted [mat]
ComboFix-quarantined-files.txt 2008-01-30 11:29:33
.
2008-01-30 10:45:19 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:32:52, on 30/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\s-t-n.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6AE3B9C0-1341-41C2-90DC-2FDF1D73F42C} - C:\WINDOWS\system32\geebx.dll (file missing)
O2 - BHO: (no name) - {7315E9A1-ADE1-44E0-90AB-8E7E8653312E} - C:\WINDOWS\system32\vtstu.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {831C234B-9EDD-4016-B1FB-5A2C96FBCA19} - C:\WINDOWS\system32\sstqr.dll (file missing)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Policies\Explorer\Run: [Windows Printing Driver] WinPrint.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://onecare.live.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198938950596
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2008 32-bit 32-bit (mi-raysat_3dsMax2008_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
--
End of file - 7013 bytes
there they are. ps this is the first time ive not had to deal with norton giving me 20,000 alerts on startup, so somethings different :D
Hi
Looks better :)
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\system32\gmovmvfj.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6AE3B9C0-1341-41C2-90DC-2FDF1D73F42C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7315E9A1-ADE1-44E0-90AB-8E7E8653312E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{831C234B-9EDD-4016-B1FB-5A2C96FBCA19}]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"Windows Printing Driver"=-
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Due to the lack of feedback this Topic is closed.
If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.
Everyone else please begin a New Topic.