Virtumonde
Eversharpe
2008-08-13, 03:53
Ran S&D in every mode possible and it always comes up with Virtumonde; some help would be truly appreciated.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:40:14 PM, on 8/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Tools\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [4cf2ef28] rundll32.exe "C:\WINDOWS\system32\yttxwysj.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [17613318310290687592816982818091] C:\Program Files\AV9\av2009.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {07BC6C45-2189-4760-AC59-03BDCC051481} (ImportCtl Class) - http://www.wayn.com/activex/WAYNImportOutlook.cab
O16 - DPF: {083DB4B1-8108-42E3-AC45-A042C1631CA3} (ImportCtl Class) - http://www.wayn.com/activex/WAYNImportOE.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198887244909
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://lolais16forever.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Tools\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
pskelley
2008-08-15, 00:31
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
This one can be tough, keep the computer offline so the junk cannot download more except when troubleshooting the problem.
You have a rogue program onboard also:
http://www.prevx.com/filenames/X247819073405186550-X1/AV2009.EXE.html
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
Remove any old copies of combofix before you proceed.
Thanks to sUBs and anyone else who helped with this fix.
It is important that it is saved directly to your Desktop.
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Post the combofix log and a new HJT log.
Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Thanks
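The first HijackThis log above carries the two O4 entries this thread goes on to remove: the hex-named HKLM Run value that loads yttxwysj.dll through rundll32 with a one-letter export, and the 32-digit HKCU Run value that launches AV2009, which pskelley identifies as rogue. The following is an added example, not code from the thread, HijackThis or ComboFix; it encodes those two checks as a triage over O4 lines so that vendor entries such as NvMcTray.dll,NvTaskbarInit are left alone. The regexes and thresholds are heuristics chosen for this example.

```python
"""Triage HijackThis O4 (Run-key autostart) lines for the indicators seen in this thread.

Added example, not code from the thread, HijackThis or ComboFix. It encodes what the
helper checks by eye in the first log:
  * a Run value whose *name* is random hex (4cf2ef28; ComboFix also lists BM4fc1dcb4)
    or a long digit string (the 32-digit name that launches AV2009), and
  * a rundll32 command that loads a random-named DLL out of system32 with a
    one-letter export (",b"), the Vundo/Virtumonde loader pattern.
Vendor entries such as NvMcTray.dll,NvTaskbarInit must not be flagged.
"""
import re

# O4 - HKLM\..\Run: [name] command      (Global Startup lines are ignored)
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
HEX_NAME_RE = re.compile(r"^(?:BM)?[0-9a-f]{8}$")      # 4cf2ef28, BM4fc1dcb4
DIGIT_NAME_RE = re.compile(r"^\d{16,}$")                # 17613318310290687592816982818091
# rundll32[.exe] ["]<path>.dll["][,<export>]
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<path>[^",]+\.dll)"?(?:,(?P<export>\S*))?', re.I)
# heuristic: all-lowercase 6-8 letter base name; mixed case (NvMcTray) is treated as vendor-named
RANDOM_DLL_RE = re.compile(r"^[a-z]{6,8}\.dll$")


def parse_o4(line):
    """Split an O4 Run-key line into (hive, name, command); None for other O4 forms."""
    m = O4_RE.match(line.strip())
    return (m.group("hive"), m.group("name"), m.group("cmd")) if m else None


def triage_o4(line):
    """Return the list of reasons an O4 line looks suspicious (empty if none)."""
    parsed = parse_o4(line)
    if parsed is None:
        return []
    _hive, name, cmd = parsed
    reasons = []
    if HEX_NAME_RE.match(name):
        reasons.append("random hex value name")
    elif DIGIT_NAME_RE.match(name):
        reasons.append("long numeric value name")
    r = RUNDLL_RE.match(cmd)
    if r:
        path = r.group("path")
        dll = path.replace("/", "\\").rsplit("\\", 1)[-1]
        export = r.group("export") or ""
        if "\\system32\\" in path.lower() and RANDOM_DLL_RE.match(dll) and len(export) <= 1:
            reasons.append("rundll32 loads random-named system32 DLL with one-letter export")
    return reasons


def triage_log(lines):
    """Map each flagged Run value name to its reasons, preserving log order."""
    flagged = {}
    for line in lines:
        reasons = triage_o4(line)
        if reasons:
            flagged[parse_o4(line)[1]] = reasons
    return flagged


# O4 lines quoted from the first HijackThis log in this thread.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [nwiz] nwiz.exe /install",
    r"O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit",
    r'O4 - HKLM\..\Run: [4cf2ef28] rundll32.exe "C:\WINDOWS\system32\yttxwysj.dll",b',
    r"O4 - HKCU\..\Run: [17613318310290687592816982818091] C:\Program Files\AV9\av2009.exe",
    r"O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe",
]

if __name__ == "__main__":
    for name, reasons in triage_log(SAMPLE_O4_LINES).items():
        print(f"[{name}] -> {'; '.join(reasons)}")
```

Run against the full O4 section of a log, the output lists only the entries a helper would want a closer look at; everything else passes silently.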
Eversharpe
2008-08-15, 02:34
I had read the post and ran S&D in safe mode but Virtumonde still came up. Now I wasn't sure if you wanted me to run the Prevx thing or just see info on that file. I can't afford to run it anyway.
ComboFix 08-08-14.01 - Boss 2008-08-14 19:08:06.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.932.81.1033.18.237 [GMT -4:00]
Running from: C:\Documents and Settings\Boss\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Boss\Application Data\macromedia\Flash Player\#SharedObjects\J8NVDJYB\interclick.com
C:\Documents and Settings\Boss\Application Data\macromedia\Flash Player\#SharedObjects\J8NVDJYB\interclick.com\ud.sol
C:\Documents and Settings\Boss\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Boss\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Boss\Cookies.\boss@cleanuptool[1].txt
C:\Documents and Settings\Boss\Cookies.\boss@safepctool[1].txt
C:\Documents and Settings\Boss\Cookies.\boss@slingo[2].txt
C:\Documents and Settings\Boss\Cookies.\boss@slingo[3].txt
C:\Documents and Settings\Boss\Cookies.\boss@trafficmp[2].txt
C:\Documents and Settings\Boss\Cookies.\boss@yahoo[1].txt
C:\WINDOWS\BM4fc1dcb4.txt
C:\WINDOWS\BM4fc1dcb4.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\atokjsnv.dll
C:\WINDOWS\system32\awhkypir.dll
C:\WINDOWS\system32\bbbncabc.exe
C:\WINDOWS\system32\cbXNGaYr.dll
C:\WINDOWS\system32\hntcavmi.exe
C:\WINDOWS\system32\htlwjd.dll
C:\WINDOWS\system32\hviayajq.dll
C:\WINDOWS\system32\jkrnjurl.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\njpnpfhg.dll
C:\WINDOWS\system32\noeeypoa.dll
C:\WINDOWS\system32\qyyela.dll
C:\WINDOWS\system32\rmblug.dll
C:\WINDOWS\system32\rYaGNXbc.ini
C:\WINDOWS\system32\rYaGNXbc.ini2
C:\WINDOWS\system32\tkimclbs.exe
C:\WINDOWS\system32\urqNFvWn.dll
C:\WINDOWS\system32\vuaicdvk.dll
C:\WINDOWS\system32\wkidwkwo.dll
C:\WINDOWS\system32\wxgowy.dll
C:\WINDOWS\system32\xvsoxqxq.dll
.
((((((((((((((((((((((((( Files Created from 2008-07-14 to 2008-08-14 )))))))))))))))))))))))))))))))
.
2008-08-14 18:49 . 2008-08-14 18:49 <DIR> d-------- C:\Program Files\PrevxCSI
2008-08-14 18:49 . 2008-08-14 18:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-08-14 18:49 . 2008-08-14 18:49 17,408 --a------ C:\WINDOWS\system32\drivers\pxark.sys
2008-08-14 06:26 . 2008-08-14 19:08 1,500,947 --ahs---- C:\WINDOWS\system32\ghfpnpjn.ini
2008-08-13 06:29 . 2008-08-14 03:08 1,532,030 --ahs---- C:\WINDOWS\system32\qxqxosvx.ini
2008-08-12 20:39 . 2008-08-12 20:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-12 17:46 . 2008-08-12 18:19 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-12 08:18 . 2008-08-12 14:19 <DIR> d-------- C:\Program Files\AV9
2008-08-12 06:22 . 2008-08-13 06:25 1,531,626 --ahs---- C:\WINDOWS\system32\jsywxtty.ini
2008-08-11 18:15 . 2008-08-12 20:32 145 --a------ C:\WINDOWS\wininit.ini
2008-08-11 06:20 . 2008-08-11 12:09 1,491,051 --ahs---- C:\WINDOWS\system32\vnsjkota.ini
2008-08-09 21:18 . 2008-08-09 21:18 244 --ah----- C:\sqmnoopt03.sqm
2008-08-09 21:18 . 2008-08-09 21:18 232 --ah----- C:\sqmdata03.sqm
2008-07-24 16:56 . 2008-07-24 16:56 244 --ah----- C:\sqmnoopt02.sqm
2008-07-24 16:56 . 2008-07-24 16:56 232 --ah----- C:\sqmdata02.sqm
2008-07-16 14:47 . 2008-07-16 14:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{29504223-5D4F-495C-BAC6-1C6DB2EEF1C8}
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-14 09:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-12 22:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-12 22:59 --------- d-----w C:\Program Files\NewSoft
2008-08-12 22:58 --------- d-----w C:\Program Files\Google
2008-08-12 22:57 --------- d-----w C:\Program Files\Azureus
2008-08-12 22:40 --------- d-----w C:\Program Files\Java
2008-08-11 21:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-28 00:12 --------- d-----w C:\Documents and Settings\Boss\Application Data\Azureus
2008-07-16 18:47 --------- d-----w C:\Program Files\Games
2008-07-10 20:51 --------- d-----w C:\Documents and Settings\Boss\Application Data\dvdcss
2008-06-29 18:59 --------- d-----w C:\Program Files\DivX
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-29 00:53 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"17613318310290687592816982818091"="C:\Program Files\AV9\av2009.exe" [2008-08-12 14:19 1013760]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTStartup"="C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" [2001-12-20 02:00 28672]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-15 18:54 37376]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 01:31 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2002-08-29 08:00 44032]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"WINDVDPatch"="CTHELPER.EXE" [2006-08-11 15:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTHelper"="CTHELPER.EXE" [2006-08-11 15:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 15:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-12-29 00:53:48 125624]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Smart Start UP"=C:\Program Files\NewSoft\Smart Start UP\PnPDetect.exe /Automation
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"UpdReg"=C:\WINDOWS\UpdReg.EXE
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Games\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"C:\\Program Files\\Games\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"C:\\Program Files\\Games\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"C:\\Program Files\\Games\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"C:\\Program Files\\Games\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Capitalism II\\cap2.exe"=
R0 pxark;pxark;C:\WINDOWS\system32\drivers\pxark.sys [2008-08-14 18:49]
R2 CSIScanner;CSIScanner;C:\Program Files\PrevxCSI\prevxcsi.exe [2008-08-14 18:49]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-4cf2ef28 - C:\WINDOWS\system32\njpnpfhg.dll
HKLM-Run-BM4fc1dcb4 - C:\WINDOWS\system32\jkrnjurl.dll
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://my.yahoo.com/
O8 -: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 -: Add to Google Photos Screensa&ver - C:\WINDOWS\system32\GPhotos.scr/200
O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
O16 -: {07BC6C45-2189-4760-AC59-03BDCC051481} - hxxp://www.wayn.com/activex/WAYNImportOutlook.cab
C:\WINDOWS\Downloaded Program Files\WAYNImportOutlook.dll
O16 -: {083DB4B1-8108-42E3-AC45-A042C1631CA3} - hxxp://www.wayn.com/activex/WAYNImportOE.cab
C:\WINDOWS\Downloaded Program Files\WAYNImportOE.dll
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-14 19:22:47
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run???h?????????w??w???????w??w4??????.??w4???????4???TA?s4???????\'7??A~??~????????\??\????????U?A~?A~\??\???????a?????@?\??\????s????\?????s\??@'7?A??s@'7??@?x???`|?w\???@
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\conime.exe
C:\Program Files\Tools\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
.
**************************************************************************
.
Completion time: 2008-08-14 19:30:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-14 23:30:06
Pre-Run: 9,754,333,184 bytes free
Post-Run: 9,809,092,608 bytes free
169 --- E O F --- 2007-12-29 22:21:45
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:32:25 PM, on 8/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Tools\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [17613318310290687592816982818091] C:\Program Files\AV9\av2009.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {07BC6C45-2189-4760-AC59-03BDCC051481} (ImportCtl Class) - http://www.wayn.com/activex/WAYNImportOutlook.cab
O16 - DPF: {083DB4B1-8108-42E3-AC45-A042C1631CA3} (ImportCtl Class) - http://www.wayn.com/activex/WAYNImportOE.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198887244909
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://lolais16forever.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Tools\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 5774 bytes
pskelley
2008-08-15, 02:54
Thanks for returning your information. PrevxCSI is a good program but it will slow your computer. Unless you purchased it, my suggestion would be to uninstall it in Add Remove programs. I posted the link to provide you with information and the rogue program which someone installed on the computer.
Let's proceed carefully like this:
Open notepad and copy/paste the text in the codebox below into it:
File::
C:\WINDOWS\system32\ghfpnpjn.ini
C:\WINDOWS\system32\qxqxosvx.ini
C:\WINDOWS\system32\jsywxtty.ini
C:\WINDOWS\system32\vnsjkota.ini
Folder::
C:\Program Files\AV9
Save this as CFScript
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)
Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the combofix log from CFScript, the log from MBAM and a new HJT log in your next reply. Tell me how the computer is running.
Thanks
Eversharpe
2008-08-15, 23:37
I really want to thank you for your help. So far everything is running well and no pop-ups or slow-downs.
ComboFix 08-08-14.01 - Boss 2008-08-15 14:33:45.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.932.81.1033.18.215 [GMT -4:00]
Running from: C:\Documents and Settings\Boss\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Boss\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\system32\ghfpnpjn.ini
C:\WINDOWS\system32\jsywxtty.ini
C:\WINDOWS\system32\qxqxosvx.ini
C:\WINDOWS\system32\vnsjkota.ini
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Boss\Cookies.\boss@slingo[1].txt
C:\WINDOWS\system32\ghfpnpjn.ini
C:\WINDOWS\system32\jsywxtty.ini
C:\WINDOWS\system32\qxqxosvx.ini
C:\WINDOWS\system32\vnsjkota.ini
.
((((((((((((((((((((((((( Files Created from 2008-07-15 to 2008-08-15 )))))))))))))))))))))))))))))))
.
2008-08-14 18:49 . 2008-08-14 20:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-08-12 20:39 . 2008-08-12 20:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-12 17:46 . 2008-08-12 18:19 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-11 18:15 . 2008-08-12 20:32 145 --a------ C:\WINDOWS\wininit.ini
2008-08-09 21:18 . 2008-08-09 21:18 244 --ah----- C:\sqmnoopt03.sqm
2008-08-09 21:18 . 2008-08-09 21:18 232 --ah----- C:\sqmdata03.sqm
2008-07-24 16:56 . 2008-07-24 16:56 244 --ah----- C:\sqmnoopt02.sqm
2008-07-24 16:56 . 2008-07-24 16:56 232 --ah----- C:\sqmdata02.sqm
2008-07-16 14:47 . 2008-07-16 14:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{29504223-5D4F-495C-BAC6-1C6DB2EEF1C8}
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-15 10:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-12 22:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-12 22:59 --------- d-----w C:\Program Files\NewSoft
2008-08-12 22:58 --------- d-----w C:\Program Files\Google
2008-08-12 22:57 --------- d-----w C:\Program Files\Azureus
2008-08-12 22:40 --------- d-----w C:\Program Files\Java
2008-08-11 21:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-28 00:12 --------- d-----w C:\Documents and Settings\Boss\Application Data\Azureus
2008-07-16 18:47 --------- d-----w C:\Program Files\Games
2008-07-10 20:51 --------- d-----w C:\Documents and Settings\Boss\Application Data\dvdcss
2008-06-29 18:59 --------- d-----w C:\Program Files\DivX
2008-06-09 17:34 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-06-09 17:34 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-05-30 23:22 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-05-30 23:22 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-05-30 23:22 815,104 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
2008-05-30 23:22 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-05-30 23:22 683,520 ----a-w C:\WINDOWS\system32\DivX.dll
2008-05-30 23:22 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-05-30 23:22 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-05-30 23:22 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-05-30 23:22 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-05-30 23:22 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-05-30 23:22 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-05-22 22:22 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-05-22 22:22 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-05-22 22:20 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-05-22 22:20 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-05-22 22:19 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-05-22 22:19 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-05-22 22:19 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-22 22:18 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-29 00:53 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTStartup"="C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" [2001-12-20 02:00 28672]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-15 18:54 37376]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 01:31 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2002-08-29 08:00 44032]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"WINDVDPatch"="CTHELPER.EXE" [2006-08-11 15:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTHelper"="CTHELPER.EXE" [2006-08-11 15:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 15:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-12-29 00:53:48 125624]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Smart Start UP"=C:\Program Files\NewSoft\Smart Start UP\PnPDetect.exe /Automation
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"UpdReg"=C:\WINDOWS\UpdReg.EXE
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Games\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"C:\\Program Files\\Games\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"C:\\Program Files\\Games\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"C:\\Program Files\\Games\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"C:\\Program Files\\Games\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Capitalism II\\cap2.exe"=
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-17613318310290687592816982818091 - C:\Program Files\AV9\av2009.exe
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-15 14:38:40
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-08-15 14:41:12
ComboFix-quarantined-files.txt 2008-08-15 18:40:28
ComboFix2.txt 2008-08-14 23:30:11
Pre-Run: 9,735,999,488 bytes free
Post-Run: 9,774,637,056 bytes free
131 --- E O F --- 2007-12-29 22:21:45
Malwarebytes' Anti-Malware 1.24
Database version: 1054
Windows 5.1.2600 Service Pack 2
4:30:31 PM 8/15/2008
mbam-log-8-15-2008 (16-30-31).txt
Scan type: Full Scan (C:\|)
Objects scanned: 144747
Time elapsed: 1 hour(s), 44 minute(s), 10 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\bbbncabc.exe.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\hntcavmi.exe.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\tkimclbs.exe.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{95938C51-C09F-4586-99CF-CB1CDB035F31}\RP344\A0031918.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{95938C51-C09F-4586-99CF-CB1CDB035F31}\RP344\A0031920.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{95938C51-C09F-4586-99CF-CB1CDB035F31}\RP344\A0031921.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:31:12 PM, on 8/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Tools\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {07BC6C45-2189-4760-AC59-03BDCC051481} (ImportCtl Class) - http://www.wayn.com/activex/WAYNImportOutlook.cab
O16 - DPF: {083DB4B1-8108-42E3-AC45-A042C1631CA3} (ImportCtl Class) - http://www.wayn.com/activex/WAYNImportOE.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198887244909
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://lolais16forever.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Tools\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 5456 bytes
pskelley
2008-08-16, 00:05
Thanks for returning your information and the feedback. Just a bit more before we finish; this is the next bridge we have to cross.
I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional, but if you do not have the CDs needed, as is explained, it can be installed before we remove combofix.
If you do not have access to Recovery Console via a Windows CD, I strongly advise you to install this tool.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\CF-RC.txt.
http://img.photobucket.com/albums/v666/sUBs/RC1-4.gif
Since we do not need to scan with combofix, click NO
http://img.photobucket.com/albums/v666/sUBs/RC_whatnext.gif
http://img.photobucket.com/albums/v666/sUBs/RC_AllDone.gif
Thanks
Eversharpe
2008-08-16, 01:04
Yes, I had noticed, and I've installed it. Here is the log.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
pskelley
2008-08-21, 23:37
I must apologize, I am helping a lot of people and I depend on notifications to tell me when folks post. In your case I was not notified.
We do have a little more to finish. If all is running as it should, remove combofix like this:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
Clean infected System Restore files like this:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
I am not seeing an antivirus program running. If you need a free one, here are three to choose from; install no more than one.
http://free.grisoft.com/ww.download-avg-anti-virus-free-edition
http://www.avast.com/eng/avast_4_home.html
http://www.free-av.com/
If I can do anything else, let me know and once again I am sorry for this delay.
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
http://www.malwarecomplaints.info/
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
http://users.telenet.be/bluepatchy/miekiemoes/Links.html
Eversharpe
2008-08-22, 23:32
It's not a problem, I understand and I want to thank you very much. Everything is working as it should now.
I've run the combofix /u and gone through turning off and on the system restore.
Again, thanks.