Virtumonde.dll and Virtumonde.prx



Martinx
2008-10-19, 00:48
Hi all! So I recently got a pretty bad virus on MSN Messenger, and it contained all types of spyware and viruses. I deleted all regular viruses with my anti-virus program (Avast), Ad-Aware does not detect any spyware, whereas Spybot detects Virtumonde.dll and Virtumonde.prx.

I've tried fixing them with Spybot but it keeps telling me to reboot my PC and do a rescan on start-up, but then it tells me to do the same thing all over again when the scan is halfway through. Then the cycle just keeps on repeating without this spyware going away.

Here's a HijackThis logfile

Logfile of HijackThis v1.99.1
Scan saved at 00:44:37, on 2008-10-19
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Lavasoft\Ad-Aware\aawservice.exe
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\Alwil Software\Avast4\ashMaiSv.exe
C:\Program\Alwil Software\Avast4\ashWebSv.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Martin\Mina dokument\Installationer\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O1 - Hosts: 91.185.193.200 l2authd.lineage2.com
O1 - Hosts: 91.185.193.200 l2patcher.lineage2.com
O1 - Hosts: 216.107.250.194 nProtect.lineage2.com
O2 - BHO: {3fcadc08-f5e6-6d99-9464-7339cc7ba271} - {172ab7cc-9337-4649-99d6-6e5f80cdacf3} - C:\WINDOWS\system32\ygjgcu.dll
O2 - BHO: (no name) - {65268300-9F68-455C-A63E-9A452EDB996F} - C:\WINDOWS\system32\efcCSKcD.dll (file missing)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B39CB800-5902-43ED-B6FB-980550635435} - C:\WINDOWS\system32\jkkIYsqp.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {EC348313-53D3-4921-B206-9E33C7F2B4DB} - C:\WINDOWS\system32\hgGaxwxW.dll (file missing)
O2 - BHO: (no name) - {FBFD382A-AC6E-4EB7-8944-F97D358B378D} - C:\WINDOWS\system32\yaywwTLb.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [XboxStat] "c:\Program\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Messenger Service] service.exe
O4 - HKLM\..\RunServices: [Messenger Service] service.exe
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA8944] command /c del "C:\WINDOWS\system32\jkkIYsqp.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6454] cmd /c del "C:\WINDOWS\system32\jkkIYsqp.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8626] command /c del "C:\WINDOWS\system32\nubjdupm.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8863] cmd /c del "C:\WINDOWS\system32\nubjdupm.dll_old"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [BitTorrent] "C:\Program\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Program\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\RunOnce: [SpybotDeletingB34] command /c del "C:\WINDOWS\system32\jkkIYsqp.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6221] cmd /c del "C:\WINDOWS\system32\jkkIYsqp.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9222] command /c del "C:\WINDOWS\system32\nubjdupm.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3400] cmd /c del "C:\WINDOWS\system32\nubjdupm.dll_old"
O4 - Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: ygjgcu.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O20 - Winlogon Notify: yaywwTLb - C:\WINDOWS\SYSTEM32\yaywwTLb.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program\GIGABYTE\GEST\GSvr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program\Java\jre6\bin\jqs.exe" -service -config "C:\Program\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

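One way to triage the log above mechanically, as an added example that is not part of the original post and not HijackThis's own code: the script reads the O2, O4 and O20 lines and flags the loader patterns Spybot is reporting as Virtumonde, then groups hits by file name, because a single DLL reached from several load points (BHO plus AppInit_DLLs or Winlogon Notify) is the multi-hook pattern to look for and one reason a delete-and-reboot cycle keeps repeating. The sample lines are a subset copied from the posted log; the allowlists of Windows XP Winlogon Notify packages and of bare-filename autostarts are this example's own assumptions, not anything HijackThis ships.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: a subset of the O2/O4/O20 lines from the HijackThis log
# posted above, plus the benign avast!, Java and Realtek entries so the triage
# has something it must leave alone.
SAMPLE_LOG = """\
O2 - BHO: {3fcadc08-f5e6-6d99-9464-7339cc7ba271} - {172ab7cc-9337-4649-99d6-6e5f80cdacf3} - C:\\WINDOWS\\system32\\ygjgcu.dll
O2 - BHO: (no name) - {65268300-9F68-455C-A63E-9A452EDB996F} - C:\\WINDOWS\\system32\\efcCSKcD.dll (file missing)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program\\Java\\jre6\\bin\\ssv.dll
O2 - BHO: (no name) - {FBFD382A-AC6E-4EB7-8944-F97D358B378D} - C:\\WINDOWS\\system32\\yaywwTLb.dll
O4 - HKLM\\..\\Run: [avast!] C:\\Program\\ALWILS~1\\Avast4\\ashDisp.exe
O4 - HKLM\\..\\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\\..\\Run: [Messenger Service] service.exe
O4 - HKLM\\..\\RunServices: [Messenger Service] service.exe
O20 - AppInit_DLLs: ygjgcu.dll
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O20 - Winlogon Notify: yaywwTLb - C:\\WINDOWS\\SYSTEM32\\yaywwTLb.dll
"""

# Assumptions of this example, not HijackThis data: the Winlogon Notify
# packages a stock Windows XP installs, and autostart commands that normally
# appear as a bare file name because they live in %SystemRoot%.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon", "dimsntfy"}
KNOWN_BARE = {"rthdcpl.exe", "alcmtr.exe", "nwiz.exe", "ctfmon.exe", "rundll32.exe"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
                   r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<pkg>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")


def basename(path: str) -> str:
    return path.strip('"').rsplit("\\", 1)[-1]


def first_token(cmd: str) -> str:
    """Executable part of a Run value: the quoted path if quoted, else the first word."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    parts = cmd.split()
    return parts[0] if parts else ""


def triage(log: str) -> List[Dict[str, str]]:
    """One finding per suspicious line: {'line', 'file', 'reason'}."""
    findings: List[Dict[str, str]] = []

    def hit(line: str, file: str, reason: str) -> None:
        findings.append({"line": line, "file": file, "reason": reason})

    for line in log.splitlines():
        if m := O2_RE.match(line):
            # Vendor BHOs carry a name and live under Program Files; an unnamed
            # (or GUID-named) BHO loading straight from system32 is the Vundo shape.
            anonymous = m["name"] == "(no name)" or bool(GUID_RE.match(m["name"]))
            parent = m["path"].lower().rsplit("\\", 1)[0]
            if anonymous and parent.endswith("\\system32"):
                hit(line, basename(m["path"]), "anonymous BHO loading straight from system32")
        elif m := O4_RE.match(line):
            exe = first_token(m["cmd"])
            if m["key"] == "RunServices":
                hit(line, basename(exe), "RunServices is a Win9x key; XP ignores it, worms still write it")
            elif "\\" not in exe and exe.lower() not in KNOWN_BARE:
                hit(line, basename(exe), "autostart by bare file name that is not a known Windows component")
        elif m := APPINIT_RE.match(line):
            hit(line, basename(m["value"]), "AppInit_DLLs is empty on a clean XP; this DLL loads into every user32 process")
        elif (m := NOTIFY_RE.match(line)) and m["pkg"].lower() not in KNOWN_NOTIFY:
            hit(line, basename(m["path"]), "unknown Winlogon Notify package (runs inside winlogon.exe as SYSTEM)")
    return findings


def correlate(findings: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Files hooked from more than one load point: the multi-hook pattern of Vundo."""
    by_file: Dict[str, List[str]] = defaultdict(list)
    for f in findings:
        by_file[f["file"].lower()].append(f["reason"])
    return {name: reasons for name, reasons in by_file.items() if len(reasons) > 1}


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f"[!] {h['reason']}\n    {h['line']}")
    for name, reasons in correlate(hits).items():
        print(f"[!!] {name} is reached from {len(reasons)} load points")
```

Run it against a full log saved from HijackThis. The bare-name O4 rule will also fire on vendor entries that live in %SystemRoot% (the posted log has RTHDCPL.EXE and nwiz.exe, which are in the allowlist), so treat those hits as prompts to locate the file, not as verdicts. A BHO marked "(file missing)" still deserves attention: the file is gone but the CLSID registration that would reload it is not.
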
Shaba
2008-10-19, 11:24
Hi Martinx

We will begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (see http://www.bleepingcomputer.com/forums/topic114351.html). Remember to re-enable them afterwards.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

Martinx
2008-10-19, 16:40
Hi Shaba. First of all I want to thank you so much since you've helped me with many problems before. I really appreciate that you guys take your time to help other people, you're awesome!

Anyway, I'm not sure whether or not you want the ComboFix result log.txt, but just to be sure I'll add it.

Here's the log.txt that opened after the ComboFix scan was finished

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1053.18.1289 [GMT 2:00]
Running from: C:\Documents and Settings\Martin\Skrivbord\ComboFix.exe
Command switches used :: C:\Documents and Settings\Martin\Skrivbord\WindowsXP-KB310994-SP2-Pro-BootDisk-SVE.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Martin\Application Data\.#
C:\Documents and Settings\Martin\Application Data\.#\MBX@BB4@3D41A8.###
C:\Documents and Settings\Martin\Application Data\.#\MBX@BB4@3D41D8.###
C:\Documents and Settings\Martin\Application Data\.#\MBX@BB4@3D4208.###
C:\install.exe
C:\WINDOWS\admintxt.txt
C:\WINDOWS\service.exe
C:\WINDOWS\system32\cltani.dll
C:\WINDOWS\system32\codygj.dll
C:\WINDOWS\system32\DcKSCcfe.ini
C:\WINDOWS\system32\DcKSCcfe.ini2
C:\WINDOWS\system32\eyqwwmkc.dll
C:\WINDOWS\system32\faodwp.dll
C:\WINDOWS\system32\gvdlyvko.dll
C:\WINDOWS\system32\hinhjgln.dll
C:\WINDOWS\system32\jhtgftqy.dll
C:\WINDOWS\system32\jkkIYsqp.dll_old
C:\WINDOWS\system32\kuxjexdu.exe
C:\WINDOWS\system32\mpudjbun.ini
C:\WINDOWS\system32\nlgjhnih.ini
C:\WINDOWS\system32\nubjdupm.dll_old
C:\WINDOWS\system32\pbupvsdx.exe
C:\WINDOWS\system32\pgohvsvb.dll
C:\WINDOWS\system32\pqsYIkkj.ini
C:\WINDOWS\system32\pqsYIkkj.ini2
C:\WINDOWS\system32\rqRKEWOi.dll
C:\WINDOWS\system32\sofwymwx.exe
C:\WINDOWS\system32\upkackvi.ini
C:\WINDOWS\system32\WxwxaGgh.ini
C:\WINDOWS\system32\WxwxaGgh.ini2
C:\WINDOWS\system32\yaywwTLb.dll
C:\WINDOWS\system32\ygjgcu.dll

.
((((((((((((((((((((((((( Files Created from 2008-09-19 to 2008-10-19 )))))))))))))))))))))))))))))))
.

2008-10-18 11:53 . 2008-10-19 00:42 327 --a------ C:\WINDOWS\wininit.ini
2008-10-17 19:04 . 2008-10-17 19:04 49,714 --a------ C:\Documents and Settings\Martin\javamon.exe
2008-10-15 23:40 . 2008-08-14 15:27 2,189,952 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 23:40 . 2008-08-14 15:27 2,146,304 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 23:40 . 2008-08-14 15:27 2,066,816 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 23:40 . 2008-08-14 15:27 2,024,960 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-15 23:40 . 2008-09-15 17:27 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-15 23:40 . 2008-09-08 12:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-12 13:04 . 2007-03-16 10:19 5,174 -ra------ C:\WINDOWS\system32\nppt9x.vxd
2008-10-12 13:04 . 2007-03-16 10:19 4,682 -ra------ C:\WINDOWS\system32\npptNT2.sys
2008-10-12 12:51 . 2008-10-12 12:51 <KAT> d-------- C:\Documents and Settings\Martin\Application Data\InstallShield
2008-10-12 11:36 . 2008-10-12 11:36 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-10-12 10:54 . 2008-10-12 10:54 <KAT> d-------- C:\Program\Sun
2008-10-12 10:42 . 2008-10-12 10:42 <KAT> d-------- C:\WINDOWS\system32\XPSViewer
2008-10-12 10:42 . 2008-10-12 10:42 <KAT> d-------- C:\Program\Reference Assemblies
2008-10-12 10:42 . 2008-10-12 10:42 <KAT> d-------- C:\Program\MSBuild
2008-10-11 01:56 . 2008-10-19 00:26 <KAT> d-------- C:\Program\Lineage II
2008-10-09 22:42 . 2008-10-09 22:43 <KAT> d-------- C:\8c2391b8554f21b2c2e0e308fd
2008-10-09 22:42 . 2008-07-06 14:06 1,676,288 --------- C:\WINDOWS\system32\xpssvcs.dll
2008-10-09 22:42 . 2008-07-06 14:06 1,676,288 -----c--- C:\WINDOWS\system32\dllcache\xpssvcs.dll
2008-10-09 22:42 . 2008-07-06 12:50 597,504 -----c--- C:\WINDOWS\system32\dllcache\printfilterpipelinesvc.exe
2008-10-09 22:42 . 2008-07-06 14:06 575,488 --------- C:\WINDOWS\system32\xpsshhdr.dll
2008-10-09 22:42 . 2008-07-06 14:06 575,488 -----c--- C:\WINDOWS\system32\dllcache\xpsshhdr.dll
2008-10-09 22:42 . 2008-07-06 14:06 117,760 --------- C:\WINDOWS\system32\prntvpt.dll
2008-10-09 22:42 . 2008-07-06 14:06 89,088 -----c--- C:\WINDOWS\system32\dllcache\filterpipelineprintproc.dll
2008-09-28 17:15 . 2008-09-28 17:15 <KAT> d-------- C:\Program\Microsoft Games
2008-09-27 01:08 . 2008-09-27 01:08 <KAT> d-------- C:\WINDOWS\nview
2008-09-27 01:08 . 2008-09-16 21:27 453,152 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-09-27 01:08 . 2008-09-17 09:55 453,152 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-09-27 01:08 . 2008-10-19 16:30 201,621 --a------ C:\WINDOWS\system32\nvapps.xml
2008-09-27 01:08 . 2008-09-17 09:55 18,394 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-09-27 01:07 . 2008-09-27 01:07 <KAT> d-------- C:\NVIDIA
2008-09-27 01:07 . 2008-09-17 09:55 6,132,576 --a------ C:\WINDOWS\system32\drivers\nv4_mini.sys
2008-09-27 01:07 . 2008-09-17 09:55 6,132,576 --a--c--- C:\WINDOWS\system32\dllcache\nv4_mini.sys
2008-09-27 01:07 . 2008-09-17 09:55 6,057,472 --a------ C:\WINDOWS\system32\nv4_disp.dll
2008-09-27 01:07 . 2008-09-17 09:55 6,057,472 --a--c--- C:\WINDOWS\system32\dllcache\nv4_disp.dll
2008-09-20 18:39 . 2008-10-12 11:36 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
2008-09-20 12:47 . 2008-10-11 14:42 <KAT> d-------- C:\Warhammer Online - Age of Reckoning
2008-09-20 00:07 . 2008-09-20 00:07 <KAT> d-------- C:\Program\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-19 14:32 11,030,560 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-10-19 14:31 --------- d-----w C:\Program\Steam
2008-10-19 14:17 130,220 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-10-19 14:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-18 22:34 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-18 22:34 --------- d-----w C:\Program\SpywareBlaster
2008-10-12 10:51 --------- d--h--w C:\Program\InstallShield Installation Information
2008-10-12 09:36 --------- d-----w C:\Program\Java
2008-10-11 01:36 --------- d-----w C:\Program\Delade filer\Wise Installation Wizard
2008-10-11 01:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ubisoft
2008-10-05 18:07 --------- d-----w C:\Program\Spybot - Search & Destroy
2008-09-28 17:11 --------- d-----w C:\Documents and Settings\Martin\Application Data\Microsoft Games
2008-09-27 16:19 137,480 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-09-26 23:09 --------- d-----w C:\Program\AGEIA Technologies
2008-09-19 23:07 --------- d-----w C:\Program\Winamp
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-09-07 10:08 --------- d-----w C:\Program\Diablo II
2008-09-06 19:37 64,815 ----a-w C:\WINDOWS\BricoPackUninst.cmd
2008-09-06 19:37 6,114 ----a-w C:\WINDOWS\BricoPackFoldersDelete.cmd
2008-09-05 17:26 21,035 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-09-04 20:49 --------- d-----w C:\Program\QuickTime
2008-09-04 20:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-08-24 13:24 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_xusb21_01001.Wdf
2008-08-24 13:24 --------- d-----w C:\Program\Microsoft Xbox 360 Accessories
2008-08-24 13:18 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01001_Coinstaller_Critical.Wdf
2008-08-24 13:18 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_xusb20_01001.Wdf
2008-06-22 00:00 22,328 ----a-w C:\Documents and Settings\Martin\Application Data\PnkBstrK.sys
2007-03-09 14:42 1 ----a-w C:\Documents and Settings\Martin\SI.bin
.

------- Sigcheck -------

2008-04-14 21:35 976384 bcda7a0bd489b6cf8427bd37026d7f0d C:\WINDOWS\explorer.exe
2007-06-13 15:12 1033728 75cf621935a2138bb0dd354bb72548fc C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 15:23 1033728 96d1dde74e550113d2fcb97c8a4c43cb C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-04 01:34 1032704 87a3c8ead27cf3591713d629d8bcb990 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2008-04-14 21:35 976384 bcda7a0bd489b6cf8427bd37026d7f0d C:\WINDOWS\ServicePackFiles\i386\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"Steam"="C:\Program\Steam\Steam.exe" [2008-10-08 1410296]
"LogitechSoftwareUpdate"="C:\Program\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Program\DAEMON Tools\daemon.exe" [2006-11-12 157592]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="C:\Program\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="C:\Program\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"JMB36X IDE Setup"="C:\WINDOWS\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="C:\WINDOWS\system32\xRaidSetup.exe" [2007-08-29 1966080]
"Adobe Reader Speed Launcher"="C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"ZoneAlarm Client"="C:\Program\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"XboxStat"="c:\Program\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
"QuickTime Task"="C:\Program\QuickTime\QTTask.exe" [2008-05-27 413696]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-09-17 13574144]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-09-17 86016]
"SunJavaUpdateSched"="C:\Program\Java\jre6\bin\jusched.exe" [2008-10-12 140696]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-19 C:\WINDOWS\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2008-09-17 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2008-04-14 15360]

C:\Documents and Settings\Martin\Start-meny\Program\Autostart\
Adobe Gamma.lnk - C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=faodwp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program\\Steam\\steamapps\\wish_craft@hotmail.com\\counter-strike\\hl.exe"=
"C:\\mIRC\\mirc.exe"=
"C:\\Program\\Steam\\steamapps\\wish_craft@hotmail.com\\dedicated server\\hlds.exe"=
"C:\\Program\\GameSpy Arcade\\Aphex.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program\\Messenger\\msmsgs.exe"=
"C:\\Program\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17305:TCP"= 17305:TCP:BitComet 17305 TCP
"17305:UDP"= 17305:UDP:BitComet 17305 UDP

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 JavaQuickStarterService;Java Quick Starter;C:\Program\Java\jre6\bin\jqs.exe [2008-10-12 152984]
S3 GEST Service;GEST Service for program management.;C:\Program\GIGABYTE\GEST\GSvr.exe [2007-12-14 47624]
S3 npkycryp;npkycryp;C:\Program\Lineage II\system\npkycryp.sys [ ]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;C:\WINDOWS\system32\DRIVERS\wg111v3.sys [ ]
S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;C:\WINDOWS\system32\DRIVERS\xusb20.sys [2006-10-14 50048]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d0f51460-08dd-11dd-ac0c-806d6172696f}]
\Shell\AutoRun\command - D:\AutoRunCD.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{60976a85-69d7-456e-b772-ad6ce84c3b79} - C:\WINDOWS\system32\faodwp.dll
BHO-{65268300-9F68-455C-A63E-9A452EDB996F} - C:\WINDOWS\system32\efcCSKcD.dll
BHO-{B39CB800-5902-43ED-B6FB-980550635435} - C:\WINDOWS\system32\jkkIYsqp.dll
BHO-{EC348313-53D3-4921-B206-9E33C7F2B4DB} - C:\WINDOWS\system32\hgGaxwxW.dll
BHO-{FBFD382A-AC6E-4EB7-8944-F97D358B378D} - C:\WINDOWS\system32\yaywwTLb.dll
ShellIconOverlayIdentifiers-{0DB27A62-5684-44F0-A8D3-8D6AEEB7ABD9} - (no file)
HKCU-Run-BitTorrent - C:\Program\BitTorrent\bittorrent.exe
HKCU-Run-NVIDIA nTune - C:\Program\NVIDIA Corporation\nTune\nTuneCmd.exe
HKLM-Run-Adobe Photo Downloader - C:\Program\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
HKLM-Run-Messenger Service - service.exe
HKLM-RunServices-Messenger Service - service.exe
ShellExecuteHooks-{367BDF4B-04E5-46C9-9D83-D68307F659E3} - (no file)
ShellExecuteHooks-{A7B0163F-CC73-4E7C-9614-55D4C553ECE1} - (no file)
ShellExecuteHooks-{FBFD382A-AC6E-4EB7-8944-F97D358B378D} - C:\WINDOWS\system32\yaywwTLb.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Martin\Application Data\Mozilla\Firefox\Profiles\fsrt92vb.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://sv-SE.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:sv-SE:official
FF -: plugin - C:\Program\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - C:\Program\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - C:\Program\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - C:\Program\Mozilla Firefox\plugins\NPZoneSB.dll
FF -: plugin - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-19 16:30:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program\Lavasoft\Ad-Aware\aawservice.exe
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program\Alwil Software\Avast4\ashMaiSv.exe
C:\Program\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\Logitech\Video\FxSvr2.exe
.
**************************************************************************
.
Completion time: 2008-10-19 16:35:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-19 14:35:21

Pre-Run: 79,777,488,896 bytes free
Post-Run: 82,712,018,944 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-SVE.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

248 --- E O F --- 2008-10-16 12:26:33

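A check worth running on the log above, as an added example that is neither ComboFix's own tooling nor part of the thread: it cross-references the "Other Deletions" list against what "Reg Loading Points" still shows after the run. In the posted log ComboFix deleted C:\WINDOWS\system32\faodwp.dll, yet AppInit_DLLs still names faodwp.dll, so the loader reference outlived the file. The script also surfaces the firewall-policy and Security Center values and the cached AutoRun handler, and confirms that each orphan registration ComboFix removed corresponds to a file it deleted. The section banners and line shapes are assumed from this log's format; the sample is a constructed subset of it.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: a subset of the ComboFix log posted above, keeping the
# three sections this check reads (deletions, loading points, orphans).
SAMPLE = """\
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\\WINDOWS\\service.exe
C:\\WINDOWS\\system32\\faodwp.dll
C:\\WINDOWS\\system32\\yaywwTLb.dll
C:\\WINDOWS\\system32\\ygjgcu.dll

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"ZoneAlarm Client"="C:\\Program\\Zone Labs\\ZoneAlarm\\zlclient.exe" [2008-07-09 919016]

[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\windows]
"AppInit_DLLs"=faodwp.dll

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{d0f51460-08dd-11dd-ac0c-806d6172696f}]
\\Shell\\AutoRun\\command - D:\\AutoRunCD.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{60976a85-69d7-456e-b772-ad6ce84c3b79} - C:\\WINDOWS\\system32\\faodwp.dll
HKLM-Run-Messenger Service - service.exe
ShellExecuteHooks-{FBFD382A-AC6E-4EB7-8944-F97D358B378D} - C:\\WINDOWS\\system32\\yaywwTLb.dll

.
------- Supplementary Scan -------
"""

DRIVE_RE = re.compile(r"^[A-Za-z]:\\")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')

Report = Dict[str, object]


def parse_combofix(text: str) -> Report:
    """Pull the deleted-file list, the registry loading points and the orphan list
    out of a ComboFix log. Section banners are assumed from the posted log's format."""
    deleted: Set[str] = set()
    reg: Dict[str, Dict[str, str]] = {}
    orphans: List[Tuple[str, str]] = []
    section = key = None
    for raw in text.splitlines():
        line = raw.strip()
        if "Other Deletions" in line:
            section = "deleted"
        elif "Reg Loading Points" in line:
            section = "reg"
        elif "ORPHANS REMOVED" in line:
            section = "orphans"
        elif line.startswith(("((((", "-------", "*****")):
            section = None            # any other banner ends the section we were in
        elif not line or line == ".":
            pass
        elif section == "deleted" and DRIVE_RE.match(line):
            deleted.add(line)
        elif section == "reg":
            if m := KEY_RE.match(line):
                key = m.group(1)
                reg.setdefault(key, {})
            elif (m := VALUE_RE.match(line)) and key:
                reg[key][m.group(1)] = m.group(2).strip()
            elif key and line.startswith("\\Shell\\"):   # mountpoints2 AutoRun handler line
                name, _, target = line.partition(" - ")
                reg[key][name] = target
        elif section == "orphans" and " - " in line:
            where, _, target = line.partition(" - ")
            orphans.append((where, target))
    return {"deleted": deleted, "reg": reg, "orphans": orphans}


def reg_int(value: str) -> int:
    """Decode the two integer spellings ComboFix prints: 'dword:00000001' and '0 (0x0)'."""
    if value.lower().startswith("dword:"):
        return int(value[6:], 16)
    return int(value.split()[0])


def basename(path: str) -> str:
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def findings(report: Report) -> List[Tuple[str, str]]:
    """(severity, detail) pairs. 'high' = a load point still names a file this run deleted."""
    out: List[Tuple[str, str]] = []
    deleted_names = {basename(p) for p in report["deleted"]}
    for key, values in report["reg"].items():
        leaf = key.rsplit("\\", 1)[-1]
        for name, value in values.items():
            target = basename(value.split(" [")[0])      # drop ComboFix's "[date size]" suffix
            dangling = target in deleted_names
            if name == "AppInit_DLLs":
                note = " (file deleted this run, value not cleared)" if dangling else ""
                out.append(("high", f"AppInit_DLLs={value}{note}"))
            elif dangling:
                out.append(("high", f"{leaf}\\{name} still references deleted file {value}"))
            elif name == "EnableFirewall" and reg_int(value) == 0:
                out.append(("info", "Windows Firewall standard profile is off; confirm a third-party firewall is running"))
            elif name == "DisableMonitoring" and reg_int(value) == 1:
                out.append(("info", f"Security Center monitoring disabled under {leaf}"))
            elif name.lower().endswith("\\autorun\\command"):
                out.append(("info", f"cached AutoRun handler for a removable volume: {value}"))
    for where, target in report["orphans"]:
        if basename(target) in deleted_names:
            out.append(("ok", f"{where} unhooked and {basename(target)} deleted"))
        else:
            out.append(("info", f"{where} unhooked; {target} not among this run's deletions"))
    return out


if __name__ == "__main__":
    for severity, detail in findings(parse_combofix(SAMPLE)):
        print(f"[{severity}] {detail}")
```

EnableFirewall=0 together with a third-party firewall is the expected state (ZoneAlarm's vsmon.exe is running in the same log, and the Security Center entry sits under a ZoneLabsFirewall subkey, consistent with the firewall's own registration), so the script reports those as informational rather than as findings. The AppInit_DLLs line is the one to hand back to the helper: an AppInit DLL is loaded into every process that links user32.dll, and the value does not clear itself when the file is gone.

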
Martinx
2008-10-19, 16:41
Here's the ComboFix.txt


ComboFix 08-10-18.03 - Martin 2008-10-19 16:13:12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1053.18.1289 [GMT 2:00]
Running from: C:\Documents and Settings\Martin\Skrivbord\ComboFix.exe
Command switches used :: C:\Documents and Settings\Martin\Skrivbord\WindowsXP-KB310994-SP2-Pro-BootDisk-SVE.exe
* Created a new restore point
2007-03-09 14:42 1 ----a-w C:\Documents and Settings\Martin\SI.bin
.

------- Sigcheck -------

2008-04-14 21:35 976384 bcda7a0bd489b6cf8427bd37026d7f0d C:\WINDOWS\explorer.exe
2007-06-13 15:12 1033728 75cf621935a2138bb0dd354bb72548fc C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 15:23 1033728 96d1dde74e550113d2fcb97c8a4c43cb C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-04 01:34 1032704 87a3c8ead27cf3591713d629d8bcb990 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2008-04-14 21:35 976384 bcda7a0bd489b6cf8427bd37026d7f0d C:\WINDOWS\ServicePackFiles\i386\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"Steam"="C:\Program\Steam\Steam.exe" [2008-10-08 1410296]
"LogitechSoftwareUpdate"="C:\Program\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Program\DAEMON Tools\daemon.exe" [2006-11-12 157592]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="C:\Program\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="C:\Program\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"JMB36X IDE Setup"="C:\WINDOWS\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="C:\WINDOWS\system32\xRaidSetup.exe" [2007-08-29 1966080]
"Adobe Reader Speed Launcher"="C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"ZoneAlarm Client"="C:\Program\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"XboxStat"="c:\Program\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
"QuickTime Task"="C:\Program\QuickTime\QTTask.exe" [2008-05-27 413696]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-09-17 13574144]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-09-17 86016]
"SunJavaUpdateSched"="C:\Program\Java\jre6\bin\jusched.exe" [2008-10-12 140696]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-19 C:\WINDOWS\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2008-09-17 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2008-04-14 15360]

C:\Documents and Settings\Martin\Start-meny\Program\Autostart\
Adobe Gamma.lnk - C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=faodwp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program\\Steam\\steamapps\\wish_craft@hotmail.com\\counter-strike\\hl.exe"=
"C:\\mIRC\\mirc.exe"=
"C:\\Program\\Steam\\steamapps\\wish_craft@hotmail.com\\dedicated server\\hlds.exe"=
"C:\\Program\\GameSpy Arcade\\Aphex.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program\\Messenger\\msmsgs.exe"=
"C:\\Program\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17305:TCP"= 17305:TCP:BitComet 17305 TCP
"17305:UDP"= 17305:UDP:BitComet 17305 UDP

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 JavaQuickStarterService;Java Quick Starter;C:\Program\Java\jre6\bin\jqs.exe [2008-10-12 152984]
S3 GEST Service;GEST Service for program management.;C:\Program\GIGABYTE\GEST\GSvr.exe [2007-12-14 47624]
S3 npkycryp;npkycryp;C:\Program\Lineage II\system\npkycryp.sys [ ]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;C:\WINDOWS\system32\DRIVERS\wg111v3.sys [ ]
S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;C:\WINDOWS\system32\DRIVERS\xusb20.sys [2006-10-14 50048]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d0f51460-08dd-11dd-ac0c-806d6172696f}]
\Shell\AutoRun\command - D:\AutoRunCD.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{60976a85-69d7-456e-b772-ad6ce84c3b79} - C:\WINDOWS\system32\faodwp.dll
BHO-{65268300-9F68-455C-A63E-9A452EDB996F} - C:\WINDOWS\system32\efcCSKcD.dll
BHO-{B39CB800-5902-43ED-B6FB-980550635435} - C:\WINDOWS\system32\jkkIYsqp.dll
BHO-{EC348313-53D3-4921-B206-9E33C7F2B4DB} - C:\WINDOWS\system32\hgGaxwxW.dll
BHO-{FBFD382A-AC6E-4EB7-8944-F97D358B378D} - C:\WINDOWS\system32\yaywwTLb.dll
ShellIconOverlayIdentifiers-{0DB27A62-5684-44F0-A8D3-8D6AEEB7ABD9} - (no file)
HKCU-Run-BitTorrent - C:\Program\BitTorrent\bittorrent.exe
HKCU-Run-NVIDIA nTune - C:\Program\NVIDIA Corporation\nTune\nTuneCmd.exe
HKLM-Run-Adobe Photo Downloader - C:\Program\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
HKLM-Run-Messenger Service - service.exe
HKLM-RunServices-Messenger Service - service.exe
ShellExecuteHooks-{367BDF4B-04E5-46C9-9D83-D68307F659E3} - (no file)
ShellExecuteHooks-{A7B0163F-CC73-4E7C-9614-55D4C553ECE1} - (no file)
ShellExecuteHooks-{FBFD382A-AC6E-4EB7-8944-F97D358B378D} - C:\WINDOWS\system32\yaywwTLb.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Martin\Application Data\Mozilla\Firefox\Profiles\fsrt92vb.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://sv-SE.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:sv-SE:official
FF -: plugin - C:\Program\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - C:\Program\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - C:\Program\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - C:\Program\Mozilla Firefox\plugins\NPZoneSB.dll
FF -: plugin - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-19 16:30:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program\Lavasoft\Ad-Aware\aawservice.exe
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program\Alwil Software\Avast4\ashMaiSv.exe
C:\Program\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\Logitech\Video\FxSvr2.exe
.
**************************************************************************
.
Completion time: 2008-10-19 16:35:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-19 14:35:21

Pre-Run: 79*777*488*896 byte ledigt
Post-Run: 82,712,018,944 byte ledigt

WindowsXP-KB310994-SP2-Pro-BootDisk-SVE.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

248 --- E O F --- 2008-10-16 12:26:33

Martinx
2008-10-19, 16:42
Oh whoops didn't notice they were the same haha. Oh well.

Anyways, here's a HijackThis logfile.


Logfile of HijackThis v1.99.1
Scan saved at 16:41:31, on 2008-10-19
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program\Lavasoft\Ad-Aware\aawservice.exe
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Alwil Software\Avast4\ashMaiSv.exe
C:\Program\Alwil Software\Avast4\ashWebSv.exe
C:\Program\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program\Logitech\Video\LogiTray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Logitech\Video\FxSvr2.exe
C:\WINDOWS\explorer.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Martin\Mina dokument\Installationer\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [XboxStat] "c:\Program\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Program\Logitech\Video\ManifestEngine.exe boot
O4 - Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: faodwp.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program\GIGABYTE\GEST\GSvr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program\Java\jre6\bin\jqs.exe" -service -config "C:\Program\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Martinx
2008-10-19, 17:20
OH and by the way I re-enabled TeaTimer and accidentally denied an entry called "SpybotDeletingB34". Did I do something wrong there?

Martinx
2008-10-19, 17:20
^^PLEASE READ THE ABOVE

Just want to make sure you didn't miss the above post!

Shaba
2008-10-19, 18:40
That was absolutely the right thing to do :)

To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here in your next reply.

Martinx
2008-10-19, 19:05

Oh no!!! When I rebooted my computer I got new prompts from TeaTimer with like 4 new ones of those thingies, and I allowed all of them! :( I thought that would be the right thing to do >.<

Oh well I'll follow your instructions

Martinx
2008-10-19, 19:09
Oh and exactly which file are you talking about? I understood the steps, I just didn't understand which file you meant when you wrote "and specify where you would like to save this file"

Shaba
2008-10-19, 19:16
I am talking about the uninstall list file which the HijackThis uninstall manager creates.

Martinx
2008-10-20, 14:18
Got it!

Here it is


Ad-Aware
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 8.1.2 - Svenska
Adobe Stock Photos 1.0
AquaMark3
avast! Antivirus
BitComet 1.02
Call of Duty(R) 4 - Modern Warfare(TM) 1.4 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.6 Patch
DEVIL MAY CRY 4
DH Driver Cleaner Professional Edition
Diablo II
DivX Codec
DivX Converter
DivX Player
DivX Web Player
Drivrutiner till Logitech® Camera
Dynamic Energy Saver B7.1214.3
EverQuest II
EverQuest II: Rise of Kunark
Fraps (remove only)
GameSpy Arcade
Gigabyte Raid Configurer
Google Earth
Heroes of Might and Magic® III
High Definition Audio Driver Package - KB888111
HijackThis 1.99.1
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Java(TM) 6 Update 10
Kaspersky Online Scanner
Lineage II
Logitech QuickCam Software
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Games for Windows - LIVE Redistributable
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.1
Microsoft National Language Support Downlevel APIs
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Xbox 360 Accessories 1.1
mIRC
Mozilla Firefox (3.0.3)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 Parser and SDK
Nero 7 Lite 7.7.5.1
NVIDIA Drivers
NVIDIA PhysX v8.09.04
OpenOffice.org Installer 1.0
Pack Vista Inspirat 2 1.0
Panda ActiveScan
PunkBuster Services
QuickTime
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
SILENT HILL 3
Snabbkorrigering för Windows Internet Explorer 7 (KB947864)
Snabbkorrigering för Windows XP (KB952287)
SoundMAX
Spybot - Search & Destroy
SpywareBlaster 4.1
Steam
Säkerhetsuppdatering för Windows Internet Explorer 7 (KB938127)
Säkerhetsuppdatering för Windows Internet Explorer 7 (KB942615)
Säkerhetsuppdatering för Windows Internet Explorer 7 (KB944533)
Säkerhetsuppdatering för Windows Internet Explorer 7 (KB950759)
Säkerhetsuppdatering för Windows Internet Explorer 7 (KB953838)
Säkerhetsuppdatering för Windows Internet Explorer 7 (KB956390)
Säkerhetsuppdatering för Windows Media Player 8 (KB917734)
Säkerhetsuppdatering för Windows Media Player 9 (KB911565)
Säkerhetsuppdatering för Windows Media Player 9 (KB917734)
Säkerhetsuppdatering för Windows XP (KB923789)
Säkerhetsuppdatering för Windows XP (KB938464)
Säkerhetsuppdatering för Windows XP (KB941569)
Säkerhetsuppdatering för Windows XP (KB946648)
Säkerhetsuppdatering för Windows XP (KB950760)
Säkerhetsuppdatering för Windows XP (KB950762)
Säkerhetsuppdatering för Windows XP (KB950974)
Säkerhetsuppdatering för Windows XP (KB951066)
Säkerhetsuppdatering för Windows XP (KB951376)
Säkerhetsuppdatering för Windows XP (KB951376-v2)
Säkerhetsuppdatering för Windows XP (KB951698)
Säkerhetsuppdatering för Windows XP (KB951748)
Säkerhetsuppdatering för Windows XP (KB952954)
Säkerhetsuppdatering för Windows XP (KB953839)
Säkerhetsuppdatering för Windows XP (KB954211)
Säkerhetsuppdatering för Windows XP (KB956391)
Säkerhetsuppdatering för Windows XP (KB956803)
Säkerhetsuppdatering för Windows XP (KB956841)
Säkerhetsuppdatering för Windows XP (KB957095)
TeamSpeak 2 RC2
Uppdatering för Windows XP (KB951072-v2)
Uppdatering för Windows XP (KB951978)
Warhammer Online: Age of Reckoning
VentriloMIX
VideoLAN VLC media player 0.8.6c
Winamp (remove only)
Windows Live inloggningsassistenten
Windows Live installer
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Media Format Runtime
Windows XP Service Pack 3
WinRAR archiver
WinZip 11.1
ZoneAlarm
ZoneAlarm Spy Blocker

Shaba
2008-10-20, 14:43
IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

uTorrent
BitComet 1.02

I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Uninstall also this:

ZoneAlarm SpyBlocker

Delete these afterwards:

C:\Program\BitComet
C:\Program\uTorrent

Please run a new uninstall list scan when finished and post the log back here.

Martinx
2008-10-21, 15:57
Here ya go!


Ad-Aware
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 8.1.2 - Svenska
Adobe Stock Photos 1.0
AquaMark3
avast! Antivirus
Call of Duty(R) 4 - Modern Warfare(TM) 1.4 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.6 Patch
DEVIL MAY CRY 4
DH Driver Cleaner Professional Edition
Diablo II
DivX Codec
DivX Converter
DivX Player
DivX Web Player
Drivrutiner till Logitech® Camera
Dynamic Energy Saver B7.1214.3
EverQuest II
EverQuest II: Rise of Kunark
Fraps (remove only)
GameSpy Arcade
Gigabyte Raid Configurer
Google Earth
Heroes of Might and Magic® III
High Definition Audio Driver Package - KB888111
HijackThis 1.99.1
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Java(TM) 6 Update 10
Kaspersky Online Scanner
Lineage II
Logitech QuickCam Software
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Games for Windows - LIVE Redistributable
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.1
Microsoft National Language Support Downlevel APIs
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Xbox 360 Accessories 1.1
mIRC
Mozilla Firefox (3.0.3)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 Parser and SDK
Nero 7 Lite 7.7.5.1
NVIDIA Drivers
NVIDIA PhysX v8.09.04
OpenOffice.org Installer 1.0
Pack Vista Inspirat 2 1.0
Panda ActiveScan
PunkBuster Services
QuickTime
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
SILENT HILL 3
Snabbkorrigering för Windows Internet Explorer 7 (KB947864)
Snabbkorrigering för Windows XP (KB952287)
SoundMAX
Spybot - Search & Destroy
SpywareBlaster 4.1
Steam
Säkerhetsuppdatering för Windows Internet Explorer 7 (KB938127)
Säkerhetsuppdatering för Windows Internet Explorer 7 (KB942615)
Säkerhetsuppdatering för Windows Internet Explorer 7 (KB944533)
Säkerhetsuppdatering för Windows Internet Explorer 7 (KB950759)
Säkerhetsuppdatering för Windows Internet Explorer 7 (KB953838)
Säkerhetsuppdatering för Windows Internet Explorer 7 (KB956390)
Säkerhetsuppdatering för Windows Media Player 8 (KB917734)
Säkerhetsuppdatering för Windows Media Player 9 (KB911565)
Säkerhetsuppdatering för Windows Media Player 9 (KB917734)
Säkerhetsuppdatering för Windows XP (KB923789)
Säkerhetsuppdatering för Windows XP (KB938464)
Säkerhetsuppdatering för Windows XP (KB941569)
Säkerhetsuppdatering för Windows XP (KB946648)
Säkerhetsuppdatering för Windows XP (KB950760)
Säkerhetsuppdatering för Windows XP (KB950762)
Säkerhetsuppdatering för Windows XP (KB950974)
Säkerhetsuppdatering för Windows XP (KB951066)
Säkerhetsuppdatering för Windows XP (KB951376)
Säkerhetsuppdatering för Windows XP (KB951376-v2)
Säkerhetsuppdatering för Windows XP (KB951698)
Säkerhetsuppdatering för Windows XP (KB951748)
Säkerhetsuppdatering för Windows XP (KB952954)
Säkerhetsuppdatering för Windows XP (KB953839)
Säkerhetsuppdatering för Windows XP (KB954211)
Säkerhetsuppdatering för Windows XP (KB956391)
Säkerhetsuppdatering för Windows XP (KB956803)
Säkerhetsuppdatering för Windows XP (KB956841)
Säkerhetsuppdatering för Windows XP (KB957095)
TeamSpeak 2 RC2
Uppdatering för Windows XP (KB951072-v2)
Uppdatering för Windows XP (KB951978)
Warhammer Online: Age of Reckoning
VentriloMIX
VideoLAN VLC media player 0.8.6c
Winamp (remove only)
Windows Live inloggningsassistenten
Windows Live installer
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Media Format Runtime
Windows XP Service Pack 3
WinRAR archiver
WinZip 11.1
ZoneAlarm

Shaba
2008-10-21, 16:00
Please click this link-->Jotti (http://virusscan.jotti.org/)

Copy/paste the file on the list into the white Upload a file box and click Submit/Send (depends on which one you are using Jotti or VirusTotal).

C:\WINDOWS\explorer.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

Martinx
2008-10-22, 00:43
Which file exactly do you want me to upload on Jotti?

Shaba
2008-10-22, 10:45
This file:

C:\WINDOWS\explorer.exe

Martinx
2008-10-22, 14:50
Hmmm. The whole list says "Found Nothing", then nothing happens.

Does that mean I'm clean?

Oh and by the way. Before we started this whole process I was asked to disable my Avast antivirus on-access protection. Ever since I did that it hasn't been enabled again, and I've restarted my computer several times.

The on-access protection is like an Avast icon in the system tray that like spins around from time to time making sure I don't get attacked by any viruses.

Martinx
2008-10-22, 14:51
Oh wait a second. In the "Statistics" list I found these

A-Squared Backdoor.Win32.FC.C!IK

Ikarus Backdoor.Win32.FC.C



I've been aware of the backdoor for a long time now though, and just haven't been bothered to do anything about it as it requires so much hassle>.<

Shaba
2008-10-22, 15:00
Thanks for the information.

Please scan also these three files in jotti and post back results:

C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
C:\WINDOWS\$NtUninstallKB938828$\explorer.exe

Martinx
2008-10-22, 15:41
I couldn't find a file called explorer.exe, but I did find a file called "KB938828"

Results for C:\WINDOWS\KB938828:

A-Squared Win32.SuspectCrc!IK

Ikarus Win32.SuspectCrc


The other files I can't find.

Shaba
2008-10-22, 16:03
Please copy/paste the file paths into the Jotti Upload a file box; they all should be there.

For example:

Copy/paste this to Upload a file box and click submit:

C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe

And redo the same procedure with the other files.

Shaba
2008-10-27, 09:30
Due to the lack of feedback this Topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.

Shaba
2008-10-28, 14:52
Re-opened upon request.

Martinx
2008-10-30, 09:29
It won't work. When I try to paste this path into the upload box, the text won't appear. Nothing happens.

Shaba
2008-10-30, 09:56
OK, let's try this:

Copy each of these files to some folder (not c:\windows, only one in each folder) and try to upload them again, please.

C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
C:\WINDOWS\$NtUninstallKB938828$\explorer.exe

Martinx
2008-10-30, 11:40
Thing is that I can't find any files in C:\WINDOWS with any of those three names.

Maybe I have an option to hide those files?

Shaba
2008-10-30, 11:50
Yes, they are hidden by default.

See here (http://www.xtra.co.nz/help/0,,4155-1916458,00.html) and let me know if you are now able to find them :)

Shaba
2008-11-08, 11:06
Due to the lack of feedback this Topic is closed.

Shaba
2008-11-08, 14:00
Re-opened upon request.

Martinx
2008-11-08, 22:49
Results for C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe:

A-Squared Trojan.BAT.Delfiles.by!IK
AntiVir BDS/Delfiles.BY.1
Avast BV:Malware-gen
ClamAV Trojan.BAT.Delfiles-8
CPsecure Troj.BAT.DelFiles.by
F-Secure Anti-Virus Trojan.BAT.DelFiles.by
G DATA BV:Malware-gen
Ikarus Trojan.BAT.Delfiles.by
Kaspersky Anti-Virus Trojan.BAT.DelFiles.by

Results for C:\WINDOWS\$NtServicePackUninstall$\explorer.exe:

VBA32 Found Worm.Win32.Huhk.c
A-Squared Trojan.Dmservinf.A!IK
AntiVir TR/Patched.BU
BitDefender Trojan.Dmservinf.A
F-Prot Antivirus W32/Patched.F.gen!Eldorado
G DATA Trojan.Dmservinf.A
Ikarus Trojan.Dmservinf.A
NOD32 Win32/Patched.BU

Results for C:\WINDOWS\$NtUninstallKB938828$\explorer.exe:

Ikarus Trojan-Downloader.Agent.18432.E
A-Squared Trojan-Downloader.Agent.18432.E!IK
AntiVir TR/Dldr.Agent.18432.E

There ya go^^

Shaba
2008-11-09, 11:10
So it looks like they are all infected.

Go to Start - Run.

Type sfc /scannow and click OK.

Insert the Windows CD if asked.

Re-run ComboFix and post back a fresh ComboFix log, please.
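
Before chasing a CD, it helps to know which of the explorer.exe copies on the box actually differ from each other and whether any carry a valid signature. The following PowerShell script is an added example for this thread (it is not part of the forum posts, Spybot or ComboFix): it walks C:\WINDOWS with -Force so the hidden $hf_mig$ and $NtUninstall*$ folders mentioned in the earlier posts are included, hashes every explorer.exe with SHA-256, queries the Authenticode signature, and lists the copies whose hash does not match the live C:\WINDOWS\explorer.exe. It assumes PowerShell 2.0 or later on the machine; the $root path and the output layout are the example's own choices.

```powershell
# Added example, not from the thread. Inventory every explorer.exe under C:\WINDOWS
# (including hidden service-pack/hotfix uninstall folders) and flag copies that differ
# from the live system file. Assumes PowerShell 2.0+; $root is an assumed location.
$root = 'C:\WINDOWS'
$sha  = [System.Security.Cryptography.SHA256]::Create()

# -Force is what surfaces the hidden $hf_mig$ / $NtUninstall*$ folders.
$copies = Get-ChildItem -Path $root -Filter 'explorer.exe' -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer }

$report = foreach ($f in $copies) {
    # Hash the file bytes; .NET is used because Get-FileHash does not exist before PS 4.0.
    $stream = [System.IO.File]::OpenRead($f.FullName)
    try   { $hash = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }

    # Embedded Authenticode signature, if any. XP-era system files are catalog-signed,
    # so 'NotSigned' here is not proof of tampering; a mismatching hash is the stronger signal.
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    $signer = '(none)'
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    New-Object PSObject -Property @{
        Path   = $f.FullName
        Size   = $f.Length
        SHA256 = $hash
        Status = $sig.Status
        Signer = $signer
    }
}

$report | Sort-Object Path | Format-Table -AutoSize Path, Size, Status, SHA256

# Copies whose bytes differ from the live explorer.exe are the ones to look at more closely.
$live = ($report | Where-Object { $_.Path -eq (Join-Path $root 'explorer.exe') }).SHA256
"`nCopies that differ from $root\explorer.exe:"
$report | Where-Object { $_.SHA256 -ne $live } | Select-Object Path, Size, Status
```

Run it from an elevated PowerShell prompt. A matching hash only tells you the copies are identical to each other, not that they are clean; if the live file is itself patched, all of them can agree and still be bad, which is exactly why a known-good copy from install media or a trusted machine is still needed to finish the comparison.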

Martinx
2008-11-11, 18:36
I don't have a windows cd at the moment:(

Shaba
2008-11-11, 18:50
Any specific reason why you don't have a Windows CD at the moment?

Martinx
2008-11-11, 18:52
Is there no other way to do it?:(

Martinx
2008-11-11, 18:53
Well, pretty much because I lost it ages ago...

Shaba
2008-11-11, 18:53
Well, as it looks like all your copies of explorer.exe are infected, we need a clean copy, and a clean copy can be found on the CD.

Martinx
2008-11-11, 19:16
Oh... and there's no other way of getting rid of these infections?

Oh well... I guess I'll have to search like crazy, but I'm 90% sure I won't find it:(

Shaba
2008-11-11, 19:18
We need a Windows XP CD.

If you can't find yours, you can borrow one from a friend, for example.

Martinx
2008-11-11, 19:23
Yeah okay sure, I'll get ahold of an xp cd as soon as possible and get back to you. Just don't close this thread unless 5 days pass without a reply, which won't happen;p

Shaba
2008-11-11, 19:25
Thanks for the information :)

Martinx
2008-11-11, 19:28
Once again, thanks a lot for your help! You rock!

Shaba
2008-11-19, 11:19
Martinx?

Shaba
2008-11-24, 10:30
Due to the lack of feedback this Topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.