Virtumonde Trojan Issues



Kubota402004
2008-07-27, 23:36
Hi, I'm Kubota. I've read a lot of these posts and I'm hoping you can help me. I think I've cleaned up most of the major issues, but there are some lingering ones, and I would like some help with how to write the CFScript. My issues are still:
1. Unable to get the automatic updates back working. Error 1058
2. Mouse jumps around on its own. Snaps into a new position

I've run Malwarebytes Anti-Malware and Spybot.

Below are my HijackThis log and my ComboFix log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:53:06 PM, on 7/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - Startup: MEMonitor.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1184272106500
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186182377000
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - http://www.partypics.com/events/26319309/00229/DSC_8079.jpg
O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/Samantha/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg

--
End of file - 6748 bytes


ComboFix 08-07-26.1 - Samantha 2008-07-27 15:47:11.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1441 [GMT -4:00]
Running from: C:\Documents and Settings\Samantha\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-06-27 to 2008-07-27 )))))))))))))))))))))))))))))))
.

2008-07-27 13:11 . 2008-07-27 13:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-27 13:08 . 2008-07-27 13:08 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-07-27 13:08 . 2008-07-27 13:08 <DIR> d-------- C:\WINDOWS\LastGood
2008-07-27 13:08 . 2008-07-27 13:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-26 21:04 . 2008-07-26 21:04 <DIR> d-------- C:\Documents and Settings\Samantha\Application Data\Malwarebytes
2008-07-26 21:03 . 2008-07-26 21:04 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-26 21:03 . 2008-07-26 21:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-26 21:03 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-26 21:03 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-25 06:56 . 2008-07-25 06:56 <DIR> d-------- C:\Program Files\Avira
2008-07-25 06:56 . 2008-07-25 06:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-25 05:59 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-07-25 05:51 . 2008-07-25 05:51 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-07-25 05:49 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\003387_.tmp
2008-07-24 22:59 . 2008-07-24 22:59 <DIR> d-------- C:\Documents and Settings\Samantha\.housecall6.6
2008-07-24 22:57 . 2008-07-24 22:57 <DIR> d-------- C:\Program Files\Java
2008-07-24 22:57 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-24 22:56 . 2008-07-24 22:56 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-24 20:13 . 2008-07-27 15:30 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-24 20:12 . 2008-07-24 20:52 <DIR> d-------- C:\Program Files\Google
2008-07-24 20:10 . 2008-07-25 06:53 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-24 19:41 . 2008-07-26 20:07 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-24 19:41 . 2008-07-24 19:41 <DIR> d-------- C:\Program Files\AVG
2008-07-24 19:41 . 2008-07-24 19:41 <DIR> d-------- C:\Documents and Settings\Samantha\Application Data\AVGTOOLBAR
2008-07-24 19:41 . 2008-07-24 19:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-24 19:41 . 2008-07-24 19:41 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-24 19:41 . 2008-07-24 19:41 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-24 19:28 . 2008-07-24 19:28 <DIR> d-------- C:\VundoFix Backups
2008-07-24 18:13 . 2008-07-24 19:27 256 --a------ C:\WINDOWS\wininit.ini
2008-07-24 17:55 . 2008-07-24 17:55 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-24 17:55 . 2008-07-24 18:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-20 18:03 . 2008-04-14 00:15 60,032 --a------ C:\WINDOWS\system32\drivers\usbaudio.sys
2008-07-20 18:03 . 2008-04-14 05:41 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-07-20 18:03 . 2008-04-14 00:15 10,368 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-07-20 18:02 . 2008-04-14 00:15 32,128 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-06-28 16:24 . 2008-06-28 16:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LogMeIn

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-27 13:02 --------- d-----w C:\Program Files\LogMeIn
2008-06-28 20:25 --------- d-----w C:\Program Files\Opera
2008-06-20 21:19 --------- d-----w C:\Documents and Settings\Samantha\Application Data\SmartDraw
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-05 21:19 --------- d-----w C:\Documents and Settings\Samantha\Application Data\U3
2008-05-28 16:33 83,288 ----a-w C:\WINDOWS\system32\LMIRfsClientNP.dll
2008-05-28 16:32 87,352 ----a-w C:\WINDOWS\system32\LMIinit.dll
2008-05-28 16:32 24,608 ----a-w C:\WINDOWS\system32\LMIport.dll
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
.

((((((((((((((((((((((((((((( snapshot@2008-07-27_13.02.34.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 14:03 63048]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 14:11 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-24 19:41 1232152]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43 8466432]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 14:28 266497]

C:\Documents and Settings\Samantha\Start Menu\Programs\Startup\
MEMonitor.lnk.disabled [2007-12-26 10:20:26 872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-05-28 12:32 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=
"487b13d8"=rundll32.exe "C:\WINDOWS\system32\cgdvsdgo.dll",b
"BM4b482044"=Rundll32.exe "C:\WINDOWS\system32\kyipfpyc.dll",s
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"nwiz"=nwiz.exe /install
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"RTHDCPL"=RTHDCPL.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-24 19:41]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-24 19:41]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2008-02-28 15:31]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2008-03-07 13:39]
S3 cpuz127;cpuz127;C:\DOCUME~1\Pierre\LOCALS~1\Temp\cpuz_x32.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f2ae03b8-2e86-11dd-8740-00044b025010}]
\Shell\AutoRun\command - E:\LaunchU3.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
2008-07-22 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - s!$;:C:\Program Files\Apple Software Update\SoftwareUpdate.exe-taskSYSTEM0% []
2008-07-27 C:\WINDOWS\Tasks\SDMsgUpdate (SD).job - s !(.+C:\PROGRA1\SMARTD1\Messages\SDNotify.exeQ-PSD -V764 -SSDU.ini -A -Mhttp://www.smartdraw.com/msgs/messagecheck.aspx -D0 -TSamantha00 []
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.myspace.com/
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-27 15:48:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-27 15:50:00
ComboFix-quarantined-files.txt 2008-07-27 19:49:14
ComboFix2.txt 2008-07-27 17:03:01

Pre-Run: 265,852,895,232 bytes free
Post-Run: 265,841,614,848 bytes free

142 --- E O F --- 2008-07-09 07:01:36

Kubota402004
2008-07-27, 23:42
In the ComboFix log, I found this:
2008-07-25 05:59 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll

wmpns.dll supposedly is for Windows Media Player, but why did it show up on the list if the date is 2004? Could it be an issue?

And I found this: 2008-07-25 05:49 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\003387_.tmp

This also has an old date.

I also found these entries:
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=
"487b13d8"=rundll32.exe "C:\WINDOWS\system32\cgdvsdgo.dll",b
"BM4b482044"=Rundll32.exe "C:\WINDOWS\system32\kyipfpyc.dll",s

In the HijackThis log, I am unfamiliar with these entries:

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

Please let me know what I should do next. Thank you,

Kubota
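The two rundll32 entries singled out in the post above are the classic shape of a Vundo/Virtumonde loader: a hex-looking value name (one with the "BM" prefix), a DLL in system32 whose name is eight random lowercase letters, and a one-letter export. The script below is an added example, not part of the original thread or of any tool mentioned in it. It parses ComboFix "Reg Loading Points" lines (the sample input is the 'run-' block copied from the log above), scores each rundll32 value against those three heuristics, and drafts the matching CFScript entries. The heuristics and the score threshold are the editor's assumptions, not a published signature, and the CFScript layout ('File::' and a REGEDIT4-style 'Registry::' section where '"name"=-' deletes a value) is the editor's understanding of the ComboFix convention; the output is a draft for a helper to review, not something to run unreviewed.

```python
"""Triage ComboFix 'Reg Loading Points' lines for Vundo/Virtumonde-style
rundll32 loaders and draft the matching CFScript entries for review.

Added example; assumptions are marked in comments."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed input: the 'run-' block copied from the ComboFix log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=
"487b13d8"=rundll32.exe "C:\WINDOWS\system32\cgdvsdgo.dll",b
"BM4b482044"=Rundll32.exe "C:\WINDOWS\system32\kyipfpyc.dll",s
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"nwiz"=nwiz.exe /install
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')
# rundll32[.exe] <dll>,<export>; the DLL path may or may not be quoted.
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\S*)', re.I)
# Heuristics (editor's assumptions, not a published signature): Vundo droppers
# used eight random lowercase letters for the DLL, a one-letter export and a
# hex-looking value name, sometimes prefixed "BM".
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")
HEX_NAME_RE = re.compile(r"^(?:BM)?[0-9a-f]{8,}$", re.I)


@dataclass
class Finding:
    key: str
    value_name: str
    dll: str
    export: str
    reasons: List[str] = field(default_factory=list)


def triage(log_text: str, min_score: int = 2) -> List[Finding]:
    """Return rundll32 autostart values that trip at least min_score heuristics."""
    findings: List[Finding] = []
    key = "<no key>"
    for raw in log_text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")      # remember which registry key we are under
            continue
        vm = VALUE_RE.match(line)
        if not vm:
            continue
        rm = RUNDLL_RE.search(vm.group("data"))
        if not rm:
            continue                   # not a rundll32 loader; skip
        dll, export = rm.group("dll"), rm.group("export")
        base = dll.rsplit("\\", 1)[-1]
        reasons = []
        if RANDOM_DLL_RE.match(base):
            reasons.append("eight-letter random-looking DLL name")
        if len(export) == 1:
            reasons.append("one-character export")
        if HEX_NAME_RE.match(vm.group("name")):
            reasons.append("hex-style value name")
        # A single heuristic is not enough: e.g. an AV vendor's eight-letter
        # DLL would trip the first one alone, so require two or more.
        if len(reasons) >= min_score:
            findings.append(Finding(key, vm.group("name"), dll, export, reasons))
    return findings


def cfscript(findings: List[Finding]) -> str:
    """Draft CFScript text for the flagged entries.

    Assumed format (ComboFix convention as the editor understands it): a
    'File::' section listing files to remove and a 'Registry::' section in
    REGEDIT4 syntax where '"name"=-' deletes that value."""
    by_key: Dict[str, List[str]] = {}
    for f in findings:
        by_key.setdefault(f.key, []).append(f.value_name)
    lines = ["File::"] + [f.dll for f in findings] + ["", "Registry::"]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f"{h.value_name}: {h.dll} ({'; '.join(h.reasons)})")
    print(cfscript(hits))
```

Run against the sample block it flags exactly the two entries the poster noticed and leaves the NVIDIA rundll32 values alone; the threshold of two heuristics is what keeps legitimate eight-letter DLL names (AVG's avgrsstx.dll in the AppInit_DLLs line, for instance) from being listed on name alone.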

tashi
2008-08-04, 18:26
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Do NOT run 'fixes' before helpers have analyzed the HJT log (http://forums.spybot.info/showthread.php?t=16806 )

Post here if still waiting for help in the Malware Forum, (AFTER) FOUR days (http://forums.spybot.info/showthread.php?t=1137)

If you still require help, it would be best to start a new topic and include a fresh HijackThis log with a link to this thread in your new topic.

Best regards.