PDA

View Full Version : Virtumonde issue



nfactor13
2008-10-13, 19:04
I recently detected Virtumonde on my computer. I'm running Spybot and an anti-virus program, ESET Smart Security.

I found an article here on repairs, and then ran the ComboFix program. I've copied the log file from it below. If you have any suggestions or help, I'd really appreciate it.

thanks

--

ComboFix 08-10-12.01 - KO 2008-10-13 8:57:11.3 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.624 [GMT -7:00]
Running from: C:\Documents and Settings\KO\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\KO\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\brastk.exe

.
((((((((((((((((((((((((( Files Created from 2008-09-13 to 2008-10-13 )))))))))))))))))))))))))))))))
.

2008-10-13 08:33 . 2008-10-13 08:33 <DIR> d-------- C:\Documents and Settings\Administrator
2008-10-13 08:14 . 2008-10-13 08:14 <DIR> d-------- C:\VundoFix Backups
2008-10-13 07:58 . 2008-10-13 07:58 <DIR> d--hs---- C:\FOUND.001
2008-10-13 00:19 . 2008-10-13 00:19 <DIR> d-------- C:\Program Files\sbpeywb
2008-10-10 19:58 . 2008-10-10 19:58 <DIR> d-------- C:\Program Files\hlirjmd
2008-10-10 19:16 . 2008-10-13 08:35 717 --a------ C:\WINDOWS\system32\wini10453.exe
2008-10-10 19:14 . 2008-10-13 07:55 144 --a------ C:\Documents and Settings\KO\delself.bat
2008-10-09 19:44 . 2008-10-09 19:44 <DIR> d-------- C:\Program Files\ExitReality
2008-10-09 01:49 . 2008-10-09 01:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\lorgbeha
2008-10-09 01:48 . 2008-10-09 01:48 <DIR> d-------- C:\Program Files\jbzvuyd
2008-10-09 01:48 . 2008-10-09 01:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\fslubyvo
2008-10-07 20:39 . 2008-10-07 20:39 <DIR> d--hs---- C:\FOUND.000
2008-09-29 09:10 . 2008-09-29 09:10 203,776 --a------ C:\WINDOWS\system32\clrviddc.dll
2008-09-29 09:09 . 2008-09-29 09:09 <DIR> d-------- C:\Program Files\Real
2008-09-29 09:09 . 2008-09-29 09:09 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-09-27 23:00 . 2008-09-27 23:00 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-09-27 22:59 . 2008-09-27 22:59 <DIR> d-------- C:\Program Files\Apple Software Update
2008-09-27 22:59 . 2008-09-27 22:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-09-27 13:34 . 2008-09-27 13:34 <DIR> d--h----- C:\Documents and Settings\KO\InstallAnywhere
2008-09-27 13:32 . 2008-09-27 13:32 <DIR> d-------- C:\Documents and Settings\KO\Application Data\WebRenderer
2008-09-27 13:32 . 2008-09-27 13:32 <DIR> d-------- C:\Documents and Settings\KO\.webrenderer
2008-09-22 23:19 . 2008-09-22 23:19 <DIR> d-------- C:\WINDOWS\{16D3778B-2A5E-481D-B7DC-FA4A68496C97}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-29 16:09 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-09-29 16:09 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-09-07 20:33 --------- d-----w C:\Documents and Settings\KO\Application Data\uTorrent
2008-08-14 08:09 --------- d-----w C:\Documents and Settings\KO\Application Data\OpenOffice.org2
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-02-21 06:15 21,648 ----a-w C:\Documents and Settings\KO\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2006-11-30 4662776]
"brastk"="C:\WINDOWS\system32\brastk.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 90112]
"CTStartup"="C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" [2001-12-20 28672]
"RAM Idle Professional"="D:\Program Files\RAM Idle\RAM_XP.exe" [2004-06-11 133632]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 7630848]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-11 86016]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-06-10 1447168]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SoundMan"="SOUNDMAN.EXE" [2003-02-10 C:\WINDOWS\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2003-07-28 C:\WINDOWS\system32\nwiz.exe]
"CTHelper"="CTHELPER.EXE" [2003-08-28 C:\WINDOWS\system32\CTHELPER.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"ORdY0q0zSk"="C:\Documents and Settings\All Users\Application Data\fslubyvo\fkfgbota.exe" [2008-10-09 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Chatterbox.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Chatterbox.lnk
backup=C:\WINDOWS\pss\Chatterbox.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight - Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GetRight - Tray Icon.lnk
backup=C:\WINDOWS\pss\GetRight - Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^KO^Start Menu^Programs^Startup^FriendFinder Messenger.lnk]
path=C:\Documents and Settings\KO\Start Menu\Programs\Startup\FriendFinder Messenger.lnk
backup=C:\WINDOWS\pss\FriendFinder Messenger.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^KO^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=C:\Documents and Settings\KO\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.4.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 D:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2004-05-15 21:10 339968 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
--a------ 2006-07-11 03:06 3144800 D:\Program Files\ICQLite\ICQLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
--a--c--- 2001-11-29 01:00 28672 D:\Program Files\Creative\SBLive\Program\ADGJDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 D:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-09-29 09:09 185872 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-08-03 16:02 36352 D:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 21:49 4662776 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
--a------ 2003-08-28 16:45 24576 C:\WINDOWS\system32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"D:\\Program Files\\ICQLite\\ICQLite.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\Program Files\\Kazaa Lite\\clean.kmd"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"D:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"D:\\Program Files\\eMule\\emule.exe"=
"D:\\Station\\LaunchPad\\LaunchPad.exe"=
"D:\\Station\\LaunchPad\\_aunchPad.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"D:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-02-23 9728]
R1 MgTaki;MgTaki;C:\WINDOWS\system32\Drivers\mgtaki.sys [2005-11-30 33127]
R2 CVPNDRV;Cisco Systems IPsec Driver;C:\WINDOWS\System32\Drivers\CVPNDRV.sys [2002-10-28 263751]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;D:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe runservice -w -N pgsql-8.3 -D D:\Program Files\PostgreSQL\8.3\data\ [ ]
S3 pohci13F;pohci13F;C:\DOCUME~1\KO\LOCALS~1\Temp\pohci13F.sys [ ]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;C:\WINDOWS\system32\DRIVERS\rt2870.sys [ ]
.
Contents of the 'Scheduled Tasks' folder

2008-10-04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\KO\Application Data\Mozilla\Firefox\Profiles\6pkx6vtm.default\
FF -: plugin - C:\PROGRA~1\YAHOO!\COMMON\npyaxmpb.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
FF -: plugin - D:\Program Files\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
FF -: plugin - d:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll
FF -: plugin - d:\Program Files\DivX\DivX Web Player\npdivx32.dll
FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\np32dsw.dll
FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\NPAdbESD.dll
FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\npagent.dll
FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\npdivx32.dll
FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll
FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\npnul32.dll
FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\NPPGWrap.dll
FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\nppl3260.dll
FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\nprjplug.dll
FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll
FF -: plugin - D:\Program Files\QuickTime\Plugins\npqtplugin.dll
FF -: plugin - D:\Program Files\QuickTime\Plugins\npqtplugin2.dll
FF -: plugin - D:\Program Files\QuickTime\Plugins\npqtplugin3.dll
FF -: plugin - D:\Program Files\QuickTime\Plugins\npqtplugin4.dll
FF -: plugin - D:\Program Files\QuickTime\Plugins\npqtplugin5.dll
FF -: plugin - D:\Program Files\QuickTime\Plugins\npqtplugin6.dll
FF -: plugin - D:\Program Files\QuickTime\Plugins\npqtplugin7.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-13 08:58:09
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run???h??????s?????\?w? ?w???????w???w4???????.??w4???????4???TA?s4????????&2???A~??A~????????\???\???????????U?A~??A~\???\?????????`??????C@?\???\??????s????\??????s\????&2?A??s?&2??C@?x???`|?w\?????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-13 8:58:44
ComboFix-quarantined-files.txt 2008-10-13 15:58:44
ComboFix3.txt 2008-10-13 07:46:28
ComboFix2.txt 2008-10-13 08:09:16

Pre-Run: 665,264,128 bytes free
Post-Run: 662,646,784 bytes free

210 --- E O F --- 2008-09-29 07:37:48

ken545
2008-10-14, 01:00
Hello nfactor13

Welcome to Safer Networking.

You need to read this, I am surprised you missed it, its posted right above where you posted. Its posted there for a reason.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.



If you run Combofix on your own, this forum, myself and sUbs will not be responsible if your disable your system, its a very powerful tool that should be run with supervision, its not a general all purpose cleaning tool


Download Trendmicros Hijackthis (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe) to your desktop.

Double click it to install
Follow the prompts and by default it will install in C:\Program Files\Trendmicro\Hijackthis\Highjackthis.exe
Open HJT Scan and Save a Log File, it will open in Notepad
Go to Format and make sure Wordwrap is Unchecked
Go to Edit> Select All.....Edit > Copy and Paste the new log into this thread by using the Post Reply and not start a New Thread.

DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

nfactor13
2008-10-14, 07:57
Thanks for your help. This is the Hijackthis log file info:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:56:35 PM, on 10/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\fslubyvo\fkfgbota.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\RAM Idle\RAM_XP.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTHELPER.EXE
D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\brastk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQToolbar\toolbaru.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [RAM Idle Professional] D:\Program Files\RAM Idle\RAM_XP.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe
O4 - HKLM\..\Policies\Explorer\Run: [ORdY0q0zSk] C:\Documents and Settings\All Users\Application Data\fslubyvo\fkfgbota.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://D:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download with GetRight - D:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - D:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Visit in &3D using ExitReality - http://3d.exitreality.com/TransmogrifyPage.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} (DGTx.uc1) - http://66.98.196.24/DGTx.CAB
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - D:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

--
End of file - 7158 bytes

ken545
2008-10-14, 12:03
Hello,

Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

O4 - HKLM\..\Run: C:\WINDOWS\system32\brastk.exe
O4 - HKCU\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe
O4 - HKLM\..\Policies\Explorer\Run: [ORdY0q0zSk] C:\Documents and Settings\All Users\Application Data\fslubyvo\fkfgbota.exe

Not sure what this is, if you use it and know it to be safe then keep it
O16 - DPF: {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} (DGTx.uc1) - http://66.98.196.24/DGTx.CAB




Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

This program is for XP and Windows 2000 only
Double-click [b]ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.





Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.<-- Don't forget this
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a New Hijackthis log.