View Full Version : Virtumonde infection
Michael P
2008-03-18, 13:57
Hi people, I have an infection of virtumonde can you please help. Here is the HJT result.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:44:01 PM, on 18/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\SPAMfighter\sfus.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Documents and Settings\Mike\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\fc75a45b73372bd0c2a61e3a51d766ff\update\update.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iinet.net.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B52C7EC-D1A3-4054-923C-DD12567F28B1} - C:\WINDOWS\system32\rqrrppm.dll (file missing)
O2 - BHO: (no name) - {0c47c69a-650c-4978-b769-335e06853bd5} - (no file)
O2 - BHO: (no name) - {2B0B59B4-55A3-4737-9FD5-B93C6430BF75} - C:\WINDOWS\system32\crwcxrnl.dll
O2 - BHO: (no name) - {351DC055-67EA-4F2D-A35D-A072506C1CB6} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {63EE96DF-0D42-4534-9549-98D3B2A0FBB7} - C:\WINDOWS\system32\mljgf.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {804ff250-2c79-d759-c624-d9e606b2532a} - {a2352b60-6e9d-426c-957d-97c2052ff408} - C:\WINDOWS\system32\dpykchbg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\HT1ID1BA\install_sbd_en[1].exe
O4 - HKLM\..\Run: [bm(1)] "C:\Program Files\Common Files\TrustedAntivirus\bm.exe" dm=http://trustedantivirus.com ad=http://trustedantivirus.com sd=http://ykeeper.trustedantivirus.com
O4 - HKLM\..\Run: [e4b87e3b] rundll32.exe "C:\WINDOWS\system32\htvshqon.dll",b
O4 - HKLM\..\Run: [BMe78b4da7] Rundll32.exe "C:\WINDOWS\system32\sydqgnwg.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Search - ?p=ZR
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204177099953
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177833494906
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/sites/errorsafe.com/www/pages/scanner/ErrorSafeNewReleaseInstall.cab
O20 - Winlogon Notify: rqrrppm - rqrrppm.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Program Files\SPAMfighter\sfus.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
--
End of file - 6577 bytes
And the KOS results
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, March 18, 2008 8:05:19 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 18/03/2008
Kaspersky Anti-Virus database records: 636812
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
Scan Statistics:
Total number of scanned objects: 83526
Number of viruses found: 5
Number of infected objects: 34
Number of suspicious objects: 0
Duration of the scan process: 00:38:04
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mike\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\History\History.IE5\MSHist012008031820080319\index.dat Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Temp\~DF6C8A.tmp Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Temp\~DF6C95.tmp Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mike\ntuser.dat Object is locked skipped
C:\Documents and Settings\Mike\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Log.txt Object is locked skipped
C:\Program Files\IncrediMail\bin\IncrediMail_Install.exe Infected: not-a-virus:Downloader.Win32.ImLoader.f skipped
C:\Program Files\Morpheus\morpheustoolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{D6627312-B7CD-44A6-9E11-702A279B1ABC}\RP2\A0000033.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D6627312-B7CD-44A6-9E11-702A279B1ABC}\RP2\A0000034.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D6627312-B7CD-44A6-9E11-702A279B1ABC}\RP4\A0000067.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D6627312-B7CD-44A6-9E11-702A279B1ABC}\RP4\A0000068.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D6627312-B7CD-44A6-9E11-702A279B1ABC}\RP4\A0000070.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{D6627312-B7CD-44A6-9E11-702A279B1ABC}\RP5\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Fonts\a.zip/Setup.exe Infected: Trojan-Downloader.Win32.VB.bsa skipped
C:\WINDOWS\Fonts\a.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\Setup.exe Infected: Trojan-Downloader.Win32.VB.bsa skipped
C:\WINDOWS\pfirewall.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{9C92B3E9-9FD5-46A0-B7C7-CCF333E9BDDF}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\dpykchbg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\dtmjqanl.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\efccbyx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\fbsefejp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\gvuddjvh.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\gwehrwtp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\hewaqxgl.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\htvshqon.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\kogmlsue.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\mljgf.dll.bak Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\njbtimwv.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\nqoiqtft.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\pawqujrd.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\rfqsnmbg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\rqrrppm.dll.bak Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\setfecmy.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\svyupdjh.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\sydqgnwg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\txwnppdu.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wobdeesr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\wtpghidw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\yellabbk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\yimoqtyy.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\winlogon.exe Infected: not-a-virus:PSWTool.Win32.PassView.ac skipped
Scan process completed.
Hoping to hear from you soon
Hello Michael
Welcome to Safer Networking.
Please read Before YouPost (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.
You are infected with Vundo :red:
Before we do anything, you need to disable the TeaTimer in Spybot Search and Destroy or it will interfere with the fix.
Download Reset Tea Timer (http://downloads.subratam.org/ResetTeaTimer.bat) to your desktop, you need to use Internet Explorer, double click it to run, just takes a sec.
REBOOT YOUR COMPUTER
Then create a folder on your C:\ drive and Cut and Paste HJT into it, HJT needs to be in its own folder for backup purposes.
Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.
These are what got you into trouble
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freewar...eanerstart
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/si...aseInstall
Now run each of these programs in the order I have them posted, each will produce a log, after you run the last program, post all the logs including a new HJT log. They most likely will not fit all in one reply so take as many replies as you need to post them all.
Download VundoFix (http://www.atribune.org/ccount/click.php?id=4 ) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a Hijackthis log.
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or Here (http://subs.geekstogo.com/ComboFix.exe) to your Desktop.
In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re enable the protection again afterwards before connecting to the net
2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
IF you have not already done so Combofix will disconnect your machine from the Internet when it starts.
If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.
Michael P
2008-03-19, 11:39
Vundofix (V6.5.10) found no files to fix.
The HJT log follows:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:29:46 PM, on 19/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\SPAMfighter\sfus.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Highjack This\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iinet.net.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B52C7EC-D1A3-4054-923C-DD12567F28B1} - C:\WINDOWS\system32\rqrrppm.dll (file missing)
O2 - BHO: (no name) - {0c47c69a-650c-4978-b769-335e06853bd5} - (no file)
O2 - BHO: (no name) - {2B0B59B4-55A3-4737-9FD5-B93C6430BF75} - C:\WINDOWS\system32\crwcxrnl.dll
O2 - BHO: (no name) - {351DC055-67EA-4F2D-A35D-A072506C1CB6} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {63EE96DF-0D42-4534-9549-98D3B2A0FBB7} - C:\WINDOWS\system32\mljgf.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {804ff250-2c79-d759-c624-d9e606b2532a} - {a2352b60-6e9d-426c-957d-97c2052ff408} - C:\WINDOWS\system32\dpykchbg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\HT1ID1BA\install_sbd_en[1].exe
O4 - HKLM\..\Run: [bm(1)] "C:\Program Files\Common Files\TrustedAntivirus\bm.exe" dm=http://trustedantivirus.com ad=http://trustedantivirus.com sd=http://ykeeper.trustedantivirus.com
O4 - HKLM\..\Run: [e4b87e3b] rundll32.exe "C:\WINDOWS\system32\htvshqon.dll",b
O4 - HKLM\..\Run: [BMe78b4da7] Rundll32.exe "C:\WINDOWS\system32\sydqgnwg.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Search - ?p=ZR
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204177099953
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177833494906
O20 - Winlogon Notify: rqrrppm - rqrrppm.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Program Files\SPAMfighter\sfus.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
--
End of file - 6153 bytes
Michael P
2008-03-19, 11:41
Malwarebytes' Anti-Malware 1.08
Database version: 503
Scan type: Quick Scan
Objects scanned: 32318
Time elapsed: 3 minute(s), 31 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 31
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 6
Files Infected: 119
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\htvshqon.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\crwcxrnl.dll (Trojan.Vundo) -> Unloaded module successfully.
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{2b0b59b4-55a3-4737-9fd5-b93c6430bf75} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2b0b59b4-55a3-4737-9fd5-b93c6430bf75} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2eff3cf7-99c1-4c29-bc2b-68e057e22340} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Evidence Eliminator (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Evidence Eliminator (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Evidence Eliminator Safe Recycle (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Eeshellx.ShellExt (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Evidence Eliminator (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Evidence Eliminator (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ugac (Rogue.PCSecureSystem) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Host Process (Worm.IRCBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Products\compname (Rogue.SpyGuardPro) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Program Files\Evidence Eliminator (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Help (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iDlo18 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Start Menu\Programs\Evidence Eliminator (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
Michael P
2008-03-19, 11:42
Files Infected:
C:\WINDOWS\system32\gwehrwtp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ptwrhewg.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\htvshqon.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\noqhsvth.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\crwcxrnl.dll (Trojan.Vundo) -> Delete on reboot.
C:\Program Files\Evidence Eliminator\Ee.exe (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\INSTALL.LOG (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\License.txt (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\ReadMe.txt (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\UNWISE.EXE (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\UNWISE.INI (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Config.dat (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Drives.dat (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Files.dat (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\FilesContents.dat (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Folders.dat (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\FolderScans.dat (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\IECookiesKeep.dat (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\IEDownloadedKeep.dat (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\NSN4CookiesKeep.dat (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\OE5ChoiceList.dat (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\PlugInSelections.dat (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\ScanMasks.dat (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\AbsoluteFTP.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\ACDSEE Photo Viewer v3.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Adaptec Easy CD Creator v4.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Adobe Acrobat Reader v3.0.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Adobe Acrobat Reader v3.1.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Adobe Acrobat Reader v4.0.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Adobe Photoshop v5.0 LE.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Adobe Photoshop v5.5.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Adobe Photoshop v5.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Adobe Photoshop v6.0.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\ASPack.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Cabinet Manager.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Copernic 2000 Pro.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Copernic 2000.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Cute FTP v3.0.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Cute FTP v4.0.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Delphi v3.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Delphi v4.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Delphi v5.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\DiskKeeper v5.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Download Accelerator.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Eudora Mail.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\FTP Explorer.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\GetRight ExplorerBar.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\GetRight v4.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\GoZilla.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Helios TextPad v3.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Helios TextPad v4.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\HelpWriter.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Icon Extractor.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\ICQ 2000a.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\InstallShield Express.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\JASC Paintshop Pro v5.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\JASC Paintshop Pro v6.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\JASC Paintshop Pro v7.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Jet PhotoShell v1.2.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Macromedia Flash v4.0.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\MasterSplitter v2.1.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\McAfee Virus Scan v4.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Microangelo 98.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Micrografx Picture Publisher v7.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Micrografx Picture Publisher v8.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Microsoft FrontPage Express.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Microsoft FrontPage.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Microsoft Help Workshop.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Microsoft HTML Help.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Microsoft Office.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Microsoft Publisher 2000.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Microsoft Send-To Extensions.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Microsoft Windows Paint.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Microsoft Windows WordPad.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Napster Music Community.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\NEATO Labels.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\NeoPlanet v5.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Norton AntiVirus 2000 (v6).eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Norton File Manager.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Norton Utilities 2000.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\NoteTab Pro.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Opera Browser v4.02 Final.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Opera Browser.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\PackageForTheWeb.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Personal Ancestral File.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Real Audio Player v6 v7 v8.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Real Download v4.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\SureThing CD Labeler.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Telnet.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Ulead Gif Animator v4.0.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Ulead Photo Explorer v4.2.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Ulead Photo Viewer v4.0.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Ulead PhotoImpact v5.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Ulead PhotoImpact Viewer v4.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\UltraEdit v4.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\UltraEdit v7.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Web Ferret v3.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\WinOnCD.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\WinRar v2.6.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\WinRar v2.70.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\WinZip v7.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\WinZip v8.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Wise Installer.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Yahoo Player.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\ZipMagic 2000.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\Plug-Ins\Zone Alarm.eep (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Help\ee.chm (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Start Menu\Programs\Evidence Eliminator\Evidence Eliminator Help.lnk (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Start Menu\Programs\Evidence Eliminator\Evidence Eliminator License Agreement.lnk (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Start Menu\Programs\Evidence Eliminator\Evidence Eliminator Read Me.lnk (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Start Menu\Programs\Evidence Eliminator\Evidence Eliminator.lnk (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\a.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\Setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\n.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\z.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\17PHolmes1188.PIF (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\efccbyx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\winlogon.exe (Heuristic.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
Michael P
2008-03-19, 11:43
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:29:46 PM, on 19/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\SPAMfighter\sfus.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Highjack This\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iinet.net.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B52C7EC-D1A3-4054-923C-DD12567F28B1} - C:\WINDOWS\system32\rqrrppm.dll (file missing)
O2 - BHO: (no name) - {0c47c69a-650c-4978-b769-335e06853bd5} - (no file)
O2 - BHO: (no name) - {2B0B59B4-55A3-4737-9FD5-B93C6430BF75} - C:\WINDOWS\system32\crwcxrnl.dll
O2 - BHO: (no name) - {351DC055-67EA-4F2D-A35D-A072506C1CB6} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {63EE96DF-0D42-4534-9549-98D3B2A0FBB7} - C:\WINDOWS\system32\mljgf.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {804ff250-2c79-d759-c624-d9e606b2532a} - {a2352b60-6e9d-426c-957d-97c2052ff408} - C:\WINDOWS\system32\dpykchbg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\HT1ID1BA\install_sbd_en[1].exe
O4 - HKLM\..\Run: [bm(1)] "C:\Program Files\Common Files\TrustedAntivirus\bm.exe" dm=http://trustedantivirus.com ad=http://trustedantivirus.com sd=http://ykeeper.trustedantivirus.com
O4 - HKLM\..\Run: [e4b87e3b] rundll32.exe "C:\WINDOWS\system32\htvshqon.dll",b
O4 - HKLM\..\Run: [BMe78b4da7] Rundll32.exe "C:\WINDOWS\system32\sydqgnwg.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Search - ?p=ZR
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204177099953
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177833494906
O20 - Winlogon Notify: rqrrppm - rqrrppm.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Program Files\SPAMfighter\sfus.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
--
End of file - 6153 bytes
Hello,
Your TeaTimer is still running.:sad:
Disable the TeaTimer, you can re enable it when were done if you wish
Run Spybot-S&D in Advanced Mode.
If it is not already set to do this Go to the Mode menu select "Advanced Mode"
On the left hand side, Click on Tools
Then click on the Resident Icon in the List
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.
The slimeballs that write the Vundo trojan are constantly changing the files so not to worry about Vundofix not finding any, Malwarebytes found a ton of them and removed them.
Disable the TeaTimer and then run Combofix.
Michael P
2008-03-19, 14:43
I assumed your reference to downloading and running RESET TEA TIMER was turning it off. My mistake.
Attached is the combofix log. As an aside I get the following message on bootup:
"error loading C:\windows\system32\htvshqon.dll
The specified module could not be found"
Also I have windows update which for some reason cannot install.
Combo log follows:
ComboFix 08-03-18.1 - Mike 2008-03-19 21:25:59.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1643 [GMT 8:00]
Running from: C:\Documents and Settings\Mike\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-02-19 to 2008-03-19 )))))))))))))))))))))))))))))))
.
2008-03-19 21:23 . 2008-03-19 21:23 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-03-19 17:33 . 2008-03-19 17:33 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-19 17:33 . 2008-03-19 17:33 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Malwarebytes
2008-03-19 17:33 . 2008-03-19 17:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-19 17:18 . 2008-03-19 17:29 <DIR> d-------- C:\Highjack This
2008-03-18 17:11 . 2008-03-18 17:11 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-18 17:11 . 2008-03-18 17:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-16 20:19 . 2008-03-16 20:19 <DIR> d-------- C:\VundoFix Backups
2008-03-16 17:00 . 2005-04-05 15:57 <DIR> d-------- C:\Documents and Settings\Administrator.DESKTOP\WINDOWS
2008-03-16 17:00 . 2005-04-05 16:41 <DIR> d---s---- C:\Documents and Settings\Administrator.DESKTOP\UserData
2008-03-16 16:56 . 2008-03-16 19:28 1,309,576 --ahs---- C:\WINDOWS\system32\hecqotsn.ini
2008-03-16 15:52 . 2008-03-16 16:30 1,309,396 --ahs---- C:\WINDOWS\system32\xpfnjxxk.ini
2008-03-09 17:20 . 2008-03-16 15:43 1,309,276 --ahs---- C:\WINDOWS\system32\pmlmbsoy.ini
2008-03-08 08:38 . 2008-03-09 17:13 1,309,036 --ahs---- C:\WINDOWS\system32\mddwyjtf.ini
2008-03-06 21:54 . 2008-03-08 08:35 1,307,447 --ahs---- C:\WINDOWS\system32\agxvhwig.ini
2008-03-06 19:21 . 2008-03-06 21:42 354 --ahs---- C:\WINDOWS\system32\tdlvyiwg.ini
2008-03-04 17:31 . 2008-03-04 17:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-04 17:31 . 2008-03-04 17:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-04 07:22 . 2008-03-04 07:22 <DIR> d--h----- C:\WINDOWS\PIF
2008-03-03 19:59 . 2008-03-03 19:59 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2008-03-03 19:59 . 2004-10-07 13:39 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2008-03-03 06:57 . 2008-03-05 18:26 1,304,476 --ahs---- C:\WINDOWS\system32\mmuhgbmm.ini
2008-03-02 18:48 . 2008-03-02 18:48 291,328 --a------ C:\WINDOWS\system32\mljgf.dll.bak
2008-03-02 18:46 . 2008-03-02 18:46 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-03-02 18:43 . 2008-03-02 18:43 35,328 --a------ C:\WINDOWS\system32\rqrrppm.dll.bak
2008-03-02 18:39 . 2008-03-02 18:44 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Uniblue
2008-02-28 16:48 . 2008-02-28 16:48 <DIR> d-------- C:\WINDOWS\system32\Res09
2008-02-28 16:48 . 2008-02-28 16:48 <DIR> d-------- C:\Program Files\Common Files\Network Associates
2008-02-28 13:40 . 2004-08-04 20:00 2,804,224 --a------ C:\WINDOWS\system32\msi.dll
2008-02-28 13:40 . 2004-08-04 20:00 2,804,224 --a------ C:\WINDOWS\system32\dllcache\msi.dll
2008-02-28 13:40 . 2004-08-04 20:00 884,736 --a------ C:\WINDOWS\system32\msimsg.dll
2008-02-28 13:40 . 2004-08-04 20:00 884,736 --a------ C:\WINDOWS\system32\dllcache\msimsg.dll
2008-02-28 13:40 . 2004-08-04 20:00 331,264 --a------ C:\WINDOWS\system32\msihnd.dll
2008-02-28 13:40 . 2004-08-04 20:00 331,264 --a------ C:\WINDOWS\system32\dllcache\msihnd.dll
2008-02-28 13:40 . 2004-08-04 20:00 77,312 --a------ C:\WINDOWS\system32\msiexec.exe
2008-02-28 13:40 . 2004-08-04 20:00 77,312 --a------ C:\WINDOWS\system32\dllcache\msiexec.exe
2008-02-28 13:40 . 2004-08-04 20:00 44,032 --a------ C:\WINDOWS\system32\msisip.dll
2008-02-28 13:40 . 2004-08-04 20:00 44,032 --a------ C:\WINDOWS\system32\dllcache\msisip.dll
2008-02-28 13:10 . 2007-08-24 11:00 172,032 -ra------ C:\WINDOWS\system32\igfxres.dll
2008-02-28 13:01 . 2004-08-04 20:00 10,096,640 --a--c--- C:\WINDOWS\system32\dllcache\hwxcht.dll
2008-02-28 12:59 . 2008-02-28 12:59 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-02-28 12:59 . 2008-02-28 12:59 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-02-28 12:59 . 2008-02-28 12:59 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-02-28 12:59 . 2008-02-28 12:59 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-02-28 12:59 . 2008-02-28 12:59 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-02-28 12:49 . 2004-08-04 20:00 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2008-02-28 12:49 . 2004-08-04 20:00 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll
2008-02-28 12:49 . 2004-08-04 20:00 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2008-02-28 12:49 . 2004-08-04 20:00 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll
2008-02-28 11:00 . 2005-04-05 15:57 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-02-28 11:00 . 2005-04-05 16:41 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-02-28 09:46 . 2008-02-28 11:05 90,015 --a------ C:\WINDOWS\setupapi.old
2008-02-27 16:49 . 2008-03-19 21:23 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2008-02-23 14:55 . 2008-02-23 14:55 12,598 --a------ C:\WINDOWS\system32\wpa.bak
2008-02-23 13:54 . 2008-02-23 13:54 <DIR> d-------- C:\WINDOWS\OPTIONS
2008-02-23 13:54 . 2008-02-23 13:54 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\InstallShield
2008-02-23 13:54 . 2007-09-19 21:44 101,504 -ra------ C:\WINDOWS\system32\drivers\Rtenicxp.sys
2008-02-23 13:50 . 2008-02-23 13:50 <DIR> d-------- C:\WINDOWS\system32\RTCOM
2008-02-23 13:50 . 2007-09-19 18:14 16,844,800 -ra------ C:\WINDOWS\RTHDCPL.exe
2008-02-23 13:50 . 2007-03-23 19:19 9,715,200 -ra------ C:\WINDOWS\RTLCPL.exe
2008-02-23 13:50 . 2007-09-19 17:16 4,617,728 -ra------ C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-02-23 13:50 . 2007-08-03 13:22 1,826,816 -ra------ C:\WINDOWS\SkyTel.exe
2008-02-23 13:50 . 2007-07-26 18:06 1,191,936 -ra------ C:\WINDOWS\RtlUpd.exe
2008-02-23 13:50 . 2006-08-18 06:58 282,624 -ra------ C:\WINDOWS\system32\RTSndMgr.cpl
2008-02-23 13:50 . 2006-08-01 15:02 49,152 -ra------ C:\WINDOWS\system32\ChCfg.exe
2008-02-23 13:49 . 2008-02-23 13:54 <DIR> d-------- C:\Program Files\Realtek
2008-02-23 13:39 . 2004-08-04 00:56 7,168 --a------ C:\WINDOWS\system32\SET808.tmp
2008-02-23 13:35 . 2008-02-23 13:35 0 --a------ C:\WINDOWS\system32\SET671.tmp
2008-02-23 13:34 . 2008-02-23 13:34 0 --a------ C:\WINDOWS\system32\SET5C2.tmp
2008-02-23 13:31 . 2004-08-04 00:56 7,168 --a------ C:\WINDOWS\system32\SET460.tmp
2008-02-23 13:31 . 2004-08-04 00:56 7,168 --a------ C:\WINDOWS\system32\SET45E.tmp
2008-02-23 13:30 . 2008-02-23 13:30 0 --a------ C:\WINDOWS\system32\drivers\SET3F3.tmp
2008-02-23 13:21 . 2008-02-23 13:49 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-02-23 13:21 . 2008-02-23 13:21 <DIR> d-------- C:\Program Files\Intel
2008-02-23 13:21 . 2008-02-23 13:21 <DIR> d-------- C:\Intel
2008-02-23 13:21 . 2007-07-26 16:15 53,248 --a------ C:\WINDOWS\system32\CSVer.dll
2008-02-23 13:20 . 2008-02-23 13:54 16,376 --a------ C:\WINDOWS\gdrv.sys
2008-02-23 13:10 . 2004-08-04 20:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
2008-02-23 13:01 . 2006-02-28 20:00 1,086,058 -ra------ C:\WINDOWS\SETE3.tmp
2008-02-23 13:01 . 2006-02-28 20:00 1,042,903 -ra------ C:\WINDOWS\SETE0.tmp
2008-02-23 13:01 . 2006-02-28 20:00 14,573 -ra------ C:\WINDOWS\SET122.tmp
2008-02-23 13:01 . 2006-02-28 20:00 13,753 -ra------ C:\WINDOWS\SETEF.tmp
2008-02-23 13:00 . 2008-02-23 13:49 1,659,516 --a------ C:\WINDOWS\setupapi.log.0.old
2008-02-23 13:00 . 2008-02-28 09:45 1,052,357 --a------ C:\WINDOWS\setupapi.log.1.old
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-19 13:21 --------- d-----w C:\Program Files\SPAMfighter
2008-03-09 11:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-09 11:40 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-04 09:31 --------- d-----w C:\Program Files\Lavasoft
2008-03-04 09:31 --------- d-----w C:\Documents and Settings\Mike\Application Data\Lavasoft
2008-03-02 13:55 --------- d-----w C:\Program Files\LimeWire
2008-03-02 10:09 --------- d-----w C:\Documents and Settings\Mike\Application Data\SmartDraw
2008-03-02 09:40 --------- d-----w C:\Program Files\SmartDraw 7
2008-02-28 08:48 --------- d-----w C:\Program Files\Network Associates
2008-02-25 13:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\OPEN Networks
2008-02-23 05:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-23 05:49 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-01-23 12:10 --------- d-----w C:\Program Files\IrfanView
2007-05-27 09:42 74,328 ----a-w C:\Documents and Settings\Mike\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((( snapshot@2008-03-19_17.52.37.67 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63EE96DF-0D42-4534-9549-98D3B2A0FBB7}]
C:\WINDOWS\system32\mljgf.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-10-29 16:50 4620288]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-06-08 12:31 29696 C:\WINDOWS\KHALMNPR.Exe]
"SBI"="C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\HT1ID1BA\install_sbd_en[1].exe" [ ]
"bm(1)"="C:\Program Files\Common Files\TrustedAntivirus\bm.exe" [ ]
"e4b87e3b"="C:\WINDOWS\system32\htvshqon.dll" [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrrppm]
rqrrppm.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Centre.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Centre.lnk
backup=C:\WINDOWS\pss\Service Centre.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-ra------ 2005-05-03 18:43 69632 C:\WINDOWS\Alcmtr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 20:00 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Evidence Eliminator]
C:\Program Files\Evidence Eliminator\ee.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FusionRemote]
--a------ 2004-11-19 19:17 1277440 C:\Program Files\DVICO\FusionRemote\FusionRc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FusionTrayAgent]
--a------ 2004-11-18 21:13 1635840 C:\Program Files\DVICO\FusionHDTV\FusionHdtvTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
-ra------ 2007-09-05 17:13 166424 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
-ra------ 2007-09-05 17:13 141848 C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
--a------ 2004-08-04 20:00 44032 C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 20:00 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
--a------ 2004-06-08 12:31 29696 C:\WINDOWS\KHALMNPR.Exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-14 00:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--a------ 2005-10-11 18:25 1961984 C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2004-10-29 16:50 4620288 C:\WINDOWS\system32\NvCpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2004-10-29 16:50 86016 C:\WINDOWS\system32\NvMcTray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-10-29 16:50 921600 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
-ra------ 2007-09-05 17:13 137752 C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopularScreensaversWallpaper]
C:\PROGRA~1\MYWEBS~1\bar\3.bin\F3SCRCTR.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-09-08 11:04 77824 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
--a------ 2001-07-25 14:04 57344 C:\Program Files\REGSHAVE\REGSHAVE.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-ra------ 2007-09-19 18:14 16844800 C:\WINDOWS\RTHDCPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra------ 2006-07-21 16:14 86016 C:\WINDOWS\SoundMan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SPAMfighter Agent]
--a------ 2007-10-25 14:29 308880 C:\Program Files\SPAMfighter\SFAgent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 00:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-08 19:00 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\StreamCast\\Morpheus\\morpheus.exe"=
"C:\\Program Files\\StreamCast\\Morpheus\\mldonkey\\mlnet.exe"=
"C:\\Program Files\\StreamCast\\Morpheus\\MorphEXE.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
R0 NaiFsRec;NaiFsRec;C:\WINDOWS\system32\drivers\NaiFsRec.sys [2001-04-30 04:51]
R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys [2003-10-31 11:22]
R2 AvSynMgr;AVSync Manager;"C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe" [2001-04-30 04:51]
R2 BT848;FusionHDTV, WDM Video Capture;C:\WINDOWS\system32\drivers\ZuluVcap.sys [2004-08-27 21:10]
R2 BT878;FusionHDTV, WDM MPEG-2 TS Capture (ATSC-A);C:\WINDOWS\system32\drivers\ZuluTcap.sys [2004-08-27 21:10]
R2 SPAMfighter Update Service;SPAMfighter Update Service;"C:\Program Files\SPAMfighter\sfus.exe" [2007-10-25 14:29]
R2 ZuluTune;FusionHDTV, Thomson7579+MT352 WDM TvTuner;C:\WINDOWS\system32\drivers\ZuluTune.sys [2004-08-27 21:10]
R2 zuluxbar;FusionHDTV, WDM Crossbar (Tuner only);C:\WINDOWS\system32\drivers\zuluxbar.sys [2004-08-27 21:10]
R3 ZuluBda;FusionHDTV, BDA Tuner/Demod;C:\WINDOWS\system32\drivers\ZuluBda.sys [2004-08-27 21:10]
S2 cx88xbar;FusionHDTV 88x, Crossbar;C:\WINDOWS\system32\drivers\zl88xbar.sys [2004-08-27 21:10]
S2 Zulu88Ts;FusionHDTV 88x, Transport Stream Capture (ATSC-A);C:\WINDOWS\system32\drivers\zl88tcap.sys [2004-08-10 14:01]
S2 Zulu88Tune;FusionHDTV 88x, TEMIC4042+LG3302 WDM TvTuner;C:\WINDOWS\system32\drivers\zl88tune.sys [2004-08-27 21:10]
S2 Zulu88Vid;FusionHDTV 88x, Video Capture;C:\WINDOWS\system32\drivers\zl88vcap.sys [2004-08-27 21:10]
S3 CXAVSAUD;FusionHDTV 880, Audio Capture;C:\WINDOWS\system32\drivers\zl88aud.sys [2004-08-27 21:10]
S3 DMSKSSRh;DMSKSSRh;C:\DOCUME~1\Mike\LOCALS~1\Temp\DMSKSSRh.sys []
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2008-02-23 13:54]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [2007-06-22 13:44]
S3 qcusbser;ZTE USB Device for Legacy Serial Communication;C:\WINDOWS\system32\DRIVERS\ZTEusbser.sys [2007-05-29 16:52]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 23:01]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a51bdc2a-a6f9-11dc-901c-0011d8608c94}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
"2008-03-19 12:02:00 C:\WINDOWS\Tasks\CCleaner.job"
- C:\PROGRA~1\CCleaner\ccleaner.exe
"2008-03-02 10:39:36 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-03-02 10:39:35 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-19 21:28:04
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
.
**************************************************************************
.
Completion time: 2008-03-19 21:31:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-19 13:31:28
ComboFix2.txt 2008-03-19 13:25:08
ComboFix3.txt 2008-03-19 09:52:56
.
2008-03-19 12:45:42 --- E O F ---
Hello Michael,
The TeaTimer has to be turned off or some of these entries may not be removed.
SPAMfighter <-- This program is under review at this time so don't know what to tell you about it, if you don't use it then uninstall it via the Add Remove Programs in the Control Panel.
Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.
O2 - BHO: (no name) - {0B52C7EC-D1A3-4054-923C-DD12567F28B1} - C:\WINDOWS\system32\rqrrppm.dll (file missing) G
O2 - BHO: (no name) - {0c47c69a-650c-4978-b769-335e06853bd5} - (no file)
O2 - BHO: (no name) - {2B0B59B4-55A3-4737-9FD5-B93C6430BF75} - C:\WINDOWS\system32\crwcxrnl.dll G
O2 - BHO: (no name) - {351DC055-67EA-4F2D-A35D-A072506C1CB6} - (no file)
O2 - BHO: (no name) - {63EE96DF-0D42-4534-9549-98D3B2A0FBB7} - C:\WINDOWS\system32\mljgf.dll (file missing)
O2 - BHO: {804ff250-2c79-d759-c624-d9e606b2532a} - {a2352b60-6e9d-426c-957d-97c2052ff408} - C:\WINDOWS\system32\dpykchbg.dll
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\HT1ID1BA\install_sbd_en[1].exe G
O4 - HKLM\..\Run: "C:\Program Files\Common Files\TrustedAntivirus\bm.exe" dm=http://trustedantivirus.com ad=http://trustedantivirus.com sd=http://ykeeper.trustedantivirus.com G
O4 - HKLM\..\Run: [e4b87e3b] rundll32.exe "C:\WINDOWS\system32\htvshqon.dll",b G
O4 - HKLM\..\Run: [BMe78b4da7] Rundll32.exe "C:\WINDOWS\system32\sydqgnwg.dll",s
O20 - Winlogon Notify: rqrrppm - rqrrppm.dll (file missing)
Please download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe) by OldTimer.
Save it to your [b]desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\system32\htvshqon.dll
C:\WINDOWS\system32\hecqotsn.ini
C:\WINDOWS\system32\xpfnjxxk.ini
C:\WINDOWS\system32\pmlmbsoy.ini
C:\WINDOWS\system32\mddwyjtf.ini
C:\WINDOWS\system32\agxvhwig.ini
C:\WINDOWS\system32\tdlvyiwg.ini
C:\WINDOWS\system32\mfc71.dll
C:\WINDOWS\system32\mmuhgbmm.ini
C:\WINDOWS\system32\mljgf.dll.bak
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\rqrrppm.dll.bak
C:\WINDOWS\system32\mljgf.dll
C:\WINDOWS\system32\crwcxrnl.dll
C:\WINDOWS\system32\dpykchbg.dll
C:\WINDOWS\system32\sydqgnwg.dll
C:\WINDOWS\Fonts\svchost.exe
C:\Documents and Settings\All Users\Application Data\SalesMon
C:\Program Files\Common Files\TrustedAntivirus
Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Post the OTMoveIt log and a New HJT log please
Michael P
2008-03-20, 01:30
The OTMoveIt link is dead.
Will run HJT tonight and await your reply on OTMoveIt before I run ATF Cleaner or post results.
My bad, it was just updated.
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
Michael P
2008-03-20, 11:00
Have decided to do nothing until I hear from you re the OTMoveIt link. Don't know if you are taking a break over easter, if yes then I will hear from you next week. Have a good break.
Michael P
2008-03-20, 11:03
Have just got your updated post, please ignore my last. Please bear with me my download has been shaped due to excess download
Hello,
I graduated in 1956 so I am not at Spring Break at the moment :)
OTMoveIt was upgraded to a new version and I provided the link in my last reply so continue on with all my instructions.
Ken
Michael P
2008-03-20, 11:24
Firstly the OTMoveIt log:
File/Folder C:\WINDOWS\system32\htvshqon.dll not found.
C:\WINDOWS\system32\hecqotsn.ini moved successfully.
C:\WINDOWS\system32\xpfnjxxk.ini moved successfully.
C:\WINDOWS\system32\pmlmbsoy.ini moved successfully.
C:\WINDOWS\system32\mddwyjtf.ini moved successfully.
C:\WINDOWS\system32\agxvhwig.ini moved successfully.
C:\WINDOWS\system32\tdlvyiwg.ini moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\mfc71.dll
C:\WINDOWS\system32\mfc71.dll NOT unregistered.
C:\WINDOWS\system32\mfc71.dll moved successfully.
C:\WINDOWS\system32\mmuhgbmm.ini moved successfully.
C:\WINDOWS\system32\mljgf.dll.bak moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\vbzip10.dll NOT unregistered.
C:\WINDOWS\system32\vbzip10.dll moved successfully.
C:\WINDOWS\system32\rqrrppm.dll.bak moved successfully.
File/Folder C:\WINDOWS\system32\mljgf.dll not found.
File/Folder C:\WINDOWS\system32\crwcxrnl.dll not found.
File/Folder C:\WINDOWS\system32\dpykchbg.dll not found.
File/Folder C:\WINDOWS\system32\sydqgnwg.dll not found.
File/Folder C:\WINDOWS\Fonts\svchost.exe not found.
C:\Documents and Settings\All Users\Application Data\SalesMon\Data moved successfully.
C:\Documents and Settings\All Users\Application Data\SalesMon moved successfully.
File/Folder C:\Program Files\Common Files\TrustedAntivirus not found.
Then the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:14:46 PM, on 20/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\SPAMfighter\sfus.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Highjack This\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Search - ?p=ZR
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204177099953
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177833494906
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Program Files\SPAMfighter\sfus.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
--
End of file - 4692 bytes
Michael
Clean log :bigthumb: How are things running now??
Michael P
2008-03-20, 13:27
:laugh:
Looks ok this end, system seems stable. Still cannot install Microsoft Windows Installer 3.1 and cannot uninstall spamfighter also due to Windows installer. Where do you think I should go for help on this one. Many thanks for your work on my problems. As one oldie to another thanks heaps.
Michael,
Glad things are running better for you :bigthumb:
Here are some great links.
Windows Tech Support Forums
Windows Helpnet (http://www.windowsbbs.com/) <-- Excellent XP Forum
PcPitStop (http://pcpitstop.com/) <-- You can take your system in for a checkup here.
It's Not Always Malware
Slow Computer (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html)
Microsoft (http://www.microsoft.com/windows/IE/community/columns/IEtopten.mspx)
Speedup Windows
TechBuilder (http://www.techbuilder.org/recipes/59201471)
Windows Tips
Techruler (http://www.techruler.com/tips.html#1)
Kellys Korner (http://www.kellys-korner-xp.com/xp_abc.htm)
Malware Complaints (http://malwarecomplaints.info/index.php)
Are you mad ? I mean really mad, seething mad, so mad your ready to spit, mad that you have taken your hard earned dollars to buy a computer only to have some Miscredents, Dirt Bags and Cyber Criminals install a malicious program on your computer without your knowledge or consent. You can post your complaint at the above site. If you live in the U.S.A. you can also report your grievance to your State Attorney Generals Office and the Federal Trade Commission's Bureau of Consumer Protection.
How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy but do not enable the TeaTimer in Spybot.
Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
Spybot Search and Destroy 1.5 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 2.0.0.12 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.
Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free Firewall from Zone Labs
Glad we could help
Safe Surfn
Ken
Michael P
2008-03-20, 13:58
:):):):):):):)
Again many thanks, your comments are duly noted.
Have a good easter.
Mike
Thank You Mike,
You too, enjoy the holiday.
Ken