help with virtumonde



Cristi
2008-07-29, 13:35
Hi

Please help me remove this malware.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:15:53 PM, on 7/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\W\System32\smss.exe
C:\W\system32\winlogon.exe
C:\W\system32\services.exe
C:\W\system32\lsass.exe
C:\W\system32\svchost.exe
C:\W\System32\svchost.exe
C:\W\system32\spoolsv.exe
C:\W\Explorer.EXE
C:\W\system32\svchost.exe
C:\W\RTHDCPL.EXE
C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe
C:\Program Files\JavaCore\JavaCore.exe
C:\W\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Cristi.CRISTI-C1582905\Desktop\HiJackThis.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [BM935349dd] Rundll32.exe "C:\W\system32\djfugpgr.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA8751] command /c del "C:\W\system32\nnnoLdcd.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8522] cmd /c del "C:\W\system32\nnnoLdcd.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5344] command /c del "C:\W\system32\djfugpgr.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5231] cmd /c del "C:\W\system32\djfugpgr.dll_old"
O4 - HKCU\..\Run: [VodafoneUSBPP.exe] C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe windows
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
O4 - HKCU\..\Run: [Chsr] "C:\W\DOBE~1\cmd.exe" -vt yazb
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\RunOnce: [SpybotDeletingB580] command /c del "C:\W\system32\nnnoLdcd.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7158] cmd /c del "C:\W\system32\nnnoLdcd.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9784] command /c del "C:\W\system32\djfugpgr.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1560] cmd /c del "C:\W\system32\djfugpgr.dll_old"
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\W\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\W\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{23A26924-2A04-480F-A671-90E1950485AF}: NameServer = 212.73.32.3 212.73.32.67
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 3941 bytes


Thanks for the help
-----------------------------------
Please help :|

I have had this virus for 6 months.

The system is more messed up now :sad:, so I am posting a new HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:21:45 AM, on 8/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\W\System32\smss.exe
C:\W\system32\winlogon.exe
C:\W\system32\services.exe
C:\W\system32\lsass.exe
C:\W\system32\svchost.exe
C:\W\System32\svchost.exe
C:\W\system32\spoolsv.exe
C:\W\system32\svchost.exe
C:\W\system32\wscntfy.exe
C:\W\explorer.exe
C:\W\RTHDCPL.EXE
C:\Program Files\JavaCore\JavaCore.exe
C:\W\DOBE~1\cmd.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Cristi.CRISTI-C1582905\Desktop\HiJackThis.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [VodafoneUSBPP.exe] C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe windows
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
O4 - HKCU\..\Run: [Chsr] "C:\W\DOBE~1\cmd.exe" -vt yazb
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\W\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\W\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{23A26924-2A04-480F-A671-90E1950485AF}: NameServer = 212.73.32.3 212.73.32.67
O20 - AppInit_DLLs: biccwu.dll
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 3195 bytes

Shaba
2008-08-03, 11:10
Hi Cristi

Rename HijackThis.exe to Cristi.exe and post back a fresh HijackThis log, please :)

Cristi
2008-08-03, 13:41
Here it is:cool:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:38:58 PM, on 8/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\W\System32\smss.exe
C:\W\system32\winlogon.exe
C:\W\system32\services.exe
C:\W\system32\lsass.exe
C:\W\system32\svchost.exe
C:\W\System32\svchost.exe
C:\W\system32\spoolsv.exe
C:\W\system32\svchost.exe
C:\W\system32\wscntfy.exe
C:\W\explorer.exe
C:\W\RTHDCPL.EXE
C:\Program Files\JavaCore\JavaCore.exe
C:\W\DOBE~1\cmd.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Cristi.CRISTI-C1582905\Desktop\w3hph.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Cristi.CRISTI-C1582905\Desktop\Cristi.exe

O2 - BHO: (no name) - {007C0568-5EEB-45A1-BE86-10AA7BEAB6BB} - C:\W\system32\nnnoLdcd.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7F8A5D98-E320-43FA-BDE7-DB3D4C7238DE} - C:\W\system32\tuvVNDvw.dll (file missing)
O2 - BHO: (no name) - {88E6C3E6-13D5-41DF-854E-0F2001FDC928} - (no file)
O2 - BHO: {5cde57bc-d711-c2cb-4c44-29494464df59} - {95fd4644-9492-44c4-bc2c-117dcb75edc5} - C:\W\system32\biccwu.dll
O2 - BHO: (no name) - {BCD12850-2080-4D78-AD4D-C1807F8A4D7F} - C:\Documents and Settings\Cristi.CRISTI-C1582905\Local Settings\Temporary Internet Files\Content.IE5\0X63C5YV\3077ahntdksr[1].dll
O2 - BHO: (no name) - {F935D841-7905-4E1F-9F5C-47E6C50BABD0} - C:\W\system32\vtUmLcdd.dll
O2 - BHO: (no name) - {FA8BE6D5-40E0-48B8-B317-18A4A590918A} - C:\W\system32\vtUopqND.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [BM935349dd] Rundll32.exe "C:\W\system32\hmpvxrwp.dll",s
O4 - HKLM\..\Run: [90607a41] rundll32.exe "C:\W\system32\yfevfnpw.dll",b
O4 - HKCU\..\Run: [VodafoneUSBPP.exe] C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe windows
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
O4 - HKCU\..\Run: [Chsr] "C:\W\DOBE~1\cmd.exe" -vt yazb
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\W\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\W\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{23A26924-2A04-480F-A671-90E1950485AF}: NameServer = 212.73.32.3 212.73.32.67
O20 - AppInit_DLLs: biccwu.dll
O20 - Winlogon Notify: nnnoLdcd - C:\W\SYSTEM32\nnnoLdcd.dll
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 4572 bytes

Shaba
2008-08-03, 13:54
Create a folder of its own for Cristi.exe on the desktop and move it into that folder.

After that:

Looking over your log, it seems there is no evidence of any anti-virus software.

Anti-virus software is a program that detects, cleans, and erases harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, and thereby spread infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download free anti-virus software from one of these excellent vendors NOW:

1) Antivir PersonalEdition Classic (http://www.free-av.com/) - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition (http://www.avast.com/eng/avast_4_home.html) - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition (http://free.grisoft.com/ww.homepage) - Free edition of the AVG anti-virus program for Windows.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

Please post back a fresh HijackThis log after that and we'll continue :)

Cristi
2008-08-03, 16:02
Thanks for your help :)

When I open the laptop it does not start explorer.exe and it does not show the icons on the desktop or the start bar, only the desktop picture; I must press CTRL+ALT+DELETE, then New Task, then open "C:\Documents and Settings\Cristi.CRISTI-C1582905\Start Menu\Programs\Accessories\Windows Explorer.lnk" to work normally.

I downloaded Antivir, then scanned and found 127 viruses :sad:, and every 10 seconds it shows a virus in "C:\W\system32\vtUmLcdd.dll". It says that it is the TR/Vundo.fci.3 Trojan; I selected delete but it shows this trojan every 10 seconds.

Sorry for my poor English.

Here is the HJT log, with HJT renamed to Cristi.exe and moved to a folder on the desktop.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:01:04 PM, on 8/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\W\System32\smss.exe
C:\W\system32\winlogon.exe
C:\W\system32\services.exe
C:\W\system32\lsass.exe
C:\W\system32\svchost.exe
C:\W\System32\svchost.exe
C:\W\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\W\system32\svchost.exe
C:\W\system32\wscntfy.exe
C:\W\explorer.exe
C:\W\RTHDCPL.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe
C:\Program Files\JavaCore\JavaCore.exe
c:\program files\avira\antivir personaledition classic\avcenter.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Cristi.CRISTI-C1582905\Desktop\Cristi\Cristi.exe

O2 - BHO: (no name) - {007C0568-5EEB-45A1-BE86-10AA7BEAB6BB} - C:\W\system32\nnnoLdcd.dll
O2 - BHO: (no name) - {289E7B19-E671-4A0B-955B-489706ABECD8} - C:\W\system32\vtUmLcdd.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7F8A5D98-E320-43FA-BDE7-DB3D4C7238DE} - C:\W\system32\tuvVNDvw.dll (file missing)
O2 - BHO: (no name) - {88E6C3E6-13D5-41DF-854E-0F2001FDC928} - (no file)
O2 - BHO: {5cde57bc-d711-c2cb-4c44-29494464df59} - {95fd4644-9492-44c4-bc2c-117dcb75edc5} - C:\W\system32\biccwu.dll
O2 - BHO: (no name) - {BCD12850-2080-4D78-AD4D-C1807F8A4D7F} - C:\Documents and Settings\Cristi.CRISTI-C1582905\Local Settings\Temporary Internet Files\Content.IE5\0X63C5YV\3077ahntdksr[1].dll (file missing)
O2 - BHO: (no name) - {FA8BE6D5-40E0-48B8-B317-18A4A590918A} - C:\W\system32\vtUopqND.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [BM935349dd] Rundll32.exe "C:\W\system32\hmpvxrwp.dll",s
O4 - HKLM\..\Run: [90607a41] rundll32.exe "C:\W\system32\yfevfnpw.dll",b
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [VodafoneUSBPP.exe] C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe windows
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
O4 - HKCU\..\Run: [Chsr] "C:\W\DOBE~1\cmd.exe" -vt yazb
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\W\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\W\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{23A26924-2A04-480F-A671-90E1950485AF}: NameServer = 212.73.32.3 212.73.32.67
O20 - AppInit_DLLs: biccwu.dll
O20 - Winlogon Notify: nnnoLdcd - C:\W\SYSTEM32\nnnoLdcd.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 5243 bytes
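
Added example, not part of the thread and not HijackThis's own logic: a Python script that scores the kinds of entries the logs above contain the way a helper reads them by eye. Nameless BHOs, rundll32 Run values that load a DLL from system32, the AppInit_DLLs value, an unknown Winlogon Notify package, and a system binary (cmd.exe) started from a look-alike folder each add to a per-line score. The scoring thresholds, the short allowlist of Windows XP Winlogon Notify packages and the "random-looking name" rule are assumptions made for this example, not antivirus signatures; the sample lines are copied from the HijackThis logs posted in this thread, legitimate entries included.

```python
"""Heuristic triage of HijackThis log lines for Vundo-style autostart entries.

The thresholds, the Winlogon Notify allowlist and the "random-looking name" rule
are assumptions made for this example, not HijackThis logic or AV signatures."""
import re
from dataclasses import dataclass, field

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(Run|RunOnce): \[[^\]]*\] (?P<cmd>.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
DLL_RE = re.compile(r"\\([A-Za-z]{6,8})\.dll", re.IGNORECASE)

# Assumption: Windows XP's own Winlogon Notify packages (enough for this example).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "scardsvr", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "igfxcui"}
# Core binaries that belong only in %WINDIR%\system32 on XP.
SYSTEM32_ONLY = {"cmd.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "services.exe", "smss.exe"}


@dataclass
class Finding:
    score: int
    line: str
    reasons: list = field(default_factory=list)

    def hit(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def looks_random(stem: str) -> bool:
    """6-8 letters with few vowels or a capital after the first letter (nnnoLdcd, hmpvxrwp)."""
    if not (6 <= len(stem) <= 8 and stem.isalpha()):
        return False
    vowel_ratio = sum(c in "aeiouAEIOU" for c in stem) / len(stem)
    return vowel_ratio < 0.3 or any(c.isupper() for c in stem[1:])


def first_path(cmd: str) -> str:
    """Executable at the start of a Run value: the quoted path, else the first token
    (an unquoted path containing spaces is cut at the first space)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def _random_dlls_in_system32(f: Finding, text: str) -> None:
    if "\\system32\\" in text.lower():
        for m in DLL_RE.finditer(text):
            if looks_random(m.group(1)):
                f.hit(2, f"random-looking DLL name {m.group(1)}.dll in system32")


def triage_line(line: str) -> Finding:
    f = Finding(0, line)
    low = line.lower()
    if m := BHO_RE.match(line):
        name, path = m.group("name"), m.group("path")
        if name == "(no name)":
            f.hit(2, "BHO registered without a name")
        elif GUID_RE.match(name):
            f.hit(2, "BHO name is a GUID")
        if "temporary internet files" in low:
            f.hit(3, "BHO loaded from the browser cache")
        if "(file missing)" in low or path == "(no file)":
            f.hit(1, "orphaned BHO CLSID, file already gone")
        _random_dlls_in_system32(f, path)
    elif m := RUN_RE.match(line):
        exe = first_path(m.group("cmd"))
        base = exe.rsplit("\\", 1)[-1].lower()
        if base == "rundll32.exe" and "\\system32\\" in low:
            f.hit(2, "rundll32 autostart loading a DLL from system32")
        if base in SYSTEM32_ONLY and "\\system32\\" not in exe.lower():
            f.hit(3, f"{base} started from outside system32: {exe}")
        _random_dlls_in_system32(f, m.group("cmd"))
    elif m := APPINIT_RE.match(line):
        f.hit(3, "AppInit_DLLs: injected into every process that loads user32.dll")
        for dll in m.group("dlls").replace(",", " ").split():
            if looks_random(dll.rsplit(".", 1)[0]):
                f.hit(2, f"random-looking DLL name {dll}")
    elif m := NOTIFY_RE.match(line):
        if m.group("name").lower() not in KNOWN_NOTIFY:
            f.hit(2, "unknown Winlogon Notify package (runs as SYSTEM at logon)")
        _random_dlls_in_system32(f, m.group("path"))
    return f


def triage(log_text: str) -> list:
    """Findings with a non-zero score, highest first."""
    findings = [triage_line(l.strip()) for l in log_text.splitlines() if l.strip()]
    return sorted((f for f in findings if f.score), key=lambda f: -f.score)


# Lines copied from the HijackThis logs in this thread, legitimate ones included
# so the heuristics can be seen leaving them alone.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {007C0568-5EEB-45A1-BE86-10AA7BEAB6BB} - C:\W\system32\nnnoLdcd.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: {5cde57bc-d711-c2cb-4c44-29494464df59} - {95fd4644-9492-44c4-bc2c-117dcb75edc5} - C:\W\system32\biccwu.dll
O2 - BHO: (no name) - {BCD12850-2080-4D78-AD4D-C1807F8A4D7F} - C:\Documents and Settings\Cristi.CRISTI-C1582905\Local Settings\Temporary Internet Files\Content.IE5\0X63C5YV\3077ahntdksr[1].dll (file missing)
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [BM935349dd] Rundll32.exe "C:\W\system32\hmpvxrwp.dll",s
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Chsr] "C:\W\DOBE~1\cmd.exe" -vt yazb
O20 - AppInit_DLLs: biccwu.dll
O20 - Winlogon Notify: nnnoLdcd - C:\W\SYSTEM32\nnnoLdcd.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.score}] {f.line}")
        for why in f.reasons:
            print("     -", why)
```

Run it and the seven malicious lines come out first, the cache-loaded BHO at the top, while the Spybot, Java, DAEMON Tools and Avira entries score zero. The scores are only a reading aid: a helper still confirms each file before asking for it to be removed, and a random-looking name is only suggestive, since some legitimate driver-vendor DLLs would trip the vowel rule too.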

Shaba
2008-08-03, 16:44
We will begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:


Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

Cristi
2008-08-03, 17:33
Combofix

ComboFix 08-08-02.01 - Cristi 2008-08-03 17:12:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.567 [GMT 2:00]
Running from: C:\Documents and Settings\Cristi.CRISTI-C1582905\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Cristi.CRISTI-C1582905\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Cristi.CRISTI-C1582905\Local Settings\Temporary Internet Files\bestwiner.stt
C:\Documents and Settings\Cristi.CRISTI-C1582905\Local Settings\Temporary Internet Files\CPV.stt
C:\Program Files\JavaCore
C:\Program Files\JavaCore\JavaCore.exe
C:\Program Files\JavaCore\UnInstall.exe
C:\Program Files\Spcron
C:\Program Files\Spcron\Spc.dll
C:\Program Files\Temporary
C:\W\BM935349dd.txt
C:\W\BM935349dd.xml
C:\W\cookies.ini
C:\W\dobe~1
C:\W\dobe~1\?dobe\
C:\W\pskt.ini
C:\W\system32\axngzo.dll
C:\W\system32\bhnpscsy.ini
C:\W\system32\biccwu.dll
C:\W\system32\cmslhnkf.ini
C:\W\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\W\system32\ddcLmUtv.ini
C:\W\system32\ddcLmUtv.ini2
C:\W\system32\dobe~1
C:\W\system32\dobe~1\?dobe\
C:\W\system32\dpyyfvng.ini
C:\W\system32\ftnuqhcj.dll
C:\W\system32\ganqmnud.ini
C:\W\system32\gmjglvqo.ini
C:\W\system32\gsbgqpwwfw.sys
C:\W\system32\hjtjvfhl.dll
C:\W\system32\hllmixhh.ini
C:\W\system32\hmpvxrwp.dll
C:\W\system32\huvjfy.dll
C:\W\system32\imdrgute.dll
C:\W\system32\ivkmqosu.ini
C:\W\system32\jchquntf.ini
C:\W\system32\jcnjfrja.ini
C:\W\system32\jklpnlri.ini
C:\W\system32\jrskggut.ini
C:\W\system32\jxbrxnys.ini
C:\W\system32\jyhgdfih.dll
C:\W\system32\kvmlrbak.ini
C:\W\system32\lhfvjtjh.ini
C:\W\system32\lqrnqikt.ini
C:\W\system32\mcrh.tmp
C:\W\system32\meujoenj.dll
C:\W\system32\mkfikcgb.ini
C:\W\system32\mlyjya.dll
C:\W\system32\moxhrspf.ini
C:\W\system32\mpmevjol.dll
C:\W\system32\muubjm.dll
C:\W\system32\mvkxpedm.ini
C:\W\system32\mwsvrfnl.ini
C:\W\system32\nikuftrg.ini
C:\W\system32\nnnoLdcd.dll
C:\W\system32\qdxhxwxg.ini
C:\W\system32\qesyer.dll
C:\W\system32\qfetdwek.dll
C:\W\system32\qgqxjdwi.ini
C:\W\system32\qkamoqqd.dll
C:\W\system32\reuegihm.dll
C:\W\system32\rtyqwcut.dll
C:\W\system32\scurit~1
C:\W\system32\sgwadjpy.dll
C:\W\system32\synxrbxj.dll
C:\W\system32\tuggksrj.dll
C:\W\system32\ubhxicpt.ini
C:\W\system32\vtUmLcdd.dll
C:\W\system32\wmroaucq.ini
C:\W\system32\wpnfvefy.ini
C:\W\system32\wvDNVvut.ini
C:\W\system32\wvDNVvut.ini2
C:\W\system32\xxsomksv.ini
C:\W\system32\yarogmjx.dll
C:\W\system32\yfevfnpw.dll
C:\W\system32\ypjdawgs.ini
C:\W\system32\yyjlad.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gsbgqpwwfw


((((((((((((((((((((((((( Files Created from 2008-07-03 to 2008-08-03 )))))))))))))))))))))))))))))))
.

2008-08-03 14:27 . 2008-08-03 14:27 <DIR> d-------- C:\Program Files\Avira
2008-08-03 14:27 . 2008-08-03 14:27 <DIR> d-------- C:\Documents and Settings\All Users.W\Application Data\Avira
2008-07-31 16:53 . 2008-07-31 16:53 <DIR> d-------- C:\Program Files\Common Files\MainConcept
2008-07-31 16:53 . 2008-07-31 16:53 <DIR> d-------- C:\Documents and Settings\Cristi.CRISTI-C1582905\.SimpleCenter
2008-07-31 16:41 . 2008-07-31 16:41 <DIR> d-------- C:\Documents and Settings\Cristi.CRISTI-C1582905\Application Data\AdobeUM
2008-07-31 16:35 . 2008-07-31 16:35 <DIR> d-------- C:\Program Files\SimpleCenter
2008-07-31 16:35 . 2008-07-31 16:35 <DIR> d-------- C:\Program Files\Common Files\i4j_jres
2008-07-31 16:25 . 2008-07-31 16:28 <DIR> d-------- C:\Documents and Settings\Cristi.CRISTI-C1582905\Application Data\Nokia Multimedia Player
2008-07-31 16:23 . 2008-07-31 16:40 <DIR> d--hs---- C:\Documents and Settings\Cristi.CRISTI-C1582905\Phone Browser
2008-07-29 21:27 . 2008-07-29 21:27 <DIR> d-------- C:\Program Files\Xvid
2008-07-29 21:27 . 2008-04-27 10:33 765,952 --a------ C:\W\system32\xvidcore.dll
2008-07-29 21:27 . 2008-04-27 10:35 180,224 --a------ C:\W\system32\xvidvfw.dll
2008-07-29 21:27 . 2007-06-28 18:55 77,824 --a------ C:\W\system32\xvid.ax
2008-07-29 19:16 . 2008-07-29 19:16 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-07-29 19:05 . 2008-07-29 19:05 <DIR> d-------- C:\W\Sun
2008-07-27 15:56 . 2008-07-27 15:56 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-07-27 15:56 . 2007-02-22 10:15 137,216 --a------ C:\W\system32\drivers\nmwcd.sys
2008-07-27 15:56 . 2007-02-22 10:15 65,536 --a------ C:\W\system32\nmwcdcocls.dll
2008-07-27 15:56 . 2007-02-22 10:15 12,288 --a------ C:\W\system32\drivers\nmwcdcm.sys
2008-07-27 15:56 . 2007-02-22 10:15 12,288 --a------ C:\W\system32\drivers\nmwcdcj.sys
2008-07-27 15:56 . 2007-02-22 10:15 8,320 --a------ C:\W\system32\drivers\nmwcdc.sys
2008-07-27 15:54 . 2008-07-27 16:41 <DIR> d-------- C:\Documents and Settings\All Users.W\Application Data\Installations
2008-07-26 17:26 . 2008-06-10 02:32 73,728 --a------ C:\W\system32\javacpl.cpl
2008-07-26 17:25 . 2008-07-26 17:26 <DIR> d-------- C:\Program Files\Java
2008-07-26 17:25 . 2008-07-26 17:25 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-26 16:53 . 2008-07-26 16:53 <DIR> d-------- C:\W\SxsCaPendDel
2008-07-25 20:22 . 2008-07-27 15:57 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-07-25 20:22 . 2008-07-25 20:22 <DIR> d-------- C:\Documents and Settings\All Users.W\Application Data\Nokia
2008-07-25 20:20 . 2008-07-31 16:24 <DIR> d-------- C:\Documents and Settings\Cristi.CRISTI-C1582905\Application Data\Nokia
2008-07-25 20:20 . 2008-07-25 20:26 <DIR> d-------- C:\Documents and Settings\All Users.W\Application Data\PC Suite
2008-07-25 20:18 . 2008-07-27 15:59 <DIR> d-------- C:\Program Files\DIFX
2008-07-25 20:18 . 2008-07-27 15:57 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-07-25 20:18 . 2008-07-27 16:06 <DIR> d-------- C:\Documents and Settings\Cristi.CRISTI-C1582905\Application Data\PC Suite
2008-07-25 20:17 . 2008-07-27 15:57 <DIR> d-------- C:\Program Files\Nokia
2008-07-25 20:17 . 2007-02-22 10:15 90,624 --a------ C:\W\system32\nmwcdcls.dll
2008-07-25 18:42 . 2008-07-25 18:42 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-24 12:14 . 2008-07-24 12:18 139,264 --a------ C:\W\War3Unin.exe
2008-07-24 12:14 . 2008-07-24 13:00 68,979 --a------ C:\W\War3Unin.dat
2008-07-24 12:14 . 2008-07-24 12:18 2,829 --a------ C:\W\War3Unin.pif
2008-07-09 17:43 . 2008-07-09 17:43 <DIR> d-------- C:\Documents and Settings\All Users.W\Application Data\Yahoo!
2008-07-09 17:42 . 2008-07-09 18:13 <DIR> d-------- C:\Program Files\Yahoo!
2008-07-08 17:45 . 2008-07-08 17:45 <DIR> d-------- C:\Documents and Settings\Cristi.CRISTI-C1582905\Application Data\MSNInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-02 08:08 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-25 16:44 --------- d-----w C:\Documents and Settings\All Users.W\Application Data\Spybot - Search & Destroy
2008-06-16 17:04 --------- d-----w C:\Program Files\WinPcap
2008-06-03 17:46 --------- d-----w C:\Documents and Settings\Cristi.CRISTI-C1582905\Application Data\Winamp
2008-06-03 17:45 --------- d-----w C:\Program Files\Winamp
2008-05-19 16:01 21,840 ----atw C:\W\system32\SIntfNT.dll
2008-05-19 16:01 17,212 ----atw C:\W\system32\SIntf32.dll
2008-05-19 16:01 12,067 ----atw C:\W\system32\SIntf16.dll
2008-05-15 10:57 315,392 ----a-w C:\W\HideWin.exe
2006-11-02 12:48 174 --sh--w C:\Program Files\desktop.ini
.

------- Sigcheck -------

2007-02-18 23:39 360704 9941382a1c2289f5fb4c87d0daacc21c C:\W\$NtUninstallKB941644$\tcpip.sys
2008-05-19 08:55 360832 ce3ec03c9f65302e44af5c452d20a86f C:\W\system32\dllcache\TCPIP.SYS
2008-05-19 08:55 360832 ce3ec03c9f65302e44af5c452d20a86f C:\W\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VodafoneUSBPP.exe"="C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe" [2007-03-03 17:49 954368]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2007-02-18 21:41 1694208]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 17:43 4670704]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2007-12-10 10:12 695808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-11-09 00:00 128920]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 14:28 266497]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 09:28 16126464 C:\W\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=biccwu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-07-14 15:09 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2008-03-17 07:05 159744 C:\W\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2008-03-17 07:05 135168 C:\W\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSLauncher]
--a------ 2007-05-09 08:57 3084288 C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2008-03-17 07:05 131072 C:\W\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sclauncher]
--a------ 2007-01-30 11:41 94208 C:\Program Files\SimpleCenter\bin\win\sclauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-04-01 20:49 36352 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2005-05-03 12:43 69632 C:\W\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

S3 NPF;NetGroup Packet Filter Driver;C:\W\system32\drivers\npf.sys [2007-11-06 22:22]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{397a75f4-3eb5-11dd-87b1-cab105524245}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eb034041-2280-11dd-b3d6-806d6172696f}]
\Shell\AutoRun\command - E:\AutoRun.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{7F8A5D98-E320-43FA-BDE7-DB3D4C7238DE} - C:\W\system32\tuvVNDvw.dll
BHO-{BCD12850-2080-4D78-AD4D-C1807F8A4D7F} - C:\Documents and Settings\Cristi.CRISTI-C1582905\Local Settings\Temporary Internet Files\Content.IE5\0X63C5YV\3077ahntdksr[1].dll
HKCU-Run-Chsr - C:\W\DOBE~1\cmd.exe
HKLM-Run-BM935349dd - C:\W\system32\hmpvxrwp.dll
HKLM-Run-90607a41 - C:\W\system32\yfevfnpw.dll
MSConfigStartUp-90607a41 - C:\W\system32\sgwadjpy.dll
MSConfigStartUp-BM935349dd - C:\W\system32\yarogmjx.dll
MSConfigStartUp-Steam - C:\Program Files\Steam\Steam.exe
MSConfigStartUp-Svconr - C:\Program Files\Svconr\Svconr.exe
MSConfigStartUp-userinit - C:\W\system32\ntos.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Cristi.CRISTI-C1582905\Application Data\Mozilla\Firefox\Profiles\fzwohwse.default\


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-03 17:23:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\W\explorer.exe [1512] 0x863FFB10

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\W\system32\wscntfy.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
.
**************************************************************************
.
Completion time: 2008-08-03 17:28:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-03 15:28:29

Pre-Run: 55,194,734,592 bytes free
Post-Run: 55,084,552,192 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\W
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\W="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

256 --- E O F --- 2008-05-17 00:04:31

HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:31:49 PM, on 8/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\W\System32\smss.exe
C:\W\system32\winlogon.exe
C:\W\system32\services.exe
C:\W\system32\lsass.exe
C:\W\system32\svchost.exe
C:\W\System32\svchost.exe
C:\W\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\W\system32\svchost.exe
C:\W\RTHDCPL.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\W\system32\wscntfy.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\W\explorer.exe
C:\W\system32\notepad.exe
c:\program files\avira\antivir personaledition classic\avcenter.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe
C:\Documents and Settings\Cristi.CRISTI-C1582905\Desktop\Cristi\Cristi.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [VodafoneUSBPP.exe] C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe windows
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\W\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\W\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{23A26924-2A04-480F-A671-90E1950485AF}: NameServer = 212.73.32.3 212.73.32.67
O20 - AppInit_DLLs: biccwu.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 4425 bytes

Shaba
2008-08-03, 17:43
Looks much better :)

* Download GMER from here (http://www.gmer.net/gmer.zip):
Unzip it and start GMER.exe
Click the rootkit-tab and click scan.

Once done, click the Copy button.
This will copy the results to clipboard.
Paste the results in your next reply.

Cristi
2008-08-03, 18:03
Thank you very much, the computer feels like new :cool:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-08-03 18:02:06
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT sptd.sys ZwCreateKey [0xF73EEAC8]
SSDT sptd.sys ZwEnumerateKey [0xF73EEC22]
SSDT sptd.sys ZwEnumerateValueKey [0xF73EEF9A]
SSDT sptd.sys ZwOpenKey [0xF73EE98E]
SSDT sptd.sys ZwQueryKey [0xF73EF064]
SSDT sptd.sys ZwQueryValueKey [0xF73EEEFC]
SSDT sptd.sys ZwSetValueKey [0xF73EF0EC]

---- Kernel code sections - GMER 1.0.14 ----

? C:\W\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
? C:\W\System32\Drivers\SPTD7453.SYS The process cannot access the file because it is being used by another process.
? Combo-Fix.sys The system cannot find the file specified. !
.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 F69F94F0 16 Bytes [ BC, 78, 1E, C9, 5F, 8D, 25, ... ]
.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 + 11 F69F9501 31 Bytes [ 80, 9F, F6, 18, EC, 6A, 32, ... ]
? C:\W\System32\Drivers\dtscsi.sys The process cannot access the file because it is being used by another process.
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\W\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe[1264] USER32.dll!GetSysColor 7E418E68 5 Bytes JMP 10021170 C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe[1264] USER32.dll!GetSysColorBrush 7E418E9B 5 Bytes JMP 100211E0 C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe[1264] USER32.dll!SetScrollInfo 7E419046 7 Bytes JMP 10021060 C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe[1264] USER32.dll!GetScrollInfo 7E4217D8 7 Bytes JMP 10020FB0 C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe[1264] USER32.dll!ShowScrollBar 7E42F2E7 5 Bytes JMP 10021130 C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe[1264] USER32.dll!GetScrollPos 7E42F6F4 5 Bytes JMP 10020FF0 C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe[1264] USER32.dll!SetScrollPos 7E42F740 5 Bytes JMP 100210A0 C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe[1264] USER32.dll!GetScrollRange 7E42F777 5 Bytes JMP 10021020 C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe[1264] USER32.dll!SetScrollRange 7E42F98B 5 Bytes JMP 100210E0 C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
.text C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe[1264] USER32.dll!EnableScrollBar 7E467F55 7 Bytes JMP 10020F70 C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F73EAAD2] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F73EAC0E] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F73EAB96] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F73EB76C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F73EB642] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F740D056] sptd.sys

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\W\explorer.exe[3844] @ C:\W\explorer.exe [KERNEL32.dll!GetProcAddress] [5CB77774] C:\W\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\W\explorer.exe[3844] @ C:\W\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\W\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\W\explorer.exe[3844] @ C:\W\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\W\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\W\explorer.exe[3844] @ C:\W\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\W\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\W\explorer.exe[3844] @ C:\W\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\W\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\W\explorer.exe[3844] @ C:\W\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\W\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\W\explorer.exe[3844] @ C:\W\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\W\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\W\explorer.exe[3844] @ C:\W\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\W\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\W\explorer.exe[3844] @ C:\W\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\W\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\W\explorer.exe[3844] @ C:\W\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\W\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\W\explorer.exe[3844] @ C:\W\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\W\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\W\explorer.exe[3844] @ C:\W\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\W\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\W\explorer.exe[3844] @ C:\W\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\W\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\W\explorer.exe[3844] @ C:\W\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\W\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\W\explorer.exe[3844] @ C:\W\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\W\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\W\explorer.exe[3844] @ C:\W\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\W\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 865C75D0
Device \Driver\00000056 \Device\00000047 sptd.sys
Device \Driver\00000056 \Device\00000047 sptd.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 865C7C78
Device \Driver\Cdrom \Device\CdRom0 863BC6B8
Device \FileSystem\Rdbss \Device\FsWrap 861C40E8
Device \Driver\Cdrom \Device\CdRom1 863BC6B8
Device \Driver\Cdrom \Device\CdRom2 863BC6B8
Device \Driver\Cdrom \Device\CdRom3 863BC6B8
Device \Driver\Cdrom \Device\CdRom4 863BC6B8
Device \Driver\NetBT \Device\NetBt_Wins_Export 863A54F0
Device \Driver\NetBT \Device\NetbiosSmb 863A54F0
Device \Driver\usbstor \Device\00000094 86376280
Device \Driver\NetBT \Device\NetBT_Tcpip_{23A26924-2A04-480F-A671-90E1950485AF} 863A54F0
Device \Driver\usbstor \Device\00000096 86376280
Device \Driver\Disk \Device\Harddisk0\DR0 865C7808
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 861BD0E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 861BD0E8
Device \FileSystem\Npfs \Device\NamedPipe 861FB0E8
Device \Driver\Ftdisk \Device\FtControl 865C7C78
Device \FileSystem\Msfs \Device\Mailslot 862050E8
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target1Lun0 862EB9B0
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 862EB9B0
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target2Lun0 862EB9B0
Device \Driver\dtscsi \Device\Scsi\dtscsi1 862EB9B0
Device \FileSystem\Cdfs \Cdfs 861B60E8

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s0 49410658
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 1983241070
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 191877387
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x3D 0x3C 0x98 0x49 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x8F 0xEF 0xF7 0x07 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x77 0x88 0x89 0xFE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x17 0xA9 0x5B 0xB7 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0jf42@khjeh 0xDF 0xE2 0xE4 0x82 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x3D 0x3C 0x98 0x49 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x8F 0xEF 0xF7 0x07 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x77 0x88 0x89 0xFE ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x17 0xA9 0x5B 0xB7 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0jf42
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0jf42@khjeh 0xDF 0xE2 0xE4 0x82 ...

---- EOF - GMER 1.0.14 ----

Shaba
2008-08-03, 18:06
OK, that seemed to be a catchme bug.

Still problems with explorer.exe?

Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- Spyware, Adware, Dialers, and other potentially dangerous programs
- Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.

Cristi
2008-08-03, 20:40
No, no more explorer.exe problems or Virtumonde.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, August 3, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, August 03, 2008 17:03:02
Records in database: 1048675
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Files scanned: 67415
Threat name: 14
Infected objects: 21
Suspicious objects: 0
Duration of the scan: 01:29:47


File name / Threat name / Threats count
C:\Downloads2\eMule\Incoming\Download Rosetta Stone v3 spain Faster with BitTorrent downloader.zip Infected: Trojan.Win32.Obfuscated.iwf 1
C:\Program Files\DAEMON Tools\SetupDTSB.exe Infected: not-a-virus:AdTool.Win32.WhenU.a 1
C:\QooBox\Quarantine\C\Program Files\JavaCore\JavaCore.exe.vir Infected: not-a-virus:AdWare.Win32.Insider.c 1
C:\QooBox\Quarantine\C\W\system32\axngzo.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aegv 1
C:\QooBox\Quarantine\C\W\system32\ftnuqhcj.dll.vir Infected: Trojan.Win32.Monder.awi 1
C:\QooBox\Quarantine\C\W\system32\huvjfy.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.cat 1
C:\QooBox\Quarantine\C\W\system32\imdrgute.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aeuc 1
C:\QooBox\Quarantine\C\W\system32\meujoenj.dll.vir Infected: Trojan.Win32.Monder.cbv 1
C:\QooBox\Quarantine\C\W\system32\mpmevjol.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aeuf 1
C:\QooBox\Quarantine\C\W\system32\muubjm.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aeuf 1
C:\QooBox\Quarantine\C\W\system32\nnnoLdcd.dll.vir Infected: Trojan-Downloader.Win32.Agent.xxa 1
C:\QooBox\Quarantine\C\W\system32\qesyer.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aeuc 1
C:\QooBox\Quarantine\C\W\system32\qfetdwek.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aeud 1
C:\QooBox\Quarantine\C\W\system32\qkamoqqd.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aegv 1
C:\QooBox\Quarantine\C\W\system32\rtyqwcut.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.cat 1
C:\QooBox\Quarantine\C\W\system32\synxrbxj.dll.vir Infected: Trojan.Win32.Monder.bbv 1
C:\QooBox\Quarantine\C\W\system32\yarogmjx.dll.vir Infected: Trojan.Win32.Monder.cbv 1
C:\QooBox\Quarantine\C\W\system32\yfevfnpw.dll.vir Infected: Trojan.Win32.Monder.cep 1
C:\QooBox\Quarantine\C\W\system32\yyjlad.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aeud 1
C:\W\b152.exe_old Infected: not-a-virus:AdWare.Win32.Insider.c 1
C:\W\b156.exe_old Infected: not-a-virus:AdWare.Win32.Insider.j 1

The selected area was scanned.

HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:37:47 PM, on 8/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\W\System32\smss.exe
C:\W\system32\winlogon.exe
C:\W\system32\services.exe
C:\W\system32\lsass.exe
C:\W\system32\svchost.exe
C:\W\System32\svchost.exe
C:\W\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\W\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\W\system32\svchost.exe
C:\W\RTHDCPL.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\W\system32\wscntfy.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Deluxe Pacman\Deluxe_Pacman.exe
C:\W\system32\NOTEPAD.EXE
C:\Documents and Settings\Cristi.CRISTI-C1582905\Desktop\Cristi\Cristi.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [VodafoneUSBPP.exe] C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe windows
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\W\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\W\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{23A26924-2A04-480F-A671-90E1950485AF}: NameServer = 212.73.32.3 212.73.32.67
O20 - AppInit_DLLs: biccwu.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 4360 bytes

Shaba
2008-08-03, 20:45
That's nice to hear.

This is the next step.

Open HijackThis, click do a system scan only and checkmark this:

O20 - AppInit_DLLs: biccwu.dll

Close all windows including the browser and press Fix checked.

Reboot

To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.

Post:

- a fresh HijackThis log
- uninstall list
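The HijackThis triage and fix steps above, turned into a small checker (an added example, not code from the thread or from HijackThis itself): it parses the numbered entry lines of an HJT log, flags the entry types that the Virtumonde cleanup in this thread dealt with (O20 AppInit_DLLs, O4 Run keys loading a system32 DLL through rundll32, O2 BHOs living in a temp folder), and diffs a before and after log so the fix can be verified. The two sample logs are constructed from lines seen in this thread, and the heuristics are this example's own, not HijackThis rules.

```python
"""Triage helper for HijackThis (HJT) logs.

Constructed example: the flagging rules below are heuristics written for this
example, not anything HijackThis does itself. They cover the entry types that
the Virtumonde cleanup in the thread removed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Matches entry lines such as "O20 - AppInit_DLLs: biccwu.dll" or "R1 - HKLM\...".
# Process listings, headers and the "End of file" footer do not match.
HJT_LINE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")


@dataclass(frozen=True)
class Entry:
    code: str  # section code, e.g. O4, O20
    body: str  # remainder of the line after "<code> - "

    @property
    def line(self) -> str:
        return f"{self.code} - {self.body}"


def parse_hjt(text: str) -> list[Entry]:
    """Return the numbered entry lines of an HJT log, in log order."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append(Entry(m["code"], m["body"]))
    return entries


def suspicious_reasons(entry: Entry) -> list[str]:
    """Heuristic reasons an entry deserves a closer look (empty list if none)."""
    low = entry.body.lower()
    reasons = []
    if entry.code == "O20" and low.startswith("appinit_dlls:") and low.split(":", 1)[1].strip():
        # AppInit_DLLs is loaded into every process that maps user32.dll;
        # legitimate software almost never needs it, so a non-empty value is notable.
        reasons.append("AppInit_DLLs injects a DLL into every GUI process")
    if entry.code == "O4" and "rundll32" in low and re.search(r"system32\\[a-z]+\.dll", low):
        # Pattern from the thread: Rundll32.exe "C:\W\system32\<random>.dll",s
        reasons.append("Run key loads a DLL through rundll32 from system32")
    if entry.code == "O2" and ("temporary internet files" in low or "\\temp\\" in low):
        # A browser helper object should not live in the browser cache or a temp dir.
        reasons.append("BHO loaded from a temporary folder")
    return reasons


def triage(text: str) -> dict[str, list[str]]:
    """Map each flagged entry line of a log to the reasons it was flagged."""
    flagged = {}
    for entry in parse_hjt(text):
        reasons = suspicious_reasons(entry)
        if reasons:
            flagged[entry.line] = reasons
    return flagged


def removed_entries(before: str, after: str) -> list[str]:
    """Entry lines present in the earlier log but absent from the later one."""
    remaining = {e.line for e in parse_hjt(after)}
    return [e.line for e in parse_hjt(before) if e.line not in remaining]


# Constructed sample logs built from lines that appear in this thread (abridged).
BEFORE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\W\System32\smss.exe

O2 - BHO: (no name) - {BCD12850-2080-4D78-AD4D-C1807F8A4D7F} - C:\Documents and Settings\Cristi.CRISTI-C1582905\Local Settings\Temporary Internet Files\Content.IE5\0X63C5YV\3077ahntdksr[1].dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [BM935349dd] Rundll32.exe "C:\W\system32\djfugpgr.dll",s
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O20 - AppInit_DLLs: biccwu.dll
--
End of file - 4425 bytes
"""

AFTER_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\W\System32\smss.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
--
End of file - 4360 bytes
"""

if __name__ == "__main__":
    for line, reasons in triage(BEFORE_LOG).items():
        print(f"FLAG {line}\n     {'; '.join(reasons)}")
    print("Removed by the fix:")
    for line in removed_entries(BEFORE_LOG, AFTER_LOG):
        print("  ", line)
    print("Still flagged afterwards:", triage(AFTER_LOG) or "none")
```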

Cristi
2008-08-03, 20:54
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Adobe Shockwave Player 11
Adobe® Photoshop® Album Starter Edition 3.0
Avira AntiVir Personal - Free Antivirus
Empire Earth
HijackThis 2.0.2
Home Media Server 4.1.4.0067
Hotfix for Windows XP (KB935448)
Intel(R) Graphics Media Accelerator Driver
Java(TM) 6 Update 7
Mozilla Firefox (2.0.0.16)
MSN
MSVC80_x86
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Nokia Connectivity Cable Driver
Nokia Lifeblog 2.5
Nokia NSeries Application Installer
Nokia NSeries Content Copier
Nokia NSeries Multimedia Player
Nokia NSeries Music Manager
Nokia NSeries One Touch Access
Nokia NSeries System Utilities
Nokia PC Suite
Nokia PC Suite
Nokia Software Launcher
Nokia Software Updater
PC Connectivity Solution
Realtek High Definition Audio Driver
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Spybot - Search & Destroy
Texas Instruments PCIxx21/x515/xx12 drivers.
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Vodafone Mobile Connect Modem
Winamp
Windows Driver Package - Nokia Modem (08/03/2007 6.84.0.2)
Windows Driver Package - Nokia Modem (10/12/2007 3.6)
WinPcap 4.0.2
WinRAR archiver
Xvid 1.1.3 final uninstall
Yahoo! Messenger

HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:53:45 PM, on 8/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\W\System32\smss.exe
C:\W\system32\winlogon.exe
C:\W\system32\services.exe
C:\W\system32\lsass.exe
C:\W\system32\svchost.exe
C:\W\System32\svchost.exe
C:\W\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\W\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\W\system32\svchost.exe
C:\W\RTHDCPL.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\W\system32\wscntfy.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\W\system32\wuauclt.exe
C:\W\system32\notepad.exe
C:\Documents and Settings\Cristi.CRISTI-C1582905\Desktop\Cristi\Cristi.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [VodafoneUSBPP.exe] C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe windows
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\W\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\W\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{23A26924-2A04-480F-A671-90E1950485AF}: NameServer = 212.73.32.3 212.73.32.67
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 4319 bytes

Shaba
2008-08-03, 21:03
Empty this folder:

C:\QooBox\Quarantine

Delete these:

C:\W\b152.exe_old
C:\W\b156.exe_old
C:\Downloads2\eMule\Incoming\Download Rosetta Stone v3 spain Faster with BitTorrent downloader.zip
C:\Program Files\DAEMON Tools\SetupDTSB.exe

Empty Recycle Bin.

Still problems?

Cristi
2008-08-03, 21:08
Done.
No problems.

Shaba
2008-08-03, 21:23
Then you're clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) Comodo (http://www.personalfirewall.comodo.com/) (Uncheck during installation "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage")
2) Online Armor (http://www.tallemu.com/online_armor_free.html)
3) Sunbelt/Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)
4) Agnitum (http://www.agnitum.com/products/outpostfree/download.php)
5) ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za) (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Now let's uninstall ComboFix:

Click START then RUN
Now type Combofix /u in the runbox and click OK

Next we remove all used tools.

Please download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe) and save it to desktop.

Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes; if not, delete it yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)


Re-enable system restore with instructions from tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee. A tutorial on installing & using this product can be found below:

Malwarebytes' Anti-Malware Setup Guide (http://bfccomputers.com/index.php?showtopic=1644)

Malwarebytes' Anti-Malware Scanning Guide (http://bfccomputers.com/index.php?showtopic=1645)


Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein: So How Did I Get Infected In The First Place (http://castlecops.com/postlite7736-.html)

Happy surfing and stay clean! :bigthumb:
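An added PowerShell check for the Internet Explorer "Custom Level" settings the post above walks through; it is not part of this thread or of any tool named in it. It reads the per-user Internet zone key and reports each setting as OK or WEAK against the recommended Prompt/Disable values, and the mapping from each setting name to its numeric URL action ID is my assumption based on Microsoft's documented zone action values.

```powershell
# Added audit script (not from the thread). Checks the Internet zone (zone 3) URL actions
# that the post changes through Tools > Options > Security > Custom Level.
# Assumption: action IDs follow Microsoft's documented URL action values; 0=Enable, 1=Prompt, 3=Disable.
param([switch]$Fix)   # pass -Fix to write the recommended values instead of only reporting

$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$labels   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Recommended values from the post, keyed by URL action ID (assumed mapping)
$wanted = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Value = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Value = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Value = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                             Value = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Value = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Value = 1 }
}

$zone = Get-ItemProperty -Path $zonePath -ErrorAction Stop

foreach ($id in ($wanted.Keys | Sort-Object)) {
    $setting = $wanted[$id]
    $current = $zone.$id
    if ($current -eq $null) {
        # No per-user value: IE falls back to the machine default under HKLM, so report it as unset
        $state = 'not set (HKLM default applies)'
    } else {
        $state = $labels[[int]$current]
        if ($state -eq $null) { $state = "unknown ($current)" }
    }
    $ok   = ($current -ne $null) -and ([int]$current -eq $setting.Value)
    $mark = if ($ok) { 'OK  ' } else { 'WEAK' }
    "{0} {1,-60} current={2} wanted={3}" -f $mark, $setting.Name, $state, $labels[$setting.Value]
    if (-not $ok -and $Fix) {
        # Write the DWORD IE reads for this action; takes effect for new IE sessions
        Set-ItemProperty -Path $zonePath -Name $id -Value $setting.Value -Type DWord
    }
}
```

Values pushed by Group Policy live under a separate Policies key and override what this script reads, so a managed machine may show OK here yet behave differently.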

Cristi
2008-08-03, 21:30
Thank you very much for your effort and help! :angel:

Shaba
2008-08-05, 15:09
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.