HiJackThis log - something stealing CPU cycles



Idz21
2008-12-09, 22:43
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:39:27 PM, on 12/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\APPZ\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\APPZ\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\APPZ\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\APPZ\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1228531991093
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5619 bytes

Idz21
2008-12-10, 13:42
I read through some more information on the site and realized I had run some additional scans even though warned against running them. Here's what I did thus far (which is reflected in the original log I posted in my OP):

1. Installed and ran the ComboFix application
- This deleted the 5 files that I had determined were suspect (all weird name .DLLs).
- Log posted at the bottom of this post.

2. Ran HiJackThis and posted the log (my OP).

3. Installed and ran Spybot S&D which found an additional Reg entry in my registry which was related to the Virtumonde trojan. I got rid of it.

4. I just ran a full Kaspersky scan. Here's the additional Kaspersky log:
- It appears that it found some Trojan activity in my Inbox & Sent Items mailboxes.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, December 10, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, December 09, 2008 21:19:47
Records in database: 1448136
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 58222
Threat name: 2
Infected objects: 1
Suspicious objects: 6
Duration of the scan: 05:25:37


File name / Threat name / Threats count
C:\Documents and Settings\Pete\Local Settings\Application Data\Identities\{237BCD90-E443-4EF3-ACD7-0E29C7DB7E7B}\Microsoft\Outlook Express\Inbox.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Pete\Local Settings\Application Data\Identities\{237BCD90-E443-4EF3-ACD7-0E29C7DB7E7B}\Microsoft\Outlook Express\Inbox.dbx Infected: Trojan-Spy.HTML.Bayfraud.ib 1
C:\Documents and Settings\Pete\Local Settings\Application Data\Identities\{237BCD90-E443-4EF3-ACD7-0E29C7DB7E7B}\Microsoft\Outlook Express\Sent Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 5

The selected area was scanned.



Overall I still feel that I have the Virtumonde trojan because every time I load an Internet page it tells me it was "Done, but with errors on page". My apologies for going outside of the guided help route.

Here's the ComboFix log:

ComboFix 08-12-07.04 - Pete 2008-12-09 14:18:59.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2840 [GMT -5:00]
Running from: c:\documents and settings\Pete\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bidiyije.dll
c:\windows\system32\fetutupi.dll
c:\windows\system32\ipututef.ini
c:\windows\system32\luyehije.dll
c:\windows\system32\ribehige.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-09 to 2008-12-09 )))))))))))))))))))))))))))))))
.

2008-12-09 13:33 . 2008-12-09 13:33 <DIR> d-------- c:\program files\Lavasoft
2008-12-09 13:33 . 2008-12-09 13:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-09 13:30 . 2008-12-09 13:30 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-23 16:38 . 2008-11-23 16:38 <DIR> d--h----- c:\windows\PIF
2008-11-23 14:04 . 2008-11-23 14:04 <DIR> d-------- c:\documents and settings\Pete\Application Data\Windows Search
2008-11-23 13:49 . 2008-11-23 13:49 <DIR> d-------- c:\windows\system32\GroupPolicy
2008-11-23 13:49 . 2008-12-01 18:16 <DIR> d-------- c:\program files\Windows Desktop Search
2008-11-23 13:42 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-11-18 22:58 . 2008-11-18 22:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2008-11-18 21:04 . 2008-11-18 21:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-14 14:05 . 2008-11-14 14:05 <DIR> d-------- c:\documents and settings\Pete\Application Data\Apple Computer
2008-11-14 13:47 . 2008-11-14 13:47 <DIR> d-------- c:\program files\Common Files\Apple
2008-11-14 13:47 . 2008-11-14 13:47 <DIR> d-------- c:\program files\Apple Software Update
2008-11-14 13:47 . 2008-11-14 13:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-14 13:47 . 2008-11-14 13:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-09 19:08 --------- d-----w c:\program files\Trend Micro
2008-12-09 11:26 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2008-12-07 06:56 90,112 ----a-w c:\windows\DUMP6050.tmp
2008-11-28 05:43 --------- d-----w c:\documents and settings\Pete\Application Data\OpenOffice.org2
2008-11-19 03:59 --------- d-----w c:\program files\AIM6
2008-11-19 03:58 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-19 17:50 --------- d-----w c:\documents and settings\All Users\Application Data\WinZip
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-12 17:05 --------- d-----w c:\documents and settings\Pete\Application Data\Skype
2008-10-12 17:00 --------- d-----w c:\documents and settings\Pete\Application Data\skypePM
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-23 21:46 245,408 ----a-w c:\windows\system32\unicows.dll
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2001-11-19 17:14 61,440 ----a-w c:\windows\inf\i386\gl.dll
2001-10-29 19:30 245,760 ----a-w c:\windows\inf\i386\viceo.dll
2001-08-17 22:43 32,768 ----a-w c:\windows\inf\i386\Wiamicro.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="d:\appz\Gadu-Gadu\gg.exe" [2007-11-14 2131392]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 321040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-22 13508608]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-02-22 86016]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]
"nwiz"="nwiz.exe" [2008-02-22 c:\windows\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2008-02-22 c:\windows\system32\nvhotkey.dll]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMUpdate]
--a------ 2001-07-03 13:12 176128 c:\windows\system32\BMUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C120 Series]
--a------ 2007-03-12 06:00 182272 c:\windows\system32\spool\drivers\w32x86\3\E_FATICCA.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]
--a------ 2007-11-14 05:54 2131392 d:\appz\Gadu-Gadu\gg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
--a------ 2007-02-13 10:37 488984 c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 2007-02-13 10:38 774680 c:\program files\Logitech\QuickCam10\QuickCam10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor]
--a------ 2002-04-16 07:12 86016 c:\progra~1\VISION~1\ONETOU~2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 d:\appz\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 03:27 144784 d:\appz\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-02-27 12:42 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\APPZ\\Gadu-Gadu\\gg.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"d:\\APPZ\\Skype\\Phone\\Skype.exe"=

R2 ppsio2;PPDevice;c:\windows\system32\drivers\ppsio2.sys [2008-04-14 23200]
R2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2006-09-11 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2006-08-29 280392]
.
- - - - ORPHANS REMOVED - - - -

BHO-{f16ef26c-a92d-4992-8971-d14fb0c3d9dc} - c:\windows\system32\bidiyije.dll
HKLM-Run-gudiwisodu - c:\windows\system32\zupejaku.dll
MSConfigStartUp-203679fe - c:\windows\system32\fetutupi.dll
MSConfigStartUp-CPM23054a62 - c:\windows\system32\ribehige.dll
MSConfigStartUp-gudiwisodu - c:\windows\system32\zupejaku.dll



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-09 14:21:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1372)
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\windows\system32\nvsvc32.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\program files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\stacsv.exe
c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe
c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe
c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-09 14:36:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-09 19:36:41

Pre-Run: 10,169,769,984 bytes free
Post-Run: 10,335,059,968 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect


pskelley
2008-12-14, 20:37
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Do NOT run 'FIXES' before helpers have analyzed the HJT log
http://forums.spybot.info/showthread.php?t=16806

ComboFix is not a general purpose cleaning tool, please do not use this tool without supervision.

If you are still having malware issues, post a new HijackThis log and tell me what they are. If you are receiving any error messages, post them word for word.

Thanks

Idz21
2008-12-14, 21:02
To be honest, I haven't seen any symptoms since I ran the ComboFix & Spybot S&D, outside of that error message in IE which states that my pages were loaded but with errors on page (the yellow exclamation point in the bottom left hand corner of IE). Here's the error text I get when double clicking the icon:

Line: 2
Char: 1
Error: Syntax error
Code: 0
URL: http://forums.spybot.info/newreply.php?do=newreply&noquote=1&p=266994


However, I just get this feeling that something isn't right. I think at the least I'd like to take some preventative steps to perform additional scans to get rid of any further traces of Virtumonde. I don't feel comfortable using this laptop for any financial transaction type functions since this happened.

I launched & ran the HJT system scan. Here are the results. There is a suspect wuauclt.exe running (in bold). If it helps any, I still have my original HJT log saved... the one before I ran any fixes.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:53:05 PM, on 12/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\APPZ\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\APPZ\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\APPZ\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\APPZ\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1228531991093
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5720 bytes

pskelley
2008-12-14, 22:08
Thanks for returning your information and the feedback. We will look a little, starting with the error:

http://www.google.com/search?hl=en&q=+Syntax+error&btnG=Search
I suggest you update Internet Explorer to IE7 to see if that stops the error.
http://www.microsoft.com/windows/products/winfamily/ie/default.mspx

Kaspersky Online Scan: Delete the items in RED
C:\Documents and Settings\Pete\Local Settings\Application Data\Identities\{237BCD90-E443-4EF3-ACD7-0E29C7DB7E7B}\Microsoft\Outlook Express\Inbox.dbx <------Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Pete\Local Settings\Application Data\Identities\{237BCD90-E443-4EF3-ACD7-0E29C7DB7E7B}\Microsoft\Outlook Express\Inbox.dbx ------> Trojan-Spy.HTML.Bayfraud.ib 1
C:\Documents and Settings\Pete\Local Settings\Application Data\Identities\{237BCD90-E443-4EF3-ACD7-0E29C7DB7E7B}\Microsoft\Outlook Express\Sent Items.dbx <------Trojan-Spy.HTML.Fraud.gen 5


C:\Program Files\Viewpoint\Common\ViewpointService.exe
For your information, Viewpoint is installed by AOL, probably without your knowledge. I suggest you uninstall this resource waster in Add/Remove Programs.
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/news/article.php/3561546


Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/mbam/mbam-setup.exe
or http://www.malwarebytes.org/

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html

Post an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP, Update for Windows XP and Windows XP Hotfix to shorten the list)
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

Thanks

Idz21
2008-12-15, 02:32
1. IE7 install
- I'm not a big fan of IE7, so I'm sticking with IE6 as long as I can. I can live with the error. I thought the error might have been related to virtumonde in some way, but it sounds like it's not.

2. E-mail file delete
- Is there a way to scan the mail .dbx files and remove only the trojan infected e-mails? I don't want to delete my entire mailbox history.

3. Viewpoint Media Player uninstall
- This is done. Thanks for pointing that out. I've been pretty annoyed at the periodic "Your Viewpoint has been updated" message. I guess AIM packages it within their install package.

4. Malwarebytes install/scan
- This is done. During the scan I encountered a drastic slow-down, which is why it took so long to scan. Symptoms were CPU cycle spikes, and when viewing the Windows Task Manager, the Processes would blink non-stop. System Idle seemed to have the highest CPU usage, so I'm not sure why the slowdown. I experienced a similar symptom while the computer was still infected. Here are the updated Malwarebytes & HJT logs:

Malware Log:
Malwarebytes' Anti-Malware 1.31
Database version: 1500
Windows 5.1.2600 Service Pack 2

12/14/2008 7:25:09 PM
mbam-log-2008-12-14 (19-25-09).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 103713
Time elapsed: 3 hour(s), 57 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\bidiyije.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\fetutupi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\luyehije.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ribehige.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A4DE6CC1-020D-4769-B1D8-568B33DEBD41}\RP146\A0025321.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A4DE6CC1-020D-4769-B1D8-568B33DEBD41}\RP146\A0025328.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A4DE6CC1-020D-4769-B1D8-568B33DEBD41}\RP146\A0025329.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A4DE6CC1-020D-4769-B1D8-568B33DEBD41}\RP146\A0025331.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A4DE6CC1-020D-4769-B1D8-568B33DEBD41}\RP146\A0025332.dll (Trojan.Vundo) -> Quarantined and deleted successfully.


HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:26:42 PM, on 12/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\APPZ\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] d:\appz\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\APPZ\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\APPZ\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\APPZ\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1228531991093
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5739 bytes


HJT Uninstall Log:
Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.2
AIM 6
Broadcom 440x 10/100 Integrated Controller
Conexant HDA D110 MDC V.92 Modem
Dell Wireless WLAN Card
DivX Codec
DivX Converter
DivX Player
DivX Web Player
EPSON Printer Software
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
IrfanView (remove only)
Java(TM) 6 Update 7
Logitech Audio Echo Cancellation Component
Logitech QuickCam
Logitech Video Enumerator
Logitech® Camera Driver
Malwarebytes' Anti-Malware
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
MVision
NVIDIA Drivers
OpenOffice.org 2.4
PerformanceTools
QuickTime
RealPlayer
Rhapsody Player Engine
SigmaTel Audio
Skype™ 3.8
Spybot - Search & Destroy
Synaptics Pointing Device Driver
Trend Micro PC-cillin Internet Security 14
Trend Micro PC-cillin Internet Security 14
Visioneer 8100 Scanner
Windows Driver Package - Ricoh Company (rimsptsk) hdc (11/14/2006 6.00.01.04)
Windows Driver Package - Ricoh Company Memorystick Host Controller (07/09/2005 1.00.01.12)
Windows Driver Package - Ricoh Company MMC Host Controller (07/14/2005 1.00.00.06)
Windows Driver Package - Ricoh Company xD-Picture Card/SmartMedia Host Controller (07/14/2005 1.00.02.04)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
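The HijackThis log above is triaged by hand in this thread. As an added example (not code from the thread, from HijackThis or from Trend Micro), the script below pulls the O4 autostart and O23 service lines out of such a log and lists the entries a reviewer would look at first: a Run value with no bracketed name (like the WLTRAY.exe line above), an autostart that names a bare file so Windows resolves it by PATH search, a binary that lives outside the Windows or Program Files trees, and a service whose owner is reported as "Unknown owner" (the wltrysvc line above). The sample lines embedded in the script are constructed in the shape of the log; the `Updater` entry and its path are a made-up illustration, not anything seen on this machine. Being listed means "look at this", not "this is malware": in the real log the flagged items are a Dell wireless tray service and an EPSON printer service.

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis code).

Extracts O4 (autostart) and O23 (service) lines and flags the ones a log
reviewer would check first. Findings are review prompts, not verdicts.
"""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the log above. The "Updater" line is
# invented to show an autostart outside the system/program directories.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Updater] C:\Documents and Settings\All Users\Application Data\constructed_sample.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\APPZ\Gadu-Gadu\gg.exe" /tray
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"""


@dataclass
class Finding:
    line_type: str  # "O4" or "O23"
    reason: str     # why a reviewer should look at it
    detail: str     # the command, path or service short name


# O4 - <hive>\..\Run[Once]: [<name>] <command>   (the [name] part is optional)
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")
# O23 - Service: <display name> (<short name>) - <owner> - <path>
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.*?) \((?P<short>[^)]*)\) - (?P<owner>.*?) - (?P<path>.*)$")
# First absolute path (drive letter or %VAR%) ending in a loadable extension.
PATH_RE = re.compile(r"(?i)(?:[a-z]:|%[^%]+%)\\.*?\.(?:exe|dll|cpl|scr)")

# Roots that are treated as expected homes for autostarts and services on XP.
TRUSTED_ROOTS = ("C:\\WINDOWS\\", "C:\\PROGRAM FILES\\", "C:\\PROGRA~1\\", "%PROGRAMFILES%\\")


def first_binary(cmd: str):
    """Return the first absolute binary path in a Run command, or None.

    Handles quoted paths, trailing switches and the RUNDLL32 <dll>,<entry>
    form, where the DLL (not rundll32 itself) is the thing to inspect.
    """
    m = PATH_RE.search(cmd)
    return m.group(0) if m else None


def in_trusted_root(path: str) -> bool:
    """True when the path sits under the Windows or Program Files trees."""
    return path.upper().startswith(TRUSTED_ROOTS)


def triage(log_text: str):
    """Return the list of Findings for the O4 and O23 lines in log_text."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd")
            binary = first_binary(cmd)
            if m.group("name") is None:
                findings.append(Finding("O4", "unnamed autostart value", cmd))
            if binary is None:
                findings.append(Finding("O4", "no absolute path (resolved via PATH search)", cmd))
            elif not in_trusted_root(binary):
                findings.append(Finding("O4", "autostart outside Windows/Program Files", binary))
            continue
        m = O23_RE.match(line)
        if m:
            if m.group("owner").lower() == "unknown owner":
                findings.append(Finding("O23", "service with no vendor (Unknown owner)", m.group("short")))
            elif not in_trusted_root(m.group("path")):
                findings.append(Finding("O23", "service binary outside Windows/Program Files", m.group("path")))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.line_type}: {f.reason}: {f.detail}")
```

Run against a full log, every flagged path would then be checked for a valid vendor signature and a known-good hash before anything is removed; the script only orders the reviewer's work, which is what a helper does when reading one of these logs by eye.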

pskelley
2008-12-15, 03:01
Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.

Hackers are using out-of-date programs to infect folks more and more.
Here is a small free tool that lets you know when something needs an update, if you are interested:
http://secunia.com/vulnerability_scanning/personal/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

Adobe Reader 8.1.2 <<< out of date and unsafe, see this:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://www.filehippo.com/download_adobe_reader/
(if you want a smaller program, look at this one)
Foxit Reader 2.3 for Windows
http://www.foxitsoftware.com/pdf/rd_intro.php

Java(TM) 6 Update 7 <<< out of date and unsafe:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Be aware of this information so you can opt out of anything you do not want.
Microsoft Does MSN Toolbar Distribution Deal With Java:
http://searchengineland.com/microsoft-does-msn-toolbar-distribution-deal-with-java-15413.php

Spybot - Search & Destroy <<< make sure you are up to date and fully immunized:
Spybot-S&D 1.6 has arrived! 8. July 2008
http://www.safer-networking.org/en/
http://www.safer-networking.org/en/news/2008-07-08.html
http://www.safer-networking.org/en/faq/index.html


1) It's your computer. Internet Explorer 8 is released in beta, and IE7 is more secure than IE6.

2) Not that I know of, but I have not used OE for many years.

Hard to troubleshoot the issues you are having; are there any error messages you can post?

Let's do this:

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

Clean the System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Update MBAM and scan to be sure we missed none of the junk, there is no need to post a clean scan result.

Update the antivirus and scan the system, to be sure it is running right and scanning clean.

When you get to that point, please run the free diagnostic here:
http://www.pcpitstop.com/
Run the "Full Test" you will need to register free, post a link to the results so I can view them.

You can also look at this information to help you troubleshoot the high CPU usage: http://kadaitcha.cx/high_cpu.html

Thanks

Idz21
2008-12-15, 04:29
I'm posting this reply for documentation purposes only. I started going through my uninstall process of Java and got that "CPU thief" thing again. PC got really sluggish, and I couldn't really pinpoint what was taking up all the CPU power. Well finally had to end the Java Uninstall because it was taking wayyyy too long, and tried restarting. I got the blue screen:

A problem has been detected and windows has been shut down to prevent damage to your computer.

The problem seems to be caused by the following file: nv4_disp

If this is the first time you've seen this stop error screen, restart your computer. If this screen appears again, follow these steps:

The device driver got stuck in an infinite loop. This usually indicates problem with the device itself or with the device driver programming the hardware incorrectly.

Please check with your hardware device vendor for any driver updates.

Technical information:

*** STOP: 0x000000EA (0x8A2E6Da8,0x8A4F2008,0xB79B8CBC,0x00000001)

nv4_disp
Beginning dump of physical memory
Physical memory dump complete.
Contact your system administrator or technical support group for further assistance.

pskelley
2008-12-15, 13:33
Out-of-date drivers can cause all kinds of problems, as you will see in the troubleshooting information I provided. The diagnostic I suggested may show the issue also? The Nvidia graphics adapter is likely the culprit; here is some information that might help you.

http://www.google.com/search?hl=en&q=STOP%3A+0x000000EA+&btnG=Google+Search&aq=f&oq=
http://www.google.com/search?hl=en&q=nv4_disp&btnG=Search
http://forums.nvidia.com/index.php?showtopic=4432 <<< forum

The same forum I suggest for the diagnostic is very good with these kinds of problems also, post here:
http://forums.pcpitstop.com/index.php?showforum=3

Hope that helps:santa:

Idz21
2008-12-16, 14:01
Alright, here we go. It took me a little while to go through everything with the really slow PC response in the beginning:

1. Adobe out of date
- I uninstalled Adobe and installed Foxit 3.0 instead.
- I also wound up uninstalling some other old programs that I use, and most likely have updated, but wanted to get rid of them and install fresh:
a) DivX players/codecs etc.
b) Adobe Flash 10x
c) Rhapsody Player

2. Java
- Uninstalled old Java using the instructions provided.
- Installed Java 6 u11

3. Spybot s&D
- Updated, scanned one more time (nothing found) & Performed Immunization with Spybot. I got the sluggish issue again. In the middle of the S&D scan, it got realllly slow, and then it continued to work without issues. Not sure what's going on.
- I ran a Disk Cleanup before I did the Immunization. Got rid of everything.

4. Error messages
- Nope. I don't get any error messages. The computer just starts running reallllly slow.

5. ComboFix
- Uninstalled.

6. System Restore
- Followed the instructions to clear it out. Computer went into sluggish mode after reboot. It took about 3 minutes to try and turn on System Restore... I eventually got an error saying "System Restore encountered an error trying to enable/disable one or more drives. Please restart your machine and try again." (so I did).
- Attempted to restart and it took a loooong time. Even the Bios boot took a while. Eventually it felt like the computer hung up so I shut it down for the night. Tried again the next day, and it booted up like a champ.

7. Malwarebytes scan
- Updated & Scanned. No infections found. Scan went through rather quickly. No sluggish performance.

8. Anti-Virus
- Updated & Scanned (no sluggishness during scan). Detected Adware_MemWatcher (http://www.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=ADWARE%5FMEMWATCHER) -> C:\Windows\system32\drivers\etc\hosts\127.0.0.1. This must have been recently updated because I scanned my computer many times in the past few days, and this wasn't detected. I attempted to remove it using the following instructions, but I did not find those registry keys:
Removing Other Malware Entries from the Registry

1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>Main

3. In the right panel, locate and delete the entry:

Search Bar = "file://%System%\Searchx.htm"
Use Custom Search URL = "1"

4. Close Registry Editor.
Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Running Trend Micro Antivirus

If you are currently running in safe mode, please restart your computer normally before performing the following solution.

Download and unzip the latest spyware pattern file and scan your computers. Then, delete all files detected as ADWARE_MEMWATCHER, ADW_IEHOST, and ADW_URLSPY.

*NOTE: If the above manual removal instructions fail to eliminate this grayware, close all Internet Explorer windows, and perform the solution again.


- I turned off System Restore, restarted and ran a full Scan again with my Anti-Virus program. No infections found, and no sluggishness during scan.
- Turned System Restore back on, and restarted.

9. PC Pitstop
- Ran the full test in Expert mode -> http://www.pcpitstop.com/betapit/sec.asp?conid=21417286

10. High CPU Usage website
- I didn't get a chance to review the information you provided yet... there's a lot. I noticed that sluggishness went away when I kept my PC on-line during scans. It's when I was taking it off-line that the sluggishness occurred. I haven't had a chance to test this yet by doing a scan off-line, but some food for thought.

11. NVidia drivers
- When checking the Dell support website, I do have the latest drivers for my video card. I think I tried installing non-Dell drivers in the past (or simply couldn't find them) but it didn't work. I haven't gotten a chance to look into the nVidia forums just yet.

12. Scanning OE Mailbox files
- If you do come across a program which will allow me to do this, definitely let me know. I'm very reluctant to delete my entire mailbox files.

Alright, I know I provided a lot of information here, so take your time chewing it over :) Appreciate your help.

pskelley
2008-12-16, 14:12
Alright, I know I provided a lot of information here, so take your time chewing it over Appreciate your help.
I am sorry, I believe I helped remove the malware and that your issues are not malware related. I have already posted links to where I believe you can get help and I wish I had the time to respond to this information dealing with other issues than malware.
(199 members waiting now for a first response:sad:)

I wish you safe surfing and Happy Holidays:santa:

Idz21
2008-12-16, 14:20
I am sorry, I believe I helped remove the malware and that your issues are not malware related. I have already posted links to where I believe you can get help and I wish I had the time to respond to this information dealing with other issues than malware.
(199 members waiting now for a first response:sad:)

I wish you safe surfing and Happy Holidays:santa:

Alright, no problem. I'll go through the other information you provided when I get home from work today and post up an update on what I did.

I have 1 more thing - Did you get a chance to review my PC Pitstop results? Not sure if you were looking for anything in particular, or just want me to follow the advice they provided in making any necessary adjustments.

Again, if you get wind of any mailbox file scanners, do let me know. :D

pskelley
2008-12-16, 14:37
Recommended Fixes <<< look at this link
http://www.pcpitstop.com/betapit/sec.asp?conid=21417286
My suggestion would be to follow that advice. Poor maintenance contributes much to poor performance.
Please note how out of date those drivers are:

Update Modems Driver 12/2/2005

Update Network adapters Driver 11/21/2006

Idz21
2008-12-17, 14:19
Alright, here's my final note:

1. TCP packet size
- I changed this to the recommended value by PCPitStop, but it yielded bad results. Changed it back.

2. Network drivers
- The drivers for my Network Card & Modem are already the latest out there. Not sure why PCPitStop didn't see this.

3. I ran a System File Checker
- I didn't get any report whether any files had to be replaced, so I'm thinking it's a good thing.

4. Defrag
- I defragged the drive, but it's still at 22% defragmented because the Windows one can't move some files. I neglected to do this consistently so I'm to blame.

5. 100% CPU Utilization
- I looked through all the scenarios listed in the 100% webpage, but none of them fit me. I'm not getting the 100% CPU anymore, and no sluggishness, even during scans. So it would appear that's gone away as well.

6. Virus scan
- I ran another virus scan and found no infections.


PSkelly - Thanks for your help with everything. I usually don't need help when it comes to computers, but this time no matter what I did I couldn't get rid of this bug. You da man! Merry Christmas :santa:

pskelley
2008-12-17, 14:30
4. Defrag
- I defragged the drive, but it's still at 22% defragmented because the Windows one can't move some files. I neglected to do this consistently so I'm to blame.
Defrag in safe mode when nothing is running.

If you have not checked your hard disks for errors in a long time:
http://www.updatexp.com/windows-xp-chkdsk.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/kbtip.mspx

This can take a while and the computer can not be used while it happens. I find it is best to set it up at night and let it run when I first boot in the AM. That way it is finished by the time I have had breakfast, it will take an hour or more depending on how bad the disk is.

Idz21
2008-12-19, 21:57
I tried a few times, but wasn't able to get Defrag to run in Safe mode. It would just hang at 3% and never move anywhere from there. I came to the decision of actually reformatting it and loading everything from scratch. I have a feeling that I might have a hardware problem with either my RAM or HardDrive because I've never had my laptop heat up as much as it has since I got infected.

I've run more scans over and over again, and did not detect any more viruses, trojans, etc... so I'm kind of at a loss regarding these sluggish periods my computer is going through, so the only true test will be to reformat it. I was thinking of trying out XP SP3, but I can't imagine that will solve any problems, but I will go straight to SP3 upon my re-install and start using IE7.

pskelley
2009-02-19, 14:51
Idz21 wanted all to know how this was resolved in case it can help another member or helpers...thanks to this member.

From a private message this member sent me:


Update on my case

Hey, I wanted to provide an update on my case (Thread here -> http://forums.spybot.info/showthread.php?t=41190), in the event that you wanted to update my thread so that anyone searching for similar issues will be able to read about my resolution. My 100% CPU usage turned out to be a bad CPU. My laptop was overheating because the heatsink got so clogged up with dust that no air could get through anymore, effectively overheating my CPU to the point of failure.

I had a Dell tech come out and replace both the CPU & Fan/heatsink and am now back in action. Thankfully I was still under warranty so the whole thing merely cost me the $20 I gave him as a tip. I did also bite the bullet and installed SP3 & IE7.

Thanks again for all your help.