View Full Version : virtumonde infection - need help
hfd67ron
2008-03-04, 23:15
hello; I need help removing this infection; I have provided the kaspersky and hjt logs.....
kaspersky log
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, March 01, 2008 5:43:46 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/03/2008
Kaspersky Anti-Virus database records: 592501
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
Scan Statistics:
Total number of scanned objects: 159166
Number of viruses found: 4
Number of infected objects: 20
Number of suspicious objects: 2
Duration of the scan process: 01:14:33
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku.zip/Yazzle1281OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Ron McKechnie\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Ron McKechnie\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Ron McKechnie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Ron McKechnie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Ron McKechnie\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ron McKechnie\Local Settings\Temp\A1.tmp Object is locked skipped
C:\Documents and Settings\Ron McKechnie\Local Settings\Temp\A2.tmp Object is locked skipped
C:\Documents and Settings\Ron McKechnie\Local Settings\Temp\~DF1A94.tmp Object is locked skipped
C:\Documents and Settings\Ron McKechnie\Local Settings\Temp\~DF1A9A.tmp Object is locked skipped
C:\Documents and Settings\Ron McKechnie\Local Settings\Temp\~DF58E5.tmp Object is locked skipped
C:\Documents and Settings\Ron McKechnie\Local Settings\Temp\~DFCE31.tmp Object is locked skipped
C:\Documents and Settings\Ron McKechnie\Local Settings\Temp\~DFFC7D.tmp Object is locked skipped
C:\Documents and Settings\Ron McKechnie\Local Settings\Temporary Internet Files\Content.IE5\7MVE6UWD\ptch[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Ron McKechnie\Local Settings\Temporary Internet Files\Content.IE5\HYCDVDV2\hctp[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Ron McKechnie\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ron McKechnie\Local Settings\Temporary Internet Files\Content.IE5\ODAJPP22\cmp638[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Ron McKechnie\Local Settings\Temporary Internet Files\Content.IE5\QSMOL1QR\tr[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Ron McKechnie\My Documents\My Music\iTunes\iTunes Library.itl Object is locked skipped
C:\Documents and Settings\Ron McKechnie\ntuser.dat Object is locked skipped
C:\Documents and Settings\Ron McKechnie\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Twins\Local Settings\Temporary Internet Files\Content.IE5\33NNAIGT\css4[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.dyx skipped
C:\Documents and Settings\Twins\Local Settings\Temporary Internet Files\Content.IE5\HT7ZR0AE\css4[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.dyx skipped
C:\Documents and Settings\Twins\Local Settings\Temporary Internet Files\Content.IE5\IGNMGX6Q\css4[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.dyx skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\vol_toolbar\vol_toolbar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.p skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\bptovawv.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\jfywakyq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\jixsdqru.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\kuwqhtne.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\pjcetsqq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\pmkhf.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\pxycivsa.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\sscoahsd.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\tttdrcxo.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\uxhlvikl.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wpeetnro.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\xnqooaxj.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\Temp\Perflib_Perfdata_5ec.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
hfd67ron
2008-03-04, 23:16
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:02:01 PM, on 3/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=7.0unattached&bm=ho_central
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [9857d78e] rundll32.exe "C:\WINDOWS\system32\kepjkjsp.dll",b
O4 - HKLM\..\Run: [BM9b64e412] Rundll32.exe "C:\WINDOWS\system32\gwwjceed.dll",s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Alienware Dock.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) -
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 7938 bytes
pskelley
2008-03-06, 13:51
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Thanks for posting the correct information:)
You are infected, I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
1) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)
2) Thanks to Atribune and any others who helped with this fix.
http://vundofix.atribune.org/ <<< tutorial
"Download VundoFix" to your Desktop
http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to run it.
When VundoFix opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will attempt run on reboot, simply follow the above instructions starting from "Click
the Scan for Vundo button." when VundoFix appears at reboot. Vundofix.txt will be on the C:\
(wait until you finish to post reports and logs)
3) Tutorial if needed:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Thanks to sUBs and anyone else who helped with this fix.
It is important that it is saved directly to your Desktop
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Post the Vundofix.txt, combofix log and a new HJT log.
Thanks
hfd67ron
2008-03-08, 20:19
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.645 [GMT -5:00]
Running from: C:\Documents and Settings\Ron McKechnie\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\BM9b64e412.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bptovawv.dll
C:\WINDOWS\system32\dshaocss.ini
C:\WINDOWS\system32\eenoysil.dll
C:\WINDOWS\system32\fcucglhp.dll
C:\WINDOWS\system32\fhkmp.ini
C:\WINDOWS\system32\fhkmp.ini2
C:\WINDOWS\system32\fvjeliqa.dll
C:\WINDOWS\system32\gwwjceed.dll
C:\WINDOWS\system32\jfywakyq.dll
C:\WINDOWS\system32\jixsdqru.dll
C:\WINDOWS\system32\jxaooqnx.ini
C:\WINDOWS\system32\knpcwayr.dll
C:\WINDOWS\system32\kuwqhtne.dll
C:\WINDOWS\system32\ornteepw.ini
C:\WINDOWS\system32\pjcetsqq.dll
C:\WINDOWS\system32\pmkhf.dll
C:\WINDOWS\system32\pxycivsa.dll
C:\WINDOWS\system32\raksqsgr.dll
C:\WINDOWS\system32\ryawcpnk.ini
C:\WINDOWS\system32\sscoahsd.dll
C:\WINDOWS\system32\svgnpwwl.dll
C:\WINDOWS\system32\tttdrcxo.dll
C:\WINDOWS\system32\uwiynalj.dll
C:\WINDOWS\system32\uxhlvikl.dll
C:\WINDOWS\system32\wpeetnro.dll
C:\WINDOWS\system32\xnqooaxj.dll
C:\WINDOWS\system32\xuokoipy.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_SFSYNC02
-------\sfsync02
((((((((((((((((((((((((( Files Created from 2008-02-08 to 2008-03-08 )))))))))))))))))))))))))))))))
.
2008-03-08 13:17 . 2008-03-08 13:45 <DIR> d-------- C:\VundoFix Backups
2008-03-05 08:02 . 2008-03-06 17:28 1,014 ---hs---- C:\WINDOWS\system32\gydgajkf.ini
2008-03-04 17:01 . 2008-03-04 17:01 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-03 07:16 . 2008-03-05 07:56 834 ---hs---- C:\WINDOWS\system32\psjkjpek.ini
2008-03-01 16:07 . 2008-03-01 16:07 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-01 16:07 . 2008-03-01 16:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-26 17:33 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-02-26 17:33 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-02-26 17:33 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-02-26 17:32 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-02-26 17:32 . 2004-01-09 04:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-02-26 17:32 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-02-26 17:32 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-02-26 17:32 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-02-26 17:32 . 2008-02-28 06:15 714 ---hs---- C:\WINDOWS\system32\wvknrwjt.ini
2008-02-24 14:05 . 2008-02-24 14:05 9 --a------ C:\WINDOWS\system32\9857c500
2008-02-23 16:16 . 2008-02-23 16:16 <DIR> d-------- C:\Program Files\FRISK Software
2008-02-23 16:16 . 2008-02-23 16:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FRISK Software
2008-02-23 05:13 . 2008-02-23 05:13 294 --ahs---- C:\WINDOWS\system32\efrutnpa.ini
2008-02-21 08:50 . 2008-02-21 08:50 294 --ahs---- C:\WINDOWS\system32\wwjgivcl.ini
2008-02-20 07:49 . 2008-02-20 07:49 294 --ahs---- C:\WINDOWS\system32\kytesywo.ini
2008-02-17 16:07 . 2008-02-17 16:07 294 --ahs---- C:\WINDOWS\system32\pmuxuwgd.ini
2008-02-16 09:52 . 2008-02-16 12:49 414 --ahs---- C:\WINDOWS\system32\lvglqosm.ini
2008-02-15 08:55 . 2008-02-15 08:55 294 --ahs---- C:\WINDOWS\system32\dyayyrtu.ini
2008-02-13 20:58 . 2008-02-13 20:58 294 --ahs---- C:\WINDOWS\system32\pevemlss.ini
2008-02-11 06:27 . 2008-02-11 06:26 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-11 06:27 . 2008-02-11 06:27 3,460 --a------ C:\WINDOWS\unins000.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-23 23:14 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-12 03:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-12 03:24 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-02 16:11 --------- d-----w C:\Program Files\iTunes
2008-02-02 16:11 --------- d-----w C:\Program Files\iPod
2008-02-02 16:09 --------- d-----w C:\Program Files\QuickTime
2008-01-31 01:02 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-21 00:34 --------- d-----w C:\Documents and Settings\Twins\Application Data\acccore
2008-01-21 00:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-21 00:31 --------- d-----w C:\Documents and Settings\Twins\Application Data\VOL_TOOLBAR
2006-05-13 15:19 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 03:50 204800]
"nwiz"="nwiz.exe" [2007-09-17 00:07 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 00:07 8491008]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Adobe Reader Speed Launch.lnk.disabled [2005-10-17 06:30:55 1757]
Microsoft Office.lnk.disabled [2005-04-06 17:29:47 1725]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrpqrr]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\AlienGUIse\fastload.dll 2001-12-21 01:34 24576 C:\Program Files\AlienGUIse\fastload.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Steam"=
"MsnMsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"EA Core"=C:\Program Files\Electronic Arts\EA Downloader\Core.exe -silent
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AlcWzrd"=ALCWZRD.EXE
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"nwiz"=nwiz.exe /install
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"High Definition Audio Property Page Shortcut"=HDAudPropShortcut.exe
"SoundMan"=SOUNDMAN.EXE
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe"
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"<NO NAME>"=
"Alcmtr"=ALCMTR.EXE
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"UserFaultCheck"=%systemroot%\system32\dumprep 0 -u
"NBInstall"=C:\DOCUME~1\RONMCK~1\LOCALS~1\Temp\MBDownloader_876919.exe
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"BM9b64e412"=Rundll32.exe "C:\WINDOWS\system32\uxhlvikl.dll",s
"9857d78e"=rundll32.exe "C:\WINDOWS\system32\tjwrnkvw.dll",b
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\EA GAMES\\The Battle for Middle-earth (tm)\\game.dat"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1284:UDP"= 1284:UDP:Windows Media Format SDK (iexplore.exe)
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
S3 SaiH0109;SaiH0109;C:\WINDOWS\system32\DRIVERS\SaiH0109.sys [2004-07-26 11:54]
S3 SaiU0109;SaiU0109;C:\WINDOWS\system32\DRIVERS\SaiU0109.sys [2004-07-26 11:54]
.
Contents of the 'Scheduled Tasks' folder
"2008-02-25 23:24:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-08 15:36:15 C:\WINDOWS\Tasks\User_Feed_Synchronization-{EA6AA6B7-D7B9-4F08-93A5-881E1EA4D8BE}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-08 14:13:43
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-03-08 14:16:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-08 19:15:57
.
2008-02-14 02:18:05 --- E O F ---
hfd67ron
2008-03-08, 20:20
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:18:48 PM, on 3/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=7.0unattached&bm=ho_central
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:\WINDOWS\system32\TwcToolbarBho.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Alienware Dock.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) -
O20 - Winlogon Notify: rqrpqrr - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 8266 bytes
hfd67ron
2008-03-08, 20:21
VundoFix V7.0.1
Scan started at 1:17:05 PM 3/8/2008
Listing files found while scanning....
C:\WINDOWS\system32\jbpnjiwm.ini
C:\WINDOWS\system32\mwijnpbj.dll
C:\WINDOWS\system32\rqrpqrr.dll
C:\WINDOWS\system32\sarlcryn.dll
C:\WINDOWS\system32\wiyoctcj.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\jbpnjiwm.ini
C:\WINDOWS\system32\jbpnjiwm.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\mwijnpbj.dll
C:\WINDOWS\system32\mwijnpbj.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\sarlcryn.dll
C:\WINDOWS\system32\sarlcryn.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wiyoctcj.dll
C:\WINDOWS\system32\wiyoctcj.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V7.0.1
Scan started at 1:45:44 PM 3/8/2008
Listing files found while scanning....
No infected files were found.
pskelley
2008-03-08, 22:36
Thanks for returning your information and the feedback.
See this: http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\j2re1.4.2\ <<< Java is BADLY out of date and likely why you are infected. Download the newest version and uninstall all old versions in Add Remove programs.
You are running two antivirus programs, Avast4 and Symantec Shared. If you wish to remove the leftovers from Symantec and run Avast 4, you can use these directions: http://basconotw.mvps.org/SymRem.htm
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000031316555206
"Microsoft recommends that you have only one anti-virus program installed on your computer."
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/03/AR2005120300087.html
http://www.smartcomputing.com/editorial/article.asp?article=articles/2003/s1407/38s07/38s07.asp
C:\Program Files\Viewpoint\Common\ViewpointService.exe
For your information, Viewpoint is installed by aol probably without your knowledge. I suggest you uninstall this resource waster in Add Remove programs.
http://www.greatis.com/appdata/u/v/viewmgr.exe.htm
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/news/article.php/3561546
Let continue with the cleanup like this.
1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.
3) Open a new notepad window
Paste the list of files from the quote box below into the notepad window.
C:\WINDOWS\system32\gydgajkf.ini
C:\WINDOWS\system32\psjkjpek.ini
C:\WINDOWS\system32\wvknrwjt.ini
C:\WINDOWS\system32\efrutnpa.ini
C:\WINDOWS\system32\wwjgivcl.ini
C:\WINDOWS\system32\kytesywo.ini
C:\WINDOWS\system32\pmuxuwgd.ini
C:\WINDOWS\system32\lvglqosm.ini
C:\WINDOWS\system32\dyayyrtu.ini
C:\WINDOWS\system32\pevemlss.ini
Save this as vundofix.vft and Save as type "all files".
Double-click VundoFix.exe to run it.
Drag vundofix.vft onto the listbox (white box) of VundoFix.
Click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions
starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O20 - Winlogon Notify: rqrpqrr - C:\WINDOWS\
Close all programs but HJT and all browser windows, then click on "Fix Checked"
5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart and post the Vundofix report and a new HJT log. Please tell me how the computer is running now.
Thanks
hfd67ron
2008-03-11, 03:56
Thanks so much for all your help! My computer is back to the way it was when I opened the box; running smooth and fast! Here are the log files you requested.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:50:36 PM, on 3/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 1507 bytes
pskelley
2008-03-11, 11:32
Thanks for the feedback, that is not a complete HJT log. Post a new one please.
hfd67ron
2008-03-11, 14:25
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:22:23 AM, on 3/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=7.0unattached&bm=ho_central
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F296A03-AE17-4577-9574-11058EDA67E4} - (no file)
O2 - BHO: (no name) - {2AF1F75F-180E-4A64-8F5C-074369BA8593} - (no file)
O2 - BHO: (no name) - {348FE907-249E-4C65-A838-F34A193FE1D1} - (no file)
O2 - BHO: (no name) - {43E37F22-C40D-4A07-B2CD-459B8612FF86} - (no file)
O2 - BHO: (no name) - {4C109CA4-34BA-40A4-9CFF-0B16CEC3BBA1} - (no file)
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL
O2 - BHO: (no name) - {512c9d57-9ca7-47b7-adf7-2c2254eb5c56} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5E70C3A5-39ED-45A1-A5E9-07CE78E8B975} - (no file)
O2 - BHO: (no name) - {667D734B-90F9-41FB-B741-CFAD106BD336} - (no file)
O2 - BHO: (no name) - {6C2D56B4-DE5E-4DDB-AFEB-1B06B6D506CE} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {810A127B-4FB2-4963-9762-48B3A52C384E} - (no file)
O2 - BHO: (no name) - {89217DC9-56A3-48BA-A459-F1BFC58B8CF8} - (no file)
O2 - BHO: (no name) - {93F419A9-24E7-47E0-8A20-7112130FD558} - (no file)
O2 - BHO: (no name) - {98D56F16-0D94-4D06-AA69-E353EF0C39F1} - (no file)
O2 - BHO: (no name) - {98FDC449-8821-4C1F-A52F-0D6036EFD505} - (no file)
O2 - BHO: (no name) - {9A691429-1555-4EF4-880B-4AF85C56DF3E} - (no file)
O2 - BHO: (no name) - {A291DF4F-7532-422E-866A-32DC3B4163A9} - (no file)
O2 - BHO: (no name) - {A741C5CD-4CBB-495F-802F-AE8FF8838031} - (no file)
O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:\WINDOWS\system32\TwcToolbarBho.dll
O2 - BHO: (no name) - {AADB15C1-AE67-4D25-AE8D-F713210B7B8D} - (no file)
O2 - BHO: (no name) - {B271CA4E-53D1-4918-AD11-E11A46700F7C} - (no file)
O2 - BHO: (no name) - {C1716B19-5D7C-4719-AFA7-6EF4B3550782} - (no file)
O2 - BHO: (no name) - {CE596E50-A60C-4394-92C8-AB28FBE23C4C} - (no file)
O2 - BHO: (no name) - {D072867C-34CF-4288-B202-E9CB87027AB6} - (no file)
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [9857d78e] rundll32.exe "C:\WINDOWS\system32\knpcwayr.dll",b
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Alienware Dock.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) -
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 9043 bytes
pskelley
2008-03-11, 14:42
My very first instructions was to disable Teatimer and:
(leave TT disabled until we finish)
It is running in the log you just posted?? Please take the time to read and follow the directions.
1) Be positive TeaTimer is disabled.
2) Download ResetTeaTimer.bat.
http://downloads.subratam.org/ResetTeaTimer.bat
Double click ResetTeaTimer.bat
to remove all entries set by TeaTimer (and preventing TeaTimer to restore them upon reactivation).
3) Open notepad and copy/paste the text in the codebox below into it:
File::
C:\WINDOWS\system32\knpcwayr.dll
Save this as CFScript
http://i24.photobucket.com/albums/c30/ken545/CFScript.gif
Refering to the picture above, drag CFScript into ComboFix.exe.
This will start ComboFix again. After reboot, (in case it asks to reboot)
4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
(if an item is missing, do not be concerned)
O2 - BHO: (no name) - {0F296A03-AE17-4577-9574-11058EDA67E4} - (no file)
O2 - BHO: (no name) - {2AF1F75F-180E-4A64-8F5C-074369BA8593} - (no file)
O2 - BHO: (no name) - {348FE907-249E-4C65-A838-F34A193FE1D1} - (no file)
O2 - BHO: (no name) - {43E37F22-C40D-4A07-B2CD-459B8612FF86} - (no file)
O2 - BHO: (no name) - {4C109CA4-34BA-40A4-9CFF-0B16CEC3BBA1} - (no file)
O2 - BHO: (no name) - {512c9d57-9ca7-47b7-adf7-2c2254eb5c56} - (no file)
O2 - BHO: (no name) - {5E70C3A5-39ED-45A1-A5E9-07CE78E8B975} - (no file)
O2 - BHO: (no name) - {667D734B-90F9-41FB-B741-CFAD106BD336} - (no file)
O2 - BHO: (no name) - {6C2D56B4-DE5E-4DDB-AFEB-1B06B6D506CE} - (no file)
O2 - BHO: (no name) - {810A127B-4FB2-4963-9762-48B3A52C384E} - (no file)
O2 - BHO: (no name) - {89217DC9-56A3-48BA-A459-F1BFC58B8CF8} - (no file)
O2 - BHO: (no name) - {93F419A9-24E7-47E0-8A20-7112130FD558} - (no file)
O2 - BHO: (no name) - {98D56F16-0D94-4D06-AA69-E353EF0C39F1} - (no file)
O2 - BHO: (no name) - {98FDC449-8821-4C1F-A52F-0D6036EFD505} - (no file)
O2 - BHO: (no name) - {9A691429-1555-4EF4-880B-4AF85C56DF3E} - (no file)
O2 - BHO: (no name) - {A291DF4F-7532-422E-866A-32DC3B4163A9} - (no file)
O2 - BHO: (no name) - {A741C5CD-4CBB-495F-802F-AE8FF8838031} - (no file)
O2 - BHO: (no name) - {AADB15C1-AE67-4D25-AE8D-F713210B7B8D} - (no file)
O2 - BHO: (no name) - {B271CA4E-53D1-4918-AD11-E11A46700F7C} - (no file)
O2 - BHO: (no name) - {C1716B19-5D7C-4719-AFA7-6EF4B3550782} - (no file)
O2 - BHO: (no name) - {CE596E50-A60C-4394-92C8-AB28FBE23C4C} - (no file)
O2 - BHO: (no name) - {D072867C-34CF-4288-B202-E9CB87027AB6} - (no file)
O4 - HKLM\..\Run: [9857d78e] rundll32.exe "C:\WINDOWS\system32\knpcwayr.dll",b
Close all programs but HJT and all browser windows, then click on "Fix Checked"
Restart and post the contents of Combofix.txt with a new HijackThis log.
Let me know of any malware issues.
Thanks
pskelley
2008-03-19, 16:11
Due to the lack of feedback this Topic is closed.
If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.
If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
Everyone else please begin a New Topic.