View Full Version : Another Virtumonde.dll
I followed all the steps you said to take. I did Kaspersky rebooted into safe mode and ran S&D 24 times but Virtumonde.dll kept coming up.
Here are the logs for Kasper and HJT. This is a computer I use in my home bussiness. Any fast help would be great.
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, May 19, 2008 8:42:49 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 19/05/2008
Kaspersky Anti-Virus database records: 786770
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 72633
Number of viruses found: 20
Number of infected objects: 60
Number of suspicious objects: 0
Duration of the scan process: 01:22:59
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-05162008-010439.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\6322e07f-470f0e25.bac_a49788/Counter.class Infected: Trojan.Java.ClassLoader.i skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\6322e07f-470f0e25.bac_a49788/VerifierBug.class Infected: Trojan.Java.ClassLoader.k skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\6322e07f-470f0e25.bac_a49788/Beyond.class Infected: Trojan.Java.ClassLoader.k skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\6322e07f-470f0e25.bac_a49788 ZIP: infected - 3 skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\6322e07f-470f0e25.bac_a49788 CryptFF.b: infected - 3 skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\AutoUpdateWin31.dll.bac_a49788 Infected: not-a-virus:AdWare.Win32.Agent.bm skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\AutoUpdateWin32.exe.bac_a49788 Infected: not-a-virus:AdWare.Win32.Agent.ed skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\golden-keylogger.zip.bac_a49788/GoldenKeylogger-setup.exe/stream/data0009 Infected: not-a-virus:Monitor.Win32.GoldenKeylogger.130 skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\golden-keylogger.zip.bac_a49788/GoldenKeylogger-setup.exe/stream/data0010 Infected: not-a-virus:Monitor.Win32.GoldenKeylogger.132 skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\golden-keylogger.zip.bac_a49788/GoldenKeylogger-setup.exe/stream/data0013 Infected: not-a-virus:Monitor.Win32.GoldenKeylogger.150 skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\golden-keylogger.zip.bac_a49788/GoldenKeylogger-setup.exe/stream/data0014 Infected: not-a-virus:Monitor.Win32.GoldenKeylogger.130 skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\golden-keylogger.zip.bac_a49788/GoldenKeylogger-setup.exe/stream Infected: not-a-virus:Monitor.Win32.GoldenKeylogger.130 skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\golden-keylogger.zip.bac_a49788/GoldenKeylogger-setup.exe Infected: not-a-virus:Monitor.Win32.GoldenKeylogger.130 skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\golden-keylogger.zip.bac_a49788 ZIP: infected - 6 skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\golden-keylogger.zip.bac_a49788 CryptFF.b: infected - 6 skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\GoldenKeylogger-setup.exe.bac_a49788/stream/data0009 Infected: not-a-virus:Monitor.Win32.GoldenKeylogger.130 skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\GoldenKeylogger-setup.exe.bac_a49788/stream/data0010 Infected: not-a-virus:Monitor.Win32.GoldenKeylogger.132 skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\GoldenKeylogger-setup.exe.bac_a49788/stream/data0013 Infected: not-a-virus:Monitor.Win32.GoldenKeylogger.150 skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\GoldenKeylogger-setup.exe.bac_a49788/stream/data0014 Infected: not-a-virus:Monitor.Win32.GoldenKeylogger.130 skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\GoldenKeylogger-setup.exe.bac_a49788/stream Infected: not-a-virus:Monitor.Win32.GoldenKeylogger.130 skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\GoldenKeylogger-setup.exe.bac_a49788 NSIS: infected - 5 skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\GoldenKeylogger-setup.exe.bac_a49788 CryptFF.b: infected - 5 skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\run.exe.bac_a49788 Infected: Trojan-Downloader.Win32.Zlob.cux skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\UFO Extraterrestrials.zip.bac_a49788/run.exe Infected: Trojan-Downloader.Win32.Zlob.cux skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\UFO Extraterrestrials.zip.bac_a49788 ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\UFO Extraterrestrials.zip.bac_a49788 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\WindowsUpdates.exe.bac_a49788 Infected: not-a-virus:AdWare.Win32.Agent.bm skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008051920080520\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\.tt288.tmp/stream/data0007 Infected: not-a-virus:FraudTool.Win32.WinFixer.g skipped
C:\Documents and Settings\Owner\Local Settings\Temp\.tt288.tmp/stream Infected: not-a-virus:FraudTool.Win32.WinFixer.g skipped
C:\Documents and Settings\Owner\Local Settings\Temp\.tt288.tmp NSIS: infected - 2 skipped
C:\Documents and Settings\Owner\Local Settings\Temp\pqeftn24v1.dat/stream/Script Infected: Trojan.Win32.Vapsup.epc skipped
C:\Documents and Settings\Owner\Local Settings\Temp\pqeftn24v1.dat/stream Infected: Trojan.Win32.Vapsup.epc skipped
C:\Documents and Settings\Owner\Local Settings\Temp\pqeftn24v1.dat NSIS: infected - 2 skipped
C:\Documents and Settings\Owner\Local Settings\Temp\printsrv32.exe Infected: Trojan.Win32.Agent.mtm skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ATCCJMQ4\css4[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.sfp skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZVCKDAS4\AtnvrsInstall[1].exe Infected: not-a-virus:Downloader.Win32.FraudLoad.ar skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Downloads\actualspy.exe/file02 Infected: not-a-virus:Monitor.Win32.ActualSpy.aj skipped
C:\Program Files\Downloads\actualspy.exe/file06 Infected: not-a-virus:Monitor.Win32.ActualSpy.aj skipped
C:\Program Files\Downloads\actualspy.exe/file07 Infected: not-a-virus:Monitor.Win32.ActualSpy.aj skipped
C:\Program Files\Downloads\actualspy.exe Inno: infected - 3 skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
C:\System Volume Information\catalog.wci\00010003.ci Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{157321A7-45C1-4658-8EFB-7936375C39EB}\RP302\A0039620.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.saw skipped
C:\System Volume Information\_restore{157321A7-45C1-4658-8EFB-7936375C39EB}\RP302\A0039621.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.saw skipped
C:\System Volume Information\_restore{157321A7-45C1-4658-8EFB-7936375C39EB}\RP302\A0039622.dll Infected: Trojan-Downloader.Win32.Mutant.xc skipped
C:\System Volume Information\_restore{157321A7-45C1-4658-8EFB-7936375C39EB}\RP303\A0039708.dll Infected: Trojan-Downloader.Win32.Mutant.yf skipped
C:\System Volume Information\_restore{157321A7-45C1-4658-8EFB-7936375C39EB}\RP303\A0039709.dll Infected: Trojan-Downloader.Win32.Mutant.xc skipped
C:\System Volume Information\_restore{157321A7-45C1-4658-8EFB-7936375C39EB}\RP303\A0039721.sys Infected: Trojan-Dropper.Win32.Agent.ror skipped
C:\System Volume Information\_restore{157321A7-45C1-4658-8EFB-7936375C39EB}\RP303\A0040708.dll Infected: Trojan-Downloader.Win32.Mutant.yf skipped
C:\System Volume Information\_restore{157321A7-45C1-4658-8EFB-7936375C39EB}\RP303\A0040709.dll Infected: Trojan-Downloader.Win32.Mutant.xc skipped
C:\System Volume Information\_restore{157321A7-45C1-4658-8EFB-7936375C39EB}\RP303\A0040714.sys Infected: Trojan-Dropper.Win32.Agent.ror skipped
C:\System Volume Information\_restore{157321A7-45C1-4658-8EFB-7936375C39EB}\RP303\change.log Object is locked skipped
C:\WINDOWS\AutoUpdateWin33.exe Infected: not-a-virus:AdWare.Win32.Agent.bm skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\exnk.exe Infected: Trojan.Win32.Vapsup.ffz skipped
C:\WINDOWS\fvowketqgbv.dll Infected: Trojan.Win32.Vapsup.ffz skipped
C:\WINDOWS\mpfanvqg.dll Infected: Trojan.Win32.Vapsup.ffz skipped
C:\WINDOWS\oadkxrts.exe Infected: Trojan.Win32.Vapsup.ffz skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\puD00.sys Object is locked skipped
C:\WINDOWS\system32\drivers\Qmu81.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\geBqNhig.dll Infected: Trojan-Downloader.Win32.ConHook.rg skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\jfcedjxx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.saw skipped
C:\WINDOWS\system32\urqQkHyA.dll Infected: Trojan-Downloader.Win32.ConHook.rg skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\WinCtrl32.dll Infected: Trojan-Downloader.Win32.Mutant.yf skipped
C:\WINDOWS\system32\WinCtrl32.dl_ Infected: Trojan-Downloader.Win32.Mutant.yf skipped
C:\WINDOWS\system32\WLCtrl32.dll Infected: Trojan-Downloader.Win32.Mutant.xc skipped
C:\WINDOWS\Temp\Perflib_Perfdata_5d0.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_ee4.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
Scan process completed.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:37 AM, on 5/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\ATI Technologies\ATI.ACE\DualCoreCenter.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {2E529F87-2B52-438C-9E7C-7D0A0DD910BA} - C:\WINDOWS\system32\urqQkHyA.dll
O2 - BHO: (no name) - {2E8DEFA4-1389-405F-9925-AE262CEFA3FD} - C:\WINDOWS\system32\awtstUlK.dll (file missing)
O2 - BHO: (no name) - {30DC0B54-9E70-48B6-B92D-02B2DB7D856B} - (no file)
O2 - BHO: (no name) - {3CD84D09-7E99-403F-9694-BF5336DBDC7A} - C:\WINDOWS\system32\urqOGWNd.dll (file missing)
O2 - BHO: QXK Rhythm - {4E7E9FB8-7954-4B15-86BC-5E8D5549047A} - C:\WINDOWS\fvowketqgbv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6EFC8BFA-5F55-4870-AAB1-0B30D59BAB80} - C:\WINDOWS\system32\hgGvuSml.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Internet Security Class - {A75E294E-C047-4D29-B07E-37B792881BEF} - (no file)
O3 - Toolbar: pvnsmfor - {91549F7B-90F9-4BBA-8599-7515EB4D87C1} - C:\WINDOWS\pvnsmfor.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Secure] C:\WINDOWS\WindowsUpdates.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: DualCoreCenter.lnk = C:\Program Files\ATI Technologies\ATI.ACE\StartUpDualCoreCenter.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188352149406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1210914041995
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u2-windows-i586-jc.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5296/mcfscan.cab
O20 - Winlogon Notify: urqQkHyA - C:\WINDOWS\SYSTEM32\urqQkHyA.dll
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O21 - SSODL: mpfanvqg - {0DE2A432-1371-4282-AE21-BB5292B9D24B} - C:\WINDOWS\mpfanvqg.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: CD Guard Drivers Auto Removal (v1) (psrem01) - Protection Technology - C:\WINDOWS\system32\psrem01.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
--
End of file - 7701 bytes
Please let me know what to do. Thanks a bunch, you guys are great.
Hello Slavik
Welcome to Safer Networking.
Please read Before YouPost (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.
Let me tell ya if you already didn't know but you have a real mess going on.
Run these programs in the order listed please, I need to see the report for each program and after you run the last program ( Combofix) then post a new HJT log.
Download VundoFix (http://www.atribune.org/ccount/click.php?id=4 ) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a Hijackthis log.
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or Here (http://subs.geekstogo.com/ComboFix.exe) to your Desktop.
In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re enable the protection again afterwards before connecting to the net
2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
IF you have not already done so Combofix will disconnect your machine from the Internet when it starts.
If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review
I need to see the Vundofix log, the Malwarebytes log , the Combofix log and a new HJT log please
I ran the Vudofix.exe and it told me there were no infections.
I installed the malwarebytes' anti-malware and had update and launch checked then it game me:
Run-time error '372':
Failed to load control 'TabStrip' from COMCTL32.OCX. Your version of CMCTL32.OCX may be outdated. Make sure you are using the version of the control that was provided with your application.
What does that mean? I have a ligit copy of windows.
What do I do next?
Hi,
Run this one and then Combofix
Please download SuperAntiSpyware Free (http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE)
Install the program
Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.
Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next <-- Important
Then, click Finish
It is possible that the program asks to reboot in order to delete some files.
Obtain the SuperAntiSpyware log as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)
Please provide the SuperAntiSpyware log in your reply, as well as a new HijackThis log.
Okay I did what you asked
Installed Super AntiSpyware Free and ran it
Then did combfix then did hijack this again. Here are the logs for all of them.
Thanks
Josh
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 05/21/2008 at 02:34 PM
Application Version : 4.1.1046
Core Rules Database Version : 3465
Trace Rules Database Version: 1456
Scan type : Complete Scan
Total Scan Time : 00:15:55
Memory items scanned : 455
Memory threats detected : 8
Registry items scanned : 4318
Registry threats detected : 66
File items scanned : 14206
File threats detected : 76
Trojan.Vundo-Variant/Small
C:\WINDOWS\SYSTEM32\KXMYAOSX.DLL
C:\WINDOWS\SYSTEM32\KXMYAOSX.DLL
C:\WINDOWS\SYSTEM32\VNNGNULS.DLL
C:\WINDOWS\SYSTEM32\VNNGNULS.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2E529F87-2B52-438C-9E7C-7D0A0DD910BA}
HKCR\CLSID\{2E529F87-2B52-438C-9E7C-7D0A0DD910BA}
HKCR\CLSID\{2E529F87-2B52-438C-9E7C-7D0A0DD910BA}\InprocServer32
HKCR\CLSID\{2E529F87-2B52-438C-9E7C-7D0A0DD910BA}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CF334F2F-BF3D-4652-9250-31A47C8CE726}
HKCR\CLSID\{CF334F2F-BF3D-4652-9250-31A47C8CE726}
HKCR\CLSID\{CF334F2F-BF3D-4652-9250-31A47C8CE726}\InprocServer32
HKCR\CLSID\{CF334F2F-BF3D-4652-9250-31A47C8CE726}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{2E529F87-2B52-438C-9E7C-7D0A0DD910BA}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\urqQkHyA
C:\WINDOWS\SYSTEM32\GEBQNHIG.DLL
C:\WINDOWS\SYSTEM32\HVNBPHFD.DLL
C:\WINDOWS\SYSTEM32\JFCEDJXX.DLL
C:\WINDOWS\SYSTEM32\MCAFSYLY.DLL
Trojan.Vundo-Variant/Small-GEN
C:\WINDOWS\SYSTEM32\URQQKHYA.DLL
C:\WINDOWS\SYSTEM32\URQQKHYA.DLL
Trojan.Unclassified/Dropper-WinNT32
C:\WINDOWS\SYSTEM32\WINCTRL32.DLL
C:\WINDOWS\SYSTEM32\WINCTRL32.DLL
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\WinCtrl32
Rootkit.Runtime3/Mutant-A
C:\WINDOWS\SYSTEM32\WLCTRL32.DLL
C:\WINDOWS\SYSTEM32\WLCTRL32.DLL
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\WLCtrl32
Adware.VideoAccessCodec/Gen
C:\WINDOWS\MPFANVQG.DLL
C:\WINDOWS\MPFANVQG.DLL
Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\JKKHARRJ.DLL
C:\WINDOWS\SYSTEM32\JKKHARRJ.DLL
Trojan.Dropper/BHONew
C:\WINDOWS\FVOWKETQGBV.DLL
C:\WINDOWS\FVOWKETQGBV.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4E7E9FB8-7954-4B15-86BC-5E8D5549047A}
HKCR\CLSID\{4E7E9FB8-7954-4B15-86BC-5E8D5549047A}
HKCR\CLSID\{4E7E9FB8-7954-4B15-86BC-5E8D5549047A}
HKCR\CLSID\{4E7E9FB8-7954-4B15-86BC-5E8D5549047A}\InprocServer32
HKCR\CLSID\{4E7E9FB8-7954-4B15-86BC-5E8D5549047A}\InprocServer32#ThreadingModel
HKCR\CLSID\{4E7E9FB8-7954-4B15-86BC-5E8D5549047A}\ProgID
HKCR\CLSID\{4E7E9FB8-7954-4B15-86BC-5E8D5549047A}\Programmable
HKCR\CLSID\{4E7E9FB8-7954-4B15-86BC-5E8D5549047A}\TypeLib
HKCR\CLSID\{4E7E9FB8-7954-4B15-86BC-5E8D5549047A}\VersionIndependentProgID
Trojan.Unclassified/GTS
HKLM\Software\Classes\CLSID\{91549F7B-90F9-4BBA-8599-7515EB4D87C1}
HKCR\CLSID\{91549F7B-90F9-4BBA-8599-7515EB4D87C1}
HKCR\CLSID\{91549F7B-90F9-4BBA-8599-7515EB4D87C1}
HKCR\CLSID\{91549F7B-90F9-4BBA-8599-7515EB4D87C1}\InprocServer32
HKCR\CLSID\{91549F7B-90F9-4BBA-8599-7515EB4D87C1}\InprocServer32#ThreadingModel
HKCR\CLSID\{91549F7B-90F9-4BBA-8599-7515EB4D87C1}\ProgID
HKCR\CLSID\{91549F7B-90F9-4BBA-8599-7515EB4D87C1}\Programmable
HKCR\CLSID\{91549F7B-90F9-4BBA-8599-7515EB4D87C1}\TypeLib
HKCR\CLSID\{91549F7B-90F9-4BBA-8599-7515EB4D87C1}\VersionIndependentProgID
C:\WINDOWS\PVNSMFOR.DLL
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{91549F7B-90F9-4BBA-8599-7515EB4D87C1}
HKCR\pvnsmfor.1
HKCR\pvnsmfor
HKCR\TypeLib\{9209A88A-455F-4DE4-97D9-0B32E537DBF7}
HKCR\TypeLib\{9209A88A-455F-4DE4-97D9-0B32E537DBF7}\1.0
HKCR\TypeLib\{9209A88A-455F-4DE4-97D9-0B32E537DBF7}\1.0\0
HKCR\TypeLib\{9209A88A-455F-4DE4-97D9-0B32E537DBF7}\1.0\0\win32
HKCR\TypeLib\{9209A88A-455F-4DE4-97D9-0B32E537DBF7}\1.0\FLAGS
HKCR\TypeLib\{9209A88A-455F-4DE4-97D9-0B32E537DBF7}\1.0\HELPDIR
Trojan.Downloader-ChinaHot
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A75E294E-C047-4D29-B07E-37B792881BEF}
HKCR\TypeLib\{97641909-2311-4513-8581-F5C84B3F05F2}
HKCR\TypeLib\{97641909-2311-4513-8581-F5C84B3F05F2}\1.0
HKCR\TypeLib\{97641909-2311-4513-8581-F5C84B3F05F2}\1.0\0
HKCR\TypeLib\{97641909-2311-4513-8581-F5C84B3F05F2}\1.0\0\win32
HKCR\TypeLib\{97641909-2311-4513-8581-F5C84B3F05F2}\1.0\FLAGS
HKCR\TypeLib\{97641909-2311-4513-8581-F5C84B3F05F2}\1.0\HELPDIR
HKCR\Interface\{1D2CC793-B043-4DD2-A52C-3D9ADE61BBBD}
HKCR\Interface\{1D2CC793-B043-4DD2-A52C-3D9ADE61BBBD}\ProxyStubClsid
HKCR\Interface\{1D2CC793-B043-4DD2-A52C-3D9ADE61BBBD}\ProxyStubClsid32
HKCR\Interface\{1D2CC793-B043-4DD2-A52C-3D9ADE61BBBD}\TypeLib
HKCR\Interface\{1D2CC793-B043-4DD2-A52C-3D9ADE61BBBD}\TypeLib#Version
Rootkit.RunTime3/WinCtrl32
HKLM\System\ControlSet001\Services\puD00
C:\WINDOWS\SYSTEM32\DRIVERS\PUD00.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_puD00
HKLM\System\ControlSet002\Services\puD00
HKLM\System\ControlSet002\Enum\Root\LEGACY_puD00
HKLM\System\CurrentControlSet\Services\puD00
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_puD00
C:\SYSTEM VOLUME INFORMATION\_RESTORE{157321A7-45C1-4658-8EFB-7936375C39EB}\RP303\A0039721.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{157321A7-45C1-4658-8EFB-7936375C39EB}\RP303\A0040714.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{157321A7-45C1-4658-8EFB-7936375C39EB}\RP303\A0040791.SYS
Rootkit.Runtime3/Mutant
HKLM\System\ControlSet001\Services\Qmu81
C:\WINDOWS\SYSTEM32\DRIVERS\QMU81.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_Qmu81
HKLM\System\ControlSet002\Services\Qmu81
HKLM\System\ControlSet002\Enum\Root\LEGACY_Qmu81
HKLM\System\CurrentControlSet\Services\Qmu81
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_Qmu81
C:\SYSTEM VOLUME INFORMATION\_RESTORE{157321A7-45C1-4658-8EFB-7936375C39EB}\RP303\A0040790.SYS
Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@www.googleadservices[1].txt
C:\Documents and Settings\Owner\Cookies\owner@xxxstreamonline[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.zanox-affiliate[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.findlegalforms[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.findlegalforms[4].txt
C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt
C:\Documents and Settings\Owner\Cookies\owner@gomyhit[3].txt
C:\Documents and Settings\Owner\Cookies\owner@kontera[2].txt
C:\Documents and Settings\Owner\Cookies\owner@gomyhit[2].txt
C:\Documents and Settings\Owner\Cookies\owner@questionmarket[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.system-defender[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.findlegalforms[3].txt
C:\Documents and Settings\Owner\Cookies\owner@sexsearchcom[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.findlegalforms[5].txt
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt
C:\Documents and Settings\Owner\Cookies\owner@xxxstreamonline[2].txt
C:\Documents and Settings\Owner\Cookies\owner@specificclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@zedo[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.findlegalforms[1].txt
C:\Documents and Settings\Owner\Cookies\owner@findlegalforms[2].txt
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
C:\Documents and Settings\Owner\Cookies\owner@linksynergy[1].txt
C:\Documents and Settings\Owner\Cookies\owner@msnportal.112.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@CAB3X6NL.txt
C:\Documents and Settings\Owner\Cookies\owner@wt.sexsearch[1].txt
C:\Documents and Settings\Owner\Cookies\owner@tour.sexsearchcom[1].txt
C:\Documents and Settings\Owner\Cookies\owner@tradedoubler[1].txt
C:\Documents and Settings\Owner\Cookies\owner@antivirus-scanner[1].txt
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@82.98.235[1].txt
C:\Documents and Settings\Owner\Cookies\owner@statse.webtrendslive[1].txt
C:\Documents and Settings\Owner\Cookies\owner@statse.webtrendslive[2].txt
C:\Documents and Settings\Owner\Cookies\owner@statse.webtrendslive[9].txt
C:\Documents and Settings\Owner\Cookies\owner@statse.webtrendslive[7].txt
C:\Documents and Settings\Owner\Cookies\owner@statse.webtrendslive[8].txt
C:\Documents and Settings\Owner\Cookies\owner@statse.webtrendslive[5].txt
C:\Documents and Settings\Owner\Cookies\owner@statse.webtrendslive[6].txt
C:\Documents and Settings\Owner\Cookies\owner@statse.webtrendslive[3].txt
C:\Documents and Settings\Owner\Cookies\owner@statse.webtrendslive[4].txt
C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ehg-pcsecurityshield.hitbox[2].txt
C:\Documents and Settings\Owner\Cookies\owner@hitbox[2].txt
C:\Documents and Settings\Owner\Cookies\owner@statse.webtrendslive[10].txt
Desktop Hijacker.AboutYourPrivacy
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\images
C:\WINDOWS\privacy_danger\index.htm
C:\WINDOWS\privacy_danger
Toolbar.PVNSMFOR
HKCR\pvnsmfor.ToolBar.1
HKCR\pvnsmfor.ToolBar.1\CLSID
Trojan.Net-VBK/NMC
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#mpfanvqg [ {0DE2A432-1371-4282-AE21-BB5292B9D24B} ]
Rogue.AdvancedXPDefender
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\.TT288.TMP
Trojan.Unclassified/PrintSrv32
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\PRINTSRV32.EXE
Rogue.Antivirus 2008/Installer
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\ZVCKDAS4\ATNVRSINSTALL[1].EXE
Keylogger.Actual Spy
C:\PROGRAM FILES\DOWNLOADS\ACTUALSPY.EXE
Adware.VideoAccessCodec-Gen
C:\WINDOWS\EXNK.EXE
C:\WINDOWS\Prefetch\EXNK.EXE-191A398D.pf
Trojan.Unclassified/Dropper
C:\WINDOWS\OADKXRTS.EXE
ComboFix 08-05-20.5 - Owner 2008-05-21 15:00:49.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.632 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\cookies.ini
C:\WINDOWS\rs.txt
C:\WINDOWS\system32\dfhpbnvh.ini
C:\WINDOWS\system32\dNWGOqru.ini
C:\WINDOWS\system32\dNWGOqru.ini2
C:\WINDOWS\system32\JRrAHkkj.ini
C:\WINDOWS\system32\JRrAHkkj.ini2
C:\WINDOWS\system32\KlUtstwa.ini
C:\WINDOWS\system32\KlUtstwa.ini2
C:\WINDOWS\system32\lmSuvGgh.ini
C:\WINDOWS\system32\lmSuvGgh.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\qenwtfhx.ini
C:\WINDOWS\system32\rdophawq.ini
C:\WINDOWS\system32\slungnnv.ini
C:\WINDOWS\system32\xsoaymxk.ini
C:\WINDOWS\system32\xxjdecfj.ini
C:\WINDOWS\system32\ylysfacm.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_IPRIP
-------\Legacy_OULTRAF
-------\Service_Iprip
-------\Service_oUltraf
((((((((((((((((((((((((( Files Created from 2008-04-21 to 2008-05-21 )))))))))))))))))))))))))))))))
.
2008-05-21 14:17 . 2008-05-21 14:17 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-21 14:17 . 2008-05-21 14:17 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-05-21 14:17 . 2008-05-21 14:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-20 22:21 . 2008-05-20 22:22 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-20 22:21 . 2008-05-20 22:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-20 22:21 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-20 22:21 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-20 22:03 . 2008-05-20 22:03 <DIR> d-------- C:\VundoFix Backups
2008-05-20 00:20 . 2008-05-20 00:20 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-19 20:51 . 2008-05-19 20:51 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-18 23:03 . 2008-05-18 23:03 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-18 23:03 . 2008-05-18 23:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-16 01:04 . 2008-05-16 01:04 <DIR> d-------- C:\Program Files\Windows Defender
2008-05-16 00:47 . 2008-05-16 00:47 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-05-16 00:02 . 2008-05-16 00:01 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-16 00:01 . 2008-05-16 01:16 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-05-15 23:33 . 2008-05-15 23:33 160,256 --a------ C:\WINDOWS\system32\blackster.scr
2008-05-07 23:30 . 2003-12-11 11:15 626,960 -ra------ C:\WINDOWS\system32\hpvaut32.dll
2008-05-07 23:30 . 2003-12-11 11:15 487,424 -ra------ C:\WINDOWS\system32\hpvcp70.dll
2008-05-07 23:30 . 2003-12-11 11:15 344,064 -ra------ C:\WINDOWS\system32\hpvcr70.dll
2008-05-07 23:30 . 2003-12-11 11:15 44,544 -ra------ C:\WINDOWS\system32\MSXML4a.dll
2008-05-07 23:29 . 2008-05-07 23:29 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-05-07 23:24 . 2008-05-07 23:35 <DIR> d-------- C:\Program Files\HP
2008-05-07 23:23 . 2004-01-05 02:30 38,867 --------- C:\WINDOWS\hpomdl03.dat
2008-05-07 23:23 . 2008-05-07 23:30 29,089 --a------ C:\WINDOWS\hpoins03.dat
2008-05-07 22:17 . 2008-05-07 22:17 268 --ah----- C:\sqmdata05.sqm
2008-05-07 22:17 . 2008-05-07 22:17 244 --ah----- C:\sqmnoopt05.sqm
2008-05-04 18:01 . 2008-05-04 18:01 <DIR> d-------- C:\Program Files\House
2008-04-29 22:53 . 2008-04-29 22:53 268 --ah----- C:\sqmdata04.sqm
2008-04-29 22:53 . 2008-04-29 22:53 244 --ah----- C:\sqmnoopt04.sqm
2008-04-26 00:09 . 2008-04-26 00:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-04-26 00:08 . 2008-04-27 04:05 <DIR> d-------- C:\Program Files\Risk II
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-21 19:16 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-16 15:21 --------- d-----w C:\Program Files\Downloads
2008-05-03 17:59 21,840 ----atw C:\WINDOWS\system32\SIntfNT.dll
2008-05-03 17:59 17,212 ----atw C:\WINDOWS\system32\SIntf32.dll
2008-05-03 17:59 12,067 ----atw C:\WINDOWS\system32\SIntf16.dll
2008-05-03 05:39 --------- d-----w C:\Program Files\Diablo II
2008-04-26 07:22 --------- d-----w C:\Program Files\Bodog Poker
2008-04-19 04:11 94,208 ----a-w C:\WINDOWS\DIIUnin.exe
2008-04-19 04:11 2,829 ----a-w C:\WINDOWS\DIIUnin.pif
2008-04-12 02:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2008-04-12 02:51 --------- d-----w C:\Program Files\ATI Technologies
2008-03-30 22:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-30 22:07 --------- d-----w C:\Program Files\PIXELA
2008-03-30 21:59 --------- d-----w C:\Program Files\DVD-RAM
2008-03-30 21:58 405,504 ----a-w C:\WINDOWS\system32\DVDTool.exe
2008-03-30 21:58 233,472 ----a-w C:\WINDOWS\system32\DVDTools.dll
2008-03-30 21:58 155,648 ----a-w C:\WINDOWS\system32\RAMASST.exe
2008-03-30 21:58 135,168 ----a-w C:\WINDOWS\system32\DVDMenu.dll
2008-03-30 21:58 110,592 ----a-w C:\WINDOWS\system32\DVDRAMSV.exe
2008-03-30 21:58 102,384 ----a-w C:\WINDOWS\system32\drivers\meiudf.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-13 04:01 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-26 03:12 372,736 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2008-02-26 03:10 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2008-02-26 03:10 299,520 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2008-02-26 03:02 172,032 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2008-02-26 03:02 126,976 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2008-02-26 03:01 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2008-02-26 03:01 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2008-02-26 03:01 126,976 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2008-02-26 03:00 520,192 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2008-02-26 02:59 9,797,632 ----a-w C:\WINDOWS\system32\atioglx2.dll
2008-02-26 02:58 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2008-02-26 02:49 3,176,480 ----a-w C:\WINDOWS\system32\ati3duag.dll
2008-02-26 02:41 1,755,264 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2008-02-26 02:29 46,080 ----a-w C:\WINDOWS\system32\amdpcom32.dll
2008-02-26 02:25 393,216 ----a-w C:\WINDOWS\system32\atikvmag.dll
2008-02-26 02:23 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2008-02-26 02:21 5,439,488 ----a-w C:\WINDOWS\system32\atioglxx.dll
2008-02-26 02:19 167,936 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2008-02-26 02:16 520,192 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2008-02-26 02:05 593,920 ----a-w C:\WINDOWS\system32\ati2sgag.exe
.
------- Sigcheck -------
2004-08-04 07:00 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe
2004-08-04 07:00 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\dllcache\svchost.exe
2005-03-02 13:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 10:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
2004-08-04 07:00 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
2005-03-02 13:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
2007-03-08 10:36 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\system32\user32.dll
2007-03-08 10:36 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\system32\dllcache\user32.dll
2004-08-04 07:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\ws2_32.dll
2004-08-04 07:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\dllcache\ws2_32.dll
2007-06-27 09:40 824320 d6ed5e042c5207553e7f5e842918137f C:\WINDOWS\$hf_mig$\KB937143-IE7\SP2QFE\wininet.dll
2007-08-20 05:02 825344 357d54bf94fe9d6d8505a96b5c2a3bca C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\wininet.dll
2007-10-10 18:47 825344 0e5d918f87efa7d2424d66b499c7eb04 C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
2007-12-06 21:01 825344 b5b411bb229ae6ead7652a32ed47bfb9 C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
2008-03-01 08:03 827392 6316c2f0c61271c8abdff7429174879e C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
2004-08-04 07:00 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\ie7\wininet.dll
2006-11-07 21:03 818688 92995334f993e6e49c25c6d02ec04401 C:\WINDOWS\ie7updates\KB937143-IE7\wininet.dll
2007-06-27 09:34 823808 8068cbb58fe60cc95aeb2cff70178208 C:\WINDOWS\ie7updates\KB939653-IE7\wininet.dll
2007-08-20 05:04 824832 774435e499d8e9643ec961a6103c361f C:\WINDOWS\ie7updates\KB942615-IE7\wininet.dll
2007-10-10 18:56 824832 30c1e0f34ad2972c72a01db5c74ab065 C:\WINDOWS\ie7updates\KB944533-IE7\wininet.dll
2007-12-06 21:21 824832 806d274c9a6c3aaea5eae8e4af841e04 C:\WINDOWS\ie7updates\KB947864-IE7\wininet.dll
2008-03-01 08:06 826368 ad21461aef8244edec2ef18e55e1dcf3 C:\WINDOWS\system32\wininet.dll
2008-03-01 08:06 826368 ad21461aef8244edec2ef18e55e1dcf3 C:\WINDOWS\system32\dllcache\wininet.dll
2006-04-20 07:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 11:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-04 07:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 06:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2007-10-30 12:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 12:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\drivers\tcpip.sys
2004-08-04 07:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\winlogon.exe
2004-08-04 07:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\dllcache\winlogon.exe
2004-08-04 07:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\dllcache\ndis.sys
2004-08-04 07:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys
2004-08-04 07:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\dllcache\ip6fw.sys
2004-08-04 07:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys
2005-03-01 19:36 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2007-02-28 04:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2004-08-04 07:00 2015232 fb142b7007ca2eea76966c6c5cc12150 C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-01 19:34 2015232 3cd941e472ddf3534e53038535719771 C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
2007-02-28 03:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2007-02-28 03:38 2015744 a58ac1c6199ef34228abee7fc057ae09 C:\WINDOWS\system32\ntkrnlpa.exe
2007-02-28 03:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2005-03-01 20:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2007-02-28 04:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
2004-08-04 07:00 2148352 626309040459c3915997ef98ec1c8d40 C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
2005-03-01 19:57 2135552 48b3e89af7074cee0314a3e0c7faffdb C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
2007-02-28 04:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2007-02-28 04:08 2136064 1220faf071dea8653ee21de7dcda8bfd C:\WINDOWS\system32\ntoskrnl.exe
2007-02-28 04:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2007-06-13 05:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\explorer.exe
2007-06-13 06:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-04 07:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2007-06-13 05:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\system32\dllcache\explorer.exe
2004-08-04 07:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\services.exe
2004-08-04 07:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\dllcache\services.exe
2004-08-04 07:00 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\lsass.exe
2004-08-04 07:00 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\dllcache\lsass.exe
2004-08-04 07:00 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\ctfmon.exe
2004-08-04 07:00 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\dllcache\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2E529F87-2B52-438C-9E7C-7D0A0DD910BA}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2E8DEFA4-1389-405F-9925-AE262CEFA3FD}]
C:\WINDOWS\system32\awtstUlK.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30DC0B54-9E70-48B6-B92D-02B2DB7D856B}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CD84D09-7E99-403F-9694-BF5336DBDC7A}]
C:\WINDOWS\system32\urqOGWNd.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7E9FB8-7954-4B15-86BC-5E8D5549047A}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6EFC8BFA-5F55-4870-AAB1-0B30D59BAB80}]
C:\WINDOWS\system32\hgGvuSml.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A75E294E-C047-4D29-B07E-37B792881BEF}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-08-16 06:24 167368]
"Aim6"="" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-13 12:43 1510640]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 16:08 16380416 C:\WINDOWS\RTHDCPL.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38 241664]
"Secure"="C:\WINDOWS\WindowsUpdates.exe" [ ]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [ ]
"SecurDisc"="C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe" [ ]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [ ]
"Alcmtr"="ALCMTR.EXE" [2005-05-03 18:43 69632 C:\WINDOWS\Alcmtr.exe]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DualCoreCenter.lnk - C:\Program Files\ATI Technologies\ATI.ACE\StartUpDualCoreCenter.exe [2007-08-28 22:14:02 192512]
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqQkHyA]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\puD00.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Qmu81.sys]
@="Driver"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\NAMCO BANDAI Games\\Warhammer Mark of Chaos\\Warhammer.exe"=
"C:\\Program Files\\Starcraft\\StarCraft.exe"=
"C:\\Program Files\\HeroesOfAE\\Data\\engine.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\EA Games\\Command and Conquer Generals\\game.dat"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Tri Synergy\\UFO Extraterrestrials\\TrueUpdate.exe"=
"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.0\\cnc3game.dat"=
"C:\\Program Files\\Eidos\\Kane and Lynch Dead Men\\kaneandlynch.exe"=
"C:\\Program Files\\Ubisoft\\Heroes of Might and Magic V Collector Edition\\bin\\H5_Game.exe"=
"C:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"=
"C:\\Program Files\\Microsoft Games\\Rise of Nations\\nations.exe"=
"C:\\Program Files\\BitLord\\Downloads\\Magic\\Magic\\Manalink.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R0 psdrv01a;CD Guard Environment Driver (v1a);C:\WINDOWS\system32\drivers\psdrv01a.sys [2006-07-05 07:55]
R0 pshlp02;CD Guard Helper Driver (v2);C:\WINDOWS\system32\drivers\pshlp02.sys [2006-06-14 09:59]
R0 pssync04;CD Guard Synchronization Driver (v4);C:\WINDOWS\system32\drivers\pssync04.sys [2006-08-11 08:52]
R1 crlscsi;crlscsi;C:\WINDOWS\system32\drivers\crlscsi.sys [1995-11-07 03:57]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
R3 DualCoreCenter;DualCoreCenter;C:\Program Files\ATI Technologies\ATI.ACE\NTGLM7X.sys [2007-01-22 13:58]
R3 RushTopDevice2;RushTopDevice2;C:\Program Files\ATI Technologies\ATI.ACE\RushTop.sys [2007-03-22 13:39]
S2 psrem01;CD Guard Drivers Auto Removal (v1);C:\WINDOWS\system32\psrem01.exe svc []
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 07:00]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 07:00]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 07:00]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 07:00]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a5ac468-55c7-11dc-8c9e-97a3e74b0bc5}]
\Shell\AutoRun\command - F:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-05-21 19:51:20 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-21 15:04:59
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\WINDOWS\system32\snmp.exe
C:\Program Files\ATI Technologies\ATI.ACE\DualCoreCenter.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-05-21 15:07:31 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-05-21 20:07:28
Pre-Run: 60,614,750,208 bytes free
Post-Run: 61,336,358,912 bytes free
303
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:11:58 PM, on 5/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\ATI Technologies\ATI.ACE\DualCoreCenter.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {2E529F87-2B52-438C-9E7C-7D0A0DD910BA} - (no file)
O2 - BHO: (no name) - {2E8DEFA4-1389-405F-9925-AE262CEFA3FD} - C:\WINDOWS\system32\awtstUlK.dll (file missing)
O2 - BHO: (no name) - {30DC0B54-9E70-48B6-B92D-02B2DB7D856B} - (no file)
O2 - BHO: (no name) - {3CD84D09-7E99-403F-9694-BF5336DBDC7A} - C:\WINDOWS\system32\urqOGWNd.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6EFC8BFA-5F55-4870-AAB1-0B30D59BAB80} - C:\WINDOWS\system32\hgGvuSml.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {A75E294E-C047-4D29-B07E-37B792881BEF} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Secure] C:\WINDOWS\WindowsUpdates.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: DualCoreCenter.lnk = C:\Program Files\ATI Technologies\ATI.ACE\StartUpDualCoreCenter.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188352149406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1210914041995
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u2-windows-i586-jc.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5296/mcfscan.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: urqQkHyA - C:\WINDOWS\
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: CD Guard Drivers Auto Removal (v1) (psrem01) - Protection Technology - C:\WINDOWS\system32\psrem01.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
--
End of file - 7250 bytes
Please let me know what my next step is. Your Great!
Hello,
Just a bit more to do. The fixes may not take if the TeaTimer is running
Do this first...Important
Disable the TeaTimer, you can re enable it when were done if you wish
Run Spybot-S&D in Advanced Mode.
If it is not already set to do this Go to the Mode menu select "Advanced Mode"
On the left hand side, Click on Tools
Then click on the Resident Icon in the List
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.<--You need to do this for it to take effect
Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.
O2 - BHO: (no name) - {2E529F87-2B52-438C-9E7C-7D0A0DD910BA} - (no file)
O2 - BHO: (no name) - {2E8DEFA4-1389-405F-9925-AE262CEFA3FD} - C:\WINDOWS\system32\awtstUlK.dll (file missing)
O2 - BHO: (no name) - {30DC0B54-9E70-48B6-B92D-02B2DB7D856B} - (no file)
O2 - BHO: (no name) - {3CD84D09-7E99-403F-9694-BF5336DBDC7A} - C:\WINDOWS\system32\urqOGWNd.dll (file missing)
O2 - BHO: (no name) - {6EFC8BFA-5F55-4870-AAB1-0B30D59BAB80} - C:\WINDOWS\system32\hgGvuSml.dll (file missing)
O2 - BHO: (no name) - {A75E294E-C047-4D29-B07E-37B792881BEF} - (no file)
O20 - Winlogon Notify: urqQkHyA - C:\WINDOWS\
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
C:\WINDOWS\privacy_danger <-- delete this
Go to your Add Remove Programs in the Control Panel and uninstall Viewpoint, it installs without your knowledge or consent , uses system resources and basically is a useless program.
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Post a new HJT log and let me know how your system is running now????
When i ran Hijackthis and was checking things to be deleted the top O2 wasnt ther enor was the botem one
Both O2O wernt there and windows\privacy_danger wasnt there nor can I find it in the folder.
Here is the new HJT log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:37:45 PM, on 5/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\DualCoreCenter.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Secure] C:\WINDOWS\WindowsUpdates.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: DualCoreCenter.lnk = C:\Program Files\ATI Technologies\ATI.ACE\StartUpDualCoreCenter.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188352149406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1210914041995
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u2-windows-i586-jc.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5296/mcfscan.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: CD Guard Drivers Auto Removal (v1) (psrem01) - Protection Technology - C:\WINDOWS\system32\psrem01.exe
--
End of file - 6310 bytes
System seems to be running fine. I can see my desktop picture now, and I dont have things poping up telling me i am not connected or missing a .dll
Is there anything else i need to do? Besides go back and delete everything I have installed for this?
Josh
Josh,
Still a few items to take care of.
Remove these with HJT
O4 - HKLM\..\Run: [Secure] C:\WINDOWS\WindowsUpdates.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O23 - Service: CD Guard Drivers Auto Removal (v1) (psrem01) - Protection Technology - C:\WINDOWS\system32\psrem01.exe
Please download OTMoveIt2 (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe) by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\AutoUpdateWin33.exe
C:\WINDOWS\fvowketqgbv.dll
C:\WINDOWS\WindowsUpdates.exe
C:\WINDOWS\system32\psrem01.exe
Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
Post the OTMoveIt log and a new HJT log and hopefully we will have gotten it all.
Here it is man
C:\WINDOWS\AutoUpdateWin33.exe moved successfully.
File/Folder C:\WINDOWS\fvowketqgbv.dll not found.
File/Folder C:\WINDOWS\WindowsUpdates.exe not found.
C:\WINDOWS\system32\psrem01.exe moved successfully.
OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05212008_211441
Post a new HJT log and lets see how it looks
Here it is
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:49:25 PM, on 5/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: DualCoreCenter.lnk = C:\Program Files\ATI Technologies\ATI.ACE\StartUpDualCoreCenter.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188352149406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1210914041995
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u2-windows-i586-jc.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5296/mcfscan.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: CD Guard Drivers Auto Removal (v1) (psrem01) - Unknown owner - C:\WINDOWS\system32\psrem01.exe (file missing)
--
End of file - 6271 bytes
Hello,
One of the entries we removed was related to the SDBot worm, even though we removed the file with OTMoveIt lets check to see if there is anymore of this infection present and this tool will remove it if it is.
To be effective this tool needs to be run from Safemode
To Enter Safemode
Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode
Then press the Enter Key on your Keyboard
Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
Here it is man
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:05:19 PM, on 5/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: DualCoreCenter.lnk = C:\Program Files\ATI Technologies\ATI.ACE\StartUpDualCoreCenter.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188352149406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1210914041995
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u2-windows-i586-jc.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5296/mcfscan.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: CD Guard Drivers Auto Removal (v1) (psrem01) - Unknown owner - C:\WINDOWS\system32\psrem01.exe (file missing)
--
End of file - 6348 bytes
Sorry man wait for my next post this one is a copy of the last one
Slavik,
Its important to run SDfix and post the log along with a new HJT log, take your time as I will be away all day today and won't be back online until late this evening.
Ken
Here they are man
SDFix: Version 1.185
Run by Administrator on Sat 05/24/2008 at 01:57 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix\SDFix
Checking Services :
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting
Checking Files :
No Trojan Files Found
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-24 14:03:58
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:7d,bd,65,92,76,5d,cf,55,17,c6,3f,24,66,0f,f7,64,69,ea,db,81,e2,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,7a,6d,17,06,63,12,bf,85,0e,7c,f4,45,ca,56,54,93,bc,..
"khjeh"=hex:66,61,94,49,d6,80,92,17,88,bf,8b,dd,d1,01,19,33,9c,9a,c2,7a,e4,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:bc,e6,ac,f6,12,bb,62,b6,0b,d9,a5,00,f2,b2,e0,5b,15,7d,e4,51,e0,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:7d,bd,65,92,76,5d,cf,55,17,c6,3f,24,66,0f,f7,64,69,ea,db,81,e2,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,7a,6d,17,06,63,12,bf,85,0e,7c,f4,45,ca,56,54,93,bc,..
"khjeh"=hex:66,61,94,49,d6,80,92,17,88,bf,8b,dd,d1,01,19,33,9c,9a,c2,7a,e4,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:bc,e6,ac,f6,12,bb,62,b6,0b,d9,a5,00,f2,b2,e0,5b,15,7d,e4,51,e0,..
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\NAMCO BANDAI Games\\Warhammer Mark of Chaos\\Warhammer.exe"="C:\\Program Files\\NAMCO BANDAI Games\\Warhammer Mark of Chaos\\Warhammer.exe:*:Enabled:Warhammerr: Mark of ChaosT"
"C:\\Program Files\\Starcraft\\StarCraft.exe"="C:\\Program Files\\Starcraft\\StarCraft.exe:*:Enabled:Starcraft"
"C:\\Program Files\\HeroesOfAE\\Data\\engine.exe"="C:\\Program Files\\HeroesOfAE\\Data\\engine.exe:*:Enabled:Heroes of Annihilated Empires"
"C:\\Program Files\\BitLord\\BitLord.exe"="C:\\Program Files\\BitLord\\BitLord.exe:*:Enabled:BitLord"
"C:\\Program Files\\EA Games\\Command and Conquer Generals\\game.dat"="C:\\Program Files\\EA Games\\Command and Conquer Generals\\game.dat:*:Enabled:game"
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"="C:\\Program Files\\Warcraft III\\Warcraft III.exe:*:Enabled:Warcraft III"
"C:\\Tri Synergy\\UFO Extraterrestrials\\TrueUpdate.exe"="C:\\Tri Synergy\\UFO Extraterrestrials\\TrueUpdate.exe:*:Enabled:TrueUpdate 2.0 Client"
"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"="C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe:*:Enabled:World in Conflict"
"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"="C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe:*:Enabled:World in Conflict - Online Only"
"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"="C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe:*:Enabled:World in Conflict - Dedicated Server"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.0\\cnc3game.dat"="C:\\Program Files\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.0\\cnc3game.dat:*:Enabled:Command & Conquer 3 Tiberium Wars"
"C:\\Program Files\\Eidos\\Kane and Lynch Dead Men\\kaneandlynch.exe"="C:\\Program Files\\Eidos\\Kane and Lynch Dead Men\\kaneandlynch.exe:*:Enabled:Kane & Lynch: Dead Men"
"C:\\Program Files\\Ubisoft\\Heroes of Might and Magic V Collector Edition\\bin\\H5_Game.exe"="C:\\Program Files\\Ubisoft\\Heroes of Might and Magic V Collector Edition\\bin\\H5_Game.exe:*:Enabled:Heroes of Might and Magic V"
"C:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"="C:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe:*:Enabled:Rise of Nations"
"C:\\Program Files\\Microsoft Games\\Rise of Nations\\nations.exe"="C:\\Program Files\\Microsoft Games\\Rise of Nations\\nations.exe:*:Enabled:Rise of Nations"
"C:\\Program Files\\BitLord\\Downloads\\Magic\\Magic\\Manalink.exe"="C:\\Program Files\\BitLord\\Downloads\\Magic\\Magic\\Manalink.exe:*:Enabled:manalink"
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe:*:Enabled:Call of Duty(R) 4 - Modern Warfare(TM)"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
Remaining Files :
File Backups: - C:\SDFix\SDFix\backups\backups.zip
Files with Hidden Attributes :
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Tue 28 Aug 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 21 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\523d056929e13eacf8392044f602e53e\BIT2.tmp"
Fri 11 Jan 2008 1,301 ...HR --- "C:\Documents and Settings\Owner\Application Data\SecuROM\UserData\securom_v7_01.bak"
Finished!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:29:10 AM, on 5/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\ATI Technologies\ATI.ACE\DualCoreCenter.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: DualCoreCenter.lnk = C:\Program Files\ATI Technologies\ATI.ACE\StartUpDualCoreCenter.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188352149406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1210914041995
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u2-windows-i586-jc.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5296/mcfscan.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: CD Guard Drivers Auto Removal (v1) (psrem01) - Unknown owner - C:\WINDOWS\system32\psrem01.exe (file missing)
--
End of file - 6247 bytes
Looking good :bigthumb:
You can drag OTMovIt and SDFix to the trash, Malwarebytes is yours to keep.
How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Safe Surfn
Ken