Is there anything wrong still
travisfromlargo
2008-03-06, 22:16
I ran Spybot before I made this log. Spybot said I was infected with Virtumonde. I fixed the selected problems and just want to know if there's anything wrong in my log still.
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 3:07:07 PM, on 3/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask .exe
C:\WINDOWS\ehome\ehtray .exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Travis.TRAVIS-36FDF295\Desktop\HiJackThis_v2.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: load=C:\WINDOWS\system32\pmnnn.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {66DF0EFB-F97F-45E8-ADF9-997CF049C627} - C:\WINDOWS\system32\pmnnn.dll (file missing)
O2 - BHO: {0a3323fc-2cc3-89a9-f4e4-19a59dcc2229} - {9222ccd9-5a91-4e4f-9a98-3cc2cf3233a0} - C:\WINDOWS\system32\aeprecoe.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [b4f48258] rundll32.exe "C:\WINDOWS\system32\qffwsria.dll",b
O4 - HKLM\..\Run: [BMb7c7b1c4] Rundll32.exe "C:\WINDOWS\system32\jfpkqyhk.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA3676] command /c del "C:\WINDOWS\system32\pmnnn.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6867] cmd /c del "C:\WINDOWS\system32\pmnnn.dll_old"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB6543] command /c del "C:\WINDOWS\system32\pmnnn.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3289] cmd /c del "C:\WINDOWS\system32\pmnnn.dll_old"
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
--
End of file - 3927 bytes
Hello travisfromlargo
Welcome to Safer Networking.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.
Yep, you're still infected with the Vundo Trojan. I need you to run these programs in the order that I am posting them; save the reports because I need to see them, and also a new HJT log when you're done.
Do this first
Disable the TeaTimer; you can re-enable it when we're done if you wish.
Run Spybot-S&D in Advanced Mode.
If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
On the left hand side, Click on Tools
Then click on the Resident Icon in the List
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer. <-- Important
Download VundoFix (http://www.atribune.org/ccount/click.php?id=4 ) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a Hijackthis log.
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or Here (http://subs.geekstogo.com/ComboFix.exe) to your Desktop.
In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the net.
2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
If you have not already done so, ComboFix will disconnect your machine from the Internet when it starts.
If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.
3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze.
Please post the VundoFix log, the Malwarebytes log, the ComboFix log and a new HJT log.
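Added example, not from the thread and not part of HijackThis, Spybot or any of the tools named above: a small Python triage over HijackThis lines that encodes the indicators the helper is reacting to in the first log (the win.ini load= entry, the BHOs with no display name, the Run values named with random hex that load random-named DLLs through rundll32 with a one-letter export, and the file names with a space before .exe). The name patterns and length limits are heuristics chosen for this example, and the sample input is constructed from the log posted above; a legitimate program can trip them, so a hit is something to look at, not a verdict.

```python
import re

# Constructed sample input (not a live scan): lines copied from the HijackThis
# log posted at the top of this thread, plus the legitimate Spybot, ehTray and
# TeaTimer entries so the rules can be checked against known-good lines too.
SAMPLE_HJT_LOG = r"""
F3 - REG:win.ini: load=C:\WINDOWS\system32\pmnnn.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {66DF0EFB-F97F-45E8-ADF9-997CF049C627} - C:\WINDOWS\system32\pmnnn.dll (file missing)
O2 - BHO: {0a3323fc-2cc3-89a9-f4e4-19a59dcc2229} - {9222ccd9-5a91-4e4f-9a98-3cc2cf3233a0} - C:\WINDOWS\system32\aeprecoe.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [b4f48258] rundll32.exe "C:\WINDOWS\system32\qffwsria.dll",b
O4 - HKLM\..\Run: [BMb7c7b1c4] Rundll32.exe "C:\WINDOWS\system32\jfpkqyhk.dll",s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""

F3_RE = re.compile(r"^F3 - REG:win\.ini: load=(?P<path>\S.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]{36}\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?(?:,(?P<entry>\S*))?', re.IGNORECASE)
SYSTEM32_RE = re.compile(r"\\system32\\[^\\]+$", re.IGNORECASE)
RANDOM_STEM_RE = re.compile(r"^[a-z]{5,8}$")            # heuristic: 5-8 lower-case letters, no digits
HEX_VALUE_NAME_RE = re.compile(r"^(?:BM)?[0-9a-f]{8}$")  # heuristic: [b4f48258], [BMb7c7b1c4]


def _stem(path):
    """File name without directory or extension, lower-cased."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0].lower()


def _random_system32_module(path):
    """True for a module under system32 whose name looks machine-generated."""
    return bool(SYSTEM32_RE.search(path)) and bool(RANDOM_STEM_RE.match(_stem(path)))


def triage(log_text):
    """Return [(line, [reasons])] for every HijackThis line that trips a rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = []
        # Rule 1: a space before the extension is the hallmark of the
        # file-infecting variant in this thread ("QTTask .exe", "mmtask .exe").
        if " .exe" in line.lower() or " .dll" in line.lower():
            reasons.append("space before extension (file-infector hallmark)")
        # Rule 2: win.ini load= is a legacy autostart that current software does not use.
        m = F3_RE.match(line)
        if m:
            reasons.append("win.ini load= autostart: " + m.group("path"))
        # Rule 3: BHOs with no display name, or a random-named DLL under system32.
        m = O2_RE.match(line)
        if m:
            name = m.group("name")
            dll = re.sub(r"\s*\(file missing\)$", "", m.group("path"))
            if name == "(no name)" or name.startswith("{"):
                reasons.append("BHO without a display name")
            if _random_system32_module(dll):
                reasons.append("BHO DLL with random-looking name in system32")
        # Rule 4: Run values named with random hex, or rundll32 loading a random
        # system32 DLL through a single-letter export.
        m = O4_RE.match(line)
        if m:
            if HEX_VALUE_NAME_RE.match(m.group("value")):
                reasons.append("Run value named with random hex")
            r = RUNDLL_RE.match(m.group("cmd"))
            if r:
                if _random_system32_module(r.group("dll")):
                    reasons.append("rundll32 loads random-looking DLL from system32")
                if r.group("entry") is not None and len(r.group("entry")) == 1:
                    reasons.append("rundll32 entry point is a single letter")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_HJT_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Run against the sample, six of the nine lines are flagged and the three known-good entries (Spybot's SDHelper BHO, ehTray, TeaTimer) pass clean. The random-name rule is deliberately only applied to BHO DLLs and rundll32 targets under system32; applied to every path it would also flag legitimate short names such as browseui.dll in the O22 entries.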
travisfromlargo
2008-03-08, 07:27
Hey, thanks for replying so fast. I had already downloaded ComboFix though. I actually just ran it and restarted my computer. I'm just going to post a new HijackThis log and the log from ComboFix since I already ran it without following the other instructions. Just tell me what to do if there's still something wrong and I'll wait and follow the directions completely.
ComboFix 08-03-07.4 - Travis 2008-03-07 23:30:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.536 [GMT -8:00]
Running from: C:\Documents and Settings\Travis.TRAVIS-36FDF295\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Common Files\wnsxs~1
C:\Program Files\Common Files\wnsxs~1\lsass .exe
C:\Program Files\Common Files\wnsxs~1\lsass.exe
C:\Program Files\Common Files\wnsxs~1\W?nSxS\
C:\Program Files\iTunes\iTunesHelper.exe
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\outlook
C:\Program Files\outlook\p.zip
C:\Program Files\QdrDrive
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\winupdates
C:\Program Files\winupdates\a.zip
C:\WINDOWS\BMb7c7b1c4.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aeprecoe.dll
C:\WINDOWS\system32\ahcubyvs.dll
C:\WINDOWS\system32\cnhqwrnw.dll
C:\WINDOWS\system32\jfpkqyhk.dll
C:\WINDOWS\system32\jviatrba.dll
C:\WINDOWS\system32\lkudmout.ini
C:\WINDOWS\system32\lxveooow.dll
C:\WINDOWS\system32\nnjsovoa.dll
C:\WINDOWS\system32\nnnmp.ini
C:\WINDOWS\system32\nnnmp.ini2
C:\WINDOWS\system32\pmnnn.dll
C:\WINDOWS\system32\pmnnn.exe
C:\WINDOWS\system32\qkvyackl.dll
C:\WINDOWS\system32\sltkjirp.dll
C:\WINDOWS\system32\svybucha.ini
C:\WINDOWS\system32\tuomdukl.dll
.
((((((((((((((((((((((((( Files Created from 2008-02-08 to 2008-03-08 )))))))))))))))))))))))))))))))
.
2008-03-07 22:07 . 2008-03-07 22:07 1,158 --a------ C:\WINDOWS\mozver.dat
2008-03-06 17:12 . 2007-12-06 18:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-06 17:12 . 2007-06-30 19:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-03-06 17:12 . 2007-06-30 19:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-03-06 17:12 . 2007-12-06 18:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-06 17:12 . 2007-12-06 18:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-06 17:12 . 2007-12-06 18:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-06 17:12 . 2007-12-06 18:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-03-06 17:12 . 2007-12-06 18:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-06 17:12 . 2007-12-06 03:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-03-06 15:46 . 2008-03-06 15:47 <DIR> d-------- C:\Program Files\Combined Community Codec Pack
2008-03-06 15:30 . 2005-04-06 00:43 1,024,000 --a------ C:\WINDOWS\system\3ivx.dll
2008-03-06 15:03 . 2008-03-07 21:50 255 --a------ C:\WINDOWS\wininit.ini
2008-03-06 14:04 . 2008-03-06 14:38 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-03-06 03:00 . 2006-09-06 17:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-03-05 23:09 . 2008-03-06 16:59 1,307,734 --ahs---- C:\WINDOWS\system32\airswffq.ini
2008-03-05 21:06 . 2008-03-07 21:50 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-05 21:06 . 2008-03-05 21:06 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-05 21:06 . 2008-03-07 18:27 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-03-05 21:04 . 2008-03-06 13:46 <DIR> d-------- C:\Documents and Settings\Travis.TRAVIS-36FDF295\Application Data\Apple Computer
2008-03-05 21:00 . 2008-03-05 21:03 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2008-03-05 20:59 . 2008-03-05 20:59 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-03-05 20:59 . 2008-03-05 20:59 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-03-05 20:59 . 2008-03-05 20:59 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple
2008-03-05 15:11 . 2008-03-05 15:11 <DIR> d-------- C:\Program Files\Common Files\BitCtrl
2008-03-05 14:44 . 2008-03-05 14:55 <DIR> d-------- C:\Program Files\Elecard
2008-03-05 14:32 . 2008-03-05 14:32 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-03-04 23:53 . 2008-03-04 23:53 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-04 23:44 . 2008-03-04 23:44 345,088 --a------ C:\WINDOWS\system32\RCX7.tmp
2008-03-04 23:14 . 2008-03-04 23:51 474 --ahs---- C:\WINDOWS\system32\pxulvfej.ini
2008-03-04 22:13 . 2003-11-03 18:15 1,902 --a------ C:\WINDOWS\system32\SetupBD.din
2008-03-04 22:12 . 2008-03-04 22:12 <DIR> d-------- C:\Documents and Settings\TRAVIS~1~TRA\LOCALS~1
2008-03-04 22:11 . 2006-06-14 00:47 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2008-03-04 22:06 . 2008-03-04 22:07 28,352 --a------ C:\WINDOWS\system32\drivers\MxlW2k.sys
2008-03-04 22:03 . 1999-06-25 10:55 149,504 --a------ C:\WINDOWS\UNWISE.EXE
2008-03-04 22:00 . 1998-09-24 12:03 171,967 --a------ C:\WINDOWS\system32\Odbcjet.hlp
2008-03-04 22:00 . 1998-06-17 23:00 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2008-03-04 22:00 . 2001-08-22 08:42 13,632 --------- C:\WINDOWS\system32\drivers\omci.sys
2008-03-04 22:00 . 1998-09-24 12:03 7,348 --a------ C:\WINDOWS\system32\Odbcjet.cnt
2008-03-04 20:02 . 2008-03-05 15:05 <DIR> d-------- C:\Program Files\GemMaster
2008-03-04 20:02 . 2008-03-04 20:02 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\DIGStream
2008-03-04 19:54 . 2008-03-04 19:54 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2008-03-04 19:52 . 2004-08-10 04:13 73,728 --a--c--- C:\WINDOWS\system32\dllcache\ehresja.dll
2008-03-04 19:52 . 2004-08-10 04:13 69,632 --a--c--- C:\WINDOWS\system32\dllcache\ehresko.dll
2008-03-04 19:52 . 2004-08-10 04:13 69,632 --a--c--- C:\WINDOWS\system32\dllcache\ehresfr.dll
2008-03-04 19:52 . 2004-08-10 04:13 69,632 --a--c--- C:\WINDOWS\system32\dllcache\ehresde.dll
2008-03-04 19:52 . 2004-08-10 04:13 61,440 --a--c--- C:\WINDOWS\system32\dllcache\ehreschs.dll
2008-03-04 19:50 . 2004-08-10 03:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-03-04 19:49 . 2004-08-10 03:00 10,096,640 --a--c--- C:\WINDOWS\system32\dllcache\hwxcht.dll
2008-03-04 19:48 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll
2008-03-04 19:47 . 2008-03-04 19:47 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2008-03-04 19:47 . 2008-03-04 19:47 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-03-04 19:47 . 2008-03-04 19:47 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-03-04 19:47 . 2008-03-04 19:47 2,577 --a------ C:\WINDOWS\system32\CONFIG.NT
2008-03-04 19:47 . 2008-03-04 19:47 0 --a------ C:\WINDOWS\control.ini
2008-03-04 19:45 . 2008-03-05 15:03 <DIR> d--hs---- C:\Documents and Settings\All Users.WINDOWS\DRM
2008-03-04 19:45 . 2008-03-04 19:45 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-03-04 19:45 . 2008-03-04 19:45 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-03-04 19:45 . 2008-03-04 19:45 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-03-04 19:45 . 2008-03-04 19:45 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-03-04 19:45 . 2008-03-04 19:45 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-03-04 19:45 . 2008-03-04 19:45 749 -rah----- C:\WINDOWS\system32\cdplayer.exe.manifest
2008-03-04 19:45 . 2008-03-04 19:45 488 -rah----- C:\WINDOWS\system32\WindowsLogon.manifest
2008-03-04 19:45 . 2008-03-04 19:45 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-03-04 19:42 . 2008-03-04 19:42 21,640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-03-04 19:42 . 2008-03-04 19:42 37 --a------ C:\WINDOWS\vbaddin.ini
2008-03-04 19:42 . 2008-03-04 19:42 36 --a------ C:\WINDOWS\vb.ini
2008-03-04 19:41 . 2004-08-10 03:43 7,093,760 --a------ C:\WINDOWS\system32\space.scr
2008-03-04 19:41 . 2004-08-10 03:43 5,068,800 --a------ C:\WINDOWS\system32\davinci.scr
2008-03-04 19:41 . 2004-08-10 03:43 4,396,544 --a------ C:\WINDOWS\system32\wpgldfsh.scr
2008-03-04 19:41 . 2004-08-10 03:43 3,343,360 --a------ C:\WINDOWS\system32\nature.scr
2008-03-04 19:41 . 2004-08-10 03:43 1,742,336 --a------ C:\WINDOWS\system32\mypixdx.scr
2008-03-04 19:41 . 2004-08-10 04:11 85,504 --a------ C:\WINDOWS\system32\mhn.dll
2008-03-04 19:41 . 2004-08-10 03:39 19,840 --a------ C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-03-04 19:41 . 2004-04-22 02:07 11,452 --a------ C:\WINDOWS\system32\mypixdx.chm
2008-03-04 19:41 . 2004-08-10 03:45 11,008 --a------ C:\WINDOWS\system32\drivers\mhndrv.sys
2008-03-04 19:41 . 2004-08-10 04:11 8,704 --a------ C:\WINDOWS\system32\igdetect.dll
2008-03-04 19:39 . 2004-08-10 03:00 1,352,192 --a--c--- C:\WINDOWS\system32\dllcache\cimwin32.dll
2008-03-04 15:49 . 2008-03-04 15:49 426 --a------ C:\Shortcut to StubInstaller.lnk
2008-03-04 15:46 . 2008-03-04 15:46 <DIR> d-------- C:\New Folder
2008-03-04 13:47 . 2008-03-04 13:47 <DIR> d-------- C:\Program Files\Modem Helper
2008-03-04 13:45 . 2008-03-04 11:01 <DIR> d-------- C:\WINDOWS\system32\vmm32
2008-03-04 11:35 . 2004-08-03 16:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-03-04 11:35 . 2001-08-17 05:59 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2008-03-04 11:34 . 2004-08-03 14:59 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2008-03-04 11:33 . 2004-08-03 16:56 74,240 --a------ C:\WINDOWS\system32\usbui.dll
2008-03-04 11:33 . 2004-08-03 14:59 5,504 --a------ C:\WINDOWS\system32\drivers\intelide.sys
2008-03-04 11:29 . 2008-03-04 19:55 <DIR> dr------- C:\Documents and Settings\All Users.WINDOWS\Documents
2008-03-04 11:29 . 2004-08-10 03:00 176,157 --a--c--- C:\WINDOWS\system32\dllcache\dgrpsetu.dll
2008-03-04 11:28 . 2004-08-10 03:00 2,008,817 --a--c--- C:\WINDOWS\system32\dllcache\NT5.CAT
2008-03-04 11:25 . 2008-03-04 19:52 560 --a------ C:\WINDOWS\system32\$winnt$.inf
2008-03-04 00:15 . 2008-03-04 20:07 <DIR> d-------- C:\Program Files\RGB
2008-03-04 00:10 . 2008-03-04 20:02 <DIR> d-------- C:\Program Files\ESPNMotion
2008-03-04 00:10 . 2008-03-04 00:10 <DIR> d-------- C:\Program Files\EnglishOtto
2008-03-04 00:10 . 2008-03-04 20:02 <DIR> d-------- C:\Program Files\DIGStream
2008-02-23 16:57 . 2008-02-23 16:57 <DIR> d-------- C:\Documents and Settings\Troy\Application Data\Skype
2008-02-08 21:22 . 2008-02-23 00:12 <DIR> d-------- C:\Program Files\DivX
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-08 07:50 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-08 07:50 --------- d-----w C:\Program Files\QuickTime
2008-03-08 07:50 --------- d-----w C:\Program Files\iTunes
2008-03-06 05:02 --------- d-----w C:\Program Files\Bonjour
2008-03-06 05:00 --------- d-----w C:\Program Files\Apple Software Update
2008-03-05 06:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-04 23:49 419 ----a-w C:\Program Files\Shortcut to a8a5ff21a835984487.lnk
2008-03-04 23:49 409 ----a-w C:\Program Files\Shortcut to Application Data.lnk
2008-03-04 23:49 379 ----a-w C:\Program Files\Shortcut to New Folder.lnk
2008-03-04 23:49 378 ----a-w C:\Program Files\Shortcut to WINDOWS.lnk
2008-03-04 23:49 374 ----a-w C:\Program Files\Shortcut to Downloads.lnk
2008-03-04 23:49 369 ----a-w C:\Program Files\Shortcut to mstalkit.lnk
2008-03-04 23:49 345 ----a-w C:\Program Files\Shortcut to DELL.lnk
2008-02-23 08:15 --------- d-----w C:\Documents and Settings\Others\Application Data\CyberLink
2008-02-23 08:10 --------- d-----w C:\Program Files\Opera
2008-02-02 07:15 --------- d-----w C:\Program Files\LimeWire
2008-01-13 22:27 --------- d-----w C:\Documents and Settings\Troy\Application Data\Aim
2008-01-13 19:16 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-01-13 19:10 --------- d-----w C:\Program Files\FlashGet
2008-01-13 19:07 --------- d-----w C:\Program Files\AIV Reminder
2008-01-12 19:47 --------- d-----w C:\Program Files\Virtual Personality
2008-01-12 19:41 --------- d-----w C:\Program Files\Google
2008-01-12 14:47 10 -c--a-w C:\Program Files\.autoreg
2008-01-12 09:59 --------- d-----w C:\Program Files\Incomplete
2008-01-12 09:59 --------- d-----w C:\Documents and Settings\Troy\Application Data\LimeWire
2007-09-08 19:35 229 -c--a-w C:\Program Files\player.nfo
2007-06-03 15:39 281 -c--a-w C:\Program Files\player.nfx
2000-08-08 18:44 340 -c--a-w C:\Program Files\setup.bat
2000-08-08 18:43 4,395,575 -c--a-w C:\Program Files\myth.pak
2000-08-08 18:39 45,056 ----a-w C:\Program Files\SETUPREG.EXE
2000-08-08 18:18 34 -c--a-w C:\Program Files\fonts.bat
2000-08-08 18:17 0 -c--a-w C:\Program Files\STPENUX.DLL
2000-08-08 18:17 0 -c--a-w C:\Program Files\EBUSetup.sem
2000-08-08 04:13 2,695,213 ----a-w C:\Program Files\age2_x1.exe
2000-08-07 04:11 20,992 ----a-w C:\Program Files\mythxpak.exe
2000-06-28 04:00 44,452 -c--a-w C:\Program Files\Readmex.rtf
2000-06-21 13:52 32,768 ----a-w C:\Program Files\replwavs.exe
2000-06-13 04:09 339,968 -c--a-w C:\Program Files\language_x1.dll
2000-06-13 03:59 53,299 -c--a-w C:\Program Files\ebueulax.dll
2000-05-27 04:58 39,647 -c--a-w C:\Program Files\EULAx.RTF
2000-04-01 01:47 301,568 -c--a-w C:\Program Files\myth.acm
1999-11-17 16:00 32,768 -c--a-w C:\Program Files\SETUPENU.DLL
1999-09-22 06:32 57,363 -c--a-w C:\Program Files\Readme.rtf
1999-09-22 06:32 53,304 -c--a-w C:\Program Files\EBUEula.dll
1999-09-22 06:32 499,712 -c--a-w C:\Program Files\language.dll
1999-09-22 06:32 40,507 -c--a-w C:\Program Files\EULA.RTF
1999-09-22 06:32 365,568 -c--a-w C:\Program Files\HA312W32.DLL
1999-09-22 06:32 158,902 -c--a-w C:\Program Files\scenariobkg.bmp
1999-09-22 06:32 112,688 ----a-w C:\Program Files\SHW32.DLL
1999-09-21 21:46 2,560,000 ----a-w C:\Program Files\empires2.exe
1997-04-01 04:00 83,456 -c--a-w C:\Program Files\README.DOC
1997-04-01 04:00 662,016 ----a-w C:\Program Files\WWINT32V.DLL
1997-04-01 04:00 5,238 -c--a-w C:\Program Files\INSTALL.TXT
1997-04-01 04:00 5,044 -c--a-w C:\Program Files\LICENSE.TXT
1997-04-01 04:00 3,567,104 ----a-w C:\Program Files\WORDVIEW.EXE
.
----a-w 1,383,936 2008-03-04 07:07:51 C:\Program Files\Ahead\InCD\InCD .exe
----a-w 1,961,984 2008-03-04 06:30:25 C:\Program Files\Ahead\Nero BackItUp\NBJ .exe
-c--a-w 12,980,224 2008-01-13 19:02:31 C:\Program Files\AIV Reminder\aivreminder .exe
----a-w 32,768 2008-03-04 06:30:17 C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
----a-w 290,816 2008-03-04 06:30:18 C:\Program Files\Dell\Media Experience\PCMService .exe
----a-w 171,448 2008-03-03 05:04:15 C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier .exe
----a-w 267,048 2008-03-08 05:50:22 C:\Program Files\iTunes\iTunesHelper .exe
----a-w 49,263 2008-03-04 07:07:46 C:\Program Files\Java\jre1.5.0_10\bin\jusched .exe
----a-w 1,694,208 2008-03-04 06:30:21 C:\Program Files\Messenger\msmsgs .exe
----a-w 53,248 2008-03-08 05:50:22 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask .exe
----a-w 131,072 2008-03-05 06:22:34 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray .exe
----a-w 5,181,440 2008-02-24 02:32:05 C:\Program Files\MySpace\IM\MySpaceIM .exe
----a-w 757,248 2008-03-07 00:59:40 C:\Program Files\QuickTime\QTTask .exe
----a-w 20,036,648 2008-02-24 02:32:14 C:\Program Files\Skype\Phone\Skype .exe
----a-w 2,097,488 2008-03-08 05:50:26 C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w 4,670,968 2008-02-24 06:20:56 C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
----a-w 59,392 2008-03-06 21:25:44 C:\WINDOWS\ehome\ehtray .exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 04:04 59392]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
Contents of the 'Scheduled Tasks' folder
"2008-03-06 05:00:17 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-08 00:11:26
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2008-03-08 0:12:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-08 08:11:52
.
2008-03-07 11:02:44 --- E O F ---
travisfromlargo
2008-03-08, 07:28
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:26:42 AM, on 3/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Documents and Settings\Travis.TRAVIS-36FDF295\Desktop\SPYWARE\HiJackThis_v2.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF15650.exe /c C:\ComboFix\Combobatch.bat
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
--
End of file - 3589 bytes
Good Morning,
Don't get ahead of me now. You posted for help, and if you take off on your own and run programs without our instructions and bork your system, then you're on your own.
You're infected with the latest variant of the Vundo Trojan, which includes a file infector. If you look at your ComboFix log, all the files and programs in the blue code box have been infected by this nasty trojan.
Open Notepad (this will only work with Notepad): go to Start > All Programs > Accessories > Notepad, and copy all the text inside the code box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above Killall::
Killall::
RenV::
C:\Program Files\Ahead\InCD\InCD .exe
C:\Program Files\Ahead\Nero BackItUp\NBJ .exe
C:\Program Files\AIV Reminder\aivreminder .exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
C:\Program Files\Dell\Media Experience\PCMService .exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched .exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask .exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray .exe
C:\Program Files\MySpace\IM\MySpaceIM .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\Skype\Phone\Skype .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\Program Files\Yahoo!\Messenge
File::
C:\WINDOWS\system32\pxulvfej.ini
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Then run Malwarebytes. I need to see the new Combofix log, the Malwarebytes log and a new HJT log.
travisfromlargo
2008-03-11, 04:56
Here are the new logs.
ComboFix 08-03-07.4 - Travis 2008-03-10 22:24:08.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.760 [GMT -7:00]
Running from: C:\Documents and Settings\Travis.TRAVIS-36FDF295\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Travis.TRAVIS-36FDF295\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\system32\pxulvfej.ini
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\pxulvfej.ini
C:\WINDOWS\system32\RCX7.tmp
.
((((((((((((((((((((((((( Files Created from 2008-02-11 to 2008-03-11 )))))))))))))))))))))))))))))))
.
2008-03-10 15:14 . 2008-03-10 15:14 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-03-08 05:42 . 2008-03-08 05:42 <DIR> d-------- C:\Program Files\MSBuild
2008-03-08 05:38 . 2008-03-08 05:38 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-03-08 05:37 . 2008-03-08 05:37 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-03-08 05:36 . 2006-06-29 14:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-03-08 05:30 . 2008-03-08 05:30 <DIR> d-------- C:\Documents and Settings\Travis.TRAVIS-36FDF295\Application Data\Sony Setup
2008-03-07 23:07 . 2008-03-07 23:07 1,158 --a------ C:\WINDOWS\mozver.dat
2008-03-06 18:12 . 2007-12-06 19:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-06 18:12 . 2007-06-30 20:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-03-06 18:12 . 2007-06-30 20:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-03-06 18:12 . 2007-12-06 19:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-06 18:12 . 2007-12-06 19:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-06 18:12 . 2007-12-06 19:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-06 18:12 . 2007-12-06 19:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-03-06 18:12 . 2007-12-06 19:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-06 18:12 . 2007-12-06 04:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-03-06 16:46 . 2008-03-06 16:47 <DIR> d-------- C:\Program Files\Combined Community Codec Pack
2008-03-06 16:30 . 2005-04-06 01:43 1,024,000 --a------ C:\WINDOWS\system\3ivx.dll
2008-03-06 16:03 . 2008-03-07 22:50 255 --a------ C:\WINDOWS\wininit.ini
2008-03-06 15:04 . 2008-03-06 15:38 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-03-06 04:00 . 2006-10-16 17:10 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-03-06 00:09 . 2008-03-06 17:59 1,307,734 --ahs---- C:\WINDOWS\system32\airswffq.ini
2008-03-05 22:06 . 2008-03-10 22:29 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-05 22:06 . 2008-03-05 22:06 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-05 22:06 . 2008-03-09 01:44 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-03-05 22:04 . 2008-03-06 14:46 <DIR> d-------- C:\Documents and Settings\Travis.TRAVIS-36FDF295\Application Data\Apple Computer
2008-03-05 22:00 . 2008-03-05 22:03 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2008-03-05 21:59 . 2008-03-05 21:59 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-03-05 21:59 . 2008-03-05 21:59 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-03-05 21:59 . 2008-03-05 21:59 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple
2008-03-05 16:11 . 2008-03-05 16:11 <DIR> d-------- C:\Program Files\Common Files\BitCtrl
2008-03-05 15:44 . 2008-03-05 15:55 <DIR> d-------- C:\Program Files\Elecard
2008-03-05 15:32 . 2008-03-05 15:32 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-03-05 00:53 . 2008-03-05 00:53 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-04 23:13 . 2003-11-03 19:15 1,902 --a------ C:\WINDOWS\system32\SetupBD.din
2008-03-04 23:12 . 2008-03-04 23:12 <DIR> d-------- C:\Documents and Settings\TRAVIS~1~TRA\LOCALS~1
2008-03-04 23:11 . 2006-06-14 01:47 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2008-03-04 23:06 . 2008-03-04 23:07 28,352 --a------ C:\WINDOWS\system32\drivers\MxlW2k.sys
2008-03-04 23:03 . 1999-06-25 11:55 149,504 --a------ C:\WINDOWS\UNWISE.EXE
2008-03-04 23:00 . 1998-09-24 13:03 171,967 --a------ C:\WINDOWS\system32\Odbcjet.hlp
2008-03-04 23:00 . 1998-06-18 00:00 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2008-03-04 23:00 . 2001-08-22 09:42 13,632 --------- C:\WINDOWS\system32\drivers\omci.sys
2008-03-04 23:00 . 1998-09-24 13:03 7,348 --a------ C:\WINDOWS\system32\Odbcjet.cnt
2008-03-04 21:02 . 2008-03-05 16:05 <DIR> d-------- C:\Program Files\GemMaster
2008-03-04 21:02 . 2008-03-04 21:02 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\DIGStream
2008-03-04 20:54 . 2008-03-04 20:54 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2008-03-04 20:52 . 2004-08-10 05:13 73,728 --a--c--- C:\WINDOWS\system32\dllcache\ehresja.dll
2008-03-04 20:52 . 2004-08-10 05:13 69,632 --a--c--- C:\WINDOWS\system32\dllcache\ehresko.dll
2008-03-04 20:52 . 2004-08-10 05:13 69,632 --a--c--- C:\WINDOWS\system32\dllcache\ehresfr.dll
2008-03-04 20:52 . 2004-08-10 05:13 69,632 --a--c--- C:\WINDOWS\system32\dllcache\ehresde.dll
2008-03-04 20:52 . 2004-08-10 05:13 61,440 --a--c--- C:\WINDOWS\system32\dllcache\ehreschs.dll
2008-03-04 20:50 . 2004-08-10 04:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-03-04 20:49 . 2004-08-10 04:00 10,096,640 --a--c--- C:\WINDOWS\system32\dllcache\hwxcht.dll
2008-03-04 20:48 . 2004-05-13 01:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll
2008-03-04 20:47 . 2008-03-04 20:47 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2008-03-04 20:47 . 2008-03-04 20:47 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-03-04 20:47 . 2008-03-04 20:47 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-03-04 20:47 . 2008-03-04 20:47 2,577 --a------ C:\WINDOWS\system32\CONFIG.NT
2008-03-04 20:47 . 2008-03-04 20:47 0 --a------ C:\WINDOWS\control.ini
2008-03-04 20:45 . 2008-03-05 16:03 <DIR> d--hs---- C:\Documents and Settings\All Users.WINDOWS\DRM
2008-03-04 20:45 . 2008-03-04 20:45 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-03-04 20:45 . 2008-03-04 20:45 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-03-04 20:45 . 2008-03-04 20:45 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-03-04 20:45 . 2008-03-04 20:45 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-03-04 20:45 . 2008-03-04 20:45 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-03-04 20:45 . 2008-03-04 20:45 749 -rah----- C:\WINDOWS\system32\cdplayer.exe.manifest
2008-03-04 20:45 . 2008-03-04 20:45 488 -rah----- C:\WINDOWS\system32\WindowsLogon.manifest
2008-03-04 20:45 . 2008-03-04 20:45 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-03-04 20:42 . 2008-03-04 20:42 21,640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-03-04 20:42 . 2008-03-04 20:42 37 --a------ C:\WINDOWS\vbaddin.ini
2008-03-04 20:42 . 2008-03-04 20:42 36 --a------ C:\WINDOWS\vb.ini
2008-03-04 20:41 . 2004-08-10 04:43 7,093,760 --a------ C:\WINDOWS\system32\space.scr
2008-03-04 20:41 . 2004-08-10 04:43 5,068,800 --a------ C:\WINDOWS\system32\davinci.scr
2008-03-04 20:41 . 2004-08-10 04:43 4,396,544 --a------ C:\WINDOWS\system32\wpgldfsh.scr
2008-03-04 20:41 . 2004-08-10 04:43 3,343,360 --a------ C:\WINDOWS\system32\nature.scr
2008-03-04 20:41 . 2004-08-10 04:43 1,742,336 --a------ C:\WINDOWS\system32\mypixdx.scr
2008-03-04 20:41 . 2004-08-10 05:11 85,504 --a------ C:\WINDOWS\system32\mhn.dll
2008-03-04 20:41 . 2004-08-10 04:39 19,840 --a------ C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-03-04 20:41 . 2004-04-22 03:07 11,452 --a------ C:\WINDOWS\system32\mypixdx.chm
2008-03-04 20:41 . 2004-08-10 04:45 11,008 --a------ C:\WINDOWS\system32\drivers\mhndrv.sys
2008-03-04 20:41 . 2004-08-10 05:11 8,704 --a------ C:\WINDOWS\system32\igdetect.dll
2008-03-04 20:39 . 2004-08-10 04:00 1,352,192 --a--c--- C:\WINDOWS\system32\dllcache\cimwin32.dll
2008-03-04 16:49 . 2008-03-04 16:49 426 --a------ C:\Shortcut to StubInstaller.lnk
2008-03-04 16:46 . 2008-03-04 16:46 <DIR> d-------- C:\New Folder
2008-03-04 14:47 . 2008-03-04 14:47 <DIR> d-------- C:\Program Files\Modem Helper
2008-03-04 14:45 . 2008-03-04 12:01 <DIR> d-------- C:\WINDOWS\system32\vmm32
2008-03-04 12:35 . 2004-08-03 17:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-03-04 12:35 . 2001-08-17 06:59 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2008-03-04 12:34 . 2004-08-03 15:59 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2008-03-04 12:33 . 2004-08-03 17:56 74,240 --a------ C:\WINDOWS\system32\usbui.dll
2008-03-04 12:33 . 2004-08-03 15:59 5,504 --a------ C:\WINDOWS\system32\drivers\intelide.sys
2008-03-04 12:29 . 2008-03-04 20:55 <DIR> dr------- C:\Documents and Settings\All Users.WINDOWS\Documents
2008-03-04 12:29 . 2004-08-10 04:00 176,157 --a--c--- C:\WINDOWS\system32\dllcache\dgrpsetu.dll
2008-03-04 12:28 . 2004-08-10 04:00 2,008,817 --a--c--- C:\WINDOWS\system32\dllcache\NT5.CAT
2008-03-04 12:25 . 2008-03-04 20:52 560 --a------ C:\WINDOWS\system32\$winnt$.inf
2008-03-04 01:15 . 2008-03-04 21:07 <DIR> d-------- C:\Program Files\RGB
2008-03-04 01:10 . 2008-03-04 21:02 <DIR> d-------- C:\Program Files\ESPNMotion
2008-03-04 01:10 . 2008-03-04 01:10 <DIR> d-------- C:\Program Files\EnglishOtto
2008-03-04 01:10 . 2008-03-04 21:02 <DIR> d-------- C:\Program Files\DIGStream
2008-02-23 17:57 . 2008-02-23 17:57 <DIR> d-------- C:\Documents and Settings\Troy\Application Data\Skype
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-11 05:24 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-11 05:24 --------- d-----w C:\Program Files\QuickTime
2008-03-11 05:24 --------- d-----w C:\Program Files\iTunes
2008-03-11 05:24 --------- d-----w C:\Program Files\AIV Reminder
2008-03-08 12:30 --------- d-----w C:\Program Files\Sony Setup
2008-03-06 05:02 --------- d-----w C:\Program Files\Bonjour
2008-03-06 05:00 --------- d-----w C:\Program Files\Apple Software Update
2008-03-05 06:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-04 23:49 419 ----a-w C:\Program Files\Shortcut to a8a5ff21a835984487.lnk
2008-03-04 23:49 409 ----a-w C:\Program Files\Shortcut to Application Data.lnk
2008-03-04 23:49 379 ----a-w C:\Program Files\Shortcut to New Folder.lnk
2008-03-04 23:49 378 ----a-w C:\Program Files\Shortcut to WINDOWS.lnk
2008-03-04 23:49 374 ----a-w C:\Program Files\Shortcut to Downloads.lnk
2008-03-04 23:49 369 ----a-w C:\Program Files\Shortcut to mstalkit.lnk
2008-03-04 23:49 345 ----a-w C:\Program Files\Shortcut to DELL.lnk
2008-02-23 08:15 --------- d-----w C:\Documents and Settings\Others\Application Data\CyberLink
2008-02-23 08:12 --------- d-----w C:\Program Files\DivX
2008-02-23 08:10 --------- d-----w C:\Program Files\Opera
2008-02-02 07:15 --------- d-----w C:\Program Files\LimeWire
2008-01-13 22:27 --------- d-----w C:\Documents and Settings\Troy\Application Data\Aim
2008-01-13 19:16 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-01-13 19:10 --------- d-----w C:\Program Files\FlashGet
2008-01-12 19:47 --------- d-----w C:\Program Files\Virtual Personality
2008-01-12 19:41 --------- d-----w C:\Program Files\Google
2008-01-12 14:47 10 -c--a-w C:\Program Files\.autoreg
2008-01-12 09:59 --------- d-----w C:\Program Files\Incomplete
2008-01-12 09:59 --------- d-----w C:\Documents and Settings\Troy\Application Data\LimeWire
2007-09-08 19:35 229 -c--a-w C:\Program Files\player.nfo
2007-06-03 15:39 281 -c--a-w C:\Program Files\player.nfx
2000-08-08 18:44 340 -c--a-w C:\Program Files\setup.bat
2000-08-08 18:43 4,395,575 -c--a-w C:\Program Files\myth.pak
2000-08-08 18:39 45,056 ----a-w C:\Program Files\SETUPREG.EXE
2000-08-08 18:18 34 -c--a-w C:\Program Files\fonts.bat
2000-08-08 18:17 0 -c--a-w C:\Program Files\STPENUX.DLL
2000-08-08 18:17 0 -c--a-w C:\Program Files\EBUSetup.sem
2000-08-08 04:13 2,695,213 ----a-w C:\Program Files\age2_x1.exe
2000-08-07 04:11 20,992 ----a-w C:\Program Files\mythxpak.exe
2000-06-28 04:00 44,452 -c--a-w C:\Program Files\Readmex.rtf
2000-06-21 13:52 32,768 ----a-w C:\Program Files\replwavs.exe
2000-06-13 04:09 339,968 -c--a-w C:\Program Files\language_x1.dll
2000-06-13 03:59 53,299 -c--a-w C:\Program Files\ebueulax.dll
2000-05-27 04:58 39,647 -c--a-w C:\Program Files\EULAx.RTF
2000-04-01 01:47 301,568 -c--a-w C:\Program Files\myth.acm
1999-11-17 16:00 32,768 -c--a-w C:\Program Files\SETUPENU.DLL
1999-09-22 06:32 57,363 -c--a-w C:\Program Files\Readme.rtf
1999-09-22 06:32 53,304 -c--a-w C:\Program Files\EBUEula.dll
1999-09-22 06:32 499,712 -c--a-w C:\Program Files\language.dll
1999-09-22 06:32 40,507 -c--a-w C:\Program Files\EULA.RTF
1999-09-22 06:32 365,568 -c--a-w C:\Program Files\HA312W32.DLL
1999-09-22 06:32 158,902 -c--a-w C:\Program Files\scenariobkg.bmp
1999-09-22 06:32 112,688 ----a-w C:\Program Files\SHW32.DLL
1999-09-21 21:46 2,560,000 ----a-w C:\Program Files\empires2.exe
1997-04-01 04:00 83,456 -c--a-w C:\Program Files\README.DOC
1997-04-01 04:00 662,016 ----a-w C:\Program Files\WWINT32V.DLL
1997-04-01 04:00 5,238 -c--a-w C:\Program Files\INSTALL.TXT
1997-04-01 04:00 5,044 -c--a-w C:\Program Files\LICENSE.TXT
1997-04-01 04:00 3,567,104 ----a-w C:\Program Files\WORDVIEW.EXE
.
----a-w 4,670,968 2008-02-24 06:20:56 C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
----a-w 59,392 2008-03-06 21:25:44 C:\WINDOWS\ehome\ehtray .exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EB612661-6A10-4BEF-86F4-D3A94FEAD47D}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-03-07 22:50 2097488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 05:04 59392]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2008-03-07 22:50 53248]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-07 22:50 267048]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
Contents of the 'Scheduled Tasks' folder
"2008-03-06 05:00:17 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-10 22:29:10
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wpabaln.exe
.
**************************************************************************
.
Completion time: 2008-03-10 22:32:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-11 05:31:57
ComboFix2.txt 2008-03-08 08:12:01
.
2008-03-10 22:14:49 --- E O F ---
Malwarebytes' Anti-Malware 1.08
Database version: 476
Scan type: Quick Scan
Objects scanned: 49893
Time elapsed: 6 minute(s), 15 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
travisfromlargo
2008-03-11, 04:58
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:51:45 PM, on 3/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Travis.TRAVIS-36FDF295\Desktop\SPYWARE\HiJackThis_v2.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {EB612661-6A10-4BEF-86F4-D3A94FEAD47D} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
--
End of file - 3677 bytes
Good Morning,
Your log looks fine, but let's run these through Combofix. Remember to disable the TeaTimer; you have not done that.
Disable the TeaTimer; you can re-enable it when we're done if you wish.
Run Spybot-S&D in Advanced Mode.
If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
On the left hand side, Click on Tools
Then click on the Resident Icon in the List
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.
Drag Combofix to the trash and grab a new copy.
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Open Notepad (this will only work in Notepad) and copy all the text inside the Code box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above RenV::
RenV::
C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
C:\WINDOWS\ehome\ehtray .exe
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
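Both CFScripts in this thread (the first with Killall::, RenV:: and File:: sections, the second with only RenV::) were assembled by hand from log entries whose executable name carries a space before the extension, such as C:\WINDOWS\ehome\ehtray .exe sitting beside the real C:\WINDOWS\ehome\ehtray.exe in the Run key. The Python below is an added example, not code from the original thread or from the ComboFix author: it scans log text in the HijackThis/ComboFix layout for such names, records whether the log also lists the clean twin (the same path without the space), and renders the findings in the CFScript layout shown in this thread. The sample log lines are constructed to resemble the posted logs; that ComboFix will accept the rendered text is an assumption beyond the layout visible here, so the list should still be reviewed by a person before it is dragged onto ComboFix.

```python
"""Flag executables whose name carries a space before the extension (e.g. "ehtray .exe")
in HijackThis / ComboFix log text, and emit CFScript lines in the layout used in the thread."""
import re

# Constructed sample: a few lines modelled on the logs posted in this thread (not real output).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask .exe
C:\WINDOWS\ehome\ehtray .exe
----a-w 4,670,968 2008-02-24 06:20:56 C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
C:\WINDOWS\ehome\ehtray.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# A drive-letter path ending in .exe/.dll; the optional whitespace before the dot is the tell.
PATH_RE = re.compile(r'[A-Za-z]:\\.+?\s?\.(?:exe|dll)\b', re.IGNORECASE)
SPACED_RE = re.compile(r'\s\.(?:exe|dll)$', re.IGNORECASE)


def extract_paths(log_text):
    """Every .exe/.dll path mentioned in the log, in order of first appearance."""
    seen, paths = set(), []
    for match in PATH_RE.finditer(log_text):
        path = match.group(0)
        if path.lower() not in seen:      # Windows paths compare case-insensitively
            seen.add(path.lower())
            paths.append(path)
    return paths


def has_spaced_extension(path):
    """True for names like 'ehtray .exe' where whitespace precedes the extension."""
    return SPACED_RE.search(path) is not None


def clean_twin(path):
    """The same path with the stray space removed: 'ehtray .exe' -> 'ehtray.exe'."""
    return re.sub(r'\s+(\.(?:exe|dll))$', r'\1', path, flags=re.IGNORECASE)


def report(log_text):
    """List of (spaced_path, twin_present). twin_present is True when the log also
    mentions the same path without the space, i.e. both names exist side by side."""
    paths = extract_paths(log_text)
    known = {p.lower() for p in paths}
    return [(p, clean_twin(p).lower() in known) for p in paths if has_spaced_extension(p)]


def build_cfscript(rename_paths, delete_files=(), killall=False):
    """Render directives in the layout of the scripts posted in this thread:
    each directive on its own line, followed by one path per line, nothing before Killall::."""
    lines = []
    if killall:
        lines.append('Killall::')
    if rename_paths:
        lines.append('RenV::')
        lines.extend(rename_paths)
    if delete_files:
        lines.append('File::')
        lines.extend(delete_files)
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    rows = report(SAMPLE_LOG)
    for path, twin in rows:
        print(f'{path}  (clean twin also present: {twin})')
    print(build_cfscript([p for p, _ in rows], killall=True))
```

Paste a real log into SAMPLE_LOG (or read it from a file) to run it against a machine's output. A path whose clean twin is absent from the log is not automatically harmless; it only means the log offered nothing to compare against.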
travisfromlargo
2008-03-13, 04:50
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:47:34 PM, on 3/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Travis.TRAVIS-36FDF295\Desktop\SPYWARE\HiJackThis_v2.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {EB612661-6A10-4BEF-86F4-D3A94FEAD47D} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
--
End of file - 3436 bytes
travisfromlargo
2008-03-13, 04:51
ComboFix 08-03-10.1 - Travis 2008-03-12 22:35:45.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.656 [GMT -4:00]
Running from: C:\Documents and Settings\Travis.TRAVIS-36FDF295\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Travis.TRAVIS-36FDF295\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-02-13 to 2008-03-13 )))))))))))))))))))))))))))))))
.
2008-03-12 06:01 . 2008-03-12 06:01 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-03-11 01:37 . 2008-03-11 01:37 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-11 01:37 . 2008-03-11 01:37 <DIR> d-------- C:\Documents and Settings\Travis.TRAVIS-36FDF295\Application Data\Malwarebytes
2008-03-11 01:37 . 2008-03-11 01:37 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-03-10 18:14 . 2008-03-10 18:14 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-03-08 08:42 . 2008-03-08 08:42 <DIR> d-------- C:\Program Files\MSBuild
2008-03-08 08:38 . 2008-03-08 08:38 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-03-08 08:37 . 2008-03-08 08:37 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-03-08 08:36 . 2006-06-29 17:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-03-08 08:30 . 2008-03-08 08:30 <DIR> d-------- C:\Documents and Settings\Travis.TRAVIS-36FDF295\Application Data\Sony Setup
2008-03-08 02:07 . 2008-03-08 02:07 1,158 --a------ C:\WINDOWS\mozver.dat
2008-03-06 21:12 . 2007-12-06 22:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-06 21:12 . 2007-06-30 23:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-03-06 21:12 . 2007-06-30 23:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-03-06 21:12 . 2007-12-06 22:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-06 21:12 . 2007-12-06 22:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-06 21:12 . 2007-12-06 22:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-06 21:12 . 2007-12-06 22:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-03-06 21:12 . 2007-12-06 22:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-06 21:12 . 2007-12-06 07:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-03-06 19:46 . 2008-03-06 19:47 <DIR> d-------- C:\Program Files\Combined Community Codec Pack
2008-03-06 19:30 . 2005-04-06 04:43 1,024,000 --a------ C:\WINDOWS\system\3ivx.dll
2008-03-06 19:03 . 2008-03-08 01:50 255 --a------ C:\WINDOWS\wininit.ini
2008-03-06 18:04 . 2008-03-06 18:38 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-03-06 07:00 . 2006-10-16 20:10 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-03-06 03:09 . 2008-03-06 20:59 1,307,734 --ahs---- C:\WINDOWS\system32\airswffq.ini
2008-03-06 01:06 . 2008-03-12 22:40 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-06 01:06 . 2008-03-06 01:06 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-06 01:06 . 2008-03-12 13:32 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-03-06 01:04 . 2008-03-06 17:46 <DIR> d-------- C:\Documents and Settings\Travis.TRAVIS-36FDF295\Application Data\Apple Computer
2008-03-06 01:00 . 2008-03-06 01:03 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2008-03-06 00:59 . 2008-03-06 00:59 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-03-06 00:59 . 2008-03-06 00:59 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-03-06 00:59 . 2008-03-06 00:59 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple
2008-03-05 19:11 . 2008-03-05 19:11 <DIR> d-------- C:\Program Files\Common Files\BitCtrl
2008-03-05 18:44 . 2008-03-05 18:55 <DIR> d-------- C:\Program Files\Elecard
2008-03-05 18:32 . 2008-03-05 18:32 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-03-05 03:53 . 2008-03-05 03:53 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-05 02:13 . 2003-11-03 22:15 1,902 --a------ C:\WINDOWS\system32\SetupBD.din
2008-03-05 02:12 . 2008-03-05 02:12 <DIR> d-------- C:\Documents and Settings\TRAVIS~1~TRA\LOCALS~1
2008-03-05 02:11 . 2006-06-14 04:47 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2008-03-05 02:06 . 2008-03-05 02:07 28,352 --a------ C:\WINDOWS\system32\drivers\MxlW2k.sys
2008-03-05 02:03 . 1999-06-25 14:55 149,504 --a------ C:\WINDOWS\UNWISE.EXE
2008-03-05 02:00 . 1998-09-24 16:03 171,967 --a------ C:\WINDOWS\system32\Odbcjet.hlp
2008-03-05 02:00 . 1998-06-18 03:00 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2008-03-05 02:00 . 2001-08-22 12:42 13,632 --------- C:\WINDOWS\system32\drivers\omci.sys
2008-03-05 02:00 . 1998-09-24 16:03 7,348 --a------ C:\WINDOWS\system32\Odbcjet.cnt
2008-03-05 00:02 . 2008-03-05 19:05 <DIR> d-------- C:\Program Files\GemMaster
2008-03-05 00:02 . 2008-03-05 00:02 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\DIGStream
2008-03-04 23:54 . 2008-03-04 23:54 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2008-03-04 23:52 . 2004-08-10 08:13 73,728 --a--c--- C:\WINDOWS\system32\dllcache\ehresja.dll
2008-03-04 23:52 . 2004-08-10 08:13 69,632 --a--c--- C:\WINDOWS\system32\dllcache\ehresko.dll
2008-03-04 23:52 . 2004-08-10 08:13 69,632 --a--c--- C:\WINDOWS\system32\dllcache\ehresfr.dll
2008-03-04 23:52 . 2004-08-10 08:13 69,632 --a--c--- C:\WINDOWS\system32\dllcache\ehresde.dll
2008-03-04 23:52 . 2004-08-10 08:13 61,440 --a--c--- C:\WINDOWS\system32\dllcache\ehreschs.dll
2008-03-04 23:50 . 2004-08-10 07:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-03-04 23:49 . 2004-08-10 07:00 10,096,640 --a--c--- C:\WINDOWS\system32\dllcache\hwxcht.dll
2008-03-04 23:48 . 2004-05-13 04:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll
2008-03-04 23:47 . 2008-03-04 23:47 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2008-03-04 23:47 . 2008-03-04 23:47 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-03-04 23:47 . 2008-03-04 23:47 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-03-04 23:47 . 2008-03-04 23:47 2,577 --a------ C:\WINDOWS\system32\CONFIG.NT
2008-03-04 23:47 . 2008-03-04 23:47 0 --a------ C:\WINDOWS\control.ini
2008-03-04 23:45 . 2008-03-05 19:03 <DIR> d--hs---- C:\Documents and Settings\All Users.WINDOWS\DRM
2008-03-04 23:45 . 2008-03-04 23:45 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-03-04 23:45 . 2008-03-04 23:45 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-03-04 23:45 . 2008-03-04 23:45 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-03-04 23:45 . 2008-03-04 23:45 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-03-04 23:45 . 2008-03-04 23:45 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-03-04 23:45 . 2008-03-04 23:45 749 -rah----- C:\WINDOWS\system32\cdplayer.exe.manifest
2008-03-04 23:45 . 2008-03-04 23:45 488 -rah----- C:\WINDOWS\system32\WindowsLogon.manifest
2008-03-04 23:45 . 2008-03-04 23:45 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-03-04 23:42 . 2008-03-04 23:42 21,640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-03-04 23:42 . 2008-03-04 23:42 37 --a------ C:\WINDOWS\vbaddin.ini
2008-03-04 23:42 . 2008-03-04 23:42 36 --a------ C:\WINDOWS\vb.ini
2008-03-04 23:41 . 2004-08-10 07:43 7,093,760 --a------ C:\WINDOWS\system32\space.scr
2008-03-04 23:41 . 2004-08-10 07:43 5,068,800 --a------ C:\WINDOWS\system32\davinci.scr
2008-03-04 23:41 . 2004-08-10 07:43 4,396,544 --a------ C:\WINDOWS\system32\wpgldfsh.scr
2008-03-04 23:41 . 2004-08-10 07:43 3,343,360 --a------ C:\WINDOWS\system32\nature.scr
2008-03-04 23:41 . 2004-08-10 07:43 1,742,336 --a------ C:\WINDOWS\system32\mypixdx.scr
2008-03-04 23:41 . 2004-08-10 08:11 85,504 --a------ C:\WINDOWS\system32\mhn.dll
2008-03-04 23:41 . 2004-08-10 07:39 19,840 --a------ C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-03-04 23:41 . 2004-04-22 06:07 11,452 --a------ C:\WINDOWS\system32\mypixdx.chm
2008-03-04 23:41 . 2004-08-10 07:45 11,008 --a------ C:\WINDOWS\system32\drivers\mhndrv.sys
2008-03-04 23:41 . 2004-08-10 08:11 8,704 --a------ C:\WINDOWS\system32\igdetect.dll
2008-03-04 23:39 . 2004-08-10 07:00 1,352,192 --a--c--- C:\WINDOWS\system32\dllcache\cimwin32.dll
2008-03-04 19:49 . 2008-03-04 19:49 426 --a------ C:\Shortcut to StubInstaller.lnk
2008-03-04 19:46 . 2008-03-04 19:46 <DIR> d-------- C:\New Folder
2008-03-04 17:47 . 2008-03-04 17:47 <DIR> d-------- C:\Program Files\Modem Helper
2008-03-04 17:45 . 2008-03-04 15:01 <DIR> d-------- C:\WINDOWS\system32\vmm32
2008-03-04 15:35 . 2004-08-03 20:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-03-04 15:35 . 2001-08-17 09:59 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2008-03-04 15:34 . 2004-08-03 18:59 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2008-03-04 15:33 . 2004-08-03 20:56 74,240 --a------ C:\WINDOWS\system32\usbui.dll
2008-03-04 15:33 . 2004-08-03 18:59 5,504 --a------ C:\WINDOWS\system32\drivers\intelide.sys
2008-03-04 15:29 . 2008-03-04 23:55 <DIR> dr------- C:\Documents and Settings\All Users.WINDOWS\Documents
2008-03-04 15:29 . 2004-08-10 07:00 176,157 --a--c--- C:\WINDOWS\system32\dllcache\dgrpsetu.dll
2008-03-04 15:28 . 2004-08-10 07:00 2,008,817 --a--c--- C:\WINDOWS\system32\dllcache\NT5.CAT
2008-03-04 15:25 . 2008-03-04 23:52 560 --a------ C:\WINDOWS\system32\$winnt$.inf
2008-03-04 04:15 . 2008-03-05 00:07 <DIR> d-------- C:\Program Files\RGB
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-11 05:24 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-11 05:24 --------- d-----w C:\Program Files\QuickTime
2008-03-11 05:24 --------- d-----w C:\Program Files\iTunes
2008-03-11 05:24 --------- d-----w C:\Program Files\AIV Reminder
2008-03-08 12:30 --------- d-----w C:\Program Files\Sony Setup
2008-03-06 05:02 --------- d-----w C:\Program Files\Bonjour
2008-03-06 05:00 --------- d-----w C:\Program Files\Apple Software Update
2008-03-05 06:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-04 23:49 419 ----a-w C:\Program Files\Shortcut to a8a5ff21a835984487.lnk
2008-03-04 23:49 409 ----a-w C:\Program Files\Shortcut to Application Data.lnk
2008-03-04 23:49 379 ----a-w C:\Program Files\Shortcut to New Folder.lnk
2008-03-04 23:49 378 ----a-w C:\Program Files\Shortcut to WINDOWS.lnk
2008-03-04 23:49 374 ----a-w C:\Program Files\Shortcut to Downloads.lnk
2008-03-04 23:49 369 ----a-w C:\Program Files\Shortcut to mstalkit.lnk
2008-03-04 23:49 345 ----a-w C:\Program Files\Shortcut to DELL.lnk
2008-02-23 08:15 --------- d-----w C:\Documents and Settings\Others\Application Data\CyberLink
2008-02-23 08:12 --------- d-----w C:\Program Files\DivX
2008-02-23 08:10 --------- d-----w C:\Program Files\Opera
2008-02-02 07:15 --------- d-----w C:\Program Files\LimeWire
2008-01-13 22:27 --------- d-----w C:\Documents and Settings\Troy\Application Data\Aim
2008-01-13 19:16 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-01-13 19:10 --------- d-----w C:\Program Files\FlashGet
2008-01-12 14:47 10 -c--a-w C:\Program Files\.autoreg
2007-09-08 19:35 229 -c--a-w C:\Program Files\player.nfo
2007-06-03 15:39 281 -c--a-w C:\Program Files\player.nfx
2000-08-08 18:44 340 -c--a-w C:\Program Files\setup.bat
2000-08-08 18:43 4,395,575 -c--a-w C:\Program Files\myth.pak
2000-08-08 18:39 45,056 ----a-w C:\Program Files\SETUPREG.EXE
2000-08-08 18:18 34 -c--a-w C:\Program Files\fonts.bat
2000-08-08 18:17 0 -c--a-w C:\Program Files\STPENUX.DLL
2000-08-08 18:17 0 -c--a-w C:\Program Files\EBUSetup.sem
2000-08-08 04:13 2,695,213 ----a-w C:\Program Files\age2_x1.exe
2000-08-07 04:11 20,992 ----a-w C:\Program Files\mythxpak.exe
2000-06-28 04:00 44,452 -c--a-w C:\Program Files\Readmex.rtf
2000-06-21 13:52 32,768 ----a-w C:\Program Files\replwavs.exe
2000-06-13 04:09 339,968 -c--a-w C:\Program Files\language_x1.dll
2000-06-13 03:59 53,299 -c--a-w C:\Program Files\ebueulax.dll
2000-05-27 04:58 39,647 -c--a-w C:\Program Files\EULAx.RTF
2000-04-01 01:47 301,568 -c--a-w C:\Program Files\myth.acm
1999-11-17 16:00 32,768 -c--a-w C:\Program Files\SETUPENU.DLL
1999-09-22 06:32 57,363 -c--a-w C:\Program Files\Readme.rtf
1999-09-22 06:32 53,304 -c--a-w C:\Program Files\EBUEula.dll
1999-09-22 06:32 499,712 -c--a-w C:\Program Files\language.dll
1999-09-22 06:32 40,507 -c--a-w C:\Program Files\EULA.RTF
1999-09-22 06:32 365,568 -c--a-w C:\Program Files\HA312W32.DLL
1999-09-22 06:32 158,902 -c--a-w C:\Program Files\scenariobkg.bmp
1999-09-22 06:32 112,688 ----a-w C:\Program Files\SHW32.DLL
1999-09-21 21:46 2,560,000 ----a-w C:\Program Files\empires2.exe
1997-04-01 04:00 83,456 -c--a-w C:\Program Files\README.DOC
1997-04-01 04:00 662,016 ----a-w C:\Program Files\WWINT32V.DLL
1997-04-01 04:00 5,238 -c--a-w C:\Program Files\INSTALL.TXT
1997-04-01 04:00 5,044 -c--a-w C:\Program Files\LICENSE.TXT
1997-04-01 04:00 3,567,104 ----a-w C:\Program Files\WORDVIEW.EXE
2004-08-10 11:00 28,672 ----a-w C:\Program Files\opera\program\plugins\custsat.dll
2004-08-10 11:00 356,352 ----a-w C:\Program Files\opera\program\plugins\mpvis.dll
2004-08-10 11:00 77,824 ----a-w C:\Program Files\opera\program\plugins\wmpband.dll
.
((((((((((((((((((((((((((((( snapshot@2008-03-10_22.31.48.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2000-08-31 15:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2000-08-31 12:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
- 2008-02-04 23:09:48 18,214,008 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-03-05 16:30:54 19,148,408 ----a-w C:\WINDOWS\system32\MRT.exe
- 2000-08-31 15:00:00 161,792 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2000-08-31 12:00:00 161,792 ----a-w C:\WINDOWS\system32\swreg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EB612661-6A10-4BEF-86F4-D3A94FEAD47D}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 08:04 59392]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2008-03-08 01:50 53248]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-08 01:50 267048]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
Contents of the 'Scheduled Tasks' folder
"2008-03-06 05:00:17 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-12 22:40:56
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wpabaln.exe
.
**************************************************************************
.
Completion time: 2008-03-12 22:43:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-13 02:43:47
ComboFix2.txt 2008-03-11 05:32:00
ComboFix3.txt 2008-03-08 08:12:01
.
2008-03-12 20:46:25 --- E O F ---
Looks good :bigthumb: How are things running now?
travisfromlargo
2008-03-14, 03:37
Everything is running a lot better. But one weird thing: when I turn TeaTimer back on, it keeps asking me to add a system startup user entry. The new data says C:\WINDOWS\system32\ctfmon.exe and there's no old data. I just hit deny because I don't know what it is. Lots of things like that happen in TeaTimer. Is there an extensive tutorial on TeaTimer?
Hi,
This is what ctfmon.exe is and it does not need to run at startup.
http://www.bleepingcomputer.com/startups/ctfmon.exe-1121.html
Although Spybot is a great program, what I would do is not enable the TeaTimer. In the list of recommended free programs I would like you to install, Spyware Guard and Spyware Blaster basically do the same thing and will conflict with Spybot's TeaTimer.
How did I get infected in the first place? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Keep in mind, if you install some of these programs, that only ONE Anti-Virus and only ONE Firewall are recommended; more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy, but do not enable the TeaTimer in Spybot.
Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community.
Spybot Search and Destroy 1.5 (http://www.safer-networking.org/en/download/)
Check for Updates / Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster (Recommended), then do not enable the TeaTimer in Spybot Search and Destroy.
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers real-time protection from spyware installation attempts; again, no scan to run, just install it and let it do its thing.
IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 2.0.0.12 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.
Glad we could help
Safe Surfn
Ken
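The TeaTimer prompt discussed above (a "system startup user entry" with "new data" but no "old data") is a change to one of the Windows Run keys. The script below is an added example, not code from this thread or from Spybot: it takes a baseline of the per-user and per-machine Run keys, reports entries that were added, changed or removed since that baseline in the same old-data/new-data form, and for each one checks whether the referenced file exists and whether it carries a valid Authenticode signature, so an unfamiliar entry like ctfmon.exe can be looked at before clicking allow or deny. The baseline file path ($env:USERPROFILE\startup-baseline.xml) and the assumption that it runs under PowerShell 2.0 or later are my own choices.

```powershell
# Added example (not from the thread or from Spybot). Assumes PowerShell 2.0+.
# Baseline location is an assumption; change it to suit.
$BaselinePath = Join-Path $env:USERPROFILE 'startup-baseline.xml'

# Autostart locations a TeaTimer-style monitor watches: per-user and per-machine Run keys.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Get-StartupEntries {
    # Returns a hashtable of "<key>\<value name>" -> command string.
    $entries = @{}
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
            if ($p.Name -like 'PS*') { continue }
            $entries["$key\$($p.Name)"] = [string]$p.Value
        }
    }
    return $entries
}

function Compare-StartupEntries {
    param([hashtable]$Old, [hashtable]$New)
    # Emits one record per difference, in the old-data / new-data form TeaTimer shows.
    $report = @()
    foreach ($name in $New.Keys) {
        if (-not $Old.ContainsKey($name)) {
            $report += New-Object PSObject -Property @{ Entry = $name; Change = 'Added';   OldData = ''; NewData = $New[$name] }
        } elseif ($Old[$name] -ne $New[$name]) {
            $report += New-Object PSObject -Property @{ Entry = $name; Change = 'Changed'; OldData = $Old[$name]; NewData = $New[$name] }
        }
    }
    foreach ($name in $Old.Keys) {
        if (-not $New.ContainsKey($name)) {
            $report += New-Object PSObject -Property @{ Entry = $name; Change = 'Removed'; OldData = $Old[$name]; NewData = '' }
        }
    }
    return $report
}

function Get-StartupFileInfo {
    param([string]$Command)
    # Pull the executable out of the command string: a quoted path, or text up to '.exe'.
    if ($Command -match '^"([^"]+)"')      { $path = $Matches[1] }
    elseif ($Command -match '^(.+?\.exe)') { $path = $Matches[1] }
    else                                   { $path = $Command }
    $path = [Environment]::ExpandEnvironmentVariables($path)
    # A bare file name with no directory is resolved against System32, as the loader would.
    if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot "system32\$path" }
    if (-not (Test-Path $path)) {
        return New-Object PSObject -Property @{ Path = $path; Exists = $false; Signature = 'n/a' }
    }
    $sig = Get-AuthenticodeSignature -FilePath $path
    New-Object PSObject -Property @{ Path = $path; Exists = $true; Signature = $sig.Status }
}

$current = Get-StartupEntries
if (Test-Path $BaselinePath) {
    $baseline = Import-Clixml $BaselinePath
    $changes = @(Compare-StartupEntries -Old $baseline -New $current)
    if ($changes.Count -eq 0) {
        'No startup changes since baseline.'
    } else {
        foreach ($c in $changes) {
            $c | Format-List Entry, Change, OldData, NewData
            if ($c.NewData) { Get-StartupFileInfo -Command $c.NewData | Format-List Path, Exists, Signature }
        }
    }
} else {
    $current | Export-Clixml $BaselinePath
    "Baseline saved to $BaselinePath"
}
```

Run it once on a machine you consider clean to write the baseline, then again whenever a prompt appears; an added entry whose file is missing, unsigned, or sits somewhere other than a Program Files or Windows directory is the one to research (for example on the startup database Ken links) before allowing it.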