after 2 weeks trying to kill with 1 reformat, virtumonde still lives!

misfit
2008-04-10, 14:04
...that's why I came here to ask for assistance:

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:35:11 PM, on 4/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Prolink\PlayTV Pro\PIXELFM.EXE
C:\WINDOWS\PS.exe
C:\WINDOWS\system32\wscntfy.exe
D:\TEMP DOWNLOADS\vunfixed\HiJackThis2123.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {771B2F75-7467-497F-BB00-CD38C195A377} - C:\WINDOWS\system32\khfEWoLF.dll (file missing)
O2 - BHO: (no name) - {8E1BFC0E-8AD2-424D-AC8A-06038481516E} - C:\WINDOWS\system32\opnmKbYS.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {D359E55E-9F91-4252-88C1-14E4B7E0D085} - C:\WINDOWS\system32\jkkHWPif.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PowerS] C:\WINDOWS\PowerS.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL,c:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O20 - Winlogon Notify: opnmKbYS - C:\WINDOWS\SYSTEM32\opnmKbYS.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 7938 bytes

misfit
2008-04-10, 14:09
Kaspersky online scan log to follow; it is still scanning and I think it's real slow right now.

misfit
2008-04-10, 17:39
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, April 11, 2008 12:11:16 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/04/2008
Kaspersky Anti-Virus database records: 695757
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 262856
Number of viruses found: 3
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 03:30:37

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Charon\CACHE.NDB Object is locked skipped
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\virlog.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\warnlog.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_4ac.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Vince\Application Data\Mozilla\Firefox\Profiles\tczr0ydd.default\cert8.db Object is locked skipped
C:\Documents and Settings\Vince\Application Data\Mozilla\Firefox\Profiles\tczr0ydd.default\content-prefs.sqlite Object is locked skipped
C:\Documents and Settings\Vince\Application Data\Mozilla\Firefox\Profiles\tczr0ydd.default\cookies.sqlite Object is locked skipped
C:\Documents and Settings\Vince\Application Data\Mozilla\Firefox\Profiles\tczr0ydd.default\downloads.sqlite Object is locked skipped
C:\Documents and Settings\Vince\Application Data\Mozilla\Firefox\Profiles\tczr0ydd.default\formhistory.sqlite Object is locked skipped
C:\Documents and Settings\Vince\Application Data\Mozilla\Firefox\Profiles\tczr0ydd.default\key3.db Object is locked skipped
C:\Documents and Settings\Vince\Application Data\Mozilla\Firefox\Profiles\tczr0ydd.default\parent.lock Object is locked skipped
C:\Documents and Settings\Vince\Application Data\Mozilla\Firefox\Profiles\tczr0ydd.default\permissions.sqlite Object is locked skipped
C:\Documents and Settings\Vince\Application Data\Mozilla\Firefox\Profiles\tczr0ydd.default\places.sqlite Object is locked skipped
C:\Documents and Settings\Vince\Application Data\Mozilla\Firefox\Profiles\tczr0ydd.default\places.sqlite-journal Object is locked skipped
C:\Documents and Settings\Vince\Application Data\Mozilla\Firefox\Profiles\tczr0ydd.default\places.sqlite-stmtjrnl Object is locked skipped
C:\Documents and Settings\Vince\Application Data\Mozilla\Firefox\Profiles\tczr0ydd.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Vince\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Vince\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Vince\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Vince\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Vince\Local Settings\Application Data\Mozilla\Firefox\Profiles\tczr0ydd.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Vince\Local Settings\Application Data\Mozilla\Firefox\Profiles\tczr0ydd.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Vince\Local Settings\Application Data\Mozilla\Firefox\Profiles\tczr0ydd.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Vince\Local Settings\Application Data\Mozilla\Firefox\Profiles\tczr0ydd.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Vince\Local Settings\Application Data\Mozilla\Firefox\Profiles\tczr0ydd.default\urlclassifier3.sqlite Object is locked skipped
C:\Documents and Settings\Vince\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Vince\Local Settings\History\History.IE5\MSHist012008041020080411\index.dat Object is locked skipped
C:\Documents and Settings\Vince\Local Settings\Temp\fla1284.tmp Object is locked skipped
C:\Documents and Settings\Vince\Local Settings\Temp\fla12C3.tmp Object is locked skipped
C:\Documents and Settings\Vince\Local Settings\Temp\fla13D4.tmp Object is locked skipped
C:\Documents and Settings\Vince\Local Settings\Temp\nbkauubk.dll Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Vince\Local Settings\Temp\Perflib_Perfdata_d30.dat Object is locked skipped
C:\Documents and Settings\Vince\Local Settings\Temp\~DF2732.tmp Object is locked skipped
C:\Documents and Settings\Vince\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Vince\Local Settings\Temporary Internet Files\Content.IE5\C3W7IJKH\kriv[1] Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Vince\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Vince\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Vince\NTUSER.DAT.LOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdbdata.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdblog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log_12.trc Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\billing_Vince.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\client_Vince.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\network_Vince.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{9D21ED0C-7DEB-4615-BE6B-E0397E15FBD2}\RP20\A0001460.exe Infected: Trojan.Win32.VB.cng skipped
C:\System Volume Information\_restore{9D21ED0C-7DEB-4615-BE6B-E0397E15FBD2}\RP24\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\grvoikmv.dll Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\jkkHWPif.dll Infected: Packed.Win32.Monder.gen skipped
C:\WINDOWS\system32\ljoqaxdf.dll Object is locked skipped
C:\WINDOWS\system32\opnmKbYS.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mxj skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{9D21ED0C-7DEB-4615-BE6B-E0397E15FBD2}\RP24\change.log Object is locked skipped

Scan process completed.

misfit
2008-04-10, 18:03
ComboFix 08-04-09.9 - Vince 2008-04-11 0:26:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.916 [GMT 8:00]
Running from: D:\TEMP DOWNLOADS\vunfixed\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\BMa7f839d5.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\fdxaqojl.ini
C:\WINDOWS\system32\fiPWHkkj.ini
C:\WINDOWS\system32\fiPWHkkj.ini2
C:\WINDOWS\system32\FLoWEfhk.ini
C:\WINDOWS\system32\FLoWEfhk.ini2
C:\WINDOWS\system32\grvoikmv.dll
C:\WINDOWS\system32\jkkHWPif.dll
C:\WINDOWS\system32\ljoqaxdf.dll
C:\WINDOWS\system32\opnmKbYS.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-10 to 2008-04-10 )))))))))))))))))))))))))))))))
.

2008-04-10 20:05 . 2008-04-10 20:05 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-10 20:05 . 2008-04-10 20:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-09 23:41 . 2008-04-09 23:41 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-09 23:41 . 2008-04-09 23:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-09 23:13 . 2008-04-10 00:14 <DIR> d-------- C:\VundoFix Backups
2008-04-09 05:57 . 2008-04-09 05:57 30,760 --a------ C:\WINDOWS\system32\ydruncdi.exe
2008-04-09 05:57 . 2008-04-09 05:57 206 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-09 05:29 . 2008-04-09 05:29 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-08 23:35 . 2008-04-08 23:35 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-04-08 23:34 . 2008-04-08 23:34 <DIR> d-------- C:\Program Files\Sophos
2008-04-08 23:34 . 2008-04-08 23:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sophos
2008-04-08 23:34 . 2007-03-09 09:56 17,920 --a------ C:\WINDOWS\system32\SophosBootTasks.exe
2008-04-08 23:32 . 2007-09-10 11:09 101,120 --a------ C:\WINDOWS\system32\drivers\savonaccesscontrol.sys
2008-04-08 23:32 . 2007-09-10 11:08 33,408 --a------ C:\WINDOWS\system32\drivers\savonaccessfilter.sys
2008-04-08 23:31 . 2008-04-08 23:32 <DIR> d-------- C:\savwsa
2008-04-08 20:52 . 2008-04-08 20:52 <DIR> d-------- C:\Documents and Settings\Vince\Application Data\vlc
2008-04-08 20:45 . 2008-04-08 20:45 <DIR> d-------- C:\Program Files\VideoLAN
2008-04-08 20:36 . 2008-04-11 00:31 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-08 17:05 . 2008-04-08 17:05 57,068 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-04-08 16:59 . 2008-04-08 17:01 <DIR> d-------- C:\Program Files\Safari
2008-04-08 16:47 . 2007-09-04 17:56 164,352 --a------ C:\WINDOWS\system32\unrar.dll
2008-04-08 16:46 . 2008-04-08 16:47 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-04-08 16:46 . 2007-11-29 23:30 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-04-08 16:37 . 2008-04-08 16:37 <DIR> d-------- C:\Program Files\iPod
2008-04-08 16:36 . 2008-04-08 16:37 <DIR> d-------- C:\Program Files\iTunes
2008-04-08 16:26 . 2008-04-08 16:29 <DIR> d-------- C:\Program Files\QuickTime
2008-04-08 14:28 . 2008-04-11 00:31 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-08 14:28 . 2008-04-08 14:28 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-08 12:40 . 2008-04-08 17:04 <DIR> d-------- C:\Documents and Settings\Vince\Application Data\Apple Computer
2008-04-08 12:36 . 2008-04-08 12:36 <DIR> d-------- C:\Program Files\Bonjour
2008-04-08 12:30 . 2008-04-08 16:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-08 12:29 . 2008-04-08 12:29 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-08 12:28 . 2008-04-08 12:28 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-04-08 12:26 . 2008-04-08 12:26 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-04-08 12:26 . 2008-04-08 12:26 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-04-08 12:26 . 2008-04-08 12:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-08 12:23 . 2008-04-08 12:26 <DIR> d-------- C:\Program Files\Common Files\Real
2008-04-08 12:12 . 2008-04-09 22:17 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-04-08 12:12 . 2008-04-08 12:12 <DIR> d-------- C:\Documents and Settings\Vince\Application Data\PC Tools
2008-04-08 12:12 . 2008-04-09 22:50 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-08 12:12 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-04-08 12:12 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-04-08 12:12 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-04-08 12:12 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-04-08 10:11 . 2006-10-05 10:42 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-04-08 10:11 . 2006-10-05 10:42 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-04-08 10:10 . 2008-04-08 10:11 <DIR> d-------- C:\Program Files\Picasa2
2008-04-08 10:00 . 2008-04-08 10:00 <DIR> d-------- C:\WINDOWS\system32\runtime
2008-04-08 09:55 . 2008-04-10 08:45 <DIR> d-------- C:\Program Files\Norton Security Scan
2008-04-08 09:45 . 2008-04-08 10:54 <DIR> d-------- C:\Program Files\Google
2008-04-08 09:45 . 2008-04-10 12:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-08 09:37 . 2008-04-08 09:37 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-04-08 09:37 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-04-08 09:33 . 2008-04-08 09:33 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-04-08 09:33 . 2008-04-08 09:35 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-04-08 08:57 . 2008-04-09 22:22 <DIR> d-------- C:\Documents and Settings\Vince\Application Data\LimeWire
2008-04-08 08:53 . 2008-04-08 08:53 <DIR> dr-h----- C:\Documents and Settings\Vince\Application Data\yahoo!
2008-04-08 08:36 . 2008-03-19 18:26 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-04-08 08:36 . 2008-03-19 18:29 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-04-08 08:35 . 2008-04-08 08:36 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-04-08 08:30 . 2008-04-08 08:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-08 08:28 . 2008-04-08 08:52 <DIR> d-------- C:\Program Files\Yahoo!
2008-04-08 08:23 . 2008-04-08 08:23 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-04-08 08:23 . 2008-04-08 08:23 <DIR> d-------- C:\Program Files\Veoh Networks
2008-04-08 08:17 . 2008-04-08 08:17 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-08 07:46 . 2008-04-08 07:46 <DIR> d-------- C:\Program Files\MSDN
2008-04-08 07:33 . 2008-04-08 07:33 172 --a------ C:\WINDOWS\ODBC.INI
2008-04-08 07:32 . 2008-04-08 07:32 <DIR> d-------- C:\WINDOWS\system32\js
2008-04-08 07:32 . 2008-04-08 07:32 <DIR> d-------- C:\WINDOWS\system32\images
2008-04-08 07:32 . 2008-04-08 07:32 <DIR> d-------- C:\WINDOWS\system32\html
2008-04-08 07:32 . 2008-04-08 07:32 <DIR> d-------- C:\WINDOWS\system32\css
2008-04-08 07:32 . 2008-04-08 07:32 <DIR> d-------- C:\Program Files\Business Objects
2008-04-08 07:26 . 2008-04-08 07:31 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2008-04-08 07:25 . 2008-04-08 07:25 <DIR> d-------- C:\Program Files\Microsoft Device Emulator
2008-04-08 07:24 . 2008-04-08 07:25 <DIR> d-------- C:\Program Files\Windows Mobile 5.0 SDK R2
2008-04-08 07:23 . 2008-04-08 07:23 <DIR> d-------- C:\Program Files\Microsoft Synchronization Services
2008-04-08 07:23 . 2008-04-08 07:23 <DIR> d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2008-04-08 07:13 . 2008-04-08 07:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PreEmptive Solutions
2008-04-08 07:07 . 2008-04-08 07:07 <DIR> d-------- C:\WINDOWS\symbols
2008-04-08 07:05 . 2008-04-08 07:28 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-04-08 07:05 . 2008-04-08 07:32 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 9.0
2008-04-08 07:05 . 2008-04-08 07:05 <DIR> d-------- C:\Program Files\Microsoft SDKs
2008-04-08 07:05 . 2008-04-08 07:08 <DIR> d-------- C:\Program Files\HTML Help Workshop
2008-04-08 07:05 . 2008-04-08 07:13 <DIR> d-------- C:\Program Files\Common Files\Merge Modules
2008-04-08 07:05 . 2008-04-08 07:05 <DIR> d-------- C:\Program Files\CE Remote Tools
2008-04-08 07:04 . 2008-04-08 07:04 <DIR> d-------- C:\Program Files\Microsoft Web Designer Tools
2008-04-08 07:04 . 2008-04-08 07:04 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-08 07:03 . 2008-04-10 20:41 <DIR> d-------- C:\Program Files\Mozilla Firefox 3 Beta 5
2008-04-08 07:00 . 2008-04-08 07:00 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-04-08 07:00 . 2008-04-08 07:00 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-04-08 06:59 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2008-04-08 06:55 . 2008-04-08 06:55 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-04-08 06:49 . 2008-04-09 23:31 <DIR> d-------- C:\Program Files\PowerISO
2008-04-08 06:44 . 2007-10-31 01:20 360,064 --a------ C:\WINDOWS\system32\drivers\tcpip.sys.ORIGINAL
2008-04-08 06:44 . 2007-10-31 01:20 360,064 --a--c--- C:\WINDOWS\system32\dllcache\tcpip.sys.ORIGINAL
2008-04-08 06:33 . 2008-04-08 06:33 <DIR> d-------- C:\Program Files\Java
2008-04-08 06:33 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-08 06:30 . 2008-04-08 06:34 <DIR> d-------- C:\Program Files\LimeWire
2008-04-08 06:30 . 2008-04-08 06:30 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-08 06:15 . 2008-04-08 06:24 <DIR> d-------- C:\Program Files\BitComet

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-08 00:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-07 22:44 360,064 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-07 19:40 10,240 ----a-w C:\Documents and Settings\Vince\services.exe
2008-04-07 19:35 --------- d-----w C:\Program Files\VIA
2008-04-07 19:35 --------- d-----w C:\Program Files\Realtek Sound Manager
2008-04-07 19:35 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-07 19:35 --------- d-----w C:\Program Files\AvRack
2008-04-07 19:34 --------- d-----w C:\Program Files\Realtek AC97
2008-04-07 19:27 --------- d-----w C:\Program Files\microsoft frontpage
2008-02-23 02:38 43,872 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-02-20 03:11 33,800 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
2008-02-20 03:02 29,704 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2008-02-20 03:01 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
.

------- Sigcheck -------

2007-10-31 00:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2007-10-31 01:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\sp2gdr\tcpip.sys
2007-10-31 00:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\sp2qfe\tcpip.sys
2008-04-08 06:44 360064 8283a4d489b207991efdc8328733d0bc C:\WINDOWS\system32\dllcache\tcpip.sys
2008-04-08 06:44 360064 8283a4d489b207991efdc8328733d0bc C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{771B2F75-7467-497F-BB00-CD38C195A377}]
C:\WINDOWS\system32\khfEWoLF.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 05:42 577536 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 13:26 7700480]
"nwiz"="nwiz.exe" [2007-04-19 13:26 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-19 13:26 86016]
"PowerS"="C:\WINDOWS\PowerS.exe" [2001-08-03 17:56 159800]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 11:06 1443072]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-08 09:47 29744]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-08 12:23 185632]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-04-08 09:45:42 124400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnmKbYS]
opnmKbYS.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL,c:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Remote Controller.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Remote Controller.lnk
backup=C:\WINDOWS\pss\Remote Controller.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Scheduler.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Scheduler.lnk
backup=C:\WINDOWS\pss\Scheduler.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TV Scheduler.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TV Scheduler.lnk
backup=C:\WINDOWS\pss\TV Scheduler.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10187:TCP"= 10187:TCP:BitComet 10187 TCP
"10187:UDP"= 10187:UDP:BitComet 10187 UDP

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 20:22]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-10-18 17:39]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 11:11]
R1 SAVOnAccessControl;SAVOnAccessControl;C:\WINDOWS\system32\DRIVERS\savonaccesscontrol.sys [2007-09-10 11:09]
R1 SAVOnAccessFilter;SAVOnAccessFilter;C:\WINDOWS\system32\DRIVERS\savonaccessfilter.sys [2007-09-10 11:08]
R2 BT848;BtCap, WDM Video Capture;C:\WINDOWS\system32\drivers\BT848.SYS [2003-01-16 17:14]
R2 BTTUNER;BtTuner, WDM TV Tuner;C:\WINDOWS\system32\drivers\BTTUNER.SYS [2003-01-16 17:14]
R2 BTXBAR;BtXBar, WDM Crossbar;C:\WINDOWS\system32\drivers\BTXBAR.SYS [2003-01-16 17:14]
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
S2 NOD32FiXTemDono;Eset Nod32 Boot;C:\WINDOWS\system32\regedt32.exe [2001-08-23 20:00]
S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-08 09:47]
S4 msvsmon90;Visual Studio 2008 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon90 []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-08 04:29:38 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-08 01:55:24 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-11 00:31:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\PSEXESVC.EXE 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-04-11 0:34:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-10 16:34:22
Pre-Run: 64,105,840,640 bytes free
Post-Run: 64,131,661,824 bytes free
.
2008-04-09 15:36:31 --- E O F ---

misfit
2008-04-10, 18:07
Executing HijackThis after the ComboFix run:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:38:58 AM, on 4/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\PowerS.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
D:\TEMP DOWNLOADS\vunfixed\HiJackThis2123.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {771B2F75-7467-497F-BB00-CD38C195A377} - C:\WINDOWS\system32\khfEWoLF.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PowerS] C:\WINDOWS\PowerS.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL,c:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O20 - Winlogon Notify: opnmKbYS - opnmKbYS.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 7563 bytes

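An added example, not part of the original post and not code from HijackThis or ComboFix: a small Python triage script that scans HijackThis-style lines for the two signs visible in the log above. First, entries tagged "(file missing)", where ComboFix has already deleted the DLL but the registry load point (here a BHO and a Winlogon Notify entry) still references it. Second, eight-letter mixed-case DLL names of the kind Virtumonde (Vundo) generates, such as khfEWoLF.dll and opnmKbYS.dll. The sample input is a handful of lines copied from the post; the "looks machine-generated" test is a heuristic assumption of this example, not a rule from any tool.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the post-ComboFix HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {771B2F75-7467-497F-BB00-CD38C195A377} - C:\WINDOWS\system32\khfEWoLF.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL,c:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O20 - Winlogon Notify: opnmKbYS - opnmKbYS.dll (file missing)
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""

# HijackThis section codes that are code-loading points worth a closer look.
LOAD_POINTS = {
    "O2": "Browser Helper Object",
    "O4": "Run key / startup item",
    "O20": "AppInit_DLLs / Winlogon Notify",
    "O23": "Service",
}

# A bare DLL name of exactly eight letters, not preceded by another letter/digit
# (so 'AcroIEHelper.dll' does not match on its last eight characters).
RANDOM_DLL = re.compile(r"(?<![A-Za-z0-9])([A-Za-z]{8})\.dll\b", re.IGNORECASE)
ENTRY = re.compile(r"^(O\d+) - (.*)$")


@dataclass
class Finding:
    code: str
    load_point: str
    reason: str
    line: str


def looks_random(stem: str) -> bool:
    """Heuristic (assumption of this example): an eight-letter stem mixing at
    least two upper- and two lower-case letters, like khfEWoLF or opnmKbYS."""
    upper = sum(c.isupper() for c in stem)
    lower = sum(c.islower() for c in stem)
    return upper >= 2 and lower >= 2


def analyze(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious property found on each O-line."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # process list, R0/R1 lines, blank lines, etc.
        code, rest = m.groups()
        load_point = LOAD_POINTS.get(code, "other")
        reasons = []
        if "(file missing)" in rest:
            reasons.append("load point references a file that no longer exists (orphaned entry)")
        for stem in RANDOM_DLL.findall(rest):
            if looks_random(stem):
                reasons.append(f"DLL name '{stem}.dll' looks machine-generated")
        findings.extend(Finding(code, load_point, r, raw.strip()) for r in reasons)
    return findings


def suspicious_codes(findings: list[Finding]) -> set[str]:
    """The set of HijackThis section codes that produced at least one finding."""
    return {f.code for f in findings}


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.code} {f.load_point}] {f.reason}\n    {f.line}")
```

On the log above this flags only the two Virtumonde leftovers (each for both reasons) and nothing else; the orphaned entries are exactly the ones a helper would tick in HijackThis and Fix, since the files themselves are already gone.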
tashi
2008-04-10, 19:28
Hello,

Apparently you missed our sticky topics. :p:

"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Do NOT run 'fixes' before helpers have analyzed HJT/KAV scans (http://forums.spybot.info/showthread.php?t=16806)

Because of the volume of posts to your own topic, helpers may think you are already being assisted as they look for topics with no response.



Just make a note for our volunteers so they are aware, as it would be best to start off with no more than two posts (total) in your topic before a helper responds. Please keep this link handy: The Waiting Room: Post here if waiting for help longer than four days (http://forums.spybot.info/forumdisplay.php?f=37)

Also see:
Sun Microsystems~Java. Security vulnerability in older versions left on system (http://forums.spybot.info/showpost.php?p=12880&postcount=2 )

Best regards. :)

misfit
2008-04-11, 00:53
My bad... I thought it would facilitate things if I ran ComboFix...

So where do I go from here now?

misfit
2008-04-11, 06:01
If anyone is available to read my logs, please help me... 2 weeks seems like forever already...

tashi
2008-04-11, 07:03
If anyone is available to read my logs, please help me... 2 weeks seems like forever already...
Hello,

Your topic was started today and clearly you have not read the stickies or you wouldn't keep adding posts to the thread.

Here they are again.

"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

The Waiting Room: Post here if waiting for help longer than four days (http://forums.spybot.info/forumdisplay.php?f=37)

misfit
2008-04-11, 09:48
Oh, my apologies again... It's just that it has taken me so long to fight this malware and I'm so eager to know what to do next... I'll make sure to follow the rules next time.