View Full Version : log file of Trend Micro HijackThis from another virtumonde victim
london_peter
2008-09-20, 16:02
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:58:49, on 20-09-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\DkService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Pierre and Miki\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\Datecs\Flex2K.exe
C:\Documents and Settings\Pierre and Miki\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Pierre and Miki\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\ZTE Mobile Connection\datacard.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\DkIcon.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [cc060860] rundll32.exe "C:\WINDOWS\system32\wfbkvcfd.dll",b
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Pierre and Miki\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: FlexType 2K.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4335719D-02AE-4337-9A76-A563814A74A8}: NameServer = 4.2.2.3 4.2.2.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{E306ECBA-12C0-4D22-98DA-3D90C9A7B085}: NameServer = 193.200.15.156,193.200.15.155
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: rxutst.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
--
End of file - 10455 bytes
london_peter
2008-09-20, 16:22
Spybot S&D wants me to reboot during every scan. Finds Virtumonde, and when i reboot I can only see the Spybot scan and in the middle of the process an alert appears offering me to "Work Offline" or to Try Again to connect to the internet. I made 3 full scans and then clicked on "Fix .." but then I re-scan and It finds virtumonde again. So now I did this logfile. Since this problem first appeared - with opening random webpages I stopped using IE and now use only Google Chrome.
Thank you for your help.
PS - Do I have to resend the logfile again, because copied and submitted it without unchecking word wrap in Notepad?
pskelley
2008-09-24, 03:46
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.
Posting additional comments or logs before a volunteer responds, can push you back instead of forward, because your thread ends up with a newer date. Also, helpers may think you are already being assisted because of the post count.
If you still need help, we will start like this:
1) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)
2) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Remove any old copies of combofix before you proceed.
Thanks to sUBs and anyone else who helped with this fix.
It is important that it is saved directly to your Desktop.
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Post the combofix log and a new HJT log.
Thanks
london_peter
2008-09-24, 12:39
ComboFix 08-09-22.06 - Pierre and Miki 2008-09-24 10:27:28.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1521 [GMT 1:00]
Running from: C:\Documents and Settings\Pierre and Miki\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\BMcf353bfc.txt
C:\WINDOWS\BMcf353bfc.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\dfcvkbfw.ini
C:\WINDOWS\system32\fccyxwxX.dll
C:\WINDOWS\system32\giyfujia.ini
C:\WINDOWS\system32\kiluywns.ini
C:\WINDOWS\system32\koxrotnq.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\opnOggHy.dll
C:\WINDOWS\system32\schbkxlp.ini
C:\WINDOWS\system32\ucqmbtoe.ini
C:\WINDOWS\system32\uhlfumsj.ini
C:\WINDOWS\system32\wamvqtbn.ini
C:\WINDOWS\system32\xmbfmshd.ini
C:\WINDOWS\system32\xokhjkvl.ini
C:\WINDOWS\system32\xqoqcyrc.ini
C:\WINDOWS\system32\Xxwxyccf.ini
C:\WINDOWS\system32\Xxwxyccf.ini2
I:\AUTORUN.INF
.
((((((((((((((((((((((((( Files Created from 2008-08-24 to 2008-09-24 )))))))))))))))))))))))))))))))
.
2008-09-23 16:44 . 2008-09-23 16:44 <DIR> d-------- C:\Program Files\Sun
2008-09-23 16:43 . 2008-09-23 16:43 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
2008-09-23 16:43 . 2008-09-23 16:43 89,600 --a------ C:\WINDOWS\system32\dhsmfbmx.dll
2008-09-23 16:40 . 2008-09-23 16:40 97,280 --a------ C:\WINDOWS\system32\brttaiig.dll_old
2008-09-23 12:40 . 2008-09-23 12:40 111,616 --a------ C:\WINDOWS\system32\utruuz.dll
2008-09-23 12:40 . 2008-09-23 12:40 111,616 --a------ C:\WINDOWS\system32\lgnpwtuv.dll
2008-09-23 12:37 . 2008-09-23 12:37 89,600 --a------ C:\WINDOWS\system32\lvkjhkox.dll
2008-09-22 12:23 . 2008-09-22 12:23 90,624 --a------ C:\WINDOWS\system32\myfjrcek.dll
2008-09-22 12:23 . 2008-09-22 12:23 294 --ahs---- C:\WINDOWS\system32\kecrjfym.ini
2008-09-20 15:17 . 2008-09-20 15:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-09-20 13:57 . 2008-09-20 13:57 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-20 12:42 . 2008-09-24 10:16 374 --a------ C:\WINDOWS\wininit.ini
2008-09-20 11:54 . 2008-09-20 12:01 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-20 11:54 . 2008-09-20 13:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-19 07:49 . 2008-09-19 07:49 112,640 --a------ C:\WINDOWS\system32\vwwnojpo.dll
2008-09-19 07:49 . 2008-09-19 07:49 112,640 --a------ C:\WINDOWS\system32\cghpfz.dll
2008-09-18 12:35 . 2008-09-18 12:35 112,640 --a------ C:\WINDOWS\system32\jvmyqsse.dll
2008-09-18 12:35 . 2008-09-18 12:35 112,640 --a------ C:\WINDOWS\system32\ikrncl.dll
2008-09-17 13:18 . 2008-09-17 13:18 113,152 --a------ C:\WINDOWS\system32\pexgxaye.dll
2008-09-17 13:18 . 2008-09-17 13:18 113,152 --a------ C:\WINDOWS\system32\mcjxnk.dll
2008-09-17 08:29 . 2008-09-17 08:31 74,240 --------- C:\Documents and Settings\Pierre and Miki\MediaTubeCodec_ver1.1502.0.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-24 09:24 --------- d-----w C:\Program Files\ZTE Mobile Connection
2008-09-23 15:44 --------- d-----w C:\Documents and Settings\Pierre and Miki\Application Data\Skype
2008-09-23 15:43 --------- d-----w C:\Program Files\Java
2008-09-23 15:42 --------- d-----w C:\Documents and Settings\Pierre and Miki\Application Data\skypePM
2008-09-20 13:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-20 13:45 --------- d-----r C:\Program Files\Ad-Aware 2007
2008-09-15 00:42 --------- d-----w C:\Program Files\Soulseek
2008-09-12 16:56 --------- d-----w C:\Program Files\ICQ6
2008-09-12 16:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-07 11:41 --------- d-----w C:\Documents and Settings\Pierre and Miki\Application Data\dvdcss
2008-08-30 12:29 3,766 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-08-18 19:55 112,640 ----a-w C:\WINDOWS\system32\ipsqcr.dll
2008-08-18 19:55 112,640 ----a-w C:\WINDOWS\system32\eqxerkih.dll
2008-08-18 11:46 112,640 ----a-w C:\WINDOWS\system32\lotvba.dll
2008-08-18 11:46 112,640 ----a-w C:\WINDOWS\system32\gtxbisia.dll
2008-08-18 08:34 90,624 ----a-w C:\WINDOWS\system32\eotbmqcu.dll
2008-08-18 08:31 97,792 ----a-w C:\WINDOWS\system32\ptqjgnke.dll
2008-08-18 08:31 113,152 ----a-w C:\WINDOWS\system32\tpvene.dll
2008-08-18 08:31 113,152 ----a-w C:\WINDOWS\system32\ksgqblkk.dll
2008-08-15 17:50 2,828 --sha-w C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2008-08-10 20:56 --------- d-----w C:\Documents and Settings\Pierre and Miki\Application Data\Likno
2008-07-26 11:28 --------- d-----w C:\Program Files\BSPlayer
2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 21:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 21:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 21:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 21:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 21:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 21:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 21:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 17:12 295,936 ----a-w C:\WINDOWS\system32\wmpeffects.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-03-01 22:35 8 --sh--r C:\Documents and Settings\All Users\Application Data\9BC0160D97.sys
2007-11-23 06:19 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-10-16 14:03 8 --sha-r C:\WINDOWS\system32\9BC0160D97.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 15360]
"Google Update"="C:\Documents and Settings\Pierre and Miki\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-13 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-16 8491008]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-16 81920]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-10-09 917504]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 155648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 C:\WINDOWS\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-09-16 C:\WINDOWS\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 15360]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
FlexType 2K.lnk - C:\WINDOWS\Datecs\Flex2K.exe [2007-12-08 151552]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=tpvene.dll utruuz.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"msacm.avis"= ff_acm.acm
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\Soulseek\\slsk.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
R2 PSI_SVC_2;Protexis Licensing V2;c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe [2007-07-24 185632]
S3 cmudau;C-Media USB Sound Interface;C:\WINDOWS\system32\drivers\cmudaxu.sys [2005-12-04 1390144]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05f704a1-7678-11dc-bd24-806d6172696f}]
\Shell\AutoRun\command - F:\Run.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
BHO-{021BA8E8-0C51-4F6E-A79E-4FCDF7814DF0} - (no file)
BHO-{04ED7F57-54A1-44F5-B4E3-9960642B0021} - (no file)
BHO-{09249233-166B-4B6F-9C56-EDAC28238D4D} - C:\WINDOWS\system32\fccyxwxX.dll
BHO-{2F30D64D-663C-45B0-8CFF-781E97604E86} - (no file)
BHO-{3808166D-640F-4468-98E8-4E53AE1FF113} - C:\WINDOWS\system32\opnOggHy.dll
BHO-{6788A6D3-5D23-4CF9-9794-1A75CE6542F4} - (no file)
BHO-{CF196EB4-2549-49DE-B6B8-4A12EFC524A8} - (no file)
BHO-{E05C99AF-9938-463A-94F8-1A3CC5DA3DB8} - (no file)
HKCU-Run-MsnMsgr - C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
HKLM-Run-SunJavaUpdateSched - C:\Program Files\Java\jre6\bin\jusched.exe
HKLM-Run-BMcf353bfc - C:\WINDOWS\system32\brttaiig.dll
ShellExecuteHooks-{3808166D-640F-4468-98E8-4E53AE1FF113} - C:\WINDOWS\system32\opnOggHy.dll
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Pierre and Miki\Application Data\Mozilla\Firefox\Profiles\u4i8c7cl.default\
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-24 10:31:19
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\Program Files\Common Files\Adobe\Adobe PCD\cache\cache.db-journal 3608 bytes
scan completed successfully
hidden files: 1
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Ad-Aware 2007\aawservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\DkService.exe
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2008-09-24 10:35:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-24 09:34:56
Pre-Run: 61,826,674,688 bytes free
Post-Run: 61,737,078,784 bytes free
200 --- E O F --- 2008-09-12 16:49:04
london_peter
2008-09-24, 12:40
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:10, on 24-09-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\DkService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Documents and Settings\Pierre and Miki\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\Datecs\Flex2K.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Pierre and Miki\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: FlexType 2K.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4335719D-02AE-4337-9A76-A563814A74A8}: NameServer = 4.2.2.3 4.2.2.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{E306ECBA-12C0-4D22-98DA-3D90C9A7B085}: NameServer = 193.200.15.156,193.200.15.155
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: tpvene.dll utruuz.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
--
End of file - 8508 bytes
pskelley
2008-09-24, 15:57
Thanks for returning your information, combofix removed a lot of the junk, but we have more work to do. You have left this infection a while and it has the ability to morph and recreate files.
C:\WINDOWS\Datecs\Flex2K.exe <<< not much information, can you assure me this is valid.
C:\Documents and Settings\Pierre and Miki\MediaTubeCodec_ver1.1502.0.exe <<< i do not like the looks of this:
http://www.google.com/search?hl=en&q=MediaTubeCodec_ver1.1502.0.exe&btnG=Search
http://forums.spybot.info/showthread.php?t=7344 <<< see this, unless you are positive that is safe, I suggest you delete it from the computer.
http://forums.spybot.info/showthread.php?t=282
If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.
Soulseek <<< uninstall all p2p programs
F:\Run.exe <<< see this information
http://www.bleepingcomputer.com/startups/run.exe-9916.html
http://www.google.com/search?hl=en&q=Run.exe&btnG=Search
I will remove the file and mountpoint, you will need to format that F:\ drive.
Pen drive/USB stick
http://www.scribd.com/doc/231100/Reformatting-a-USB-Drive
I caution you to take more care about where you stick your stick.
Read and follow the directions carefully and in the numbered order.
1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.
2) Open notepad and copy/paste the text in the codebox below into it:
Driver::
9BC0160D97
File::
F:\Run.exe
C:\WINDOWS\system32\dhsmfbmx.dll
C:\WINDOWS\system32\brttaiig.dll_old
C:\WINDOWS\system32\utruuz.dll
C:\WINDOWS\system32\lgnpwtuv.dll
C:\WINDOWS\system32\lvkjhkox.dll
C:\WINDOWS\system32\myfjrcek.dll
C:\WINDOWS\system32\kecrjfym.ini
C:\WINDOWS\system32\ipsqcr.dll
C:\WINDOWS\system32\eqxerkih.dll
C:\WINDOWS\system32\lotvba.dll
C:\WINDOWS\system32\gtxbisia.dll
C:\WINDOWS\system32\eotbmqcu.dll
C:\WINDOWS\system32\ptqjgnke.dll
C:\WINDOWS\system32\tpvene.dll
C:\WINDOWS\system32\ksgqblkk.dll
C:\WINDOWS\system32\9BC0160D97.sys
C:\Documents and Settings\All Users\Application Data\9BC0160D97.sys
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05f704a1-7678-11dc-bd24-806d6172696f}]
Save this as CFScript
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)
3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O20 - AppInit_DLLs: tpvene.dll utruuz.dll
Close all programs but HJT and all browser windows, then click on "Fix Checked"
4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
*Cleaning Prefetch may results in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html
5) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log.
How is the computer running?
Thanks
london_peter
2008-09-24, 16:41
ComboFix 08-09-22.06 - Pierre and Miki 2008-09-24 14:27:48.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1526 [GMT 1:00]
Running from: C:\Documents and Settings\Pierre and Miki\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Pierre and Miki\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\Documents and Settings\All Users\Application Data\9BC0160D97.sys
C:\WINDOWS\system32\9BC0160D97.sys
C:\WINDOWS\system32\brttaiig.dll_old
C:\WINDOWS\system32\dhsmfbmx.dll
C:\WINDOWS\system32\eotbmqcu.dll
C:\WINDOWS\system32\eqxerkih.dll
C:\WINDOWS\system32\gtxbisia.dll
C:\WINDOWS\system32\ipsqcr.dll
C:\WINDOWS\system32\kecrjfym.ini
C:\WINDOWS\system32\ksgqblkk.dll
C:\WINDOWS\system32\lgnpwtuv.dll
C:\WINDOWS\system32\lotvba.dll
C:\WINDOWS\system32\lvkjhkox.dll
C:\WINDOWS\system32\myfjrcek.dll
C:\WINDOWS\system32\ptqjgnke.dll
C:\WINDOWS\system32\tpvene.dll
C:\WINDOWS\system32\utruuz.dll
F:\Run.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\9BC0160D97.sys
C:\WINDOWS\system32\9BC0160D97.sys
C:\WINDOWS\system32\brttaiig.dll_old
C:\WINDOWS\system32\dhsmfbmx.dll
C:\WINDOWS\system32\eotbmqcu.dll
C:\WINDOWS\system32\eqxerkih.dll
C:\WINDOWS\system32\gtxbisia.dll
C:\WINDOWS\system32\ipsqcr.dll
C:\WINDOWS\system32\kecrjfym.ini
C:\WINDOWS\system32\ksgqblkk.dll
C:\WINDOWS\system32\lgnpwtuv.dll
C:\WINDOWS\system32\lotvba.dll
C:\WINDOWS\system32\lvkjhkox.dll
C:\WINDOWS\system32\myfjrcek.dll
C:\WINDOWS\system32\ptqjgnke.dll
C:\WINDOWS\system32\tpvene.dll
C:\WINDOWS\system32\utruuz.dll
.
((((((((((((((((((((((((( Files Created from 2008-08-24 to 2008-09-24 )))))))))))))))))))))))))))))))
.
2008-09-23 16:44 . 2008-09-23 16:44 <DIR> d-------- C:\Program Files\Sun
2008-09-23 16:43 . 2008-09-23 16:43 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
2008-09-20 15:17 . 2008-09-20 15:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-09-20 13:57 . 2008-09-20 13:57 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-20 12:42 . 2008-09-24 10:16 374 --a------ C:\WINDOWS\wininit.ini
2008-09-20 11:54 . 2008-09-20 12:01 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-20 11:54 . 2008-09-20 13:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-19 07:49 . 2008-09-19 07:49 112,640 --a------ C:\WINDOWS\system32\vwwnojpo.dll
2008-09-19 07:49 . 2008-09-19 07:49 112,640 --a------ C:\WINDOWS\system32\cghpfz.dll
2008-09-18 12:35 . 2008-09-18 12:35 112,640 --a------ C:\WINDOWS\system32\jvmyqsse.dll
2008-09-18 12:35 . 2008-09-18 12:35 112,640 --a------ C:\WINDOWS\system32\ikrncl.dll
2008-09-17 13:18 . 2008-09-17 13:18 113,152 --a------ C:\WINDOWS\system32\pexgxaye.dll
2008-09-17 13:18 . 2008-09-17 13:18 113,152 --a------ C:\WINDOWS\system32\mcjxnk.dll
2008-09-17 08:29 . 2008-09-17 08:31 74,240 --------- C:\Documents and Settings\Pierre and Miki\MediaTubeCodec_ver1.1502.0.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-24 12:04 --------- d-----w C:\Program Files\ICQ6
2008-09-24 11:56 --------- d-----w C:\Program Files\ZTE Mobile Connection
2008-09-23 15:44 --------- d-----w C:\Documents and Settings\Pierre and Miki\Application Data\Skype
2008-09-23 15:43 --------- d-----w C:\Program Files\Java
2008-09-23 15:42 --------- d-----w C:\Documents and Settings\Pierre and Miki\Application Data\skypePM
2008-09-20 13:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-20 13:45 --------- d-----r C:\Program Files\Ad-Aware 2007
2008-09-12 16:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-07 11:41 --------- d-----w C:\Documents and Settings\Pierre and Miki\Application Data\dvdcss
2008-08-30 12:29 3,766 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-08-15 17:50 2,828 --sha-w C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2008-08-10 20:56 --------- d-----w C:\Documents and Settings\Pierre and Miki\Application Data\Likno
2008-07-26 11:28 --------- d-----w C:\Program Files\BSPlayer
2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 21:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 21:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 21:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 21:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 21:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 21:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 21:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 17:12 295,936 ----a-w C:\WINDOWS\system32\wmpeffects.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2007-11-23 06:19 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.
((((((((((((((((((((((((((((( snapshot@2008-09-24_10.34.44.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-24 13:30:15 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_1dc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 15360]
"Google Update"="C:\Documents and Settings\Pierre and Miki\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-13 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-16 8491008]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-16 81920]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-10-09 917504]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 155648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 C:\WINDOWS\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-09-16 C:\WINDOWS\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 15360]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
FlexType 2K.lnk - C:\WINDOWS\Datecs\Flex2K.exe [2007-12-08 151552]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"msacm.avis"= ff_acm.acm
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
R2 PSI_SVC_2;Protexis Licensing V2;c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe [2007-07-24 185632]
S3 cmudau;C-Media USB Sound Interface;C:\WINDOWS\system32\drivers\cmudaxu.sys [2005-12-04 1390144]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\AutoRun.exe
.
Contents of the 'Scheduled Tasks' folder
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-24 14:30:29
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Ad-Aware 2007\aawservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\DkService.exe
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2008-09-24 14:34:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-24 13:34:28
ComboFix2.txt 2008-09-24 09:35:17
Pre-Run: 61,558,493,184 bytes free
Post-Run: 61,551,403,008 bytes free
179 --- E O F --- 2008-09-12 16:49:04
london_peter
2008-09-24, 16:43
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:39:02, on 24-09-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\DkService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Documents and Settings\Pierre and Miki\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Datecs\Flex2K.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\ZTE Mobile Connection\datacard.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Pierre and Miki\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: FlexType 2K.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4335719D-02AE-4337-9A76-A563814A74A8}: NameServer = 4.2.2.3 4.2.2.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{E306ECBA-12C0-4D22-98DA-3D90C9A7B085}: NameServer = 193.200.15.156,193.200.15.155
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
--
End of file - 8518 bytes
london_peter
2008-09-24, 16:46
this is a program to use your latin keyboeard for cyrillic purposes (I'm born in bulgaria so it's my native language is in cyrillic) - it's not a problem to remove it, thow as noe i live and work in london
pskelley
2008-09-24, 17:22
Thanks for returning your information and the feedback, you said:
this is a program to use your latin keyboeard for cyrillic purposes
Not necessary that you remove it unless you want to, I just could not find enough information to vaidate it one way or another.
How is the computer running? <<< I did need this information however, hard to know what is happening on the computer from here.
Am I missing something?
5) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe
refer to my last post for instructions.
Please make sure you can view all files and folders for your Operating System:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Navigate to the C:\WINDOWS\system32\ <<< folder and delete these files if there.
C:\WINDOWS\system32\vwwnojpo.dll
C:\WINDOWS\system32\cghpfz.dll
C:\WINDOWS\system32\jvmyqsse.dll
C:\WINDOWS\system32\ikrncl.dll
C:\WINDOWS\system32\pexgxaye.dll
C:\WINDOWS\system32\mcjxnk.dll
let me know you were successful.
I wait now for the results of the MBAM scan and any information I requested.
Thanks
london_peter
2008-09-24, 17:43
Performing scan with Malwarebytes - Ant-Malware.
I couldn not find
O20 - AppInit_DLLs: tpvene.dll utruuz.dll
in HJthis when performed Do a system scan only. It just wasn't in the list.
Is this a problem? I hope it's better that it wasn't there anymore.
Thank You for the help as soon as I finish this scan I will post the log files you
asked .
The CFScript that I copy - pasted from your post into Notepad dissappeared when i dragged it into ComboFix. Then Combofix asked me for permission to Run because I have checked the Always ask when open ... checkbox. Is this correct or something's wrong?
london_peter
2008-09-24, 18:05
Malwarebytes' Anti-Malware 1.28
Database version: 1201
Windows 5.1.2600 Service Pack 2
24-09-08 16:04:11
mbam-log-2008-09-24 (16-04-11).txt
Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 270058
Time elapsed: 52 minute(s), 15 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 60
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\Pierre and Miki\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_0000d2 (Rogue.Installer) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\brttaiig.dll_old.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\dhsmfbmx.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\eotbmqcu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\eqxerkih.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\gtxbisia.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\tpvene.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\utruuz.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ipsqcr.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ksgqblkk.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\lgnpwtuv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\lotvba.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\lvkjhkox.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\myfjrcek.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ptqjgnke.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E005B1F1-5D9A-4920-9262-0AF89B739EB3}\RP321\A0086922.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E005B1F1-5D9A-4920-9262-0AF89B739EB3}\RP322\A0086956.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E005B1F1-5D9A-4920-9262-0AF89B739EB3}\RP322\A0086957.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E005B1F1-5D9A-4920-9262-0AF89B739EB3}\RP322\A0087096.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E005B1F1-5D9A-4920-9262-0AF89B739EB3}\RP322\A0087173.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E005B1F1-5D9A-4920-9262-0AF89B739EB3}\RP326\A0088361.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E005B1F1-5D9A-4920-9262-0AF89B739EB3}\RP328\A0088481.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E005B1F1-5D9A-4920-9262-0AF89B739EB3}\RP328\A0088526.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E005B1F1-5D9A-4920-9262-0AF89B739EB3}\RP328\A0088527.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E005B1F1-5D9A-4920-9262-0AF89B739EB3}\RP328\A0088528.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E005B1F1-5D9A-4920-9262-0AF89B739EB3}\RP328\A0088529.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E005B1F1-5D9A-4920-9262-0AF89B739EB3}\RP328\A0088530.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E005B1F1-5D9A-4920-9262-0AF89B739EB3}\RP328\A0088541.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E005B1F1-5D9A-4920-9262-0AF89B739EB3}\RP328\A0088548.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E005B1F1-5D9A-4920-9262-0AF89B739EB3}\RP330\A0088784.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E005B1F1-5D9A-4920-9262-0AF89B739EB3}\RP330\A0088778.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E005B1F1-5D9A-4920-9262-0AF89B739EB3}\RP330\A0088779.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E005B1F1-5D9A-4920-9262-0AF89B739EB3}\RP330\A0088780.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E005B1F1-5D9A-4920-9262-0AF89B739EB3}\RP330\A0088781.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E005B1F1-5D9A-4920-9262-0AF89B739EB3}\RP330\A0088782.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E005B1F1-5D9A-4920-9262-0AF89B739EB3}\RP330\A0088783.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E005B1F1-5D9A-4920-9262-0AF89B739EB3}\RP330\A0088785.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E005B1F1-5D9A-4920-9262-0AF89B739EB3}\RP330\A0088786.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E005B1F1-5D9A-4920-9262-0AF89B739EB3}\RP330\A0088789.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E005B1F1-5D9A-4920-9262-0AF89B739EB3}\RP332\A0088999.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E005B1F1-5D9A-4920-9262-0AF89B739EB3}\RP332\A0088987.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E005B1F1-5D9A-4920-9262-0AF89B739EB3}\RP332\A0088988.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E005B1F1-5D9A-4920-9262-0AF89B739EB3}\RP332\A0088989.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E005B1F1-5D9A-4920-9262-0AF89B739EB3}\RP332\A0088990.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E005B1F1-5D9A-4920-9262-0AF89B739EB3}\RP332\A0088991.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E005B1F1-5D9A-4920-9262-0AF89B739EB3}\RP332\A0088993.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E005B1F1-5D9A-4920-9262-0AF89B739EB3}\RP332\A0088994.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E005B1F1-5D9A-4920-9262-0AF89B739EB3}\RP332\A0088995.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E005B1F1-5D9A-4920-9262-0AF89B739EB3}\RP332\A0088996.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E005B1F1-5D9A-4920-9262-0AF89B739EB3}\RP332\A0088997.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E005B1F1-5D9A-4920-9262-0AF89B739EB3}\RP332\A0088998.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E005B1F1-5D9A-4920-9262-0AF89B739EB3}\RP332\A0089000.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cghpfz.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pexgxaye.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vwwnojpo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jvmyqsse.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ikrncl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcjxnk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{56B5EA21-DB42-4FF5-A3CF-4BB26C7D6D50}\RP33\A0009987.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pierre and Miki\MediaTubeCodec_ver1.1502.0.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
london_peter
2008-09-24, 18:08
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:06:33, on 24-09-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\DkService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Documents and Settings\Pierre and Miki\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Datecs\Flex2K.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\ZTE Mobile Connection\datacard.exe
C:\Documents and Settings\Pierre and Miki\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Pierre and Miki\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Pierre and Miki\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: FlexType 2K.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4335719D-02AE-4337-9A76-A563814A74A8}: NameServer = 4.2.2.4 4.2.2.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{E306ECBA-12C0-4D22-98DA-3D90C9A7B085}: NameServer = 193.200.15.156,193.200.15.155
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
--
End of file - 8738 bytes
london_peter
2008-09-24, 18:10
so now to delete the files you told me to in your last post.
the pc is running as normal - maybe a little slower.
london_peter
2008-09-24, 18:17
C:\WINDOWS\System32
None of the files are there?
I hope it is a good sign.
Thanks
pskelley
2008-09-24, 19:40
I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional but if you do not have the CD's needed, as is explained, it can be installed before we remove combofix.
If you do not have access to Recovery Console via a Windows CD, I strongly advise you to install this tool.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\*CF-RC.txt*.
http://img.photobucket.com/albums/v666/sUBs/RC1-4.gif
Since we do not need to scan with combofix, click NO
http://img.photobucket.com/albums/v666/sUBs/RC_whatnext.gif
http://img.photobucket.com/albums/v666/sUBs/RC_AllDone.gif
Thanks
london_peter
2008-09-25, 01:49
I have my windows cd :
get genuine kit for windows xp professional sp2
that is what is needed right? and i do wish to proceed with installing the recovery console.
btw. the computer is doing fine now.
pskelley
2008-09-25, 02:43
Thanks for that feedback, here is information about Recovery Console.
http://support.microsoft.com/kb/314058
http://support.microsoft.com/kb/307654
I understand you can boot to RC from the CD if you need the tool.
Remove combofix from the computer like this:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
Clean System Restore files like this:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
Update MBAM and scan to make sure we missed none of the junk, no need to post a clean scan result.
Update Eset and scan your system to make sure it is running right and scanning clean. If all is well at this point, let me know and I will close your topic.
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
http://www.malwarecomplaints.info/
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
http://users.telenet.be/bluepatchy/miekiemoes/Links.html
london_peter
2008-09-25, 12:07
I'm writing this post because I feel this is something that If I'm now too carefull I coukd easily mess up:(
I have the CD - I don't need to do anything before removing Combo fix. I don't have to usr the Windows CD right now?
So now I will:
1) copy/paste Combofix /u and place it in Start>Run.. (the MS-DOS emulation it's called i suppose) to remove the program.
then continue with the next step:
2)Clean System Restore files
3)Reboot system restore
london_peter
2008-09-25, 12:31
I'm still performing the mbam scan and after 9 minutes it still looks good.
But the end of your last post is telling me that we're at the end of the whole operation.:) I'm working with this PC from home - it is my main source of income, so it's my most important possession.
I hope now I will be able to turn ON Automatic Updates, because the trojan had it disabled. And a message popped up on every reboot -
"Your computer might be at risk" - with the red firewall shield as an icon.
Since we started It hasn't shown up yes:)
15 minutes - OBJECTS INFECTED still at ground ZERO:)
I CAN'T TELL YOU HOW GRATEFUL I AM.
london_peter
2008-09-25, 13:07
Malwarebytes' Anti-Malware 1.28
Database version: 1203
Windows 5.1.2600 Service Pack 2
25-09-08 11:05:54
mbam-log-2008-09-25 (11-05-54).txt
Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 255432
Time elapsed: 50 minute(s), 10 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
london_peter
2008-09-25, 14:35
I have finished succesfully the scans - do i have to post something like a log from the ESET Nod32 scan?
What Should I do next with all the softwarwe we used for cleaning my PC:
1.Spybot S & D - (do I have to turn back ON the Tea Timer?)
2.HiJackThis
3.Malwarebytes - AntiMalware
4.ATF-Cleaner
and finally will we use the Recovery Console (from the Windows CD). I haven't done nothing with the CD so far.
...and Once again THANK YOU, SOLDIER :)
Regards: Peter Simeonov
pskelley
2008-09-25, 16:27
I don't have to usr the Windows CD right now?
No
So now I will:
Yes
pskelley
2008-09-25, 16:37
1.Spybot S & D - (do I have to turn back ON the Tea Timer?)
Yes
2.HiJackThis
Valuable tool, see all it does:
http://www.bleepingcomputer.com/tutorials/tutorial42.html
I have had a copy for ten years, but you may do as you wish with it.
3.Malwarebytes - AntiMalware
Freeware? Keep it as a backup scanner if you wish.
4.ATF-Cleaner
No better free cleaner available anywhere, need I say more.
and finally will we use the Recovery Console (from the Windows CD). I haven't done nothing with the CD so far.
Let's hope you never need RECOVERY console
Thanks
london_peter
2008-09-27, 16:04
Hi again,
I have question about spybot:
I checked TeaTimer back and today I turned on the PC and Spybot started scanning before windows was completely loaded - the desktop icons and toolbars hadn't appeared, and in the middle of the scan the clock and the files scanned counter stopped. I restarted in safe mode (the brutal way) the pc and ran spybot again - tyhis time it didn't stopped, but while "running scan bot" it went through virtumonde.dll, virtumonde.sci and virtumonde.sdn. I'm sure there were more extensions of virtumonde. And also Zlob Downloader?
But at the end It said Congratulations No immediate threats found.
Should I be worried about that? Is it normal.
Thank You
pskelley
2008-09-27, 17:25
Have a look around the forum to orientate yourself:
http://forums.spybot.info/index.php and you will see the
Spybot-S&D <<< the forum where experts with the tool reside
http://forums.spybot.info/forumdisplay.php?f=4
I am not sure why it started when you booted the computer, but it may be set to scan at startup or it may have tried to remove something and needed to run at startup to complete the removal.
Understand also, when you are seeing those names at the bottom during the scan, those are items Spybot is looking for, not items on the computer (that is the database)
Here is a link to FAQ's that may be helpful:
http://www.safer-networking.org/en/faq/index.html
Thanks
london_peter
2008-09-30, 08:28
RUNDLL
Error loading C:\WINDOWS\system32\brttaiig.dll
The specified module could not be found
This alert appears on starting the windows every time since we did the malware removal. What can I do about it?
Thank You.
pskelley
2008-10-01, 13:46
Make sure you can see all files and folders:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
C:\WINDOWS\system32\brttaiig.dll <<< navigate to that file and delete it.
If that does not take care of the issue, post a fresh HJT log so I can take a look.
Thanks
london_peter
2008-10-02, 17:45
I made the hidden files visible, but there isn't brttaiig.dll in WINDOWS/system32/ I'm posting you a new hjt log.
Thank You