View Full Version : virtumonde infection... =(
flyintyger
2008-09-16, 17:09
Hi,
i've run spybot in normal and safemode a few times now and even though it says ive fixed the problem, it shows virtumonde everytime i run spybot...
I've downloaded HijackThis and run it,
this is what i got:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:00:20 AM, on 17/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Datamonitor\Datamonitor.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Gabriel Cheung\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.mini20.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Optus Cable Data Monitor] C:\Program Files\Datamonitor\Datamonitor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [c8e55786] rundll32.exe "C:\WINDOWS\system32\lmijltph.dll",b
O4 - HKLM\..\Run: [BMcbd6641a] Rundll32.exe "C:\WINDOWS\system32\vcihpunb.dll",s
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Gabriel Cheung\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: djclpg.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
--
End of file - 6562 bytes
THANKS!! =)
pskelley
2008-09-17, 03:35
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.
1) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)
2) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Remove any old copies of combofix before you proceed.
Thanks to sUBs and anyone else who helped with this fix.
It is important that it is saved directly to your Desktop.
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Post the combofix log and a new HJT log.
Thanks
flyintyger
2008-09-17, 14:47
ComboFix 08-09-16.03 - Gabriel Cheung 2008-09-17 20:27:37.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.806 [GMT 10:00]
Running from: C:\Documents and Settings\Gabriel Cheung\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\BMcbd6641a.txt
C:\WINDOWS\BMcbd6641a.xml
C:\WINDOWS\system32\djclpg.dll
C:\WINDOWS\system32\doofvfoq.ini
C:\WINDOWS\system32\GiQBHkkj.ini
C:\WINDOWS\system32\GiQBHkkj.ini2
C:\WINDOWS\system32\hptljiml.ini
C:\WINDOWS\system32\lmijltph.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\omwsir.dll
C:\WINDOWS\system32\setup.ini
C:\WINDOWS\system32\uuyxhsco.dll
C:\WINDOWS\system32\wyqmnvem.dll
C:\WINDOWS\system32\yglhrkfx.dll
.
((((((((((((((((((((((((( Files Created from 2008-08-17 to 2008-09-17 )))))))))))))))))))))))))))))))
.
2008-09-17 00:00 . 2008-09-17 00:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-16 22:26 . 2008-09-16 22:26 <DIR> d-------- C:\VundoFix Backups
2008-09-16 21:24 . 2008-09-16 21:24 95 --a------ C:\WINDOWS\wininit.ini
2008-09-16 20:26 . 2008-09-16 20:28 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-16 20:26 . 2008-09-16 22:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-15 23:23 . 2008-09-15 23:23 <DIR> d-------- C:\Program Files\Webteh
2008-09-15 20:59 . 2008-09-15 20:59 254,464 --a------ C:\WINDOWS\system32\jkkHBQiG.dll
2008-09-15 20:54 . 2008-09-15 20:54 43,008 --a------ C:\WINDOWS\system32\tULbaywW.dll
2008-09-15 20:54 . 2008-09-15 20:54 43,008 --a------ C:\WINDOWS\system32\ddCsRlkI.dll.vir
2008-09-11 00:56 . 2008-09-11 00:56 <DIR> d-------- C:\Documents and Settings\Gabriel Cheung\Application Data\vlc
2008-09-11 00:55 . 2008-09-11 00:55 <DIR> d-------- C:\Program Files\VideoLAN
2008-09-07 20:24 . 2008-09-07 20:24 <DIR> d-------- C:\Program Files\Google
2008-09-07 00:00 . 2008-09-07 00:18 <DIR> d-------- C:\Documents and Settings\Gabriel Cheung\Application Data\VMware
2008-09-06 23:49 . 2008-09-17 20:33 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\VMware
2008-09-06 23:48 . 2008-08-08 16:25 150,064 --a------ C:\WINDOWS\system32\vmnat.exe
2008-09-06 23:48 . 2008-08-08 16:26 121,392 --a------ C:\WINDOWS\system32\vmnetdhcp.exe
2008-09-06 23:48 . 2008-08-08 16:27 25,264 --a------ C:\WINDOWS\system32\drivers\vmnetuserif.sys
2008-09-06 23:48 . 2008-08-08 15:49 16,816 -ra------ C:\WINDOWS\system32\drivers\vmnetadapter.sys
2008-09-06 23:48 . 2008-08-08 15:49 13,104 -ra------ C:\WINDOWS\system32\vnetinst.dll
2008-09-06 23:47 . 2008-08-08 16:26 436,784 --a------ C:\WINDOWS\system32\vnetlib.dll
2008-09-06 23:47 . 2008-08-08 15:49 50,992 -ra------ C:\WINDOWS\system32\vmnetbridge.dll
2008-09-06 23:47 . 2008-08-08 15:49 28,592 -ra------ C:\WINDOWS\system32\drivers\vmnetbridge.sys
2008-09-06 23:47 . 2008-08-08 15:49 17,712 -ra------ C:\WINDOWS\system32\drivers\vmnet.sys
2008-09-06 23:46 . 2008-08-08 16:27 20,912 --a------ C:\WINDOWS\system32\drivers\VMkbd.sys
2008-09-06 23:45 . 2008-09-06 23:45 <DIR> d-------- C:\Program Files\VMware
2008-09-06 23:45 . 2008-09-06 23:45 <DIR> d-------- C:\Program Files\Common Files\VMware
2008-09-06 23:45 . 2008-09-17 20:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\VMware
2008-09-06 21:02 . 2008-09-06 21:02 <DIR> d-------- C:\Program Files\Gabest
2008-09-04 19:59 . 2008-09-04 19:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-09-03 22:38 . 2008-09-03 22:50 <DIR> d-------- C:\Program Files\EditPlus 3
2008-09-03 22:38 . 2008-09-03 22:38 <DIR> d-------- C:\Documents and Settings\Gabriel Cheung\Application Data\EditPlus 3
2008-09-03 22:31 . 2008-09-03 22:38 <DIR> d-------- C:\Program Files\EditPlus 2
2008-09-03 21:17 . 2008-09-03 21:17 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2008-09-03 20:09 . 2008-09-03 20:09 <DIR> d-------- C:\Program Files\EA Sports
2008-09-03 20:06 . 2002-12-12 00:14 1,294,336 --a--c--- C:\WINDOWS\system32\dllcache\dsound3d.dll
2008-09-03 20:05 . 2008-09-03 20:05 <DIR> dr-h----- C:\Documents and Settings\Gabriel Cheung\Application Data\SecuROM
2008-09-03 20:05 . 2008-09-03 20:05 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-09-03 07:45 . 2008-09-03 07:45 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-09-03 00:31 . 2008-09-11 00:52 <DIR> d-------- C:\Program Files\eMule
2008-09-03 00:26 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-09-03 00:26 . 2006-10-26 19:58 30,512 --a------ C:\WINDOWS\system32\mdimon.dll
2008-09-03 00:24 . 2008-09-03 00:24 <DIR> d-------- C:\Program Files\Microsoft Works
2008-09-03 00:23 . 2008-09-03 00:23 <DIR> d-------- C:\Program Files\MSBuild
2008-09-03 00:21 . 2008-09-03 00:21 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-09-03 00:18 . 2008-09-03 00:18 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-09-03 00:17 . 2008-09-03 00:22 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-09-03 00:17 . 2008-09-10 14:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-03 00:16 . 2008-09-03 00:16 <DIR> dr-h----- C:\MSOCache
2008-09-02 23:42 . 2008-07-18 22:07 270,880 --a------ C:\WINDOWS\system32\mucltui.dll
2008-09-02 23:42 . 2008-07-18 22:07 210,976 --a------ C:\WINDOWS\system32\muweb.dll
2008-09-02 23:42 . 2008-07-18 22:07 29,728 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-09-02 21:34 . 2008-09-03 18:59 <DIR> d-------- C:\Documents and Settings\Gabriel Cheung\Contacts
2008-09-02 21:33 . 2008-09-02 21:33 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-09-02 21:30 . 2008-09-02 21:30 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-09-02 21:28 . 2008-09-02 21:29 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-09-02 21:27 . 2008-09-02 21:32 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-09-02 21:26 . 2008-09-02 21:32 <DIR> d-------- C:\Program Files\Windows Live
2008-09-02 21:26 . 2008-09-02 21:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-09-01 23:55 . 2008-09-01 23:55 <DIR> d--h----- C:\WINDOWS\PIF
2008-09-01 23:45 . 2008-06-24 02:57 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-09-01 23:45 . 2007-04-17 19:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-09-01 23:45 . 2007-03-08 15:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-09-01 23:45 . 2008-06-24 02:57 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-09-01 23:45 . 2008-06-24 02:57 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-09-01 23:45 . 2008-06-24 02:57 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-09-01 23:45 . 2008-06-24 02:57 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-09-01 23:45 . 2008-06-24 02:57 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-09-01 23:45 . 2008-06-23 19:20 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-09-01 23:11 . 2008-09-01 23:11 <DIR> d-------- C:\Documents and Settings\Gabriel Cheung\Application Data\Windows Desktop Search
2008-09-01 23:10 . 2008-09-01 23:10 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-09-01 23:10 . 2008-03-08 03:02 192,000 -----c--- C:\WINDOWS\system32\dllcache\offfilt.dll
2008-09-01 23:10 . 2008-03-08 03:02 98,304 -----c--- C:\WINDOWS\system32\dllcache\nlhtml.dll
2008-09-01 23:10 . 2008-03-08 03:02 29,696 -----c--- C:\WINDOWS\system32\dllcache\mimefilt.dll
2008-09-01 23:03 . 2008-09-01 23:03 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-09-01 23:02 . 2008-09-01 23:02 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-09-01 23:02 . 2008-09-01 23:03 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-09-01 22:57 . 2008-09-01 22:57 <DIR> d-------- C:\WINDOWS\NV35803596.TMP
2008-09-01 22:57 . 2004-05-20 10:11 172,032 --a------ C:\WINDOWS\system32\nvuaudio.exe
2008-09-01 22:57 . 2004-04-23 01:30 3,787 --a------ C:\WINDOWS\system32\nvaudio.nvu
2008-09-01 22:56 . 2008-09-01 22:56 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-09-01 22:55 . 2008-07-23 00:45 1,214,526 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-09-01 22:55 . 2008-07-23 00:45 790,846 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-09-01 22:55 . 2008-07-23 00:45 9,696 -----c--- C:\WINDOWS\system32\dllcache\drvmain.sdb
2008-09-01 22:41 . 2008-09-01 22:41 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-09-01 22:41 . 2008-09-01 22:41 <DIR> d-------- C:\WINDOWS\system32\en
2008-09-01 22:41 . 2008-09-01 22:41 <DIR> d-------- C:\WINDOWS\system32\bits
2008-09-01 22:41 . 2008-09-01 22:41 <DIR> d-------- C:\WINDOWS\l2schemas
2008-09-01 22:38 . 2008-09-01 22:38 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-09-01 22:20 . 2008-09-01 22:20 <DIR> d-------- C:\Program Files\uTorrent
2008-09-01 22:20 . 2008-09-15 21:47 <DIR> d-------- C:\Documents and Settings\Gabriel Cheung\Application Data\uTorrent
2008-09-01 21:38 . 2008-09-01 21:38 13,646 --a------ C:\WINDOWS\system32\wpa.bak
2008-09-01 21:16 . 2008-04-14 10:12 4,274,816 --------- C:\WINDOWS\system32\nv4_disp.dll
2008-09-01 21:15 . 2008-04-14 10:11 377,984 --------- C:\WINDOWS\system32\ati2dvaa.dll
2008-09-01 20:54 . 2008-09-01 20:54 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-09-01 20:44 . 2008-09-01 20:44 <DIR> d-------- C:\Documents and Settings\Gabriel Cheung\Application Data\DAEMON Tools
2008-09-01 20:44 . 2008-09-01 20:44 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-09-01 20:42 . 2008-09-17 20:26 <DIR> d-------- C:\Program Files\Datamonitor
2008-09-01 20:35 . 2008-05-02 00:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-09-01 20:35 . 2008-06-13 21:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-09-01 20:35 . 2008-05-09 00:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-09-01 09:03 . 2008-04-14 10:09 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-09-01 09:02 . 2006-02-28 22:00 180,258 --a--c--- C:\WINDOWS\system32\dllcache\c_20000.nls
2008-09-01 09:01 . 2008-04-14 04:45 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2008-09-01 09:01 . 2008-04-14 05:17 83,072 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2008-09-01 09:01 . 2008-04-14 05:15 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2008-09-01 09:01 . 2008-04-14 04:40 57,600 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2008-09-01 09:01 . 2008-04-14 04:39 7,552 --a------ C:\WINDOWS\system32\drivers\mskssrv.sys
2008-09-01 09:01 . 2008-04-14 04:39 5,376 --a------ C:\WINDOWS\system32\drivers\mspclock.sys
2008-09-01 09:01 . 2001-08-17 23:59 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2008-09-01 02:23 . 2007-08-10 20:46 26,488 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-09-01 01:07 . 2008-09-01 01:07 <DIR> d-------- C:\Documents and Settings\Gabriel Cheung\Application Data\Media Player Classic
2008-09-01 01:01 . 2008-09-01 01:01 <DIR> d-------- C:\Program Files\MozBackup
2008-09-01 01:01 . 2008-09-01 01:01 0 --a------ C:\WINDOWS\nsreg.dat
2008-09-01 00:58 . 2008-09-01 00:58 <DIR> d-------- C:\Program Files\Combined Community Codec Pack
2008-09-01 00:57 . 2008-09-16 20:25 <DIR> d-------- C:\Downloads
2008-09-01 00:23 . 2008-09-01 00:23 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-31 13:58 --------- d-----w C:\Program Files\Kyocera
2008-08-31 13:49 --------- d-----w C:\Program Files\ESET
2008-08-31 13:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
2008-08-31 13:45 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-08-31 13:12 --------- d-----w C:\Program Files\microsoft frontpage
2008-08-08 06:27 926,000 ----a-w C:\WINDOWS\system32\drivers\vmx86.sys
2008-08-08 06:27 34,864 ----a-w C:\WINDOWS\system32\drivers\hcmon.sys
2008-08-08 06:26 15,920 ----a-w C:\WINDOWS\system32\drivers\vmparport.sys
2008-08-08 05:14 219,696 ----a-w C:\WINDOWS\system32\vmnc.dll
2008-07-18 12:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 12:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 12:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 12:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 12:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 12:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 12:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 12:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 08:12 295,936 ------w C:\WINDOWS\system32\wmpeffects.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{23FBFAD0-6585-4FE2-8234-0DC682C31E7F}]
2008-09-15 20:59 254464 --a------ C:\WINDOWS\system32\jkkHBQiG.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="C:\Documents and Settings\Gabriel Cheung\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 1443072]
"Optus Cable Data Monitor"="C:\Program Files\Datamonitor\Datamonitor.exe" [2007-12-11 233472]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"VMware hqtray"="C:\Program Files\VMware\VMware Player\hqtray.exe" [2008-08-08 55856]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-16 479232]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=djclpg.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\eMule\\emule.exe"=
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 33800]
R2 NwSapAgent;SAP Agent;C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S2 NOD32FiXTemDono;Eset Nod32 Boot;C:\WINDOWS\system32\regedt32.exe [2006-02-28 3584]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
BHO-{7fff3cee-3361-40e0-9518-7dcabd6b225b} - C:\WINDOWS\system32\djclpg.dll
HKLM-Run-c8e55786 - C:\WINDOWS\system32\lmijltph.dll
HKLM-Run-BMcbd6641a - C:\WINDOWS\system32\vcihpunb.dll
ShellExecuteHooks-{19A58582-71CB-42EA-9DDA-0960CE5BAB37} - (no file)
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Gabriel Cheung\Application Data\Mozilla\Firefox\Profiles\9gtvfad4.default\
FF -: plugin - C:\Documents and Settings\Gabriel Cheung\Local Settings\Application Data\Google\Update\1.2.131.11\npGoogleOneClick5.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-17 20:32:36
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\searchindexer.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-09-17 20:37:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-17 10:37:00
Pre-Run: 56,522,756,096 bytes free
Post-Run: 56,613,916,672 bytes free
257 --- E O F --- 2008-09-10 04:51:14
========================================================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:47:22 PM, on 17/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Datamonitor\Datamonitor.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Gabriel Cheung\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.mini20.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {23FBFAD0-6585-4FE2-8234-0DC682C31E7F} - C:\WINDOWS\system32\jkkHBQiG.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Optus Cable Data Monitor] C:\Program Files\Datamonitor\Datamonitor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Gabriel Cheung\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: djclpg.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
--
End of file - 6114 bytes
Thanks!
pskelley
2008-09-17, 16:41
Thanks for returning that information, read and follow the directions carefully and in the numbered order.
eMule and uTorrent <<< please see Safer Networking policy here:
http://forums.spybot.info/showthread.php?t=282
If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.
Uninstall all p2p progams from the computer.
For your information, please see this:
C:\Program Files\Messenger Plus! Live
http://inetexplorer.mvps.org/answers/43.html
1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.
2) Open notepad and copy/paste the text in the codebox below into it:
File::
C:\WINDOWS\system32\jkkHBQiG.dll
C:\WINDOWS\system32\tULbaywW.dll
C:\WINDOWS\system32\ddCsRlkI.dll.vir
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{23FBFAD0-6585-4FE2-8234-0DC682C31E7F}]
Folder::
C:\VundoFix Backups
Save this as CFScript
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)
3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
(these may be gone)
O2 - BHO: (no name) - {23FBFAD0-6585-4FE2-8234-0DC682C31E7F} - C:\WINDOWS\system32\jkkHBQiG.dll
O20 - AppInit_DLLs: djclpg.dll
Close all programs but HJT and all browser windows, then click on "Fix Checked"
4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
*Cleaning Prefetch may results in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html
5) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAm and a new HJT log.
How is the computer running now?
Thanks
flyintyger
2008-09-18, 15:25
ComboFix 08-09-16.05 - Gabriel Cheung 2008-09-18 2:53:09.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.768 [GMT 10:00]
Running from: C:\Documents and Settings\Gabriel Cheung\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Gabriel Cheung\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\VundoFix Backups
C:\WINDOWS\BMcbd6641a.txt
C:\WINDOWS\BMcbd6641a.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\ddCsRlkI.dll.vir
C:\WINDOWS\system32\GiQBHkkj.ini
C:\WINDOWS\system32\GiQBHkkj.ini2
C:\WINDOWS\system32\hihngety.dll
C:\WINDOWS\system32\jkkHBQiG.dll
C:\WINDOWS\system32\pbunoeaj.dll
C:\WINDOWS\system32\tULbaywW.dll
C:\WINDOWS\system32\ytegnhih.ini
.
((((((((((((((((((((((((( Files Created from 2008-08-17 to 2008-09-17 )))))))))))))))))))))))))))))))
.
2008-09-18 02:24 . 2008-09-18 02:24 113,152 --a------ C:\WINDOWS\system32\siknahpk.dll
2008-09-18 02:24 . 2008-09-18 02:24 113,152 --a------ C:\WINDOWS\system32\idbrzy.dll
2008-09-17 00:00 . 2008-09-17 00:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-16 21:24 . 2008-09-16 21:24 95 --a------ C:\WINDOWS\wininit.ini
2008-09-16 20:26 . 2008-09-16 20:28 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-16 20:26 . 2008-09-16 22:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-15 23:23 . 2008-09-15 23:23 <DIR> d-------- C:\Program Files\Webteh
2008-09-11 00:56 . 2008-09-11 00:56 <DIR> d-------- C:\Documents and Settings\Gabriel Cheung\Application Data\vlc
2008-09-11 00:55 . 2008-09-11 00:55 <DIR> d-------- C:\Program Files\VideoLAN
2008-09-07 20:24 . 2008-09-07 20:24 <DIR> d-------- C:\Program Files\Google
2008-09-07 00:00 . 2008-09-07 00:18 <DIR> d-------- C:\Documents and Settings\Gabriel Cheung\Application Data\VMware
2008-09-06 23:49 . 2008-09-18 02:57 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\VMware
2008-09-06 23:48 . 2008-08-08 16:25 150,064 --a------ C:\WINDOWS\system32\vmnat.exe
2008-09-06 23:48 . 2008-08-08 16:26 121,392 --a------ C:\WINDOWS\system32\vmnetdhcp.exe
2008-09-06 23:48 . 2008-08-08 16:27 25,264 --a------ C:\WINDOWS\system32\drivers\vmnetuserif.sys
2008-09-06 23:48 . 2008-08-08 15:49 16,816 -ra------ C:\WINDOWS\system32\drivers\vmnetadapter.sys
2008-09-06 23:48 . 2008-08-08 15:49 13,104 -ra------ C:\WINDOWS\system32\vnetinst.dll
2008-09-06 23:47 . 2008-08-08 16:26 436,784 --a------ C:\WINDOWS\system32\vnetlib.dll
2008-09-06 23:47 . 2008-08-08 15:49 50,992 -ra------ C:\WINDOWS\system32\vmnetbridge.dll
2008-09-06 23:47 . 2008-08-08 15:49 28,592 -ra------ C:\WINDOWS\system32\drivers\vmnetbridge.sys
2008-09-06 23:47 . 2008-08-08 15:49 17,712 -ra------ C:\WINDOWS\system32\drivers\vmnet.sys
2008-09-06 23:46 . 2008-08-08 16:27 20,912 --a------ C:\WINDOWS\system32\drivers\VMkbd.sys
2008-09-06 23:45 . 2008-09-06 23:45 <DIR> d-------- C:\Program Files\VMware
2008-09-06 23:45 . 2008-09-06 23:45 <DIR> d-------- C:\Program Files\Common Files\VMware
2008-09-06 23:45 . 2008-09-18 02:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\VMware
2008-09-06 21:02 . 2008-09-06 21:02 <DIR> d-------- C:\Program Files\Gabest
2008-09-04 19:59 . 2008-09-04 19:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-09-03 22:38 . 2008-09-03 22:50 <DIR> d-------- C:\Program Files\EditPlus 3
2008-09-03 22:38 . 2008-09-03 22:38 <DIR> d-------- C:\Documents and Settings\Gabriel Cheung\Application Data\EditPlus 3
2008-09-03 22:31 . 2008-09-03 22:38 <DIR> d-------- C:\Program Files\EditPlus 2
2008-09-03 21:17 . 2008-09-03 21:17 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2008-09-03 20:09 . 2008-09-03 20:09 <DIR> d-------- C:\Program Files\EA Sports
2008-09-03 20:06 . 2002-12-12 00:14 1,294,336 --a--c--- C:\WINDOWS\system32\dllcache\dsound3d.dll
2008-09-03 20:05 . 2008-09-03 20:05 <DIR> dr-h----- C:\Documents and Settings\Gabriel Cheung\Application Data\SecuROM
2008-09-03 20:05 . 2008-09-03 20:05 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-09-03 07:45 . 2008-09-03 07:45 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-09-03 00:26 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-09-03 00:26 . 2006-10-26 19:58 30,512 --a------ C:\WINDOWS\system32\mdimon.dll
2008-09-03 00:24 . 2008-09-03 00:24 <DIR> d-------- C:\Program Files\Microsoft Works
2008-09-03 00:23 . 2008-09-03 00:23 <DIR> d-------- C:\Program Files\MSBuild
2008-09-03 00:21 . 2008-09-03 00:21 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-09-03 00:18 . 2008-09-03 00:18 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-09-03 00:17 . 2008-09-03 00:22 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-09-03 00:17 . 2008-09-10 14:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-03 00:16 . 2008-09-03 00:16 <DIR> dr-h----- C:\MSOCache
2008-09-02 23:42 . 2008-07-18 22:07 270,880 --a------ C:\WINDOWS\system32\mucltui.dll
2008-09-02 23:42 . 2008-07-18 22:07 210,976 --a------ C:\WINDOWS\system32\muweb.dll
2008-09-02 23:42 . 2008-07-18 22:07 29,728 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-09-02 21:34 . 2008-09-03 18:59 <DIR> d-------- C:\Documents and Settings\Gabriel Cheung\Contacts
2008-09-02 21:33 . 2008-09-02 21:33 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-09-02 21:30 . 2008-09-02 21:30 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-09-02 21:28 . 2008-09-02 21:29 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-09-02 21:27 . 2008-09-02 21:32 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-09-02 21:26 . 2008-09-02 21:32 <DIR> d-------- C:\Program Files\Windows Live
2008-09-02 21:26 . 2008-09-02 21:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-09-01 23:55 . 2008-09-01 23:55 <DIR> d--h----- C:\WINDOWS\PIF
2008-09-01 23:45 . 2008-06-24 02:57 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-09-01 23:45 . 2007-04-17 19:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-09-01 23:45 . 2007-03-08 15:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-09-01 23:45 . 2008-06-24 02:57 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-09-01 23:45 . 2008-06-24 02:57 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-09-01 23:45 . 2008-06-24 02:57 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-09-01 23:45 . 2008-06-24 02:57 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-09-01 23:45 . 2008-06-24 02:57 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-09-01 23:45 . 2008-06-23 19:20 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-09-01 23:11 . 2008-09-01 23:11 <DIR> d-------- C:\Documents and Settings\Gabriel Cheung\Application Data\Windows Desktop Search
2008-09-01 23:10 . 2008-09-01 23:10 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-09-01 23:10 . 2008-03-08 03:02 192,000 -----c--- C:\WINDOWS\system32\dllcache\offfilt.dll
2008-09-01 23:10 . 2008-03-08 03:02 98,304 -----c--- C:\WINDOWS\system32\dllcache\nlhtml.dll
2008-09-01 23:10 . 2008-03-08 03:02 29,696 -----c--- C:\WINDOWS\system32\dllcache\mimefilt.dll
2008-09-01 23:03 . 2008-09-01 23:03 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-09-01 23:02 . 2008-09-01 23:02 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-09-01 23:02 . 2008-09-01 23:03 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-09-01 22:57 . 2008-09-01 22:57 <DIR> d-------- C:\WINDOWS\NV35803596.TMP
2008-09-01 22:57 . 2004-05-20 10:11 172,032 --a------ C:\WINDOWS\system32\nvuaudio.exe
2008-09-01 22:57 . 2004-04-23 01:30 3,787 --a------ C:\WINDOWS\system32\nvaudio.nvu
2008-09-01 22:56 . 2008-09-01 22:56 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-09-01 22:55 . 2008-07-23 00:45 1,214,526 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-09-01 22:55 . 2008-07-23 00:45 790,846 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-09-01 22:55 . 2008-07-23 00:45 9,696 -----c--- C:\WINDOWS\system32\dllcache\drvmain.sdb
2008-09-01 22:41 . 2008-09-01 22:41 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-09-01 22:41 . 2008-09-01 22:41 <DIR> d-------- C:\WINDOWS\system32\en
2008-09-01 22:41 . 2008-09-01 22:41 <DIR> d-------- C:\WINDOWS\system32\bits
2008-09-01 22:41 . 2008-09-01 22:41 <DIR> d-------- C:\WINDOWS\l2schemas
2008-09-01 22:38 . 2008-09-01 22:38 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-09-01 22:20 . 2008-09-18 02:06 <DIR> d-------- C:\Documents and Settings\Gabriel Cheung\Application Data\uTorrent
2008-09-01 21:38 . 2008-09-01 21:38 13,646 --a------ C:\WINDOWS\system32\wpa.bak
2008-09-01 21:16 . 2008-04-14 10:12 4,274,816 --------- C:\WINDOWS\system32\nv4_disp.dll
2008-09-01 21:15 . 2008-04-14 10:11 377,984 --------- C:\WINDOWS\system32\ati2dvaa.dll
2008-09-01 20:54 . 2008-09-01 20:54 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-09-01 20:44 . 2008-09-01 20:44 <DIR> d-------- C:\Documents and Settings\Gabriel Cheung\Application Data\DAEMON Tools
2008-09-01 20:44 . 2008-09-01 20:44 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-09-01 20:42 . 2008-09-18 02:49 <DIR> d-------- C:\Program Files\Datamonitor
2008-09-01 20:35 . 2008-05-02 00:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-09-01 20:35 . 2008-06-13 21:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-09-01 20:35 . 2008-05-09 00:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-09-01 09:03 . 2008-04-14 10:09 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-09-01 09:02 . 2006-02-28 22:00 180,258 --a--c--- C:\WINDOWS\system32\dllcache\c_20000.nls
2008-09-01 09:01 . 2008-04-14 04:45 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2008-09-01 09:01 . 2008-04-14 05:17 83,072 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2008-09-01 09:01 . 2008-04-14 05:15 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2008-09-01 09:01 . 2008-04-14 04:40 57,600 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2008-09-01 09:01 . 2008-04-14 04:39 7,552 --a------ C:\WINDOWS\system32\drivers\mskssrv.sys
2008-09-01 09:01 . 2008-04-14 04:39 5,376 --a------ C:\WINDOWS\system32\drivers\mspclock.sys
2008-09-01 09:01 . 2001-08-17 23:59 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2008-09-01 02:23 . 2007-08-10 20:46 26,488 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-09-01 01:07 . 2008-09-01 01:07 <DIR> d-------- C:\Documents and Settings\Gabriel Cheung\Application Data\Media Player Classic
2008-09-01 01:01 . 2008-09-01 01:01 <DIR> d-------- C:\Program Files\MozBackup
2008-09-01 01:01 . 2008-09-01 01:01 0 --a------ C:\WINDOWS\nsreg.dat
2008-09-01 00:58 . 2008-09-01 00:58 <DIR> d-------- C:\Program Files\Combined Community Codec Pack
2008-09-01 00:57 . 2008-09-16 20:25 <DIR> d-------- C:\Downloads
2008-09-01 00:23 . 2008-09-01 00:23 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-31 13:58 --------- d-----w C:\Program Files\Kyocera
2008-08-31 13:49 --------- d-----w C:\Program Files\ESET
2008-08-31 13:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
2008-08-31 13:45 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-08-31 13:12 --------- d-----w C:\Program Files\microsoft frontpage
2008-08-08 06:27 926,000 ----a-w C:\WINDOWS\system32\drivers\vmx86.sys
2008-08-08 06:27 34,864 ----a-w C:\WINDOWS\system32\drivers\hcmon.sys
2008-08-08 06:26 15,920 ----a-w C:\WINDOWS\system32\drivers\vmparport.sys
2008-08-08 05:14 219,696 ----a-w C:\WINDOWS\system32\vmnc.dll
2008-07-18 12:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 12:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 12:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 12:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 12:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 12:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 12:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 12:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 08:12 295,936 ------w C:\WINDOWS\system32\wmpeffects.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
.
((((((((((((((((((((((((((((( snapshot@2008-09-17_20.36.28.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-17 16:57:06 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_c44.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{86b1eacc-ca72-4f57-b650-e2618c35ae14}]
2008-09-18 02:24 113152 --a------ C:\WINDOWS\system32\idbrzy.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="C:\Documents and Settings\Gabriel Cheung\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 1443072]
"Optus Cable Data Monitor"="C:\Program Files\Datamonitor\Datamonitor.exe" [2007-12-11 233472]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"VMware hqtray"="C:\Program Files\VMware\VMware Player\hqtray.exe" [2008-08-08 55856]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-16 479232]
"BMcbd6641a"="C:\WINDOWS\system32\pbunoeaj.dll" [BU]
"c8e55786"="C:\WINDOWS\system32\hihngety.dll" [BU]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 33800]
R2 NwSapAgent;SAP Agent;C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S2 NOD32FiXTemDono;Eset Nod32 Boot;C:\WINDOWS\system32\regedt32.exe [2006-02-28 3584]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
BHO-{20B3B234-9511-454D-A889-3C560A9CBAB3} - C:\WINDOWS\system32\jkkHBQiG.dll
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-18 02:56:24
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\searchindexer.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\searchprotocolhost.exe
C:\WINDOWS\system32\rundll32.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Completion time: 2008-09-18 3:00:48 - machine was rebooted [Gabriel Cheung]
ComboFix-quarantined-files.txt 2008-09-17 17:00:42
ComboFix2.txt 2008-09-17 10:37:11
Pre-Run: 57,473,441,792 bytes free
Post-Run: 57,463,410,688 bytes free
246 --- E O F --- 2008-09-10 04:51:14
=============================================================================================
Malwarebytes' Anti-Malware 1.28
Database version: 1164
Windows 5.1.2600 Service Pack 3
18/09/2008 10:23:36 PM
mbam-log-2008-09-18 (22-23-36).txt
Scan type: Full Scan (C:\|D:\|G:\|J:\|)
Objects scanned: 97737
Time elapsed: 55 minute(s), 31 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 22
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{86b1eacc-ca72-4f57-b650-e2618c35ae14} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{86b1eacc-ca72-4f57-b650-e2618c35ae14} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bmcbd6641a (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c8e55786 (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\idbrzy.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Gabriel Cheung\My Documents\Downloads\BS.Player_Pro_v2.31.974\CORE10k.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ddCsRlkI.dll.vir.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\djclpg.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\jkkHBQiG.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\lmijltph.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\omwsir.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\tULbaywW.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\uuyxhsco.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\wyqmnvem.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\yglhrkfx.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6BFC205E-AA42-4BA5-8A57-F112DD5CDF0D}\RP31\A0006284.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6BFC205E-AA42-4BA5-8A57-F112DD5CDF0D}\RP31\A0006336.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6BFC205E-AA42-4BA5-8A57-F112DD5CDF0D}\RP33\A0006386.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6BFC205E-AA42-4BA5-8A57-F112DD5CDF0D}\RP33\A0006387.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6BFC205E-AA42-4BA5-8A57-F112DD5CDF0D}\RP33\A0006388.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6BFC205E-AA42-4BA5-8A57-F112DD5CDF0D}\RP33\A0006389.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6BFC205E-AA42-4BA5-8A57-F112DD5CDF0D}\RP33\A0006390.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6BFC205E-AA42-4BA5-8A57-F112DD5CDF0D}\RP33\A0006391.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6BFC205E-AA42-4BA5-8A57-F112DD5CDF0D}\RP35\A0006587.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6BFC205E-AA42-4BA5-8A57-F112DD5CDF0D}\RP35\A0006588.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\siknahpk.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
=====================================================================================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:24:41 PM, on 18/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Datamonitor\Datamonitor.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Gabriel Cheung\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.mini20.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Optus Cable Data Monitor] C:\Program Files\Datamonitor\Datamonitor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Gabriel Cheung\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
--
End of file - 6063 bytes
Thanks for your help
comp seems to be ok at the moment =)
pskelley
2008-09-18, 16:25
Thanks for returning your information and the feedback, it appears you may be formatting the HJT log, and my scanners can not work with that. At the top of NOTEPAD, click on Format and uncheck "Word Wrap" until we are finish.
The HJT log looks to be clean of malware, most of what MBAM located is either in combofix quarantine, or infected System Restore files, we will address those soon.
There are two files I am concerned about:
2008-09-18 02:24 . 2008-09-18 02:24 113,152 --a------ C:\WINDOWS\system32\siknahpk.dll
2008-09-18 02:24 . 2008-09-18 02:24 113,152 --a------ C:\WINDOWS\system32\idbrzy.dll
These were just created as you can see, you are keeping this computer offline...the junk can and will download more!
Make sure you can view all files and folders:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Use on or more of these free scanners to find out what ther are:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/
Delete them if they scan bad, here are the files to scan:
C:\WINDOWS\system32\siknahpk.dll
C:\WINDOWS\system32\idbrzy.dll
also post an uninstall list:
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Thanks
flyintyger
2008-09-18, 17:36
hi, thanks for all your help!
umm...
i cant seem to find those 2 files you want me to scan... when i browse to the system32 folder, neither of the files are in there. I have changed the folder such that there are no hidden files or protected OS files =\
Here is the uninstall list:
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 9
Adobe Shockwave Player
ATI Display Driver
BS.Player PRO
Burnsies OptusNet DataMonitor
Combined Community Codec Pack 2008-01-24
EditPlus 3
ESET NOD32 Antivirus
FIFA 08
Google Gears
Google Gmail Notifier
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Malwarebytes' Anti-Malware
Messenger Plus! Live
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (3.0.1)
NOD32 v3.0.642 FiX1.2 by TemDono (31 days remaining forever up
NVIDIA Drivers
NVIDIA Windows 2000/XP nForce Drivers
Security Update for 2007 Microsoft Office System (KB951596)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Microsoft Office Excel 2007 (KB951546)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB951808)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office Word 2007 (KB950113)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Spybot - Search & Destroy
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb956080)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB951978)
VideoLAN VLC media player 0.8.6i
VMware Player
VobSub v2.23 (Remove Only)
Windows Internet Explorer 7
Windows Live installer
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3
WinRAR archiver
pskelley
2008-09-18, 17:45
You can see when combofix says those files were created: 2008-09-18 02:24
Use Search Companion, they may be running from Temp or TIF folders, it is important that we locate them, and find out what they are, unless you installed something at that time.
Messenger Plus! Live <<< see this: http://inetexplorer.mvps.org/answers/43.html
Any malware symptoms?
Thanks
flyintyger
2008-09-18, 17:57
Hi,
i've tried using the windows search function... but neither of those files seem to appear...
I didnt i install anything at that time
should i maybe run combofix again to see if theyre still there?
I've uninstalled Messenger Plus!
Computer seems to be running fine at the moment with no obvious signs of malware
pskelley
2008-09-18, 19:44
Thanks for the feedback, let's do this...
Remove combofix from the computer like this:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
Clean infected System Restore files like this:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
Update and scan with MBAM to make sure we missed nothing, no need to post a clean scan result.
Update ESET NOD32 Antivirus and scan the System to make sure it is running right and scanning clean.
Let me know how the computer is running at this point. If there are no issues, I will close the topic.
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
http://www.malwarecomplaints.info/
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
http://users.telenet.be/bluepatchy/miekiemoes/Links.html
flyintyger
2008-09-20, 12:01
I just ran a scan and everything seems fine...
thanks a lot for your help!! =D