View Full Version : New VICTIM of virtumonde
i am running on windows XP and have virtumonde hidden in my pc.
any help would be appreciated.
i am quite new to removals of malware manually etc.
i can send a copy of my HJT log when asked.
thank you
Hello Rabok
Welcome to Safer Networking.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.
If you have the older version of Hijackthis, drag it to the trash and download and install the latest version by Trendmicro, make sure to follow the instructions and install it in its own folder.
Download Trendmicros Hijackthis (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe) to your desktop.
Double click it to install
Follow the prompts and by default it will install in C:\Program Files\Trendmicro\Hijackthis\Highjackthis.exe
Open HJT Scan and Save a Log File, it will open in Notepad
Go to Format and make sure Wordwrap is Unchecked
Go to Edit> Select All.....Edit > Copy and Paste the new log into this thread by using the Post Reply and not start a New Thread.
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
thank you for your interest in helping
here is my current HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:34:52 AM, on 7/26/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe
C:\Program Files\ASUS\AI Suite\AiGear3\CpuPowerMonitor.exe
C:\Program Files\ASUS\AI Suite\CpuLevelUpHelp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Documents and Settings\Julian Nowicki\winlogon.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uoyzsydz.exe,
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb127\Dealio.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [CPU Power Monitor] "C:\Program Files\ASUS\AI Suite\AiGear3\CpuPowerMonitor.exe"
O4 - HKLM\..\Run: [Cpu Level Up help] C:\Program Files\ASUS\AI Suite\CpuLevelUpHelp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Bluetooth Connection Assistant] LBTWIZ.EXE -silent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\Julian Nowicki\winlogon.exe
O4 - HKLM\..\Run: [{bd5515d4-7c80-23b0-f2a5-4b4220588292}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\mjjflvygqbbxpc.dll" DllStart
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe
O4 - HKLM\..\Run: [a81982f7] rundll32.exe "C:\WINDOWS\system32\cucsyjlb.dll",b
O4 - HKLM\..\Run: [BMab2ab16b] Rundll32.exe "C:\WINDOWS\system32\ypjtxnuu.dll",s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\qcntmtdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rrwnw64n.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Compare Prices with &Dealio - C:\Documents and Settings\Julian Nowicki\Application Data\Dealio\kb127\res\DealioSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1214995706949
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.470.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe (file missing)
--
End of file - 7977 bytes
Hello Rabok,
You have other infections on your system besides the Vundo Trojan, your also infected with the SDBot worm and this is most likely where you got them.
BitTorrent
You have BitTorrent, a P2P/file sharing program installed on your computer. These types of programs are not recommended as P2P applications like it are the largest source of malware we see. You'll be doing yourself a favor by removing it.
You can read about the dangers of these programs from these links
Here (http://www.microsoft.com/windows/ie/community/columns/protection.mspx)
Here (http://www.techweb.com/wire/160500554)
Here (http://malwareremoval.com/p2pindex.php)
You can uninstall this program and P2P programs like it from your Add Remove Programs in the Control Panel, if you decide to keep them, in away we are wasting our time because by using them you will almost certainly get yourself infected again in the future.
You also have Two Anti Virus Programs running, this is not recommended as they will conflict with each other at times and really hamper system performance, you have ESET NOD32 Antivirus and AVG8, your call but you need to uninstall one of them.
Keep in mind that this is a heavily infected computer and can't be fixed by the click of a mouse, its going to take some work removing all the garbage you have .
Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.
R3 - URLSearchHook: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uoyzsydz.exe,
O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\Julian Nowicki\winlogon.exe
O4 - HKLM\..\Run: [{bd5515d4-7c80-23b0-f2a5-4b4220588292}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\mjjflvygqbbxpc.dll" DllStart
O4 - HKLM\..\Run: [a81982f7] rundll32.exe "C:\WINDOWS\system32\cucsyjlb.dll",b G
O4 - HKLM\..\Run: Rundll32.exe "C:\WINDOWS\system32\ypjtxnuu.dll",s
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\qcntmtdm.exe G
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rrwnw64n.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.470.exe (file missing)
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe (file missing)
This tool needs to be run from Safemode to be effective so download it to your desktop then boot to Safemode to run it
To Enter Safemode
Go to [b]Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode
Then press the Enter Key on your Keyboard
Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
thank you for the information
I have uninstalled AVG8 before but it has obviously left traces behind and am not sure if i have now gotten rid of all of it.
Also i am curious if there is a good torrent program to use so i wont get infected with the SDBot worm again.
Here is my current HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:48:28 PM, on 7/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe
C:\Program Files\ASUS\AI Suite\AiGear3\CpuPowerMonitor.exe
C:\Program Files\ASUS\AI Suite\CpuLevelUpHelp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [CPU Power Monitor] "C:\Program Files\ASUS\AI Suite\AiGear3\CpuPowerMonitor.exe"
O4 - HKLM\..\Run: [Cpu Level Up help] C:\Program Files\ASUS\AI Suite\CpuLevelUpHelp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: LBTWIZ.EXE -silent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1214995706949
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe (file missing)
--
End of file - 6834 bytes
And here is the SDFix log:
[b]SDFix: Version 1.208
Run by Julian Nowicki on Sun 07/27/2008 at 12:42 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\JULIAN~1\Desktop\SDFix\SDFix
Checking Services :
Name :
MsSecurity1.209.4
Path :
C:\WINDOWS\444.470 service
MsSecurity1.209.4 - Deleted
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\WINDOWS\system32\urqQJYpQ.dll - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\WINDOWS\17PHolmes1188.exe - Deleted
C:\services.exe - Deleted
C:\WINDOWS\astctl32.ocx - Deleted
C:\WINDOWS\cpan.dll - Deleted
C:\WINDOWS\ctfmon32.exe - Deleted
C:\WINDOWS\ctrlpan.dll - Deleted
C:\WINDOWS\directx32.exe - Deleted
C:\WINDOWS\dnsrelay.dll - Deleted
C:\WINDOWS\editpad.exe - Deleted
C:\WINDOWS\explore.exe - Deleted
C:\WINDOWS\explorer32.exe - Deleted
C:\WINDOWS\funniest.exe - Deleted
C:\WINDOWS\funny.exe - Deleted
C:\WINDOWS\gfmnaaa.dll - Deleted
C:\WINDOWS\helpcvs.exe - Deleted
C:\WINDOWS\inetinf.exe - Deleted
C:\WINDOWS\internet.exe - Deleted
C:\WINDOWS\megavid.cdt - Deleted
C:\WINDOWS\msconfd.dll - Deleted
C:\WINDOWS\msspi.dll - Deleted
C:\WINDOWS\mswsc10.dll - Deleted
C:\WINDOWS\mswsc20.dll - Deleted
C:\WINDOWS\muotr.so - Deleted
C:\WINDOWS\qttasks.exe - Deleted
C:\WINDOWS\quicken.exe - Deleted
C:\WINDOWS\rundll16.exe - Deleted
C:\WINDOWS\rundll32.vbe - Deleted
C:\WINDOWS\searchword.dll - Deleted
C:\WINDOWS\sistem.exe - Deleted
C:\WINDOWS\svchost32.exe - Deleted
C:\WINDOWS\svcinit.exe - Deleted
C:\WINDOWS\system32\hljwugsf.bin - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\system32\zxdnt3d.cfg - Deleted
C:\WINDOWS\time.exe - Deleted
C:\WINDOWS\xplugin.dll - Deleted
Folder C:\Temp\1cb - Removed
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-27 12:47:08
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"="C:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe:*:Enabled:Company of Heroes - Opposing Fronts"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG8\\avgnsx.exe:*:Enabled:avgnsx.exe"
"C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Enabled:Microsoft Management Console"
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client\\SmartFTP.exe:*:Enabled:SmartFTP Client 3.0"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
Remaining Files :
File Backups: - C:\DOCUME~1\JULIAN~1\Desktop\SDFix\SDFix\backups\backups.zip
Files with Hidden Attributes :
Fri 27 Jun 2008 53,248 ..SH. --- "C:\Documents and Settings\Julian Nowicki\winlogon.exe"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 7 Jul 2008 2,156,368 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Tue 8 Jul 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 4 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d9f6fad75dbdac35a8ef8c60acfcb1a4\BIT2.tmp"
Finished!
thankyou and i will wait for further assistant
There are really no good P2P programs, the programs themselves are ok but you never know what's going to be bundled with that file you download, why take a chance, if you want to keep what you have then bear in mind that another infection is in your future.
Try going to your ADD Remove Programs in the Control Panel and uninstalling AVG, then do this.
Remove these with HJT.
R3 - URLSearchHook: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.<-- Don't forget this
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a New Hijackthis log.
thanks a lot. quite a few infections were removed and i hope we are close to end of my infected system.
mbam log:
Malwarebytes' Anti-Malware 1.23
Database version: 997
Windows 5.1.2600 Service Pack 3
7:56:15 PM 7/27/2008
mbam-log-7-27-2008 (19-56-15).txt
Scan type: Quick Scan
Objects scanned: 39421
Time elapsed: 2 minute(s), 7 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 13
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 20
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\ofvtqj.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\opNfdefE.dll (Trojan.Vundo) -> Delete on reboot.
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{96db4e59-fb2b-e584-9ee5-3f8592cb5ff6} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{96db4e59-fb2b-e584-9ee5-3f8592cb5ff6} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PlugPlayRPC (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3e623ec5-477e-4c04-a428-bf27e0c09319} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9fa17f06-8329-4882-8796-7aa57a1fafcc} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3e623ec5-477e-4c04-a428-bf27e0c09319} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9fa17f06-8329-4882-8796-7aa57a1fafcc} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\opnfdefe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\opnfdefe -> Delete on reboot.
Folders Infected:
C:\WINDOWS\system32\kBin02 (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\Julian Nowicki\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winpfz33.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Julian Nowicki\Local Settings\Application Data\Microsoft\Wallpaper1.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\EfedfNpo.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\opNfdefE.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\EfedfNpo.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ofvtqj.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\bqgkctsx.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wlweqqwp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pwqqewlw.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xstckgqb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bljyscuc.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cucsyjlb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uosxrrvo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ovrrxsou.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMab2ab16b.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMab2ab16b.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\edhrnwpp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\miytbakr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rkabtyim.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:00:54 PM, on 7/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe
C:\Program Files\ASUS\AI Suite\AiGear3\CpuPowerMonitor.exe
C:\Program Files\ASUS\AI Suite\CpuLevelUpHelp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0EB33462-77F2-4C15-8067-9E9E003C6BB8} - C:\WINDOWS\system32\khfEXrOf.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7DC0C6C0-E2EA-44F0-9B5C-49D852921938} - C:\WINDOWS\system32\jkkKCsTN.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [CPU Power Monitor] "C:\Program Files\ASUS\AI Suite\AiGear3\CpuPowerMonitor.exe"
O4 - HKLM\..\Run: [Cpu Level Up help] C:\Program Files\ASUS\AI Suite\CpuLevelUpHelp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Bluetooth Connection Assistant] LBTWIZ.EXE -silent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1214995706949
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 7350 bytes
thanks.
Yep, we have removed quite a bit, you should notice an improvement with your system, but there may be more hiding so lets do this.
Remove these with HJT.
O2 - BHO: (no name) - {0EB33462-77F2-4C15-8067-9E9E003C6BB8} - C:\WINDOWS\system32\khfEXrOf.dll (file missing)
O2 - BHO: (no name) - {7DC0C6C0-E2EA-44F0-9B5C-49D852921938} - C:\WINDOWS\system32\jkkKCsTN.dll (file missing)
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or Here (http://subs.geekstogo.com/ComboFix.exe) to your Desktop.
In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re enable the protection again afterwards before connecting to the net
2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
IF you have not already done so Combofix will disconnect your machine from the Internet when it starts.
If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.
combofix log:
ComboFix 08-07-26.1 - Julian Nowicki 2008-07-27 21:04:44.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1644 [GMT 8:00]
Running from: C:\Documents and Settings\Julian Nowicki\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\mainms.vpi
C:\WINDOWS\system32\bhpkeqds.ini
C:\WINDOWS\system32\dmswvs.dll
C:\WINDOWS\system32\EgMWGMoq.ini
C:\WINDOWS\system32\EgMWGMoq.ini2
C:\WINDOWS\system32\fbwfvr.dll
C:\WINDOWS\system32\fOrXEfhk.ini
C:\WINDOWS\system32\fOrXEfhk.ini2
C:\WINDOWS\system32\haersaqy.ini
C:\WINDOWS\system32\istvcf.dll
C:\WINDOWS\system32\jamphvtg.ini
C:\WINDOWS\system32\krhgntrw.dll
C:\WINDOWS\system32\LlnUDJjl.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\mxlmpu.dll
C:\WINDOWS\system32\NTsCKkkj.ini
C:\WINDOWS\system32\NTsCKkkj.ini2
C:\WINDOWS\system32\nVGjknpo.ini
C:\WINDOWS\system32\nVGjknpo.ini2
C:\WINDOWS\system32\thchcafl.ini
C:\WINDOWS\system32\tjicicyj.ini
C:\WINDOWS\system32\tpsqxpti.dll
C:\WINDOWS\system32\ucatxekl.dll
C:\WINDOWS\system32\vhwmteha.dll
C:\WINDOWS\system32\wroujgcr.ini
E:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-06-27 to 2008-07-27 )))))))))))))))))))))))))))))))
.
2008-07-27 19:51 . 2008-07-27 19:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-27 19:51 . 2008-07-27 19:51 <DIR> d-------- C:\Documents and Settings\Julian Nowicki\Application Data\Malwarebytes
2008-07-27 19:51 . 2008-07-27 19:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-27 19:51 . 2008-07-23 20:21 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-27 19:51 . 2008-07-23 20:21 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-27 12:41 . 2008-07-27 12:41 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-27 12:34 . 2008-07-24 01:27 <DIR> d-------- C:\SDFix
2008-07-27 12:22 . 2008-07-27 12:22 <DIR> d-------- C:\Program Files\CCleaner
2008-07-23 18:39 . 2008-07-23 18:39 <DIR> d-------- C:\Temp\epr1
2008-07-22 15:55 . 2008-07-22 15:55 <DIR> d-------- C:\Program Files\FDRLab
2008-07-22 15:39 . 2008-07-22 15:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-20 14:28 . 2008-07-20 14:28 <DIR> d-------- C:\WINDOWS\system32\carH18
2008-07-20 14:28 . 2008-07-20 14:28 <DIR> d-------- C:\Temp\btxv15
2008-07-19 14:48 . 2008-07-19 14:48 <DIR> d-------- C:\Documents and Settings\Julian Nowicki\Application Data\Search Settings
2008-07-19 11:52 . 2008-07-19 11:52 <DIR> d-------- C:\Program Files\Search Settings
2008-07-19 11:51 . 2008-07-19 11:51 <DIR> d-------- C:\Program Files\Free Audio Pack
2008-07-18 08:47 . 2008-07-18 08:47 <DIR> d-------- C:\Program Files\ESET
2008-07-18 08:47 . 2008-07-18 08:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-07-18 08:32 . 2008-07-18 08:32 121,344 --a------ C:\WINDOWS\task32.exe
2008-07-18 08:32 . 2008-07-18 08:32 73 --a------ C:\WINDOWS\1163.bat
2008-07-17 18:24 . 2008-07-18 09:11 <DIR> d-------- C:\WINDOWS\system32\aumsDK18
2008-07-17 18:24 . 2008-07-17 18:24 <DIR> d-------- C:\Temp\zpv201
2008-07-15 23:18 . 2008-07-15 23:18 <DIR> d-------- C:\Documents and Settings\Julian Nowicki\Application Data\Apple Computer
2008-07-15 23:02 . 2008-07-15 23:02 <DIR> d-------- C:\Program Files\QuickTime
2008-07-15 23:02 . 2008-07-15 23:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-15 23:01 . 2008-07-15 23:01 <DIR> d-------- C:\Program Files\Apple Software Update
2008-07-15 23:01 . 2008-07-15 23:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-07-15 22:14 . 2008-07-15 22:14 <DIR> d-------- C:\Program Files\SmartFTP Client 3.0 Setup Files
2008-07-15 22:14 . 2008-07-15 22:14 <DIR> d-------- C:\Program Files\SmartFTP Client
2008-07-15 22:14 . 2008-07-15 22:14 <DIR> d-------- C:\Documents and Settings\Julian Nowicki\Application Data\SmartFTP
2008-07-15 14:07 . 2008-07-27 01:51 1,603 --a------ C:\WINDOWS\wininit.ini
2008-07-15 13:38 . 2008-01-02 12:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-07-15 13:38 . 2008-07-27 12:17 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-15 13:29 . 2008-07-15 13:29 <DIR> d-------- C:\WINDOWS\system32\2938
2008-07-15 12:28 . 2008-07-15 13:44 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-15 12:28 . 2008-07-27 12:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-15 12:20 . 2008-07-15 14:27 <DIR> d-------- C:\WINDOWS\system32\SP3
2008-07-15 12:20 . 2008-07-16 18:02 <DIR> d-------- C:\WINDOWS\system32\olixds18
2008-07-15 12:20 . 2008-07-15 14:01 <DIR> d-------- C:\WINDOWS\system32\mer
2008-07-15 12:20 . 2008-07-15 14:00 <DIR> d-------- C:\WINDOWS\system32\avi2
2008-07-15 12:20 . 2008-07-15 12:20 <DIR> d--hs---- C:\WINDOWS\SnVsaWFuIE5vd2lja2k
2008-07-15 12:20 . 2008-07-15 12:20 <DIR> d-------- C:\Temp\stmpv4
2008-07-15 12:20 . 2008-07-27 12:47 <DIR> d-------- C:\Temp
2008-07-15 12:19 . 2008-07-15 12:19 77 --a------ C:\Documents and Settings\Julian Nowicki\3383.bat
2008-07-11 22:22 . 2008-07-11 22:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-07-11 16:35 . 2008-04-14 08:12 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-07-08 19:28 . 2008-07-08 19:28 <DIR> d-------- C:\WINDOWS\Sun
2008-07-08 16:11 . 2008-07-19 00:48 <DIR> d-------- C:\Documents and Settings\Julian Nowicki\Application Data\LimeWire
2008-07-08 11:46 . 2008-07-08 11:46 <DIR> d-------- C:\Program Files\Java
2008-07-08 11:46 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-08 11:23 . 2008-07-08 11:23 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-08 10:53 . 2008-07-08 11:03 <DIR> d-------- C:\Program Files\LimeWire
2008-07-07 19:24 . 2008-07-07 19:24 <DIR> d-------- C:\WINDOWS\Profiles
2008-07-07 19:24 . 2008-07-07 19:24 <DIR> d-------- C:\Documents and Settings\Julian Nowicki\Application Data\InterTrust
2008-07-07 19:24 . 1998-10-29 15:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-07-07 18:47 . 2008-07-07 18:47 <DIR> d-------- C:\Program Files\Bonjour
2008-07-07 18:39 . 2008-07-07 18:39 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-07-07 18:37 . 2008-07-15 16:35 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-07-07 18:35 . 2008-07-07 18:35 <DIR> d-------- C:\Program Files\NOS
2008-07-07 18:35 . 2008-07-07 18:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NOS
2008-07-04 23:33 . 2008-07-06 22:42 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-07-04 21:28 . 2008-07-04 21:28 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-07-04 21:28 . 2008-07-04 21:28 <DIR> d-------- C:\Documents and Settings\Julian Nowicki\Application Data\Media Player Classic
2008-07-04 16:14 . 2008-07-04 16:14 <DIR> d-------- C:\Documents and Settings\Julian Nowicki\Wallpaper
2008-07-04 14:12 . 2008-07-04 14:12 <DIR> d-------- C:\Documents and Settings\Julian Nowicki\Application Data\DivX
2008-07-04 01:26 . 2008-07-04 21:27 <DIR> d-------- C:\Program Files\DivX
2008-07-03 16:53 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-07-03 16:53 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-07-03 00:54 . 2008-07-03 00:54 <DIR> d-------- C:\Program Files\Windows Journal Viewer
2008-07-03 00:21 . 2008-07-03 00:21 <DIR> d-------- C:\Program Files\Canon
2008-07-03 00:21 . 2008-07-03 00:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Canon
2008-07-03 00:09 . 2008-07-03 00:09 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-07-03 00:09 . 2008-07-03 00:09 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-07-03 00:09 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-07-03 00:09 . 2008-07-03 00:09 376 --a------ C:\WINDOWS\ODBC.INI
2008-07-03 00:07 . 2008-07-03 00:07 <DIR> dr-h----- C:\MSOCache
2008-07-03 00:05 . 2008-07-03 00:05 <DIR> d-------- C:\Program Files\DNA
2008-07-03 00:05 . 2008-07-27 20:59 <DIR> d-------- C:\Documents and Settings\Julian Nowicki\Application Data\DNA
2008-07-03 00:05 . 2008-07-27 12:27 <DIR> d-------- C:\Documents and Settings\Julian Nowicki\Application Data\BitTorrent
2008-07-02 23:09 . 2008-04-14 08:12 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-07-02 23:09 . 2008-04-14 02:45 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-07-02 23:09 . 2008-04-14 02:45 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-07-02 23:09 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-07-02 22:53 . 2008-07-02 22:53 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-02 21:40 . 2008-07-02 21:40 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-07-02 20:42 . 2008-07-02 20:42 <DIR> d-------- C:\Program Files\Google
2008-07-02 20:26 . 2008-07-02 20:26 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-07-02 20:26 . 2008-07-02 20:26 <DIR> d-------- C:\Program Files\THQ
2008-07-02 20:26 . 2007-03-12 16:42 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2008-07-02 20:26 . 2007-03-12 16:42 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2008-07-02 20:26 . 2007-03-15 16:57 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2008-07-02 20:23 . 2008-07-02 20:23 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-07-02 19:21 . 2008-06-13 19:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-07-02 19:20 . 2008-07-20 15:27 <DIR> d-------- C:\Documents and Settings\Julian Nowicki\Contacts
2008-07-02 19:19 . 2008-05-08 22:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-07-02 19:16 . 2008-07-02 19:19 <DIR> d-------- C:\Program Files\Windows Live
2008-07-02 19:16 . 2008-07-02 19:19 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-07-02 19:16 . 2008-07-02 19:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-07-02 19:06 . 2008-07-02 19:06 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-07-02 19:06 . 2008-07-02 19:06 <DIR> d-------- C:\WINDOWS\system32\en
2008-07-02 19:06 . 2008-07-02 19:06 <DIR> d-------- C:\WINDOWS\system32\bits
2008-07-02 19:06 . 2008-07-02 19:06 <DIR> d-------- C:\WINDOWS\l2schemas
2008-07-02 19:05 . 2008-07-02 19:05 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-07-02 19:04 . 2008-07-02 19:04 <DIR> d-------- C:\WINDOWS\EHome
2008-07-02 17:52 . 2008-07-02 17:52 <DIR> d---s---- C:\Documents and Settings\Julian Nowicki\UserData
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-02 16:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-18 17:52 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 00:07 9,464 ----a-w C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-06-11 00:07 9,336 ----a-w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-06-11 00:07 43,528 ----a-w C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-06-11 00:07 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2008-06-11 00:07 120,056 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2008-06-11 00:07 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2008-06-11 00:04 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-06-11 00:04 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-06-11 00:03 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-06-11 00:03 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-06-11 00:03 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-06-11 00:03 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-06-11 00:03 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-06-11 00:03 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-06-11 00:03 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-06-10 10:56 34,312 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
2008-06-10 10:48 53,256 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2008-06-10 10:47 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2005-07-29 08:24 472 --sha-r C:\WINDOWS\SnVsaWFuIE5vd2lja2k\mBpPuqIRKHcSxZ53uZ4.vbs
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-07-03 00:05 289088]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-10-09 04:02 1036288]
"Ai Nap"="C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe" [2007-09-07 03:19 1426432]
"CPU Power Monitor"="C:\Program Files\ASUS\AI Suite\AiGear3\CpuPowerMonitor.exe" [2007-10-17 03:35 626176]
"Cpu Level Up help"="C:\Program Files\ASUS\AI Suite\CpuLevelUpHelp.exe" [2007-09-12 02:32 880640]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-02-28 13:34 13516800]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-02-28 13:34 86016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-06-10 18:52 1447168]
"nwiz"="nwiz.exe" [2008-02-28 13:34 1626112 C:\WINDOWS\system32\nwiz.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 19:10 55824 C:\WINDOWS\KHALMNPR.Exe]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-01-03 18:49:17 67128]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-01-03 18:48:02 784912]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2007-11-16 02:10 72208 c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
R0 nvgts;nvgts;C:\WINDOWS\system32\DRIVERS\nvgts.sys [2007-08-09 11:11]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-06-10 18:56]
S0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys []
S1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys []
S2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe []
S2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys []
S3 getPlus(R) Helper;getPlus(R) Helper;C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2008-06-26 10:25]
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
2008-07-24 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - s!:C:\Program Files\Apple Software Update\SoftwareUpdate.exe-taskSYSTEM0 []
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Bluetooth Connection Assistant - LBTWIZ.EXE
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.bigpond.com
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O18 -: Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-27 21:06:21
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-07-27 21:07:16
ComboFix-quarantined-files.txt 2008-07-27 13:06:53
Pre-Run: 483,117,862,912 bytes free
Post-Run: 483,092,680,704 bytes free
248 --- E O F --- 2008-07-19 19:00:32
HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:10:26 PM, on 7/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe
C:\Program Files\ASUS\AI Suite\AiGear3\CpuPowerMonitor.exe
C:\Program Files\ASUS\AI Suite\CpuLevelUpHelp.exe
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wisptis.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [CPU Power Monitor] "C:\Program Files\ASUS\AI Suite\AiGear3\CpuPowerMonitor.exe"
O4 - HKLM\..\Run: [Cpu Level Up help] C:\Program Files\ASUS\AI Suite\CpuLevelUpHelp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1214995706949
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 7259 bytes
Logs looking good :bigthumb:
Your Java is out of date and leaving your system vulnerable.
Go to your Add-Remove Programs in the Control Panel and uninstall any previous versions of Java (J2SE Runtime Environment)
It should have an icon next to it:
http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.jpg
Select it and click Remove.
Reboot your system.
Then go to the Sun Microsystems (http://java.sun.com/javase/downloads/index.jsp) and install the update
Java Runtime Environment (JRE) 6 Update 7 <--This is what you need to download and install.
If you chose the online installation, it will prompt you to run the program.
If you chose the offline installation, you will be prompted to save the file and you can run it from wherever you saved it.
Then after install you can verify your installation here Sun Java Verify (http://www.java.com/en/download/manual.jsp)
I like to to do the offline installation and save the setup file in case I may need it in the future
You still have Bit Torrent installed, hope we don't see you back here soon, keep in mind that you had some nasty infections and there are some out there that can't be fixed, the only option is a reformat and do a clean install of windows.
How is your system behaving now ???
system is behaving fine now.
java is updated to latest version
and bittorrent is completely removed from my system.
thankyou very much for you help.
if i was to go back to downloading torrents would it be ideal to scan torrents and files that are contained in the torrents with an AV or are worms etc very well hidden in them? such as the SDBot worm that i was infected with?
Good Morning,
Glad all is well, in answer to your question, this was just posted in our forum.
Use of P2P (Person to Person) file sharing programs
We have noticed that most people seeking help from us are coming with infections contracted from the use of P2P programs.
Because of this, we felt we needed to change our policy on the use of P2P file sharing programs.
* If your helper detects the presence of such programs on your computer he/she will ask you to remove them. We will withdraw our help should you not agree to their removal.
* If we clean your computer of infection, and you return to us a short time later with an infection contracted by the use of P2P programs, we will refuse our help.
We do not ask you to do this without reason.
P2P programs form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P program is not configured correctly you may be sharing more files than you realise. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program.
This article from InfoWorld illustrates perfectly the dangers of a poorly configured P2P program.
http://www.infoworld.com/article/07/...D-theft_1.html
Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.
When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.
We see no purpose in cleaning your machine if you use P2P programs, as it is pretty much certain that if you continue to use them then you will get infected again.
SDFix <---Drag it to the trash
ATF Cleaner <-- Yours to keep, run it now and then to clean out the clutter.
Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.
Combofix Is not a general cleaning tool, just run it with supervision or you can bork your system
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
When shown the disclaimer, Select "2"
The above procedure will:
Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.
How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Safe Surfn
Ken