Virtumonde Virus Trouble



aounfather
2008-08-18, 20:51
I have the virus and am having issues with browsers and my computer continually going dark on me. Here is my HJT log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:15, on 2009-08-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Softex\OmniPass\scureapp.exe
C:\Program Files\Softex\Weblink\WebLink.exe
C:\Program Files\Softex\OmniPass\Help.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdhmk.exe] C:\WINDOWS\system32\kdhmk.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OmniPass] C:\Program Files\Softex\OmniPass\scureapp.exe
O4 - HKLM\..\Run: [WebLink] C:\Program Files\Softex\Weblink\WebLink.exe /boot
O4 - HKLM\..\Run: [34184758] rundll32.exe "C:\WINDOWS\system32\bmimjjnp.dll",b
O4 - HKLM\..\Run: [BM372b74c4] Rundll32.exe "C:\WINDOWS\system32\fagdupob.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA5825] command /c del "C:\WINDOWS\system32\mlJAqppN.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9729] cmd /c del "C:\WINDOWS\system32\mlJAqppN.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6313] command /c del "C:\WINDOWS\system32\fagdupob.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7601] cmd /c del "C:\WINDOWS\system32\fagdupob.dll_old"
O4 - HKCU\..\Run: [Steam] "D:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [EPSON Stylus CX8400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEA.EXE /FU "C:\WINDOWS\TEMP\E_SA8.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB7167] command /c del "C:\WINDOWS\system32\fagdupob.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9580] cmd /c del "C:\WINDOWS\system32\fagdupob.dll_old"
O4 - HKCU\..\Policies\Explorer\Run: [NT Printing Services] ftps.exe
O4 - HKCU\..\Policies\Explorer\Run: [Windows Security Tool] WinSecure.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15031/CTSUEng.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15035/CTPID.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8778 bytes


Thank You for any help.
Tom

pskelley
2008-08-19, 16:07
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
This can be a tough infection to remove so do not expect fast or easy.

1) We need first to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
* On the left hand side, click on Tools.
* Then click on the Resident icon in the list.
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

2) Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click combofix's window while it's running. That may cause it to stall.

Post the combofix log and a new HJT log.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks

aounfather
2008-08-19, 17:57
Here is the Combofix log.

ComboFix 08-08-18.04 - Aounfather 2009-08-19 9:58:05.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1629 [GMT -4:00]
Running from: C:\Documents and Settings\Aounfather\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini

.
((((((((((((((((((((((((( Files Created from 2009-07-19 to 2009-08-19 )))))))))))))))))))))))))))))))
.

2009-08-19 09:56 . 2009-08-19 09:56 2,048 --a------ C:\WINDOWS\system32\igwxxvqk.exe
2009-08-19 09:53 . 2009-08-19 09:53 107,520 --a------ C:\WINDOWS\system32\qydtpduv.dll
2009-08-19 09:53 . 2009-08-19 09:53 107,520 --a------ C:\WINDOWS\system32\anidnq.dll
2009-08-19 09:51 . 2009-08-19 09:51 93,696 --a------ C:\WINDOWS\system32\pwcimaaf.dll
2009-08-18 13:37 . 2009-08-18 13:37 119,808 --a------ C:\WINDOWS\system32\vhpyaacw.dll
2009-08-18 13:37 . 2009-08-18 13:37 119,808 --a------ C:\WINDOWS\system32\rcswpqkk.dll
2009-08-18 13:34 . 2009-08-18 13:42 1,501,718 ---hs---- C:\WINDOWS\system32\bcvwskpe.ini
2009-08-18 13:34 . 2009-08-18 13:34 84,992 --a------ C:\WINDOWS\system32\epkswvcb.dll
2009-08-18 13:34 . 2009-08-18 13:34 2,048 --a------ C:\WINDOWS\system32\tpcfqgab.exe
2009-08-18 13:31 . 2009-08-18 13:31 106,496 --a------ C:\WINDOWS\system32\vgjwkwsl.dll
2009-08-18 13:31 . 2009-08-18 13:31 106,496 --a------ C:\WINDOWS\system32\ksldaf.dll
2009-08-18 13:30 . 2009-08-18 13:30 119,808 --a------ C:\WINDOWS\system32\ngxlihso.dll
2009-08-18 13:30 . 2009-08-18 13:30 119,808 --a------ C:\WINDOWS\system32\kqaywhqt.dll
2009-08-18 11:15 . 2009-08-18 11:15 119,808 --a------ C:\WINDOWS\system32\vsqktftp.dll
2009-08-18 11:15 . 2009-08-18 11:15 119,808 --a------ C:\WINDOWS\system32\jwpqwech.dll
2009-08-18 11:15 . 2009-08-18 11:15 119,808 --a------ C:\WINDOWS\system32\bswiddww.dll
2009-08-18 11:14 . 2009-08-18 11:14 119,808 --a------ C:\WINDOWS\system32\ueirpnqp.dll
2009-08-18 11:14 . 2009-08-18 11:14 119,808 --a------ C:\WINDOWS\system32\nsreipca.dll
2009-08-18 11:11 . 2009-08-18 11:11 106,496 --a------ C:\WINDOWS\system32\whykgj.dll
2009-08-18 11:11 . 2009-08-18 11:11 106,496 --a------ C:\WINDOWS\system32\agmifmsh.dll
2009-08-18 11:08 . 2009-08-18 11:08 2,048 --a------ C:\WINDOWS\system32\nqckgian.exe
2009-08-18 11:05 . 2009-08-18 11:21 6,403,975 ---hs---- C:\WINDOWS\system32\uwyjpenp.ini
2009-08-18 11:05 . 2009-08-18 11:05 84,992 --a------ C:\WINDOWS\system32\pnepjywu.dll
2009-08-18 11:00 . 2009-08-18 11:00 38,912 --a------ C:\WINDOWS\system32\vtUMFxWp.dll
2009-08-18 11:00 . 2009-08-18 11:00 38,912 --a------ C:\WINDOWS\system32\ddcCRlkH.dll
2009-08-18 11:00 . 2009-08-18 11:00 7,680 --a------ C:\WINDOWS\system32\f14rs.exe
2009-08-18 11:00 . 2009-08-18 11:00 7,680 --a------ C:\WINDOWS\system32\cliconfgs.exe
2009-08-15 23:38 . 2009-08-15 23:38 119,808 --a------ C:\WINDOWS\system32\ifsyvdjv.dll
2009-08-15 23:38 . 2009-08-15 23:38 2,048 --a------ C:\WINDOWS\system32\ememobnx.exe
2009-08-15 23:35 . 2009-08-15 23:35 92,672 --a------ C:\WINDOWS\system32\pybqlrlb.dll
2009-08-15 15:39 . 2009-08-18 11:00 6,405,819 ---hs---- C:\WINDOWS\system32\yimjnqly.ini
2009-08-15 15:36 . 2009-08-15 15:36 2,048 --a------ C:\WINDOWS\system32\dnontbto.exe
2009-08-15 15:33 . 2009-08-15 15:33 107,008 --a------ C:\WINDOWS\system32\pyleuu.dll
2009-08-15 15:33 . 2009-08-15 15:33 107,008 --a------ C:\WINDOWS\system32\dexungsd.dll
2009-08-15 15:30 . 2009-08-15 15:30 39,424 --a------ C:\WINDOWS\system32\rqRIBRlj.dll
2009-08-14 13:15 . 2009-08-14 13:15 <DIR> d-------- C:\Program Files\Trend Micro
2009-08-14 12:19 . 2009-08-14 12:19 2,048 --a------ C:\WINDOWS\system32\vwqalhqa.exe
2009-08-14 12:16 . 2009-08-14 12:16 98,304 --a------ C:\WINDOWS\system32\dopatc.dll
2009-08-14 12:16 . 2009-08-14 12:16 98,304 --a------ C:\WINDOWS\system32\aexifcnh.dll
2009-08-14 12:14 . 2009-08-15 15:30 6,405,519 ---hs---- C:\WINDOWS\system32\pnjjmimb.ini
2009-08-14 12:13 . 2009-08-19 09:58 822,969 --ahs---- C:\WINDOWS\system32\WFMpAyxx.ini2
2009-08-14 12:13 . 2009-08-19 09:58 822,969 --ahs---- C:\WINDOWS\system32\WFMpAyxx.ini
2009-08-14 12:13 . 2009-08-14 12:13 251,392 --a------ C:\WINDOWS\system32\xxyApMFW.dll
2009-08-14 10:45 . 2009-08-14 12:45 2 --a------ C:\Profile.cpf
2009-08-12 23:06 . 2009-08-12 23:06 2,048 --a------ C:\WINDOWS\system32\bjslnyit.exe
2009-08-12 23:04 . 2009-08-12 23:04 <DIR> d-------- C:\Documents and Settings\Aounfather\Application Data\rhc9w4j0eg2r
2009-08-12 23:04 . 2009-08-12 23:10 94,208 --a------ C:\WINDOWS\system32\27.tmp
2009-08-12 23:04 . 2009-08-12 23:09 94,208 --a------ C:\WINDOWS\system32\26.tmp
2009-08-12 23:04 . 2009-08-12 23:04 94,208 --a------ C:\WINDOWS\system32\16.tmp
2009-08-12 23:03 . 2009-08-12 23:03 130,048 --a------ C:\WINDOWS\system32\lphccw4j0eg2r.exe
2009-08-12 23:00 . 2009-08-12 23:00 95,744 --a------ C:\WINDOWS\system32\zwxddm.dll
2009-08-12 23:00 . 2009-08-12 23:00 95,744 --a------ C:\WINDOWS\system32\ttrijihi.dll
2009-08-12 22:57 . 2009-08-14 12:08 5,179,842 ---hs---- C:\WINDOWS\system32\fvcpeujp.ini
2009-08-12 21:18 . 2009-08-12 21:24 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2009-08-12 21:18 . 2009-08-12 21:27 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-08-12 12:20 . 2009-08-12 12:20 <DIR> d-------- C:\Diablo
2009-08-12 12:20 . 2009-08-12 12:20 86,528 --a------ C:\WINDOWS\bnetunin.exe
2009-08-12 12:20 . 2009-08-12 12:20 61,440 --a------ C:\WINDOWS\diabswun.exe
2009-08-12 10:28 . 2009-08-12 10:29 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2009-08-12 10:27 . 2009-08-14 10:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2009-08-12 10:25 . 2009-08-12 10:25 95,744 --a------ C:\WINDOWS\system32\wzvvrg.dll
2009-08-12 10:25 . 2009-08-12 10:25 95,744 --a------ C:\WINDOWS\system32\qxecdtrx.dll
2009-08-12 10:22 . 2009-08-12 22:51 3,960,146 --ahs---- C:\WINDOWS\system32\gvwgtcwi.ini
2009-08-12 10:19 . 2009-08-12 10:19 2,048 --a------ C:\WINDOWS\system32\rvspcjjd.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-19 13:30 --------- d-----w C:\Program Files\Symantec AntiVirus
2009-08-18 17:36 --------- d-----w C:\Program Files\Bonjour
2009-08-18 15:07 --------- d-----w C:\Documents and Settings\Aounfather\Application Data\Apple Computer
2009-08-18 15:00 367,104 ----a-w C:\WINDOWS\system32\ciadvss.exe
2009-08-14 17:08 --------- d-----w C:\Program Files\Ares
2009-08-13 17:52 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2009-08-13 17:51 860,800 --sha-w C:\WINDOWS\system32\orYcefii.ini2
2009-08-12 23:44 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2009-08-12 14:29 --------- d-----w C:\Program Files\Lavasoft
2009-08-12 14:29 --------- d-----w C:\Documents and Settings\Aounfather\Application Data\Lavasoft
2008-07-02 18:20 22,328 ----a-w C:\Documents and Settings\Aounfather\Application Data\PnkBstrK.sys
1999-04-30 20:00 98,304 -c--a-w C:\Program Files\internet explorer\plugins\UPjpeg.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3393C10D-A61B-455F-80C5-9BE393BF14EB}]
2008-08-11 11:50 35840 --------- C:\WINDOWS\system32\mlJAqppN.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3c37b396-ad99-460b-82b1-7461cbd48fbc}]
2009-08-19 09:53 107520 --a------ C:\WINDOWS\system32\anidnq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4AA6C764-2818-4B2E-AF82-5E695AD05304}]
C:\WINDOWS\system32\iifecYro.dll [BU]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8FBAF30C-94CD-4252-907C-C5EBE53C0A6E}]
2009-08-14 12:13 251392 --a------ C:\WINDOWS\system32\xxyApMFW.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5906B33-2593-47E0-88F2-D3C564BD7DBB}]
C:\Documents and Settings\Aounfather\Local Settings\Temporary Internet Files\Content.IE5\6KZ5SC5I\3077htsbdjyf[1].dll [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="D:\Program Files\Steam\Steam.exe" [2008-06-17 12:23 1271032]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-20 10:11 68856]
"EPSON Stylus CX8400 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEA.EXE" [2007-02-15 06:00 179200]

Here is the Hijack this log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:54, on 2009-08-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Softex\OmniPass\scureapp.exe
C:\Program Files\Softex\Weblink\WebLink.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Softex\OmniPass\Help.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdhmk.exe] C:\WINDOWS\system32\kdhmk.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OmniPass] C:\Program Files\Softex\OmniPass\scureapp.exe
O4 - HKLM\..\Run: [WebLink] C:\Program Files\Softex\Weblink\WebLink.exe /boot
O4 - HKLM\..\Run: [34184758] rundll32.exe "C:\WINDOWS\system32\ylqnjmiy.dll",b
O4 - HKLM\..\Run: [BM372b74c4] Rundll32.exe "C:\WINDOWS\system32\pwcimaaf.dll",s
O4 - HKCU\..\Run: [Steam] "D:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [EPSON Stylus CX8400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEA.EXE /FU "C:\WINDOWS\TEMP\E_SA8.tmp" /EF "HKCU"
O4 - HKCU\..\Policies\Explorer\Run: [NT Printing Services] ftps.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15031/CTSUEng.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15035/CTPID.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8006 bytes

Thank You.

pskelley
2008-08-19, 18:37
Well, something has occurred to cause combofix to run like this:
REDUCED FUNCTIONALITY MODE
Can you think of anything that happened during installation and running that may have caused this? This is not a good thing, because almost every file created during this time frame:
Files Created from 2009-07-19 to 2009-08-19
is malware, and had combofix run correctly it would have removed all of them for us. I have not had this happen before, though I am aware it will not run on 100% of computers.

We will try another tool but this will make the removal more difficult.

Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

Thanks
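
As an added example (not part of the thread, and not HijackThis or ComboFix logic), a Python triage pass over pasted HijackThis O4 lines and a ComboFix "Files Created" section. It flags the Virtumonde indicators these logs expose: rundll32 entries calling a system32 DLL by a one-letter export, a Policies\Explorer\Run entry launching a bare filename, Spybot's deferred "SpybotDeleting" removals, and files created under system32 inside the window pskelley points to. The sample lines are copied from the logs above; the scoring rules and the random-name heuristic are my assumptions.

```python
"""Triage of HijackThis O4 lines and ComboFix 'Files Created' lines.

Strong signals (each one is visible in this thread's logs):
  - rundll32 loading a system32 DLL by a one-letter export (",b" / ",s")
  - Run value names that are a bare number or a full path
  - Policies\Explorer\Run entries that launch a bare filename
  - RunOnce "SpybotDeleting..." entries: a file the scanner could only
    schedule for deletion, so it was locked and is probably still loaded
  - files created under system32 inside the log's own "Files Created" window
Weak, advisory signal: a random-looking file stem (assumed heuristic).
"""
import re
from datetime import date

O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,(?P<export>\S+)$', re.IGNORECASE)
DEL_RE = re.compile(r'\bdel\s+"(?P<target>[^"]+)"', re.IGNORECASE)
WINDOW_RE = re.compile(r'Files Created from (\d{4}-\d{2}-\d{2}) to (\d{4}-\d{2}-\d{2})')
# ComboFix layout: created-date created-time . modified-date modified-time size attrs path
CREATED_RE = re.compile(
    r'^(?P<created>\d{4}-\d{2}-\d{2})\s+\d{2}:\d{2}\s+\.\s+\S+\s+\S+\s+'
    r'(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>\S+)\s+(?P<path>.+)$')
SYSTEM32 = re.compile(r'\\windows\\system32\\', re.IGNORECASE)


def stem_of(path):
    """File name without directory and extension: 'C:\\x\\ab.dll' -> 'ab'."""
    return path.rsplit('\\', 1)[-1].rsplit('.', 1)[0]


def looks_random(stem):
    """Weak signal: alphabetic stem with almost no vowels or a long consonant run."""
    s = stem.lower()
    if not s.isalpha() or len(s) < 6:
        return False
    vowels = sum(c in 'aeiou' for c in s)
    longest_run = max((len(r) for r in re.findall(r'[^aeiou]+', s)), default=0)
    return vowels <= 1 or longest_run >= 4


def o4_findings(line):
    """Reasons an O4 autostart line deserves a look; [] for an ordinary entry."""
    m = O4_RE.match(line)
    if not m:
        return []
    key, name, cmd = m['key'], m['name'], m['cmd']
    reasons = []
    target = cmd.strip('"')
    r = RUNDLL_RE.match(cmd)
    if r:
        target = r['dll']
        if len(r['export']) == 1 and SYSTEM32.search(r['dll']):
            reasons.append(f"rundll32 loads a system32 DLL by one-letter export {r['export']!r}")
    if '\\' in name or name.isdigit():
        reasons.append(f'auto-generated value name {name!r}')
    if key.startswith('Policies\\Explorer\\Run') and '\\' not in cmd:
        reasons.append(f'Policies\\Explorer\\Run launches bare filename {cmd!r}')
    if key == 'RunOnce' and name.startswith('SpybotDeleting'):
        d = DEL_RE.search(cmd)
        if d:
            target = d['target']
            reasons.append(f'deletion deferred to next boot: {target}')
    if reasons and looks_random(stem_of(target)):
        reasons.append(f'random-looking stem {stem_of(target)!r}')
    return reasons


def created_findings(line, window):
    """Flag a 'Files Created' line whose system32 file was created inside the window."""
    m = CREATED_RE.match(line)
    if not m or m['size'] == '<DIR>' or window is None:
        return []
    created = date.fromisoformat(m['created'])
    start, end = window
    if not (start <= created <= end and SYSTEM32.search(m['path'])):
        return []
    reasons = [f'created {created} inside window {start}..{end} under system32']
    if looks_random(stem_of(m['path'])):
        reasons.append(f"random-looking stem {stem_of(m['path'])!r}")
    return reasons


def triage(lines):
    """Walk a pasted log; the date window is read from ComboFix's own header line."""
    window, hits = None, []
    for raw in lines:
        line = raw.strip()
        w = WINDOW_RE.search(line)
        if w:
            window = (date.fromisoformat(w.group(1)), date.fromisoformat(w.group(2)))
            continue
        reasons = o4_findings(line) or created_findings(line, window)
        if reasons:
            hits.append((line, reasons))
    return hits


# Sample input: lines copied from the thread's HijackThis and ComboFix logs,
# including benign entries (ccApp, NvCplDaemon, Trend Micro) for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdhmk.exe] C:\WINDOWS\system32\kdhmk.exe
O4 - HKLM\..\Run: [34184758] rundll32.exe "C:\WINDOWS\system32\bmimjjnp.dll",b
O4 - HKLM\..\Run: [BM372b74c4] Rundll32.exe "C:\WINDOWS\system32\fagdupob.dll",s
O4 - HKLM\..\RunOnce: [SpybotDeletingC9729] cmd /c del "C:\WINDOWS\system32\mlJAqppN.dll"
O4 - HKCU\..\Policies\Explorer\Run: [NT Printing Services] ftps.exe
((((((((((((((((((((((((( Files Created from 2009-07-19 to 2009-08-19 )))))))))))))))))))))))))))))))
2009-08-19 09:56 . 2009-08-19 09:56 2,048 --a------ C:\WINDOWS\system32\igwxxvqk.exe
2009-08-14 13:15 . 2009-08-14 13:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-02 18:20 22,328 ----a-w C:\Documents and Settings\Aounfather\Application Data\PnkBstrK.sys
""".strip().splitlines()

if __name__ == '__main__':
    for hit_line, why in triage(SAMPLE_LOG):
        print(hit_line)
        for reason in why:
            print('    ->', reason)
```

The window check is only as trustworthy as the system clock; on this machine the clock had been pushed a year ahead, which is why the dates in the logs read 2009.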

aounfather
2008-08-19, 20:38
The combofix starts up with a message that reads,
Current date is 2009-08-19 Combofix has expired
Then it asks me if I want to run in reduced functionality mode. I will post the malware log shortly.

pskelley
2008-08-19, 20:56
The combofix starts up with a message that reads,
Current date is 2009-08-19 Combofix has expired
You deleted all old copies, right?
Perhaps sUBs was in the process of updating at the time. Once you post the MBAM log, would you delete combofix completely from your computer, then download it again from the link I provided and try it again. Your computer is very infected and it would be so much easier if we can get combofix to do the removal for us. Otherwise I fear you will be doing it manually (not fun).

Let me know what happens exactly when you download and try to run it so I can inform sUBs if it still does not run. Post any messages you get from combofix.

Have a look at the starting and ending time on this run of combofix:
http://forums.spybot.info/showthread.php?p=225304#post225304
Perhaps it will run for you now if you download it again.

Thanks

aounfather
2008-08-19, 21:22
I think I know why it didn't work. Whatever is happening to my computer has changed the date and time settings so that Combofix thinks we are a year ahead. I changed it back and it seems to be running fine. I will post a log as soon as it finishes.

aounfather
2008-08-20, 08:53
Ok, here's the skinny on what happened with the combofix app.

I started it up after changing the date and it froze about 20 minutes in. I restarted my PC and tried again; it froze 5 minutes in. I deleted every file associated with combofix and reinstalled it. It froze again so I gave up. Here are the HJT and Malwarebytes logs. For the malware scan, I ran it and it restarted my computer and then ran again. I told it to do one drive at a time and it didn't find anything.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:47, on 2008-08-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Softex\OmniPass\scureapp.exe
C:\Program Files\Softex\Weblink\WebLink.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Softex\OmniPass\Help.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {4AA6C764-2818-4B2E-AF82-5E695AD05304} - C:\WINDOWS\system32\iifecYro.dll (file missing)
O2 - BHO: (no name) - {4F064A09-C7EF-48EA-B596-04F0D370B9B4} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {63B66BA0-81C6-4867-9B1F-F25B90E5D7BC} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {DAD76FFA-445D-4EBA-AC0D-3BF0F2EF936A} - (no file)
O2 - BHO: (no name) - {E283C68F-4DF9-44E6-ABB7-008108318E40} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdhmk.exe] C:\WINDOWS\system32\kdhmk.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OmniPass] C:\Program Files\Softex\OmniPass\scureapp.exe
O4 - HKLM\..\Run: [WebLink] C:\Program Files\Softex\Weblink\WebLink.exe /boot
O4 - HKCU\..\Run: [Steam] "D:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [EPSON Stylus CX8400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEA.EXE /FU "C:\WINDOWS\TEMP\E_SA8.tmp" /EF "HKCU"
O4 - HKCU\..\Policies\Explorer\Run: [NT Printing Services] ftps.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15031/CTSUEng.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15035/CTPID.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8595 bytes

And here are the files from Malwarebytes.

Malwarebytes' Anti-Malware 1.25
Database version: 1071
Windows 5.1.2600 Service Pack 2

00:09:32 2008-08-20
mbam-log-08-20-2008 (00-09-32).txt

Scan type: Full Scan (C:\|)
Objects scanned: 114706
Time elapsed: 44 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Malwarebytes' Anti-Malware 1.25
Database version: 1071
Windows 5.1.2600 Service Pack 2

01:46:43 2008-08-20
mbam-log-08-20-2008 (01-46-43).txt

Scan type: Full Scan (D:\|)
Objects scanned: 134598
Time elapsed: 1 hour(s), 36 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


The first scan before the reboot found a crapload of malware and deleted it. I could post that file if you want it also.

Thank You very much.

pskelley
2008-08-20, 17:41
Thanks for the feedback, you said:

I started it up after changing the date and it froze about 20 minutes in

It is not unusual for combofix to take 20 minutes or so, and it may appear it has stopped when it is simply scanning files for malware. You obviously had a very infected computer and many, many malware files.

The first scan before the reboot found a crapload of malware and deleted it. I could post that file if you want it also.

I have a list of the Vundo files and would like to cross off all I know was removed by MBAM to see if any are left, so yes, I would like to see that file. You may attach that file if you wish.

What can you tell me about this item?
O4 - HKCU\..\Policies\Explorer\Run: [NT Printing Services] ftps.exe
Google is not sure if it is good or bad.
http://www.google.com/search?hl=en&q=ftps.exe&btnG=Search
If you are not sure, scan it here: http://virusscan.jotti.org/
and post the results, you will need to show all files and folders to see it.
1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Download ResetTeaTimer.bat to the Desktop
http://downloads.subratam.org/ResetTeaTimer.bat
Double click ResetTeaTimer.bat
to remove all entries set by TeaTimer (and prevent TeaTimer from restoring them upon reactivation).

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {4AA6C764-2818-4B2E-AF82-5E695AD05304} - C:\WINDOWS\system32\iifecYro.dll (file missing)
O2 - BHO: (no name) - {4F064A09-C7EF-48EA-B596-04F0D370B9B4} - (no file)
O2 - BHO: (no name) - {63B66BA0-81C6-4867-9B1F-F25B90E5D7BC} - (no file)
O2 - BHO: (no name) - {DAD76FFA-445D-4EBA-AC0D-3BF0F2EF936A} - (no file)
O2 - BHO: (no name) - {E283C68F-4DF9-44E6-ABB7-008108318E40} - (no file)
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdhmk.exe] C:\WINDOWS\system32\kdhmk.exe

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Right click Start > Explore and navigate to these files/folders and delete them if there.

C:\WINDOWS\system32\kdhmk.exe <<< delete that file

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

Restart and post a new HJT log. Let me know how the computer is running.

Thanks
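
The triage the helper is doing on the HijackThis log above (orphaned BHOs, a Run value named after its own path, an autostart under Policies\Explorer\Run that needs identifying first) can be written down as a few rules. The Python below is an added example for readers of this thread; it is not code from the thread, from HijackThis or from Trend Micro. The sample lines are copied from the log posted earlier in the thread, and the flagging rules are this example's own heuristics, not HijackThis's.

```python
import re
from dataclasses import dataclass

# Constructed sample: O2/O4 lines copied from the HijackThis log posted
# earlier in this thread, including entries the helper asked to fix and the
# ftps.exe entry he asked about.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {4AA6C764-2818-4B2E-AF82-5E695AD05304} - C:\WINDOWS\system32\iifecYro.dll (file missing)
O2 - BHO: (no name) - {4F064A09-C7EF-48EA-B596-04F0D370B9B4} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdhmk.exe] C:\WINDOWS\system32\kdhmk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Policies\Explorer\Run: [NT Printing Services] ftps.exe
"""

# O2 lines: "O2 - BHO: <name> - {CLSID} - <dll path, '(no file)' or '... (file missing)'>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
# O4 lines: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Finding:
    severity: str  # "fix": safe to tick in "Fix Checked"; "review": identify the file first
    line: str
    reason: str


def parse_entry(line):
    """Return a dict for an O2 or O4 line, or None for any other line."""
    line = line.strip()
    for kind, rx in (("O2", O2_RE), ("O4", O4_RE)):
        m = rx.match(line)
        if m:
            return {"kind": kind, "line": line, **m.groupdict()}
    return None


def triage(log_text):
    """Apply this example's heuristics (not HijackThis's own) to every O2/O4 line."""
    findings = []
    for raw in log_text.splitlines():
        e = parse_entry(raw)
        if e is None:
            continue
        if e["kind"] == "O2":
            # A BHO whose DLL no longer exists is a leftover registration:
            # harmless by itself, but it should be cleared.
            if e["path"] == "(no file)" or e["path"].endswith("(file missing)"):
                findings.append(Finding("fix", e["line"],
                    "BHO is registered but its DLL is gone; leftover of a removed component"))
        else:  # O4
            if "\\" in e["value"] or ":" in e["value"]:
                # Legitimate installers name the value after the product,
                # not after the executable's full path.
                findings.append(Finding("fix", e["line"],
                    "Run value is named after its own full path instead of a product name"))
            elif "Policies\\Explorer\\Run" in e["key"]:
                # Group Policy autostart with a bare file name: could be valid
                # or not, so locate the file and scan it before deciding.
                findings.append(Finding("review", e["line"],
                    "autostart under Policies\\Explorer\\Run with a bare executable name"))
    return findings


def hjt_fix_list(findings):
    """The lines to tick in HijackThis's "Fix Checked", in log order."""
    return [f.line for f in findings if f.severity == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f.severity}] {f.line}\n        {f.reason}")
```

Run against the sample it reports the two orphaned BHOs and the kdhmk.exe entry as "fix" and the ftps.exe policy entry as "review", which matches the helper's instructions. The rules deliberately do not try to judge a bare executable name on their own: CTHELPER.EXE in the same log is also a bare name and is legitimate, so anything that cannot be decided from the line alone is left for a file scan.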

aounfather
2008-08-20, 18:05
What I meant was that it stalled and then I left it for several hours and then came back to it being in the same spot. Ok I will do those fixes when I get back to my computer (posting on a friends).

pskelley
2008-08-20, 18:38
Thanks for the feedback, looks like your computer is the one in a thousand that will not run combofix. We will do our best without it.

Phil

aounfather
2008-08-20, 22:52
Um... All I got from your link to reset TeaTimer was an html page and nothing to download. I have attached what I think is the logfile for the first Malwarebytes scan. Not sure, because it removed everything but says no action taken. Will follow directions and get back to you later tonight, once you upload a working link.

pskelley
2008-08-20, 23:16
All I got from your link to reset teatimer was a html page and nothing to download.
Funny that it works perfectly for me? I just clicked it half a dozen times in a row and it worked perfectly each time:
Download ResetTeaTimer.bat to the Desktop
http://downloads.subratam.org/ResetTeaTimer.bat
Double click ResetTeaTimer.bat
to remove all entries set by TeaTimer (and prevent TeaTimer from restoring them upon reactivation).

But I can also download combofix with no problems. Have you thought about updating your browser? Do not use other browsers.
http://www.microsoft.com/windows/products/winfamily/ie/default.mspx

That is just a simple batch file to clean TT memory, and it happens in a flash; you won't see anything happen.

Thanks

pskelley
2008-08-20, 23:24
You posted an MBAM log where every item says "No Action Taken"?

These are the instructions:

* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.

Can I assume you deleted what MBAM found?

:mad:

aounfather
2008-08-21, 06:15
Alright. I did what you said; the problem was that I wasn't right-clicking on the link and saving the target. I was left-clicking and seeing the source code. Yeah, the log says that no action was taken, but in reality I deleted all the objects that were found. Here is the new HijackThis log, and my computer seems to be running fine now.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:10, on 2008-08-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Softex\OmniPass\scureapp.exe
C:\Program Files\Softex\Weblink\WebLink.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Softex\OmniPass\Help.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OmniPass] C:\Program Files\Softex\OmniPass\scureapp.exe
O4 - HKLM\..\Run: [WebLink] C:\Program Files\Softex\Weblink\WebLink.exe /boot
O4 - HKCU\..\Run: [Steam] "D:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [EPSON Stylus CX8400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEA.EXE /FU "C:\WINDOWS\TEMP\E_SA8.tmp" /EF "HKCU"
O4 - HKCU\..\Policies\Explorer\Run: [NT Printing Services] ftps.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15031/CTSUEng.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15035/CTPID.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8589 bytes


Thank You.

aounfather
2008-08-21, 06:29
I don't know what
HKCU\..\Policies\Explorer\Run: [NT Printing Services] ftps.exe
is or where to find it in my comp.

pskelley
2008-08-21, 14:32
where to find it in my comp.
Start > Search > All Files and Folders > copy/paste ftps.exe into the white box, then click "Search". Allow some time; it will take a while. When you have the location (probably C:\Windows\System32\ftps.exe, if you want to look there first, but it may be elsewhere) and you know where it is, use the search tool I provided and post the result.

Run a new MBAM scan in Safe Mode and post the results please.
http://spyware-free.us/tutorials/safemode/

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks

aounfather
2008-08-22, 09:19
Ok, Here is the malwarebytes report.
Malwarebytes' Anti-Malware 1.25
Database version: 1071
Windows 5.1.2600 Service Pack 2

10:32:09 PM 2008-08-21
mbam-log-08-21-2008 (22-32-09).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|G:\|)
Objects scanned: 211887
Time elapsed: 4 hour(s), 6 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

And here is the Internet virus scan.

Friday, August 22, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, August 22, 2008 03:25:05
Records in database: 1122684
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
A:\
C:\
D:\
E:\
F:\
G:\
Scan statistics
Files scanned 141804
Threat name 15
Infected objects 28
Suspicious objects 1
Duration of the scan 02:58:20

File name Threat name Threats count
C:\Documents and Settings\All Users\Application Data\AOL Downloads\lpaolcom_setupSTUS\comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\021C0000.VBN Infected: Trojan-Downloader.Win32.Agent.acd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\021C0001.VBN Infected: Trojan-Downloader.Win32.Agent.acd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03D40000.VBN Infected: Virus.Win32.Hidrag.a 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08480000.VBN Infected: Trojan-Downloader.Win32.Agent.acd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09B80000.VBN Infected: Virus.Win32.Hidrag.a 1
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05700000.VBN Infected: Trojan.Win32.Monder.eyb 1
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05700001.VBN Infected: not-a-virus:AdWare.Win32.SuperJuan.ckm 1
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05700002.VBN Infected: Trojan.Win32.Monder.eyb 1
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05700003.VBN Infected: Trojan.Win32.Monder.eyb 1
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05700004.VBN Infected: Trojan.Win32.Monder.esu 1
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05700005.VBN Infected: not-a-virus:AdWare.Win32.SuperJuan.ckm 1
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05700006.VBN Infected: not-a-virus:AdWare.Win32.SuperJuan.ckm 1
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05700007.VBN Infected: not-a-virus:AdWare.Win32.SuperJuan.ckm 1
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05700008.VBN Infected: not-a-virus:AdWare.Win32.SuperJuan.ckm 1
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05700009.VBN Infected: Trojan.Win32.Monder.eyb 1
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06A40000.VBN Infected: not-a-virus:AdWare.Win32.SuperJuan.ckm 1
C:\Program Files\MyWebSearchWB\bar\1.bin\NPMYSRWB.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i 1
C:\Program Files\MyWebSearchWB\bar\1.bin\W6PLUGIN.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l 1
C:\QooBox\Quarantine\C\WINDOWS\system32\lphccw4j0eg2r.exe.vir Infected: Trojan-Downloader.Win32.Small.abmc 1
C:\QooBox\Quarantine\C\WINDOWS\system32\WinSecure.exe.vir Infected: P2P-Worm.Win32.Delf.by 1
C:\WINDOWS\system32\16.tmp Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\WINDOWS\system32\26.tmp Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\WINDOWS\system32\27.tmp Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
D:\Documents and Settings\All Users\Application Data\AOL Downloads\lpaolcom_setupSTUS\comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
D:\Documents and Settings\Tom Tharp\Local Settings\Temporary Internet Files\Content.IE5\7PWQEHMK\deliver46860[1].htm Suspicious: Exploit.HTML.Mht 1
D:\Documents and Settings\Tom Tharp\Local Settings\Temporary Internet Files\Content.IE5\AXCWGVKU\sp2-rm-notitle[1].swf Infected: not-virus:Hoax.SWF.Alerter.a 1
D:\Documents and Settings\Tom Tharp\Local Settings\Temporary Internet Files\Content.IE5\LBZ9VDR8\mtrslib2[1].js Infected: Trojan-Downloader.JS.Small.ag 1
D:\Documents and Settings\Tom Tharp\Local Settings\Temporary Internet Files\Content.IE5\LBZ9VDR8\youngmodelgalleries[1].htm Infected: Trojan-Clicker.JS.Linker.j 1
The selected area was scanned.

Thank You.

pskelley
2008-08-22, 16:50
Thanks for returning this information, but as far as I can see I still do not have the information about this item. Look at the Google search so you can see why I need it: ftps.exe
http://www.google.com/search?hl=en&q=ftps.exe+&btnG=Search
As you can see it can be valid or malware.

1) Search for the location using Search Companion, make sure you can see all files and folders:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html <<< here

Once you know what it is, then click on this link: http://virusscan.jotti.org/
Near the top of the page see the words "File to upload and scan:", then click the Browse button and navigate to the location of the file we want to scan. When you have it in the white box, click the "Submit" button. In a few minutes you will receive a report from jotti; copy and paste that information so I can see it.

Thanks

Kaspersky Online Scan (KOS)

1) C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\ <<< delete the contents of the folder in RED

2) C:\Documents and Settings\All Users\Application Data\AOL Downloads\lpaolcom_setupSTUS\comps\toolbar\toolbr.exe ------> AdWare.Win32.SearchIt.t
(KOS says this file in RED is adware, I would delete it from my computer)

3) C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\ <<< delete the contents of that folder in red.
(I have no idea why you have Symantec quarantine folders in two places?)

4) C:\Program Files\MyWebSearchWB\ <<< delete that folder and contents

5) delete these files
C:\WINDOWS\system32\16.tmp
C:\WINDOWS\system32\26.tmp
C:\WINDOWS\system32\27.tmp

6) D:\Documents and Settings\All Users\Application Data\AOL Downloads\lpaolcom_setupSTUS\comps\toolbar\toolbr.exe <<< delete that file
(same adware as #2 located on a different drive?)

7) D:\Documents and Settings\Tom Tharp\Local Settings\Temporary Internet Files\ <<< delete the contents (NOT THE FOLDER)
A few old files may not delete, not to be concerned.

Restart the computer and run a new KOS to make sure you missed nothing, I do not need to see that scan.

***I just want to say, the more I work with this computer, the more I believe if it was mine, I would reformat and start over.

I am waiting now for the scan results on this file: O4 - HKCU\..\Policies\Explorer\Run: [NT Printing Services] ftps.exe

Thanks
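The open question in the post above is whether the O4 entry `[NT Printing Services] ftps.exe` is a legitimate program or malware. The script below is an added example, not code from the thread or from HijackThis: it parses HijackThis O4 lines, flags the traits that make an entry worth investigating (a bare filename with no path, an uncommon autostart key, a temp-folder location), then does the "find the file and get it ready to submit" step by searching a list of directories and computing a SHA-256. The sample O4 lines other than the ftps.exe one are constructed for contrast, and the search directories are an assumption that stands in for the Search Companion step.

```python
"""Triage HijackThis O4 autostart entries and locate the executable for scanning."""
import hashlib
import os
import re
import tempfile

# O4 - <hive>\..\<key>: [<value name>] <command>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)

# Constructed sample: the first line is the entry quoted in the thread; the
# other two are made-up benign entries for contrast (not from the real log).
SAMPLE_O4_LINES = [
    r"O4 - HKCU\..\Policies\Explorer\Run: [NT Printing Services] ftps.exe",
    r"O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
]

def parse_o4(line):
    """Return a dict with hive, key, name, cmd and exe, or None if not an O4 line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    cmd = entry["cmd"].strip()
    # Take everything up to and including the first ".exe" so unquoted paths
    # with spaces (C:\Program Files\...) are not cut at the first space.
    idx = cmd.lower().find(".exe")
    entry["exe"] = cmd[: idx + 4].strip('"') if idx != -1 else cmd.split(" ", 1)[0]
    return entry

def triage(entry):
    """Heuristic reasons an autostart entry deserves a closer look."""
    reasons = []
    exe = entry["exe"]
    if "\\" not in exe:
        reasons.append("bare filename, no path: actual location unknown until searched for")
    if "policies\\explorer\\run" in entry["key"].lower():
        reasons.append("Policies\\Explorer\\Run is an uncommon autostart location")
    low = exe.lower()
    if "\\temp" in low or "temporary internet files" in low:
        reasons.append("runs from a temp folder")
    return reasons

def locate(filename, search_dirs):
    """Walk the given directories and return every path whose basename matches."""
    hits = []
    for base in search_dirs:
        for root, _dirs, files in os.walk(base):
            for f in files:
                if f.lower() == filename.lower():
                    hits.append(os.path.join(root, f))
    return hits

def sha256_of(path):
    """SHA-256 of the file, the identifier to quote when submitting it to a scanner."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def report(lines, search_dirs):
    """Triage every O4 line; for flagged bare filenames, locate and hash the file."""
    out = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = triage(entry)
        found = locate(entry["exe"], search_dirs) if "\\" not in entry["exe"] else []
        out.append({
            "name": entry["name"], "exe": entry["exe"], "reasons": reasons,
            "locations": [(p, os.path.getsize(p), sha256_of(p)) for p in found],
        })
    return out

def demo():
    """Stand-alone run against a constructed drive layout containing a fake ftps.exe."""
    root = tempfile.mkdtemp()
    sysdir = os.path.join(root, "WINDOWS", "system32")
    os.makedirs(sysdir)
    with open(os.path.join(sysdir, "ftps.exe"), "wb") as fh:
        fh.write(b"MZ placeholder, not a real executable")
    return report(SAMPLE_O4_LINES, [root])

if __name__ == "__main__":
    for r in demo():
        print(r["name"], r["exe"], r["reasons"], r["locations"])
```

Only the ftps.exe entry is flagged; the two constructed entries carry full paths under normal Run keys and produce no reasons. The path, size and SHA-256 in `locations` are what you would quote alongside a multi-engine scan result when the upload itself fails, as it did later in this thread.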

aounfather
2008-08-22, 19:20
I hear you, and according to that google search the ftps file is a Secure drop-in replacement for Microsoft's built-in "ftp.exe" FTP client. Supports passive mode transfers and resumption of transfers. Uses UTSecureLayer.dllg.

Anyway I'm going to get a removable hard drive and back up my videos and music and stuff and then wipe both of my hard drives and start over. I'm not sure how to make sure the virus doesn't migrate to the new drive or how to wipe my drives though.

Thanks.
PS the internet virus scan found 3 more threats.

aounfather
2008-08-22, 19:21
And the Jotti scan stops at the uploading part and never gets to telling me what it is.

pskelley
2008-08-22, 19:29
"and according to that google search the ftps file is a Secure drop-in replacement for Microsoft's built-in "ftp.exe" FTP client. Supports passive mode transfers and resumption of transfers. Uses UTSecureLayer.dllg."

Looks like you only looked at one site. If it were that simple I would not have the issues of it being on your computer where I cannot scan it. How about this one:
http://www.auditmypc.com/process/ftps.asp or this one:
http://www.incodesolutions.com/threats2/System32Rootftpsexe.php

Here are two more free online scans if you want them:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

http://spyware-free.us/tutorials/reformat/
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html
http://helpdesk.its.uiowa.edu/windows/instructions/reformat.htm

Thanks

aounfather
2008-08-22, 21:52
All three of those scans told me they either can't open the page or had an internal server error.

Thank you for all of your help and those links to help me reformat. Will reformatting get rid of the virus?

pskelley
2008-08-22, 21:55
Yes...as long as you don't save infected files and reinstall the infection.
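The caveat in that reply is the part people skip: a reformat only helps if the files copied back from the removable drive are not carrying the infection. The script below is an added example, not part of the original thread, showing a screening pass you would run over the backup before restoring it. It flags files by executable extension, by double extensions such as `song.mp3.exe`, and by content (a file that starts with the `MZ` executable header regardless of what its name says). The backup directory and its contents are constructed in a temp folder so the example runs offline; the extension list is an assumption and not exhaustive.

```python
"""Screen a media backup for executables before restoring it to a reinstalled machine."""
import os
import tempfile

# Assumed list of extensions that should never appear in a music/video/document backup.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js",
                   ".dll", ".lnk", ".hta", ".wsf"}

def classify(path):
    """Return a list of reasons this file should not be restored as-is (empty if clean)."""
    reasons = []
    name = os.path.basename(path).lower()
    parts = name.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension " + ext)
    # song.mp3.exe style: a media-looking extension hiding in front of the real one
    if len(parts) > 2 and ext in EXECUTABLE_EXTS:
        reasons.append("double extension disguising an executable")
    # Content check: Windows executables (and DLLs) begin with the 'MZ' DOS header,
    # whatever the filename claims.
    try:
        with open(path, "rb") as fh:
            magic = fh.read(2)
    except OSError:
        return reasons + ["unreadable"]
    if magic == b"MZ" and ext not in EXECUTABLE_EXTS:
        reasons.append("MZ header under a non-executable name")
    return reasons

def screen_backup(root):
    """Walk the backup and return {relative path: [reasons]} for every flagged file."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            reasons = classify(full)
            if reasons:
                flagged[os.path.relpath(full, root).replace(os.sep, "/")] = reasons
    return flagged

def build_sample_backup():
    """Constructed backup tree: two clean media files and two that must not come back."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "Music"))
    os.makedirs(os.path.join(root, "Videos"))
    samples = {
        "Music/track01.mp3": b"ID3" + b"\x00" * 64,        # clean
        "Videos/holiday.avi": b"RIFF" + b"\x00" * 64,      # clean
        "Music/song.mp3.exe": b"MZ" + b"\x90" * 64,        # disguised executable
        "Videos/clip.avi": b"MZ" + b"\x90" * 64,           # PE content, media name
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for rel, why in sorted(screen_backup(build_sample_backup()).items()):
        print(rel, "->", "; ".join(why))
```

Anything the screen flags should be left on the removable drive (or scanned and deleted there) rather than copied to the fresh install; a real backup would also be scanned by an up-to-date antivirus from the clean system before anything is restored.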

aounfather
2008-08-22, 23:30
Oh well, I just scanned my comp again and it came up with the same stuff as at the beginning so I'm just gonna bite the bullet and wipe it. Thanks for all of your help and I'm sorry I took up so much of your time.

pskelley
2008-08-22, 23:37
That's what I would do were it my computer; when ComboFix would not run, I suspected major issues. Here is some information that might help prevent situations like this in the future.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html