Virtumonde Malware Infection
FilthyOstrich
2008-11-28, 01:08
To whomever it may concern. I have recently become infected with this infamous Virtumonde. I have used Spybot, which managed to remove the majority of the infection, but I'm still left with around 6 infections. I'm a university student and I have a lot of deadlines approaching. I have backed all my work up, but I really will be in trouble if I have NO COMPUTER :( Really want to rectify this problem asap! Whoever you are, your help and time is eternally appreciated!
Here is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:03:04, on 27/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\Program Files\O2\bin\sprtsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Hercules\Audio\Hercules DJ Console\DJConsoleMixer.exe
C:\Program Files\O2\bin\sprtcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\NETGEAR\WN111\wn111.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [DJ Console] C:\Program Files\Hercules\Audio\Hercules DJ Console\DJConsoleMixer.exe -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [O2] "C:\Program Files\O2\bin\sprtcmd.exe" /P O2
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: NETGEAR WN111 Smart Wizard.lnk = C:\Program Files\NETGEAR\WN111\wn111.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.beatport.com
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1221368020458&h=4f2d35faa83357f812d9d9b75e540cc9/&filename=jinstall-6u7-windows-i586-jc.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: wfdykm.dll covlee.dll
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: SupportSoft Sprocket Service (O2) (sprtsvc_O2) - SupportSoft, Inc. - C:\Program Files\O2\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 6114 bytes
pskelley
2008-11-28, 16:02
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.
1) Post an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg
2) Please DO NOT enable TeaTimer while we are working together.
3) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instructions on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Thanks
FilthyOstrich
2008-11-28, 20:23
Thank you for your time :) It's good to know there's a place you can go for help with this kind of issue!
OK, the HijackThis uninstall log was copy-pasted by hand, as when I clicked Save list, HijackThis simply closed and nothing more happened:
Adobe AIR
Adobe AIR
Adobe Flash Player ActiveX
Adobe Reader 7.1.0
Alt WAV MP3 WMA OGG Converter 7.2
AMP WinOFF
Apple Mobile Device Support
Apple Software Update
Aturia Minimoog V v1.0
Arturia Moog Modular V v1.1
Assassin's Creed
BBC iPlayer Download Manager
BeatportDownloader
BeatportDownloader
Bonjour
Broken Sword - The Angel of Death
Call of Duty(R) 4 - Modern Warfare(TM)
Call of Duty(R) 4 - Modern Warfare(TM) 1.6 Patch
CCleaner
CDMaster32
Championship Manager 2008
CS-80V
Dawn Of War
Dawn Of War - Dark Crusade
Dawn Of War - Winter Assault
db audioware Sidechain Compressor VST v1.1.0
Diablo II
ESET NOD32 Antivirus
GameShadow
GForce - Oddity
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Groovecube Exciton VSTi v1.2.2
Half-Life(R) 2
Hercules DJ Console drivers
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
iTunes
Java(TM) 6 Update 7
Lennar Digital Sylenth VSTi v1.2.1
Live 7.0.3
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Mixed In Key 2.5
MobileMe Control Panel
Nero 7 Demo
NETGEAR WN111 wireless USB 2.0 adapter
NOD32 v3.0.642
NVIDIA Drivers
O2 Broadband Assistant
OpenOffice.org Installer 1.0
PerfectDisk 2008 Professional
Pro Evolution Soccer 2008
QuickTime
Realtek High Definition Audio Driver
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Skype™ Beta 4.0
Spybot - Search & Destroy
Starcraft
Steam(TM)
TBL BassLine v1.2 VSTi
The Battle for Middle-earth (tm)
Update for Windows XP (KB898461)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Virtual DJ - Atomix Productions
VLC
Warcraft III
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Windows Internet Explorer 7
Windows Live Messenger
Windows XP Service Pack 3
WinRAR archiver
Xfire (remove only)
XviD 1.1 final uninstall
ZoneAlarm
ZoneAlarm Spy Blocker
Here is the ComboFix log:
ComboFix 08-11-27.07 - Scott 2008-11-28 18:05:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2496 [GMT 0:00]
Running from: c:\documents and settings\Scott\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\BaHjlnnn.ini
c:\windows\system32\BaHjlnnn.ini2
c:\windows\system32\egwllt.dll
c:\windows\system32\eyponmyw.ini
c:\windows\system32\fwjwkg.dll
c:\windows\system32\jrexkbsy.dll
c:\windows\system32\nnnljHaB.dll
c:\windows\system32\okruffra.dll
c:\windows\system32\rmqjurvk.dll
c:\windows\system32\rqRKCuTL.dll
c:\windows\system32\wymnopye.dll
c:\windows\system32\xhiyyv.dll
.
((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-28 )))))))))))))))))))))))))))))))
.
2008-11-27 23:02 . 2008-11-27 23:02 <DIR> d-------- c:\program files\Trend Micro
2008-11-27 21:11 . 2008-11-27 21:11 <DIR> d-------- C:\VundoFix Backups
2008-11-27 17:09 . 2008-11-27 19:21 <DIR> d-------- c:\documents and settings\Scott\.housecall6.6
2008-11-16 20:53 . 2008-11-16 20:53 <DIR> d-------- c:\documents and settings\Scott\Application Data\NI.GSCNS
2008-11-12 10:20 . 2008-09-04 17:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 10:20 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-01 19:16 . 2008-11-01 19:16 <DIR> d-------- c:\program files\iTunes
2008-11-01 19:16 . 2008-11-01 19:16 <DIR> d-------- c:\program files\iPod
2008-11-01 19:16 . 2008-11-01 19:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-01 19:14 . 2008-11-01 19:14 <DIR> d-------- c:\program files\Bonjour
2008-11-01 19:13 . 2008-11-01 19:14 <DIR> d-------- c:\program files\QuickTime
2008-11-01 19:12 . 2008-11-01 19:12 <DIR> d-------- c:\program files\Apple Software Update
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-28 18:09 54,974,496 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-11-28 18:07 646,160 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-11-28 18:07 --------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2008-11-28 08:27 --------- d-----w c:\program files\Vuze
2008-11-28 00:11 --------- d-----w c:\program files\Diablo II
2008-11-27 22:49 --------- d-----w c:\documents and settings\Scott\Application Data\Azureus
2008-11-27 19:24 2,153,034 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-11-27 17:03 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-08 14:32 410,624 ----a-w c:\windows\Internet Logs\xDB12.tmp
2008-11-08 14:32 1,639,936 ----a-w c:\windows\Internet Logs\xDB13.tmp
2008-11-03 19:32 152,089 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_11_03_19_25_04_small.dmp.zip
2008-11-03 14:09 610,304 ----a-w c:\windows\Internet Logs\xDB10.tmp
2008-11-03 14:09 1,636,352 ----a-w c:\windows\Internet Logs\xDB11.tmp
2008-11-02 16:40 --------- d-----w c:\documents and settings\Scott\Application Data\Skype
2008-11-02 16:32 1,633,792 ----a-w c:\windows\Internet Logs\xDBF.tmp
2008-11-02 16:24 --------- d-----w c:\documents and settings\Scott\Application Data\skypePM
2008-11-01 19:13 --------- d-----w c:\program files\Common Files\Apple
2008-10-30 12:17 606,720 ----a-w c:\windows\Internet Logs\xDBD.tmp
2008-10-30 12:17 1,617,920 ----a-w c:\windows\Internet Logs\xDBE.tmp
2008-10-27 15:01 155,097 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_10_27_14_48_24_small.dmp.zip
2008-10-26 01:53 --------- d-----w c:\program files\Warcraft III
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 09:22 152,677 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_10_24_10_12_30_small.dmp.zip
2008-10-24 09:12 967,168 ----a-w c:\windows\Internet Logs\xDBB.tmp
2008-10-24 09:12 1,608,192 ----a-w c:\windows\Internet Logs\xDBC.tmp
2008-10-23 12:42 156,015 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_10_23_13_29_38_small.dmp.zip
2008-10-21 20:46 1,606,144 ----a-w c:\windows\Internet Logs\xDBA.tmp
2008-10-21 20:32 --------- d-----w c:\program files\Common Files\Skype
2008-10-21 20:32 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-10-21 20:32 --------- d-----r c:\program files\Skype
2008-10-16 21:20 1,598,976 ----a-w c:\windows\Internet Logs\xDB9.tmp
2008-10-16 20:48 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-10-16 19:31 152,375 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_10_16_20_22_41_small.dmp.zip
2008-10-16 19:22 1,732,608 ----a-w c:\windows\Internet Logs\xDB7.tmp
2008-10-16 19:22 1,595,392 ----a-w c:\windows\Internet Logs\xDB8.tmp
2008-10-09 23:50 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-10-09 23:50 --------- d-----w c:\program files\BeatportDownloader
2008-10-09 23:50 --------- d-----w c:\documents and settings\Scott\Application Data\BeatportDownloader.EE670286545758FAB4A69D4439CF6054F83E0AC2.1
2008-10-06 21:22 --------- d-----w c:\program files\Alt WAV MP3 WMA OGG Converter
2008-10-05 22:23 --------- d-----w c:\documents and settings\Scott\Application Data\My Battle for Middle-earth Files
2008-09-30 21:47 552,960 ----a-w c:\windows\Internet Logs\xDB5.tmp
2008-09-30 21:47 1,533,952 ----a-w c:\windows\Internet Logs\xDB6.tmp
2008-09-29 21:42 --------- d--h--w c:\program files\InstallShield Installation Information
2008-09-29 21:42 --------- d-----w c:\program files\NETGEAR
2008-09-25 11:06 764,416 ----a-w c:\windows\Internet Logs\xDB4.tmp
2008-09-20 15:34 2,941,440 ----a-w c:\windows\Internet Logs\xDB2.tmp
2008-09-20 15:34 1,464,832 ----a-w c:\windows\Internet Logs\xDB3.tmp
2008-09-18 21:28 21,840 ----atw c:\windows\system32\SIntfNT.dll
2008-09-18 21:28 17,212 ----atw c:\windows\system32\SIntf32.dll
2008-09-18 21:28 12,067 ----atw c:\windows\system32\SIntf16.dll
2008-09-18 21:22 94,208 ----a-w c:\windows\DIIUnin.exe
2008-09-18 21:22 2,829 ----a-w c:\windows\DIIUnin.pif
2008-09-17 02:42 70,656 ----a-w c:\windows\ScUnin.exe
2008-09-16 01:53 18 ----a-w c:\documents and settings\Scott\ambt.dat
2008-09-16 01:48 0 ----a-w c:\documents and settings\Scott\session.dat
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-15 00:19 436,224 ----a-w c:\windows\Internet Logs\xDB1.tmp
2008-09-12 15:26 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-09-02 17:37 43,520 ----a-w c:\windows\system32\CmdLineExt03.dll
2008-08-29 10:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 09:53 61,440 ----a-w c:\windows\system32\dnssd.dll
2007-08-21 03:25 460,928 ----a-w c:\windows\inf\WN111\Mrvw245.sys
2007-05-24 13:58 249,856 ----a-w c:\windows\inf\WN111\InsDrv2k.exe
2006-07-05 10:21 212,992 ----a-w c:\windows\inf\WN111\CopyWHQLDriver.exe
2005-11-17 14:46 845,736 ----a-w c:\windows\inf\WN111\DPInst.exe
2003-10-22 10:36 9,592,832 ----a-w c:\program files\CS-80V.dll
2003-10-17 16:20 524,288 ----a-w c:\program files\CS-80V.dpm
2003-09-25 08:57 765,815 ----a-w c:\program files\CS-80V.dpm.rsr
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 1443072]
"DJ Console"="c:\program files\Hercules\Audio\Hercules DJ Console\DJConsoleMixer.exe" [2004-10-22 278528]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-03-24 13524992]
"O2"="c:\program files\O2\bin\sprtcmd.exe" [2008-03-28 198184]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WN111 Smart Wizard.lnk - c:\program files\NETGEAR\WN111\wn111.exe [2007-08-27 1343488]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wfdykm.dll covlee.dll xhiyyv.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Scott^Start Menu^Programs^Startup^Registration Assassin's Creed.LNK]
path=c:\documents and settings\Scott\Start Menu\Programs\Startup\Registration Assassin's Creed.LNK
backup=c:\windows\pss\Registration Assassin's Creed.LNKStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-10-01 12:57 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2005-12-16 11:57 94208 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2007-12-29 12:05 486856 c:\program files\DAEMON Tools Lite\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 18:57 289576 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 11:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 09:50 155648 c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-03-24 11:52 13524992 c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-03-24 11:52 86016 c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-10-10 14:56 25798440 c:\program files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-10-08 16:55 1410296 c:\program files\Valve\Steam\Steam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2005-05-03 02:43 69632 c:\windows\Alcmtr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-03-24 11:52 1626112 c:\windows\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2006-10-30 03:49 16269312 c:\windows\RTHDCPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-r------- 2006-05-16 02:04 2879488 c:\windows\SkyTel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"AresChatServer"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=
"c:\\Program Files\\KONAMI\\Pro Evolution Soccer 2008\\PES2008.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40k.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"c:\\Program Files\\O2\\bin\\wificfg.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont.exe"=
"c:\\Program Files\\Common Files\\SupportSoft\\bin\\ssrc.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont_nm.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\EA GAMES\\The Battle for Middle-earth (tm)\\game.dat"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2008-02-20 33800]
R2 PD91Agent;PD91Agent;"c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe" [2008-01-16 664840]
R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);"c:\program files\O2\bin\sprtsvc.exe" /service /p O2 [2007-06-07 202280]
R3 Bulk;HDJBulk;c:\windows\system32\Drivers\HDJBulk.sys [2008-08-03 34176]
R3 HDJAsioK;HDJAsioK;c:\windows\system32\Drivers\HDJAsioK.sys [2008-08-03 81536]
R3 HDJMidi;Hercules DJ Console MIDI;c:\windows\system32\DRIVERS\HDJMidi.sys [2008-08-03 32384]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe /s c:\windows\nod32fixtemdono.reg [2004-08-04 3584]
S3 PD91Engine;PD91Engine;"c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe" [2008-01-16 894216]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ebb3026c-88b6-11dd-8f5f-001d7dd4059e}]
\Shell\AutoRun\command - E:\wdsync.exe
.
Contents of the 'Scheduled Tasks' folder
2008-11-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -
BHO-{600548BF-F629-4056-AD0C-CEB0F63CADFF} - c:\windows\system32\nnnljHaB.dll
BHO-{9b5c13a3-35b2-4fdf-a3f5-695a3d4067b9} - c:\windows\system32\xhiyyv.dll
HKCU-Run-ares - c:\program files\Ares\Ares.exe
MSConfigStartUp-ares - c:\program files\Ares\Ares.exe
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-28 18:08:42
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe
c:\program files\Kontiki\KService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
.
**************************************************************************
.
Completion time: 2008-11-28 18:11:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-28 18:11:13
Pre-Run: 354,520,514,560 bytes free
Post-Run: 354,492,235,776 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
250 --- E O F --- 2008-11-12 17:22:03
And finally, here is the new HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:13:42, on 28/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\Program Files\O2\bin\sprtsvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Hercules\Audio\Hercules DJ Console\DJConsoleMixer.exe
C:\Program Files\O2\bin\sprtcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\NETGEAR\WN111\wn111.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [DJ Console] C:\Program Files\Hercules\Audio\Hercules DJ Console\DJConsoleMixer.exe -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [O2] "C:\Program Files\O2\bin\sprtcmd.exe" /P O2
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: NETGEAR WN111 Smart Wizard.lnk = C:\Program Files\NETGEAR\WN111\wn111.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.beatport.com
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1221368020458&h=4f2d35faa83357f812d9d9b75e540cc9/&filename=jinstall-6u7-windows-i586-jc.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: wfdykm.dll covlee.dll xhiyyv.dll
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: SupportSoft Sprocket Service (O2) (sprtsvc_O2) - SupportSoft, Inc. - C:\Program Files\O2\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 6039 bytes
Once again THANK YOU!!!!!! I'll look forward to further instructions!!!
pskelley
2008-11-28, 20:44
Thanks for returning your information, looking at the uninstall list first.
Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
Azureus <<< uninstall all p2p programs, see this:
http://forums.spybot.info/showthread.php?t=282
If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.
Hackers are using out-of-date programs to infect folks more and more.
Here is a small free tool that lets you know when something needs an update, if you are interested:
http://secunia.com/vulnerability_scanning/personal/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.
Adobe Reader 7.1.0 <<< out of date, see this information:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://www.filehippo.com/download_adobe_reader/
(if you want a smaller program, look at this one)
Foxit Reader 2.3 for Windows
http://www.foxitsoftware.com/pdf/rd_intro.php
ZoneAlarm Spy Blocker <<< suggest you uninstall, see this information:
http://securitygarden.blogspot.com/2007/12/beware-of-zonealarm.html
http://www.benedelman.org/spyware/installations/askjeeves-banner/
http://www.malwarebytes.org/forums/index.php?showtopic=3143
1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.
2) Open notepad and copy/paste the text in the codebox below into it:
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
Folder::
C:\VundoFix Backups
c:\documents and settings\Scott\Application Data\Azureus
Save this as CFScript
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe.
This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log. (Wait until you finish to post the logs.)
3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
(leave the next item if you are positive it is safe)
O15 - Trusted Zone: http://*.beatport.com
O20 - AppInit_DLLs: wfdykm.dll covlee.dll xhiyyv.dll
Close all programs but HJT and all browser windows, then click on "Fix Checked"
4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html
5) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html
How is the computer running?
Thanks
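Steps 2 and 3 above remove the O20 AppInit_DLLs entries with a CFScript and the remaining items with HijackThis; as an added example (not code from the thread or from HijackThis/ComboFix), the Python script below does the same triage on lines copied from the log posted earlier, flagging bare random-looking DLL names in AppInit_DLLs, listing O15 trusted-zone entries for manual confirmation, and checking that O2/O3/O4/O23 binaries live under Program Files or Windows. The random-name regex, the trusted-root list and the severity labels are assumptions.

```python
"""Triage a HijackThis log for the persistence points discussed in this thread.

Added example: the heuristics below are assumptions, not HijackThis or ComboFix
logic, and the sample lines are a constructed subset of the log posted above.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log earlier in the thread.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: http://*.beatport.com
O20 - AppInit_DLLs: wfdykm.dll covlee.dll xhiyyv.dll
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
""".strip().splitlines()

# "CODE - body" is the HijackThis item shape (R0, O2, O4, O20, ...).
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# First drive-letter path ending in .exe/.dll, with optional surrounding quotes.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll))', re.IGNORECASE)
# Assumption: Vundo/Virtumonde droppers register short, random, pathless DLL
# names in AppInit_DLLs so every GUI process loads them; real DLLs rarely do.
RANDOM_DLL_RE = re.compile(r"^[a-z]{5,8}\.dll$")
# Assumption: autostart binaries outside these roots deserve a closer look.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\")
# Names the helper in this thread told the poster to remove.
UNWANTED_NAMES = ("zonealarm spy blocker",)


@dataclass
class Finding:
    code: str       # HijackThis section, e.g. "O20"
    severity: str   # "high" = fix it, "review" = confirm by hand first
    detail: str


def parse_line(line):
    """Split one log line into (section code, body); None for non-item lines."""
    m = LINE_RE.match(line.strip())
    return (m.group("code"), m.group("body")) if m else None


def first_path(body):
    """Return the first .exe/.dll path in an item body, or None."""
    m = PATH_RE.search(body)
    return m.group(1) if m else None


def triage(lines):
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        code, body = parsed
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            # Anything listed here is loaded system-wide; a random-looking bare
            # name is the Virtumonde pattern, every other entry still gets a review.
            for dll in body.split(":", 1)[1].split():
                sev = "high" if RANDOM_DLL_RE.match(dll.lower()) else "review"
                findings.append(Finding(code, sev, f"AppInit_DLLs loads {dll}"))
        elif code == "O15":
            # Trusted-zone sites run with relaxed IE security; only the owner
            # can confirm each one (the beatport.com entry here was legitimate).
            findings.append(Finding(code, "review", body))
        elif code in ("O2", "O3", "O4", "O23"):
            if any(name in body.lower() for name in UNWANTED_NAMES):
                findings.append(Finding(code, "review", f"unwanted add-on: {body}"))
                continue
            path = first_path(body)
            if path is None:
                findings.append(Finding(code, "review", f"no file path found: {body}"))
            elif not path.lower().startswith(TRUSTED_ROOTS):
                findings.append(Finding(code, "high", f"autostart outside trusted roots: {path}"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 3, 'review': 2}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_HJT_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.code}: {f.detail}")
    print(summarize(results))
```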
FilthyOstrich
2008-11-28, 22:52
OK, when I came to the part where you asked me to use HijackThis with "scan only" and look for the entries, including the Beatport one, the other 2 were missing. (The Beatport one is totally safe; it is a legit music download website I use.)
Here is Combofix log:
ComboFix 08-11-27.07 - Scott 2008-11-28 19:36:51.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2512 [GMT 0:00]
Running from: c:\documents and settings\Scott\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Scott\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Scott\Application Data\Azureus
C:\VundoFix Backups
.
((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-28 )))))))))))))))))))))))))))))))
.
2008-11-28 19:27 . 2008-11-28 19:27 <DIR> d-------- c:\program files\Common Files\Adobe
2008-11-28 19:22 . 2008-09-12 13:33 262,144 --a------ c:\program files\Uninstall Spy Blocker.dll
2008-11-28 19:14 . 2008-11-28 19:14 <DIR> d-------- c:\windows\LastGood
2008-11-28 19:14 . 2008-11-28 19:14 <DIR> d-------- c:\program files\Secunia
2008-11-27 23:02 . 2008-11-27 23:02 <DIR> d-------- c:\program files\Trend Micro
2008-11-27 17:09 . 2008-11-27 19:21 <DIR> d-------- c:\documents and settings\Scott\.housecall6.6
2008-11-18 13:36 . 2008-11-18 13:36 7,808 --a------ c:\windows\system32\drivers\psi_mf.sys
2008-11-16 20:53 . 2008-11-16 20:53 <DIR> d-------- c:\documents and settings\Scott\Application Data\NI.GSCNS
2008-11-12 10:20 . 2008-09-04 17:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 10:20 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-01 19:16 . 2008-11-01 19:16 <DIR> d-------- c:\program files\iTunes
2008-11-01 19:16 . 2008-11-01 19:16 <DIR> d-------- c:\program files\iPod
2008-11-01 19:16 . 2008-11-01 19:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-01 19:14 . 2008-11-01 19:14 <DIR> d-------- c:\program files\Bonjour
2008-11-01 19:13 . 2008-11-01 19:14 <DIR> d-------- c:\program files\QuickTime
2008-11-01 19:12 . 2008-11-01 19:12 <DIR> d-------- c:\program files\Apple Software Update
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-28 19:38 55,210,016 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-11-28 19:37 --------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2008-11-28 18:58 --------- d-----w c:\program files\Diablo II
2008-11-28 18:07 646,160 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-11-28 08:27 --------- d-----w c:\program files\Vuze
2008-11-27 19:24 2,153,034 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-11-27 17:03 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-08 14:32 410,624 ----a-w c:\windows\Internet Logs\xDB12.tmp
2008-11-08 14:32 1,639,936 ----a-w c:\windows\Internet Logs\xDB13.tmp
2008-11-03 19:32 152,089 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_11_03_19_25_04_small.dmp.zip
2008-11-03 14:09 610,304 ----a-w c:\windows\Internet Logs\xDB10.tmp
2008-11-03 14:09 1,636,352 ----a-w c:\windows\Internet Logs\xDB11.tmp
2008-11-02 16:40 --------- d-----w c:\documents and settings\Scott\Application Data\Skype
2008-11-02 16:32 1,633,792 ----a-w c:\windows\Internet Logs\xDBF.tmp
2008-11-02 16:24 --------- d-----w c:\documents and settings\Scott\Application Data\skypePM
2008-11-01 19:13 --------- d-----w c:\program files\Common Files\Apple
2008-10-30 12:17 606,720 ----a-w c:\windows\Internet Logs\xDBD.tmp
2008-10-30 12:17 1,617,920 ----a-w c:\windows\Internet Logs\xDBE.tmp
2008-10-27 15:01 155,097 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_10_27_14_48_24_small.dmp.zip
2008-10-26 01:53 --------- d-----w c:\program files\Warcraft III
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 09:22 152,677 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_10_24_10_12_30_small.dmp.zip
2008-10-24 09:12 967,168 ----a-w c:\windows\Internet Logs\xDBB.tmp
2008-10-24 09:12 1,608,192 ----a-w c:\windows\Internet Logs\xDBC.tmp
2008-10-23 12:42 156,015 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_10_23_13_29_38_small.dmp.zip
2008-10-21 20:46 1,606,144 ----a-w c:\windows\Internet Logs\xDBA.tmp
2008-10-21 20:32 --------- d-----w c:\program files\Common Files\Skype
2008-10-21 20:32 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-10-21 20:32 --------- d-----r c:\program files\Skype
2008-10-16 21:20 1,598,976 ----a-w c:\windows\Internet Logs\xDB9.tmp
2008-10-16 20:48 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-10-16 19:31 152,375 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_10_16_20_22_41_small.dmp.zip
2008-10-16 19:22 1,732,608 ----a-w c:\windows\Internet Logs\xDB7.tmp
2008-10-16 19:22 1,595,392 ----a-w c:\windows\Internet Logs\xDB8.tmp
2008-10-09 23:50 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-10-09 23:50 --------- d-----w c:\program files\BeatportDownloader
2008-10-09 23:50 --------- d-----w c:\documents and settings\Scott\Application Data\BeatportDownloader.EE670286545758FAB4A69D4439CF6054F83E0AC2.1
2008-10-06 21:22 --------- d-----w c:\program files\Alt WAV MP3 WMA OGG Converter
2008-10-05 22:23 --------- d-----w c:\documents and settings\Scott\Application Data\My Battle for Middle-earth Files
2008-09-30 21:47 552,960 ----a-w c:\windows\Internet Logs\xDB5.tmp
2008-09-30 21:47 1,533,952 ----a-w c:\windows\Internet Logs\xDB6.tmp
2008-09-29 21:42 --------- d--h--w c:\program files\InstallShield Installation Information
2008-09-29 21:42 --------- d-----w c:\program files\NETGEAR
2008-09-25 11:06 764,416 ----a-w c:\windows\Internet Logs\xDB4.tmp
2008-09-20 15:34 2,941,440 ----a-w c:\windows\Internet Logs\xDB2.tmp
2008-09-20 15:34 1,464,832 ----a-w c:\windows\Internet Logs\xDB3.tmp
2008-09-18 21:28 21,840 ----atw c:\windows\system32\SIntfNT.dll
2008-09-18 21:28 17,212 ----atw c:\windows\system32\SIntf32.dll
2008-09-18 21:28 12,067 ----atw c:\windows\system32\SIntf16.dll
2008-09-18 21:22 94,208 ----a-w c:\windows\DIIUnin.exe
2008-09-18 21:22 2,829 ----a-w c:\windows\DIIUnin.pif
2008-09-17 02:42 70,656 ----a-w c:\windows\ScUnin.exe
2008-09-16 01:53 18 ----a-w c:\documents and settings\Scott\ambt.dat
2008-09-16 01:48 0 ----a-w c:\documents and settings\Scott\session.dat
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-15 00:19 436,224 ----a-w c:\windows\Internet Logs\xDB1.tmp
2008-09-12 15:26 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-09-02 17:37 43,520 ----a-w c:\windows\system32\CmdLineExt03.dll
2008-08-29 10:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 09:53 61,440 ----a-w c:\windows\system32\dnssd.dll
2007-08-21 03:25 460,928 ----a-w c:\windows\inf\WN111\Mrvw245.sys
2007-05-24 13:58 249,856 ----a-w c:\windows\inf\WN111\InsDrv2k.exe
2006-07-05 10:21 212,992 ----a-w c:\windows\inf\WN111\CopyWHQLDriver.exe
2005-11-17 14:46 845,736 ----a-w c:\windows\inf\WN111\DPInst.exe
2003-10-22 10:36 9,592,832 ----a-w c:\program files\CS-80V.dll
2003-10-17 16:20 524,288 ----a-w c:\program files\CS-80V.dpm
2003-09-25 08:57 765,815 ----a-w c:\program files\CS-80V.dpm.rsr
.
((((((((((((((((((((((((((((( snapshot@2008-11-28_18.10.51.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-12 15:06:42 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 1443072]
"DJ Console"="c:\program files\Hercules\Audio\Hercules DJ Console\DJConsoleMixer.exe" [2004-10-22 278528]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-03-24 13524992]
"O2"="c:\program files\O2\bin\sprtcmd.exe" [2008-03-28 198184]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Scott\Start Menu\Programs\Startup\
Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2008-11-25 728408]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WN111 Smart Wizard.lnk - c:\program files\NETGEAR\WN111\wn111.exe [2007-08-27 1343488]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Scott^Start Menu^Programs^Startup^Registration Assassin's Creed.LNK]
path=c:\documents and settings\Scott\Start Menu\Programs\Startup\Registration Assassin's Creed.LNK
backup=c:\windows\pss\Registration Assassin's Creed.LNKStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-10-01 12:57 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2005-12-16 11:57 94208 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2007-12-29 12:05 486856 c:\program files\DAEMON Tools Lite\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 18:57 289576 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 11:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 09:50 155648 c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-03-24 11:52 13524992 c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-03-24 11:52 86016 c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-10-10 14:56 25798440 c:\program files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-10-08 16:55 1410296 c:\program files\Valve\Steam\Steam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2005-05-03 02:43 69632 c:\windows\Alcmtr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-03-24 11:52 1626112 c:\windows\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2006-10-30 03:49 16269312 c:\windows\RTHDCPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-r------- 2006-05-16 02:04 2879488 c:\windows\SkyTel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"AresChatServer"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=
"c:\\Program Files\\KONAMI\\Pro Evolution Soccer 2008\\PES2008.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40k.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"c:\\Program Files\\O2\\bin\\wificfg.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont.exe"=
"c:\\Program Files\\Common Files\\SupportSoft\\bin\\ssrc.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont_nm.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\EA GAMES\\The Battle for Middle-earth (tm)\\game.dat"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2008-02-20 33800]
R2 PD91Agent;PD91Agent;"c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe" [2008-01-16 664840]
R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);"c:\program files\O2\bin\sprtsvc.exe" /service /p O2 [2007-06-07 202280]
R3 Bulk;HDJBulk;c:\windows\system32\Drivers\HDJBulk.sys [2008-08-03 34176]
R3 HDJAsioK;HDJAsioK;c:\windows\system32\Drivers\HDJAsioK.sys [2008-08-03 81536]
R3 HDJMidi;Hercules DJ Console MIDI;c:\windows\system32\DRIVERS\HDJMidi.sys [2008-08-03 32384]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2008-11-18 7808]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe /s c:\windows\nod32fixtemdono.reg [2004-08-04 3584]
S3 PD91Engine;PD91Engine;"c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe" [2008-01-16 894216]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ebb3026c-88b6-11dd-8f5f-001d7dd4059e}]
\Shell\AutoRun\command - E:\wdsync.exe
*Newly Created Service* - PSI
.
Contents of the 'Scheduled Tasks' folder
2008-11-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-28 19:38:40
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-11-28 19:39:16
ComboFix-quarantined-files.txt 2008-11-28 19:39:14
ComboFix2.txt 2008-11-28 18:11:17
Pre-Run: 358,039,056,384 bytes free
Post-Run: 358,047,903,744 bytes free
426 --- E O F --- 2008-11-12 17:22:03
and MBAM log:
Malwarebytes' Anti-Malware 1.30
Database version: 1433
Windows 5.1.2600 Service Pack 3
28/11/2008 20:46:18
mbam-log-2008-11-28 (20-46-18).txt
Scan type: Full Scan (C:\|)
Objects scanned: 107217
Time elapsed: 26 minute(s), 41 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 27
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Documents and Settings\Scott\Application Data\NI.GSCNS (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\egwllt.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\jrexkbsy.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\nnnljHaB.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\rqRKCuTL.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4BC8B9C4-02FB-439D-B107-3D731F21DA95}\RP102\A0054811.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4BC8B9C4-02FB-439D-B107-3D731F21DA95}\RP102\A0054812.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4BC8B9C4-02FB-439D-B107-3D731F21DA95}\RP103\A0055986.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4BC8B9C4-02FB-439D-B107-3D731F21DA95}\RP103\A0055988.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4BC8B9C4-02FB-439D-B107-3D731F21DA95}\RP103\A0056054.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4BC8B9C4-02FB-439D-B107-3D731F21DA95}\RP103\A0056060.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4BC8B9C4-02FB-439D-B107-3D731F21DA95}\RP103\A0056061.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4BC8B9C4-02FB-439D-B107-3D731F21DA95}\RP103\A0056062.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4BC8B9C4-02FB-439D-B107-3D731F21DA95}\RP103\A0056063.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4BC8B9C4-02FB-439D-B107-3D731F21DA95}\RP103\A0056064.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4BC8B9C4-02FB-439D-B107-3D731F21DA95}\RP103\A0056065.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4BC8B9C4-02FB-439D-B107-3D731F21DA95}\RP103\A0056066.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4BC8B9C4-02FB-439D-B107-3D731F21DA95}\RP103\A0056069.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4BC8B9C4-02FB-439D-B107-3D731F21DA95}\RP103\A0056067.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4BC8B9C4-02FB-439D-B107-3D731F21DA95}\RP108\A0056230.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4BC8B9C4-02FB-439D-B107-3D731F21DA95}\RP108\A0056233.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4BC8B9C4-02FB-439D-B107-3D731F21DA95}\RP108\A0056234.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4BC8B9C4-02FB-439D-B107-3D731F21DA95}\RP108\A0056237.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4BC8B9C4-02FB-439D-B107-3D731F21DA95}\RP97\A0053265.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4BC8B9C4-02FB-439D-B107-3D731F21DA95}\RP99\A0054086.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4BC8B9C4-02FB-439D-B107-3D731F21DA95}\RP99\A0054437.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Scott\Application Data\NI.GSCNS\dl.ini (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Scott\Application Data\NI.GSCNS\settings.ini (Trojan.Agent) -> Quarantined and deleted successfully.
Finally, HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:47:32, on 28/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\Program Files\O2\bin\sprtsvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Hercules\Audio\Hercules DJ Console\DJConsoleMixer.exe
C:\Program Files\O2\bin\sprtcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WN111\wn111.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [DJ Console] C:\Program Files\Hercules\Audio\Hercules DJ Console\DJConsoleMixer.exe -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [O2] "C:\Program Files\O2\bin\sprtcmd.exe" /P O2
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe
O4 - Global Startup: NETGEAR WN111 Smart Wizard.lnk = C:\Program Files\NETGEAR\WN111\wn111.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.beatport.com
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1221368020458&h=4f2d35faa83357f812d9d9b75e540cc9/&filename=jinstall-6u7-windows-i586-jc.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: SupportSoft Sprocket Service (O2) (sprtsvc_O2) - SupportSoft, Inc. - C:\Program Files\O2\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 6422 bytes
My system seems much better since the first round of combofix! Much smoother, and NO POP-UPS :)
I cannot thank you enough so far! I'll check back here soon for your reply!
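The MBAM log above reports 27 infected files, but almost all of them sit in ComboFix's quarantine folder (C:\Qoobox) or in System Restore snapshots (C:\System Volume Information\_restore{...}), i.e. inert copies rather than active components, which is why the reply below has System Restore turned off and on again. As an added example that is not part of this thread, the Python script below parses an MBAM 1.x log in the format posted here, groups each hit by malware family and by where it lived, and cross-checks the parsed counts against the log's own summary lines; the sample log is a constructed excerpt that reuses paths from the post.

```python
r"""Triage a Malwarebytes' Anti-Malware 1.x log by malware family and by where each hit lived.
Added example, not from the thread. Location decides whether a hit was active or an inert copy:
C:\Qoobox\Quarantine is ComboFix's quarantine, C:\System Volume Information\_restore{...} holds
System Restore snapshots; everything else was a live file, folder or registry key."""
import re
from collections import Counter
from dataclasses import dataclass

# "<item> (<family>) -> <action>."  e.g. "...\egwllt.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully."
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")                # "Files Infected:"
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")  # "Files Infected: 27"


@dataclass(frozen=True)
class Detection:
    section: str
    item: str
    family: str
    action: str

    def location(self) -> str:
        low = self.item.lower()
        if low.startswith("hk"):
            return "registry"
        if "\\qoobox\\quarantine\\" in low:
            return "combofix-quarantine"
        if "\\system volume information\\_restore" in low:
            return "restore-point"
        return "live"


def parse_mbam_log(text: str):
    """Return (detections, summary_counts) parsed from the raw log text."""
    detections, summary, section = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("section")] = int(m.group("count"))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None or not line or line.startswith("("):
            continue  # header lines, blanks, "(No malicious items detected)"
        m = DETECTION_RE.match(line)
        if m:
            detections.append(Detection(section, m.group("item"), m.group("family"), m.group("action")))
    return detections, summary


def triage(detections):
    """Counts by family and by location, plus the hits that were live (not quarantine or restore copies)."""
    by_family = Counter(d.family for d in detections)
    by_location = Counter(d.location() for d in detections)
    live = [d for d in detections if d.location() in ("live", "registry")]
    return by_family, by_location, live


def check_totals(detections, summary):
    """Sections whose parsed count disagrees with the log's own summary line (truncated paste, format drift)."""
    parsed = Counter(d.section for d in detections)
    return {s: (n, parsed.get(s, 0)) for s, n in summary.items() if parsed.get(s, 0) != n}


# Constructed excerpt in the format of the MBAM log posted above (paths taken from it, counts reduced).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.30
Registry Keys Infected: 1
Folders Infected: 1
Files Infected: 4
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Folders Infected:
C:\Documents and Settings\Scott\Application Data\NI.GSCNS (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\egwllt.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4BC8B9C4-02FB-439D-B107-3D731F21DA95}\RP102\A0054811.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Scott\Application Data\NI.GSCNS\dl.ini (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Scott\Application Data\NI.GSCNS\settings.ini (Trojan.Agent) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    dets, summary = parse_mbam_log(SAMPLE_LOG)
    fam, loc, live = triage(dets)
    print("by family:", dict(fam), "by location:", dict(loc))
    print("live items:", [d.item for d in live], "summary mismatches:", check_totals(dets, summary))
```

Run against the full log from the post, the only live items are the registry key and the NI.GSCNS folder and its two .ini files; every Trojan.Vundo hit is a quarantine or restore-point copy.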
pskelley
2008-11-28, 23:03
Thanks for returning your information. I see these running:
C:\Program Files\Secunia\PSI\psi.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
and I suggest you turn those off in MSConfig and run them when needed. Information: http://www.netsquirrel.com/msconfig/msconfig_xp.html
This information may help your computer run better:
http://www.malwareremoval.com/tutorials/runningslowly.php
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
Let's proceed like this:
Remove combofix from the computer like this:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U; it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
Clean the System Restore files like this:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
Update MBAM and scan to be sure we missed none of the junk; there is no need to post a clean scan result.
Update ESET NOD32 Antivirus and scan the system to be sure it is running right and scanning clean. If you have problems with the program, contact tech support for instructions.
http://www.eset.com/support/
If all is well at this point, let me know and I will close the topic.
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
http://www.malwarecomplaints.info/
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
http://users.telenet.be/bluepatchy/miekiemoes/Links.html
FilthyOstrich
2008-11-28, 23:32
THANK YOU!
I have to go out for a few hours, possibly until the early hours. I will leave these scans running and as soon as I get in I will let you know how it went.
Thank you so much so far.
FilthyOstrich
2008-11-29, 18:45
What can I say except THANK YOU a thousand times over. Not only have you cured my PC but you also have given me some really valuable programs and information which I will now use.
Eternal Respect to you for doing this for me.
Eternally grateful
Regards!