View Full Version : Virtumonde...again and again.
Alzarial
2008-01-26, 09:54
Hello. I've read numerous posts...attempted a couple of the requested answers for other people and i have not got anywhere...about 2 hours later i finally gave up and posted here. Here is the information i've accumulated.
Error's
When i attempt to open ComboFix i get 2 different error messages.
16 Bit MS-Dos Subsystem
C:\DOCUME~1\Alzarial\Desktop\Combofix.exe
The NTVDM CPU has encountered an illegal instruction.
CS:0533 IP:0225 OP:64 65 63 32 30 Choose 'Close' to terminate this application
Close Ignore.
If i hit close, obviously it closes, if i hit ignore i get the exact same msg. 2 Attempts to ignore and the box and window closes. There are small variations in each ignore though.
The rest of the message is the same.
IP:0226 OP:65 63 32 30 30
IP:0227 OP:63 32 30 30 33
Also, i cannot delete Combofix. I get an error message stating its in use.
Cannot delete ComboFix: It is being used by another person or program. Close any other programs that might be using the file and try again.
I've also downloaded vundo and followed the steps, Scan - remove - reboot - remove - rescan until it finally says "Clear" but it cannot remove this file after about 20 Reboot/Scan/Remove attempts.
C:\\WINDOWS\system32\yayyvsq.dll
When i restart the computer i get an error message when i log in.
RUNDLL
Error loading C:\WINDOWS\System32\pmbefcpx.dll
The specified module could not be found.
I also noticed that they want a HJT Log From the other posts i downloaded it and here is the log After i did as much as i could with Vundo (I also did a research with S&D and Virtumonde generic still comes up)
Log: Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:26:13 AM, on 1/26/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\System32\drvder.dll,startup
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\System32\drvjak.dll,startup
O4 - HKLM\..\Run: [NI.UGA6P_0001_N122M2210] "C:\Documents and Settings\Alzarial\Desktop\install_en.exe"
O4 - HKLM\..\Run: [fc7832f6] rundll32.exe "C:\WINDOWS\System32\pmbefcpx.dll",b
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194475117546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194475283062
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://66.184.224.178:84/plugin/h263ctrl.cab
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
--
End of file - 4308 bytes
To Sum up: ComboFix Wont work for me. Cant delete it, Multiple Error Messages, Vundo wont remove a file.
PLEASE help..Thank you so much for any info you can help me with.. I'll Be off work tomorrow (Saturday at 5 30 PM My time) Thank you very much to whomever helps me out. I'll try just about anything.
Also this is probably something completely different...but sometimes my computer will pull me out of a window / Game. IE: Full Screen Game gets minimized - Typing in this box and suddenly cant type because it de-selected this window. Stuff like that. Thanks guys
I managed to delete the incorrect ComboFix Downloads and i got the new version. I ran that and now have a log (with a million deletes). Still waiting for initial reply just letting whoever looks next know i got it going.
Current Programs:
Spybot Search and Destroy
VundoFix
ComboFix
If anything else is needed just let me know. Looking forward to an answer. =)
Hello Alzarial
Welcome to Safer Networking.
Please read Before YouPost (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.
You have some issues going on that we need to take care of, lets clean out some of the garbage first to get rid of that error message and so we can run some tools.
Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\System32\drvder.dll,startup
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\System32\drvjak.dll,startup
O4 - HKLM\..\Run: [NI.UGA6P_0001_N122M2210] "C:\Documents and Settings\Alzarial\Desktop\install_en.exe"
O4 - HKLM\..\Run: [fc7832f6] rundll32.exe "C:\WINDOWS\System32\pmbefcpx.dll",b
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
Please download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe) by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\System32\drvder.dll
C:\WINDOWS\System32\drvjak.dll
C:\WINDOWS\System32\pmbefcpx.dll
C:\Documents and Settings\Alzarial\Desktop\install_en.exe
Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
When shown the disclaimer, Select "2"
The above procedure will:
Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
**Note: In the event you already have Combofix, please delete it from your desktop and download this new version . It is important that it is saved directly to your desktop**
Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
WARNING: IF you have not already done so Combofix will disconnect your machine from the Internet when it starts
Please do not re-connect your machine back to the Internet until Combofix has completely finished.
Post the Combofix log and a new HJT log please
Alzarial
2008-01-27, 22:06
ok my keyboard stopped working
not wireless no special installs
using char map
computer schemes set to classic cant change back
using admin user
other user freezes now
here are the logs you requested seems like it is in safe mode with background no safe mode in corners iŽll try getting my keyboard to work again
ComboFix 08-01-23.1C - Alzarial 2008-01-27 13:23:23.4 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.843 [GMT -6:00]
Running from: C:\Documents and Settings\Alzarial\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 )))))))))))))))))))))))))))))))
.
2008-01-27 13:10 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-26 01:35 . 2008-01-26 01:35 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-01-26 01:16 . 2008-01-26 01:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-25 23:16 . 2008-01-25 23:16 263 --a------ C:\WINDOWS\wininit.ini
2008-01-24 22:39 . 2008-01-24 22:39 94,208 --a------ C:\WINDOWS\DIIUnin.exe
2008-01-24 22:39 . 2008-01-24 22:46 35,387 --a------ C:\WINDOWS\DIIUnin.dat
2008-01-24 22:39 . 2008-01-24 22:39 2,829 --a------ C:\WINDOWS\DIIUnin.pif
2008-01-24 22:36 . 2004-10-07 13:39 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2008-01-24 22:36 . 2004-10-07 13:39 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-01-24 22:36 . 2004-10-07 13:39 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-01-24 22:36 . 2004-10-07 13:39 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-01-24 22:36 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-01-24 21:01 . 2008-01-24 22:45 21,840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
2008-01-24 21:01 . 2008-01-24 22:45 17,212 --a----t- C:\WINDOWS\system32\SIntf32.dll
2008-01-24 21:01 . 2008-01-24 22:45 12,067 --a----t- C:\WINDOWS\system32\SIntf16.dll
2008-01-24 20:47 . 2008-01-26 23:05 <DIR> d-------- C:\Program Files\Diablo II
2008-01-23 19:02 . 2008-01-27 13:21 <DIR> d-------- C:\Program Files\Steam
2008-01-23 18:32 . 2008-01-24 21:39 <DIR> d-------- C:\Program Files\Diablo II Shareware
2008-01-21 02:40 . 2003-07-20 12:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2008-01-21 02:40 . 2005-01-04 03:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-01-21 02:20 . 2008-01-21 02:20 <DIR> d-------- C:\Nexon
2008-01-17 23:59 . 2008-01-19 20:32 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-01-13 14:16 . 2008-01-13 14:16 66,936 --ahs---- C:\WINDOWS\dlinfo_0.drv
2008-01-13 14:15 . 2008-01-13 14:15 61,440 --a------ C:\WINDOWS\diabunin.exe
2008-01-12 19:33 . 2008-01-12 19:33 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-01-12 19:33 . 2008-01-12 19:33 <DIR> d-------- C:\Program Files\Ahead
2008-01-12 19:33 . 2004-07-20 17:24 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2008-01-12 19:33 . 2004-07-20 17:24 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2008-01-12 19:33 . 2004-07-20 17:24 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2008-01-12 19:33 . 2004-07-09 09:43 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll
2008-01-12 19:33 . 2004-07-20 17:24 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2008-01-12 19:33 . 2001-07-09 11:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-01-12 19:33 . 2004-03-03 21:30 125,184 --------- C:\WINDOWS\system32\drivers\imagesrv.sys
2008-01-12 19:33 . 2000-06-26 11:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2008-01-12 19:33 . 2001-06-26 08:15 38,912 --------- C:\WINDOWS\system32\picn20.dll
2008-01-12 19:33 . 2004-03-03 21:30 5,504 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
2008-01-12 19:07 . 2008-01-13 14:15 86,528 --a------ C:\WINDOWS\bnetunin.exe
2008-01-12 19:07 . 2008-01-12 19:07 61,440 --a------ C:\WINDOWS\diabswun.exe
2008-01-09 20:56 . 2008-01-09 20:56 <DIR> d-------- C:\Program Files\Audacity
2008-01-01 13:52 . 2004-03-22 18:17 24,816 --a------ C:\WINDOWS\system32\mdimon.dll
2008-01-01 13:52 . 2008-01-01 13:52 376 --a------ C:\WINDOWS\ODBC.INI
2008-01-01 13:51 . 2008-01-01 13:51 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-01-01 13:51 . 2008-01-01 13:51 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-01-01 13:50 . 2008-01-01 13:51 <DIR> d-------- C:\WINDOWS\SHELLNEW
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-27 05:05 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-01-21 02:12 --------- d-----w C:\Program Files\World of Warcraft
2007-12-05 06:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-05 06:05 --------- d-----w C:\Program Files\GameTap
2007-11-27 01:00 --------- d-----w C:\Program Files\Ares
2007-11-11 09:08 60,416 ----a-w C:\WINDOWS\ALCFDRTM.EXE
2007-11-06 03:28 4,692,992 ----a-w C:\Program Files\NETGEAR WG311v2 802.11g Wireless PCI Adapter.msi
2007-11-06 03:28 4,107 ----a-w C:\Program Files\0x0409.ini
2004-07-02 18:19 40,960 ----a-w C:\WINDOWS\inf\WG311v2\imdinst.exe
2004-06-18 05:41 386,688 ----a-w C:\WINDOWS\inf\WG311v2\netwg311_XP.sys
2004-04-04 19:07 84,912 ----a-w C:\WINDOWS\inf\WG311v2\FwRad17.bin
2004-04-04 19:07 83,320 ----a-w C:\WINDOWS\inf\WG311v2\FwRad16.bin
2004-02-04 18:53 62,865 ----a-w C:\WINDOWS\inf\WG311v2\odysseyIM3.sys
2004-02-04 18:53 12,739 ----a-w C:\WINDOWS\inf\WG311v2\odNetInstall.dll
.
((((((((((((((((((((((((((((( snapshot@2008-01-27_13.11.30.95 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-27 18:52:26 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-27 19:20:44 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-01-27 18:52:26 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-27 19:20:44 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-01-27 18:52:26 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-27 19:20:44 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63EB56F2-2F51-46CE-A523-3E59E80F058B}]
C:\WINDOWS\System32\gebyy.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{955a7ae5-0405-41ed-8386-f175fd7efdb6}]
C:\WINDOWS\System32\dvyykndf.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CE4F65E3-65B2-49D9-A040-9D9C16C96DF6}]
C:\WINDOWS\System32\jkhff.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EFDD2703-A8B3-4CB6-A4F9-11816B463C37}]
C:\WINDOWS\System32\ddayw.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-11-06 19:51 3810544]
"RemoteControl"="" []
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-11-15 16:18 1670144]
"ares"="C:\Program Files\Ares\Ares.exe" [2007-11-23 10:18 962560]
"Steam"="C:\Program Files\Steam\Steam.exe" [2008-01-23 19:17 1266936]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-03-09 01:29 7561216]
"nwiz"="nwiz.exe" []
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-03-09 01:29 86016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"RemoteCenter"="" []
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 05:42 577536 C:\WINDOWS\soundman.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG311v2 Smart Configuration.lnk - C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe [2004-10-14 12:32:18 450560]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sjctpmik]
R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\System32\DRIVERS\odysseyIM3.sys [2007-11-05 21:28]
S2 X4HSX32;X4HSX32;C:\Program Files\GameTap\bin\Release\X4HSX32.Sys [2007-10-31 05:14]
S3 GVCplDrv;GVCplDrv;C:\WINDOWS\System32\drivers\GVCplDrv.sys [2004-05-02 02:47]
S3 mdxgthkn;mdxgthkn;C:\DOCUME~1\Alzarial\LOCALS~1\Temp\mdxgthkn.sys []
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 13:24:56
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-27 13:25:13
ComboFix-quarantined-files.txt 2008-01-27 19:25:05
.
2007-11-14 21:08:43 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:25:44 PM, on 1/27/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {63EB56F2-2F51-46CE-A523-3E59E80F058B} - C:\WINDOWS\System32\gebyy.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {6bdfe7df-571f-6838-de14-50405ea7a559} - {955a7ae5-0405-41ed-8386-f175fd7efdb6} - C:\WINDOWS\System32\dvyykndf.dll (file missing)
O2 - BHO: (no name) - {CE4F65E3-65B2-49D9-A040-9D9C16C96DF6} - C:\WINDOWS\System32\jkhff.dll (file missing)
O2 - BHO: (no name) - {EFDD2703-A8B3-4CB6-A4F9-11816B463C37} - C:\WINDOWS\System32\ddayw.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194475117546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194475283062
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://66.184.224.178:84/plugin/h263ctrl.cab
O20 - Winlogon Notify: sjctpmik - C:\WINDOWS\
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
--
End of file - 4302 bytes
File/Folder not found.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\drvder.dll
C:\WINDOWS\System32\drvder.dll NOT unregistered.
C:\WINDOWS\System32\drvder.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\drvjak.dll
C:\WINDOWS\System32\drvjak.dll NOT unregistered.
C:\WINDOWS\System32\drvjak.dll moved successfully.
File/Folder C:\WINDOWS\System32\pmbefcpx.dll not found.
File/Folder C:\Documents and Settings\Alzarial\Desktop\install_en.exe not found.
Created on 01/27/2008 13:01:51
Alzarial
2008-01-27, 22:19
Aright well i got my keyboard working again...I'll try to re-explain. All my windows/Start bar is set in Classic Scheme now, Everything else now seems to work. No errors upon start up. ..Well seems like the browser here is the only thing that isnt frozen now. My "Windows" securities are gone. Just giving you an update.
Alzarial
2008-01-27, 23:29
Ran Kapersky, Found 2 infected files - The OTMoveit was listed for both. Sometimes freezes up now in User:Alzarial (Not admin)
Hello,
Nothing real bad on the scans, just some leftovers. Keep in mind that you seem pretty heavy into gaming and sometimes the programs you download bring other garbage with it.
Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above File::
File::
C:\DOCUME~1\Alzarial\LOCALS~1\Temp\mdxgthkn.sys
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63EB56F2-2F51-46CE-A523-3E59E80F058B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{955a7ae5-0405-41ed-8386-f175fd7efdb6}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CE4F65E3-65B2-49D9-A040-9D9C16C96DF6}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EFDD2703-A8B3-4CB6-A4F9-11816B463C37}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sjctpmik]
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Alzarial
2008-01-28, 00:44
Heh, you are right, im into gaming. I know exactly how i got this too >.< History in a nutshell: Girl reformatted when i was gone - SP2 wasnt dl'd - I was downloading somthing and got redirected when i wasnt looking. Here's the new files and thanks a lot for all this =) I need to get SP 2 after were done with this. If you have any links, or will auto updates work again.
HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:41:41 PM, on 1/27/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194475117546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194475283062
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://66.184.224.178:84/plugin/h263ctrl.cab
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
--
End of file - 4277 bytes
Combo
ComboFix 08-01-23.1C - Alzarial 2008-01-27 16:39:37.5 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.789 [GMT -6:00]
Running from: C:\Documents and Settings\Alzarial\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Alzarial\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE
C:\DOCUME~1\Alzarial\LOCALS~1\Temp\mdxgthkn.sys
.
((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 )))))))))))))))))))))))))))))))
.
2008-01-27 14:26 . 2008-01-27 14:26 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-27 13:10 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-26 01:35 . 2008-01-26 01:35 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-01-26 01:16 . 2008-01-26 01:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-25 23:16 . 2008-01-25 23:16 263 --a------ C:\WINDOWS\wininit.ini
2008-01-24 22:39 . 2008-01-24 22:39 94,208 --a------ C:\WINDOWS\DIIUnin.exe
2008-01-24 22:39 . 2008-01-24 22:46 35,387 --a------ C:\WINDOWS\DIIUnin.dat
2008-01-24 22:39 . 2008-01-24 22:39 2,829 --a------ C:\WINDOWS\DIIUnin.pif
2008-01-24 22:36 . 2004-10-07 13:39 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2008-01-24 22:36 . 2004-10-07 13:39 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-01-24 22:36 . 2004-10-07 13:39 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-01-24 22:36 . 2004-10-07 13:39 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-01-24 22:36 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-01-24 21:01 . 2008-01-24 22:45 21,840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
2008-01-24 21:01 . 2008-01-24 22:45 17,212 --a----t- C:\WINDOWS\system32\SIntf32.dll
2008-01-24 21:01 . 2008-01-24 22:45 12,067 --a----t- C:\WINDOWS\system32\SIntf16.dll
2008-01-24 20:47 . 2008-01-26 23:05 <DIR> d-------- C:\Program Files\Diablo II
2008-01-23 19:02 . 2008-01-27 16:38 <DIR> d-------- C:\Program Files\Steam
2008-01-23 18:32 . 2008-01-24 21:39 <DIR> d-------- C:\Program Files\Diablo II Shareware
2008-01-21 02:40 . 2003-07-20 12:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2008-01-21 02:40 . 2005-01-04 03:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-01-21 02:20 . 2008-01-21 02:20 <DIR> d-------- C:\Nexon
2008-01-17 23:59 . 2008-01-19 20:32 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-01-13 14:16 . 2008-01-13 14:16 66,936 --ahs---- C:\WINDOWS\dlinfo_0.drv
2008-01-13 14:15 . 2008-01-13 14:15 61,440 --a------ C:\WINDOWS\diabunin.exe
2008-01-12 19:33 . 2008-01-12 19:33 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-01-12 19:33 . 2008-01-12 19:33 <DIR> d-------- C:\Program Files\Ahead
2008-01-12 19:33 . 2004-07-20 17:24 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2008-01-12 19:33 . 2004-07-20 17:24 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2008-01-12 19:33 . 2004-07-20 17:24 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2008-01-12 19:33 . 2004-07-09 09:43 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll
2008-01-12 19:33 . 2004-07-20 17:24 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2008-01-12 19:33 . 2001-07-09 11:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-01-12 19:33 . 2004-03-03 21:30 125,184 --------- C:\WINDOWS\system32\drivers\imagesrv.sys
2008-01-12 19:33 . 2000-06-26 11:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2008-01-12 19:33 . 2001-06-26 08:15 38,912 --------- C:\WINDOWS\system32\picn20.dll
2008-01-12 19:33 . 2004-03-03 21:30 5,504 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
2008-01-12 19:07 . 2008-01-13 14:15 86,528 --a------ C:\WINDOWS\bnetunin.exe
2008-01-12 19:07 . 2008-01-12 19:07 61,440 --a------ C:\WINDOWS\diabswun.exe
2008-01-09 20:56 . 2008-01-09 20:56 <DIR> d-------- C:\Program Files\Audacity
2008-01-01 13:52 . 2004-03-22 18:17 24,816 --a------ C:\WINDOWS\system32\mdimon.dll
2008-01-01 13:52 . 2008-01-01 13:52 376 --a------ C:\WINDOWS\ODBC.INI
2008-01-01 13:51 . 2008-01-01 13:51 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-01-01 13:51 . 2008-01-01 13:51 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-01-01 13:50 . 2008-01-01 13:51 <DIR> d-------- C:\WINDOWS\SHELLNEW
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-27 05:05 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-01-21 02:12 --------- d-----w C:\Program Files\World of Warcraft
2007-12-05 06:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-05 06:05 --------- d-----w C:\Program Files\GameTap
2007-11-27 01:00 --------- d-----w C:\Program Files\Ares
2007-11-11 09:08 60,416 ----a-w C:\WINDOWS\ALCFDRTM.EXE
2007-11-06 03:28 4,692,992 ----a-w C:\Program Files\NETGEAR WG311v2 802.11g Wireless PCI Adapter.msi
2007-11-06 03:28 4,107 ----a-w C:\Program Files\0x0409.ini
2004-07-02 18:19 40,960 ----a-w C:\WINDOWS\inf\WG311v2\imdinst.exe
2004-06-18 05:41 386,688 ----a-w C:\WINDOWS\inf\WG311v2\netwg311_XP.sys
2004-04-04 19:07 84,912 ----a-w C:\WINDOWS\inf\WG311v2\FwRad17.bin
2004-04-04 19:07 83,320 ----a-w C:\WINDOWS\inf\WG311v2\FwRad16.bin
2004-02-04 18:53 62,865 ----a-w C:\WINDOWS\inf\WG311v2\odysseyIM3.sys
2004-02-04 18:53 12,739 ----a-w C:\WINDOWS\inf\WG311v2\odNetInstall.dll
.
((((((((((((((((((((((((((((( snapshot@2008-01-27_13.11.30.95 )))))))))))))))))))))))))))))))))))))))))
.
+ 2000-08-31 14:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2008-01-27 22:39:34 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-27 22:39:34 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-27 22:39:34 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-27 22:39:34 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-27 22:39:34 3,620,864 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-27 22:39:34 143,360 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-27 18:52:26 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-27 19:20:44 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-01-27 18:52:26 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-27 19:20:44 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-01-27 18:52:26 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-27 19:20:44 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-05-24 18:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 21:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 21:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2007-11-11 09:07:58 11,842 ----a-w C:\WINDOWS\system32\Lang\Arabic.bin
+ 2008-01-27 21:18:22 11,842 ----a-w C:\WINDOWS\system32\Lang\Arabic.bin
- 2007-11-11 09:07:58 13,831 ----a-w C:\WINDOWS\system32\Lang\Danish.bin
+ 2008-01-27 21:18:22 13,831 ----a-w C:\WINDOWS\system32\Lang\Danish.bin
- 2007-11-11 09:07:58 14,470 ----a-w C:\WINDOWS\system32\Lang\Dutch.bin
+ 2008-01-27 21:18:22 14,470 ----a-w C:\WINDOWS\system32\Lang\Dutch.bin
- 2007-11-11 09:07:58 12,032 ----a-w C:\WINDOWS\system32\Lang\English.bin
+ 2008-01-27 21:18:22 12,032 ----a-w C:\WINDOWS\system32\Lang\English.bin
- 2007-11-11 09:07:58 15,325 ----a-w C:\WINDOWS\system32\Lang\French.bin
+ 2008-01-27 21:18:22 15,325 ----a-w C:\WINDOWS\system32\Lang\French.bin
- 2007-11-11 09:07:58 14,873 ----a-w C:\WINDOWS\system32\Lang\German.bin
+ 2008-01-27 21:18:22 14,873 ----a-w C:\WINDOWS\system32\Lang\German.bin
- 2007-11-11 09:07:58 13,966 ----a-w C:\WINDOWS\system32\Lang\Greek.bin
+ 2008-01-27 21:18:22 13,966 ----a-w C:\WINDOWS\system32\Lang\Greek.bin
- 2007-11-11 09:07:58 15,718 ----a-w C:\WINDOWS\system32\Lang\Italian.bin
+ 2008-01-27 21:18:22 15,718 ----a-w C:\WINDOWS\system32\Lang\Italian.bin
- 2007-11-11 09:07:58 13,345 ----a-w C:\WINDOWS\system32\Lang\Japanese.bin
+ 2008-01-27 21:18:22 13,345 ----a-w C:\WINDOWS\system32\Lang\Japanese.bin
- 2007-11-11 09:07:58 11,498 ----a-w C:\WINDOWS\system32\Lang\Korean.bin
+ 2008-01-27 21:18:22 11,498 ----a-w C:\WINDOWS\system32\Lang\Korean.bin
- 2007-11-11 09:07:58 13,431 ----a-w C:\WINDOWS\system32\Lang\Polish.bin
+ 2008-01-27 21:18:22 13,431 ----a-w C:\WINDOWS\system32\Lang\Polish.bin
- 2007-11-11 09:07:58 13,746 ----a-w C:\WINDOWS\system32\Lang\Portuguese_Brazilian.bin
+ 2008-01-27 21:18:22 13,746 ----a-w C:\WINDOWS\system32\Lang\Portuguese_Brazilian.bin
- 2007-11-11 09:07:58 14,634 ----a-w C:\WINDOWS\system32\Lang\Portuguese_Default.bin
+ 2008-01-27 21:18:22 14,634 ----a-w C:\WINDOWS\system32\Lang\Portuguese_Default.bin
- 2007-11-11 09:07:58 15,050 ----a-w C:\WINDOWS\system32\Lang\Russian.bin
+ 2008-01-27 21:18:22 15,050 ----a-w C:\WINDOWS\system32\Lang\Russian.bin
- 2007-11-11 09:07:58 9,484 ----a-w C:\WINDOWS\system32\Lang\SimChin.bin
+ 2008-01-27 21:18:22 9,484 ----a-w C:\WINDOWS\system32\Lang\SimChin.bin
- 2007-11-11 09:07:58 15,409 ----a-w C:\WINDOWS\system32\Lang\Spanish.bin
+ 2008-01-27 21:18:22 15,409 ----a-w C:\WINDOWS\system32\Lang\Spanish.bin
- 2007-11-11 09:07:58 13,560 ----a-w C:\WINDOWS\system32\Lang\SWEDISH.bin
+ 2008-01-27 21:18:22 13,560 ----a-w C:\WINDOWS\system32\Lang\SWEDISH.bin
- 2007-11-11 09:07:58 12,247 ----a-w C:\WINDOWS\system32\Lang\Thai.bin
+ 2008-01-27 21:18:22 12,247 ----a-w C:\WINDOWS\system32\Lang\Thai.bin
- 2007-11-11 09:07:58 10,111 ----a-w C:\WINDOWS\system32\Lang\TradChin.bin
+ 2008-01-27 21:18:22 10,111 ----a-w C:\WINDOWS\system32\Lang\TradChin.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-11-06 19:51 3810544]
"RemoteControl"="" []
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-11-15 16:18 1670144]
"ares"="C:\Program Files\Ares\Ares.exe" [2007-11-23 10:18 962560]
"Steam"="C:\Program Files\Steam\Steam.exe" [2008-01-23 19:17 1266936]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-03-09 01:29 7561216]
"nwiz"="nwiz.exe" []
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-03-09 01:29 86016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"RemoteCenter"="" []
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 05:42 577536 C:\WINDOWS\soundman.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG311v2 Smart Configuration.lnk - C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe [2004-10-14 12:32:18 450560]
R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\System32\DRIVERS\odysseyIM3.sys [2007-11-05 21:28]
S2 X4HSX32;X4HSX32;C:\Program Files\GameTap\bin\Release\X4HSX32.Sys [2007-10-31 05:14]
S3 GVCplDrv;GVCplDrv;C:\WINDOWS\System32\drivers\GVCplDrv.sys [2004-05-02 02:47]
S3 mdxgthkn;mdxgthkn;C:\DOCUME~1\Alzarial\LOCALS~1\Temp\mdxgthkn.sys []
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 16:40:51
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-27 16:41:09
ComboFix-quarantined-files.txt 2008-01-27 22:41:02
ComboFix2.txt 2008-01-27 19:25:14
.
2007-11-14 21:08:43 --- E O F ---
Hello,
I see no reason for not downloading SP2. You can open IE and go to Tools> Windows Updates or you can go directly to this site and download it, they ever offer free support for installing SP2 if you have issues. You can even order a free CD from Microsoft.
http://www.microsoft.com/windowsxp/sp2/default.mspx
http://support.microsoft.com/default.aspx?pr=windowsxpsp2 <-- Contact a support person
Your log looks fine :bigthumb: So this is as far as I can go as this forum is for Malware Removal Only
Windows Tech Support Forums
PcPitStop (http://pcpitstop.com/) <-- You can take your system in for a checkup here.
Windows Helpnet (http://www.windowsbbs.com/) <-- Excellent XP Forum
It's Not Always Malware
Slow Computer (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html)
Microsoft (http://www.microsoft.com/windows/IE/community/columns/IEtopten.mspx)
Speedup Windows
TechBuilder (http://www.techbuilder.org/recipes/59201471)
Windows Tips
Techruler (http://www.techruler.com/tips.html#1)
Kellys Korner (http://www.kellys-korner-xp.com/xp_abc.htm)
How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Ken