View Full Version : Virtumond problem
Firedraconian
2008-12-07, 10:44
I'm having a problem with an icon along the bottom of my screen that claims my Windows Auto-Update is disable, but when I check under System Tools, it's enabled and working fine. In addition, whenever I browse online, I get frequent popups. I downloaded SpyBot S&D to do a scan, and it tells me I have multiple 'Virtumond' infections. It tried to get rid of them, but they keep coming back - even just after 'fixing' the problem, the scan finds it again. Here's my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:40:37 AM, on 12/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hide My IP 2007\SecureSrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/apps/vsp8/en-us/vsp8/default.asp?affid=0-3&installtype=force&langid=1&systempopup=true
R3 - URLSearchHook: (no name) - {0A94B116-4504-4e26-AB05-E61E474AA38B} - C:\Program Files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL
F3 - REG:win.ini: run=
O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [igndlm.exe] D:\Warcraft\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKCU\..\Run: [GetModule31] "C:\Program Files\GetModule\GetModule31.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - http://inst.c-wss.com/58/EN/html/gtdownlr.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/075a68ad192d78c67401/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093733485187
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F62EF18-84CE-4AA1-A4DE-8AFD233B12F5}: NameServer = 24.148.96.1,24.148.96.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{35449647-3169-43D5-AFE5-E6EF382293E9}: NameServer = 24.148.96.1,24.148.96.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{6893800E-1B2F-43F7-85F1-AE4CF8E76343}: NameServer = 66.109.38.250,66.109.38.251
O17 - HKLM\System\CCS\Services\Tcpip\..\{D47CFF36-AA47-4FC0-9262-3EA436E67E62}: NameServer = 24.148.96.1,24.148.96.2
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: fecfnh.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecureSrv - Unknown owner - C:\Program Files\Hide My IP 2007\SecureSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
--
End of file - 8416 bytes
chryssi2001
2008-12-07, 12:26
Hello Firedraconian,
I will be assisting you with your malware issues.
Whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
Continue to respond to this thread until I give you the All Clean! If you have any question or you're stuck in there please reply it to me. I will try my best to help you!
Please bookmark or favourite this page. In case you need it as reference or etc.
----------------------------------------------
RENAME HIJACKTHIS
There is some infection hiding in your log.
Using Windows Explore by right-clicking the Start button and left clicking Explore navigate to:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right-click on HijackThis.exe & select Rename to scanner.exe and post back a new Hijackthis log.
Firedraconian
2008-12-07, 17:25
New log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:25:02 AM, on 12/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hide My IP 2007\SecureSrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/apps/vsp8/en-us/vsp8/default.asp?affid=0-3&installtype=force&langid=1&systempopup=true
R3 - URLSearchHook: (no name) - {0A94B116-4504-4e26-AB05-E61E474AA38B} - C:\Program Files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL
F3 - REG:win.ini: run=
O2 - BHO: (no name) - {0A94B111-4504-4e26-AB05-E61E474AA38B} - (no file)
O2 - BHO: (no name) - {2966EE21-315A-4B8F-8690-14495A1917EC} - C:\WINDOWS\system32\tuvWpoMd.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\rqRJCUNF.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {85B680C9-5981-4E68-86A3-4E17FE9D0DB2} - (no file)
O2 - BHO: (no name) - {875A1348-7674-42aa-ADAC-B4F36A004A2D} - (no file)
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: {f14da941-48cd-9a69-bbb4-196becb3a3af} - {fa3a3bce-b691-4bbb-96a9-dc84149ad41f} - C:\WINDOWS\system32\fecfnh.dll
O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [igndlm.exe] D:\Warcraft\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKCU\..\Run: [GetModule31] "C:\Program Files\GetModule\GetModule31.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - http://inst.c-wss.com/58/EN/html/gtdownlr.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/075a68ad192d78c67401/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093733485187
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F62EF18-84CE-4AA1-A4DE-8AFD233B12F5}: NameServer = 24.148.96.1,24.148.96.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{35449647-3169-43D5-AFE5-E6EF382293E9}: NameServer = 24.148.96.1,24.148.96.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{6893800E-1B2F-43F7-85F1-AE4CF8E76343}: NameServer = 66.109.38.250,66.109.38.251
O17 - HKLM\System\CCS\Services\Tcpip\..\{D47CFF36-AA47-4FC0-9262-3EA436E67E62}: NameServer = 24.148.96.1,24.148.96.2
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: fecfnh.dll
O20 - Winlogon Notify: rqRJCUNF - C:\WINDOWS\SYSTEM32\rqRJCUNF.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecureSrv - Unknown owner - C:\Program Files\Hide My IP 2007\SecureSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
--
End of file - 9368 bytes
chryssi2001
2008-12-10, 20:02
Hello Firedraconian,
I apologise for the delay, but i didn't receive email notification for your new post. :(
Is one of these Companies your Internet provider? If yes, do you know the other one?
Mid-Hudson Cablevision, Inc. (Hudson)
Tech Valley Communications
----------------------------------------------
Download and run Combofix
Please visit this webpage for download links, and instructions for running the tool:
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
* IMPORTANT !!! Save ComboFix.exe to your Desktop
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this topic (http://www.bleepingcomputer.com/forums/topic114351.html) if you need help to disable your protection programs.
Please include the C:\ComboFix.txt in your next reply for further review.
----------------------------------------------
Post back:
Combofix report.
A new HijackThis log.
Answer my question about your Internet provider.
Firedraconian
2008-12-11, 05:54
Combofix Report:
ComboFix 08-12-09.03 - NAME 2008-12-10 22:32:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.650 [GMT -5:00]
Running from: c:\documents and settings\NAME\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Common Files\SLMSS
c:\program files\Common Files\SLMSS\acp1.dat
c:\program files\GetModule
c:\program files\QdrDrive
c:\windows\IE4 Error Log.txt
c:\windows\smdat32m.sys
c:\windows\system32\aipqnepn.dll
c:\windows\system32\dMopWvut.ini
c:\windows\system32\dMopWvut.ini2
c:\windows\system32\eeyecb.dll
c:\windows\system32\fecfnh.dll
c:\windows\system32\hkibmwph.dll
c:\windows\system32\igrirvtl.ini
c:\windows\system32\igrjyuxq.dll
c:\windows\system32\kgerdc.dll
c:\windows\system32\llyvibuu.dll
c:\windows\system32\npenqpia.ini
c:\windows\system32\oxnbxwlt.dll
c:\windows\system32\oxoafx.dll
c:\windows\system32\pnncgqku.dll
c:\windows\system32\qqjxeeuv.ini
c:\windows\system32\sputkc.dll
c:\windows\system32\sxtgchdq.dll
c:\windows\system32\teyraixt.ini
c:\windows\system32\tuvWpoMd.dll
c:\windows\system32\tvabgkie.ini
c:\windows\system32\twarbhdd.dll
c:\windows\system32\txiaryet.dll
c:\windows\system32\uubivyll.ini
c:\windows\system32\vueexjqq.dll
c:\windows\system32\wpv651228550018.cpx
c:\windows\system32\xfnrbi.dll
c:\windows\system32\xqaqclsh.dll
c:\windows\system32\yglqxg.dll
c:\windows\Tasks\tfgzvbqe.job
c:\windows\wiaserviv.log
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ZESOFT
((((((((((((((((((((((((( Files Created from 2008-11-11 to 2008-12-11 )))))))))))))))))))))))))))))))
.
2008-12-09 18:26 . 2008-12-09 18:26 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Gtek
2008-12-09 18:24 . 2008-12-09 18:26 <DIR> d-------- c:\program files\Linksys EasyLink Advisor
2008-12-07 03:40 . 2008-12-07 03:40 <DIR> d-------- c:\program files\Trend Micro
2008-12-07 02:15 . 2008-12-07 02:15 <DIR> d-------- c:\documents and settings\Administrator
2008-12-05 22:30 . 2008-12-05 22:30 <DIR> d-------- c:\program files\Ventrilo
2008-12-05 22:30 . 2008-12-05 22:30 262 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2008-12-05 22:29 . 2008-12-05 22:29 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-22 21:24 . 2008-11-22 21:24 <DIR> d-------- c:\documents and settings\NAME\Application Data\Xilisoft Corporation
2008-11-22 21:21 . 2008-11-22 21:21 <DIR> d-------- c:\program files\Xilisoft
2008-11-16 13:39 . 2008-11-16 13:39 66,082 --a--c--- c:\windows\system32\dllcache\c_10021.nls
2008-11-16 13:39 . 2008-11-16 13:39 66,082 --a------ c:\windows\system32\c_10021.nls
2008-11-12 12:33 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 12:32 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-11 03:00 --------- d-----w c:\program files\McAfee
2008-12-10 21:23 --------- d-----w c:\documents and settings\NAME\Application Data\Ventrilo
2008-12-10 04:41 --------- d-----w c:\documents and settings\NAME\Application Data\uTorrent
2008-12-09 23:24 --------- d--ha-w c:\documents and settings\All Users\Application Data\Gtek
2008-12-07 07:04 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-07 07:02 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-06 03:41 --------- d-----w c:\program files\Trillian
2008-11-17 04:15 --------- d-----w c:\program files\Winamp
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-14 16:53 --------- d-----w c:\documents and settings\All Users\Application Data\Blizzard
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0A94B116-4504-4e26-AB05-E61E474AA38B}"= "c:\program files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL" [2007-12-11 61440]
[HKEY_CLASSES_ROOT\clsid\{0a94b116-4504-4e26-ab05-e61e474aa38b}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="d:\warcraft\Download Manager\DLM.exe" [2006-11-07 972432]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 307200]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-06-14 278528]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]
"Tweak UI"="TWEAKUI.CPL" [2000-06-18 c:\windows\system32\TWEAKUI.CPL]
"C-Media Mixer"="Mixer.exe" [2002-04-29 c:\windows\mixer.exe]
"nwiz"="nwiz.exe" [2007-06-28 c:\windows\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 0 (0x0)
"MaxRecentDocs"= 11 (0xb)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=xfnrbi.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= DivXa32.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll
[HKLM\~\startupfolder\C:^Documents and Settings^NAME^Start Menu^Programs^Startup^Folding@Home 5.03.lnk]
path=c:\documents and settings\NAME\Start Menu\Programs\Startup\Folding@Home 5.03.lnk
backup=c:\windows\pss\Folding@Home 5.03.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-07-04 23:52 282624 c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\NAME\\My Documents\\utorrent.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" [2008-08-28 206096]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2007-08-24 21920]
R3 SecureSrv;SecureSrv;c:\program files\Hide My IP 2007\SecureSrv.exe [2007-09-02 368718]
S3 gsplittm;gsplittm;\??\c:\docume~1\NAME\LOCALS~1\Temp\gsplittm.sys []
S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;c:\windows\system32\DRIVERS\netusbxp.sys [2002-02-20 72576]
S3 WMP11;Instant Wireless PCI Card Driver;c:\windows\system32\DRIVERS\WMP11NDS.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05d73da6-bd97-11d9-a28a-0050fc818a3c}]
\Shell\AutoRun\command - H:\LinksysConnectPC.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0ccd43b4-a8a8-11db-bbc5-00045a5c09e2}]
\Shell\AutoRun\command - I:\LinksysConnectPC.exe
.
Contents of the 'Scheduled Tasks' folder
2008-11-15 c:\windows\Tasks\McDefragTask.job
- c:\windows\system32\defrag.exe [2008-04-13 19:12]
2008-12-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]
.
- - - - ORPHANS REMOVED - - - -
BHO-{85B680C9-5981-4E68-86A3-4E17FE9D0DB2} - (no file)
BHO-{bf149fdd-586b-4c88-945b-6d3c06412dc0} - c:\windows\system32\xfnrbi.dll
BHO-{E85460B5-3D0F-4845-9995-A7B71D078CF5} - c:\windows\system32\tuvWpoMd.dll
HKCU-Run-GetModule31 - c:\program files\GetModule\GetModule31.exe
HKLM-Run-VSOCheckTask - c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe
HKLM-Run-VirusScan Online - c:\program files\McAfee.com\VSO\mcvsshld.exe
HKLM-Run-OASClnt - c:\program files\McAfee.com\VSO\oasclnt.exe
Notify-rqRJCUNF - rqRJCUNF.dll
MSConfigStartUp-uDO - c:\documents and settings\NAME\local settings\temp\uDO.exe
MSConfigStartUp-WildTangent CDA - c:\program files\WildTangent\Apps\CDA\cdaEngine0400.dll
.
------- Supplementary Scan -------
.
mSearch Bar =
uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/apps/vsp8/en-us/vsp8/default.asp?affid=0-3&installtype=force&langid=1&systempopup=true
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\securenet.dll
TCP: {2F62EF18-84CE-4AA1-A4DE-8AFD233B12F5} = 24.148.96.1,24.148.96.2
TCP: {35449647-3169-43D5-AFE5-E6EF382293E9} = 24.148.96.1,24.148.96.2
TCP: {6893800E-1B2F-43F7-85F1-AE4CF8E76343} = 66.109.38.250,66.109.38.251
TCP: {D47CFF36-AA47-4FC0-9262-3EA436E67E62} = 24.148.96.1,24.148.96.2
TCP: {D4EAB9B8-E0E4-4B17-8847-4DD2F8554786} = 24.148.96.1,24.148.96.2
O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FireFox -: Profile - c:\documents and settings\NAME\Application Data\Mozilla\Firefox\Profiles\pmemm50u.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.msn.com
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - d:\warcraft\Download Manager\npfpdlm.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-10 22:38:33
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(616)
c:\windows\system32\securenet.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-12-10 22:43:40 - machine was rebooted [NAME]
ComboFix-quarantined-files.txt 2008-12-11 03:42:50
Pre-Run: 6,053,085,184 bytes free
Post-Run: 5,909,352,448 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
235 --- E O F --- 2008-11-12 17:39:58
New HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:49:16 PM, on 12/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hide My IP 2007\SecureSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/apps/vsp8/en-us/vsp8/default.asp?affid=0-3&installtype=force&langid=1&systempopup=true
R3 - URLSearchHook: (no name) - {0A94B116-4504-4e26-AB05-E61E474AA38B} - C:\Program Files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL
O2 - BHO: (no name) - {0A94B111-4504-4e26-AB05-E61E474AA38B} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [igndlm.exe] D:\Warcraft\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - http://inst.c-wss.com/58/EN/html/gtdownlr.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093733485187
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F62EF18-84CE-4AA1-A4DE-8AFD233B12F5}: NameServer = 24.148.96.1,24.148.96.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{35449647-3169-43D5-AFE5-E6EF382293E9}: NameServer = 24.148.96.1,24.148.96.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{6893800E-1B2F-43F7-85F1-AE4CF8E76343}: NameServer = 66.109.38.250,66.109.38.251
O17 - HKLM\System\CCS\Services\Tcpip\..\{D47CFF36-AA47-4FC0-9262-3EA436E67E62}: NameServer = 24.148.96.1,24.148.96.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4EAB9B8-E0E4-4B17-8847-4DD2F8554786}: NameServer = 24.148.96.1,24.148.96.2
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: xfnrbi.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecureSrv - Unknown owner - C:\Program Files\Hide My IP 2007\SecureSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
--
End of file - 8925 bytes
My IP is [B]Mid-Hudson Cablevision, Inc. (Hudson). The other one is unfamiliar to me.
chryssi2001
2008-12-11, 14:43
Hello Firedraconian,
My IP is Mid-Hudson Cablevision, Inc. (Hudson). The other one is unfamiliar to me.
Ok we'll remove the other one. I will point out the line we'll remove, in case you loose your Internet connection, all you have to do is use HijackThis backups, and bring the line back.
Here are the instructins in case you need them:
HIJACKTHIS/RESTORE DELETED ENTRIES
Restore HijackThis entries
The HijackThis log contains both good and bad entries, you may have deleted some good ones, we can restore the deleted entries and start again:
Run HijackThis and select View the list of backups
If you don't see that button, select Config on the bottom-right, then choose backups from the top
Find this line:O17 - HKLM\System\CCS\Services\Tcpip\..\{6893800E-1B2F-43F7-85F1-AE4CF8E76343}: NameServer = 66.109.38.250,66.109.38.251 and place a check in the box in front of the line, and then press Restore
Close HijackThis.
----------------------------------------------
REMOVE P2P PROGRAMS
IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.
uTorrent
Ares
BitTornado
Please read the Guidelines for P2P Programs (http://forums.spybot.info/showpost.php?p=25290&postcount=4) where we explain why it's not a good idea to have them.
Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
Go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red) NOW.
----------------------------------------------
FIX HIJACKTHIS ENTRIES
Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines(if still present).
R3 - URLSearchHook: (no name) - {0A94B116-4504-4e26-AB05-E61E474AA38B} - C:\Program Files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL
O2 - BHO: (no name) - {0A94B111-4504-4e26-AB05-E61E474AA38B} - (no file)
O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{6893800E-1B2F-43F7-85F1-AE4CF8E76343}: NameServer = 66.109.38.250,66.109.38.251
<< This is the line for Tech Valley Communications
Then close all windows except Hijackthis and click Fix Checked
Close HijackThis.
----------------------------------------------
COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
File::
c:\docume~1\NAME\LOCALS~1\Temp\gsplittm.sys
Folder::
c:\documents and settings\NAME\Application Data\uTorrent
c:\program files\AskPBar
c:\Program Files\Ares
c:\Program Files\BitTornado
Driver::
gsplittm
Registry::
[-HKEY_CLASSES_ROOT\clsid\{0a94b116-4504-4e26-ab05-e61e474aa38b}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Ares\\Ares.exe"=-
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=-
"c:\\Documents and Settings\\NAME\\My Documents\\utorrent.exe"=-
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-
Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------------------------------------------
Post back:
Combofix report.
A new HijackThis log.
This topic has been archived due to inactivity.
As it has been five days or more since your last post, and your helper posted a response to which you did not reply, this topic has been archived and will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread.
Applies only to the original poster, anyone else with similar problems please start a new topic.