View Full Version : Smitfraud-C.CoreService virus on my computer. Please help!
Somehow I got this Trojan on my computer and i can't get rid of it. Everytime I scan with Spybot, the program tells me that it successfully got rid of the virus but when I do a scan immediately afterwards, it tells me that the Smitfraud-C.CoreService virus is still there. Attached is a log from my last scan with Spybot.
Some of the strange behavior I'm experiencing on my PC is I get strange pop ups and wav files running on my computer even if I don't have an internet browser on. My computer seems to be going slower than usual and according to the Spybot help message, this virus is collecting my personal information and transmitting it to unauthorized servers.
In addition, I have a file called "zemujaku" in my C:\WINDOWS\system32 folder. I keep trying to delete it and it keeps coming back. I know it's a bad file because when I noticed it for the first time it was date-stamped with the date and time I got the virus (yes, I actually know exactly when I got the virus). In addition, the following string is in my registry: "Rundll32.exe "C:\WINDOWS\system32\yaluwani.dll",s" - it's in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. When I go to msconfig it has that file in the startup tab but even when I uncheck it, the line is checked after I restart. I usually see a couple of black windows (like DOS) flash quickly as I boot up my computer. I'm assuming this is causing one of them to run.
I also read in a post about SDFix.exe and I tried to run it on my computer in SafeMode but it didn't actually do anything. After the DOS window got to the second line (which had something to do with checking something) - it stayed there for the entire day that I had it running. Finally I quit the batch file since it didn't seem to go anywhere. While the batch file was supposed to be running I kept looking at my When I looked at my windows task manager and it was showing my CPU usage at 0% (not sure if that meant that SDFix wasn't doing anything).
I realize this a little bit of an erratic post but I really need some help. I thought I could fight this on my own but I'm out of ideas. Any help would be greatly appreciated!
Thanks!
P.S. As I couldn't attach the log from SpyBot, I'm pasting it below:
--- Search result list ---
Hint of the Day: Click the bar at the right of this to see more information! ()
Smitfraud-C.CoreService: [SBI $9C656B9A] Data (File, nothing done)
C:\WINDOWS\system32\drivers\core.cache.dsk
--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---
2008-07-07 blindman.exe (1.0.0.8)
2008-07-07 SDFiles.exe (1.6.0.4)
2008-07-07 SDMain.exe (1.0.0.6)
2008-07-07 SDUpdate.exe (1.6.0.8)
2008-07-07 SDWinSec.exe (1.0.0.12)
2008-07-07 SpybotSD.exe (1.6.0.30)
2008-07-07 TeaTimer.exe (1.6.0.20)
2008-11-09 unins000.exe (51.49.0.0)
2008-07-07 Update.exe (1.6.0.7)
2008-10-22 advcheck.dll (1.6.2.13)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-07-07 SDHelper.dll (1.6.0.12)
2008-06-19 sqlite3.dll
2008-10-22 Tools.dll (2.1.6.8)
2008-11-04 Includes\Adware.sbi (*)
2008-11-05 Includes\AdwareC.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2008-09-02 Includes\Dialer.sbi (*)
2008-09-09 Includes\DialerC.sbi (*)
2008-07-23 Includes\HeavyDuty.sbi (*)
2008-09-02 Includes\Hijackers.sbi (*)
2008-10-28 Includes\HijackersC.sbi (*)
2008-09-09 Includes\Keyloggers.sbi (*)
2008-11-04 Includes\KeyloggersC.sbi (*)
2008-11-04 Includes\Malware.sbi (*)
2008-11-04 Includes\MalwareC.sbi (*)
2008-11-03 Includes\PUPS.sbi (*)
2008-11-04 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-18 Includes\Security.sbi (*)
2008-10-23 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-11-04 Includes\Spyware.sbi (*)
2008-11-04 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2008-11-04 Includes\Trojans.sbi (*)
2008-11-04 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
--- System information ---
Windows XP (Build: 2600) Service Pack 3 (5.1.2600)
/ Windows / SP1: Microsoft Internationalized Domain Names Mitigation APIs
/ Windows / SP1: Microsoft National Language Support Downlevel APIs
/ Windows Media Player 6.4: Security Update for Windows Media Player 6.4 (KB925398)
/ Windows Media Player 9: Security Update for Windows Media Player 9 (KB936782)
/ Windows XP: Security Update for Windows XP (KB923689)
/ Windows XP: Security Update for Windows XP (KB941569)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB938127)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB944533)
/ Windows XP / SP0: Hotfix for Windows Internet Explorer 7 (KB947864)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB950759)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB953838)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB956390)
/ Windows XP / SP3: Windows XP Service Pack 3
/ Windows XP / SP4: Security Update for Windows XP (KB938464)
/ Windows XP / SP4: Security Update for Windows XP (KB946648)
/ Windows XP / SP4: Security Update for Windows XP (KB950760)
/ Windows XP / SP4: Security Update for Windows XP (KB950762)
/ Windows XP / SP4: Security Update for Windows XP (KB950974)
/ Windows XP / SP4: Security Update for Windows XP (KB951066)
/ Windows XP / SP4: Update for Windows XP (KB951072-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB951376)
/ Windows XP / SP4: Security Update for Windows XP (KB951376-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB951698)
/ Windows XP / SP4: Security Update for Windows XP (KB951748)
/ Windows XP / SP4: Update for Windows XP (KB951978)
/ Windows XP / SP4: Hotfix for Windows XP (KB952287)
/ Windows XP / SP4: Security Update for Windows XP (KB952954)
/ Windows XP / SP4: Security Update for Windows XP (KB953839)
/ Windows XP / SP4: Security Update for Windows XP (KB954211)
/ Windows XP / SP4: Security Update for Windows XP (KB956391)
/ Windows XP / SP4: Security Update for Windows XP (KB956803)
/ Windows XP / SP4: Security Update for Windows XP (KB956841)
/ Windows XP / SP4: Security Update for Windows XP (KB957095)
/ Windows XP / SP4: Security Update for Windows XP (KB958644)
/ XML Paper Specification Shared Components Pack 1.0: XML Paper Specification Shared Components Pack 1.0
--- Startup entries list ---
Located: HK_LM:Run, MSConfig
command: C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
file: C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
size: 169984
MD5: A81135541C9D4EBCE43EFA8AD31395B4
Located: HK_LM:Run, SunJavaUpdateSched
command: "C:\Program Files\Java\jre6\bin\jusched.exe"
file: C:\Program Files\Java\jre6\bin\jusched.exe
size: 140696
MD5: 9F73FA1CED41F95DEADE21649DF48DD2
Located: HK_LM:Run, zowiruzewa
command: Rundll32.exe "C:\WINDOWS\system32\yaluwani.dll",s
file: C:\WINDOWS\system32\yaluwani.dll
size: 59904
MD5: 70200DB63A0A9BE2EA238952385DD78B
Located: HK_CU:Run, CTFMON.EXE
where: .DEFAULT...
command: C:\WINDOWS\system32\CTFMON.EXE
file: C:\WINDOWS\system32\CTFMON.EXE
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3
Located: HK_CU:Run, CTFMON.EXE
where: S-1-5-19...
command: C:\WINDOWS\system32\CTFMON.EXE
file: C:\WINDOWS\system32\CTFMON.EXE
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3
Located: HK_CU:Run, zowiruzewa
where: S-1-5-19...
command: Rundll32.exe "C:\WINDOWS\system32\yaluwani.dll",s
file: C:\WINDOWS\system32\yaluwani.dll
size: 59904
MD5: 70200DB63A0A9BE2EA238952385DD78B
Located: HK_CU:Run, CTFMON.EXE
where: S-1-5-20...
command: C:\WINDOWS\system32\CTFMON.EXE
file: C:\WINDOWS\system32\CTFMON.EXE
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3
Located: HK_CU:Run, zowiruzewa
where: S-1-5-20...
command: Rundll32.exe "C:\WINDOWS\system32\yaluwani.dll",s
file: C:\WINDOWS\system32\yaluwani.dll
size: 59904
MD5: 70200DB63A0A9BE2EA238952385DD78B
Located: HK_CU:Run, CTFMON.EXE
where: S-1-5-21-1177238915-1409082233-839522115-1003...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3
Located: HK_CU:Run, gadcom
where: S-1-5-21-1177238915-1409082233-839522115-1003...
command: "C:\Documents and Settings\Snezhi Nicodemus\Application Data\gadcom\gadcom.exe" 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
file: C:\Documents and Settings\Snezhi Nicodemus\Application Data\gadcom\gadcom.exe
size: 56832
MD5: CE4DBC7F1D6330ECC0F76F4FD31C3AC5
Located: HK_CU:Run, CTFMON.EXE
where: S-1-5-18...
command: C:\WINDOWS\system32\CTFMON.EXE
file: C:\WINDOWS\system32\CTFMON.EXE
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3
Located: Startup (common), VIA RAID TOOL.lnk
where: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup...
command: C:\Program Files\VIA\RAID\raid_tool.exe
file: C:\Program Files\VIA\RAID\raid_tool.exe
size: 585728
MD5: 31B573B93132BED784F6AB6D0E07CE69
Located: Startup (disabled), Deewoo (DISABLED)
command: C:\WINDOWS\system32\rcntptdl.exe DWmmm01
file: C:\WINDOWS\system32\rcntptdl.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: Startup (disabled), DW_Start (DISABLED)
command: C:\WINDOWS\system32\rjwnw64p.exe DWmmm01
file: C:\WINDOWS\system32\rjwnw64p.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, c009537D
command: c009537D.mat
file: c009537D.mat
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, dimsntfy
command: %SystemRoot%\System32\dimsntfy.dll
file: %SystemRoot%\System32\dimsntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, sys32
command: sys32.dll
file: sys32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Adobe PDF Reader Link Helper
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 10/22/2006 10:08:42 PM
Date (last access): 11/17/2008 7:14:00 PM
Date (last write): 10/22/2006 10:08:42 PM
Filesize: 62080
Attributes: archive
MD5: C11F6A1F61481E24BE3FDC06EA6F7D2A
CRC32: E388508F
Version: 8.0.0.456
{6bc887e6-4461-44fc-b00f-ef530e53b552} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:
Path: C:\WINDOWS\system32\
Long name: wokisuvo.dll
Short name:
Date (created): 8/9/2008 3:00:08 AM
Date (last access): 11/17/2008 8:15:20 PM
Date (last write): 8/9/2008 3:00:08 AM
Filesize: 59904
Attributes: hidden sysfile archive
MD5: 70200DB63A0A9BE2EA238952385DD78B
CRC32: F19DAAF4
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (Java(tm) Plug-In SSV Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Java(tm) Plug-In SSV Helper
Path: C:\Program Files\Java\jre6\bin\
Long name: ssv.dll
Short name:
Date (created): 9/27/2008 6:08:32 PM
Date (last access): 11/17/2008 7:14:00 PM
Date (last write): 9/27/2008 6:08:34 PM
Filesize: 320920
Attributes: archive
MD5: A110C886F83F5A4616860D7D29966BD5
CRC32: 85AB59FA
Version: 6.0.100.32
{973fa154-f499-47f5-9e73-072c3243a783} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:
Path: C:\WINDOWS\system32\
Long name: wokisuvo.dll
Short name:
Date (created): 8/9/2008 3:00:08 AM
Date (last access): 11/17/2008 8:15:20 PM
Date (last write): 8/9/2008 3:00:08 AM
Filesize: 59904
Attributes: hidden sysfile archive
MD5: 70200DB63A0A9BE2EA238952385DD78B
CRC32: F19DAAF4
{bf721176-c29f-4e7f-ad24-a48816d5593b} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:
Path: C:\WINDOWS\system32\
Long name: wokisuvo.dll
Short name:
Date (created): 8/9/2008 3:00:08 AM
Date (last access): 11/17/2008 8:15:20 PM
Date (last write): 8/9/2008 3:00:08 AM
Filesize: 59904
Attributes: hidden sysfile archive
MD5: 70200DB63A0A9BE2EA238952385DD78B
CRC32: F19DAAF4
{c14e8727-a3a0-4140-8bbb-e407c27ea4e7} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:
Path: C:\WINDOWS\system32\
Long name: bapenuge.dll
Short name:
Date (created): 8/9/2008 3:00:08 AM
Date (last access): 11/17/2008 8:15:20 PM
Date (last write): 8/9/2008 3:00:08 AM
Filesize: 59904
Attributes: hidden sysfile archive
MD5: 70200DB63A0A9BE2EA238952385DD78B
CRC32: F19DAAF4
{d00f3eb5-d10e-416b-822e-5dd7e01ed11d} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:
Path: C:\WINDOWS\system32\
Long name: wokisuvo.dll
Short name:
Date (created): 8/9/2008 3:00:08 AM
Date (last access): 11/17/2008 8:15:20 PM
Date (last write): 8/9/2008 3:00:08 AM
Filesize: 59904
Attributes: hidden sysfile archive
MD5: 70200DB63A0A9BE2EA238952385DD78B
CRC32: F19DAAF4
{DBC80044-A445-435b-BC74-9C25C1C588A9} (Java(tm) Plug-In 2 SSV Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Java(tm) Plug-In 2 SSV Helper
Path: C:\Program Files\Java\jre6\bin\
Long name: jp2ssv.dll
Short name:
Date (created): 9/27/2008 6:08:30 PM
Date (last access): 11/17/2008 7:14:00 PM
Date (last write): 9/27/2008 6:08:30 PM
Filesize: 34816
Attributes: archive
MD5: 5C417F67857D39C496553EC32D1A50C2
CRC32: 306E376B
Version: 6.0.100.32
{df29ca7a-b005-4483-86f2-a459ccc565c5} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:
Path: C:\WINDOWS\system32\
Long name: bapenuge.dll
Short name:
Date (created): 8/9/2008 3:00:08 AM
Date (last access): 11/17/2008 8:15:20 PM
Date (last write): 8/9/2008 3:00:08 AM
Filesize: 59904
Attributes: hidden sysfile archive
MD5: 70200DB63A0A9BE2EA238952385DD78B
CRC32: F19DAAF4
{E7E6F031-17CE-4C07-BC86-EABFE594F69C} (JQSIEStartDetectorImpl)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: JQSIEStartDetectorImpl
CLSID name: JQSIEStartDetectorImpl Class
Path: C:\Program Files\Java\jre6\lib\deploy\jqs\ie\
Long name: jqs_plugin.dll
Short name: JQS_PL~1.DLL
Date (created): 9/27/2008 6:08:36 PM
Date (last access): 11/17/2008 7:14:00 PM
Date (last write): 9/27/2008 6:08:36 PM
Filesize: 73728
Attributes: archive
MD5: F2ED9ACD3F6124B649DA5662FA282AC2
CRC32: 595723C2
Version: 6.0.100.32
--- ActiveX list ---
{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_10
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre6\bin\
Long name: npjpi160_10.dll
Short name: NPJPI1~1.DLL
Date (created): 9/27/2008 6:08:32 PM
Date (last access): 10/16/2008 2:01:10 AM
Date (last write): 9/27/2008 6:08:32 PM
Filesize: 132504
Attributes: archive
MD5: F6E8A24F756619F8E61812589046E83C
CRC32: 50685769
Version: 6.0.100.32
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_07
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Path: C:\Program Files\Java\jre1.6.0_07\bin\
Long name: npjpi160_07.dll
Short name: NPJPI1~1.DLL
Date (created): 6/10/2008 1:32:34 AM
Date (last access): 10/16/2008 2:01:10 AM
Date (last write): 6/10/2008 3:27:02 AM
Filesize: 132496
Attributes: archive
MD5: 7C83A2809E13950359189767AC9D5DB8
CRC32: 925C2A88
Version: 6.0.70.6
{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_10
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
Path: C:\Program Files\Java\jre6\bin\
Long name: npjpi160_10.dll
Short name: NPJPI1~1.DLL
Date (created): 9/27/2008 6:08:32 PM
Date (last access): 11/17/2008 8:16:22 PM
Date (last write): 9/27/2008 6:08:32 PM
Filesize: 132504
Attributes: archive
MD5: F6E8A24F756619F8E61812589046E83C
CRC32: 50685769
Version: 6.0.100.32
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_10
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
Path: C:\Program Files\Java\jre6\bin\
Long name: npjpi160_10.dll
Short name: NPJPI1~1.DLL
Date (created): 9/27/2008 6:08:32 PM
Date (last access): 11/17/2008 8:16:22 PM
Date (last write): 9/27/2008 6:08:32 PM
Filesize: 132504
Attributes: archive
MD5: F6E8A24F756619F8E61812589046E83C
CRC32: 50685769
Version: 6.0.100.32
--- Process list ---
PID: 0 ( 0) [System]
PID: 568 ( 4) \SystemRoot\System32\smss.exe
size: 50688
PID: 616 ( 568) \??\C:\WINDOWS\system32\csrss.exe
size: 6144
PID: 640 ( 568) \??\C:\WINDOWS\system32\winlogon.exe
size: 507904
PID: 692 ( 640) C:\WINDOWS\system32\services.exe
size: 108544
MD5: 0E776ED5F7CC9F94299E70461B7B8185
PID: 704 ( 640) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: BF2466B3E18E970D8A976FB95FC1CA85
PID: 900 ( 692) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1016 ( 692) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1140 ( 692) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1224 ( 692) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1368 ( 692) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1460 ( 692) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: D8E14A61ACC1D4A6CD0D38AEBAC7FA3B
PID: 1472 (1404) C:\WINDOWS\Explorer.EXE
size: 1033728
MD5: 12896823FB95BFB3DC9B46BCAEDC9923
PID: 1776 (1472) C:\Documents and Settings\Snezhi Nicodemus\Application Data\Microsoft\Windows\lsass.exe
size: 65024
MD5: 18BD892D291F21F14E660537112BB81C
PID: 1784 (1472) C:\Program Files\Java\jre6\bin\jusched.exe
size: 140696
MD5: 9F73FA1CED41F95DEADE21649DF48DD2
PID: 1824 (1472) C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3
PID: 1860 (1472) C:\Program Files\VIA\RAID\raid_tool.exe
size: 585728
MD5: 31B573B93132BED784F6AB6D0E07CE69
PID: 2040 ( 692) C:\Program Files\Digidesign\Drivers\MMERefresh.exe
size: 45056
MD5: 758C75DD762970494D66D34DF1BEAB13
PID: 1412 (1472) C:\WINDOWS\regedit.exe
size: 146432
MD5: 058710B720282CA82B909912D3EF28DB
PID: 1380 (1472) C:\Program Files\Spybot\SpybotSD.exe
size: 4891472
MD5: 3B1B5D09D3C9C4CD39D4DB06ED7A0855
PID: 1504 (1472) C:\Program Files\Mozilla Firefox\firefox.exe
size: 307712
MD5: F18DEADD748D1F2C8BA4C1ECFEC7DB2C
PID: 4 ( 0) System
--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 11/17/2008 8:16:22 PM
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.google.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
http://www.google.com/ie
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.com/ig?hl=en
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E4BD0A4E-6063-44FA-B568-3FE51DDEC560}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E4BD0A4E-6063-44FA-B568-3FE51DDEC560}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{1B1306CB-7577-4402-9D2D-97E75CE31EEC}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{1B1306CB-7577-4402-9D2D-97E75CE31EEC}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{0B2530E4-18AC-47F5-90ED-2F89EA865751}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{0B2530E4-18AC-47F5-90ED-2F89EA865751}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E2C92392-48A1-497F-AB94-9FF1B2678577}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E2C92392-48A1-497F-AB94-9FF1B2678577}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP
Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS
Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace
Hello and welcome to Safer Networking.
My name is km2357 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.
If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.
Please do not start another thread or topic, I will assist you at this thread until we solve your problems.
Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.
Step # 1: Download and Run HijackThis
Download HJTInstall.exe (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe) to your Desktop.
Doubleclick HJTInstall.exe to install it.
By default it will install to C:\Program Files\Trend Micro\HijackThis.
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Copy/Paste the log to your next reply please.
Don't use the Analyse This button, its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
Thank you for your help! I had a little bit of trouble installing HiJackThis but I've got it now. Here's the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:03:03 AM, on 11/19/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Snezhi Nicodemus\Application Data\Microsoft\Windows\lsass.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Snezhi Nicodemus\Application Data\gadcom\gadcom.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6bc887e6-4461-44fc-b00f-ef530e53b552} - C:\WINDOWS\system32\sihowedo.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {973fa154-f499-47f5-9e73-072c3243a783} - C:\WINDOWS\system32\wokisuvo.dll (file missing)
O2 - BHO: (no name) - {bf721176-c29f-4e7f-ad24-a48816d5593b} - C:\WINDOWS\system32\wokisuvo.dll (file missing)
O2 - BHO: (no name) - {c14e8727-a3a0-4140-8bbb-e407c27ea4e7} - C:\WINDOWS\system32\bapenuge.dll (file missing)
O2 - BHO: (no name) - {d00f3eb5-d10e-416b-822e-5dd7e01ed11d} - C:\WINDOWS\system32\wokisuvo.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {df29ca7a-b005-4483-86f2-a459ccc565c5} - C:\WINDOWS\system32\bapenuge.dll (file missing)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zowiruzewa] Rundll32.exe "C:\WINDOWS\system32\vizamemu.dll",s
O4 - HKLM\..\Run: [d8cf7cd3] rundll32.exe "C:\WINDOWS\system32\bozuneyi.dll",b
O4 - HKLM\..\Run: [CPMdbfc4f4f] Rundll32.exe "c:\windows\system32\buhedina.dll",a
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\Snezhi Nicodemus\Application Data\gadcom\gadcom.exe" 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Policies\Explorer\Run: [Lsass Service] C:\Documents and Settings\Snezhi Nicodemus\Application Data\Microsoft\Windows\lsass.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-19\..\Run: [zowiruzewa] Rundll32.exe "C:\WINDOWS\system32\vizamemu.dll",s (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-1177238915-1409082233-839522115-1003\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\jukasedo.dll c:\windows\system32\buhedina.dll
O20 - Winlogon Notify: c009537D - C:\WINDOWS\SYSTEM32\c009537D.mat
O20 - Winlogon Notify: sys32 - sys32.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\buhedina.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\buhedina.dll
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 5771 bytes
Step # 1 Download CCleaner
Download CCleaner from here (http://www.ccleaner.com/) to clean temp files from your computer.
Double click on the ccsetup.exe file to start the installation of the program.
Select your language and click OK, then next.
Read the license agreement and click I Agree.
Click next to use the default install location.
Under Install Options, choose all the default settings except I would recommend that you unclick/untick install the Yahoo! Toolbar, unless you want it. You can also Uncheck the 'Automatically check for updates' box.
Click Install then finish to complete installation.
Step # 2 Retrieve the Installed Programs List from CCleaner
Open CCleaner if it's not already running.
In the Left Pane, click Tools
Verify that Uninstall is highlighted in color, or click on it.
In the lower Right, click Save to Text File.
Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
You can leave the filename as install.txt
Click Save
Exit CCleaner by clicking on the X button in the upper right of the CCleaner window.
Step # 3: Download and Run ComboFix
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/whatnext.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the CCleaner Install List,C:\ComboFix.txt and a fresh HiJackThis Log in your next reply.
Use multiple posts if you can't fit everything into one post.
Thank you for your help! I try to keep my computer off for the most part since these programs seem to be running in the background at all times. Every time I try to download something from your posts it tells me that my download has been blocked by my security zone policy - trendsecure.com. I am able to get around that by using Internet Explorer (as opposed to Firefox) and clicking 'run' versus 'save to desktop.' So far so good. I hope this doesn't cause problems in the future.
Here are the log files:
CCleaner Install Log:
ABITEQ
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
AVI Movie Player
CCleaner (remove only)
Digidesign Pro ToolsŪ LE 6.4
Digidesign Shared Plug-Ins
Google Earth
HijackThis 2.0.2
iTunes
Java(TM) 6 Update 10
Java(TM) 6 Update 7
Java(TM) SE Development Kit 6 Update 10
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Midisport 1x1 1.0.1.0
ML-1430 Series
Mozilla Firefox (3.0.4)
NVIDIA Drivers
NVIDIA WDM Drivers
Realtek AC'97 Audio
Reason 3.0.4
ReCycle Demo 2.1
SecondLife (remove only)
Series II MIDI
Spybot - Search & Destroy
TextPad 5
Uno
VLC media player 0.9.4
VNC Free Edition 4.1.2
Windows Internet Explorer 7
Windows XP Service Pack 3
World of Warcraft
ComboFix Log:
ComboFix 08-11-19.08 - Snezhi Nicodemus 2008-11-20 22:37:49.1 - NTFSx86
Running from: c:\documents and settings\Snezhi Nicodemus\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Snezhi Nicodemus\Application Data\gadcom
c:\documents and settings\Snezhi Nicodemus\Application Data\gadcom\gadcom.exe
c:\documents and settings\Snezhi Nicodemus\Application Data\Microsoft\Windows\lsass.exe
c:\documents and settings\Snezhi Nicodemus\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\avoyoyiw.ini
c:\windows\system32\bozuneyi.dll
c:\windows\system32\buhedina.dll
c:\windows\system32\gudadamu.dll
c:\windows\system32\iyenuzob.ini
c:\windows\system32\jukasedo.dll
c:\windows\system32\kamujibi.dll
c:\windows\system32\MSINET.oca
c:\windows\system32\pac.txt
c:\windows\system32\sihowedo.dll
c:\windows\system32\sofigeda.dll
c:\windows\system32\u2
c:\windows\system32\u2\BMAE3ak.exe
c:\windows\system32\umadadug.ini
c:\windows\system32\vizamemu.dll
c:\windows\system32\wiyoyova.dll
c:\windows\system32\wowijohi.dll
c:\windows\system32\drivers\core.cache.dsk . . . . failed to delete
----- BITS: Possible infected sites -----
hxxp://kakoitodomen.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
((((((((((((((((((((((((( Files Created from 2008-10-21 to 2008-11-21 )))))))))))))))))))))))))))))))
.
2008-11-20 22:41 . 2008-11-20 22:41 932 --------- c:\windows\system32\drivers\core.cache.dsk
2008-11-20 22:29 . 2008-11-20 22:29 <DIR> d-------- c:\program files\CCleaner
2008-11-20 07:30 . 2008-11-20 07:30 20,992 --ahs---- c:\windows\system32\c00E4906.mat
2008-11-19 20:01 . 2008-11-19 20:01 20,992 --ahs---- c:\windows\system32\c00FCE72.mat
2008-11-19 07:02 . 2008-11-19 07:02 <DIR> d-------- c:\program files\Trend Micro
2008-11-18 07:33 . 2008-11-18 07:33 20,992 --ahs---- c:\windows\system32\c00BAC46.mat
2008-11-17 23:24 . 2008-11-17 23:24 2,126 --a------ c:\windows\system32\wpa.dbl
2008-11-17 19:16 . 2008-11-17 19:16 20,992 --ahs---- c:\windows\system32\c008BE59.mat
2008-11-12 22:49 . 2008-11-12 22:49 20,992 --ahs---- c:\windows\system32\c0068692.mat
2008-11-10 18:20 . 2008-11-10 18:20 20,992 --ahs---- c:\windows\system32\c0028A82.mat
2008-11-10 06:06 . 2008-11-10 06:06 6,537 ---hs---- c:\windows\system32\hemudapa.exe
2008-11-09 15:58 . 2008-11-09 15:58 <DIR> d-------- c:\windows\ERUNT
2008-11-09 15:56 . 2008-11-09 22:34 <DIR> d-------- C:\SDFix
2008-11-09 15:41 . 2008-11-17 20:25 549 --a------ c:\windows\wininit.ini
2008-11-09 14:41 . 2008-11-09 15:43 <DIR> d-------- c:\program files\Spybot
2008-11-09 14:41 . 2008-11-09 14:43 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-11-09 13:20 . 2008-11-09 13:20 <DIR> d-------- c:\documents and settings\Snezhi Nicodemus\Application Data\IUpd721
2008-11-09 02:43 . 2008-11-09 02:43 20,992 --ahs---- c:\windows\system32\c009537D.mat
2008-11-09 02:37 . 2008-11-09 02:37 <DIR> d--hs---- c:\windows\U25lemhpIE5pY29kZW11cw
2008-11-09 02:37 . 2008-11-09 13:15 <DIR> d-------- c:\documents and settings\Snezhi Nicodemus\Application Data\NI.GSCNS
2008-11-09 02:36 . 2008-11-09 02:36 <DIR> d-------- c:\windows\system32\sX3i19
2008-11-09 02:36 . 2008-11-09 02:36 <DIR> d-------- c:\windows\system32\svm
2008-11-09 02:36 . 2008-11-09 02:36 <DIR> d-------- c:\windows\system32\prt
2008-11-09 02:36 . 2008-11-09 02:37 <DIR> d-------- c:\windows\system32\db
2008-11-09 02:36 . 2008-11-09 02:36 86,400 --a------ c:\windows\system32\drivers\isapnpp.sys
2008-11-09 02:36 . 2008-11-09 02:36 60,928 --ahs---- c:\windows\system32\yayxywUL.dll
2008-11-03 01:11 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2008-10-28 22:49 . 2008-10-29 00:48 24 --a------ c:\windows\popcinfot.dat
2008-10-26 21:45 . 2008-10-26 21:45 233,472 --a------ c:\windows\system32\REX Shared Library.dll
2008-10-26 21:45 . 2008-10-26 21:45 225,280 --a------ c:\windows\system32\ReWire.dll
2008-10-25 17:28 . 2008-10-25 19:43 <DIR> d-------- c:\documents and settings\Snezhi Nicodemus\Application Data\vlc
2008-10-25 17:28 . 2008-10-25 21:54 <DIR> d-------- c:\documents and settings\Snezhi Nicodemus\Application Data\dvdcss
2008-10-25 17:26 . 2008-10-25 17:26 <DIR> d-------- c:\program files\VideoLAN
2008-10-25 16:28 . 2008-10-15 08:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-21 22:38 . 2007-11-13 11:31 204,288 --a------ c:\windows\system32\M-AudioTaskBarIcon.exe
2008-10-21 22:37 . 2008-10-21 22:37 <DIR> d-------- c:\program files\M-Audio
2008-10-21 22:37 . 2007-11-14 15:20 424,456 --a------ c:\windows\system32\ma_cmidn.dll
2008-10-21 22:37 . 2006-08-16 06:24 82,944 --a------ c:\windows\system32\USBMN1X1.DLL
2008-10-21 22:37 . 2007-11-14 15:20 31,752 --a------ c:\windows\system32\drivers\ma_cmidi.sys
2008-10-21 22:37 . 2006-08-16 06:24 22,208 --a------ c:\windows\system32\drivers\USBMN1X1.SYS
2008-10-21 22:37 . 2007-11-14 15:20 20,168 --a------ c:\windows\system32\drivers\USB11LDR.SYS
2008-10-21 22:37 . 2007-11-14 15:20 20,168 --a------ c:\windows\system32\drivers\uks11ldr.sys
2008-10-21 22:34 . 2008-10-21 22:34 <DIR> d-------- c:\documents and settings\Snezhi Nicodemus\Application Data\InstallShield
2008-10-21 19:29 . 2004-10-20 15:50 85,504 --------- c:\windows\system32\evolusbn.dll
2008-10-21 19:24 . 2008-04-13 10:45 60,032 --a------ c:\windows\system32\drivers\USBAUDIO.sys
2008-10-21 19:24 . 2008-04-13 10:45 60,032 --a--c--- c:\windows\system32\dllcache\usbaudio.sys
2008-10-21 19:03 . 2008-10-21 19:03 <DIR> d-------- c:\program files\M-Audio Midisport 1x1
2008-10-21 19:03 . 2008-10-21 19:02 724,992 --a------ c:\windows\iun6002.exe
2008-10-21 18:25 . 2008-10-29 14:01 <DIR> d-------- c:\documents and settings\Snezhi Nicodemus\Application Data\Propellerhead Software
2008-10-21 18:23 . 2008-10-26 21:45 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Propellerhead Software
2008-10-21 17:56 . 2008-10-21 17:56 <DIR> d-------- c:\documents and settings\Snezhi Nicodemus\Application Data\Digidesign
2008-10-21 17:55 . 2008-10-21 17:55 <DIR> d-------- C:\Digidesign Databases
2008-10-21 17:52 . 2008-10-21 17:52 <DIR> d-------- c:\program files\Common Files\PACE Anti-Piracy
2008-10-21 17:48 . 2008-10-21 17:48 <DIR> d-------- c:\program files\Common Files\Digidesign
2008-10-21 17:48 . 2004-03-31 02:00 573,440 --a------ c:\windows\system32\DSI.dll
2008-10-21 17:48 . 2001-06-27 09:13 217,088 --a------ c:\windows\system32\qtmlClient.dll
2008-10-21 17:48 . 2004-03-31 02:00 102,400 --a------ c:\windows\system32\Diomidi.dll
2008-10-21 17:48 . 2004-03-31 02:00 102,400 --a------ c:\windows\system32\Digi32.dll
2008-10-21 17:48 . 2004-03-31 02:00 90,112 --a------ c:\windows\system32\WinMMFix.dll
2008-10-21 17:48 . 2002-01-05 03:38 54,784 --a------ c:\windows\system32\msvci70.dll
2008-10-21 17:48 . 2004-03-31 02:00 20,992 --a------ c:\windows\system32\drivers\DigiFilter.sys
2008-10-21 17:48 . 2004-03-31 02:00 15,872 --a------ c:\windows\system32\KeyFilter.dll
2008-10-21 17:48 . 2002-10-31 15:33 3,478 --a------ c:\windows\system32\digicoin.dll
2008-10-21 17:47 . 2008-10-21 17:48 <DIR> d-------- c:\program files\Digidesign
2008-10-21 17:47 . 2004-03-31 02:00 888,832 --a------ c:\windows\system32\DirectIO.dll
2008-10-21 17:47 . 2004-03-31 02:00 73,216 --a------ c:\windows\system32\drivers\Dalwdm.sys
2008-10-21 17:43 . 2008-04-13 10:45 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-10-21 17:43 . 2008-04-13 10:45 32,128 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2008-10-21 14:47 . 2008-10-21 14:47 <DIR> d-------- c:\windows\Samsung
2008-10-21 14:47 . 2001-11-06 15:29 94,208 --a------ c:\windows\system32\getpntid.exe
2008-10-21 14:47 . 2002-02-16 12:48 34,720 --a------ c:\windows\Ssgw6su.HLP
2008-10-21 14:47 . 2001-03-20 15:10 3,262 --a------ c:\windows\reinstall.ico
2008-10-21 14:47 . 2001-03-20 13:52 766 --a------ c:\windows\Uninstall.ico
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-10 02:13 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-10 02:10 --------- d-----w c:\program files\PopCap Games
2008-11-10 02:08 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-10 02:05 --------- d-----w c:\program files\Google
2008-11-10 02:04 --------- d-----w c:\program files\ABIT
2008-10-19 02:28 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-10-19 02:00 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Blizzard
2008-10-16 18:56 --------- d-----w c:\program files\Common Files\Adobe
2008-10-06 03:45 --------- d-----w c:\program files\AVI Movie Player
2008-10-06 03:42 --------- d-----w c:\program files\Common Files\AVSMedia
2008-10-06 03:42 --------- d-----w c:\program files\AVS4YOU
2008-10-06 03:35 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\AVS4YOU
2008-10-03 22:50 --------- d-----w c:\documents and settings\Snezhi Nicodemus\Application Data\Move Networks
2008-09-28 02:08 --------- d-----w c:\program files\Java
2008-09-28 01:51 --------- d-----w c:\program files\TextPad 5
2008-09-28 01:51 --------- d-----w c:\documents and settings\Snezhi Nicodemus\Application Data\Helios
2005-08-03 00:46 187,904 --sha-r c:\windows\U25lemhpIE5pY29kZW11cw\asappsrv.dll
2005-08-03 00:58 293,888 --sha-r c:\windows\U25lemhpIE5pY29kZW11cw\command.exe
2005-07-30 00:24 472 --sha-r c:\windows\U25lemhpIE5pY29kZW11cw\oZc5yA1DKHcDsZ64tqYYwT.vbs
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-09-27 140696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
VIA RAID TOOL.lnk - c:\program files\VIA\RAID\raid_tool.exe [2007-11-18 585728]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\c009537D]
2008-11-09 02:43 20992 c:\windows\system32\c009537D.mat
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave1"= Digi32.dll
"Midi1"= diomidi.dll
"Midi2"= evolusbn.dll
"midi3"= ma_cmidn.dll
[HKLM\~\startupfolder\C:^Documents and Settings^Snezhi Nicodemus^Start Menu^Programs^Startup^Deewoo.lnk]
path=c:\documents and settings\Snezhi Nicodemus\Start Menu\Programs\Startup\Deewoo.lnk
backup=c:\windows\pss\Deewoo.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Snezhi Nicodemus^Start Menu^Programs^Startup^DW_Start.lnk]
path=c:\documents and settings\Snezhi Nicodemus\Start Menu\Programs\Startup\DW_Start.lnk
backup=c:\windows\pss\DW_Start.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DigidesignMMERefresh]
--a------ 2004-03-31 02:00 45056 c:\program files\Digidesign\Drivers\MMERefresh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 09:36 267048 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IUpd721]
--a------ 2008-11-09 13:15 403968 c:\documents and settings\Snezhi Nicodemus\Application Data\NI.GSCNS\IUpd721.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-10-04 17:14 8491008 c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-10-04 17:14 81920 c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-10-04 17:14 1626112 c:\windows\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-07-01 02:23 67584 c:\windows\SOUNDMAN.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"winmgmt"=2 (0x2)
"WebClient"=2 (0x2)
"TrkWks"=2 (0x2)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SSDPSRV"=3 (0x3)
"Schedule"=2 (0x2)
"RemoteRegistry"=2 (0x2)
"RasMan"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PolicyAgent"=2 (0x2)
"UnoInstallerService"=2 (0x2)
"CryptSvc"=2 (0x2)
"BITS"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"g:\\WOW\\World of Warcraft\\WoW-2.4.0-enUS-downloader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe"=
"g:\\WOW\\World of Warcraft\\WoW-2.4.3-to-3.0.2-enUS-Win-Final-downloader.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader: 6112
R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFi~1.sys [2008-10-21 20992]
R1 isapnpp;isapnpp;c:\windows\system32\drivers\isapnpp.sys [2008-11-09 86400]
S3 dalwdmservice;dal service;c:\windows\system32\drivers\dalwdm.sys [2008-10-21 73216]
S3 EVOLUSB;%EVOL_USB_SvcDesc%;c:\windows\system32\drivers\evolusb.sys []
S3 MA_CMIDI;M-Audio USB Driver;c:\windows\system32\drivers\ma_cmidi.sys [2008-10-21 31752]
S3 UKS11LDR;M-Audio USB Keystation Loader;c:\windows\system32\drivers\uks11ldr.sys [2008-10-21 20168]
S4 UnoInstallerService;Uno Installer;c:\program files\M-Audio Uno\UnoInst.exe []
.
- - - - ORPHANS REMOVED - - - -
BHO-{6bc887e6-4461-44fc-b00f-ef530e53b552} - c:\windows\system32\sihowedo.dll
BHO-{973fa154-f499-47f5-9e73-072c3243a783} - c:\windows\system32\wokisuvo.dll
BHO-{bf721176-c29f-4e7f-ad24-a48816d5593b} - c:\windows\system32\wokisuvo.dll
BHO-{c14e8727-a3a0-4140-8bbb-e407c27ea4e7} - c:\windows\system32\bapenuge.dll
BHO-{d00f3eb5-d10e-416b-822e-5dd7e01ed11d} - c:\windows\system32\wokisuvo.dll
BHO-{df29ca7a-b005-4483-86f2-a459ccc565c5} - c:\windows\system32\bapenuge.dll
HKLM-Explorer_Run-Lsass Service - c:\documents and settings\Snezhi Nicodemus\Application Data\Microsoft\Windows\lsass.exe
Notify-sys32 - sys32.dll
Notify-WgaLogon - (no file)
MSConfigStartUp-BitTorrent DNA - c:\program files\DNA\btdna.exe
MSConfigStartUp-ExploreUpdSched - c:\windows\system32\rcntptdl.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\QTTask.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-zowiruzewa - c:\windows\system32\yaluwani.dll
MSConfigStartUp-{54826552-a581-43e8-d72c-932693290cc2} - c:\windows\system32\gwdozruvrcpiv.dll
MSConfigStartUp-{F7-7C-C7-7C-DW} - c:\windows\system32\rjwnw64p.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Snezhi Nicodemus\Application Data\Mozilla\Firefox\Profiles\i1u2tbd3.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/ig?hl=en&source=iglk
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npmozax.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-20 22:42:17
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Lsass Service = c:\documents and settings\Snezhi Nicodemus\Application Data\Microsoft\Windows\lsass.exe????????????????????????????????????????
scanning hidden files ...
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: c:\windows\system32\winlogon.exe
-> c:\windows\system32\c009537D.mat
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-11-20 22:50:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-21 06:49:54
Pre-Run: 6,112,481,280 bytes free
Post-Run: 6,152,708,096 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
277 --- E O F --- 2008-11-07 05:38:53
HiJackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52:00 PM, on 11/20/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: c009537D - C:\WINDOWS\SYSTEM32\c009537D.mat
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 3377 bytes
Every time I try to download something from your posts it tells me that my download has been blocked by my security zone policy - trendsecure.com. I am able to get around that by using Internet Explorer (as opposed to Firefox) and clicking 'run' versus 'save to desktop.'
The following website can tell you how to get around this problem. The screenshot on the site looks familiar to what you are describing:
http://www.firefoxfacts.com/2008/07/23/security-zone-policy-errors-in-firefox-3/
Try what they suggested at the webpage and see if that allows you to download the tools/programs I have you download:
To change the setting, open Internet Options (via Control Panel or from Internet Explorer -> Tools) and click the Security tab. With the Internet zone icon highlighted, click the Custom level
button. A list of security settings for the Internet zone will appear. Find the Launching applications and unsafe files setting (under Miscellaneous) and select Prompt (recommended).
=================
Looking over your log, it seems you don't have any evidence of an anti-virus software.
Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these vendors NOW:
1)Antivir PersonalEdition Classic (http://www.free-av.com/)
2)avast! 4 Home Edition (http://www.avast.com/eng/avast_4_home.html)
Download and install only one!
The next step needs to have ComboFix.exe on the Desktop. If you can't download files by clicking 'save to Desktop' and still have to use 'Run', then download ComboFix.exe onto a clean computer and transfer it via USB/Flash Drive to the infected computer. Once there put ComboFix.exe onto the infected computer's Desktop.
Step # 1: Run CFScript
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
http://forums.spybot.info/showpost.php?p=255172&postcount=5
KILLALL::
Collect::
c:\windows\system32\drivers\isapnpp.sys
c:\windows\system32\yayxywUL.dll
c:\windows\system32\c0068692.mat
c:\windows\system32\c00BAC46.mat
File::
c:\windows\system32\drivers\core.cache.dsk
c:\windows\system32\c00E4906.mat
c:\windows\system32\c00FCE72.mat
c:\windows\system32\c008BE59.mat
c:\windows\system32\c0028A82.mat
c:\windows\system32\hemudapa.exe
c:\windows\system32\c009537D.mat
Folder::
c:\windows\U25lemhpIE5pY29kZW11cw
c:\documents and settings\Snezhi Nicodemus\Application Data\NI.GSCNS
c:\windows\system32\sX3i19
c:\windows\system32\svm
c:\windows\system32\prt
c:\windows\system32\db
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\c009537D]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IUpd721]
Driver::
isapnpp
Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Note: This CFScript is for use on Snezhi's computer only! Do not use it on your computer.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.
Ensure you are connected to the internet and click OK on the message box. A browser will open. Simply follow the instructions to copy/paste/send the requested file.
In your next post/reply, I need to see the following:
1. The ComboFix Log that appears after Step 1 has been completed.
2. A fresh HiJackThis Log taken after Step 1 has been completed.
I followed the instructions above. The anti-virus program I installed performed a scan automatically and told me that it had found a couple of viruses. It asked me what I wanted to do so I figured since I wasn't sure exactly what's going on, I shouldn't select 'delete files.' So I chose the quarantine option.
Later on when I was running the script you had sent me from ComboFix.exe, I got a pop-up window from ComboFix which said that a potentially unsafe file was found in C:\ComboFix (I didn't remember the name of the file). It again asked me what I wanted to do and I again said that I wanted to quarantine it. From that point on, ComboFix ran smoothly.
I wanted to mention this since you had specified that I should follow your instructions closely. Below are the two logs from ComboFix and HiJackThis:
ComboFix Log:
ComboFix 08-11-19.08 - Snezhi Nicodemus 2008-11-21 19:58:41.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1689 [GMT -8:00]
Running from: c:\documents and settings\Snezhi Nicodemus\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Snezhi Nicodemus\Desktop\CFScript.txt
* Created a new restore point
FILE ::
c:\windows\system32\c0028A82.mat
c:\windows\system32\c008BE59.mat
c:\windows\system32\c009537D.mat
c:\windows\system32\c00E4906.mat
c:\windows\system32\c00FCE72.mat
c:\windows\system32\drivers\core.cache.dsk
c:\windows\system32\hemudapa.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Snezhi Nicodemus\Application Data\NI.GSCNS
c:\documents and settings\Snezhi Nicodemus\Application Data\NI.GSCNS\dl.ini
c:\documents and settings\Snezhi Nicodemus\Application Data\NI.GSCNS\IUpd721.exe
c:\documents and settings\Snezhi Nicodemus\Application Data\NI.GSCNS\settings.ini
c:\windows\system32\c0028A82.mat
c:\windows\system32\c0068692.mat
c:\windows\system32\c008BE59.mat
c:\windows\system32\c009537D.mat
c:\windows\system32\c00BAC46.mat
c:\windows\system32\c00E4906.mat
c:\windows\system32\c00FCE72.mat
c:\windows\system32\db
c:\windows\system32\drivers\core.cache.dsk
c:\windows\system32\drivers\isapnpp.sys
c:\windows\system32\hemudapa.exe
c:\windows\system32\prt
c:\windows\system32\prt\PDLWI40.exe
c:\windows\system32\svm
c:\windows\system32\sX3i19
c:\windows\system32\yayxywUL.dll
c:\windows\U25lemhpIE5pY29kZW11cw
c:\windows\U25lemhpIE5pY29kZW11cw\asappsrv.dll
c:\windows\U25lemhpIE5pY29kZW11cw\command.exe
c:\windows\U25lemhpIE5pY29kZW11cw\oZc5yA1DKHcDsZ64tqYYwT.vbs
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ISAPNPP
-------\Service_isapnpp
((((((((((((((((((((((((( Files Created from 2008-10-22 to 2008-11-22 )))))))))))))))))))))))))))))))
.
2008-11-21 19:49 . 2008-11-21 19:49 <DIR> d-------- c:\program files\Avira
2008-11-21 19:49 . 2008-11-21 19:49 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Avira
2008-11-20 22:29 . 2008-11-20 22:29 <DIR> d-------- c:\program files\CCleaner
2008-11-19 07:02 . 2008-11-19 07:02 <DIR> d-------- c:\program files\Trend Micro
2008-11-17 23:24 . 2008-11-17 23:24 2,126 --a------ c:\windows\system32\wpa.dbl
2008-11-09 15:58 . 2008-11-09 15:58 <DIR> d-------- c:\windows\ERUNT
2008-11-09 15:56 . 2008-11-09 22:34 <DIR> d-------- C:\SDFix
2008-11-09 15:41 . 2008-11-17 20:25 549 --a------ c:\windows\wininit.ini
2008-11-09 14:41 . 2008-11-09 15:43 <DIR> d-------- c:\program files\Spybot
2008-11-09 14:41 . 2008-11-09 14:43 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-11-09 13:20 . 2008-11-09 13:20 <DIR> d-------- c:\documents and settings\Snezhi Nicodemus\Application Data\IUpd721
2008-11-03 01:11 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2008-10-28 22:49 . 2008-10-29 00:48 24 --a------ c:\windows\popcinfot.dat
2008-10-26 21:45 . 2008-10-26 21:45 233,472 --a------ c:\windows\system32\REX Shared Library.dll
2008-10-26 21:45 . 2008-10-26 21:45 225,280 --a------ c:\windows\system32\ReWire.dll
2008-10-25 17:28 . 2008-10-25 19:43 <DIR> d-------- c:\documents and settings\Snezhi Nicodemus\Application Data\vlc
2008-10-25 17:28 . 2008-10-25 21:54 <DIR> d-------- c:\documents and settings\Snezhi Nicodemus\Application Data\dvdcss
2008-10-25 17:26 . 2008-10-25 17:26 <DIR> d-------- c:\program files\VideoLAN
2008-10-25 16:28 . 2008-10-15 08:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-10 02:13 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-10 02:10 --------- d-----w c:\program files\PopCap Games
2008-11-10 02:08 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-10 02:05 --------- d-----w c:\program files\Google
2008-11-10 02:04 --------- d-----w c:\program files\ABIT
2008-10-29 22:01 --------- d-----w c:\documents and settings\Snezhi Nicodemus\Application Data\Propellerhead Software
2008-10-27 05:45 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Propellerhead Software
2008-10-22 06:37 --------- d-----w c:\program files\M-Audio
2008-10-22 06:34 --------- d-----w c:\documents and settings\Snezhi Nicodemus\Application Data\InstallShield
2008-10-22 03:03 --------- d-----w c:\program files\M-Audio Midisport 1x1
2008-10-22 03:02 724,992 ----a-w c:\windows\iun6002.exe
2008-10-22 01:56 --------- d-----w c:\documents and settings\Snezhi Nicodemus\Application Data\Digidesign
2008-10-22 01:52 --------- d-----w c:\program files\Common Files\PACE Anti-Piracy
2008-10-22 01:48 --------- d-----w c:\program files\Digidesign
2008-10-22 01:48 --------- d-----w c:\program files\Common Files\Digidesign
2008-10-19 02:28 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-10-19 02:00 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Blizzard
2008-10-16 18:56 --------- d-----w c:\program files\Common Files\Adobe
2008-10-06 03:45 --------- d-----w c:\program files\AVI Movie Player
2008-10-06 03:42 --------- d-----w c:\program files\Common Files\AVSMedia
2008-10-06 03:42 --------- d-----w c:\program files\AVS4YOU
2008-10-06 03:35 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\AVS4YOU
2008-10-03 22:50 --------- d-----w c:\documents and settings\Snezhi Nicodemus\Application Data\Move Networks
2008-09-28 02:08 410,976 ----a-w c:\windows\system32\deploytk.dll
2008-09-28 02:08 --------- d-----w c:\program files\Java
2008-09-28 01:51 --------- d-----w c:\program files\TextPad 5
2008-09-28 01:51 --------- d-----w c:\documents and settings\Snezhi Nicodemus\Application Data\Helios
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
.
((((((((((((((((((((((((((((( snapshot@2008-11-20_22.49.17.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-05-09 21:15:51 45,376 ----a-w c:\windows\system32\drivers\avgntdd.sys
+ 2008-01-22 02:11:28 22,336 ----a-w c:\windows\system32\drivers\avgntmgr.sys
+ 2008-06-27 23:03:55 75,072 ----a-w c:\windows\system32\drivers\avipbb.sys
+ 2007-03-01 18:34:22 28,352 ----a-w c:\windows\system32\drivers\ssmdrv.sys
+ 2008-11-22 04:03:13 16,384 ----atw c:\windows\temp\Perflib_Perfdata_b4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-09-27 140696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
VIA RAID TOOL.lnk - c:\program files\VIA\RAID\raid_tool.exe [2007-11-18 585728]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave1"= Digi32.dll
"Midi1"= diomidi.dll
"Midi2"= evolusbn.dll
"midi3"= ma_cmidn.dll
[HKLM\~\startupfolder\C:^Documents and Settings^Snezhi Nicodemus^Start Menu^Programs^Startup^Deewoo.lnk]
path=c:\documents and settings\Snezhi Nicodemus\Start Menu\Programs\Startup\Deewoo.lnk
backup=c:\windows\pss\Deewoo.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Snezhi Nicodemus^Start Menu^Programs^Startup^DW_Start.lnk]
path=c:\documents and settings\Snezhi Nicodemus\Start Menu\Programs\Startup\DW_Start.lnk
backup=c:\windows\pss\DW_Start.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DigidesignMMERefresh]
--a------ 2004-03-31 02:00 45056 c:\program files\Digidesign\Drivers\MMERefresh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 09:36 267048 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-10-04 17:14 8491008 c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-10-04 17:14 81920 c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-10-04 17:14 1626112 c:\windows\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-07-01 02:23 67584 c:\windows\SOUNDMAN.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"winmgmt"=2 (0x2)
"WebClient"=2 (0x2)
"TrkWks"=2 (0x2)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SSDPSRV"=3 (0x3)
"Schedule"=2 (0x2)
"RemoteRegistry"=2 (0x2)
"RasMan"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PolicyAgent"=2 (0x2)
"UnoInstallerService"=2 (0x2)
"CryptSvc"=2 (0x2)
"BITS"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"g:\\WOW\\World of Warcraft\\WoW-2.4.0-enUS-downloader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe"=
"g:\\WOW\\World of Warcraft\\WoW-2.4.3-to-3.0.2-enUS-Win-Final-downloader.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader: 6112
R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFi~1.sys [2008-10-21 20992]
S3 dalwdmservice;dal service;c:\windows\system32\drivers\dalwdm.sys [2008-10-21 73216]
S3 EVOLUSB;%EVOL_USB_SvcDesc%;c:\windows\system32\drivers\evolusb.sys []
S3 MA_CMIDI;M-Audio USB Driver;c:\windows\system32\drivers\ma_cmidi.sys [2008-10-21 31752]
S3 UKS11LDR;M-Audio USB Keystation Loader;c:\windows\system32\drivers\uks11ldr.sys [2008-10-21 20168]
S4 UnoInstallerService;Uno Installer;c:\program files\M-Audio Uno\UnoInst.exe []
*Newly Created Service* - SSMDRV
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-21 20:03:36
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\windows\system32\sndvol32.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-11-21 20:12:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-22 04:11:41
Pre-Run: 6,153,850,880 bytes free
Post-Run: 6,151,888,896 bytes free
260 --- E O F --- 2008-11-07 05:38:53
HiJackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:13:52 PM, on 11/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\TextPad 5\TextPad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 5797 bytes
Thank you!
You did fine with quaranting those files that Avira found. :)
As for this part:
Later on when I was running the script you had sent me from ComboFix.exe, I got a pop-up window from ComboFix which said that a potentially unsafe file was found in C:\ComboFix (I didn't remember the name of the file). It again asked me what I wanted to do and I again said that I wanted to quarantine it.
I've never heard/seen ComboFix doing what you described above. Are you sure it wasn't Avira that popped up with warning message and asked you to quarantine that file?
=================================
Step # 1 Upload Files
Go to Jotti (http://virusscan.jotti.org)
Copy the following line into the white textbox:
C:\WINDOWS\system32\SNDVOL32.EXE
Click Submit.
Please post the results of this scan to this thread.
If Jotti is busy, Go to VirusTotal (http://www.virustotal.com/en/indexf.html) and scan the file(s) there.
Step # 2 Download and Run OTMoveIt3
Please download OTMoveIt3 by OldTimer (http://oldtimer.geekstogo.com/OTMoveIt3.exe).
Save it to your desktop.
Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
:files
c:\documents and settings\Snezhi Nicodemus\Application Data\IUpd721
Return to OTMoveIt3, right click in the "Paste List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
In your next post/reply, I need to see the following:
1. Jotti/VirusTotal results
2. OTMoveIt3 Log
3. A fresh HiJackThis Log
After I posted my last reply I started wondering whether ComboFix really asked me to quarantine the file or if it was Avira AntiVir. I think there's a pretty good chance it was Avira because the window prompting me to quarantine the file was very similar to the one earlier. The reason why I didn't post a second reply was because I had read in the instructions for this forum that you shouldn't try to bump your thread by posting on it a whole bunch of times. So I figured I'd add this to my next reply. :)
Also, when I turned on my computer, it asked me to install my Windows updates so I did (there were 3 security updates and a malicious software removal tool). I also installed a Java update after a prompt (I had read on your forum that older Java versions might have had a hole in the software that could be used by people to infiltrate your PC so I figured I should agree to the update prompt). That's pretty much all that's changed with my computer - at least on my end. I think that my virus buddy changes stuff around in my computer but then again, I think that's expected. :)
I've got a few logs for you. By the way, I haven't uninstalled any of the programs you have asked me to install so far (assuming you might have me use them again later). However, am I correct in assuming that other than Avira I could uninstall everything else later on? Of course, I understand that you are simply recommending stuff (like Avira) but I'm wondering if any of these programs would be of use to me long term or if this is just for the time being while "the fight" to clean my PC goes on.
Here are my logs:
Jotti:
0% 100%
File: SNDVOL32.EXE
Status: OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 7df33946b5911e75320cca9ac1a3492b
Packers detected: -
Scanner results
Scan taken on 23 Nov 2008 21:22:55 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
OTMoveIt3:
========== FILES ==========
c:\documents and settings\Snezhi Nicodemus\Application Data\IUpd721\Logs moved successfully.
c:\documents and settings\Snezhi Nicodemus\Application Data\IUpd721 moved successfully.
OTMoveIt3 by OldTimer - Version 1.0.7.1 log created on 11232008_133324
HiJackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:35:54 PM, on 11/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 3979 bytes
I've had an interesting development and I wanted to touch base with you about it. I scanned my computer with Spybot S&D since this is the initial program that would always tell me that I had the Smitfraud Trojan. This time when the scan was complete, I got a message that I had Virtumondo (I think that's how it's spelled) but nothing about Smitfraud. I clicked on fix selected problems expecting it to really do nothing since I had clicked on that button previously with Smitfraud and it would say it fixed it but when i scanned again it would always be there. I disconnected my ethernet cable, had Spybot "fix" the problem and restarted my computer. After the PC booted up, I did another scan with Spybot and now it's telling me that my computer is clean. I almost find that hard to believe. I am attaching a new log from HiJackThis. Does it look better to you? Or is Spybot no longer recognizing my virus even though it's still there?
Thanks!
HiJackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:57:34 PM, on 11/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spybot\SpybotSD.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 4167 bytes
...but I'm wondering if any of these programs would be of use to me long term or if this is just for the time being while "the fight" to clean my PC goes on.
Some of the tools I had you download and use will be removed when I give you the "All-Clean" and some tools should be kept installed on your computer for future use. I'll let you know which ones are which when we get to it. :)
....I almost find that hard to believe. I am attaching a new log from HiJackThis. Does it look better to you? Or is Spybot no longer recognizing my virus even though it's still there?
Your newest HJT looks good, I don't see any signs of Virtumondo/Virtumonde/Vundo in it. Its possible Spybot could have picked up a leftover from the main infection and removed it.
===================================
Step # 1 Run CCleaner
CCleaner will remove everything from the temp/temporary folders but please note that it will not make back ups!
Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 48 hours
Then select the items you wish to clean up.
In the Windows Tab:
Clean all entries in the Internet Explorer section except Cookies
Clean all the entries in the Windows Explorer section
Clean all entries in the System section
Clean all entries in the Advanced section
Clean any others that you choose
In the Applications Tab:
Clean all except cookies in the Firefox/Mozilla section if you use it
Clean all in the Opera section if you use it
Clean Sun Java in the Internet Section
Clean any others that you choose
Click the Run Cleaner button.
A pop up box will appear advising this process will permanently delete files from your system.
Click OK and it will scan and clean your system.
Click exit when done.
If it asks you to reboot at the end, click NO
Step # 2 Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Before running a scan, click the Update tab, next click Check for Updates to download any updates, if available.
Next click the Scanner tab and select Perform Quick Scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location.
You can also access the log by doing the following:
Click on the Malwarebytes' Anti-Malware icon to launch the program.
Click on the Logs tab.
Click on the log at the bottom of those listed to highlight it.
Click Open.
In your next post/reply, I need to see the following:
1. MalwareBytes' Log
2. A fresh HiJackThis Log
I ran CCleaner without anything major happening. Then when I was running Malwarebytes' Anti-Malware, I had a pop-up from Avira asking me whether I should quarantine TR/Thief.Magania.ajto (sys32.dll). I said 'yes.' Then when I was done with Malwarebytes, I ran the program again out of curiosity. It didn't find anything. Below is the first log from Malwarebytes and a HiJackThis log.
Malwarebytes' Anti-Malware Log:
Malwarebytes' Anti-Malware 1.30
Database version: 1421
Windows 5.1.2600 Service Pack 3
11/24/2008 8:41:19 PM
mbam-log-2008-11-24 (20-41-19).txt
Scan type: Quick Scan
Objects scanned: 43453
Time elapsed: 6 minute(s), 45 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\bapenuge.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wokisuvo.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yaluwani.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Snezhi Nicodemus\Application Data\Microsoft\Windows\sys32.dll (Trojan.BHO) -> Quarantined and deleted successfully.
HiJackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:44:28 PM, on 11/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TextPad 5\TextPad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 4727 bytes
Step # 1 Update Adobe Acrobat Reader
There is a newer version of Adobe Acrobat Reader available. (See Note below)
First, go to Add/Remove Programs and uninstall all previous versions.
Please go to this link Adobe Acrobat Reader Download Link (http://www.adobe.com/products/acrobat/readstep2.html)
On the right Untick Adobe Phototshop Album Starter Edition if you do not wish to include this in the installation.
Click the Continue button
Click Run, and click Run again
Next click the Install Now button and follow the on screen prompts
Note: Adobe 9 is a large program and if you prefer a smaller program you can get Foxit 2.3 instead from http://www.foxitsoftware.com/pdf/rd_intro.php
Step # 2: Run Kaspersky Online Scan
Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.
In your next post/reply, I need to see the following:
1. Kaspersky Log
2. A fresh HiJackThis Log
3. How is your computer doing, any problems?
I have not been able to post a thread as I have been out of town for Thanksgiving. I thought I'd be back in town sooner but it looks like I won't be back until tomorrow. I'll post a reply as soon as I'm back. I apologize for the delay. I read in the rules that if you don't post a reply within 4 days your thread gets closed so I figured I should update you why I haven't posted a reply yet. Like I said, I will be home tomorrow and I'll post the new logs.
Thanks! :)
Thanks for the update.
Hope you had a good Thanksgiving. :)
Hi. I started the Kaspersky scan last night but it was at 5% after 30 minutes so I figured that this might take all night. I let Kaspersky run overnight and it seems to have worked OK. Below are the logs you asked for.
The computer has been behaving. :) I'm hoping it's all under control at this point. Let me know what you think! By the way, VNC is something I have to use to log into my work computer. I don't think it's causing any problems.
Kaspersky log:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, November 30, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, November 30, 2008 06:33:34
Records in database: 1428375
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
G:\
Scan statistics:
Files scanned: 74252
Threat name: 10
Infected objects: 25
Suspicious objects: 0
Duration of the scan: 01:33:41
File name / Threat name / Threats count
C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Qoobox\Quarantine\C\Documents and Settings\Snezhi Nicodemus\Application Data\gadcom\gadcom.exe.vir Infected: Trojan.Win32.Agent.amus 1
C:\Qoobox\Quarantine\C\Documents and Settings\Snezhi Nicodemus\Application Data\Microsoft\Windows\lsass.exe.vir Infected: Trojan.Win32.Agent.amfx 1
C:\Qoobox\Quarantine\C\Documents and Settings\Snezhi Nicodemus\Application Data\NI.GSCNS\IUpd721.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.vdjv 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\c0028A82.mat.vir Infected: Trojan-GameThief.Win32.Magania.ajto 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\c008BE59.mat.vir Infected: Trojan-GameThief.Win32.Magania.ajto 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\c009537D.mat.vir Infected: Trojan-GameThief.Win32.Magania.ajto 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\c00E4906.mat.vir Infected: Trojan-GameThief.Win32.Magania.ajto 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\c00FCE72.mat.vir Infected: Trojan-GameThief.Win32.Magania.ajto 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\prt\PDLWI40.exe.vir Infected: not-a-virus:AdWare.Win32.Agent.hja 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\u2\BMAE3ak.exe.vir Infected: Trojan-Downloader.Win32.Small.buy 1
C:\Qoobox\Quarantine\C\WINDOWS\U25lemhpIE5pY29kZW11cw\asappsrv.dll.vir Infected: not-a-virus:AdWare.Win32.CommAd.a 1
C:\Qoobox\Quarantine\C\WINDOWS\U25lemhpIE5pY29kZW11cw\command.exe.vir Infected: not-a-virus:AdWare.Win32.CommAd.a 1
C:\Qoobox\Quarantine\[4]-Submit_2008-11-21@19.58.zip Infected: Trojan-GameThief.Win32.Magania.ajto 2
C:\Qoobox\Quarantine\[4]-Submit_2008-11-21@19.58.zip Infected: Rootkit.Win32.Pakes.ar 1
C:\Qoobox\Quarantine\[4]-Submit_2008-11-21@19.58.zip Infected: Backdoor.Win32.Agent.tlr 1
G:\Gina's Documents\vnc-4_1_2-x86_win32\vnc-4_1_2-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 3
G:\Gina's Documents\vnc-4_1_2-x86_win32.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 3
G:\Gina's Documents\vnc-4_1_2-x86_win32_viewer\vnc-4_1_2-x86_win32_viewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
G:\Gina's Documents\vnc-4_1_2-x86_win32_viewer.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
The selected area was scanned.
HiJackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:26:42 PM, on 11/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\TextPad 5\TextPad.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 4321 bytes
Your latest HJT log looks good.
Besides finding VNC (which is fine), Kasperky found files in the Qoobox folder. That folder is where ComboFix keeps its quarantined files. I'll show you how to remove ComboFix and the Qoobox folder in this post.
If there are no more problems, you are good to go. :)
To remove ComboFix, do the following:
Go to Start > Run - type in ComboFix /u & click OK
Please open OTMoveIt3.
Click on the CleanUp! button. If your Firewall gives a warning about OTMoveIt wanting to download a file, allow it.
Answer Yes to the prompt.
The program will ask for a reboot. Answer Yes.
Empty your Recycle Bin.
Please take the time to read my All Clean Post.
Please follow these simple steps in order to keep your computer clean and secure:
This is a good time to clear your existing system restore points and establish a new clean restore point
Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Make sure the C:\ drive is selected and click OK. If your computer's Hard Drive is not located on C:, change it to the correct drive letter then click OK.
Select the More options tab
Choose the option to clean up system restore and OK it.
This will remove all restore points except the new one you just created..
Clearing your restore points is not something you should do on a regular basis. Normally, this process only needs to be done after clearing out an infestation of malware.
Make your Internet Explorer more secure This can be done by following these simple instructions: From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub frames across different domains to Prompt When all these settings have been made, click on the OK button.
If it asks you if you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Set correct settings for files that should be hidden in Windows XP
Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
If unchecked please checkHide protected operating system files (Recommended)
If necessary check "Display content of system folders"
If necessary Uncheck Hide file extensions for known file types.
Click OK
Use An Antivirus Software and Keep It Updated - It is very important that your computer has an antivirus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.
Visit Microsoft's Update Site Frequently It is important that you visit Microsoft Updates (http://update.microsoft.com/) regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install SpywareBlaster SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
Computer Safety on line Anti Malware (http://forum.malwareremoval.com/viewtopic.php?p=54#54)
Use the hosts file: Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download mvps hosts file (http://www.mvps.org/winhelp2002/hosts.htm) Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE (http://www.bleepingcomputer.com/forums/tutorial51.html) If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button on the task bar at the bottom of your screen Click run In the dialog box, type services.msc hit enter, then locate dns client Highlight it, then doubleclick it. On the dropdown box, change the setting from automatic to manual. Click ok..
Use an alternative instant messenger program.Trillian (http://www.trillian.cc/) and Miranda IM (http://www.miranda-im.com/) These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
Please read Tony Klein's excellent article: How I got Infected in the First Place (http://forums.subratam.org/index.php?showtopic=5931)
Please read Understanding Spyware, Browser Hijackers, and Dialers (http://www.bleepingcomputer.com/forums/tutorial41.html)
Please read Simple and easy ways to keep your computer safe and secure on the Internet (http://www.bleepingcomputer.com/tutorials/tutorial82.html)
If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox (http://www.mozilla.org/products/firefox) or
Opera (http://www.opera.com/download/).
If you decide to use either FireFox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.
Update all these programs regularly Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back (http://spyware-free.us/2006/01/time-to-fight-back.html). Follow these steps and your potential for being infected again will reduce dramatically.
Here's a good website to read about Malware prevention:
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
If your computer is running slow, click here (http://www.malwareremoval.com/tutorials/runningslowly.php) for instructions on how to help speed up your computer.
Good luck!
Please reply one last time so that I know you have read my post and this thread can be closed.
Thank you!!!
I followed all the steps. OT said something about being unable to delete a file but I didn't get to see exactly what file because it asked me to reboot and I had already clicked 'yes' when I noticed the message. Other than that, everything else went great. I read all the articles and followed all the steps to maintenance my PC.
Thanks again for all of your help! I really appreciate it!
You're welcome. I'm glad I was able to help you out. :)