View Full Version : virtumonde has struck me too
Riveyman
2008-05-19, 00:37
Well, looks like I've got this thing too. Any help would be awesome. I ran the Hijack This this morning and the Kaspersky scan last night but I didn't do it in the order suggested. So , I tried to run the Kaspersky again and it ran but locked up the computer, So, I'll list the 2 I have and hope help is on the way. If it is recommended to run the Kaspersky again I can but it takes about 3 hours to run. Thanks..
Here is the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:37:44 PM, on 5/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\devldr32.exe
D:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
D:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
D:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
D:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
D:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
D:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
D:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
D:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
D:\Program Files\WinTV\Ir.exe
D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
d:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\HPZipm12.exe
d:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\Randy\Desktop\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {300420F8-6C1B-416A-B0D5-3E26B41BDC6A} - C:\WINDOWS\system32\nnnnNHwU.dll (file missing)
O2 - BHO: (no name) - {3AF4FBDE-C350-415C-9235-687F954B7F0A} - C:\WINDOWS\system32\ssqRIYrS.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {79809A62-D979-41C6-A7D6-4279256897B0} - C:\WINDOWS\system32\pmnmjGaX.dll (file missing)
O2 - BHO: (no name) - {9BE5ED41-142E-4C25-A3E2-2A9D220ECB93} - C:\WINDOWS\system32\nnnnOeFV.dll (file missing)
O2 - BHO: (no name) - {AEC58B68-6AD1-4D32-B380-77F197B1C36A} - C:\WINDOWS\system32\geBuUlLD.dll (file missing)
O2 - BHO: {70cb0d03-9f0f-09da-5074-58d802daae1b} - {b1eaad20-8d85-4705-ad90-f0f930d0bc07} - C:\WINDOWS\system32\frbrwjsn.dll
O2 - BHO: (no name) - {B8FE23A6-5A9A-496B-A40E-26BC0483E570} - C:\WINDOWS\system32\xxyvwXRk.dll (file missing)
O2 - BHO: (no name) - {F1B2B165-FBF2-4EB3-98FF-9CF5506062B5} - C:\WINDOWS\system32\urqNEWMC.dll
O2 - BHO: (no name) - {F781623F-09FB-4D28-9B2E-3484469C826C} - C:\WINDOWS\system32\qoMcdDUO.dll (file missing)
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [RoxioDragToDisc] "D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [cctray] "D:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [QOELOADER] "D:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [CAVRID] "D:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafwc] D:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] D:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] D:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [20497053] rundll32.exe "C:\WINDOWS\system32\fabktujc.dll",b
O4 - HKLM\..\Run: [BM237a43cf] Rundll32.exe "C:\WINDOWS\system32\hbpfdgji.dll",s
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\system32\mstask.exe
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA393] command /c del "C:\WINDOWS\system32\qoMcdDUO.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2583] cmd /c del "C:\WINDOWS\system32\qoMcdDUO.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6560] command /c del "C:\WINDOWS\system32\geBuUlLD.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7384] cmd /c del "C:\WINDOWS\system32\geBuUlLD.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: AutoStart IR.lnk = D:\Program Files\WinTV\Ir.exe
O4 - Global Startup: hp psc 2000 Series.lnk = D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\RRIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {1ED48504-8834-11D5-AC75-0008C73FD642} (ProductView Express) - file://D:\Program Files\proeWildfire 2.0\i486_nt\obj\pvx_install.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123298872394
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O20 - Winlogon Notify: urqNEWMC - C:\WINDOWS\SYSTEM32\urqNEWMC.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CaCCProvSP - CA, Inc. - D:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - D:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PPCtlPriv - CA, Inc. - D:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - D:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
--
End of file - 11619 bytes
and the Kaspersky scan:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, May 18, 2008 10:16:38 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 17/05/2008
Kaspersky Anti-Virus database records: 781688
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - Folders:
A:\
C:\
E:\
Scan Statistics:
Total number of scanned objects: 80358
Number of viruses found: 3
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 01:36:37
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Randy\Application Data\Mozilla\Firefox\Profiles\t5m3pip6.default\cert8.db Object is locked skipped
C:\Documents and Settings\Randy\Application Data\Mozilla\Firefox\Profiles\t5m3pip6.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Randy\Application Data\Mozilla\Firefox\Profiles\t5m3pip6.default\history.dat Object is locked skipped
C:\Documents and Settings\Randy\Application Data\Mozilla\Firefox\Profiles\t5m3pip6.default\key3.db Object is locked skipped
C:\Documents and Settings\Randy\Application Data\Mozilla\Firefox\Profiles\t5m3pip6.default\parent.lock Object is locked skipped
C:\Documents and Settings\Randy\Application Data\Mozilla\Firefox\Profiles\t5m3pip6.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Randy\Application Data\Mozilla\Firefox\Profiles\t5m3pip6.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Randy\Application Data\Mozilla\Firefox\Profiles\t5m3pip6.default\webappsstore.sqlite Object is locked skipped
C:\Documents and Settings\Randy\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\Application Data\Mozilla\Firefox\Profiles\t5m3pip6.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\Application Data\Mozilla\Firefox\Profiles\t5m3pip6.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\Application Data\Mozilla\Firefox\Profiles\t5m3pip6.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\Application Data\Mozilla\Firefox\Profiles\t5m3pip6.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\Application Data\Mozilla\Firefox\Profiles\t5m3pip6.default\XUL.mfl Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\History\History.IE5\MSHist012008051720080518\index.dat Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\Temp\Perflib_Perfdata_884.dat Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\Temp\Perflib_Perfdata_d30.dat Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\Temp\Perflib_Perfdata_f90.dat Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\Temp\~DF37C2.tmp Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\Temp\~DF4778.tmp Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\Temp\~DF76FB.tmp Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\Temp\~DFCCC5.tmp Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\Temp\~DFD2D2.tmp Object is locked skipped
C:\Documents and Settings\Randy\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Randy\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Randy\NTUSER.DAT.LOG Object is locked skipped
C:\Program Files\CA\SharedComponents\PPRT\logs\2008-05-17.csv Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{BC88BEE4-9985-4D66-9E80-391046883EF4}\RP1067\A0164704.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rkm skipped
C:\System Volume Information\_restore{BC88BEE4-9985-4D66-9E80-391046883EF4}\RP1068\A0166695.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{BC88BEE4-9985-4D66-9E80-391046883EF4}\RP1070\A0167810.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{BC88BEE4-9985-4D66-9E80-391046883EF4}\RP1073\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd6845.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\Logfiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\qoMcdDUO.dll Infected: Trojan.Win32.Monder.gen skipped
C:\WINDOWS\system32\ulwheeoi.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rkn skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Thanks a million..
Hello Riveyman
Welcome to Safer Networking.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.
Yep, Vundo has you big time :sad: Before we begin the cleaning I need you to go to C:\Program Files and create a new folder and name it HJT, then go to the desktop where you have HJT and Cut and Paste it into the new folder.
I need you to run these programs in the order I posted them, print out the instructions is you wish it may make it easier for you to follow. After you run the last scan ( Combofix} then post a new HJT log.
Download VundoFix (http://www.atribune.org/ccount/click.php?id=4 ) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a Hijackthis log.
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or Here (http://subs.geekstogo.com/ComboFix.exe) to your Desktop.
In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re enable the protection again afterwards before connecting to the net
2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
IF you have not already done so Combofix will disconnect your machine from the Internet when it starts.
If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.
I need to see the Vundofix log, the Malwarebytes log, the Combofix log and a New HJT log please, they most likely will not fit all in one reply so take as many replies as you need by using the Submit Reply only
Riveyman
2008-05-19, 17:31
Ken545, thanks for the help...
Here are the logs :
Vundofix.log
VundoFix V7.0.3
Scan started at 9:00:02 AM 5/19/2008
Listing files found while scanning....
No infected files were found.
Malwarebytes log:
Malwarebytes' Anti-Malware 1.12
Database version: 767
Scan type: Quick Scan
Objects scanned: 44353
Time elapsed: 9 minute(s), 3 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 11
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 9
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\fabktujc.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\jkkIBSJy.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\urqNEWMC.dll (Trojan.Vundo) -> Unloaded module successfully.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0137aef2-7551-4d99-bd1e-111f8d2ccd55} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{0137aef2-7551-4d99-bd1e-111f8d2ccd55} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f1b2b165-fbf2-4eb3-98ff-9cf5506062b5} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f1b2b165-fbf2-4eb3-98ff-9cf5506062b5} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\urqnewmc (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\20497053 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM237a43cf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{f1b2b165-fbf2-4eb3-98ff-9cf5506062b5} (Trojan.Vundo) -> Delete on reboot.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\jkkibsjy.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\jkkibsjy.dll -> Delete on reboot.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\fabktujc.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\cjutkbaf.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jkkIBSJy.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\yJSBIkkj.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yJSBIkkj.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Randy\Local Settings\Temporary Internet Files\Content.IE5\B1Z4H4GY\css4[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Randy\Local Settings\Temporary Internet Files\Content.IE5\HWGKXWNA\css4[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hbpfdgji.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\urqNEWMC.dll (Trojan.Vundo) -> Delete on reboot.
Combofix log :
ComboFix 08-05-15.3 - Randy 2008-05-19 9:59:07.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.113 [GMT -4:00]
Running from: C:\Documents and Settings\Randy\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\DLlUuBeg.ini
C:\WINDOWS\system32\DLlUuBeg.ini2
C:\WINDOWS\system32\jkkIBSJy.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\OUDdcMoq.ini
C:\WINDOWS\system32\OUDdcMoq.ini2
C:\WINDOWS\system32\yJSBIkkj.ini
.
((((((((((((((((((((((((( Files Created from 2008-04-19 to 2008-05-19 )))))))))))))))))))))))))))))))
.
2008-05-19 09:21 . 2008-05-19 09:21 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-19 09:21 . 2008-05-19 09:21 <DIR> d-------- C:\Documents and Settings\Randy\Application Data\Malwarebytes
2008-05-19 09:21 . 2008-05-19 09:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-19 09:21 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-19 09:21 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-19 09:00 . 2008-05-19 09:00 <DIR> d-------- C:\VundoFix Backups
2008-05-19 08:10 . 2008-05-19 08:10 <DIR> d-------- C:\Program Files\HJT
2008-05-17 16:32 . 2008-05-17 16:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-17 16:31 . 2008-05-17 16:31 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-17 14:16 . 2008-05-17 14:17 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-17 14:11 . 2008-05-17 14:56 <DIR> d-------- C:\SDFix
2008-05-16 22:20 . 2008-05-16 22:20 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-05-16 19:06 . 2008-05-16 19:06 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-14 05:41 . 2008-05-14 05:41 880,432 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2008-05-14 05:41 . 2008-05-14 05:41 108,368 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2008-05-13 22:32 . 2008-05-13 22:31 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-13 22:32 . 2008-05-13 22:32 2,546 --a------ C:\WINDOWS\unins000.dat
2008-05-13 21:43 . 2008-05-19 09:34 114,176 --------- C:\WINDOWS\system32\fabktujc.dll
2008-05-13 21:34 . 2008-05-13 21:34 133,632 --a------ C:\WINDOWS\system32\frbrwjsn.dll
2008-05-13 21:32 . 2008-05-19 09:34 123,392 --------- C:\WINDOWS\system32\hbpfdgji.dll
2008-05-12 20:03 . 2008-05-12 20:03 132,096 --a------ C:\WINDOWS\system32\vyunrqcv.dll
2008-05-12 20:00 . 2008-05-12 20:00 115,712 --a------ C:\WINDOWS\system32\lwqfbxtm.dll
2008-05-12 19:59 . 2008-05-19 08:12 109,857 --a------ C:\WINDOWS\BM237a43cf.xml
2008-05-12 19:58 . 2008-05-12 19:58 125,952 --a------ C:\WINDOWS\system32\ulwheeoi.dll
2008-05-11 22:35 . 2008-05-19 10:11 91,020 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2008-05-11 22:35 . 2008-05-19 10:11 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2008-05-11 22:35 . 2008-05-19 10:11 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2008-05-11 22:35 . 2008-05-19 10:11 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2008-05-11 22:35 . 2008-05-19 10:11 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2008-05-11 22:35 . 2008-05-19 10:11 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2008-05-11 22:35 . 2008-05-19 10:11 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2008-05-11 22:35 . 2008-05-19 10:11 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2008-05-11 16:29 . 2007-08-20 13:37 99,592 --a------ C:\WINDOWS\system32\isafeif.dll
2008-05-11 16:29 . 2007-08-20 13:26 79,424 --a------ C:\WINDOWS\system32\vetredir.dll
2008-05-11 16:29 . 2007-08-20 13:37 75,016 --a------ C:\WINDOWS\system32\isafprod.dll
2008-05-11 16:29 . 2007-08-20 13:38 32,264 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-05-11 16:29 . 2007-08-20 13:38 26,376 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2008-05-11 16:29 . 2007-08-20 13:38 21,512 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-05-11 16:29 . 2007-08-20 13:38 21,128 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2008-05-11 16:28 . 2008-05-11 16:28 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-05-11 16:28 . 2008-05-11 16:28 <DIR> d-------- C:\Program Files\CA
2008-05-11 16:01 . 2008-05-11 16:01 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2008-05-11 15:50 . 2008-05-11 15:50 0 --------- C:\WINDOWS\WB.ini
2008-05-11 15:24 . 2008-05-19 09:34 59,904 --------- C:\WINDOWS\system32\urqNEWMC.dll
2008-05-11 14:09 . 2008-04-26 16:14 42,672 --a------ C:\WINDOWS\system32\wbsys.dll
2008-05-11 14:09 . 2005-01-22 18:05 20,480 --a------ C:\WINDOWS\system32\wbload.dll
2008-05-11 13:06 . 2008-05-11 13:06 <DIR> d-------- C:\Program Files\FileSubmitDotCom
2008-05-04 13:47 . 2008-05-04 13:47 <DIR> d-------- C:\Documents and Settings\Shelley\Application Data\SoundSpectrum
2008-05-03 20:49 . 2008-05-03 20:56 <DIR> d-------- C:\Documents and Settings\Randy\Application Data\SoundSpectrum
2008-04-19 15:05 . 2008-04-19 15:05 38,056,995 --a------ C:\WINDOWS\system32\SNAGIT7
2008-04-19 11:22 . 2008-04-19 11:22 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-04-19 11:22 . 2008-04-19 11:22 <DIR> d-------- C:\Program Files\Adobe Media Player
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-18 02:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-15 00:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-11 20:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\CA
2008-05-11 19:34 --------- d-----w C:\Documents and Settings\Randy\Application Data\Azureus
2008-05-04 00:56 --------- d-----w C:\Program Files\SoundSpectrum
2008-04-19 19:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-04-15 23:40 --------- d-----w C:\Documents and Settings\Randy\Application Data\dvdcss
2008-04-06 20:36 --------- d-----w C:\Documents and Settings\Randy\Application Data\vlc
2008-04-05 14:19 --------- d-----w C:\Program Files\Java
2008-03-28 01:14 --------- d-----w C:\Documents and Settings\Randy\Application Data\pdf995
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-26 02:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-26 02:15 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.
((((((((((((((((((((((((((((( snapshot@2008-05-17_15.56.17.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-17 19:45:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-19 14:12:07 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-17 19:45:37 220,382 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-05-19 14:12:46 220,382 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{300420F8-6C1B-416A-B0D5-3E26B41BDC6A}]
C:\WINDOWS\system32\nnnnNHwU.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3AF4FBDE-C350-415C-9235-687F954B7F0A}]
C:\WINDOWS\system32\ssqRIYrS.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{79809A62-D979-41C6-A7D6-4279256897B0}]
C:\WINDOWS\system32\pmnmjGaX.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9BE5ED41-142E-4C25-A3E2-2A9D220ECB93}]
C:\WINDOWS\system32\nnnnOeFV.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AEC58B68-6AD1-4D32-B380-77F197B1C36A}]
C:\WINDOWS\system32\geBuUlLD.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b1eaad20-8d85-4705-ad90-f0f930d0bc07}]
2008-05-13 21:34 133632 --a------ C:\WINDOWS\system32\frbrwjsn.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B8FE23A6-5A9A-496B-A40E-26BC0483E570}]
C:\WINDOWS\system32\xxyvwXRk.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F781623F-09FB-4D28-9B2E-3484469C826C}]
C:\WINDOWS\system32\qoMcdDUO.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"updateMgr"="D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"Aim6"="" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-06-29 01:09 32768]
"RoxioDragToDisc"="D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2004-01-27 17:39 1179648]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"cctray"="D:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-08-16 22:19 177416]
"QOELOADER"="D:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2008-05-11 16:29 14088]
"CAVRID"="D:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-08-20 13:36 230664]
"cafwc"="D:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-02-05 11:19 1193224]
"capfasem"="D:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-02-05 11:19 173320]
"capfupgrade"="D:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-02-05 11:19 259336]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="C:\WINDOWS\system32\mstask.exe" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="D:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 17:18 443968]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-07-14 15:16:00 113664]
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2005-06-29 01:09:28 32768]
AutoStart IR.lnk - D:\Program Files\WinTV\Ir.exe [2005-08-07 09:45:30 102455]
hp psc 2000 Series.lnk - D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-09 17:41:38 323646]
hpoddt01.exe.lnk - D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 18:11:12 28672]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 2007-05-18 13:30 79368 C:\WINDOWS\system32\UmxWNP.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"D:\\Program Files\\RRIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"D:\\Program Files\\Azureus\\Azureus.exe"=
"D:\\Program Files\\proeWildfire 2.0\\i486_nt\\obj\\xtop.exe"=
"D:\\Program Files\\proeWildfire 2.0\\i486_nt\\obj\\pro_comm_msg.exe"=
"D:\\Program Files\\proeWildfire 2.0\\i486_nt\\nms\\nmsd.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"D:\\Program Files\\Mozilla Firefox\\firefox.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:RSP
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys [2007-10-18 10:24]
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys [2007-05-18 13:30]
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys [2007-05-18 13:30]
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys [2007-10-18 14:21]
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys [2007-10-18 10:24]
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys [2007-11-02 12:09]
R2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe" [2007-10-18 10:24]
R2 UmxCfg;HIPS Configuration Interpreter;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe" [2007-10-18 10:24]
R2 UmxPol;HIPS Policy Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe" [2007-05-18 13:30]
R3 hcwPVRP2;Hauppauge WinTV-PVR PCI II (Encoder-16);C:\WINDOWS\system32\DRIVERS\hcwPVRP2.sys [2004-09-22 09:01]
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys [2007-09-13 15:15]
R3 PPCtlPriv;PPCtlPriv;"D:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe" [2007-08-16 21:10]
.
Contents of the 'Scheduled Tasks' folder
"2008-05-18 21:15:18 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Randy at 4 49 PM.job"
- D:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
"2006-07-24 00:28:22 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1145665591.job"
- d:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-05-07 17:16:00 C:\WINDOWS\Tasks\RoxioUpdator.job"
- C:\Program Files\Common Files\Roxio Shared\Autoupdater\autoupdater.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-19 10:14:42
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
D:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
D:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
D:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
D:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
.
**************************************************************************
.
Completion time: 2008-05-19 10:22:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-19 14:21:48
ComboFix2.txt 2008-05-17 20:00:59
Pre-Run: 4,129,468,416 bytes free
Post-Run: 4,124,364,800 bytes free
237 --- E O F --- 2008-05-17 02:20:42
HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:25:23 AM, on 5/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
D:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
D:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
D:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
D:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
D:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
D:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
D:\Program Files\WinTV\Ir.exe
D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
D:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
D:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
d:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\HPZipm12.exe
d:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HJT\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {300420F8-6C1B-416A-B0D5-3E26B41BDC6A} - C:\WINDOWS\system32\nnnnNHwU.dll (file missing)
O2 - BHO: (no name) - {3AF4FBDE-C350-415C-9235-687F954B7F0A} - C:\WINDOWS\system32\ssqRIYrS.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {79809A62-D979-41C6-A7D6-4279256897B0} - C:\WINDOWS\system32\pmnmjGaX.dll (file missing)
O2 - BHO: (no name) - {9BE5ED41-142E-4C25-A3E2-2A9D220ECB93} - C:\WINDOWS\system32\nnnnOeFV.dll (file missing)
O2 - BHO: (no name) - {AEC58B68-6AD1-4D32-B380-77F197B1C36A} - C:\WINDOWS\system32\geBuUlLD.dll (file missing)
O2 - BHO: {70cb0d03-9f0f-09da-5074-58d802daae1b} - {b1eaad20-8d85-4705-ad90-f0f930d0bc07} - C:\WINDOWS\system32\frbrwjsn.dll
O2 - BHO: (no name) - {B8FE23A6-5A9A-496B-A40E-26BC0483E570} - C:\WINDOWS\system32\xxyvwXRk.dll (file missing)
O2 - BHO: (no name) - {F781623F-09FB-4D28-9B2E-3484469C826C} - C:\WINDOWS\system32\qoMcdDUO.dll (file missing)
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [RoxioDragToDisc] "D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [cctray] "D:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [QOELOADER] "D:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [CAVRID] "D:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafwc] D:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] D:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] D:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\system32\mstask.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: AutoStart IR.lnk = D:\Program Files\WinTV\Ir.exe
O4 - Global Startup: hp psc 2000 Series.lnk = D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\RRIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {1ED48504-8834-11D5-AC75-0008C73FD642} (ProductView Express) - file://D:\Program Files\proeWildfire 2.0\i486_nt\obj\pvx_install.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123298872394
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CaCCProvSP - CA, Inc. - D:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - D:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PPCtlPriv - CA, Inc. - D:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - D:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
--
End of file - 10664 bytes
Thanks!
Hello,
Open Notepad ( this will only work in Notepad ), go to Start> All Programs> Assessories> Notepad and copy all the text inside the Code box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above File::
File::
C:\WINDOWS\system32\fabktujc.dll
C:\WINDOWS\system32\frbrwjsn.dll
C:\WINDOWS\system32\hbpfdgji.dll
C:\WINDOWS\system32\vyunrqcv.dll
C:\WINDOWS\system32\lwqfbxtm.dll
C:\WINDOWS\system32\ulwheeoi.dll
C:\WINDOWS\system32\urqNEWMC.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{300420F8-6C1B-416A-B0D5-3E26B41BDC6A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3AF4FBDE-C350-415C-9235-687F954B7F0A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{79809A62-D979-41C6-A7D6-4279256897B0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9BE5ED41-142E-4C25-A3E2-2A9D220ECB93}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AEC58B68-6AD1-4D32-B380-77F197B1C36A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b1eaad20-8d85-4705-ad90-f0f930d0bc07}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B8FE23A6-5A9A-496B-A40E-26BC0483E570}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F781623F-09FB-4D28-9B2E-3484469C826C}]
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Riveyman
2008-05-19, 22:52
Here are the 2 new logs the ComboFix and the new HJT log.
ComboFix log:
ComboFix 08-05-15.3 - Randy 2008-05-19 13:51:09.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.169 [GMT -4:00]
Running from: C:\Documents and Settings\Randy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Randy\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\system32\fabktujc.dll
C:\WINDOWS\system32\frbrwjsn.dll
C:\WINDOWS\system32\hbpfdgji.dll
C:\WINDOWS\system32\lwqfbxtm.dll
C:\WINDOWS\system32\ulwheeoi.dll
C:\WINDOWS\system32\urqNEWMC.dll
C:\WINDOWS\system32\vyunrqcv.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\fabktujc.dll
C:\WINDOWS\system32\frbrwjsn.dll
C:\WINDOWS\system32\hbpfdgji.dll
C:\WINDOWS\system32\lwqfbxtm.dll
C:\WINDOWS\system32\ulwheeoi.dll
C:\WINDOWS\system32\urqNEWMC.dll
C:\WINDOWS\system32\vyunrqcv.dll
.
((((((((((((((((((((((((( Files Created from 2008-04-19 to 2008-05-19 )))))))))))))))))))))))))))))))
.
2008-05-19 09:21 . 2008-05-19 09:21 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-19 09:21 . 2008-05-19 09:21 <DIR> d-------- C:\Documents and Settings\Randy\Application Data\Malwarebytes
2008-05-19 09:21 . 2008-05-19 09:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-19 09:21 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-19 09:21 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-19 09:00 . 2008-05-19 09:00 <DIR> d-------- C:\VundoFix Backups
2008-05-19 08:10 . 2008-05-19 10:25 <DIR> d-------- C:\Program Files\HJT
2008-05-17 16:32 . 2008-05-17 16:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-17 16:31 . 2008-05-17 16:31 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-17 14:16 . 2008-05-17 14:17 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-17 14:11 . 2008-05-17 14:56 <DIR> d-------- C:\SDFix
2008-05-16 22:20 . 2008-05-16 22:20 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-05-16 19:06 . 2008-05-16 19:06 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-14 05:41 . 2008-05-14 05:41 880,432 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2008-05-14 05:41 . 2008-05-14 05:41 108,368 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2008-05-13 22:32 . 2008-05-13 22:31 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-13 22:32 . 2008-05-13 22:32 2,546 --a------ C:\WINDOWS\unins000.dat
2008-05-12 19:59 . 2008-05-19 08:12 109,857 --a------ C:\WINDOWS\BM237a43cf.xml
2008-05-11 22:35 . 2008-05-19 10:11 91,020 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2008-05-11 22:35 . 2008-05-19 10:11 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2008-05-11 22:35 . 2008-05-19 10:11 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2008-05-11 22:35 . 2008-05-19 10:11 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2008-05-11 22:35 . 2008-05-19 10:11 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2008-05-11 22:35 . 2008-05-19 10:11 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2008-05-11 22:35 . 2008-05-19 10:11 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2008-05-11 22:35 . 2008-05-19 10:11 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2008-05-11 16:29 . 2007-08-20 13:37 99,592 --a------ C:\WINDOWS\system32\isafeif.dll
2008-05-11 16:29 . 2007-08-20 13:26 79,424 --a------ C:\WINDOWS\system32\vetredir.dll
2008-05-11 16:29 . 2007-08-20 13:37 75,016 --a------ C:\WINDOWS\system32\isafprod.dll
2008-05-11 16:29 . 2007-08-20 13:38 32,264 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-05-11 16:29 . 2007-08-20 13:38 26,376 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2008-05-11 16:29 . 2007-08-20 13:38 21,512 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-05-11 16:29 . 2007-08-20 13:38 21,128 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2008-05-11 16:28 . 2008-05-11 16:28 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-05-11 16:28 . 2008-05-11 16:28 <DIR> d-------- C:\Program Files\CA
2008-05-11 16:01 . 2008-05-11 16:01 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2008-05-11 15:50 . 2008-05-11 15:50 0 --------- C:\WINDOWS\WB.ini
2008-05-11 14:09 . 2008-04-26 16:14 42,672 --a------ C:\WINDOWS\system32\wbsys.dll
2008-05-11 14:09 . 2005-01-22 18:05 20,480 --a------ C:\WINDOWS\system32\wbload.dll
2008-05-11 13:06 . 2008-05-11 13:06 <DIR> d-------- C:\Program Files\FileSubmitDotCom
2008-05-04 13:47 . 2008-05-04 13:47 <DIR> d-------- C:\Documents and Settings\Shelley\Application Data\SoundSpectrum
2008-05-03 20:49 . 2008-05-03 20:56 <DIR> d-------- C:\Documents and Settings\Randy\Application Data\SoundSpectrum
2008-04-19 15:05 . 2008-04-19 15:05 38,056,995 --a------ C:\WINDOWS\system32\SNAGIT7
2008-04-19 11:22 . 2008-04-19 11:22 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-04-19 11:22 . 2008-04-19 11:22 <DIR> d-------- C:\Program Files\Adobe Media Player
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-18 02:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-15 00:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-11 20:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\CA
2008-05-11 19:34 --------- d-----w C:\Documents and Settings\Randy\Application Data\Azureus
2008-05-04 00:56 --------- d-----w C:\Program Files\SoundSpectrum
2008-04-19 19:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-04-15 23:40 --------- d-----w C:\Documents and Settings\Randy\Application Data\dvdcss
2008-04-06 20:36 --------- d-----w C:\Documents and Settings\Randy\Application Data\vlc
2008-04-05 14:19 --------- d-----w C:\Program Files\Java
2008-03-28 01:14 --------- d-----w C:\Documents and Settings\Randy\Application Data\pdf995
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-26 02:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-26 02:15 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.
((((((((((((((((((((((((((((( snapshot@2008-05-17_15.56.17.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-17 19:45:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-19 14:12:07 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-17 19:45:37 220,382 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-05-19 14:16:36 220,378 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"updateMgr"="D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"Aim6"="" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-06-29 01:09 32768]
"RoxioDragToDisc"="D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2004-01-27 17:39 1179648]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"cctray"="D:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-08-16 22:19 177416]
"QOELOADER"="D:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2008-05-11 16:29 14088]
"CAVRID"="D:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-08-20 13:36 230664]
"cafwc"="D:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-02-05 11:19 1193224]
"capfasem"="D:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-02-05 11:19 173320]
"capfupgrade"="D:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-02-05 11:19 259336]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="C:\WINDOWS\system32\mstask.exe" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="D:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 17:18 443968]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-07-14 15:16:00 113664]
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2005-06-29 01:09:28 32768]
AutoStart IR.lnk - D:\Program Files\WinTV\Ir.exe [2005-08-07 09:45:30 102455]
hp psc 2000 Series.lnk - D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-09 17:41:38 323646]
hpoddt01.exe.lnk - D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 18:11:12 28672]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 2007-05-18 13:30 79368 C:\WINDOWS\system32\UmxWNP.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"D:\\Program Files\\RRIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"D:\\Program Files\\Azureus\\Azureus.exe"=
"D:\\Program Files\\proeWildfire 2.0\\i486_nt\\obj\\xtop.exe"=
"D:\\Program Files\\proeWildfire 2.0\\i486_nt\\obj\\pro_comm_msg.exe"=
"D:\\Program Files\\proeWildfire 2.0\\i486_nt\\nms\\nmsd.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"D:\\Program Files\\Mozilla Firefox\\firefox.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:RSP
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys [2007-10-18 10:24]
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys [2007-05-18 13:30]
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys [2007-05-18 13:30]
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys [2007-10-18 14:21]
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys [2007-10-18 10:24]
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys [2007-11-02 12:09]
R2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe" [2007-10-18 10:24]
R2 UmxCfg;HIPS Configuration Interpreter;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe" [2007-10-18 10:24]
R2 UmxPol;HIPS Policy Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe" [2007-05-18 13:30]
R3 hcwPVRP2;Hauppauge WinTV-PVR PCI II (Encoder-16);C:\WINDOWS\system32\DRIVERS\hcwPVRP2.sys [2004-09-22 09:01]
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys [2007-09-13 15:15]
R3 PPCtlPriv;PPCtlPriv;"D:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe" [2007-08-16 21:10]
.
Contents of the 'Scheduled Tasks' folder
"2008-05-18 21:15:18 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Randy at 4 49 PM.job"
- D:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
"2006-07-24 00:28:22 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1145665591.job"
- d:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
"2008-05-07 17:16:00 C:\WINDOWS\Tasks\RoxioUpdator.job"
- C:\Program Files\Common Files\Roxio Shared\Autoupdater\autoupdater.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-19 13:59:54
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-05-19 14:03:50
ComboFix-quarantined-files.txt 2008-05-19 18:03:16
ComboFix2.txt 2008-05-19 14:22:53
ComboFix3.txt 2008-05-17 20:00:59
Pre-Run: 4,106,940,416 bytes free
Post-Run: 4,098,154,496 bytes free
201 --- E O F --- 2008-05-17 02:20:42
Latest HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:46:42 PM, on 5/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
D:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
D:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\devldr32.exe
D:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
D:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
D:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
D:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
D:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
D:\Program Files\WinTV\Ir.exe
D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
D:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
d:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
d:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\explorer.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HJT\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [RoxioDragToDisc] "D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [cctray] "D:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [QOELOADER] "D:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [CAVRID] "D:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafwc] D:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] D:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] D:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\system32\mstask.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: AutoStart IR.lnk = D:\Program Files\WinTV\Ir.exe
O4 - Global Startup: hp psc 2000 Series.lnk = D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\RRIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {1ED48504-8834-11D5-AC75-0008C73FD642} (ProductView Express) - file://D:\Program Files\proeWildfire 2.0\i486_nt\obj\pvx_install.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123298872394
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CaCCProvSP - CA, Inc. - D:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - D:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PPCtlPriv - CA, Inc. - D:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - D:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
--
End of file - 9799 bytes
Looking good :bigthumb: Good job following all the instructions, they can be a bit overwhelming if your not used to them.
Your Java is out of date and leaving your system vulnerable.
Go to your Add-Remove Programs in the Control Panel and uninstall any previous versions of Java (J2SE Runtime Environment)
It should have an icon next to it:
http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.jpg
Select it and click Remove.
Reboot your system.
Then go to the Sun Microsystems (http://java.sun.com/javase/downloads/index.jsp) and install the update
Java Runtime Environment (JRE) 6 Update 6 <--This is what you need to download and install.
If you chose the online installation, it will prompt you to run the program.
If you chose the offline installation, you will be prompted to save the file and you can run it from wherever you saved it.
Then after install you can verify your installation here Sun Java Verify (http://www.java.com/en/download/manual.jsp)
I like to to do the offline installation and save the setup file in case I may need it in the future
Run this free cleaner program, I run this on my own systems a few times a month.
Download CCleaner from here (http://www.ccleaner.com/) to clean temp files from your computer.
Double click on the file to start the installation of the program.
Select your language and click OK, then next.
Read the license agreement and click I Agree.
Click next to use the default install location. Click Install then finish to complete installation.
Double click the CCleaner shortcut on the desktop to start the program.
On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
Click on the "Options" icon at the left side of the window, then click on "Advanced."
deselect "Only delete files in Windows Temp folders older than 48 hours."
Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
After CCleaner has completed its process, click Exit.
*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!
**Note** Go to Options> Cookies and any you want to keep move them to The Keep window
How is your system behaving now ??????????
Riveyman
2008-05-20, 02:38
:2thumb: THANK YOU!!! THANK YOU!!!! :2thumb:
Everything is running smooth. I've updated the Java as you suggested, didn't realize it was out of date.
Again, Thanks a million for you assistance ....
Thats great...If your happy than I'm happy :bigthumb:
Some reading for you written by all the experts in the security field
How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Safe Surfn
Ken