Destroying the Virtumondicon [Archive] - Safer-Networking Forums

View Full Version : Destroying the Virtumondicon

bigheadzach

2008-05-28, 06:25

First off, thanks to whoever becomes the volunteer to help me clean this accursed malware from my sight.

Kaspersky Log:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, May 27, 2008 9:36:01 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/05/2008
Kaspersky Anti-Virus database records: 802914
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 110998
Number of viruses found: 11
Number of infected objects: 28
Number of suspicious objects: 0
Duration of the scan process: 01:21:38

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Zach Gaskins\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Zach Gaskins\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Zach Gaskins\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\Zach Gaskins\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Zach Gaskins\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Zach Gaskins\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Zach Gaskins\Local Settings\History\History.IE5\MSHist012008052720080528\index.dat Object is locked skipped
C:\Documents and Settings\Zach Gaskins\Local Settings\Temp\Free Download Manager\tic3.tmp Object is locked skipped
C:\Documents and Settings\Zach Gaskins\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Zach Gaskins\Local Settings\Temporary Internet Files\Content.IE5\4R1MS9W9\css4[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.ttd skipped
C:\Documents and Settings\Zach Gaskins\Local Settings\Temporary Internet Files\Content.IE5\4R1MS9W9\kb516107[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.tsz skipped
C:\Documents and Settings\Zach Gaskins\Local Settings\Temporary Internet Files\Content.IE5\6QTG1HLO\kb767887[1] Infected: Trojan-Downloader.Win32.ConHook.te skipped
C:\Documents and Settings\Zach Gaskins\Local Settings\Temporary Internet Files\Content.IE5\D6U2TROJ\css4[2] Infected: not-a-virus:AdWare.Win32.Virtumonde.ttd skipped
C:\Documents and Settings\Zach Gaskins\Local Settings\Temporary Internet Files\Content.IE5\D6U2TROJ\kb456456[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.ttc skipped
C:\Documents and Settings\Zach Gaskins\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Zach Gaskins\Local Settings\Temporary Internet Files\Content.IE5\XYB5I5AH\css4[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.tsj skipped
C:\Documents and Settings\Zach Gaskins\Local Settings\Temporary Internet Files\Content.IE5\XYB5I5AH\css4[2] Infected: not-a-virus:AdWare.Win32.Virtumonde.ttd skipped
C:\Documents and Settings\Zach Gaskins\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Zach Gaskins\ntuser.dat.LOG Object is locked skipped
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\access_log Object is locked skipped
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\error.log Object is locked skipped
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\error_log Object is locked skipped
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\ssl_request_log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{CF6D1689-8F6C-4EB1-87EA-AAA13EC5A09C}\RP174\A0012543.msi/data.cab/LogMeIn.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.e skipped
C:\System Volume Information\_restore{CF6D1689-8F6C-4EB1-87EA-AAA13EC5A09C}\RP174\A0012543.msi/data.cab Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.e skipped
C:\System Volume Information\_restore{CF6D1689-8F6C-4EB1-87EA-AAA13EC5A09C}\RP174\A0012543.msi Embedded: infected - 2 skipped
C:\System Volume Information\_restore{CF6D1689-8F6C-4EB1-87EA-AAA13EC5A09C}\RP187\A0013501.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.trp skipped
C:\System Volume Information\_restore{CF6D1689-8F6C-4EB1-87EA-AAA13EC5A09C}\RP188\A0013576.dll Infected: Trojan.Win32.Pakes.cym skipped
C:\System Volume Information\_restore{CF6D1689-8F6C-4EB1-87EA-AAA13EC5A09C}\RP188\A0013598.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.tsk skipped
C:\System Volume Information\_restore{CF6D1689-8F6C-4EB1-87EA-AAA13EC5A09C}\RP188\A0013599.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.tsk skipped
C:\System Volume Information\_restore{CF6D1689-8F6C-4EB1-87EA-AAA13EC5A09C}\RP190\A0014105.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.e skipped
C:\System Volume Information\_restore{CF6D1689-8F6C-4EB1-87EA-AAA13EC5A09C}\RP190\A0014790.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ttc skipped
C:\System Volume Information\_restore{CF6D1689-8F6C-4EB1-87EA-AAA13EC5A09C}\RP190\A0014978.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.trp skipped
C:\System Volume Information\_restore{CF6D1689-8F6C-4EB1-87EA-AAA13EC5A09C}\RP190\A0014979.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.tsm skipped
C:\System Volume Information\_restore{CF6D1689-8F6C-4EB1-87EA-AAA13EC5A09C}\RP190\A0014981.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.tsm skipped
C:\System Volume Information\_restore{CF6D1689-8F6C-4EB1-87EA-AAA13EC5A09C}\RP190\A0015092.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.tsz skipped
C:\System Volume Information\_restore{CF6D1689-8F6C-4EB1-87EA-AAA13EC5A09C}\RP190\A0015093.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.tsz skipped
C:\System Volume Information\_restore{CF6D1689-8F6C-4EB1-87EA-AAA13EC5A09C}\RP190\A0015094.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ttc skipped
C:\System Volume Information\_restore{CF6D1689-8F6C-4EB1-87EA-AAA13EC5A09C}\RP190\A0015095.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.tsz skipped
C:\System Volume Information\_restore{CF6D1689-8F6C-4EB1-87EA-AAA13EC5A09C}\RP190\A0015096.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ttc skipped
C:\System Volume Information\_restore{CF6D1689-8F6C-4EB1-87EA-AAA13EC5A09C}\RP190\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\fkfpruky.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ttc skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\loqqcrhx.dll Infected: Trojan-Downloader.Win32.ConHook.te skipped
C:\WINDOWS\system32\pjqerpwp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.tsz skipped
C:\WINDOWS\system32\urqppQJa.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.trz skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

Spybot S&D Run In Safe Mode:

Bit of a snag here. The first time around, I removed 2 instances of Virtumonde and 3 of the Virtumonde.dll. The second time around, just one instance of Virtumonde.dll, and this instance continued to show up after successive scans:

SB1 $A65264B2 - C:\windows\system32\opnnIJcd.dll_old

After several tries, I gave up and moved on.

HiJack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:49:52 PM, on 5/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\U-ABIT\ABITEQ\ABITEQ.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Zach Gaskins\Desktop\AytchJayTee.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O2 - BHO: (no name) - {06AA9FDC-10F8-40F5-B0C8-F17769BE83D8} - C:\WINDOWS\system32\urqPhhGW.dll (file missing)
O2 - BHO: (no name) - {22EB48D3-DD2C-429E-961F-C639401E37D1} - C:\WINDOWS\system32\khfEXOGv.dll (file missing)
O2 - BHO: (no name) - {29F74D5B-D0E8-4A3E-B2E7-FE5AC250D8BC} - C:\WINDOWS\system32\nnnmnLFU.dll (file missing)
O2 - BHO: (no name) - {44B69923-F41F-422B-AC7E-FE06628D3DB0} - C:\WINDOWS\system32\opnnlJcd.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6A00C386-6E5E-43BD-9E3D-312EF17E753F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {B6E95516-27C0-443D-9BA9-ABD8C12BAE16} - C:\WINDOWS\system32\urqppQJa.dll
O2 - BHO: (no name) - {C383B612-D862-455F-B49C-3FB72D10DD40} - C:\WINDOWS\system32\cbXOEurR.dll (file missing)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [BMc33fdd63] Rundll32.exe "C:\WINDOWS\system32\pjqerpwp.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ABIT uGuruIII] C:\Program Files\U-ABIT\ABITEQ\ABITEQ.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files\Free Download Manager\fdm.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O20 - Winlogon Notify: urqppQJa - C:\WINDOWS\SYSTEM32\urqppQJa.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8250 bytes

Again, any help is appreciated. Let me know what your favorite beer is.

pskelley

2008-05-28, 16:17

Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

(thanks for posting the correct information:bigthumb:)

You are infected, I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
This can be a tough infection to remove so do not expect fast or easy.

1) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

2) System Configuration Utility (MSConfig) is running in Selective Startup, return to Normal Startup until we finish then you can return to SS to save your resources.

3) Almost every problem with this tool is caused when the directions are not followed, please do not do that.

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the combofix log and a new HJT log.

Tutorial if needed:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks...Phil

bigheadzach

2008-05-29, 02:02

Combofix Log:

ComboFix 08-05-27.4 - Zach Gaskins 2008-05-28 18:49:56.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1483 [GMT -4:00]
Running from: C:\Documents and Settings\Zach Gaskins\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Zach Gaskins\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.
/wow section - STAGE 38
The syntax of the command is incorrect.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMc33fdd63.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aIjkmUvw.ini
C:\WINDOWS\system32\aIjkmUvw.ini2
C:\WINDOWS\system32\aoabdyqy.dll
C:\WINDOWS\system32\dcJlnnpo.ini
C:\WINDOWS\system32\dcJlnnpo.ini2
C:\WINDOWS\system32\dgcknssu.ini
C:\WINDOWS\system32\dinjewho.ini
C:\WINDOWS\system32\dtlnfkam.ini
C:\WINDOWS\system32\fkfpruky.dll
C:\WINDOWS\system32\ghibxfhc.ini
C:\WINDOWS\system32\greiaoga.ini
C:\WINDOWS\system32\hivrawup.ini
C:\WINDOWS\system32\hnbittrl.dll
C:\WINDOWS\system32\hnvndlul.dll
C:\WINDOWS\system32\iibtmqnl.dll
C:\WINDOWS\system32\lnuumavw.dll
C:\WINDOWS\system32\loqqcrhx.dll
C:\WINDOWS\system32\lrttibnh.ini
C:\WINDOWS\system32\oklpnqeh.ini
C:\WINDOWS\system32\pihdojyy.ini
C:\WINDOWS\system32\pjqerpwp.dll
C:\WINDOWS\system32\RruEOXbc.ini
C:\WINDOWS\system32\RruEOXbc.ini2
C:\WINDOWS\system32\sivguysl.dll
C:\WINDOWS\system32\UFLnmnnn.ini
C:\WINDOWS\system32\UFLnmnnn.ini2
C:\WINDOWS\system32\ujiwjnrp.dll
C:\WINDOWS\system32\urqppQJa.dll
C:\WINDOWS\system32\vGOXEfhk.ini
C:\WINDOWS\system32\vGOXEfhk.ini2
C:\WINDOWS\system32\WGhhPqru.ini
C:\WINDOWS\system32\WGhhPqru.ini2
C:\WINDOWS\system32\wvUmkjIa.dll
C:\WINDOWS\system32\ykurpfkf.ini
C:\WINDOWS\system32\yyjodhip.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-28 )))))))))))))))))))))))))))))))
.

2008-05-27 00:50 . 2008-05-27 00:50 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-27 00:50 . 2008-05-27 00:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-26 20:37 . 2008-02-28 13:26 1,414,440 --a------ C:\WINDOWS\system32\ShellManager310E2D762.dll
2008-05-26 20:37 . 2008-02-28 13:01 774,144 --a------ C:\WINDOWS\system32\NEROINSTAEC43759.DB
2008-05-26 20:37 . 2008-05-26 20:37 0 --a------ C:\WINDOWS\Irremote.ini
2008-05-25 21:32 . 2008-05-27 22:43 616 --a------ C:\WINDOWS\wininit.ini
2008-05-25 21:04 . 2008-05-25 21:04 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-25 21:04 . 2008-05-26 00:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-25 11:53 . 2008-05-25 11:53 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-05-25 11:50 . 2008-05-25 11:50 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-05-25 03:02 . 2008-05-25 03:02 <DIR> d-------- C:\Program Files\NeroInstall.bak
2008-05-25 03:01 . 2008-05-25 03:01 <DIR> d-------- C:\Documents and Settings\Zach Gaskins\Application Data\Nero
2008-05-25 02:58 . 2008-05-25 02:58 <DIR> d-------- C:\Program Files\Nero
2008-05-25 02:58 . 2008-05-26 20:38 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-05-25 02:58 . 2008-05-26 20:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-05-25 02:47 . 2008-05-25 02:47 <DIR> d-------- C:\tmp
2008-05-15 20:59 . 2008-05-15 20:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LogMeIn
2008-05-08 23:36 . 2008-05-28 02:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TrackMania
2008-05-08 08:50 . 2008-05-08 08:50 <DIR> d-------- C:\Documents and Settings\Zach Gaskins\Application Data\Creative
2008-05-08 00:59 . 2008-05-28 18:53 <DIR> d-------- C:\Program Files\Steam
2008-04-30 18:08 . 2008-04-30 18:08 10,040 --a------ C:\WINDOWS\system32\lmimirr2.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-28 22:53 --------- d-----w C:\Documents and Settings\Zach Gaskins\Application Data\OpenOffice.org2
2008-05-28 22:52 --------- d-----w C:\Documents and Settings\Zach Gaskins\Application Data\Free Download Manager
2008-05-27 02:18 --------- d-----w C:\Documents and Settings\Zach Gaskins\Application Data\AVG7
2008-05-27 01:56 --------- d-----w C:\Program Files\Alcohol 120% 1.9.5.4212 Retail
2008-05-27 01:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-05-25 22:58 --------- d-----w C:\Documents and Settings\Zach Gaskins\Application Data\uTorrent
2008-05-24 21:25 --------- d-----w C:\Program Files\uTorrent
2008-05-21 02:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-17 00:09 --------- d-----w C:\Program Files\QuickTime
2008-04-17 00:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-17 00:07 --------- d-----w C:\Program Files\Apple Software Update
2008-04-17 00:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-03-28 04:01 --------- d-----w C:\Program Files\Macromedia
2008-03-28 03:58 --------- d-----w C:\Program Files\Common Files\Macromedia
2006-03-29 23:24 331,806,720 ----a-w C:\Program Files\Macromedia.Studio.8.Final.iso
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06AA9FDC-10F8-40F5-B0C8-F17769BE83D8}]
C:\WINDOWS\system32\urqPhhGW.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22EB48D3-DD2C-429E-961F-C639401E37D1}]
C:\WINDOWS\system32\khfEXOGv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{29F74D5B-D0E8-4A3E-B2E7-FE5AC250D8BC}]
C:\WINDOWS\system32\nnnmnLFU.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{44B69923-F41F-422B-AC7E-FE06628D3DB0}]
C:\WINDOWS\system32\opnnlJcd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C383B612-D862-455F-B49C-3FB72D10DD40}]
C:\WINDOWS\system32\cbXOEurR.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [ ]
"ABIT uGuruIII"="C:\Program Files\U-ABIT\ABITEQ\ABITEQ.exe" [2006-11-28 18:39 421888]
"Steam"="C:\Program Files\Steam\Steam.exe" [2008-05-08 01:00 1271032]
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" [2007-12-16 21:39 2449455]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nTrayFw"="C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe" [2006-02-17 11:40 270336]
"RTHDCPL"="RTHDCPL.EXE" [2006-12-18 23:12 16062464 C:\WINDOWS\RTHDCPL.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 05:24 579584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"SkyTel"="SkyTel.EXE" [2006-05-16 06:04 2879488 C:\WINDOWS\SkyTel.exe]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-30 12:34 219136]

C:\Documents and Settings\Zach Gaskins\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 22:57:56 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Steam\\steamapps\\common\\trackmania united\\TmForever.exe"=

R3 ABIT-IO;ABIT-IO;C:\Program Files\U-ABIT\ABITEQ\ABIT-IO.sys [2005-12-08 15:53]
S3 PciCon;PciCon;D:\PciCon.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-24 02:10:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-28 18:53:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.bin
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2008-05-28 18:56:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-28 22:56:10

Pre-Run: 14,194,679,808 bytes free
Post-Run: 15,142,236,160 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

185 --- E O F --- 2008-05-25 15:50:29

[b]HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:58:32 PM, on 5/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\U-ABIT\ABITEQ\ABITEQ.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Zach Gaskins\Desktop\AytchJayTee.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {06AA9FDC-10F8-40F5-B0C8-F17769BE83D8} - C:\WINDOWS\system32\urqPhhGW.dll (file missing)
O2 - BHO: (no name) - {22EB48D3-DD2C-429E-961F-C639401E37D1} - C:\WINDOWS\system32\khfEXOGv.dll (file missing)
O2 - BHO: (no name) - {29F74D5B-D0E8-4A3E-B2E7-FE5AC250D8BC} - C:\WINDOWS\system32\nnnmnLFU.dll (file missing)
O2 - BHO: (no name) - {44B69923-F41F-422B-AC7E-FE06628D3DB0} - C:\WINDOWS\system32\opnnlJcd.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {C383B612-D862-455F-B49C-3FB72D10DD40} - C:\WINDOWS\system32\cbXOEurR.dll (file missing)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [ABIT uGuruIII] C:\Program Files\U-ABIT\ABITEQ\ABITEQ.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files\Free Download Manager\fdm.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7563 bytes

What's the next move, Phil-o-matic? :)

pskelley

2008-05-29, 03:04

Thanks for returning your information, you had a load of junk hiding that combofix removed. You also have infected System Restore files, do not use System Restore until we clean it later.

I do not know why combofix is reading like this:
C:\Documents and Settings\Zach Gaskins\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

This is from another members log and it is correct:
C:\Documents and Settings\Ahmad\Desktop\ComboFix.exe

Please delete combofix, return to the instructions I posted and follow them. After you do that, then follow these direction. It is very important the directions are followed as posted.

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

Open notepad and copy/paste the text in the codebox below into it:

File::
C:\WINDOWS\system32\urqPhhGW.dll
C:\WINDOWS\system32\khfEXOGv.dll
C:\WINDOWS\system32\nnnmnLFU.dll
C:\WINDOWS\system32\opnnlJcd.dll
C:\WINDOWS\system32\cbXOEurR.dll

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06AA9FDC-10F8-40F5-B0C8-F17769BE83D8}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22EB48D3-DD2C-429E-961F-C639401E37D1}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{29F74D5B-D0E8-4A3E-B2E7-FE5AC250D8BC}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{44B69923-F41F-422B-AC7E-FE06628D3DB0}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C383B612-D862-455F-B49C-3FB72D10DD40}]

Save this as CFScript

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {06AA9FDC-10F8-40F5-B0C8-F17769BE83D8} - C:\WINDOWS\system32\urqPhhGW.dll (file missing)
O2 - BHO: (no name) - {22EB48D3-DD2C-429E-961F-C639401E37D1} - C:\WINDOWS\system32\khfEXOGv.dll (file missing)
O2 - BHO: (no name) - {29F74D5B-D0E8-4A3E-B2E7-FE5AC250D8BC} - C:\WINDOWS\system32\nnnmnLFU.dll (file missing)
O2 - BHO: (no name) - {44B69923-F41F-422B-AC7E-FE06628D3DB0} - C:\WINDOWS\system32\opnnlJcd.dll (file missing)
O2 - BHO: (no name) - {C383B612-D862-455F-B49C-3FB72D10DD40} - C:\WINDOWS\system32\cbXOEurR.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Post the combofix log, a new HijackThis log and tell me how the computer is running.

Thanks

bigheadzach

2008-05-29, 05:04

I do not know why combofix is reading like this:
C:\Documents and Settings\Zach Gaskins\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

This is from another members log and it is correct:
C:\Documents and Settings\Ahmad\Desktop\ComboFix.exe

That's because the instructions in the ComboFix tutorial says to drag the MS Recovery Console exe onto the ComboFix icon. Otherwise, I performed everything as instructed.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

ComboFix log

ComboFix 08-05-28.4 - Zach Gaskins 2008-05-28 21:49:05.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1446 [GMT -4:00]
Running from: C:\Documents and Settings\Zach Gaskins\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Zach Gaskins\Desktop\cfscript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\cbXOEurR.dll
C:\WINDOWS\system32\khfEXOGv.dll
C:\WINDOWS\system32\nnnmnLFU.dll
C:\WINDOWS\system32\opnnlJcd.dll
C:\WINDOWS\system32\urqPhhGW.dll
.
/wow section - STAGE 38
The syntax of the command is incorrect.

((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-29 )))))))))))))))))))))))))))))))
.

2008-05-28 18:55 . 2008-05-28 18:55 <DIR> d-------- C:\WINDOWS\LastGood
2008-05-27 00:50 . 2008-05-27 00:50 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-27 00:50 . 2008-05-27 00:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-26 20:37 . 2008-02-28 13:26 1,414,440 --a------ C:\WINDOWS\system32\ShellManager310E2D762.dll
2008-05-26 20:37 . 2008-02-28 13:01 774,144 --a------ C:\WINDOWS\system32\NEROINSTAEC43759.DB
2008-05-26 20:37 . 2008-05-26 20:37 0 --a------ C:\WINDOWS\Irremote.ini
2008-05-25 21:32 . 2008-05-27 22:43 616 --a------ C:\WINDOWS\wininit.ini
2008-05-25 21:04 . 2008-05-25 21:04 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-25 21:04 . 2008-05-26 00:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-25 11:53 . 2008-05-25 11:53 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-05-25 11:50 . 2008-05-25 11:50 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-05-25 03:02 . 2008-05-25 03:02 <DIR> d-------- C:\Program Files\NeroInstall.bak
2008-05-25 03:01 . 2008-05-25 03:01 <DIR> d-------- C:\Documents and Settings\Zach Gaskins\Application Data\Nero
2008-05-25 02:58 . 2008-05-25 02:58 <DIR> d-------- C:\Program Files\Nero
2008-05-25 02:58 . 2008-05-26 20:38 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-05-25 02:58 . 2008-05-26 20:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-05-25 02:47 . 2008-05-25 02:47 <DIR> d-------- C:\tmp
2008-05-15 20:59 . 2008-05-15 20:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LogMeIn
2008-05-08 23:36 . 2008-05-28 19:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TrackMania
2008-05-08 08:50 . 2008-05-08 08:50 <DIR> d-------- C:\Documents and Settings\Zach Gaskins\Application Data\Creative
2008-05-08 00:59 . 2008-05-28 19:29 <DIR> d-------- C:\Program Files\Steam
2008-04-30 18:08 . 2008-04-30 18:08 10,040 --a------ C:\WINDOWS\system32\lmimirr2.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-28 23:28 --------- d-----w C:\Documents and Settings\Zach Gaskins\Application Data\OpenOffice.org2
2008-05-28 23:28 --------- d-----w C:\Documents and Settings\Zach Gaskins\Application Data\Free Download Manager
2008-05-27 02:18 --------- d-----w C:\Documents and Settings\Zach Gaskins\Application Data\AVG7
2008-05-27 01:56 --------- d-----w C:\Program Files\Alcohol 120% 1.9.5.4212 Retail
2008-05-27 01:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-05-25 22:58 --------- d-----w C:\Documents and Settings\Zach Gaskins\Application Data\uTorrent
2008-05-24 21:25 --------- d-----w C:\Program Files\uTorrent
2008-05-21 02:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-17 00:09 --------- d-----w C:\Program Files\QuickTime
2008-04-17 00:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-17 00:07 --------- d-----w C:\Program Files\Apple Software Update
2008-04-17 00:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-03-28 04:01 --------- d-----w C:\Program Files\Macromedia
2008-03-28 03:58 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-05 20:03 479,752 ----a-w C:\WINDOWS\system32\XAudio2_0.dll
2008-03-05 20:03 238,088 ----a-w C:\WINDOWS\system32\xactengine3_0.dll
2008-03-05 20:00 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_3.dll
2008-03-05 19:56 3,786,760 ----a-w C:\WINDOWS\system32\D3DX9_37.dll
2008-03-05 19:56 1,420,824 ----a-w C:\WINDOWS\system32\D3DCompiler_37.dll
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-28_18.56.02.45 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [ ]
"ABIT uGuruIII"="C:\Program Files\U-ABIT\ABITEQ\ABITEQ.exe" [2006-11-28 18:39 421888]
"Steam"="C:\Program Files\Steam\Steam.exe" [2008-05-08 01:00 1271032]
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" [2007-12-16 21:39 2449455]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nTrayFw"="C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe" [2006-02-17 11:40 270336]
"RTHDCPL"="RTHDCPL.EXE" [2006-12-18 23:12 16062464 C:\WINDOWS\RTHDCPL.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 05:24 579584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"SkyTel"="SkyTel.EXE" [2006-05-16 06:04 2879488 C:\WINDOWS\SkyTel.exe]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-30 12:34 219136]

C:\Documents and Settings\Zach Gaskins\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 22:57:56 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Steam\\steamapps\\common\\trackmania united\\TmForever.exe"=

R3 ABIT-IO;ABIT-IO;C:\Program Files\U-ABIT\ABITEQ\ABIT-IO.sys [2005-12-08 15:53]
S3 PciCon;PciCon;D:\PciCon.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-24 02:10:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-28 21:50:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-28 21:51:07
ComboFix-quarantined-files.txt 2008-05-29 01:51:02
ComboFix2.txt 2008-05-28 22:56:13

Pre-Run: 19,065,368,576 bytes free
Post-Run: 19,054,714,880 bytes free

128 --- E O F --- 2008-05-25 15:50:29

HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:52:55 PM, on 5/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\U-ABIT\ABITEQ\ABITEQ.exe
C:\Program Files\Steam\Steam.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Zach Gaskins\Desktop\AytchJayTee.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [ABIT uGuruIII] C:\Program Files\U-ABIT\ABITEQ\ABITEQ.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files\Free Download Manager\fdm.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6782 bytes

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {06AA9FDC-10F8-40F5-B0C8-F17769BE83D8} - C:\WINDOWS\system32\urqPhhGW.dll (file missing)
O2 - BHO: (no name) - {22EB48D3-DD2C-429E-961F-C639401E37D1} - C:\WINDOWS\system32\khfEXOGv.dll (file missing)
O2 - BHO: (no name) - {29F74D5B-D0E8-4A3E-B2E7-FE5AC250D8BC} - C:\WINDOWS\system32\nnnmnLFU.dll (file missing)
O2 - BHO: (no name) - {44B69923-F41F-422B-AC7E-FE06628D3DB0} - C:\WINDOWS\system32\opnnlJcd.dll (file missing)
O2 - BHO: (no name) - {C383B612-D862-455F-B49C-3FB72D10DD40} - C:\WINDOWS\system32\cbXOEurR.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

None of those lines appeared in HJT when I ran it after the ComboFix/CFScript.

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Done.

Final HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:58:11 PM, on 5/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\U-ABIT\ABITEQ\ABITEQ.exe
C:\Program Files\Steam\Steam.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Zach Gaskins\Desktop\AytchJayTee.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [ABIT uGuruIII] C:\Program Files\U-ABIT\ABITEQ\ABITEQ.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files\Free Download Manager\fdm.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6782 bytes

Things seem to be running normally at this point, and I don't see any strange popups.

pskelley

2008-05-29, 11:56

That's because the instructions in the ComboFix tutorial says to drag the MS Recovery Console exe onto the ComboFix icon. Otherwise, I performed everything as instructed.
I understand, it is probably best to install RC first in the event of a major issue but I have been waiting until near the end which is why I post the tutorial near the end of the fix. I appreciate the feedback.

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:52:55 PM, on 5/28/2008
C:\Program Files\Java\jre1.6.0_05\ <<< Check Java for an update:
http://forums.spybot.info/showpost.php?p=12880&postcount=2

Let's remove combofix: Click *START* then *RUN*
Now type or copy *Combofix /u* in the runbox and click *OK*.
Note the *space* between the *X* and the *U*, it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

Run a new Kaspersky Online Scan (KOS) to make sure we missed nothing using these settings:

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here. <<< no need to post a clean scan results.

Thanks

bigheadzach

2008-05-30, 03:56

0 viruses, 0 infections, 0 suspicious items. Looks all clear!

Thank you lots for stepping me through this. Sounds like you gotta get Virtumonde when it isn't expecting, and kill every head at once...like a hydra. Burn the stumps.

I'll be updating my Java version as well.

pskelley

2008-05-30, 15:09

Thanks for the feedback, some information about this junk for you:
Since there is a class action involving this one, you may want to view this information:
http://www.networkworld.com/news/2007/030807-mystery-around-winfixer-slowly-unravels.html
http://www.youtube.com/watch?v=zBUZHiKhsog
http://msmvps.com/blogs/spywaresucks/search.aspx?q=winfixer+msn

Safe surfing:bigthumb:

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.