Bad Virtumonde Infection
slash_tbh
2008-04-25, 14:48
I'm not sure HOW I got this virus, but it's been keeping me from doing a lot of things on the web.
I did read the "Read before posting" topic, but I think I'm so badly infected that Kaspersky is failing to run; I get an error "Unknown error detected while checking the license for kaspersky online scanner product".
I'm not sure how to go on with this. I've been trying to get rid of it for 2 weeks now; I've tried doing a destructive system restore as well, but it just seems to lie dormant until I get on the web long enough. I've downloaded ComboFix but haven't touched it yet. Waiting for further info on what to do about this.
And thank you for your time.
Rorschach112
2008-04-25, 15:30
Hello
Delete ComboFix.exe there and do this
Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
This includes installing the Windows XP Recovery Console in case you have not installed it yet.
For more information on the Windows XP Recovery Console, read http://support.microsoft.com/kb/314058. Once you install the Recovery Console, right after you reboot your computer you'll see the option for the Recovery Console as well. Don't select Recovery Console, as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.
Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
slash_tbh
2008-04-26, 00:08
Hi, here are the requested logs. Sorry I was away without notice; I've been up all night trying to fix this.
ComboFix 08-04-24.1 - Owner 2008-04-25 6:17:21.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.239 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Common Files\mcroso~1.net
C:\Program Files\Common Files\mcroso~1.net\M?crosoft.NET\
C:\Program Files\Common Files\mcroso~1.net\nslookup.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\Behjmnnn.ini
C:\WINDOWS\system32\Behjmnnn.ini2
C:\WINDOWS\system32\cefuoawl.dll
C:\WINDOWS\system32\glrxhkpn.dll
C:\WINDOWS\system32\HjmnnUtv.ini
C:\WINDOWS\system32\HjmnnUtv.ini2
C:\WINDOWS\system32\ilUCLnpo.ini
C:\WINDOWS\system32\ilUCLnpo.ini2
C:\WINDOWS\system32\irumxrq.dll
C:\WINDOWS\system32\ljJCvUMC.dll
C:\WINDOWS\system32\ljJcyVon.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\npkhxrlg.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\sks~1
C:\WINDOWS\system32\sks~1\l?gonui.exe
C:\WINDOWS\system32\vruwrhuf.dll
C:\WINDOWS\system32\vtUnnmjH.dll
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-03-25 to 2008-04-25 )))))))))))))))))))))))))))))))
.
2008-04-25 04:01 . 2008-04-25 04:01 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-25 04:01 . 2008-04-25 04:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-25 03:49 . 2008-04-25 03:49 <DIR> d-------- C:\Documents and Settings\Owner\dwhelper
2008-04-25 03:12 . 2008-04-25 03:12 <DIR> d-------- C:\Program Files\Safer Networking
2008-04-24 23:27 . 2002-12-12 00:34 208,896 --a------ C:\WINDOWS\system32\wmpns.dll
2008-04-24 21:28 . 2008-04-24 21:28 136 --ah----- C:\sqmnoopt02.sqm
2008-04-24 21:28 . 2008-04-24 21:28 136 --ah----- C:\sqmdata02.sqm
2008-04-24 13:47 . 2008-04-24 13:47 1,509,099 --ahs---- C:\WINDOWS\system32\uugsaihc.ini
2008-04-24 13:37 . 2008-04-24 13:37 268 --ah----- C:\sqmdata01.sqm
2008-04-24 13:37 . 2008-04-24 13:37 244 --ah----- C:\sqmnoopt01.sqm
2008-04-24 13:13 . 2008-04-24 13:16 543 --a------ C:\WINDOWS\wininit.ini
2008-04-24 12:20 . 2008-04-24 12:21 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-24 12:20 . 2008-04-24 13:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-24 03:21 . 2008-04-24 03:21 268 --ah----- C:\sqmdata00.sqm
2008-04-24 03:21 . 2008-04-24 03:21 244 --ah----- C:\sqmnoopt00.sqm
2008-04-23 21:41 . 2008-04-24 13:12 1,540,789 --ahs---- C:\WINDOWS\system32\sdythuuj.ini
2008-04-23 15:55 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-23 15:55 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-23 07:06 . 2008-04-23 07:10 <DIR> d-------- C:\Program Files\BitLord
2008-04-23 06:30 . 2008-04-23 07:23 <DIR> d-------- C:\Program Files\eMule
2008-04-23 04:40 . 2008-04-23 04:40 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Soldat
2008-04-23 04:40 . 2008-04-23 04:40 0 -ra------ C:\logwmemory.bin
2008-04-23 04:36 . 2008-04-23 04:36 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-04-23 04:35 . 2008-04-23 04:35 <DIR> d-------- C:\Program Files\MSN Messenger
2008-04-23 04:30 . 2008-04-23 04:30 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\acccore
2008-04-23 04:29 . 2008-04-23 04:30 <DIR> d-------- C:\Program Files\Viewpoint
2008-04-23 04:29 . 2008-04-23 04:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-23 04:29 . 2008-04-23 04:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-04-23 04:29 . 2008-04-23 04:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-04-23 04:28 . 2008-04-23 04:28 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-04-23 04:28 . 2008-04-23 04:30 <DIR> d-------- C:\Program Files\AIM6
2008-04-23 04:28 . 2008-04-23 04:30 450 --ah----- C:\IPH.PH
2008-04-23 04:08 . 2007-03-07 16:51 9,464 --a------ C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-04-23 04:08 . 2007-03-07 16:51 9,336 --a------ C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-04-23 04:07 . 2008-04-23 04:12 <DIR> d-------- C:\Program Files\Winamp
2008-04-23 04:07 . 2008-04-23 04:08 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Winamp
2008-04-23 04:07 . 2007-03-07 16:51 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2008-04-23 03:23 . 2008-04-23 03:23 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Nexon
2008-04-23 02:59 . 2008-04-23 02:59 <DIR> d-------- C:\Nexon
2008-04-23 01:54 . 2008-04-23 01:55 <DIR> d-------- C:\Program Files\Unlocker
2008-04-22 21:53 . 2008-04-22 21:54 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\.clamwin
2008-04-22 21:52 . 2008-04-22 21:52 <DIR> d-------- C:\Program Files\ClamWin
2008-04-22 21:52 . 2008-04-22 21:52 <DIR> d-------- C:\Documents and Settings\All Users\.clamwin
2008-04-22 21:41 . 2003-03-03 10:24 33,792 --a------ C:\WINDOWS\ieuninst.exe
2008-04-22 21:36 . 2008-04-22 21:37 1,540,617 --ahs---- C:\WINDOWS\system32\lirosyxt.ini
2008-04-22 21:34 . 2008-04-25 04:05 109,772 --a------ C:\WINDOWS\BMbff1958b.xml
2008-04-22 21:31 . 2002-08-29 01:50 24,960 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-22 21:31 . 2002-08-29 01:50 24,960 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-04-22 21:28 . 2008-04-22 21:28 <DIR> d-------- C:\WINDOWS\system32\xcsDd01
2008-04-22 21:28 . 2008-04-22 21:28 <DIR> d-------- C:\Temp\berDrv11
2008-04-22 21:28 . 2008-04-22 21:28 <DIR> d-------- C:\Temp
2008-04-22 21:23 . 2008-04-22 21:23 <DIR> d-------- C:\WINDOWS\Sun
2008-04-22 19:03 . 2002-08-29 01:32 159,360 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2008-04-22 19:03 . 2002-08-28 23:16 142,208 --a------ C:\WINDOWS\system32\drivers\aec.sys
2008-04-22 19:03 . 2002-08-29 02:00 77,440 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-22 19:03 . 2002-08-29 02:01 56,832 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-22 19:03 . 2001-08-17 14:00 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2008-04-22 19:03 . 2001-08-17 13:59 50,048 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2008-04-22 19:03 . 2002-08-29 01:32 5,888 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2008-04-22 19:03 . 2002-08-29 01:32 2,816 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2008-04-22 19:02 . 2008-04-22 19:46 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-22 19:02 . 2002-08-29 02:01 134,272 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2008-04-22 19:02 . 2002-08-29 01:32 57,856 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2008-04-22 19:02 . 2002-08-29 01:33 55,680 --a------ C:\WINDOWS\system32\drivers\ohci1394.sys
2008-04-22 19:02 . 2005-02-24 20:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-04-22 19:02 . 2001-08-17 13:46 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2008-04-22 18:59 . 2008-04-22 18:59 <DIR> d-------- C:\WINDOWS\system32\bits
2008-04-22 18:58 . 2008-04-25 06:28 247 --a------ C:\WINDOWS\system\hpsysdrv.dat
2008-04-22 18:57 . 2004-07-01 15:08 361,984 --a--c--- C:\WINDOWS\system32\dllcache\qmgr.dll
2008-04-22 18:57 . 2004-07-01 15:08 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
2008-04-22 18:57 . 2004-07-01 15:08 331,776 --a--c--- C:\WINDOWS\system32\dllcache\winhttp.dll
2008-04-22 18:57 . 2004-06-30 16:59 158,720 --a------ C:\WINDOWS\system32\xpob2res.dll
2008-04-22 18:57 . 2004-07-01 15:08 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-04-22 18:57 . 2004-07-01 15:08 17,408 --a--c--- C:\WINDOWS\system32\dllcache\qmgrprxy.dll
2008-04-22 18:57 . 2004-07-01 15:08 7,680 --a--c--- C:\WINDOWS\system32\dllcache\bitsprx2.dll
2008-04-22 18:57 . 2004-07-01 15:08 7,680 --a------ C:\WINDOWS\system32\bitsprx2.dll
2008-04-22 18:57 . 2004-07-01 15:08 7,168 --a--c--- C:\WINDOWS\system32\dllcache\bitsprx3.dll
2008-04-22 18:57 . 2004-07-01 15:08 7,168 --a------ C:\WINDOWS\system32\bitsprx3.dll
2008-04-22 18:55 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-04-22 18:55 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-04-22 18:55 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-04-22 18:55 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-04-22 18:55 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-04-22 18:53 . 2008-04-22 18:53 <DIR> d---s---- C:\Documents and Settings\Owner\UserData
2008-04-22 18:53 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2008-04-22 18:53 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2008-04-22 18:53 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2008-04-22 18:53 . 2004-08-03 14:03 186,136 --a------ C:\WINDOWS\system32\wuaueng1.dll
2008-04-22 18:53 . 2004-08-03 14:01 167,704 --a------ C:\WINDOWS\system32\wuauclt1.exe
2008-04-22 18:53 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\system32\wups.dll
2008-04-22 18:51 . 2008-04-22 18:51 <DIR> d--h----- C:\BJPrinter
2008-04-22 18:51 . 2002-09-05 14:00 87,552 --a------ C:\WINDOWS\system32\CNMLM3m.DLL
2008-04-22 18:51 . 2002-07-30 02:59 73,728 --a------ C:\WINDOWS\system32\CNMCP3m.exe
2008-04-22 18:51 . 2002-09-05 14:00 5,632 --a------ C:\WINDOWS\system32\CNMVS3m.DLL
2008-04-22 18:46 . 2008-04-22 18:46 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Yahoo!
2008-04-22 18:46 . 2008-04-22 18:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-04-22 18:42 . 2008-04-25 03:12 <DIR> dr------- C:\Program Files
2008-04-22 18:42 . 2008-04-22 18:53 <DIR> dr------- C:\Documents and Settings\All Users\Documents
2008-04-22 18:39 . 2008-04-23 04:11 <DIR> dr-hsc--- C:\WINDOWS\system32\dllcache
2008-04-22 17:33 . 2008-04-22 17:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-22 17:32 . 2008-04-22 17:32 <DIR> d-------- C:\Program Files\Yahoo!
2008-04-22 17:24 . 2008-04-22 17:24 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-22 17:18 . 2008-04-22 17:21 3,884 --a------ C:\WINDOWS\viassary-hp.reg
2008-04-22 17:14 . 2008-04-22 17:14 4,158 -rahs---- C:\WINDOWS\system32\drivers\HP_DQ174A-ABA A410N_YC_Pavi_QMXK349_E41NAheBLU4_4_IMS-6577_SMICRO-STAR INTERNATIONAL CO., LTD_V030_B3.02_T031031_WXH1_L409_M504_J123_7Intel_8Celeron_92.8_111063044_N10EC8139_P_Z11C1044C_K_A808624C5_U808624C2_G80862562.MRK
2008-04-22 17:13 . 2003-10-13 22:21 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec
2008-04-22 17:13 . 2003-10-10 21:57 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Sonic
2008-04-22 17:13 . 2003-10-10 22:47 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\SampleView
2008-04-22 17:13 . 2003-10-13 22:24 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\interMute
2008-04-22 17:12 . 2003-10-10 22:19 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\WINDOWS
2008-04-22 17:12 . 2008-04-25 01:05 1,024 --ah----- C:\Documents and Settings\All Users\NTUSER.DAT.LOG
2008-04-22 17:10 . 2008-04-22 17:10 <DIR> d-------- C:\Program Files\ArcSoft
2008-04-22 17:10 . 1995-07-31 13:44 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2008-04-22 17:09 . 2008-04-22 17:09 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-04-22 17:09 . 2008-04-22 17:09 <DIR> d-------- C:\Program Files\Multimedia Card Reader
2008-04-22 17:07 . 2002-08-29 01:09 62,976 --a------ C:\WINDOWS\system32\drivers\pci.sys
2008-04-22 17:06 . 2001-08-17 13:58 35,840 --a------ C:\WINDOWS\system32\drivers\isapnp.sys
2008-04-22 17:05 . 2002-08-29 02:06 51,072 --a------ C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-22 17:05 . 2002-08-29 01:27 23,424 --a------ C:\WINDOWS\system32\drivers\kbdclass.sys
2008-04-22 17:04 . 2003-10-10 22:19 <DIR> d-------- C:\Documents and Settings\Default User\WINDOWS
2008-04-22 17:04 . 2008-04-22 17:12 1,024 --ah----- C:\Documents and Settings\Default User\ntuser.dat.LOG
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-23 00:18 --------- d-----w C:\Program Files\Easy Internet signup
2008-04-23 00:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83955744-3395-48D8-848B-10BEFB2BC81A}]
C:\WINDOWS\System32\opnLCUli.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F6759C9B-BF22-40AF-BB88-E9A24968B967}]
C:\WINDOWS\System32\nnnmjheB.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 16:04 52736]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 07:07 114688]
"CamMonitor"="c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 07:23 90112]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [ ]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-23 02:55 483328]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 20:02 61440]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 08:01 110592]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-10-10 21:58 151597]
"AutoTKit"="C:\hp\bin\AUTOTKIT.EXE" [2003-06-18 19:19 53248]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 21:42 212992]
"VTTimer"="VTTimer.exe" []
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-08-15 00:59 70816]
"LTMSG"="LTMSG.exe" [2003-07-14 17:52 40960 C:\WINDOWS\ltmsg.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2003-04-03 13:35 50176 C:\WINDOWS\ALCXMNTR.EXE]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 16:57 81920]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-08-14 20:11 139264]
"Reminder"="C:\Windows\Creator\Remind_XP.exe" [2003-06-17 18:13 118784]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2003-07-23 16:37 53248]
"AntiSpywareMaster"="C:\Program Files\AntiSpywareMaster\asm.exe" [ ]
"ClamWin"="C:\Program Files\ClamWin\bin\ClamTray.exe" [2008-04-19 16:35 77824]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2008-02-29 22:10 15872]
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSub.exe [2003-10-13 22:24:52 557056]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 08:20:40 233472]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-07-30 04:49:48 57344]
Updates from HP.lnk - C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe [2003-10-10 22:26:40 16384]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJcyVon]
ljJcyVon.dll
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38]
*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
.
Contents of the 'Scheduled Tasks' folder
"2008-04-23 00:18:22 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Easy Internet signup\HPSdpApp.exe
"2008-04-25 06:29:45 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- c:\PROGRA~1\NORTON~1\Navw32.exeh/task:
"2008-04-25 06:29:47 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-25 06:28:49
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP.NEW 468 bytes
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP.NEW 2672 bytes
C:\WINDOWS\system32\wbem\Repository\FS\ROLL_FORWARD 0 bytes
scan completed successfully
hidden files: 3
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Unlocker\UnlockerHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-04-25 6:32:43 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-04-25 13:32:31
Pre-Run: 104,230,498,304 bytes free
Post-Run: 104,194,588,672 bytes free
244 --- E O F --- 2008-04-23 21:00:37
<Hijackthis Log>
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:01, on 2008-04-25
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {83955744-3395-48D8-848B-10BEFB2BC81A} - C:\WINDOWS\System32\opnLCUli.dll (file missing)
O2 - BHO: (no name) - {F6759C9B-BF22-40AF-BB88-E9A24968B967} - C:\WINDOWS\System32\nnnmjheB.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [AntiSpywareMaster] C:\Program Files\AntiSpywareMaster\asm.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1208915641656
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1208916465093
O20 - Winlogon Notify: ljJcyVon - ljJcyVon.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 8128 bytes
Rorschach112
2008-04-26, 14:17
Hello
1. Please re-open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):
O2 - BHO: (no name) - {83955744-3395-48D8-848B-10BEFB2BC81A} - C:\WINDOWS\System32\opnLCUli.dll (file missing)
O2 - BHO: (no name) - {F6759C9B-BF22-40AF-BB88-E9A24968B967} - C:\WINDOWS\System32\nnnmjheB.dll (file missing)
O4 - HKLM\..\Run: [AntiSpywareMaster] C:\Program Files\AntiSpywareMaster\asm.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O20 - Winlogon Notify: ljJcyVon - ljJcyVon.dll (file missing)
2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
1. Close any open browsers.
2. Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\system32\uugsaihc.ini
C:\WINDOWS\system32\sdythuuj.ini
C:\WINDOWS\system32\lirosyxt.ini
C:\WINDOWS\BMbff1958b.xml
Folder::
C:\WINDOWS\system32\xcsDd01
C:\Temp\berDrv11
C:\Program Files\AntiSpywareMaster
Registry::
Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
http://i266.photobucket.com/albums/ii277/sUBs_/Combo-Do.gif
Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Reboot and post a new HijackThis log
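The selection the helper made above (unnamed BHOs and a Winlogon Notify hook whose DLL is already gone, plus the Run entry of the rogue AntiSpywareMaster product) can be automated as a first triage pass over a HijackThis log. The Python below is an added example written for this page, not HijackThis, ComboFix or the helper's own code; its line regexes and its one-entry rogue-name list are assumptions taken from the log lines quoted in this thread.

```python
"""Triage of a HijackThis 2.0.2 log for orphaned or rogue autostart entries.

Added example for this thread; not HijackThis, ComboFix or the helper's code.
It parses O2 (BHO), O4 (Run) and O20 (Winlogon Notify) lines and flags the
kinds of entries the helper singled out: unnamed BHOs and Winlogon Notify
hooks whose DLL is missing, and Run entries for a known rogue product.
The regexes and the rogue-name list are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Line shapes as seen in the log quoted in the thread (assumed stable for v2.0.2).
_BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
_RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+)$"
)
_NOTIFY_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# The only rogue product named in the thread; a real deployment would use a feed.
KNOWN_ROGUE_RUN_NAMES = {"AntiSpywareMaster"}


@dataclass
class Entry:
    kind: str                  # "O2", "O4" or "O20"
    name: str
    path: str
    raw: str                   # the original log line, as the user must tick it
    clsid: Optional[str] = None
    hive: Optional[str] = None
    file_missing: bool = False


def parse_hjt(log: str) -> List[Entry]:
    """Return structured entries for O2/O4/O20 lines; other line types are skipped."""
    entries: List[Entry] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = _BHO_RE.match(line)
        if m:
            entries.append(Entry("O2", m["name"], m["path"], line,
                                 clsid=m["clsid"], file_missing=bool(m["missing"])))
            continue
        m = _RUN_RE.match(line)
        if m:
            entries.append(Entry("O4", m["name"], m["path"], line, hive=m["hive"]))
            continue
        m = _NOTIFY_RE.match(line)
        if m:
            entries.append(Entry("O20", m["name"], m["path"], line,
                                 file_missing=bool(m["missing"])))
    return entries


def reason(e: Entry) -> Optional[str]:
    """Why an entry deserves 'Fix checked', or None if nothing here flags it."""
    if e.kind == "O2" and e.file_missing and e.name == "(no name)":
        return "unnamed BHO whose DLL is missing (orphaned loading point)"
    if e.kind == "O20" and e.file_missing:
        return "Winlogon Notify hook whose DLL is missing (orphaned loading point)"
    if e.kind == "O4" and e.name in KNOWN_ROGUE_RUN_NAMES:
        return "Run entry for a known rogue anti-spyware product"
    return None


def triage(entries: List[Entry]) -> List[Entry]:
    """Entries that a helper would ask the user to tick, in log order."""
    return [e for e in entries if reason(e) is not None]


def fix_list(log: str) -> List[str]:
    """The raw lines to check in HijackThis, ready to paste into a reply."""
    return [e.raw for e in triage(parse_hjt(log))]


# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {83955744-3395-48D8-848B-10BEFB2BC81A} - C:\WINDOWS\System32\opnLCUli.dll (file missing)
O2 - BHO: (no name) - {F6759C9B-BF22-40AF-BB88-E9A24968B967} - C:\WINDOWS\System32\nnnmjheB.dll (file missing)
O4 - HKLM\..\Run: [AntiSpywareMaster] C:\Program Files\AntiSpywareMaster\asm.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O20 - Winlogon Notify: ljJcyVon - ljJcyVon.dll (file missing)
"""

if __name__ == "__main__":
    for e in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{e.kind:<4}{e.name:<20} {reason(e)}")
```

Orphaned O9 "Extra button" entries (like the msjava.dll line) are deliberately left to human judgement here, matching the post, which removed the "Related" entries but not the Java Console ones.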
slash_tbh
2008-04-27, 03:29
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 16:43 4670704]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-13 08:24 1694208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 15:04 52736]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-08-20 14:51 118784]
"CamMonitor"="c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 06:23 90112]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [ ]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-23 01:55 483328]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 19:02 61440]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 07:01 110592]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-10-10 20:58 151597]
"AutoTKit"="C:\hp\bin\AUTOTKIT.EXE" [2003-06-18 18:19 53248]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 20:42 212992]
"VTTimer"="VTTimer.exe" []
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-08-14 23:59 70816]
"LTMSG"="LTMSG.exe" [2003-07-14 16:52 40960 C:\WINDOWS\ltmsg.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 15:57 81920]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-08-14 19:11 139264]
"Reminder"="C:\Windows\Creator\Remind_XP.exe" [2003-06-17 17:13 118784]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2003-07-23 15:37 53248]
"ClamWin"="C:\Program Files\ClamWin\bin\ClamTray.exe" [2008-04-19 15:35 77824]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2008-02-29 21:10 15872]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 12:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-08-20 14:55 155648]
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSub.exe [2003-10-13 21:24:52 557056]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 07:20:40 233472]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-07-30 03:49:48 57344]
Updates from HP.lnk - C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe [2003-10-10 21:26:40 16384]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 13:38]
.
Contents of the 'Scheduled Tasks' folder
"2008-04-23 00:18:22 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Easy Internet signup\HPSdpApp.exe
"2008-04-26 10:57:19 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- c:\PROGRA~1\NORTON~1\Navw32.exeh/task:
"2008-04-25 06:29:47 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-26 16:03:35
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Unlocker\UnlockerHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-04-26 16:07:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-27 00:07:31
ComboFix2.txt 2008-04-25 13:32:45
Pre-Run: 96,266,366,976 bytes free
Post-Run: 96,243,855,360 bytes free
5069 --- E O F --- 2008-04-26 22:11:18
slash_tbh
2008-04-27, 03:34
Sorry. I got this error in the forum saying my post was too long. That was the end of it, I think. Is there somewhere I can upload this log to?
Rorschach112
2008-04-27, 15:09
You will need to use multiple posts to fit it all.
Can you try posting it again?
slash_tbh
2008-04-27, 17:28
ComboFix 08-04-24.1 - Owner 2008-04-26 15:58:10.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.213 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\WINDOWS\BMbff1958b.xml
C:\WINDOWS\system32\lirosyxt.ini
C:\WINDOWS\system32\sdythuuj.ini
C:\WINDOWS\system32\uugsaihc.ini
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Temp\berDrv11
C:\Temp\berDrv11\fxpNbu.log
C:\WINDOWS\BMbff1958b.xml
C:\WINDOWS\system32\lirosyxt.ini
C:\WINDOWS\system32\sdythuuj.ini
C:\WINDOWS\system32\uugsaihc.ini
C:\WINDOWS\system32\xcsDd01
C:\WINDOWS\system32\xcsDd01\xcsDd011065.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NWSAPAGENT
-------\Service_NwSapAgent
((((((((((((((((((((((((( Files Created from 2008-03-27 to 2008-04-27 )))))))))))))))))))))))))))))))
.
2008-04-26 14:31 . 2002-04-11 20:21 13,335 --a------ C:\WINDOWS\system32\drivers\usbcm.sys
2008-04-26 14:04 . 2006-08-21 01:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-04-26 14:04 . 2006-08-21 01:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-04-26 14:04 . 2006-08-21 04:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-04-26 13:59 . 2008-04-26 13:59 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-26 09:23 . 2007-07-09 05:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-04-26 03:57 . 2008-04-26 03:57 <DIR> d-------- C:\WINDOWS\provisioning
2008-04-26 03:57 . 2008-04-26 03:57 <DIR> d-------- C:\WINDOWS\peernet
2008-04-26 03:54 . 2008-04-26 03:54 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-04-26 03:41 . 2008-04-26 03:41 <DIR> d-------- C:\WINDOWS\EHome
2008-04-26 03:23 . 2004-08-20 14:50 159,744 --a------ C:\WINDOWS\system32\igfxres.dll
2008-04-26 02:30 . 2004-08-03 22:15 145,792 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2008-04-26 02:30 . 2004-08-03 22:07 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2008-04-25 03:01 . 2008-04-25 03:01 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-25 03:01 . 2008-04-25 03:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-25 02:49 . 2008-04-25 02:49 <DIR> d-------- C:\Documents and Settings\Owner\dwhelper
2008-04-25 02:12 . 2008-04-25 02:12 <DIR> d-------- C:\Program Files\Safer Networking
2008-04-24 22:27 . 2004-08-03 23:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-04-24 20:28 . 2008-04-24 20:28 136 --ah----- C:\sqmnoopt02.sqm
2008-04-24 20:28 . 2008-04-24 20:28 136 --ah----- C:\sqmdata02.sqm
2008-04-24 12:37 . 2008-04-24 12:37 268 --ah----- C:\sqmdata01.sqm
2008-04-24 12:37 . 2008-04-24 12:37 244 --ah----- C:\sqmnoopt01.sqm
2008-04-24 12:13 . 2008-04-24 12:16 543 --a------ C:\WINDOWS\wininit.ini
2008-04-24 11:20 . 2008-04-24 11:21 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-24 11:20 . 2008-04-24 12:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-24 02:21 . 2008-04-24 02:21 268 --ah----- C:\sqmdata00.sqm
2008-04-24 02:21 . 2008-04-24 02:21 244 --ah----- C:\sqmnoopt00.sqm
2008-04-23 14:55 . 2007-07-30 18:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-23 14:55 . 2007-07-30 18:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-23 06:06 . 2008-04-23 06:10 <DIR> d-------- C:\Program Files\BitLord
2008-04-23 05:30 . 2008-04-23 06:23 <DIR> d-------- C:\Program Files\eMule
2008-04-23 03:40 . 2008-04-23 03:40 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Soldat
2008-04-23 03:40 . 2008-04-23 03:40 0 -ra------ C:\logwmemory.bin
2008-04-23 03:36 . 2008-04-23 03:36 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-04-23 03:35 . 2008-04-23 03:35 <DIR> d-------- C:\Program Files\MSN Messenger
2008-04-23 03:30 . 2008-04-23 03:30 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\acccore
2008-04-23 03:29 . 2008-04-23 03:30 <DIR> d-------- C:\Program Files\Viewpoint
2008-04-23 03:29 . 2008-04-23 03:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-23 03:29 . 2008-04-23 03:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-04-23 03:29 . 2008-04-23 03:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-04-23 03:28 . 2008-04-23 03:28 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-04-23 03:28 . 2008-04-23 03:30 <DIR> d-------- C:\Program Files\AIM6
2008-04-23 03:28 . 2008-04-23 03:30 450 --ah----- C:\IPH.PH
2008-04-23 03:08 . 2007-03-07 15:51 9,464 --a------ C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-04-23 03:08 . 2007-03-07 15:51 9,336 --a------ C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-04-23 03:07 . 2008-04-23 03:12 <DIR> d-------- C:\Program Files\Winamp
2008-04-23 03:07 . 2008-04-23 03:08 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Winamp
2008-04-23 03:07 . 2007-03-07 15:51 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2008-04-23 02:23 . 2008-04-23 02:23 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Nexon
2008-04-23 01:59 . 2008-04-23 01:59 <DIR> d-------- C:\Nexon
2008-04-23 00:54 . 2008-04-23 00:55 <DIR> d-------- C:\Program Files\Unlocker
2008-04-22 20:53 . 2008-04-22 20:54 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\.clamwin
2008-04-22 20:52 . 2008-04-22 20:52 <DIR> d-------- C:\Program Files\ClamWin
2008-04-22 20:52 . 2008-04-22 20:52 <DIR> d-------- C:\Documents and Settings\All Users\.clamwin
2008-04-22 20:41 . 2003-03-03 09:24 33,792 --a------ C:\WINDOWS\ieuninst.exe
2008-04-22 20:31 . 2004-08-03 22:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-22 20:28 . 2008-04-26 15:58 <DIR> d-------- C:\Temp
2008-04-22 20:23 . 2008-04-22 20:23 <DIR> d-------- C:\WINDOWS\Sun
2008-04-22 19:06 . 2002-04-15 20:11 67,866 --------- C:\WINDOWS\system32\drivers\netwlan5.img
2008-04-22 19:06 . 2004-08-03 23:56 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
2008-04-22 19:06 . 2004-08-02 13:20 7,208 --------- C:\WINDOWS\system32\secupd.sig
2008-04-22 19:06 . 2004-08-02 13:20 4,569 --------- C:\WINDOWS\system32\secupd.dat
2008-04-22 18:41 . 2005-10-20 14:20 1,082,368 --a------ C:\WINDOWS\system32\esent.dll
2008-04-22 18:03 . 2006-06-14 00:47 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2008-04-22 18:03 . 2006-02-14 16:22 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2008-04-22 18:03 . 2006-06-14 01:00 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-22 18:03 . 2004-08-03 22:15 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-22 18:03 . 2001-08-17 13:00 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2008-04-22 18:03 . 2004-08-03 22:07 52,864 --a------ C:\WINDOWS\system32\drivers\dmusic.sys
2008-04-22 18:03 . 2006-06-14 00:47 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2008-04-22 18:03 . 2004-08-03 22:07 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2008-04-22 18:02 . 2008-04-26 14:10 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-22 18:02 . 2004-08-03 22:10 61,056 --a------ C:\WINDOWS\system32\drivers\ohci1394.sys
2008-04-22 18:02 . 2005-06-28 09:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-04-22 18:02 . 2001-08-17 12:46 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2008-04-22 17:59 . 2008-04-22 17:59 <DIR> d-------- C:\WINDOWS\system32\bits
2008-04-22 17:58 . 2008-04-26 16:03 247 --a------ C:\WINDOWS\system\hpsysdrv.dat
2008-04-22 17:57 . 2004-08-03 23:56 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2008-04-22 17:57 . 2004-08-03 23:56 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-04-22 17:57 . 2004-08-03 23:56 8,192 --a------ C:\WINDOWS\system32\bitsprx2.dll
2008-04-22 17:57 . 2004-08-03 23:56 7,168 --a------ C:\WINDOWS\system32\bitsprx3.dll
2008-04-22 17:55 . 2007-07-30 18:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-04-22 17:55 . 2007-07-30 18:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-04-22 17:55 . 2007-07-30 18:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-04-22 17:55 . 2007-07-30 18:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-04-22 17:55 . 2007-07-30 18:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-04-22 17:53 . 2008-04-22 17:53 <DIR> d---s---- C:\Documents and Settings\Owner\UserData
2008-04-22 17:53 . 2007-07-30 18:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2008-04-22 17:53 . 2007-07-30 18:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2008-04-22 17:53 . 2007-07-30 18:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2008-04-22 17:53 . 2004-08-03 13:03 186,136 --a------ C:\WINDOWS\system32\wuaueng1.dll
2008-04-22 17:53 . 2004-08-03 13:01 167,704 --a------ C:\WINDOWS\system32\wuauclt1.exe
2008-04-22 17:53 . 2007-07-30 18:18 33,624 --a------ C:\WINDOWS\system32\wups.dll
2008-04-22 17:51 . 2008-04-22 17:51 <DIR> d--h----- C:\BJPrinter
2008-04-22 17:51 . 2002-09-05 13:00 87,552 --a------ C:\WINDOWS\system32\CNMLM3m.DLL
2008-04-22 17:51 . 2002-07-30 01:59 73,728 --a------ C:\WINDOWS\system32\CNMCP3m.exe
2008-04-22 17:51 . 2002-09-05 13:00 5,632 --a------ C:\WINDOWS\system32\CNMVS3m.DLL
2008-04-22 17:46 . 2008-04-22 17:46 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Yahoo!
2008-04-22 17:46 . 2008-04-22 17:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-04-22 17:42 . 2008-04-26 13:59 <DIR> dr------- C:\Program Files
2008-04-22 17:42 . 2008-04-22 17:53 <DIR> dr------- C:\Documents and Settings\All Users\Documents
2008-04-22 17:39 . 2008-04-26 14:12 <DIR> dr-hsc--- C:\WINDOWS\system32\dllcache
2008-04-22 16:33 . 2008-04-22 16:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-22 16:32 . 2008-04-22 16:32 <DIR> d-------- C:\Program Files\Yahoo!
2008-04-22 16:24 . 2008-04-22 16:24 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-22 16:18 . 2008-04-22 16:21 3,884 --a------ C:\WINDOWS\viassary-hp.reg
2008-04-22 16:14 . 2008-04-22 16:14 4,158 -rahs---- C:\WINDOWS\system32\drivers\HP_DQ174A-ABA A410N_YC_Pavi_QMXK349_E41NAheBLU4_4_IMS-6577_SMICRO-STAR INTERNATIONAL CO., LTD_V030_B3.02_T031031_WXH1_L409_M504_J123_7Intel_8Celeron_92.8_111063044_N10EC8139_P_Z11C1044C_K_A808624C5_U808624C2_G80862562.MRK
2008-04-22 16:13 . 2003-10-13 21:21 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec
2008-04-22 16:13 . 2003-10-10 20:57 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Sonic
2008-04-22 16:13 . 2003-10-10 21:47 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\SampleView
2008-04-22 16:13 . 2003-10-13 21:24 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\interMute
2008-04-22 16:12 . 2003-10-10 21:19 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\WINDOWS
2008-04-22 16:12 . 2008-04-25 00:05 1,024 --ah----- C:\Documents and Settings\All Users\NTUSER.DAT.LOG
2008-04-22 16:10 . 2008-04-22 16:10 <DIR> d-------- C:\Program Files\ArcSoft
2008-04-22 16:10 . 1995-07-31 12:44 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2008-04-22 16:09 . 2008-04-22 16:09 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-04-22 16:09 . 2008-04-22 16:09 <DIR> d-------- C:\Program Files\Multimedia Card Reader
2008-04-22 16:07 . 2004-08-03 22:07 68,224 --a------ C:\WINDOWS\system32\drivers\pci.sys
2008-04-22 16:06 . 2001-08-17 12:58 35,840 --a------ C:\WINDOWS\system32\drivers\isapnp.sys
2008-04-22 16:05 . 2004-08-03 22:14 52,736 --a------ C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-22 16:05 . 2004-08-03 21:58 24,576 --a------ C:\WINDOWS\system32\drivers\kbdclass.sys
2008-04-22 16:04 . 2003-10-10 21:19 <DIR> d-------- C:\Documents and Settings\Default User\WINDOWS
2008-04-22 16:04 . 2008-04-22 16:12 1,024 --ah----- C:\Documents and Settings\Default User\ntuser.dat.LOG
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-26 22:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-23 00:18 --------- d-----w C:\Program Files\Easy Internet signup
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 16:43 4670704]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-13 08:24 1694208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 15:04 52736]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-08-20 14:51 118784]
"CamMonitor"="c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 06:23 90112]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [ ]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-23 01:55 483328]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 19:02 61440]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 07:01 110592]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-10-10 20:58 151597]
"AutoTKit"="C:\hp\bin\AUTOTKIT.EXE" [2003-06-18 18:19 53248]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 20:42 212992]
"VTTimer"="VTTimer.exe" []
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-08-14 23:59 70816]
"LTMSG"="LTMSG.exe" [2003-07-14 16:52 40960 C:\WINDOWS\ltmsg.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 15:57 81920]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-08-14 19:11 139264]
"Reminder"="C:\Windows\Creator\Remind_XP.exe" [2003-06-17 17:13 118784]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2003-07-23 15:37 53248]
"ClamWin"="C:\Program Files\ClamWin\bin\ClamTray.exe" [2008-04-19 15:35 77824]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2008-02-29 21:10 15872]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 12:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-08-20 14:55 155648]
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSub.exe [2003-10-13 21:24:52 557056]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 07:20:40 233472]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-07-30 03:49:48 57344]
Updates from HP.lnk - C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe [2003-10-10 21:26:40 16384]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 13:38]
.
Contents of the 'Scheduled Tasks' folder
"2008-04-23 00:18:22 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Easy Internet signup\HPSdpApp.exe
"2008-04-26 10:57:19 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- c:\PROGRA~1\NORTON~1\Navw32.exeh/task:
"2008-04-25 06:29:47 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-26 16:03:35
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Unlocker\UnlockerHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-04-26 16:07:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-27 00:07:31
ComboFix2.txt 2008-04-25 13:32:45
Pre-Run: 96,266,366,976 bytes free
Post-Run: 96,243,855,360 bytes free
5069 --- E O F --- 2008-04-26 22:11:18
Rorschach112
2008-04-27, 17:29
Looking good
Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan. Check all the boxes and click Start Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note).
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
Also post a new HijackThis log and tell me how your PC is running
slash_tbh
2008-04-27, 17:32
The reason it was so long was because Windows patched me to XP SP2; I skipped that. It was the only thing installed, since I didn't touch the internet while this was being installed and when I ran HijackThis.
Rorschach112
2008-04-27, 17:37
OK, no worries, nearly done now I think :)
slash_tbh
2008-04-27, 18:48
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:42, on 2008-04-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1208915641656
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1208916465093
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 7906 bytes
slash_tbh
2008-04-27, 18:49
Oops, posted the wrong one first.
Malwarebytes' Anti-Malware 1.11
Database version: 689
Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|)
Objects scanned: 135419
Time elapsed: 49 minute(s), 19 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 34
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\AntiSpywareMaster (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.
Files Infected:
C:\QooBox\Quarantine\C\Program Files\Common Files\MCROSO~1.NET\nslookup.exe.vir (Adware.Purityscan) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\glrxhkpn.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\irumxrq.dll.vir (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ljJCvUMC.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ljJcyVon.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\vruwrhuf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\vtUnnmjH.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\xcsDd01\xcsDd011065.exe.vir (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP12\A0001255.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP12\A0001256.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP12\A0001257.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP12\A0001258.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP12\A0001261.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP128\A0006517.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP13\A0001290.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP13\A0001291.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP13\A0001293.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP14\A0001454.exe (Adware.Purityscan) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP14\A0001455.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP14\A0001459.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP14\A0001461.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP14\A0001462.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP14\A0001463.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP14\A0001464.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP14\A0001465.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP14\A0001504.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP14\A0001506.exe (Rogue.AntiSpyMaster) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP14\A0001507.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP14\A0001538.dll (Adware.ZenoSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP14\A0001543.exe (Rogue.AntiSpyMaster) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP6\A0000211.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\AntiSpywareMaster\AntiSpywareMaster.lnk (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\AntiSpywareMaster\Uninstall AntiSpywareMaster.lnk (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiSpywareMaster.lnk (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.
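Added example (not from the original thread or from any of the tools used in it): a small Python parser for the Malwarebytes-style detection lines posted above. It groups detections by family and by where the file lived, and it pulls the restore-point number out of every `System Volume Information\_restore{...}\RPnn\` path. That last part is the point worth seeing: the same Trojan.Vundo DLLs and downloaders were stored inside several System Restore points, which is consistent with the infection coming back after the system restore described at the start of the thread. The sample lines are copied from the log above; the final "Files Infected:" line is included only to show that non-matching text is skipped.

```python
import re
from collections import Counter
from typing import List, NamedTuple, Optional, Tuple

# Lines copied from the Malwarebytes' Anti-Malware log posted above, plus one
# header line that does not match the detection format.
SAMPLE_LOG = r"""
C:\QooBox\Quarantine\C\WINDOWS\system32\ljJCvUMC.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\xcsDd01\xcsDd011065.exe.vir (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP12\A0001255.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP12\A0001258.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP14\A0001506.exe (Rogue.AntiSpyMaster) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\AntiSpywareMaster\AntiSpywareMaster.lnk (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.
Files Infected:
"""

# One detection line: "<path> (<detection name>) -> <action>." (trailing period optional)
LINE_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
# System Restore snapshot directory; the RP number identifies the restore point.
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[^}]+\}\\RP(?P<rp>\d+)\\", re.IGNORECASE
)
# ComboFix moves what it removes under C:\QooBox\Quarantine (paths appear in the log above).
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"


class Detection(NamedTuple):
    path: str
    family: str               # case-folded so "Trojan.DownLoader" and "Trojan.Downloader" merge
    action: str
    location: str             # "combofix_quarantine", "restore_point" or "other"
    restore_point: Optional[int]


def classify(path: str) -> Tuple[str, Optional[int]]:
    """Return (location label, restore point number or None) for a detected path."""
    if path.lower().startswith(QUARANTINE_PREFIX):
        return "combofix_quarantine", None
    m = RESTORE_RE.search(path)
    if m:
        return "restore_point", int(m.group("rp"))
    return "other", None


def parse_log(text: str) -> List[Detection]:
    """Parse every detection line; lines in any other format are ignored."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        location, rp = classify(m.group("path"))
        found.append(Detection(m.group("path"), m.group("name").lower(),
                               m.group("action"), location, rp))
    return found


def summarize(detections: List[Detection]) -> dict:
    """Count detections per family and per location, and list the infected restore points."""
    return {
        "by_family": Counter(d.family for d in detections),
        "by_location": Counter(d.location for d in detections),
        "restore_points": sorted({d.restore_point for d in detections
                                  if d.restore_point is not None}),
    }


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for key, value in summary.items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

Running it on the full log in the post (paste it into `SAMPLE_LOG` or read it from a file) shows how many distinct restore points carried copies of the malware; a restore to any of those points would have put the files back, which is why helpers usually have System Restore flushed once a machine is confirmed clean.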
Rorschach112
2008-04-28, 02:57
Your logs are clean! We need to do a few things.
Follow these steps to uninstall Combofix and tools used in the removal of malware
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
Below I have included a number of recommendations for how to protect your computer against malware infections.
* Keep Windows updated by regularly checking their website at:
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest security updates installed.
* To reduce re-infection by malware in the future, I strongly recommend installing these free programs:
SpywareBlaster (http://www.javacoolsoftware.com/sbdownload.html) protects against bad ActiveX
IE-SPYAD (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe) puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)
* SpywareGuard (http://www.javacoolsoftware.com/sgdownload.html) offers real-time protection from spyware installation attempts.
* Make Internet Explorer more secure
Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.
* MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.
* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here (http://www.mozilla.org/products/firefox/)
* Take a good look at the following suggestions for malware prevention by reading Tony Klein's article 'How Did I Get Infected In The First Place' here (http://forums.spywareinfo.com/index.php?showtopic=60955)
Thank you for your patience, and performing all of the procedures requested.
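Added example, not part of the original post and not code from the MVPS project: a Python checker for a HOSTS file in the layout the MVPS file uses (one `address hostname` pair per line, `#` comments allowed). It answers the question a user will run into after installing such a file: is a given link failing because its hostname has been pointed at the local machine? The file content below is constructed for the example and uses reserved `.test` names; the only real entry is the standard `127.0.0.1 localhost` line, which is deliberately not treated as a block. Both `127.0.0.1` and `0.0.0.0` are treated as blocking addresses, since blocklist-style hosts files use either.

```python
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Constructed sample in MVPS layout (real MVPS files have thousands of entries).
SAMPLE_HOSTS = """\
# MVPS HOSTS style sample (constructed for this example)
127.0.0.1       localhost
127.0.0.1       ads.example-adserver.test
127.0.0.1       tracker.example.test      # trailing comment is allowed
0.0.0.0         banner.example.test
192.0.2.10      intranet.example.test     # an ordinary static mapping, not a block

"""

# Addresses that make a hostname unreachable instead of resolving it normally.
BLOCKING_ADDRESSES = {"127.0.0.1", "0.0.0.0"}
# Standard loopback names that a hosts file must keep even though they map to 127.0.0.1.
NOT_A_BLOCK = {"localhost", "localhost.localdomain"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each lowercase hostname to the address the file assigns it.

    Comments (from '#' to end of line) and blank lines are skipped; one address
    may be followed by several hostnames on the same line.
    """
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                      # malformed line; ignore rather than fail
        address, names = fields[0], fields[1:]
        for name in names:
            table[name.lower()] = address
    return table


def is_blocked(table: Dict[str, str], hostname: str) -> bool:
    """True if the hosts file sends this hostname to the local machine."""
    name = hostname.lower().rstrip(".")
    if name in NOT_A_BLOCK:
        return False
    return table.get(name) in BLOCKING_ADDRESSES


def check_url(table: Dict[str, str], url: str) -> Tuple[str, bool]:
    """Extract the hostname from a URL and report whether the hosts file blocks it."""
    host = urlsplit(url).hostname or ""
    return host, is_blocked(table, host)


def blocked_count(table: Dict[str, str]) -> int:
    """Number of hostnames the file blocks (loopback names excluded)."""
    return sum(1 for name in table if is_blocked(table, name))


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print("blocked entries:", blocked_count(hosts))
    for link in ("http://tracker.example.test/profile?id=1",
                 "http://www.youtube.com/watch?v=example"):
        host, blocked = check_url(hosts, link)
        print(f"{link}: host={host} blocked={blocked}")
```

On a real machine, read the live file instead of `SAMPLE_HOSTS` (on Windows XP it is `%SystemRoot%\system32\drivers\etc\hosts`) and pass in the links that fail. If `check_url` reports the hostname as blocked, the hosts file is the cause; if it does not, look at the Restricted sites zone or another layer instead, since the hosts file only affects names that are actually listed in it.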
slash_tbh
2008-04-29, 06:42
Thank you SOOOO much for your help! :D: You guys are absolutely amazing, I'm sure I'd still be very frustrated without your assistance. I did everything you suggested I download to help keep my computer virus free! Keep up the excellent work. If I ever need help with viruses I'll know what team to turn to :bigthumb:
Rorschach112
2008-04-29, 15:05
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
slash_tbh
2008-05-07, 05:01
Sorry to post here again but I have a quick question. Why is it that after all this, now I can't click on links my friends send me for YouTube or a link to Yahoo profiles and other things? For example, in Yahoo Messenger I can't right click and then click on "View profile"; when I do, nothing happens. So maybe the protection I have is blocking mostly everything else?