View Full Version : Virtumonde: braviax-induced, Kaspersky & HJT



rich97702
2008-03-31, 22:38
Thanks so much for taking a look.
It's taken me 6 days to get a Windows interface back (even in "safe" mode!) and the ability to use the web.
As far as I can tell, all traces of braviax and cru629 themselves are gone; the virtumonde has remained elusive.
I've run Spybot S&D and "fixed" the red entries, then Kaspersky from the web, then HJT. The two reports follow.
Thank you again for your offer to take a look,
Rich

KASPERSKY ONLINE SCANNER REPORT
Monday, March 31, 2008 1:14:56 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 31/03/2008
Kaspersky Anti-Virus database records: 674513
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 166074
Number of viruses found: 4
Number of infected objects: 25
Number of suspicious objects: 0
Duration of the scan process: 03:15:31

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Desktop\catchme.zip/beep.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\Documents and Settings\Administrator\Desktop\catchme.zip/beep.sys.1 Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\Documents and Settings\Administrator\Desktop\catchme.zip ZIP: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\0061_File_Monitoring_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\0062_Mail_Monitoring_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\0063_Web_Monitoring_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\detected.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\detected.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\report.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\0102\0310\values Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Richard Feldman\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Richard Feldman\Desktop\Misc\F-pres v2000 dbx\Sent Items.dbx/[From "Rich Feldman" <rfeldman@bendcable.com>][Date Mon, 4 Dec 2006 23:48:50 -0800]/UNNAMED/setupwavtomp3.exe/WISE0016.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Documents and Settings\Richard Feldman\Desktop\Misc\F-pres v2000 dbx\Sent Items.dbx/[From "Rich Feldman" <rfeldman@bendcable.com>][Date Mon, 4 Dec 2006 23:48:50 -0800]/UNNAMED/setupwavtomp3.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Documents and Settings\Richard Feldman\Desktop\Misc\F-pres v2000 dbx\Sent Items.dbx/[From "Rich Feldman" <rfeldman@bendcable.com>][Date Mon, 4 Dec 2006 23:48:50 -0800]/UNNAMED Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Documents and Settings\Richard Feldman\Desktop\Misc\F-pres v2000 dbx\Sent Items.dbx Mail MS Outlook 5: infected - 3 skipped
C:\Documents and Settings\Richard Feldman\Desktop\Misc\F-pres v2000 dbx\Spin.dbx/[From "eBay Member: alwaysonthelevel" <member@ebay.com>][Date Thu, 5 May 2005 10:46:25 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Richard Feldman\Desktop\Misc\F-pres v2000 dbx\Spin.dbx/[From "eBay Member: alwaysonthelevel" <member@ebay.com>][Date Wed, 18 May 2005 10:15:37 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Richard Feldman\Desktop\Misc\F-pres v2000 dbx\Spin.dbx Mail MS Outlook 5: infected - 2 skipped
C:\Documents and Settings\Richard Feldman\Local Settings\Application Data\Identities\{DC40B654-6026-4B52-AAF7-9998CE175EAF}\Microsoft\Outlook Express\Spin.bak/[From "eBay Member: alwaysonthelevel" <member@ebay.com>][Date Thu, 5 May 2005 10:46:25 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Richard Feldman\Local Settings\Application Data\Identities\{DC40B654-6026-4B52-AAF7-9998CE175EAF}\Microsoft\Outlook Express\Spin.bak/[From "eBay Member: alwaysonthelevel" <member@ebay.com>][Date Wed, 18 May 2005 10:15:37 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Richard Feldman\Local Settings\Application Data\Identities\{DC40B654-6026-4B52-AAF7-9998CE175EAF}\Microsoft\Outlook Express\Spin.bak Mail MS Outlook 5: infected - 2 skipped
C:\Documents and Settings\Richard Feldman\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped
C:\Documents and Settings\Richard Feldman\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
C:\Documents and Settings\Richard Feldman\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Richard Feldman\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Richard Feldman\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Richard Feldman\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Richard Feldman\Local Settings\History\History.IE5\MSHist012008033120080401\index.dat Object is locked skipped
C:\Documents and Settings\Richard Feldman\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Richard Feldman\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Richard Feldman\ntuser.dat Object is locked skipped
C:\Documents and Settings\Richard Feldman\ntuser.dat.LOG Object is locked skipped
C:\SDFix\backups_old4\backups.zip/backups/beep.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\SDFix\backups_old4\backups.zip/backups/winivstr.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\SDFix\backups_old4\backups.zip ZIP: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\tracking.log Object is locked skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP294\A0029527.exe/WISE0016.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP294\A0029527.exe WiseSFX: infected - 1 skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP337\A0038205.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP339\A0038318.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP342\A0041326.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP343\A0042329.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP343\A0042332.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP343\A0042340.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP343\A0042346.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP346\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\MsDtc\MSDTC.LOG Object is locked skipped
C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\twain_32\tzraqlo.dll Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

---------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:16:20 PM, on 3/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Richard Feldman\My Documents\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {0B05BAFD-9A65-4DCB-87D1-58BDD8B65628} - C:\WINDOWS\system32\awtqq.dll (file missing)
O2 - BHO: (no name) - {D8810E13-F0A9-4ED5-8299-C29100A6EF4A} - C:\WINDOWS\system32\pmnlk.dll (file missing)
O2 - BHO: (no name) - {E438A7F5-82E1-4786-9E44-B064135451AB} - C:\WINDOWS\system32\mljjh.dll (file missing)
O2 - BHO: (no name) - {E97B3691-C10E-40CD-9597-81151D366D45} - C:\WINDOWS\system32\awtqr.dll (file missing)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187565712125
O16 - DPF: {7DD82D6B-3553-470B-8D1E-D5C7086478A7} (QBMASSyncCom2_2005.UserControl1) - https://merchantaccount.quickbooks.com/sync/QBMASSyncCom2_2005.cab
O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} (CInstallLPCtrl Object) - http://u3.sandisk.com/download/apps/LPInstaller.CAB
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {F21AC8A4-4322-11D6-8EBE-0001023D1A2A} (IntuitRecurPayCom.UserControl1) - https://merchantaccount.quickbooks.com/recurchrg/IntuitRecurPayCom.cab
O16 - DPF: {F8A9F96F-8375-4596-BD89-EEAE2781D810} (QBMASSyncCom1.UserControl1) - https://merchantaccount.quickbooks.com/sync/QBMASSyncCom1.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: vturopo - C:\WINDOWS\
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O24 - Desktop Component 0: (no name) - http://images.metacafe.com/image215_149_10/90/81866/362986/funny_cats_2.jpg

--
End of file - 5307 bytes

ken545
2008-04-01, 13:23
Hello Rich

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

You need to move HJT to its own folder and set it up this way; it's hard to read your log the way you posted it, you need to uncheck wordwrap. You can delete HJT where you currently have it and download and install it properly.

Download Trend Micro's HijackThis (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe) to your desktop.
Double click it to install.
Follow the prompts and by default it will install in C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


Open HJT Scan and Save a Log File, it will open in Notepad
Go to Format and make sure Wordwrap is Unchecked
Go to Edit> Select All.....Edit > Copy and Paste the new log into this thread by using the Post Reply and not start a New Thread.

DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.



Then you need to run these scans in the order I have them posted, and when you're done, post all the logs including a new HJT log.

Download VundoFix (http://www.atribune.org/ccount/click.php?id=4 ) to your desktop

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.





Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected. <------
When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a Hijackthis log.







Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or Here (http://subs.geekstogo.com/ComboFix.exe) to your Desktop.

In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.


1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the net.

2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
If you have not already done so, Combofix will disconnect your machine from the Internet when it starts.
If there is no internet connection when Combofix has completely finished, then restart your computer to restore the connections.

3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.


This is what I need.
1. Vundofix log
2. Malwarebytes log
3. Combofix log
4. New HJT log run from the proper folder and wordwrap unchecked.

Ken :)
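
Ken's caution above ("most of what it finds will be harmless or even required") is the whole point of reading an HJT log rather than fixing everything it lists. As an added example, not code from the thread, from HijackThis or from any tool Ken links, here is a small read-only Python triage script that parses the "Oxx - ..." entry lines and flags the patterns that stand out in Rich's log: an unnamed O2 BHO whose DLL is already gone, an O20 Winlogon Notify hook that resolves to a bare directory, an O22 SharedTaskScheduler entry with a missing DLL, and, at low priority, an O23 service whose binary is missing (typically an uninstall leftover). The sample log is constructed from the entry types posted in this thread plus one placeholder benign BHO with a dummy CLSID; the parser assumes the HJT v2.x "section - description" line layout and changes nothing on the machine.

```python
"""Read-only triage of a HijackThis (HJT) log: parse the 'Oxx - ...' entry
lines and flag the ones worth a second look before anything is 'fixed'.
Added example; not code from HijackThis, the forum, or either poster."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample log (assumption: HJT v2.x line layout). The suspicious
# lines are modeled on the ones posted in this thread; the "Example Benign
# Helper" BHO and its all-zero CLSID are placeholders, not a real product.
SAMPLE_HJT = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\ctfmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {0B05BAFD-9A65-4DCB-87D1-58BDD8B65628} - C:\WINDOWS\system32\awtqq.dll (file missing)
O2 - BHO: Example Benign Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O20 - Winlogon Notify: vturopo - C:\WINDOWS\
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll (file missing)
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
"""

# An HJT entry line is "<section> - <description>", e.g. "O2 - BHO: ...".
ENTRY = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")

# (severity, section, reason, original line)
Finding = Tuple[str, str, str, str]


def parse_hjt(text: str) -> List[Dict[str, object]]:
    """Return one dict per entry line; headers and the process list are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        body = m.group("body")
        entries.append({
            "section": m.group("section"),
            "body": body,
            "missing": body.endswith("(file missing)"),
            "line": line,
        })
    return entries


def _target(body: str) -> str:
    """Last ' - '-separated field of an entry: the path or URL it points at."""
    return body.rsplit(" - ", 1)[-1].strip()


def triage(entries: List[Dict[str, object]]) -> List[Finding]:
    """Flag entry shapes that typically deserve review; everything else is left alone."""
    findings: List[Finding] = []
    for e in entries:
        sec, body, missing, line = e["section"], str(e["body"]), e["missing"], str(e["line"])
        if sec == "O2" and body.startswith("BHO: (no name)") and missing:
            findings.append(("high", sec,
                             "unnamed BHO whose DLL is gone: orphaned registration "
                             "left behind by a removed component", line))
        elif sec == "O20" and (missing or _target(body).endswith("\\")):
            findings.append(("high", sec,
                             "Winlogon Notify hook with no resolvable DLL path", line))
        elif sec == "O22" and missing:
            findings.append(("high", sec,
                             "SharedTaskScheduler entry whose DLL is gone", line))
        elif sec == "O23" and missing:
            findings.append(("low", sec,
                             "service pointing at a missing binary (often an uninstall leftover)", line))
    return findings


def summarize(findings: List[Finding]) -> Counter:
    """Count findings per severity, for a quick glance before reading the details."""
    return Counter(f[0] for f in findings)


if __name__ == "__main__":
    found = triage(parse_hjt(SAMPLE_HJT))
    for severity, section, reason, line in found:
        print(f"[{severity:4}] {section}: {reason}\n        {line}")
    print(dict(summarize(found)))
```

Everything the script does not flag is deliberately left untouched: an O4 Run entry for a known anti-virus product, or an O16 DPF control from a vendor site, is exactly the kind of line Ken warns against "fixing". The orphaned O2/O20/O22 entries are the ones a helper would normally have removed in a later step; this script only reports them.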

rich97702
2008-04-01, 17:35
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:21:47 AM, on 4/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {0B05BAFD-9A65-4DCB-87D1-58BDD8B65628} - C:\WINDOWS\system32\awtqq.dll (file missing)
O2 - BHO: (no name) - {D8810E13-F0A9-4ED5-8299-C29100A6EF4A} - C:\WINDOWS\system32\pmnlk.dll (file missing)
O2 - BHO: (no name) - {E438A7F5-82E1-4786-9E44-B064135451AB} - C:\WINDOWS\system32\mljjh.dll (file missing)
O2 - BHO: (no name) - {E97B3691-C10E-40CD-9597-81151D366D45} - C:\WINDOWS\system32\awtqr.dll (file missing)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187565712125
O16 - DPF: {7DD82D6B-3553-470B-8D1E-D5C7086478A7} (QBMASSyncCom2_2005.UserControl1) - https://merchantaccount.quickbooks.com/sync/QBMASSyncCom2_2005.cab
O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} (CInstallLPCtrl Object) - http://u3.sandisk.com/download/apps/LPInstaller.CAB
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {F21AC8A4-4322-11D6-8EBE-0001023D1A2A} (IntuitRecurPayCom.UserControl1) - https://merchantaccount.quickbooks.com/recurchrg/IntuitRecurPayCom.cab
O16 - DPF: {F8A9F96F-8375-4596-BD89-EEAE2781D810} (QBMASSyncCom1.UserControl1) - https://merchantaccount.quickbooks.com/sync/QBMASSyncCom1.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: vturopo - C:\WINDOWS\
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O24 - Desktop Component 0: (no name) - http://images.metacafe.com/image215_149_10/90/81866/362986/funny_cats_2.jpg

--
End of file - 5348 bytes

----------------------------------------------------

VundoFix V7.0.3

Scan started at 7:41:03 AM 4/1/2008

Listing files found while scanning....

No infected files were found.

----------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:57:19 AM, on 4/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {0B05BAFD-9A65-4DCB-87D1-58BDD8B65628} - C:\WINDOWS\system32\awtqq.dll (file missing)
O2 - BHO: (no name) - {D8810E13-F0A9-4ED5-8299-C29100A6EF4A} - C:\WINDOWS\system32\pmnlk.dll (file missing)
O2 - BHO: (no name) - {E438A7F5-82E1-4786-9E44-B064135451AB} - C:\WINDOWS\system32\mljjh.dll (file missing)
O2 - BHO: (no name) - {E97B3691-C10E-40CD-9597-81151D366D45} - C:\WINDOWS\system32\awtqr.dll (file missing)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187565712125
O16 - DPF: {7DD82D6B-3553-470B-8D1E-D5C7086478A7} (QBMASSyncCom2_2005.UserControl1) - https://merchantaccount.quickbooks.com/sync/QBMASSyncCom2_2005.cab
O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} (CInstallLPCtrl Object) - http://u3.sandisk.com/download/apps/LPInstaller.CAB
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {F21AC8A4-4322-11D6-8EBE-0001023D1A2A} (IntuitRecurPayCom.UserControl1) - https://merchantaccount.quickbooks.com/recurchrg/IntuitRecurPayCom.cab
O16 - DPF: {F8A9F96F-8375-4596-BD89-EEAE2781D810} (QBMASSyncCom1.UserControl1) - https://merchantaccount.quickbooks.com/sync/QBMASSyncCom1.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: vturopo - C:\WINDOWS\
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O24 - Desktop Component 0: (no name) - http://images.metacafe.com/image215_149_10/90/81866/362986/funny_cats_2.jpg

--
End of file - 5381 bytes

------------------------------------------------------

Malwarebytes' Anti-Malware 1.09
Database version: 578

Scan type: Quick Scan
Objects scanned: 30962
Time elapsed: 6 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{c5af49a2-94f3-42bd-f434-2604812c897d} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c5af49a2-94f3-42bd-f434-2604812c897d} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Richard Feldman\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

-------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:15:05 AM, on 4/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {0B05BAFD-9A65-4DCB-87D1-58BDD8B65628} - C:\WINDOWS\system32\awtqq.dll (file missing)
O2 - BHO: (no name) - {D8810E13-F0A9-4ED5-8299-C29100A6EF4A} - C:\WINDOWS\system32\pmnlk.dll (file missing)
O2 - BHO: (no name) - {E438A7F5-82E1-4786-9E44-B064135451AB} - C:\WINDOWS\system32\mljjh.dll (file missing)
O2 - BHO: (no name) - {E97B3691-C10E-40CD-9597-81151D366D45} - C:\WINDOWS\system32\awtqr.dll (file missing)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187565712125
O16 - DPF: {7DD82D6B-3553-470B-8D1E-D5C7086478A7} (QBMASSyncCom2_2005.UserControl1) - https://merchantaccount.quickbooks.com/sync/QBMASSyncCom2_2005.cab
O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} (CInstallLPCtrl Object) - http://u3.sandisk.com/download/apps/LPInstaller.CAB
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {F21AC8A4-4322-11D6-8EBE-0001023D1A2A} (IntuitRecurPayCom.UserControl1) - https://merchantaccount.quickbooks.com/recurchrg/IntuitRecurPayCom.cab
O16 - DPF: {F8A9F96F-8375-4596-BD89-EEAE2781D810} (QBMASSyncCom1.UserControl1) - https://merchantaccount.quickbooks.com/sync/QBMASSyncCom1.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: vturopo - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O24 - Desktop Component 0: (no name) - http://images.metacafe.com/image215_149_10/90/81866/362986/funny_cats_2.jpg

--
End of file - 5289 bytes

------------------------------------------------

COMBOFIX AND HJT IN NEXT REPLY

rich97702
2008-04-01, 19:15
ComboFix 08-03-30.5 - Richard Feldman 2008-04-01 8:40:01.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.72 [GMT -7:00]
Running from: C:\Documents and Settings\Richard Feldman\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Richard Feldman\Application Data\inst.exe
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\hjjlm.ini
C:\WINDOWS\system32\hjjlm.ini2
C:\WINDOWS\system32\klnmp.ini
C:\WINDOWS\system32\klnmp.ini2
C:\WINDOWS\system32\qqtwa.ini
C:\WINDOWS\system32\qqtwa.ini2
C:\WINDOWS\system32\rqtwa.ini
C:\WINDOWS\system32\rqtwa.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2008-03-01 to 2008-04-01 )))))))))))))))))))))))))))))))
.

2008-04-01 08:00 . 2008-04-01 08:00 <DIR> d-------- C:\Documents and Settings\Richard Feldman\Application Data\Malwarebytes
2008-04-01 08:00 . 2008-04-01 08:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-01 07:59 . 2008-04-01 08:00 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-01 07:27 . 2008-04-01 07:27 <DIR> d-------- C:\VundoFix Backups
2008-03-31 06:24 . 2004-08-04 06:00 135,680 --a------ C:\WINDOWS\system32\taskmgr.exe
2008-03-31 06:24 . 2004-08-04 06:00 135,680 --a------ C:\WINDOWS\system32\dllcache\taskmgr.exe
2008-03-30 17:52 . 2008-03-30 17:52 0 --a------ C:\Documents and Settings\Administrator\Application Data\wklnhst.dat
2008-03-30 11:51 . 2008-03-30 11:51 91,700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-03-30 11:51 . 2008-03-30 11:51 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-03-30 11:50 . 2008-04-01 08:50 9,424,160 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-30 11:50 . 2008-04-01 08:50 130,400 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-03-30 11:50 . 2008-04-01 08:51 15,392 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-03-30 11:50 . 2008-04-01 08:50 2,468 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-03-30 11:49 . 2008-03-30 11:49 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-03-30 00:45 . 2008-03-30 00:45 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-03-29 22:26 . 2008-03-29 22:27 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-29 22:26 . 2008-03-30 09:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-29 10:12 . 2008-03-29 10:12 <DIR> d-------- C:\Documents and Settings\Richard Feldman\Application Data\Grisoft
2008-03-28 19:27 . 2007-01-18 05:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-03-28 19:05 . 2008-03-28 19:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-03-28 19:04 . 2007-05-30 05:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-28 16:11 . 2008-03-28 18:03 <DIR> d-------- C:\kav
2008-03-28 12:41 . 2008-03-28 12:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-28 12:26 . 2008-03-28 12:26 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-28 12:26 . 2008-04-01 08:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-28 01:39 . 2008-03-28 01:39 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\AVG7
2008-03-28 01:03 . 2008-03-28 01:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\VersionTracker Pro
2008-03-28 00:46 . 2008-03-29 08:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-03-28 00:33 . 2008-03-28 00:38 <DIR> d-------- C:\Documents and Settings\Richard Feldman\Application Data\AVG7
2008-03-28 00:33 . 2008-03-28 00:33 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-28 00:32 . 2008-03-30 11:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-28 00:13 . 2008-03-28 00:13 <DIR> d-------- C:\Program Files\CCleaner
2008-03-27 22:43 . 2008-03-30 08:50 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-03-27 22:30 . 2008-03-27 22:30 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-27 22:09 . 2008-03-30 10:54 <DIR> d-------- C:\SDFix
2008-03-27 21:50 . 2008-03-27 21:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\U3
2008-03-26 23:07 . 2008-03-26 23:07 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-26 23:05 . 2008-03-26 23:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-26 10:33 . 2008-03-26 18:19 <DIR> d-------- C:\Documents and Settings\Richard Feldman\Application Data\VersionTracker Pro
2008-03-26 10:32 . 2008-03-26 10:32 <DIR> d-------- C:\Program Files\TechTracker
2008-03-24 13:05 . 2008-03-26 22:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-03-24 07:34 . 2008-03-24 07:34 <DIR> d-------- C:\Documents and Settings\Richard Feldman\Application Data\IObit
2008-03-21 18:16 . 2008-03-21 18:16 <DIR> d-------- C:\Program Files\IObit
2008-03-21 18:15 . 2008-03-21 18:15 <DIR> d-------- C:\Program Files\Auslogics
2008-03-21 18:15 . 2008-03-21 18:15 <DIR> d-------- C:\Documents and Settings\Richard Feldman\Application Data\Auslogics
2008-03-20 09:02 . 2004-08-04 06:00 5,632 --a------ C:\WINDOWS\system32\write.exe
2008-03-20 09:02 . 2004-08-04 06:00 5,632 --a------ C:\WINDOWS\system32\dllcache\write.exe
2008-03-20 09:01 . 2004-08-04 06:00 214,528 --a------ C:\WINDOWS\system32\dllcache\wordpad.exe
2008-03-19 10:05 . 2008-03-19 10:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-03-18 00:52 . 2008-03-18 00:52 <DIR> d-------- C:\Documents and Settings\Richard Feldman\Application Data\PCF-VLC
2008-03-17 21:35 . 2008-03-17 21:35 <DIR> d-------- C:\Documents and Settings\Richard Feldman\Application Data\Participatory Culture Foundation
2008-03-17 21:34 . 2008-03-17 21:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Participatory Culture Foundation
2008-03-17 21:33 . 2008-03-17 21:33 <DIR> d-------- C:\Program Files\Participatory Culture Foundation
2008-03-14 17:17 . 2008-03-14 17:22 <DIR> d-------- C:\Program Files\Microsoft Expression
2008-03-14 08:21 . 2008-03-14 08:21 <DIR> d-------- C:\Program Files\Uniblue
2008-03-13 22:03 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-03-13 21:01 . 2008-03-13 21:01 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-03-13 20:54 . 2008-03-13 20:54 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-03-13 20:53 . 2008-03-14 16:58 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-03-13 20:50 . 2008-03-15 19:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-13 20:48 . 2008-03-13 20:48 <DIR> dr-h----- C:\MSOCache
2008-03-13 19:00 . 2008-03-13 19:00 <DIR> d-------- C:\Program Files\MagicISO
2008-03-10 21:26 . 2008-03-10 21:26 <DIR> d-------- C:\Program Files\ProXoft
2008-03-10 17:59 . 2008-03-10 17:59 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Music Converter.bmp
2008-03-10 17:59 . 2008-03-10 17:59 12,896 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2008-03-10 17:54 . 2008-03-10 17:54 <DIR> d-------- C:\Documents and Settings\Richard Feldman\Application Data\AccurateRip
2008-03-09 00:57 . 2008-03-09 00:57 107,928 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-03-09 00:36 . 1999-10-10 11:00 41,984 --------- C:\WINDOWS\Ctregrun.exe
2008-03-08 13:32 . 2008-03-09 01:03 <DIR> d-------- C:\Program Files\Picasa2
2008-03-05 13:01 . 2008-03-05 13:00 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp m4a Codec.bmp
2008-03-05 13:01 . 2008-03-05 13:01 3,625 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp m4a Codec.dat
2008-03-04 10:29 . 2008-03-04 10:28 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Windows Media Audio 10 Codec.bmp
2008-03-04 10:29 . 2008-03-04 10:29 3,400 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Windows Media Audio 10 Codec.dat
2008-03-02 23:04 . 2008-03-02 23:04 <DIR> d-------- C:\Documents and Settings\Richard Feldman\Application Data\dBpoweramp
2008-03-02 21:12 . 2008-03-02 21:12 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Wave64 Codec.bmp
2008-03-02 21:12 . 2008-03-02 21:12 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBPoweramp tooLame MP2 codec.bmp
2008-03-02 21:12 . 2008-03-02 21:11 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Real Audio (Helix) Encoder.bmp
2008-03-02 21:12 . 2008-03-02 21:12 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Mp2 and BwfMp2 codec.bmp
2008-03-02 21:12 . 2008-03-02 21:12 11,473 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Real Audio (Helix) Encoder.dat
2008-03-02 21:12 . 2008-03-02 21:12 2,228 --a------ C:\WINDOWS\system32\SpoonUninstall-dBPoweramp tooLame MP2 codec.dat
2008-03-02 21:12 . 2008-03-02 21:12 1,844 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Mp2 and BwfMp2 codec.dat
2008-03-02 21:12 . 2008-03-02 21:12 1,224 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Wave64 Codec.dat
2008-03-02 21:11 . 2008-03-02 21:11 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp WavPack Codec.bmp
2008-03-02 21:11 . 2008-03-02 21:11 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Ogg Vorbis Codec.bmp
2008-03-02 21:11 . 2008-03-02 21:10 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp mp3 (Fraunhofer IIS) Codec.bmp
2008-03-02 21:11 . 2008-03-02 21:11 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Dalet Codec.bmp
2008-03-02 21:11 . 2008-03-02 21:11 3,153 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp mp3 (Fraunhofer IIS) Codec.dat
2008-03-02 21:11 . 2008-03-02 21:11 3,061 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Ogg Vorbis Codec.dat
2008-03-02 21:11 . 2008-03-02 21:11 3,008 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp WavPack Codec.dat
2008-03-02 21:11 . 2008-03-02 21:11 1,206 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Dalet Codec.dat
2008-03-02 21:10 . 2008-03-02 21:10 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Monkeys Audio Codec.bmp
2008-03-02 21:10 . 2008-03-02 21:10 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp FLAC Codec.bmp
2008-03-02 21:10 . 2008-03-02 21:10 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp [Calculate Audio CRC] Codec.bmp
2008-03-02 21:10 . 2008-03-02 21:10 3,107 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Monkeys Audio Codec.dat
2008-03-02 21:10 . 2008-03-02 21:10 2,987 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
2008-03-02 21:10 . 2008-03-02 21:10 2,843 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp [Calculate Audio CRC] Codec.dat
2008-03-02 21:00 . 2008-03-02 20:59 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp DSP Effects.bmp
2008-03-02 21:00 . 2008-03-02 21:00 8,457 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp DSP Effects.dat
2008-03-02 20:59 . 2008-03-04 10:24 4,230,520 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2008-03-02 20:58 . 2008-03-02 20:58 <DIR> d-------- C:\Program Files\Illustrate

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-30 20:24 360 ----a-w C:\drmHeader.bin
2008-03-27 04:41 --------- d-----w C:\Documents and Settings\Richard Feldman\Application Data\uTorrent
2008-03-27 00:16 --------- d-----w C:\Program Files\LimeWire
2008-03-26 17:33 43,162 ----a-w C:\Documents and Settings\Richard Feldman\Application Data\wklnhst.dat
2008-03-26 17:26 --------- d-----w C:\Documents and Settings\Richard Feldman\Application Data\LimeWire
2008-03-25 20:08 --------- d-----w C:\Program Files\Replay Media Catcher
2008-03-25 17:29 --------- d-----w C:\Documents and Settings\Richard Feldman\Application Data\U3
2008-03-22 03:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-20 15:45 --------- d-----w C:\Program Files\Creative
2008-03-20 15:38 --------- d-----w C:\Program Files\Google
2008-03-18 23:52 --------- d-----w C:\Documents and Settings\Richard Feldman\Application Data\OpenOffice.org2
2008-03-17 03:00 --------- d-----w C:\Program Files\IrfanView
2008-03-15 03:41 --------- d-----w C:\Program Files\uTorrent
2008-03-14 16:12 --------- d-----w C:\Documents and Settings\Richard Feldman\Application Data\MailWasherPro
2008-03-14 04:28 --------- d-----w C:\Program Files\Microsoft Works
2008-03-14 04:23 --------- d-----w C:\Program Files\MSBuild
2008-03-12 00:26 --------- d-----w C:\Documents and Settings\Richard Feldman\Application Data\Lavasoft
2008-03-11 20:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-03-11 15:20 --------- d-----w C:\Program Files\Java
2008-03-10 04:53 --------- d--h--w C:\Program Files\Creative Installation Information
2008-03-10 04:39 --------- d-----w C:\Documents and Settings\Richard Feldman\Application Data\albumart
2008-03-07 17:20 --------- d-----w C:\Program Files\Auctiontamer atx files
2008-03-05 15:34 --------- d-----w C:\Documents and Settings\Richard Feldman\Application Data\Vso
2008-03-01 01:19 --------- d-----w C:\Documents and Settings\Richard Feldman\Application Data\Creative
2008-02-29 21:24 --------- d-----w C:\Program Files\Common Files\Creative
2008-02-25 19:54 105,088 ----a-w C:\WINDOWS\system32\drivers\Rtnicxp.sys
2008-02-25 17:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-24 04:55 34,622 ----a-w C:\Program Files\INSTALL.LOG
2008-02-15 15:22 --------- d-----w C:\Program Files\CONEXANT
2008-02-12 18:51 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-09 01:35 23,604 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
2008-02-01 22:21 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2008-01-28 14:37 47,360 ----a-w C:\Documents and Settings\Richard Feldman\Application Data\pcouffin.sys
2008-01-22 15:22 3,993,600 ----a-w C:\Program Files\atamer.exe
2007-10-22 01:06 1,861 ----a-w C:\Program Files\atamer.log
2007-10-21 00:29 2,272 ----a-w C:\Program Files\atamer1.log
2007-10-19 19:23 459 ----a-w C:\Program Files\atamer2.log
2007-10-19 14:46 1,108 ----a-w C:\Program Files\atamer3.log
2007-10-19 03:25 4,390 ----a-w C:\Program Files\atamer4.log
2007-10-19 03:24 3,039,846 ----a-w C:\Program Files\auctamerprobuy.exe
2007-10-17 15:24 607 ----a-w C:\Program Files\atamer5.log
2007-10-01 15:21 6,457 ----a-w C:\Program Files\atlist.htm
2007-01-19 17:22 906,248 ----a-w C:\Program Files\atbuy20070102.exe
2006-11-25 06:30 1,062 ----a-w C:\Program Files\uninstal.log
2006-11-06 16:59 904,662 ----a-w C:\Program Files\atbuy20061030.exe
2006-10-27 14:50 904,608 ----a-w C:\Program Files\atbuy20061024.exe
2006-04-14 01:33 20,992 ----a-w C:\Program Files\atsmtpdll.dll
2006-03-26 01:13 70,116 ----a-w C:\Program Files\itemfinder.wav
2006-03-17 16:24 689 ----a-w C:\Program Files\atamer.exe.manifest
2004-06-10 16:26 68,592 ----a-w C:\Program Files\won.wav
2001-01-22 18:05 435,136 ----a-w C:\Program Files\Vsflex7d.ocx
2001-01-10 18:23 162,304 ----a-w C:\Program Files\UNWISE.EXE
2000-03-23 06:08 40,766 ----a-w C:\Program Files\hammer.wav
2000-03-05 03:38 35,140 ----a-w C:\Program Files\paid.wav
1998-05-02 00:01 13,292 ----a-w C:\Program Files\5Min.wav
1997-07-11 16:37 1,758 ----a-w C:\Program Files\add.wav
1996-09-05 01:03 64,556 ----a-w C:\Program Files\coin.wav
1996-09-05 01:03 64,556 ----a-w C:\Program Files\ching.wav

<<<<< CONTINUED >>>>>

rich97702
2008-04-01, 19:21
<<<<< COMBOFIX LOG CONTINUED >>>>> (followed by HJT log)

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0B05BAFD-9A65-4DCB-87D1-58BDD8B65628}]
C:\WINDOWS\system32\awtqq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D8810E13-F0A9-4ED5-8299-C29100A6EF4A}]
C:\WINDOWS\system32\pmnlk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E438A7F5-82E1-4786-9E44-B064135451AB}]
C:\WINDOWS\system32\mljjh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E97B3691-C10E-40CD-9597-81151D366D45}]
C:\WINDOWS\system32\awtqr.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2008-02-08 18:36 227856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vturopo]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Calendar Sync.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Calendar Sync.lnk
backup=C:\WINDOWS\pss\Google Calendar Sync.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^Richard Feldman^Start Menu^Programs^Startup^MailWasherPro.lnk]
backup=C:\WINDOWS\pss\MailWasherPro.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-04-11 10:00 339968 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
--------- 2004-12-02 19:23 102400 C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 01:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSyncU.exe]
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2007-08-14 13:18 1838592 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 07:00 33648 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon04]
--a------ 2002-11-22 12:48 348160 C:\WINDOWS\system32\hphmon04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 16:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 16:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxtorOneTouch]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MtdAcq]
--------- 2005-09-14 15:40 229466 C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxomssmenu]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 02:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-07-27 16:33 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tinySpell]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue ProcessQuickLink 2]
--a------ 2007-11-02 17:46 655640 C:\Program Files\Uniblue\ProcessQuickLink 2\ProcessQuickLink2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpeedUpMyPC]
C:\Program Files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vsc32cnf.exe]
--a------ 2000-02-07 04:02 36864 C:\Program Files\Roland\VSC32\vsc32cnf.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vscvol.exe]
--a------ 2000-02-09 00:19 36864 C:\Program Files\Roland\VSC32\vscvol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"Iomega App Services"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WinDefend"=2 (0x2)
"Symantec Core LC"=2 (0x2)
"MaxBackServiceInt"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)
"GoogleDesktopManager"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"LightScribeService"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:*:Disabled:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:*:Disabled:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 IABFilt;Iomega Snapshot Volume Filter;C:\WINDOWS\system32\DRIVERS\IABFilt.sys [2005-07-01 10:15]
R2 RVIEG01;VSC Engine;C:\Program Files\Roland\Virtual Sound Canvas DXi\RVIEg01.sys [2001-04-13 19:16]
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-08-22 16:06]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
R3 vsc32;Virtual Sound Canvas 3.2;C:\WINDOWS\system32\DRIVERS\vsc.sys [2001-04-16 10:16]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 01:00]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 01:00]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 01:00]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 01:00]
S3 portio;portio;C:\Program Files\Zinf\portio.sys []
S3 RDID1027;EDIROL PCR;C:\WINDOWS\system32\Drivers\rdwm1027.sys [2003-10-31 03:59]
S3 XLoader;PLEXTOR EZ-USB FX2 FIRMWARE LOADER (XLoader.sys);C:\WINDOWS\system32\Drivers\XLoader.sys [2004-01-21 20:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

.
Contents of the 'Scheduled Tasks' folder
"2008-03-31 12:59:07 C:\WINDOWS\Tasks\HP Update.job"
- C:\PROGRA~1\Hp\HPSOFT~1\HPWUCli.exe
"2008-04-01 08:54:06 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-01 08:55:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-04-01 9:05:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-01 16:05:05
Pre-Run: 22,078,111,744 bytes free
Post-Run: 21,942,677,504 bytes free
.
2008-03-14 15:10:55 --- E O F ---

----------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:19:41 AM, on 4/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {0B05BAFD-9A65-4DCB-87D1-58BDD8B65628} - C:\WINDOWS\system32\awtqq.dll (file missing)
O2 - BHO: (no name) - {D8810E13-F0A9-4ED5-8299-C29100A6EF4A} - C:\WINDOWS\system32\pmnlk.dll (file missing)
O2 - BHO: (no name) - {E438A7F5-82E1-4786-9E44-B064135451AB} - C:\WINDOWS\system32\mljjh.dll (file missing)
O2 - BHO: (no name) - {E97B3691-C10E-40CD-9597-81151D366D45} - C:\WINDOWS\system32\awtqr.dll (file missing)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187565712125
O16 - DPF: {7DD82D6B-3553-470B-8D1E-D5C7086478A7} (QBMASSyncCom2_2005.UserControl1) - https://merchantaccount.quickbooks.com/sync/QBMASSyncCom2_2005.cab
O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} (CInstallLPCtrl Object) - http://u3.sandisk.com/download/apps/LPInstaller.CAB
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {F21AC8A4-4322-11D6-8EBE-0001023D1A2A} (IntuitRecurPayCom.UserControl1) - https://merchantaccount.quickbooks.com/recurchrg/IntuitRecurPayCom.cab
O16 - DPF: {F8A9F96F-8375-4596-BD89-EEAE2781D810} (QBMASSyncCom1.UserControl1) - https://merchantaccount.quickbooks.com/sync/QBMASSyncCom1.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: vturopo - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O24 - Desktop Component 0: (no name) - http://images.metacafe.com/image215_149_10/90/81866/362986/funny_cats_2.jpg

--
End of file - 4984 bytes

ken545
2008-04-01, 19:53
Hello,

You're doing great :bigthumb:

Do you have any software on your system related to an Auction??



Open Notepad (this will only work in Notepad) and copy all the text inside the Code box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before or above File::



File::
C:\WINDOWS\system32\awtqq.dll
C:\WINDOWS\system32\pmnlk.dll
C:\WINDOWS\system32\mljjh.dll
C:\WINDOWS\system32\awtqr.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0B05BAFD-9A65-4DCB-87D1-58BDD8B65628}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D8810E13-F0A9-4ED5-8299-C29100A6EF4A}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E438A7F5-82E1-4786-9E44-B064135451AB}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E97B3691-C10E-40CD-9597-81151D366D45}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vturopo]


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

rich97702
2008-04-01, 21:15
Ken,
ComboFix Hang. Reads:
------------------------------------------
Scanning for infected files . . .
This typically doesn't take more than 10 minutes
However, scan times for badly infected machines may easily double

ComboFix has changed your clock settings.
Do not change it back. It shall be restored later


Completed Stage_1
Completed Stage_2
----------------------------------------
(cursor still blinking where next entry would start)

Carefully saved script as directed in notepad as "CFScipt" (not as "CFScript.txt"), dragged, dropped on ComboFix, it started and got as far as you see above. I may not have gotten Kaspersky paused in time, if that could cause this.
Please advise. I have not closed the CF window at this point.
Thanks,
Rich

ken545
2008-04-01, 23:48
Close down both ComboFix and Kaspersky and do it this way. Those files are most likely gone; it was just a double check to make sure.

Open HijackThis and do a System Scan Only. Close your browser and all open windows including this one (the only program or window you should have open is HijackThis), check the following entries and click on Fix Checked.

O2 - BHO: (no name) - {0B05BAFD-9A65-4DCB-87D1-58BDD8B65628} - C:\WINDOWS\system32\awtqq.dll (file missing)
O2 - BHO: (no name) - {D8810E13-F0A9-4ED5-8299-C29100A6EF4A} - C:\WINDOWS\system32\pmnlk.dll (file missing)
O2 - BHO: (no name) - {E438A7F5-82E1-4786-9E44-B064135451AB} - C:\WINDOWS\system32\mljjh.dll (file missing)
O2 - BHO: (no name) - {E97B3691-C10E-40CD-9597-81151D366D45} - C:\WINDOWS\system32\awtqr.dll (file missing)

O20 - Winlogon Notify: vturopo - C:\WINDOWS\




Please download OTMoveIt2 (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe) by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



C:\WINDOWS\system32\awtqq.dll
C:\WINDOWS\system32\pmnlk.dll
C:\WINDOWS\system32\mljjh.dll
C:\WINDOWS\system32\awtqr.dll

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Post the OTMoveIt log and a New HJT log please
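
The CFScript in the 19:53 post and the HijackThis "Fix Checked" / OTMoveIt lists above are all built from the same five log lines: four O2 BHO entries marked "(file missing)" and one O20 Winlogon Notify entry pointing at a bare directory. The following is an added example, not code from the thread or from ComboFix/HijackThis, that parses those HijackThis lines and emits the equivalent CFScript. It assumes that an O2 entry ending in "(file missing)" is an orphaned BHO registration, that an O20 entry whose path names no .dll is orphaned, and it writes out the full Browser Helper Objects and Winlogon\Notify key paths instead of the "~" shorthand used in the post. The sample log is constructed from the lines quoted above plus a named, present BHO and an O9 line to show that they are left alone.

```python
"""
Parse a HijackThis 2.0 log for orphaned browser-helper-object and Winlogon
Notify registrations and emit a ComboFix CFScript covering them.

Assumptions (not from the original thread):
  - An O2 line ending in "(file missing)" is an orphaned BHO registration.
  - An O20 Winlogon Notify line whose path does not name a .dll is orphaned.
  - Registry keys are written out in full rather than with ComboFix's "~"
    shorthand used in the thread.
"""
import re

# O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# O20 - Winlogon Notify: <name> - <path>
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")

# Standard registry locations for these entries (full paths, no ComboFix "~").
BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
NOTIFY_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
              r"\CurrentVersion\Winlogon\Notify")

# Constructed sample: the four O2 lines and the O20 line from the log above,
# plus a named, present BHO and an O9 line as noise that must be ignored.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B05BAFD-9A65-4DCB-87D1-58BDD8B65628} - C:\WINDOWS\system32\awtqq.dll (file missing)
O2 - BHO: (no name) - {D8810E13-F0A9-4ED5-8299-C29100A6EF4A} - C:\WINDOWS\system32\pmnlk.dll (file missing)
O2 - BHO: (no name) - {E438A7F5-82E1-4786-9E44-B064135451AB} - C:\WINDOWS\system32\mljjh.dll (file missing)
O2 - BHO: (no name) - {E97B3691-C10E-40CD-9597-81151D366D45} - C:\WINDOWS\system32\awtqr.dll (file missing)
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O20 - Winlogon Notify: vturopo - C:\WINDOWS\
"""


def parse_hjt(log_text):
    """Return (files, keys): paths for ComboFix's File:: section and
    registry keys for its Registry:: section."""
    files, keys = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            if m.group("missing"):
                # The DLL is gone but its CLSID is still registered as a BHO:
                # queue the path (ComboFix confirms it is absent) and the key.
                files.append(m.group("path"))
                keys.append(BHO_KEY + "\\" + m.group("clsid"))
            continue
        m = O20_RE.match(line)
        if m and not m.group("path").lower().endswith(".dll"):
            # Notify package whose DllName resolves to no DLL: drop the subkey.
            keys.append(NOTIFY_KEY + "\\" + m.group("name"))
    return files, keys


def build_cfscript(files, keys):
    """Render the CFScript text. The first line must be exactly "File::"
    with nothing before it, as the post above stresses."""
    lines = ["File::"] + files + ["", "Registry::"]
    for key in keys:
        lines.append(f"[-{key}]")  # a leading "-" tells ComboFix to delete the key
        lines.append("")
    return "\n".join(lines).rstrip("\n") + "\n"


if __name__ == "__main__":
    print(build_cfscript(*parse_hjt(SAMPLE_LOG)), end="")
```

Save the printed text as CFScript on the desktop and drag it onto ComboFix.exe exactly as described above. Note that a BHO line with "(file missing)" cannot load anything on its own; what the script removes is the leftover registration, which is why the OTMoveIt run that follows reports every one of those DLLs as "not found" and the next HijackThis log no longer lists them.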

rich97702
2008-04-02, 00:13
File/Folder C:\WINDOWS\system32\awtqq.dll not found.
File/Folder C:\WINDOWS\system32\pmnlk.dll not found.
File/Folder C:\WINDOWS\system32\mljjh.dll not found.
File/Folder C:\WINDOWS\system32\awtqr.dll not found.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 04012008_150926

----------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:12, on 2008-04-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\ComboFix\nircmd.cfexe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187565712125
O16 - DPF: {7DD82D6B-3553-470B-8D1E-D5C7086478A7} (QBMASSyncCom2_2005.UserControl1) - https://merchantaccount.quickbooks.com/sync/QBMASSyncCom2_2005.cab
O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} (CInstallLPCtrl Object) - http://u3.sandisk.com/download/apps/LPInstaller.CAB
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {F21AC8A4-4322-11D6-8EBE-0001023D1A2A} (IntuitRecurPayCom.UserControl1) - https://merchantaccount.quickbooks.com/recurchrg/IntuitRecurPayCom.cab
O16 - DPF: {F8A9F96F-8375-4596-BD89-EEAE2781D810} (QBMASSyncCom1.UserControl1) - https://merchantaccount.quickbooks.com/sync/QBMASSyncCom1.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O24 - Desktop Component 0: (no name) - http://images.metacafe.com/image215_149_10/90/81866/362986/funny_cats_2.jpg

--
End of file - 4271 bytes

rich97702
2008-04-02, 00:18
Word wrap is now off again. Sorry.

rich97702
2008-04-02, 00:39
RE: Do you have any software on your system related to an Auction??

Yes- AuctionTamer (many auctions). I back up these files as they are important.

ken545
2008-04-02, 01:24
Ok, that's fine. I saw some files that ComboFix found (but did not delete) related to an Auction, so if you say they're safe then we will leave them be.

Your log looks fine :bigthumb: How is your system behaving now??

rich97702
2008-04-02, 04:16
Ken- KUDOS!
All is well to this point. I'll run Kaspersky AV (trial) tonight and will respond tomorrow if I have any questions, if that's OK.

I do wonder about:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

Sounds ominous! (?)

I would like to make a donation, here, as well as to others that you feel would be appropriate in my case- I'm pretty green as far as... that is to say, I would benefit from a little etiquette coaching, if you don't mind.
I had no idea this level of Professional help was at Everyone's disposal, and it was simple luck that I found the site.
You've been awesome and I can't thank you enough Ken.
All the best to you and yours,
Rich
Bend, OR

ken545
2008-04-02, 04:29
Rich,

This forum, as with most of the other Malware Removal Forums, is staffed by volunteers; we do this because we like people like yourself and really despise the dirtbags that write this garbage, so any donation, big or small, just goes to keep us online.

You should have a Recovery Console installed; most new computers come with this. What it is: if you should trash your computer and it won't boot into Windows, you can boot to the RC and do a Windows repair. This is a good feature that you should have.


After you post the above logs please go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System

http://img.photobucket.com/albums/v666/sUBs/KB310994.gif


Download the file & save it as its originally named, next to ComboFix.exe.



http://img.photobucket.com/albums/v666/sUBs/rc1.gif


Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.

rich97702
2008-04-02, 09:50
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
-----------------------------------------------------

"TELL HIM WHAT HE'S WON, JAY"!

ken545
2008-04-02, 10:53
Looks good.



How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)



Keep in mind, if you install some of these programs: only ONE Anti Virus and only ONE Firewall is recommended; more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy, but do not enable the TeaTimer in Spybot.

Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community:

Spybot Search and Destroy 1.5 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 2.0.0.13 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.


Glad we could help

Safe Surfn
Ken

rich97702
2008-04-02, 18:52
Ken,
No problems encountered in various scans- all working well. I'm more than impressed!

:bow:

From the wealth of information via your last post I can see it's time for me to join the '90's- although I can say this: :FF: I had to blow the dust off of IE to run the Kaspersky Web Scan.

Today I'll rejoin the workforce but tonight I'll get a chance to start implementing recommendations.

Thanks so much, again,
Rich

PS Donation was a pleasure to make! :beerbeerb:

ken545
2008-04-02, 19:19
Glad all is well Rich,:bigthumb:

Take care,
Ken :)

rich97702
2008-04-03, 03:31
Ken,
Little question you are the person to ask:

My back-up Utility is elderly and unsupported (IOmega Backup Pro). Do you have a favorite(s) to recommend, or a site for me to investigate?

Rich

ken545
2008-04-03, 04:05
Hello Rich,

I think the days of backing up to a CD are getting old. What I use and find really reliable is an External Hard drive. I have been using my Maxtor One Touch for years. It comes with backup software that you can schedule backups with, or you can also press the button on the front of the unit anytime you want to back up and there she goes. I don't know what your budget is and also the capacity that you need, but Costco usually has some good prices on them.

http://www.maxtorsolutions.com/en/catalog/OTIII_USB/index.html

http://www.amazon.com/Maxtor-OneTouch-160GB-Portable-Drive/dp/B000M2TAKM

http://www.costco.com/Common/Category.aspx?ec=BC-EC10626-Cat31022&pos=1&whse=BC&topnav=&cat=31023&eCat=BC|84|31022|31023&lang=en-US



Another option is a flash or thumb drive; I use the SanDisk Mini Cruzer. With this and also the external drive you can copy and paste any files, pics, movies, songs, whatever you like on to them with no problems. I have a lot of the tools I use to clean infections, like Malwarebytes, Vundofix and a bunch more, saved to my SanDisk and I take it with me when I do jobs on the side in case the computer I am working on is borked and doesn't have any internet access. Check Costco before you buy, they seem to have the best prices.

http://www.costco.com/Browse/Product.aspx?Prodid=11123986&whse=BC&topnav=&browse=&lang=en-US

Hope this helps,

Ken

rich97702
2008-04-03, 17:16
Eerie-
Purchased both the Maxtor One-Touch (320G) and the SanDisk Cruiser (2G) recently. "Great minds...".

Off topic and at risk of overstaying my welcome...

The software for the One-Touch seemed to have a rather large footprint for my laptop (1.79GHz 384 MB RAM) so I was using the IOmega software I already had. I will say I didn't give it much of a chance... any tips come to mind?
R

ken545
2008-04-03, 18:22
Hello Rich,

In these forums there is no such thing as overstaying your welcome. 384 MB of RAM is really borderline; for XP to run nicely you need at least 512 or more. You can go to this site, it's where all the big boys buy their memory; you can download a free scanner that will scan your system and tell you what you have installed and what you can install to upgrade.
http://crucial.com/


My Maxtor came with Retrospect software that would let me do a backup on selected files, and it also had the option to do a Duplicate backup. The duplicate basically mirrors whatever folders you want to duplicate. Myself, I have never done a full system backup; I just back up the files and photos I don't want to lose. I have always had the thinking that if my system got corrupted and crashed I would rather format and do a clean install to have everything like new again and then transfer my files from my backup to the computer, but you can do a full system backup and restore your computer to before it crashed, so whatever works for you.

rich97702
2008-04-04, 05:21
Thank you for the link Ken. I'm afraid my rookie is really showing now... I wasn't even aware that this could be done with a laptop- 1st one I've owned.

2G of memory on the way. That's likely overkill today, just enough come tomorrow.

Off TO THE '90s

Thanks,
Rich

ken545
2008-04-04, 05:28
Rich,

Installing memory in a laptop is a no-brainer but it's very delicate; post back when it arrives and I can help guide you through it. With Windows XP, 1 GB would have been fine but 2 is even better, just make sure your system supports that much or you could have issues.

Ken

rich97702
2008-04-04, 06:24
The board is maxed out with 2G installed- XP Pro will recognize about 3-3.5G apparently.
What a great site for information.

I have two of these machines so likely will split the two modules eventually, which they say I can do (256MB in one slot, 1G in the other, both being PC2700). We'll see. From the site:

Currently installed memory:

256MB
DDR PC2700
(2 each)

Each memory slot can hold DDR PC2700 with a maximum of 1GB per slot.

1GB, 200-pin SODIMM, DDR PC2700 memory module
* Module Size: 1GB
* Package: 200-pin SODIMM
* Feature: DDR PC2700
* Specs: DDR PC2700 • CL=2.5 • Unbuffered • NON-ECC • DDR333 • 2.5V • 128Meg x 64

Thanks much for the offer of (more) help- I'll give a shout when they get here.
Will this thread still exist to reply to, or should I send a private message from this site?
Rich

ken545
2008-04-04, 13:53
Rich,

You will most likely be ok with just the 1 GB in the slot. You can keep the 256 if you wish, but that needs to be removed and moved back to the second slot; the larger amount of memory always goes in the first slot.

This thread can stay open for a week or so; if it's closed before you get your memory just PM me. Crucial is fast: I ordered a mem upgrade for a gal I work with on a Thursday night and it arrived in my office Monday morning.

Ken

rich97702
2008-04-09, 17:50
Hi Ken,
I'm all set here for the memory installation...

(From 2 slots/256Mb each <to> slot 1- 1Gb / slot 2- 256Mb)

Crucial has a pretty thorough guide that I've read HERE (http://www.crucial.com/install/sodimm.aspx#trouble) and I've looked through the manual as well.

It seems very straight forward, finer points being-

Remove battery, drain residual power w/ power button,
stay grounded to frame (and no feet shuffling),
1Gb module in 1st slot,
Delicate touch- use fingers only, no fingers on connections,
press all the way home, firmly.

Anything else?

Thanks,
Rich

ken545
2008-04-09, 18:24
Looking good Rich. Keep a few things in mind: the snaps on the slot holding the memory in are made out of plastic, so use only your fingers and don't force anything, it's very fragile. Look at the bottom of the module, there is a slot; make sure it lines up with the slot on the motherboard. After you have it lined up correctly, just pressing the module into the slot will close the snaps. Try not to touch the surface or the gold coating on the bottom.

Forgot to add.... after you get it installed and restart your computer, right click on My Computer and then click on Properties and down towards the bottom you should see the new amount of memory installed.

Let me know how it went.

Ken

rich97702
2008-04-10, 01:30
Just as smooth as it sounded.

It says 1.79 GHz and 1.12 GB of RAM. That looks right to me.

First thing I noticed, on reboot, was that tasks are snapping (technical term) right along, with no discernible transitions (which were significant previously) from one to the next as it rebooted. Haven't done much else at this point but wanted to let you know there were no problems, and to thank you once again for the education.

I suspect I'll write with a question if it presents itself- you've been most generous!

Rich

PS
FWIW- My expertise lies in the repair and restoration of wind instruments (any and all). This is my 31st year in a field in which I have maintained a continued education and a particular passion for, so...

if I can return a favor, and I would love to, please don't hesitate to take advantage of an open-ended offer to do so- if you should ever have a need.

ken545
2008-04-10, 02:36
Thank You Rich,

I am so glad things worked out for you. :bigthumb: Adding memory to a system is the fastest and cheapest upgrade you can do. When you get into trying to upgrade a processor, it opens a whole different can of worms.

I am not too musically inclined, but thanks for your offer.

Take Care,
Ken