View Full Version : Virtumonde
Damn, this is a nasty beast.
I went into safe mode and did a spybot check and cleaned everything off before doing this HJT scan. I have disconnected my internet on the infected computer for all the scans as well.
Here's the HJT. Any help is appreciated.
-------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:29:38 AM, on 20/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Video\PowerDVD\PDVDServ.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: {8d263719-5e0b-4479-3cc4-c48b8e4b4831} - {1384b4e8-b84c-4cc3-9744-b0e5917362d8} - C:\WINDOWS\system32\kgruwd.dll
O2 - BHO: (no name) - {1AAB6AB0-E660-48E8-B2E9-39BA7CC900B1} - C:\WINDOWS\system32\mlJBRJCU.dll (file missing)
O2 - BHO: (no name) - {36FA6360-F53A-47C9-9CB6-82FD16C3207B} - C:\WINDOWS\system32\urqOFxVo.dll (file missing)
O2 - BHO: (no name) - {6978308C-2282-4879-96F9-F0D8E048F12C} - C:\WINDOWS\system32\ssqNHbBq.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {81EA3F36-357A-435A-8741-52C27CCC9F21} - C:\WINDOWS\system32\opnnlmjH.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {F286447D-65CD-49F7-BAEA-46A5170CE774} - C:\WINDOWS\system32\awtrQJaW.dll (file missing)
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\Video\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\Video\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [103be614] rundll32.exe "C:\WINDOWS\system32\ehkvufcw.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spt: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://fulfillment.puretracks.com/onager.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O20 - AppInit_DLLs: kgruwd.dll
O20 - Winlogon Notify: opnnlmjH - C:\WINDOWS\SYSTEM32\opnnlmjH.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\AVG7\avgupsvc.exe (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)
--
End of file - 9325 bytes
pskelley
2008-09-21, 23:09
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.
Let's be realistic, there is no antivirus program running on the computer and it is a waste of my time and yours to clean a computer without one. I see a couple of services from AVG 7, what are your intentions. If you need a link to AVG 8 free, here it is:
http://free.grisoft.com/ww.download-avg-anti-virus-free-edition
If you can use this information:
How to Install Free version AVG 8.0 without LinkScanner feature
http://russelltexas.com/tutorials/avg8install.htm
Once installed, update and scan the system removing what it finds, post a new HJT log showing it is installed and running and I will be glad to do all I can to help rid you of any infections left.
Thanks
Howdy
Thanks for responding. I used to use AVG, but last time my computer got something, it hooked onto the winlogon.exe file, so when AVG scanned my computer, it deleted/moved that file thinking it was a virus, and totally f-ed over my computer.
I did a scan with the new one, and it found some tracking cookies and a couple virtumonde .dll's, but it also brought up explorer.exe and winlogon.exe, saying they were possible infections. I tried searching through AVG's help file and online FAQ's, but nowhere that I could find explained how it would clean these files. If I continue with healing those two files, will my computer crash and burn? Or will it actually just remove the connections to the virtumonde .dll's?
I've tried putting my windows xp install cd back into the drive to see if I can reinstall windows in case of something like what happened last time, but after it boots through that blue screen where it loads and asks you if you want to install or repair xp, it says that I don't have a hard drive installed on the computer, which is obviously untrue.
I really appreciate the help, I am just a bit apprehensive about those two files.
pskelley
2008-09-23, 02:55
Adware.VirtuMonde <<< you have evidence of this infection.
http://www.symantec.com/security_response/writeup.jsp?docid=2003-120914-4108-99
http://www.google.com/search?hl=en&q=virtumonde&btnG=Search
Even though technically it is adware, it is probably the hardest adware program there is to remove. I am not about to waste my time (which I steal from my real life and family) to help you remove this infection from a computer that is not running an active antivirus program.
If you get one installed, updated, and running on the computer, then post a new HJT log showing that and I will take another look at your infection.
I ran another AVG 8 (fully updated) scan on my computer and it said it found no infections. Here's the new HijackThis
----------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:48:04 PM, on 22/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Video\PowerDVD\PDVDServ.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {1AAB6AB0-E660-48E8-B2E9-39BA7CC900B1} - C:\WINDOWS\system32\mlJBRJCU.dll (file missing)
O2 - BHO: (no name) - {36FA6360-F53A-47C9-9CB6-82FD16C3207B} - C:\WINDOWS\system32\urqOFxVo.dll (file missing)
O2 - BHO: {61085311-801b-5739-9a54-e78f34480c05} - {50c08443-f87e-45a9-9375-b10811358016} - C:\WINDOWS\system32\rogaei.dll
O2 - BHO: (no name) - {6978308C-2282-4879-96F9-F0D8E048F12C} - C:\WINDOWS\system32\ssqNHbBq.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {81EA3F36-357A-435A-8741-52C27CCC9F21} - C:\WINDOWS\system32\opnnlmjH.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {96C6FE02-5BE4-436E-BBAC-874EA0E4F014} - C:\WINDOWS\system32\efcCUOhi.dll (file missing)
O2 - BHO: (no name) - {F286447D-65CD-49F7-BAEA-46A5170CE774} - C:\WINDOWS\system32\awtrQJaW.dll (file missing)
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\Video\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\Video\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [103be614] rundll32.exe "C:\WINDOWS\system32\mwnpssst.dll",b
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [BM1308d588] Rundll32.exe "C:\WINDOWS\system32\ychikmmc.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spt: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://fulfillment.puretracks.com/onager.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O20 - AppInit_DLLs: ,avgrsstx.dll rogaei.dll
O20 - Winlogon Notify: opnnlmjH - opnnlmjH.dll (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)
--
End of file - 9530 bytes
pskelley
2008-09-23, 05:17
Thanks for returning your information, I see enough indications in the HJT log that the Vundo infection is still present. I suggest you follow these directions.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Remove any old copies of combofix before you proceed.
Thanks to sUBs and anyone else who helped with this fix.
It is important that it is saved directly to your Desktop.
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Post the combofix log and a new HJT log.
Thanks
ComboFix 08-09-22.06 - Natetron 2008-09-23 19:49:20.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1586 [GMT -6:00]
Running from: C:\Documents and Settings\Natetron\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\BM1308d588.txt
C:\WINDOWS\BM1308d588.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\cjdxdesc.ini
C:\WINDOWS\system32\ihOUCcfe.ini
C:\WINDOWS\system32\kubosjui.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\oVxFOqru.ini
C:\WINDOWS\system32\tssspnwm.ini
C:\WINDOWS\system32\tyiglyfv.ini
C:\WINDOWS\system32\WaJQrtwa.ini
C:\WINDOWS\system32\wcfuvkhe.ini
.
((((((((((((((((((((((((( Files Created from 2008-08-24 to 2008-09-24 )))))))))))))))))))))))))))))))
.
2008-09-21 15:11 . 2008-09-23 19:43 <DIR> d--h----- C:\$AVG8.VAULT$
2008-09-21 15:10 . 2008-09-23 19:44 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-09-21 15:10 . 2008-09-21 15:10 <DIR> d-------- C:\Program Files\AVG
2008-09-21 15:10 . 2008-09-21 15:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-09-21 15:10 . 2008-09-21 15:10 113,152 --a------ C:\WINDOWS\system32\xqmppgfm.dll
2008-09-21 15:10 . 2008-09-21 15:10 113,152 --a------ C:\WINDOWS\system32\rogaei.dll
2008-09-21 15:10 . 2008-09-21 15:10 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-09-21 15:10 . 2008-09-21 15:10 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-09-21 15:05 . 2008-09-21 15:05 97,792 --a------ C:\WINDOWS\system32\ychikmmc.dll
2008-09-21 15:04 . 2008-09-21 16:17 607,350 --ahs---- C:\WINDOWS\system32\ihOUCcfe.ini2
2008-09-20 11:29 . 2008-09-20 11:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-20 09:48 . 2008-09-20 09:48 268 --ah----- C:\sqmdata01.sqm
2008-09-20 09:48 . 2008-09-20 09:48 244 --ah----- C:\sqmnoopt01.sqm
2008-09-19 18:19 . 2008-09-19 18:19 112,640 --a------ C:\WINDOWS\system32\qjkhlsen.dll
2008-09-19 18:19 . 2008-09-19 18:19 112,640 --a------ C:\WINDOWS\system32\kgruwd.dll
2008-09-19 18:17 . 2008-09-19 18:17 97,280 --a------ C:\WINDOWS\system32\symlslky.dll
2008-09-18 16:18 . 2008-09-18 16:18 112,640 --a------ C:\WINDOWS\system32\wahpxh.dll
2008-09-18 16:18 . 2008-09-18 16:18 112,640 --a------ C:\WINDOWS\system32\hoyqdfge.dll
2008-09-18 16:15 . 2008-09-20 09:47 619,171 --ahs---- C:\WINDOWS\system32\WaJQrtwa.ini2
2008-09-17 18:53 . 2008-09-17 22:57 579,324 --ahs---- C:\WINDOWS\system32\oVxFOqru.ini2
2008-09-15 22:03 . 2008-09-15 22:03 <DIR> d-------- C:\Documents and Settings\Natetron\Application Data\SolidWorks
2008-09-15 22:02 . 2008-09-15 22:02 <DIR> d-------- C:\Documents and Settings\Natetron\Application Data\DWGeditor
2008-09-15 22:01 . 2008-09-15 22:01 <DIR> d-------- C:\Program Files\DWGeditor
2008-09-15 22:01 . 2008-09-15 22:01 0 --a------ C:\WINDOWS\eDrawingOfficeAutomator.INI
2008-09-15 21:57 . 2008-09-15 21:57 42 --a------ C:\WINDOWS\trailer.xws
2008-09-15 21:57 . 2008-09-15 21:57 23 --ah----- C:\WINDOWS\yacht.xws
2008-09-15 21:50 . 2008-09-15 21:56 <DIR> d-------- C:\Program Files\Common Files\SolidWorks Shared
2008-09-15 21:50 . 2008-09-15 22:00 <DIR> d-------- C:\Program Files\Common Files\eDrawings2007
2008-09-15 21:48 . 2008-09-15 21:48 <DIR> d-------- C:\WINDOWS\system32\GroupPolicy
2008-09-15 21:48 . 2008-09-15 21:56 <DIR> d-------- C:\Program Files\SolidWorks
2008-09-15 21:48 . 2008-09-15 21:48 <DIR> d-------- C:\Program Files\Common Files\Solidworks Data
2008-09-15 19:31 . 2008-09-15 19:34 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-09-15 19:06 . 2008-09-15 19:05 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-09-15 19:05 . 2008-09-15 19:12 <DIR> d-------- C:\Documents and Settings\Natetron\.housecall6.6
2008-09-15 18:19 . 2008-09-15 22:30 10,226 --ahs---- C:\WINDOWS\system32\qBbHNqss.ini2
2008-09-15 18:19 . 2008-09-15 22:30 10,226 --ahs---- C:\WINDOWS\system32\qBbHNqss.ini
2008-09-15 16:10 . 2008-09-15 17:11 2,164 --ahs---- C:\WINDOWS\system32\UCJRBJlm.ini2
2008-09-15 16:10 . 2008-09-15 17:13 2,164 --ahs---- C:\WINDOWS\system32\UCJRBJlm.ini
2008-09-15 16:03 . 2008-09-21 15:10 <DIR> d-------- C:\Documents and Settings\Backup Man!
2008-09-10 16:30 . 2008-09-15 21:28 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-09-10 16:30 . 2008-09-10 16:30 1,409 --a------ C:\WINDOWS\QTFont.for
2008-09-07 16:43 . 2008-09-07 16:43 <DIR> d-------- C:\Program Files\Sony
2008-08-27 05:53 . 2008-08-27 05:53 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-27 05:53 . 2008-08-27 05:53 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-27 05:53 . 2008-08-27 05:53 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-27 05:53 . 2008-08-27 05:53 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-27 05:52 . 2008-08-27 05:52 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-27 05:49 . 2008-08-27 05:49 <DIR> d-------- C:\WINDOWS\EHome
2008-08-26 19:44 . 2008-04-13 18:12 4,274,816 --a------ C:\WINDOWS\system32\nv4_disp.dll
2008-08-26 19:43 . 2004-08-03 22:41 1,041,536 --a------ C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2008-08-26 19:42 . 2008-04-13 18:11 1,888,992 --a------ C:\WINDOWS\system32\ati3duag.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-21 20:59 --------- d-----w C:\Program Files\Video
2008-09-20 17:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-20 17:29 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2008-09-20 17:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-09-20 05:28 --------- d-----w C:\Documents and Settings\Natetron\Application Data\Azureus
2008-09-18 04:12 --------- d-----w C:\Program Files\Utilities
2008-09-15 23:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-15 22:04 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-13 01:02 --------- d-----w C:\Documents and Settings\Natetron\Application Data\foobar2000
2008-09-12 01:07 --------- d-----w C:\Documents and Settings\Natetron\Application Data\LimeWire
2008-08-27 01:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-07-11 05:09 81,920 ----a-w C:\Documents and Settings\Natetron\Application Data\ezpinst.exe
2007-07-11 05:09 47,360 ----a-w C:\Documents and Settings\Natetron\Application Data\pcouffin.sys
2004-03-01 20:25 114,688 ----a-w C:\Program Files\internet explorer\plugins\ChimeShim.dll
2006-05-03 09:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 794,713 2006-06-17 00:22:46 C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe
----a-w 794,713 2006-06-16 23:22:46 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
----a-w 15,360 2004-08-04 12:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2008-04-14 00:12:16 C:\WINDOWS\system32\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{50c08443-f87e-45a9-9375-b10811358016}]
2008-09-21 15:10 113152 --a------ C:\WINDOWS\system32\rogaei.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]
"Google Update"="C:\Documents and Settings\Natetron\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-22 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2006-08-14 98304]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2006-08-14 94208]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-16 794713]
"RemoteControl"="C:\Program Files\Video\PowerDVD\PDVDServ.exe" [2007-02-07 71216]
"LanguageShortcut"="C:\Program Files\Video\PowerDVD\Language\Language.exe" [2007-02-07 54832]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-23 131072]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"103be614"="C:\WINDOWS\system32\mwnpssst.dll" [N/A]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-21 1235736]
"BM1308d588"="C:\WINDOWS\system32\ychikmmc.dll" [2008-09-21 97792]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=,avgrsstx.dll rogaei.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll
"msacm.ac3filter"= ac3filter.acm
"msacm.l3codec"= l3codecp.acm
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Video\\PowerDVD\\PowerDVD.exe"=
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:6881
"6882:TCP"= 6882:TCP:6882
"6883:TCP"= 6883:TCP:6883
"6884:TCP"= 6884:TCP:6884
"6885:TCP"= 6885:TCP:6885
"6886:TCP"= 6886:TCP:6886
"6887:TCP"= 6887:TCP:6887
"6888:TCP"= 6888:TCP:6888
"6889:TCP"= 6889:TCP:6889
"63207:TCP"= 63207:TCP:63207tcp
"63206:TCP"= 63206:TCP:63206
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-09-21 97928]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\Video\PowerDVD\000.fcl [2006-11-02 16:51 13560]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-21 231704]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39efa72b-6bb0-11dd-974b-0013026063b3}]
\Shell\Shell00\Command - E:\Start.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{481f1388-db1c-11db-9595-9e7264e88310}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
BHO-{1AAB6AB0-E660-48E8-B2E9-39BA7CC900B1} - C:\WINDOWS\system32\mlJBRJCU.dll
BHO-{36FA6360-F53A-47C9-9CB6-82FD16C3207B} - C:\WINDOWS\system32\urqOFxVo.dll
BHO-{6978308C-2282-4879-96F9-F0D8E048F12C} - C:\WINDOWS\system32\ssqNHbBq.dll
BHO-{96C6FE02-5BE4-436E-BBAC-874EA0E4F014} - C:\WINDOWS\system32\efcCUOhi.dll
BHO-{F286447D-65CD-49F7-BAEA-46A5170CE774} - C:\WINDOWS\system32\awtrQJaW.dll
Notify-opnnlmjH - opnnlmjH.dll
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Natetron\Application Data\Mozilla\Firefox\Profiles\x7ldfe9f.default\
FF -: plugin - C:\Program Files\Java\jre1.5.0_11\bin\NPJava11.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_11\bin\NPJava12.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_11\bin\NPJava13.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_11\bin\NPJava14.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_11\bin\NPJava32.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_11\bin\NPJPI150_11.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_11\bin\NPOJI610.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
FF -: plugin - C:\Program Files\Video\QuickTime\Plugins\npqtplugin.dll
FF -: plugin - C:\Program Files\Video\QuickTime\Plugins\npqtplugin2.dll
FF -: plugin - C:\Program Files\Video\QuickTime\Plugins\npqtplugin3.dll
FF -: plugin - C:\Program Files\Video\QuickTime\Plugins\npqtplugin4.dll
FF -: plugin - C:\Program Files\Video\QuickTime\Plugins\npqtplugin5.dll
FF -: plugin - C:\Program Files\Video\QuickTime\Plugins\npqtplugin6.dll
FF -: plugin - C:\Program Files\Video\QuickTime\Plugins\npqtplugin7.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-23 20:02:46
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\BM1308d588.txt
scan completed successfully
hidden files: 1
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\Video\PowerDVD\000.fcl"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\ComboFix\pv.cfexe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-09-23 20:06:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-24 02:06:41
Pre-Run: 62,716,284,928 bytes free
Post-Run: 62,766,972,928 bytes free
234 --- E O F --- 2008-09-12 20:53:24
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:10:05 PM, on 23/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Video\PowerDVD\PDVDServ.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Documents and Settings\Natetron\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Documents and Settings\Natetron\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Natetron\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: {61085311-801b-5739-9a54-e78f34480c05} - {50c08443-f87e-45a9-9375-b10811358016} - C:\WINDOWS\system32\rogaei.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\Video\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\Video\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [103be614] rundll32.exe "C:\WINDOWS\system32\mwnpssst.dll",b
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [BM1308d588] Rundll32.exe "C:\WINDOWS\system32\ychikmmc.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Natetron\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spt: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://fulfillment.puretracks.com/onager.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O20 - AppInit_DLLs: ,avgrsstx.dll rogaei.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)
--
End of file - 9373 bytes
================================================
For the ComboFix log, I don't know what the Recovery Console is or why it isn't installed. I don't know if this matters or not...
pskelley
2008-09-24, 13:38
I knew when I say no antivirus program that I should have left this mess alone!
I don't know what the Recovery Console is or why it isn't installed. I don't know if this matters or not...
If you had read the turorial, you would have that information:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix <<< tutorial
How to install and use the Windows XP Recovery Console <<< click there
If you use Windows XP and do not have the Windows CD
The combofix log is showing you have a very bad infection called AWF, read about it here:
http://vil.nai.com/vil/content/v_139503.htm
http://research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Downloader.Agent.AWF&threatid=134083
combfox, which identified the hidden infection will usually remove it, if not it has to be done manually and the procedd is slow and complicated.
http://forums.spybot.info/showthread.php?t=282 <<< please read
If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.
LimeWire <<< uninstall all p2p programs
E:\Start.exe <<< according to this information:
http://www.liutilities.com/products/wintaskspro/processlibrary/start/
http://www.processlibrary.com/directory/files/start
You need to format that infected USB stick or you will reinfect when you use it. Pen drive/USB stick
http://www.scribd.com/doc/231100/Reformatting-a-USB-Drive
Please read and follow the directions carefully and in the numbered order.
1) C:\Program Files\Java\jre1.5.0_11\ <<< Java is out of date, see information:
http://forums.spybot.info/showthread.php?t=34433
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.
3) Open notepad and copy/paste the text in the codebox below into it:
AWF::
C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe
C:\WINDOWS\system32\bak\ctfmon.exe
File::
E:\Start.exe
C:\WINDOWS\system32\mwnpssst.dll
C:\WINDOWS\system32\rogaei.dll
C:\WINDOWS\system32\ychikmmc.dll
C:\WINDOWS\system32\xqmppgfm.dll
C:\WINDOWS\system32\ihOUCcfe.ini2
C:\WINDOWS\system32\qjkhlsen.dll
C:\WINDOWS\system32\kgruwd.dll
C:\WINDOWS\system32\symlslky.dll
C:\WINDOWS\system32\wahpxh.dll
C:\WINDOWS\system32\hoyqdfge.dll
C:\WINDOWS\system32\WaJQrtwa.ini2
C:\WINDOWS\system32\oVxFOqru.ini2
C:\WINDOWS\system32\qBbHNqss.ini2
C:\WINDOWS\system32\qBbHNqss.ini
C:\WINDOWS\system32\UCJRBJlm.ini2
C:\WINDOWS\system32\UCJRBJlm.ini
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
"AppInit_DLLs"="avgrsstx.dll"
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{50c08443-f87e-45a9-9375-b10811358016}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{481f1388-db1c-11db-9595-9e7264e88310}]
Save this as CFScript
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)
4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
(some may be missing)
O2 - BHO: {61085311-801b-5739-9a54-e78f34480c05} - {50c08443-f87e-45a9-9375-b10811358016} - C:\WINDOWS\system32\rogaei.dll
O4 - HKLM\..\Run: [103be614] rundll32.exe "C:\WINDOWS\system32\mwnpssst.dll",b
O4 - HKLM\..\Run: [BM1308d588] Rundll32.exe "C:\WINDOWS\system32\ychikmmc.dll",s
O20 - AppInit_DLLs: ,avgrsstx.dll rogaei.dll
Close all programs but HJT and all browser windows, then click on "Fix Checked"
5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
*Cleaning Prefetch may results in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html
6) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAB and a new HJT log
How is the computer running?
Thanks
ComboFix 08-09-22.06 - Natetron 2008-09-24 17:51:43.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1542 [GMT -6:00]
Running from: C:\Documents and Settings\Natetron\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Natetron\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\system32\hoyqdfge.dll
C:\WINDOWS\system32\ihOUCcfe.ini2
C:\WINDOWS\system32\kgruwd.dll
C:\WINDOWS\system32\mwnpssst.dll
C:\WINDOWS\system32\oVxFOqru.ini2
C:\WINDOWS\system32\qBbHNqss.ini
C:\WINDOWS\system32\qBbHNqss.ini2
C:\WINDOWS\system32\qjkhlsen.dll
C:\WINDOWS\system32\rogaei.dll
C:\WINDOWS\system32\symlslky.dll
C:\WINDOWS\system32\UCJRBJlm.ini
C:\WINDOWS\system32\UCJRBJlm.ini2
C:\WINDOWS\system32\wahpxh.dll
C:\WINDOWS\system32\WaJQrtwa.ini2
C:\WINDOWS\system32\xqmppgfm.dll
C:\WINDOWS\system32\ychikmmc.dll
E:\Start.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\BM1308d588.txt
C:\WINDOWS\BM1308d588.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\hoyqdfge.dll
C:\WINDOWS\system32\ihOUCcfe.ini2
C:\WINDOWS\system32\kgruwd.dll
C:\WINDOWS\system32\oVxFOqru.ini2
C:\WINDOWS\system32\qBbHNqss.ini
C:\WINDOWS\system32\qBbHNqss.ini2
C:\WINDOWS\system32\qjkhlsen.dll
C:\WINDOWS\system32\rogaei.dll
C:\WINDOWS\system32\symlslky.dll
C:\WINDOWS\system32\UCJRBJlm.ini
C:\WINDOWS\system32\UCJRBJlm.ini2
C:\WINDOWS\system32\wahpxh.dll
C:\WINDOWS\system32\WaJQrtwa.ini2
C:\WINDOWS\system32\xqmppgfm.dll
C:\WINDOWS\system32\ychikmmc.dll
.
((((((((((((((((((((((((( Files Created from 2008-08-25 to 2008-09-25 )))))))))))))))))))))))))))))))
.
2008-09-24 17:47 . 2008-09-24 17:47 <DIR> d-------- C:\Program Files\Java
2008-09-24 17:47 . 2008-09-24 17:47 <DIR> d-------- C:\Program Files\Common Files\Java
2008-09-24 17:47 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-21 15:11 . 2008-09-23 19:43 <DIR> d--h----- C:\$AVG8.VAULT$
2008-09-21 15:10 . 2008-09-24 17:15 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-09-21 15:10 . 2008-09-21 15:10 <DIR> d-------- C:\Program Files\AVG
2008-09-21 15:10 . 2008-09-21 15:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-09-21 15:10 . 2008-09-21 15:10 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-09-21 15:10 . 2008-09-21 15:10 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-09-20 11:29 . 2008-09-20 11:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-20 09:48 . 2008-09-20 09:48 268 --ah----- C:\sqmdata01.sqm
2008-09-20 09:48 . 2008-09-20 09:48 244 --ah----- C:\sqmnoopt01.sqm
2008-09-15 22:03 . 2008-09-15 22:03 <DIR> d-------- C:\Documents and Settings\Natetron\Application Data\SolidWorks
2008-09-15 22:02 . 2008-09-15 22:02 <DIR> d-------- C:\Documents and Settings\Natetron\Application Data\DWGeditor
2008-09-15 22:01 . 2008-09-15 22:01 <DIR> d-------- C:\Program Files\DWGeditor
2008-09-15 22:01 . 2008-09-15 22:01 0 --a------ C:\WINDOWS\eDrawingOfficeAutomator.INI
2008-09-15 21:57 . 2008-09-15 21:57 42 --a------ C:\WINDOWS\trailer.xws
2008-09-15 21:57 . 2008-09-15 21:57 23 --ah----- C:\WINDOWS\yacht.xws
2008-09-15 21:50 . 2008-09-15 21:56 <DIR> d-------- C:\Program Files\Common Files\SolidWorks Shared
2008-09-15 21:50 . 2008-09-15 22:00 <DIR> d-------- C:\Program Files\Common Files\eDrawings2007
2008-09-15 21:48 . 2008-09-15 21:48 <DIR> d-------- C:\WINDOWS\system32\GroupPolicy
2008-09-15 21:48 . 2008-09-15 21:56 <DIR> d-------- C:\Program Files\SolidWorks
2008-09-15 21:48 . 2008-09-15 21:48 <DIR> d-------- C:\Program Files\Common Files\Solidworks Data
2008-09-15 19:31 . 2008-09-15 19:34 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-09-15 19:06 . 2008-09-15 19:05 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-09-15 19:05 . 2008-09-15 19:12 <DIR> d-------- C:\Documents and Settings\Natetron\.housecall6.6
2008-09-15 16:03 . 2008-09-21 15:10 <DIR> d-------- C:\Documents and Settings\Backup Man!
2008-09-10 16:30 . 2008-09-15 21:28 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-09-10 16:30 . 2008-09-10 16:30 1,409 --a------ C:\WINDOWS\QTFont.for
2008-09-07 16:43 . 2008-09-07 16:43 <DIR> d-------- C:\Program Files\Sony
2008-08-27 05:53 . 2008-08-27 05:53 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-27 05:53 . 2008-08-27 05:53 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-27 05:53 . 2008-08-27 05:53 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-27 05:53 . 2008-08-27 05:53 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-27 05:52 . 2008-08-27 05:52 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-27 05:49 . 2008-08-27 05:49 <DIR> d-------- C:\WINDOWS\EHome
2008-08-26 19:44 . 2008-04-13 18:12 4,274,816 --a------ C:\WINDOWS\system32\nv4_disp.dll
2008-08-26 19:43 . 2004-08-03 22:41 1,041,536 --a------ C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2008-08-26 19:42 . 2008-04-13 18:11 1,888,992 --a------ C:\WINDOWS\system32\ati3duag.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-21 20:59 --------- d-----w C:\Program Files\Video
2008-09-20 17:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-20 17:29 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2008-09-20 17:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-09-18 04:12 --------- d-----w C:\Program Files\Utilities
2008-09-15 23:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-15 22:04 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-13 01:02 --------- d-----w C:\Documents and Settings\Natetron\Application Data\foobar2000
2008-08-27 01:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-07-11 05:09 81,920 ----a-w C:\Documents and Settings\Natetron\Application Data\ezpinst.exe
2007-07-11 05:09 47,360 ----a-w C:\Documents and Settings\Natetron\Application Data\pcouffin.sys
2004-03-01 20:25 114,688 ----a-w C:\Program Files\internet explorer\plugins\ChimeShim.dll
2006-05-03 09:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
.
((((((((((((((((((((((((((((( snapshot@2008-09-23_20.06.20.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-12-15 08:30:58 49,248 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-06-10 07:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2006-12-15 08:31:06 53,346 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 07:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2006-12-15 10:09:14 127,078 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-06-10 08:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
- 2008-09-24 01:47:40 68,316 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-09-24 23:19:02 68,316 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-09-24 01:47:40 416,600 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-09-24 23:19:03 416,600 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 794,713 2006-06-17 00:22:46 C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe
----a-w 794,713 2006-06-16 23:22:46 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
----a-w 15,360 2004-08-04 12:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2008-04-14 00:12:16 C:\WINDOWS\system32\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]
"Google Update"="C:\Documents and Settings\Natetron\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-22 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2006-08-14 98304]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2006-08-14 94208]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-16 794713]
"RemoteControl"="C:\Program Files\Video\PowerDVD\PDVDServ.exe" [2007-02-07 71216]
"LanguageShortcut"="C:\Program Files\Video\PowerDVD\Language\Language.exe" [2007-02-07 54832]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-23 131072]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"103be614"="C:\WINDOWS\system32\mwnpssst.dll" [N/A]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-21 1235736]
"BM1308d588"="C:\WINDOWS\system32\ychikmmc.dll" [N/A]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll
"msacm.ac3filter"= ac3filter.acm
"msacm.l3codec"= l3codecp.acm
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Video\\PowerDVD\\PowerDVD.exe"=
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:6881
"6882:TCP"= 6882:TCP:6882
"6883:TCP"= 6883:TCP:6883
"6884:TCP"= 6884:TCP:6884
"6885:TCP"= 6885:TCP:6885
"6886:TCP"= 6886:TCP:6886
"6887:TCP"= 6887:TCP:6887
"6888:TCP"= 6888:TCP:6888
"6889:TCP"= 6889:TCP:6889
"63207:TCP"= 63207:TCP:63207tcp
"63206:TCP"= 63206:TCP:63206
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-09-21 97928]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\Video\PowerDVD\000.fcl [2006-11-02 16:51 13560]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-21 231704]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39efa72b-6bb0-11dd-974b-0013026063b3}]
\Shell\Shell00\Command - E:\Start.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-24 18:06:18
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\Video\PowerDVD\000.fcl"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\ComboFix\pv.cfexe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2008-09-24 18:10:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-25 00:10:25
ComboFix2.txt 2008-09-24 02:06:47
Pre-Run: 62,685,401,088 bytes free
Post-Run: 62,669,811,712 bytes free
229 --- E O F --- 2008-09-12 20:53:24
Malwarebytes' Anti-Malware 1.28
Database version: 1203
Windows 5.1.2600 Service Pack 3
24/09/2008 7:45:42 PM
mbam-log-2008-09-24 (19-45-42).txt
Scan type: Full Scan (C:\|)
Objects scanned: 124397
Time elapsed: 48 minute(s), 57 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 25
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\hoyqdfge.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\kgruwd.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\qjkhlsen.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\rogaei.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\symlslky.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\wahpxh.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\xqmppgfm.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ychikmmc.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5D53717-887F-414C-BF1E-5416139473EA}\RP580\A0074180.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5D53717-887F-414C-BF1E-5416139473EA}\RP582\A0079577.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5D53717-887F-414C-BF1E-5416139473EA}\RP584\A0080695.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5D53717-887F-414C-BF1E-5416139473EA}\RP584\A0080696.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5D53717-887F-414C-BF1E-5416139473EA}\RP584\A0080697.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5D53717-887F-414C-BF1E-5416139473EA}\RP584\A0080702.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5D53717-887F-414C-BF1E-5416139473EA}\RP584\A0080704.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5D53717-887F-414C-BF1E-5416139473EA}\RP584\A0080705.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5D53717-887F-414C-BF1E-5416139473EA}\RP585\A0080807.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5D53717-887F-414C-BF1E-5416139473EA}\RP589\A0081069.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5D53717-887F-414C-BF1E-5416139473EA}\RP589\A0081070.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5D53717-887F-414C-BF1E-5416139473EA}\RP589\A0081072.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5D53717-887F-414C-BF1E-5416139473EA}\RP589\A0081073.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5D53717-887F-414C-BF1E-5416139473EA}\RP589\A0081074.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5D53717-887F-414C-BF1E-5416139473EA}\RP589\A0081076.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5D53717-887F-414C-BF1E-5416139473EA}\RP589\A0081077.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5D53717-887F-414C-BF1E-5416139473EA}\RP589\A0081078.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:46:13 PM, on 24/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Video\PowerDVD\PDVDServ.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Documents and Settings\Natetron\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\Video\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\Video\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Natetron\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spt: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://fulfillment.puretracks.com/onager.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)
--
End of file - 8907 bytes
Things seem to be running good. No more rundll32.exe's or anything like that. I'm going to avoid Internet Explorer cause i'm really enjoying this Google Chrome.
Thanks for all the help. I really appreciate it. I don't know how you know what you know, but i'm glad there are people like you willing to share it.
pskelley
2008-09-25, 13:56
AWF was not removed by CFScript, (((( AWF )))) <<< in the CFScript log, let's try it one more time.
Open notepad and copy/paste the text in the codebox below into it:
AWF::
C:\WINDOWS\system32\bak\ctfmon.exe
C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe
Save this as CFScript
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
If it does not work this time, we will have to clean it manually:sad:
ComboFix 08-09-25.03 - Natetron 2008-09-25 15:57:58.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1607 [GMT -6:00]
Running from: C:\Documents and Settings\Natetron\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Natetron\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-08-25 to 2008-09-25 )))))))))))))))))))))))))))))))
.
2008-09-24 18:28 . 2008-09-24 18:30 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-24 18:28 . 2008-09-24 18:28 <DIR> d-------- C:\Documents and Settings\Natetron\Application Data\Malwarebytes
2008-09-24 18:28 . 2008-09-24 18:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-24 18:28 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-24 18:28 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-24 17:47 . 2008-09-24 17:47 <DIR> d-------- C:\Program Files\Java
2008-09-24 17:47 . 2008-09-24 17:47 <DIR> d-------- C:\Program Files\Common Files\Java
2008-09-24 17:47 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-21 15:11 . 2008-09-23 19:43 <DIR> d--h----- C:\$AVG8.VAULT$
2008-09-21 15:10 . 2008-09-25 15:55 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-09-21 15:10 . 2008-09-21 15:10 <DIR> d-------- C:\Program Files\AVG
2008-09-21 15:10 . 2008-09-21 15:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-09-21 15:10 . 2008-09-21 15:10 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-09-21 15:10 . 2008-09-21 15:10 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-09-20 11:29 . 2008-09-20 11:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-20 09:48 . 2008-09-20 09:48 268 --ah----- C:\sqmdata01.sqm
2008-09-20 09:48 . 2008-09-20 09:48 244 --ah----- C:\sqmnoopt01.sqm
2008-09-15 22:03 . 2008-09-15 22:03 <DIR> d-------- C:\Documents and Settings\Natetron\Application Data\SolidWorks
2008-09-15 22:02 . 2008-09-15 22:02 <DIR> d-------- C:\Documents and Settings\Natetron\Application Data\DWGeditor
2008-09-15 22:01 . 2008-09-15 22:01 <DIR> d-------- C:\Program Files\DWGeditor
2008-09-15 22:01 . 2008-09-15 22:01 0 --a------ C:\WINDOWS\eDrawingOfficeAutomator.INI
2008-09-15 21:57 . 2008-09-15 21:57 42 --a------ C:\WINDOWS\trailer.xws
2008-09-15 21:57 . 2008-09-15 21:57 23 --ah----- C:\WINDOWS\yacht.xws
2008-09-15 21:50 . 2008-09-15 21:56 <DIR> d-------- C:\Program Files\Common Files\SolidWorks Shared
2008-09-15 21:50 . 2008-09-15 22:00 <DIR> d-------- C:\Program Files\Common Files\eDrawings2007
2008-09-15 21:48 . 2008-09-15 21:48 <DIR> d-------- C:\WINDOWS\system32\GroupPolicy
2008-09-15 21:48 . 2008-09-15 21:56 <DIR> d-------- C:\Program Files\SolidWorks
2008-09-15 21:48 . 2008-09-15 21:48 <DIR> d-------- C:\Program Files\Common Files\Solidworks Data
2008-09-15 19:31 . 2008-09-15 19:34 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-09-15 19:06 . 2008-09-15 19:05 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-09-15 19:05 . 2008-09-15 19:12 <DIR> d-------- C:\Documents and Settings\Natetron\.housecall6.6
2008-09-15 16:03 . 2008-09-21 15:10 <DIR> d-------- C:\Documents and Settings\Backup Man!
2008-09-10 16:30 . 2008-09-15 21:28 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-09-10 16:30 . 2008-09-10 16:30 1,409 --a------ C:\WINDOWS\QTFont.for
2008-09-07 16:43 . 2008-09-07 16:43 <DIR> d-------- C:\Program Files\Sony
2008-08-27 05:53 . 2008-08-27 05:53 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-27 05:53 . 2008-08-27 05:53 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-27 05:53 . 2008-08-27 05:53 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-27 05:53 . 2008-08-27 05:53 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-27 05:52 . 2008-08-27 05:52 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-27 05:49 . 2008-08-27 05:49 <DIR> d-------- C:\WINDOWS\EHome
2008-08-26 19:44 . 2008-04-13 18:12 4,274,816 --a------ C:\WINDOWS\system32\nv4_disp.dll
2008-08-26 19:43 . 2004-08-03 22:41 1,041,536 --a------ C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2008-08-26 19:42 . 2008-04-13 18:11 1,888,992 --a------ C:\WINDOWS\system32\ati3duag.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-21 20:59 --------- d-----w C:\Program Files\Video
2008-09-20 17:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-20 17:29 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2008-09-20 17:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-09-18 04:12 --------- d-----w C:\Program Files\Utilities
2008-09-15 23:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-15 22:04 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-13 01:02 --------- d-----w C:\Documents and Settings\Natetron\Application Data\foobar2000
2008-08-27 01:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-07-19 04:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 04:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 04:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 04:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 04:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 04:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 04:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 04:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 04:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 04:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-25 00:12 295,936 ----a-w C:\WINDOWS\system32\wmpeffects.dll
2007-07-11 05:09 81,920 ----a-w C:\Documents and Settings\Natetron\Application Data\ezpinst.exe
2007-07-11 05:09 47,360 ----a-w C:\Documents and Settings\Natetron\Application Data\pcouffin.sys
2004-03-01 20:25 114,688 ----a-w C:\Program Files\internet explorer\plugins\ChimeShim.dll
2006-05-03 09:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
.
((((((((((((((((((((((((((((( snapshot@2008-09-23_20.06.20.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-14 00:12:16 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
+ 2004-08-04 12:00:00 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
+ 2004-08-04 12:00:00 15,360 -c--a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
- 2006-12-15 08:30:58 49,248 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-06-10 07:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2006-12-15 08:31:06 53,346 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 07:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2006-12-15 10:09:14 127,078 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-06-10 08:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
- 2008-09-24 01:47:40 68,316 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-09-25 03:26:04 68,316 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-09-24 01:47:40 416,600 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-09-25 03:26:04 416,600 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]
"Google Update"="C:\Documents and Settings\Natetron\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-22 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2006-08-14 98304]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2006-08-14 94208]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-16 794713]
"RemoteControl"="C:\Program Files\Video\PowerDVD\PDVDServ.exe" [2007-02-07 71216]
"LanguageShortcut"="C:\Program Files\Video\PowerDVD\Language\Language.exe" [2007-02-07 54832]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-23 131072]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-21 1235736]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll
"msacm.ac3filter"= ac3filter.acm
"msacm.l3codec"= l3codecp.acm
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Video\\PowerDVD\\PowerDVD.exe"=
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:6881
"6882:TCP"= 6882:TCP:6882
"6883:TCP"= 6883:TCP:6883
"6884:TCP"= 6884:TCP:6884
"6885:TCP"= 6885:TCP:6885
"6886:TCP"= 6886:TCP:6886
"6887:TCP"= 6887:TCP:6887
"6888:TCP"= 6888:TCP:6888
"6889:TCP"= 6889:TCP:6889
"63207:TCP"= 63207:TCP:63207tcp
"63206:TCP"= 63206:TCP:63206
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-09-21 97928]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\Video\PowerDVD\000.fcl [2006-11-02 16:51 13560]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-21 231704]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39efa72b-6bb0-11dd-974b-0013026063b3}]
\Shell\Shell00\Command - E:\Start.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-25 16:00:06
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\Video\PowerDVD\000.fcl"
.
Completion time: 2008-09-25 16:01:01
ComboFix-quarantined-files.txt 2008-09-25 22:00:52
ComboFix2.txt 2008-09-25 00:10:32
ComboFix3.txt 2008-09-24 02:06:47
Pre-Run: 62,556,758,016 bytes free
Post-Run: 62,543,589,376 bytes free
183 --- E O F --- 2008-09-12 20:53:24
=================================================
I don't see the AWF in this file, so hopefully all is good now...
pskelley
2008-09-26, 02:21
Yep...got the junk that time, let's see where we were...
Time to install Recovery Console, understand if you have a Windows XP Operating System CD, you do not need to install it. Please read the directions carefully, then if you do not understand something, let me know.
I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional but if you do not have the CD's needed, as is explained, it can be installed before we remove combofix.
If you do not have access to Recovery Console via a Windows CD, I strongly advise you to install this tool.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\*CF-RC.txt*.
http://img.photobucket.com/albums/v666/sUBs/RC1-4.gif
Since we do not need to scan with combofix, click NO
http://img.photobucket.com/albums/v666/sUBs/RC_whatnext.gif
http://img.photobucket.com/albums/v666/sUBs/RC_AllDone.gif
Thanks
I just installed the recovery console
===============================
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[Boot Loader]
Timeout=2
Default=C:\$WIN_NT$.~BT\BOOTSECT.DAT
[Operating Systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\$WIN_NT$.~BT\BOOTSECT.DAT="Microsoft Windows XP Setup"
pskelley
2008-09-26, 13:21
Good job installing Recovery Console:bigthumb: here is a little information for you.
http://support.microsoft.com/kb/314058
http://support.microsoft.com/kb/307654
Recovery Console is a tool that will allow you to recover from a catastrophic system failure, so let's hope you never need it. Many experts believe Microsoft should have installed it by default.
Remove combofix from the computer like this:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
Clean the System Restore files like this:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
Update and scan with MBAM to be sure we got all of the junk, no need to post a clean scan result.
Update AVG and scan the system to be sure it is working right and scanning clean. Here are helpful links:
FAQ
http://www.grisoft.com/ww.faq.num-773
AVG Free Forum
http://freeforum.avg.com/
Let me know all is well at this point and I will close your topic.
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
http://www.malwarecomplaints.info/
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
http://users.telenet.be/bluepatchy/miekiemoes/Links.html
MBAM and AVG find no results.
Thanks again for all the help!