View Full Version : Need help removing Virtumonde
I am in need of help to safely remove Virtumonde.
Just downloaded HJT. Log below.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:03:01, on 7/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
E:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
E:\PROGRA~1\Iomega\System32\AppServices.exe
E:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\Program Files\Iomega\AutoDisk\ADService.exe
E:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
E:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\WgaTray.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\BroadJump\Client Foundation\CFD.exe
E:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
E:\Program Files\Analog Devices\Core\smax4pnp.exe
E:\Program Files\Analog Devices\SoundMAX\Smax4.exe
E:\Program Files\Java\j2re1.4.2_15\bin\jusched.exe
E:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
E:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe
E:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
E:\WINDOWS\system32\InetCntrl\InetCntrl.exe
E:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
E:\Program Files\Iomega\AutoDisk\ADUserMon.exe
E:\Program Files\Iomega\DriveIcons\ImgIcon.exe
E:\WINDOWS\system32\rundll32.exe
E:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myafo.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: (no name) - {E0019445-4C1F-414D-A70E-AD80F231C584} - (no file)
O4 - HKLM\..\Run: [BJCFD] E:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] E:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] E:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "E:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\j2re1.4.2_15\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM] "E:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [D-Link Wireless G WUA-1340] E:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] E:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [InetCntrl] E:\WINDOWS\system32\InetCntrl\InetCntrl.exe
O4 - HKLM\..\Run: [ADUserMon] E:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] E:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] E:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [789:;<=>?@ABCDEFGHIJexe] ,-./0123456789:;<=>?@ABCDEFGHIJexe
O4 - HKLM\..\Run: [3456789:;<=>?@ABCDEFexe] ()*+,-./0123456789:;<=>?@ABCDEFexe
O4 - HKLM\..\Run: [Antivirus] E:\Program Files\VAV\vav.exe
O4 - HKLM\..\Run: [bc6f5476] rundll32.exe "E:\WINDOWS\system32\xxlcnyjq.dll",b
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [SsAAD.exe] E:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [789:;<=>?@ABCDEFGHIJexe] ,-./0123456789:;<=>?@ABCDEFGHIJexe
O4 - HKCU\..\Run: [3456789:;<=>?@ABCDEFexe] ()*+,-./0123456789:;<=>?@ABCDEFexe
O4 - HKCU\..\Run: [Antivirus] E:\Program Files\VAV\vav.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: SBC Self Support Tool.lnk = E:\Program Files\SBC Self Support Tool\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O16 - DPF: CabBuilder - http://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://download.games.yahoo.com/games/web_games/sony/bewitched/main.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/chuzzle/popcaploader_v6.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - E:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - E:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - E:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: MSCSPTISRV - Sony Corporation - E:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - E:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - E:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - E:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - E:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - E:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - E:\Program Files\Iomega\AutoDisk\ADService.exe
--
End of file - 10095 bytes
I ran CombFix followed by HJT. My ComboFix log is pasted below. I will post my HJT log in another post right after this.
BTW: I still receive the "Unable to complete genuine Windows validation." icon in my system tray. That has been going on since yesterday when I was infected by Virtumonde. I will post any other remaining symptoms as I discover them.
My ComboFix log:
ComboFix 08-07-20.7 - James 2008-07-21 9:09:33.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.412 [GMT -5:00]
Running from: E:\Documents and Settings\James\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
E:\Documents and Settings\James\Local Settings\Temporary Internet Files\temp.dmf
E:\WINDOWS\cookies.ini
E:\WINDOWS\Downloaded Program Files\setup.inf
E:\WINDOWS\erms.exe
E:\WINDOWS\privacy_danger
E:\WINDOWS\privacy_danger\images\capt.gif
E:\WINDOWS\privacy_danger\images\danger.jpg
E:\WINDOWS\privacy_danger\images\down.gif
E:\WINDOWS\privacy_danger\images\spacer.gif
E:\WINDOWS\system32\FeNmTBeg.ini
E:\WINDOWS\system32\FeNmTBeg.ini2
E:\WINDOWS\system32\fpcfbk.dll
E:\WINDOWS\system32\geBTmNeF.dll
E:\WINDOWS\system32\mcrh.tmp
E:\WINDOWS\system32\pmqwprle.dll
E:\WINDOWS\system32\qjynclxx.ini
E:\WINDOWS\system32\ssqPJdeE.dll
E:\WINDOWS\system32\trwicecx.dll
E:\WINDOWS\system32\vav.cpl
E:\WINDOWS\system32\xxlcnyjq.dll
E:\WINDOWS\system32\yixuwi.dll
.
((((((((((((((((((((((((( Files Created from 2008-06-21 to 2008-07-21 )))))))))))))))))))))))))))))))
.
2008-07-21 00:02 . 2008-07-21 00:02 <DIR> d-------- E:\Program Files\Trend Micro
2008-07-20 23:21 . 2008-07-20 23:21 0 --a------ E:\WINDOWS\nsreg.dat
2008-07-20 22:13 . 2008-07-20 23:15 145 --a------ E:\WINDOWS\wininit.ini
2008-07-20 22:01 . 2008-07-20 22:01 <DIR> d-------- E:\Program Files\Spybot - Search & Destroy
2008-07-20 22:01 . 2008-07-20 22:10 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-20 18:46 . 2008-07-20 18:46 <DIR> d--h----- E:\WINDOWS\system32\GroupPolicy
2008-07-20 17:56 . 2008-07-20 18:48 <DIR> d-------- E:\Documents and Settings\James\Application Data\TmpRecentIcons
2008-07-20 17:56 . 2008-07-17 05:14 155,648 --a------ E:\WINDOWS\agpqlrfm.exe
2008-07-15 10:00 . 2008-07-15 09:04 3,638 --a------ E:\WINDOWS\system32\onesuite.ico
2008-07-12 22:24 . 2008-07-12 22:14 3,638 --a------ E:\WINDOWS\system32\bsafe.ico
2008-07-12 22:20 . 2008-07-12 22:09 3,638 --a------ E:\WINDOWS\system32\schwab.ico
2008-07-12 22:12 . 2008-07-12 22:01 3,638 --a------ E:\WINDOWS\system32\mtrush.ico
2008-07-12 22:09 . 2008-07-12 21:58 3,638 --a------ E:\WINDOWS\system32\nfcu2.ico
2008-07-12 13:48 . 2008-07-12 13:37 3,638 --a------ E:\WINDOWS\system32\thcu.ico
2008-07-12 13:45 . 2008-07-12 13:34 3,638 --a------ E:\WINDOWS\system32\paybills.ico
2008-07-12 13:43 . 2008-07-12 13:32 3,638 --a------ E:\WINDOWS\system32\usaa.ico
2008-07-12 13:40 . 2008-07-12 13:29 3,638 --a------ E:\WINDOWS\system32\mc.ico
2008-07-12 13:35 . 2008-07-12 13:23 3,638 --a------ E:\WINDOWS\system32\travelers2.ico
2008-07-12 13:28 . 2008-07-12 13:17 3,638 --a------ E:\WINDOWS\system32\wamu.ico
2008-07-12 13:26 . 2008-07-12 13:15 3,638 --a------ E:\WINDOWS\system32\virgin.ico
2008-07-12 13:23 . 2008-07-12 13:11 3,638 --a------ E:\WINDOWS\system32\txtag.ico
2008-07-12 13:07 . 2008-07-12 12:54 3,638 --a------ E:\WINDOWS\system32\visalogo.ico
2008-07-12 13:07 . 2008-07-12 12:52 3,638 --a------ E:\WINDOWS\system32\visa2.ico
2008-07-12 13:07 . 2008-07-12 12:49 3,638 --a------ E:\WINDOWS\system32\visa.ico
2008-07-12 12:55 . 2008-07-12 12:40 3,638 --a------ E:\WINDOWS\system32\bank.ico
2008-07-12 12:26 . 2008-03-18 12:40 1,406 --a------ E:\WINDOWS\system32\UTSeal.ico
2008-07-12 12:21 . 2008-03-18 21:25 3,638 --a------ E:\WINDOWS\system32\UTDirect.ico
2008-07-12 12:15 . 2008-03-18 21:01 3,638 --a------ E:\WINDOWS\system32\UTTower.ico
2008-07-04 19:11 . 2003-09-01 11:45 1,718,499 --a------ E:\Documents and Settings\James\Burn4Free_Setup.exe
2008-07-04 16:45 . 2008-07-04 16:45 <DIR> d-------- E:\Program Files\Microsoft Silverlight
2008-06-25 07:30 . 2008-06-26 23:02 <DIR> d-------- E:\Documents and Settings\James\Application Data\Active Disk
2008-06-25 07:30 . 2004-08-03 23:00 17,664 --a------ E:\WINDOWS\system32\drivers\ppa3.sys
2008-06-25 07:30 . 2004-08-03 23:00 17,664 --a--c--- E:\WINDOWS\system32\dllcache\ppa3.sys
2008-06-25 07:28 . 1999-12-17 10:13 86,016 --a------ E:\WINDOWS\unvise32.exe
2008-06-25 07:27 . 2008-06-25 07:28 <DIR> d-------- E:\Program Files\Iomega
2008-06-24 01:39 . 2008-01-29 10:39 184,320 --a------ E:\WINDOWS\system32\InetCntrl0011.dll
2008-06-24 01:39 . 2007-06-04 10:56 29,024 --a------ E:\WINDOWS\system32\drivers\bsofrwl.sys
2008-06-23 23:11 . 2005-11-30 10:35 1,327,189 --a------ E:\WINDOWS\system32\odSupp_M.dll
2008-06-23 23:11 . 2005-12-14 19:30 634,880 --a------ E:\WINDOWS\system32\ANIWZCS2.dll
2008-06-23 23:11 . 2005-11-30 10:35 237,568 --a------ E:\WINDOWS\system32\wlanapi.dll
2008-06-23 23:11 . 2005-11-30 10:35 204,800 --a------ E:\WINDOWS\system32\aIPH.dll
2008-06-23 23:11 . 2005-12-14 19:50 167,936 --a------ E:\WINDOWS\system32\WlanApp.dll
2008-06-23 23:11 . 2005-11-30 10:35 57,407 --a------ E:\WINDOWS\system32\ANICtl.dll
2008-06-23 23:11 . 2005-10-27 08:55 49,152 --a------ E:\WINDOWS\system32\JJAKEn.dll
2008-06-23 23:11 . 2005-11-30 10:35 49,152 --a------ E:\WINDOWS\system32\AQCKGen.dll
2008-06-23 23:10 . 2008-06-23 23:10 <DIR> d-------- E:\Program Files\D-Link
2008-06-23 23:10 . 2008-06-23 23:10 <DIR> d-------- E:\Program Files\ANI
2008-06-23 23:10 . 2005-12-13 10:38 48,128 --a------ E:\WINDOWS\system32\ANIO64.sys
2008-06-23 23:10 . 2005-10-21 15:56 36,864 --a------ E:\WINDOWS\system32\ANIOApi.dll
2008-06-23 23:10 . 2005-12-11 11:55 28,195 --a------ E:\WINDOWS\system32\ANIO.sys
2008-06-23 23:10 . 2004-10-14 10:29 16,997 --a------ E:\WINDOWS\system32\ANIO.VXD
2008-06-23 23:10 . 2004-10-14 10:29 11,904 --a------ E:\WINDOWS\system32\anio4.sys
2008-06-23 23:08 . 2008-06-23 23:08 <DIR> d-------- E:\WINDOWS\system32\LogFiles
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-21 13:03 --------- d-----w E:\Documents and Settings\All Users\Application Data\avg7
2008-07-21 02:06 --------- d-----w E:\Program Files\Google
2008-07-21 00:28 --------- d-----w E:\Documents and Settings\James\Application Data\AVG7
2008-07-18 16:21 --------- d-----w E:\Documents and Settings\All Users\Application Data\pdf995
2008-07-14 14:25 --------- d-----w E:\Program Files\e-Sword
2008-07-05 00:16 --------- d-----w E:\Program Files\FreeRIP2
2008-06-24 06:55 --------- d-----w E:\Program Files\Yahoo!
2008-06-24 06:54 --------- d-----w E:\Program Files\Common Files\Wise Installation Wizard
2008-06-24 04:30 --------- d--h--w E:\Program Files\InstallShield Installation Information
2008-06-20 10:45 360,320 ----a-w E:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w E:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w E:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w E:\WINDOWS\system32\drivers\bthport.sys
2008-06-09 13:57 --------- d-----w E:\Documents and Settings\James\Application Data\Motive
2008-05-26 19:26 --------- d-----w E:\Documents and Settings\Safe Web\Application Data\Sony Corporation
2008-05-26 01:20 --------- d-----w E:\Documents and Settings\James\Application Data\Sony Corporation
2008-05-26 00:36 --------- d-----w E:\Program Files\Sony
2008-05-26 00:35 --------- d-----w E:\Program Files\Common Files\Sony Shared
2008-05-26 00:35 --------- d-----w E:\Documents and Settings\All Users\Application Data\Sony Corporation
2008-05-26 00:34 --------- d-----w E:\Program Files\Common Files\InstallShield
2008-05-26 00:33 --------- d-----w E:\Program Files\Wal-Mart Music Downloads Store
2008-05-26 00:33 --------- d-----w E:\Program Files\Quicken
2008-05-24 19:42 --------- d-----w E:\Documents and Settings\Safe Web\Application Data\Yahoo!
2008-05-24 19:42 --------- d-----w E:\Documents and Settings\Safe Web\Application Data\AVG7
2007-12-09 03:50 63,264 ----a-w E:\Documents and Settings\James\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"789:;<=>?@ABCDEFGHIJexe"="" [?]
"3456789:;<=>?@ABCDEFexe"="()*+" [?]
"Yahoo! Pager"="1" [X]
"SsAAD.exe"="E:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-11-02 13:43 472632]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"789:;<=>?@ABCDEFGHIJexe"="" [?]
"3456789:;<=>?@ABCDEFexe"="()*+" [?]
"BJCFD"="E:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 23:26 368706]
"Motive SmartBridge"="E:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 09:51 442455]
"AVG7_CC"="E:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-06-28 03:39 580096]
"SoundMAXPnP"="E:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-21 04:11 925696]
"NvCplDaemon"="E:\WINDOWS\system32\NvCpl.dll" [2006-07-13 00:19 7626752]
"NvMediaCenter"="E:\WINDOWS\system32\NvMcTray.dll" [2006-07-13 00:19 86016]
"SunJavaUpdateSched"="E:\Program Files\Java\j2re1.4.2_15\bin\jusched.exe" [2007-05-22 19:39 32881]
"ISUSPM"="E:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 19:34 213936]
"Adobe Reader Speed Launcher"="E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="E:\Program Files\QuickTime\qttask.exe" [2008-04-17 09:58 413696]
"D-Link Wireless G WUA-1340"="E:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe" [2005-12-15 12:19 2715648]
"ANIWZCS2Service"="E:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-11-30 10:35 49152]
"InetCntrl"="E:\WINDOWS\system32\InetCntrl\InetCntrl.exe" [2008-01-29 16:37 841008]
"ADUserMon"="E:\Program Files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 16:39 147456]
"Iomega Drive Icons"="E:\Program Files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 14:30 86016]
"Deskup"="E:\Program Files\Iomega\DriveIcons\deskup.exe" [2002-07-16 10:55 32768]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 17:21 61952 E:\WINDOWS\system32\HdAShCut.exe]
"nwiz"="nwiz.exe" [2006-07-13 00:19 1519616 E:\WINDOWS\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="E:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-28 17:11 219136]
E:\Documents and Settings\All Users\Start Menu\Programs\Startup\
SBC Self Support Tool.lnk - E:\Program Files\SBC Self Support Tool\bin\matcli.exe [2007-09-29 21:34:24 217088]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 E:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"E:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"E:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"E:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"E:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"E:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"E:\\WINDOWS\\system32\\InetCntrl\\InetCntrl.exe"=
S3 FA312;NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver;E:\WINDOWS\system32\DRIVERS\FA312nd5.sys [2001-08-17 14:12]
S3 MRVW225;D-Link AirPlus G DWL-G122 Wireless USB Dirver for Windows XP;E:\WINDOWS\system32\DRIVERS\MRVW225.sys [2005-09-30 21:42]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bb20fc45-d4ae-11dc-acfd-0018f30ebd6d}]
\Shell\AutoRun\command - G:\setupSNK.exe
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)
HKLM-Run-Antivirus - E:\Program Files\VAV\vav.exe
HKLM-Run-bc6f5476 - E:\WINDOWS\system32\xxlcnyjq.dll
HKU-Default-Run-swg - E:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.myafo.net/
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/keyword/%s
O8 -: E&xport to Microsoft Excel - E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 -: CabBuilder - hxxp://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
E:\WINDOWS\Downloaded Program Files\OSDED4D.OSD
E:\WINDOWS\Downloaded Program Files\InstallerControl.dll
O16 -: Microsoft XML Parser for Java - file://E:\WINDOWS\Java\classes\xmldso.cab
E:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-21 09:15:59
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
------------------------ Other Running Processes ------------------------
.
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
E:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
E:\PROGRA~1\Iomega\System32\AppServices.exe
E:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\wdfmgr.exe
E:\Program Files\Iomega\AutoDisk\ADService.exe
E:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
E:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
E:\WINDOWS\system32\WgaTray.exe
E:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-07-21 9:17:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-21 14:17:41
Pre-Run: 228,682,526,720 bytes free
Post-Run: 228,788,441,088 bytes free
218 --- E O F --- 2008-07-09 01:33:31
I restarted SpyBot TeaTimer along with my AVG resident shield before getting back onto the Internet. After I restarted TeaTimer, I received 10 or more prompts about registry changes that I did not understand. I just clicked "Allow Change" for all of them since I assumed thay were changes that SpyBot was making in order to run properly. Please let me know if you think this sound OK.
OK. Now my HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:18:15, on 7/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
E:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
E:\PROGRA~1\Iomega\System32\AppServices.exe
E:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\Program Files\Iomega\AutoDisk\ADService.exe
E:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
E:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
E:\WINDOWS\system32\WgaTray.exe
E:\WINDOWS\system32\wscntfy.exe
E:\Program Files\BroadJump\Client Foundation\CFD.exe
E:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
E:\Program Files\Analog Devices\Core\smax4pnp.exe
E:\Program Files\Java\j2re1.4.2_15\bin\jusched.exe
E:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
E:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe
E:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
E:\WINDOWS\system32\InetCntrl\InetCntrl.exe
E:\Program Files\Iomega\AutoDisk\ADUserMon.exe
E:\Program Files\Iomega\DriveIcons\ImgIcon.exe
E:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\wuauclt.exe
E:\WINDOWS\explorer.exe
E:\WINDOWS\system32\notepad.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myafo.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {E0019445-4C1F-414D-A70E-AD80F231C584} - (no file)
O4 - HKLM\..\Run: [BJCFD] E:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] E:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] E:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\j2re1.4.2_15\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM] "E:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [D-Link Wireless G WUA-1340] E:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] E:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [InetCntrl] E:\WINDOWS\system32\InetCntrl\InetCntrl.exe
O4 - HKLM\..\Run: [ADUserMon] E:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] E:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] E:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [789:;<=>?@ABCDEFGHIJexe] ,-./0123456789:;<=>?@ABCDEFGHIJexe
O4 - HKLM\..\Run: [3456789:;<=>?@ABCDEFexe] ()*+,-./0123456789:;<=>?@ABCDEFexe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [SsAAD.exe] E:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [789:;<=>?@ABCDEFGHIJexe] ,-./0123456789:;<=>?@ABCDEFGHIJexe
O4 - HKCU\..\Run: [3456789:;<=>?@ABCDEFexe] ()*+,-./0123456789:;<=>?@ABCDEFexe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: SBC Self Support Tool.lnk = E:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O16 - DPF: CabBuilder - http://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://download.games.yahoo.com/games/web_games/sony/bewitched/main.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - E:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - E:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - E:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: MSCSPTISRV - Sony Corporation - E:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - E:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - E:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - E:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - E:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - E:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - E:\Program Files\Iomega\AutoDisk\ADService.exe
--
End of file - 9832 bytes
------------------------------------------
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)
Do NOT run 'fixes' before helpers have analyzed the HJT log (http://forums.spybot.info/showthread.php?t=16806 )
shelf life
2008-07-27, 19:08
hi,
please remove combofix like this;
start>run and type in combofix /u
click "ok"
note; there is a space after the x and before the /
we will use hjt; but first disable spybots tea timer so it dosnt interfere with the changes. how:
1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.
next:
start HJT, click the "Scan" button. check the items below, close any open windows, then click "Fixed checked"
O4 - HKLM\..\Run: [789:;<=>?@ABCDEFGHIJexe] ,-./0123456789:;<=>?@ABCDEFGHIJexe
O4 - HKLM\..\Run: [3456789:;<=>?@ABCDEFexe] ()*+,-./0123456789:;<=>?@ABCDEFexe
O4 - HKCU\..\Run: [789:;<=>?@ABCDEFGHIJexe] ,-./0123456789:;<=>?@ABCDEFGHIJexe
O4 - HKCU\..\Run: [3456789:;<=>?@ABCDEFexe] ()*+,-./0123456789:;<=>?@ABCDEFexe
next:
run sdfix, runs in safe mode only. link and directions;post the log it generates
Download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, the Advanced Options Menu should appear;
* Select the first option, to run Windows in Safe Mode, then press Enter.
* Choose your usual account.
* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
* Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
-----------------------------
please post a new hjt log and a hjt log uninstall list;
the uinstall list you can get like this:
start hjt
click on "open misc tools section"
then "open uninstall manager"
then "save list" post the list in reply.
Thanks very much for your help.
First, I must have deleted ComboFix prior to your reply. Neither the download command nor I were able to locate the ComboFix executable. Do I need to re-install ComboFix and perform the correct uninstall as you directed?
Second, the four items you directed me to fix with HJT were not there when I ran HJT.
I downloaded and ran SDFix. Below are 3 logs:1) the SDFix Report.txt, 2) latest HJT log, and 3) the HJT uninstall_list.txt
BTW, I am still receiving the error message in my system tray that my system is unable to complete genuine Windows validation. This error started the minute I was infected with Virtumonde.
Now the 3 requested logs:
1) SDFix Report.txt
SDFix: Version 1.209
Run by Administrator on Tue 07/29/2008 at 07:00 AM
Microsoft Windows XP [Version 5.1.2600]
Running From: E:\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
E:\WINDOWS\browser.exe - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-29 07:05:09
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"E:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="E:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"E:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="E:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"E:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="E:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"E:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"="E:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe:*:Enabled:Apache HTTP Server"
"E:\\WINDOWS\\system32\\InetCntrl\\InetCntrl.exe"="E:\\WINDOWS\\system32\\InetCntrl\\InetCntrl.exe:*:Enabled:Bsecure Internet Protection Services - Application"
"E:\\Program Files\\AVG\\AVG8\\avgupd.exe"="E:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files :
File Backups: - E:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Mon 7 Jul 2008 1,429,840 A.SHR --- "E:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 7 Jul 2008 2,156,368 A.SHR --- "E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Fri 9 May 2008 0 A..H. --- "E:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT1.tmp"
Mon 15 Oct 2001 0 A..H. --- "E:\Documents and Settings\James\My Documents\Education\Foods\~WRL3485.tmp"
Fri 25 May 2001 1,017,556 A..H. --- "E:\Documents and Settings\James\My Documents\Financial\ExpenceSheets\PFT52C5.TMP"
Mon 3 Sep 2001 1,018,510 A..H. --- "E:\Documents and Settings\James\My Documents\Financial\ExpenceSheets\PFT70B0.TMP"
Sun 20 Mar 2005 33,792 A..H. --- "E:\Documents and Settings\James\My Documents\Letters\Activism\~WRL0003.tmp"
Finished!
2) Latest HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:08:20, on 7/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
E:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
E:\PROGRA~1\Iomega\System32\AppServices.exe
E:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\Program Files\Iomega\AutoDisk\ADService.exe
E:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
E:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
E:\PROGRA~1\AVG\AVG8\avgrsx.exe
E:\WINDOWS\system32\WgaTray.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\wuauclt.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\system32\notepad.exe
E:\Program Files\BroadJump\Client Foundation\CFD.exe
E:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
E:\Program Files\Analog Devices\Core\smax4pnp.exe
E:\Program Files\Java\j2re1.4.2_15\bin\jusched.exe
E:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
E:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe
E:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
E:\WINDOWS\system32\InetCntrl\InetCntrl.exe
E:\Program Files\Iomega\AutoDisk\ADUserMon.exe
E:\Program Files\Iomega\DriveIcons\ImgIcon.exe
E:\PROGRA~1\AVG\AVG8\avgtray.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myafo.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {3AA6678D-1CE0-499E-B9F6-8444DEE39D88} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - E:\Program
Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - E:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {C7EB791C-DD60-4EA9-BA71-E6D69C0E7994} - (no file)
O2 - BHO: (no name) - {e45a6bff-b399-4558-a0ac-d0c7a3174493} - (no file)
O3 - Toolbar: (no name) - {E0019445-4C1F-414D-A70E-AD80F231C584} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - E:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [BJCFD] E:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] E:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] E:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\j2re1.4.2_15\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM] "E:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [D-Link Wireless G WUA-1340] E:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] E:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [InetCntrl] E:\WINDOWS\system32\InetCntrl\InetCntrl.exe
O4 - HKLM\..\Run: [ADUserMon] E:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] E:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] E:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [SsAAD.exe] E:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - Global Startup: SBC Self Support Tool.lnk = E:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -
E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program
Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O10 - Unknown file in Winsock LSP: inetcntrl0011.dll
O16 - DPF: CabBuilder - http://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) -
http://go.microsoft.com/fwlink/?LinkId=82580
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) -
http://download.games.yahoo.com/games/web_games/sony/bewitched/main.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: ssqPJdeE - E:\WINDOWS\
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - E:\Program Files\ANI\ANIWZCS2
Service\ANIWZCSdS.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - E:\Program Files\NVIDIA
Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common
Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - E:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: MSCSPTISRV - Sony Corporation - E:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - E:\Program Files\NVIDIA
Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - E:\Program Files\NVIDIA
Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - E:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - E:\Program Files\Common Files\Sony
Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - E:\Program Files\Common Files\Sony
Shared\AVLib\SSScsiSV.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - E:\Program
Files\Iomega\AutoDisk\ADService.exe
--
End of file - 10076 bytes
3) Unistall HJT log:
Active Disk
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.2
Adobe Shockwave Player
ANIO Service
ANIWZCS2 Service
AT&T Self Support Tool
AVG Free 8.0
BroadJump Client Foundation
Bsecure Internet Protection Services v.5.0
Chuzzle Deluxe (remove only)
Citrix Presentation Server Client
e-Sword
FreeUndelete
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
IomegaWare 4.0.2
Java 2 Runtime Environment, SE v1.4.2_15
Jewel Quest II (remove only)
Korean Fonts Support For Adobe Reader 8
LogicAid
Microsoft Office Publisher 2003
Microsoft Office XP Professional
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
ModelSim PE Student Edition 6.3c
Mozilla Firefox (3.0.1)
NVIDIA Drivers
NVIDIA ForceWare Network Access Manager
OpenMG Secure Module 4.6.01
Pdf995
PdfEdit995
Quicken 2006
RealPlayer
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Showoff Home Design 1.0
Shred 2 (PC Magazine)
SimUaid
SonicStage 4.2
SoundMAX
Spybot - Search & Destroy
SpywareBlaster 4.1
TrueCrypt
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Voxware Audio decoder 1.6
Wal-Mart Music Downloads Store
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Wireless G WUA-1340
Xming 6.9.0.31
Xming-fonts 7.3.0.11
shelf life
2008-07-30, 00:30
hi,
ok thanks for the info.
Do I need to re-install ComboFix
hold off on that for now.
Second, the four items you directed me to fix with HJT were not there when I ran HJT.
this is good
lets get one more download to see if it can dig up any malware. please post the log it generates. link and directions for use:
Please download Malwarebytes' Anti-Malware to your desktop:
http://www.besttechie.net/tools/mbam-setup.exe
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Thanks for the latest Malware Removal tip.
I ran Malwarebytes and it identified 7 items which I removed. I pasted the log below.
Also, since I had 3 more free tech support calls to Microsoft for my Windows XP, I called them and, after 5 hours, they were able to fix my Genuine Verification error and re-registered some other corrupted system files that enabled them to identify 80 not-yet-installed Windows security updates that I was then able to download and install.
Now for my Malwarebytes log:
Malwarebytes' Anti-Malware 1.24
Database version: 1030
Windows 5.1.2600 Service Pack 2
9:49:40 PM 8/7/2008
mbam-log-8-7-2008 (21-49-40).txt
Scan type: Full Scan (C:\|E:\|)
Objects scanned: 224583
Time elapsed: 2 hour(s), 46 minute(s), 26 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted
successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted
successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a}
(Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
shelf life
2008-08-09, 00:06
hi toglelt
ok looking good all the way around. post one last hjt log, then we can finish it up.
This topic has been archived due to inactivity.
As it has been five days or more since your last post, this topic has been archived and will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread.
Applies only to the original poster, anyone else with similar problems please start a new topic.
Thank you shelf life. ;)