PDA

View Full Version : Help With Vundo


jaybuk
2008-06-26, 00:48
Hi Guys an having BIG probs with Vundo :-( , have read your posts and i have del all ver of Conbofix and downloaded new ver to my desktop, run file also run Hijack and posted both logs below can you help me remove the Vundo .

Cheers

jay

COMBOFIX LOG>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>


ComboFix 08-06-20.4 - PB1919 2008-06-25 22:25:55.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2348 [GMT 1:00]
Running from: D:\Documents and Settings\PB1919\Desktop\ComboFix.exe
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\wdxpomrl.ini

.
((((((((((((((((((((((((( Files Created from 2008-05-25 to 2008-06-25 )))))))))))))))))))))))))))))))
.

2008-06-25 21:54 . 2008-06-25 21:54 <DIR> d-------- D:\Documents and Settings\Administrator\Application Data\EAST Technologies
2008-06-24 05:01 . 2008-06-24 05:01 105,984 --a------ C:\WINDOWS\system32\jhwkcqmw.dll
2008-06-24 05:01 . 2008-06-24 05:01 81,408 --a------ C:\WINDOWS\system32\lrmopxdw.dll
2008-06-24 04:59 . 2008-06-24 04:59 91,136 --a------ C:\WINDOWS\system32\yrrhnauh.dll
2008-06-24 04:35 . 2008-06-24 05:01 474 --ahs---- C:\WINDOWS\system32\reruejbx.ini
2008-06-23 16:12 . 2008-06-23 16:12 105,984 --a------ C:\WINDOWS\system32\soghgbuh.dll
2008-06-23 16:10 . 2008-06-23 16:10 91,136 --a------ C:\WINDOWS\system32\mtlsmdwr.dll
2008-06-23 14:41 . 2008-06-23 14:40 99,328 --a------ C:\WINDOWS\system32\wjodsyji.dll
2008-06-23 14:32 . 2008-06-23 14:41 354 --ahs---- C:\WINDOWS\system32\bfjejpfn.ini
2008-06-23 13:30 . 2008-06-23 13:30 99,328 --a------ C:\WINDOWS\system32\ssyqcvpf.dll
2008-06-23 13:27 . 2008-06-23 13:27 81,408 --a------ C:\WINDOWS\system32\nfpjejfb.dll
2008-06-23 13:25 . 2008-06-23 13:25 0 --a------ C:\WINDOWS\BM0792abfd.xml
2008-06-23 13:15 . 2008-06-23 13:15 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\SlySoft
2008-06-23 13:15 . 2008-06-23 13:15 0 ---hs---- C:\WINDOWS\S8E50C308.tmp
2008-06-23 13:14 . 2008-06-23 13:14 24,576 --a------ C:\WINDOWS\system32\nnnnMGVM.dll
2008-06-23 13:14 . 2008-06-23 13:14 24,576 --a------ C:\WINDOWS\system32\ddcDsrSJ.dll.vir
2008-06-21 16:44 . 2008-06-21 17:03 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Codemasters
2008-06-21 16:44 . 2008-06-21 16:44 <DIR> d-------- C:\Program Files\OpenAL
2008-06-21 14:02 . 2008-06-25 22:27 <DIR> d-------- D:\Documents and Settings\PB1919\Application Data\Free Download Manager
2008-06-19 13:13 . 2008-06-20 17:30 <DIR> d-------- D:\Documents and Settings\PB1919\Application Data\AVGTOOLBAR
2008-06-19 13:13 . 2008-06-25 21:33 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-19 13:13 . 2008-06-20 09:30 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-19 13:13 . 2008-06-20 09:30 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-06-19 13:13 . 2008-06-20 09:30 12,936 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-06-19 13:13 . 2008-06-20 09:30 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-14 23:42 . 2008-06-15 23:22 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-06-14 21:14 . 2008-06-25 22:11 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-13 18:38 . 2008-06-19 13:13 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\avg8
2008-06-13 18:38 . 2008-06-13 18:38 <DIR> d-------- C:\Program Files\AVG
2008-06-13 18:37 . 2008-06-13 18:41 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-06-13 18:21 . 2007-08-01 23:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-13 17:23 . 2008-06-16 09:58 <DIR> d-------- C:\VundoFix Backups
2008-06-13 14:25 . 2008-06-16 10:51 325 --a------ C:\WINDOWS\wininit.ini
2008-06-11 10:32 . 2008-06-13 14:10 272,128 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 10:32 . 2008-06-13 14:10 272,128 --a------ C:\WINDOWS\system32\dllcache\bthport.sys
2008-05-31 01:24 . 2008-05-31 01:24 230,424 --a------ C:\img2-001.raw
2008-05-29 15:58 . 2008-05-29 15:58 0 --a------ C:\WINDOWS\system32\drivers\SETFC.tmp
2008-05-28 17:05 . 2008-04-17 11:57 508,544 --a------ C:\WINDOWS\system32\sndtdriverv32.sys.bak
2008-05-28 17:05 . 2008-05-28 16:47 508,544 --a------ C:\WINDOWS\system32\drivers\SndTDriverV32.sys
2008-05-25 19:13 . 2008-05-25 19:13 <DIR> d-------- D:\Documents and Settings\PB1919\Application Data\EPSON

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-23 14:05 --------- d-----w D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-23 10:33 --------- d-----w C:\Program Files\oneworldflights
2008-06-22 07:28 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-06-21 15:44 444,952 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-06-21 15:44 109,080 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-06-21 15:44 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-06-21 15:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-30 08:02 --------- d-----w C:\Program Files\Windows Live
2008-05-30 07:57 --------- d-----w D:\Documents and Settings\All Users\Application Data\WLInstaller
2008-05-25 18:21 --------- d-----w C:\Program Files\RocketDock
2008-05-22 11:47 --------- d-----w C:\Program Files\Memory-Map
2008-05-22 11:47 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-22 10:39 --------- d-----w C:\Program Files\CompePocket
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2008-05-02 15:52 --------- d-----w C:\Program Files\BA Flight Training
2008-04-30 15:03 --------- d-----w D:\Documents and Settings\All Users\Application Data\Ahead
2008-04-28 11:29 805,400 ----a-r C:\WINDOWS\system32\tmpCC.tmp
2008-04-28 11:29 805,400 ----a-r C:\WINDOWS\system32\tmpCB.tmp
2008-04-23 21:16 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:40 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 07:39 13,824 ----a-w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-21 13:04 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-04-20 05:07 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-02-20 13:25 22,328 ----a-w D:\Documents and Settings\PB1919\Application Data\PnkBstrK.sys
2004-12-01 18:34 716 ---ha-w D:\Documents and Settings\All Users\Application Data\pb7msys.dat
.

((((((((((((((((((((((((((((( snapshot_2008-06-23_14.28.51.65 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-23 13:23:12 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-25 21:01:32 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2006-07-11 08:41:36 345,656 ----a-w C:\WINDOWS\Downloaded Program Files\ewidoOnlineScan.dll
- 2000-08-31 07:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
+ 2000-08-31 07:00:00 28,672 ----a-w C:\WINDOWS\Nircmd.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{dead2995-c1bf-4c24-85b3-4b19939fa63a}]
2008-06-24 05:01 105984 --a------ C:\WINDOWS\system32\jhwkcqmw.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 14:58 495616]
"H/PC Connection Agent"="F:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 14:39 1289000]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-29 14:30 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 15:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 15:00 455168]
"NECHotkey"="mHotkey.exe" [2006-01-11 11:29 548864 C:\WINDOWS\mHotkey.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 13:30 139264]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 18:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-08 16:55 57344]
"RTHDCPL"="RTHDCPL.EXE" [2005-06-29 13:25 14720000 C:\WINDOWS\RTHDCPL.EXE]
"MM_MODULE"="C:\Program Files\MIC\HAWAII\Hawaii.exe" [2005-11-16 14:27 121856]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 15:00 208952]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 19:53 153136]
"iTunesHelper"="F:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36 256576]
"EPSON Stylus Photo RX420 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE" [2004-04-09 04:00 98304]
"VX3000"="C:\WINDOWS\vVX3000.exe" [2006-10-13 18:04 707376]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2006-10-13 18:01 277296]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 04:10 55824 C:\WINDOWS\KHALMNPR.Exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 04:10 55824 C:\WINDOWS\KHALMNPR.Exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-01-03 15:26 13508608]
"nwiz"="nwiz.exe" [2008-01-03 15:26 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-01-03 15:26 86016]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-20 09:30 1231128]
"QuickTime Task"="F:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58 282624]
"BM0792abfd"="C:\WINDOWS\system32\yrrhnauh.dll" [2008-06-24 04:59 91136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 15:00 15360]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - F:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-02-20 13:58:10 784912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogOff"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll 2007-11-15 11:10 72208 c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll soghgbuh.dll jhwkcqmw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"F:\\Program Files\\BitComet\\BitComet.exe"=
"F:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"F:\\Program Files\\icuii\\ICUII.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"D:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"F:\\Program Files\\RconMax(MW)\\RconMaxMW.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"F:\Program Files\Microsoft ActiveSync\rapimgr.exe"= F:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"F:\Program Files\Microsoft ActiveSync\wcescomm.exe"= F:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"F:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= F:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"F:\\Program Files\\TVersity\\Media Server\\TVersity.exe"=
"F:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"D:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"D:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"D:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1069:UDP"= 1069:UDP:reconman
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-06-20 09:30]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-20 09:30]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-20 09:30]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-20 09:30]
R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe" [2006-10-13 18:01]
R3 3xHybrid;3xHybrid service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys [2005-05-27 12:51]
R3 MosIrUsb;MosIrUsb.sys;C:\WINDOWS\system32\DRIVERS\MosIrUsb.sys [2004-04-14 15:52]
R3 X10Hid;X10 Hid Device;C:\WINDOWS\system32\Drivers\x10hid.sys [2005-11-28 11:45]
S3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys [2008-05-28 16:47]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
\Shell\AutoRun\command - L:\setup\rsrc\Autorun.exe
\Shell\dinstall\command - L:\Directx\dxsetup.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-24 18:00:01 C:\WINDOWS\Tasks\Extended Warranty.job"
- C:\APPS\SMP\PBCARNOT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-25 22:27:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\soghgbuh.dll
-> C:\WINDOWS\system32\jhwkcqmw.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\soghgbuh.dll
-> C:\WINDOWS\system32\jhwkcqmw.dll
.
Completion time: 2008-06-25 22:27:55
ComboFix-quarantined-files.txt 2008-06-25 21:27:45
ComboFix2.txt 2008-06-25 20:35:32

Pre-Run: 21,786,132,480 bytes free
Post-Run: 21,771,481,088 bytes free

224 --- E O F --- 2008-06-20 21:59:36

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX



HIJACK LOG >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:29:05, on 25/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
f:\Program Files\TVersity\Media Server\MediaServer.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
F:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\System32\vssvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\MIC\HAWAII\Hawaii.exe
F:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
F:\Program Files\QuickTime\qttask.exe
C:\Program Files\RocketDock\RocketDock.exe
F:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
F:\PROGRA~1\MICROS~2\rapimgr.exe
F:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\msiexec.exe
f:\PROGRA~1\FREEDO~1\fdm.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.zonelabs.com/downloadrequest?updtConfId=1527&updtReqId=1609305139
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - f:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: {a36af939-91b4-3b58-42c4-fb1c5992daed} - {dead2995-c1bf-4c24-85b3-4b19939fa63a} - C:\WINDOWS\system32\jhwkcqmw.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NECHotkey] mHotkey.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [MM_MODULE] C:\Program Files\MIC\HAWAII\Hawaii.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BM0792abfd] Rundll32.exe "C:\WINDOWS\system32\yrrhnauh.dll",s
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = F:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download all with Free Download Manager - file://f:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://f:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://f:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://f:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9563.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.co.uk/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{25371985-E7A6-4036-A896-505D0EABF0A2}: NameServer = 192.168.1.254,0.0.0.0
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll soghgbuh.dll jhwkcqmw.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: IntelŽ Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: TVersityMediaServer - Unknown owner - f:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 13249 bytes

Do NOT run 'fixes' before helpers have analyzed the HJT log (http://forums.spybot.info/showthread.php?t=16806 )
Blade81
2008-06-28, 02:18
Hi


Start hjt, do a system scan, check:
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Close browsers and other windows. Click fix checked.



Open notepad and copy/paste the text in the quotebox below into it:



File::
C:\WINDOWS\system32\jhwkcqmw.dll
C:\WINDOWS\system32\lrmopxdw.dll
C:\WINDOWS\system32\yrrhnauh.dll
C:\WINDOWS\system32\reruejbx.ini
C:\WINDOWS\system32\soghgbuh.dll
C:\WINDOWS\system32\mtlsmdwr.dll
C:\WINDOWS\system32\wjodsyji.dll
C:\WINDOWS\system32\bfjejpfn.ini
C:\WINDOWS\system32\ssyqcvpf.dll
C:\WINDOWS\system32\nfpjejfb.dll
C:\WINDOWS\BM0792abfd.xml
C:\WINDOWS\S8E50C308.tmp
C:\WINDOWS\system32\nnnnMGVM.dll
C:\WINDOWS\system32\ddcDsrSJ.dll.vir

Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{dead2995-c1bf-4c24-85b3-4b19939fa63a}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BM0792abfd"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]



Save this as
CFScript


http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.



Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) CleanerŠ by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.nl/scanforvirus-en/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, click Yes.
The program will launch and start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings and select the following:
Scan using the following Anti-Virus database:
Extended (If available, otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK.
Under
select a target to scan
, select My Computer.
The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete, Kaspersky suggests running it during a time of low activity.Once the scan is complete:
Click on the Save as Text button.
Save the file to your desktop.
Copy and paste that information into your next post if the AV content will fit into one post only. Post a fresh hjt log (without forgetting above meantioned ComboFix resultant log) too.


Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

If having a problme doing the above

Make sure that your Internet security settings are set to default values.

To set default security settings for Internet Explorer:

* Open Internet Explorer.
* Go to the Tools menu, then choose Internet Options.
* Click on the Security tab.
* Make sure that all four item (Internet, Local intranet, Trusted sites, and Restricted sites) are set to their default settings.