View Full Version : Uncertain issue-Vitumonde?
HJT Log file;
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:51:14 PM, on 12/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvraidservice.exe
C:\WINDOWS\system32\atwtusb.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Admin\Desktop\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: (no name) - {ec40b48e-722d-49e3-ac48-7eb11ac399f6} - C:\WINDOWS\system32\mudagisi.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [fejitiluwa] Rundll32.exe "C:\WINDOWS\system32\gakilime.dll",s
O4 - HKLM\..\Run: [687a64ef] rundll32.exe "C:\WINDOWS\system32\begajetu.dll",b
O4 - HKLM\..\Run: [CPM6b495773] Rundll32.exe "c:\windows\system32\nogezote.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\FilePlanet\Download Manager\dlm.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://219.117.194.183:84/SysCamInst.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KXHCM10 Control) - http://camera.oze-hinoemata.net/kxhcm10.ocx
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1113620507093
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} (Battlefield Heroes Installer) - http://t1.battlefield-heroes.com/patcher/westpatcher.cab
O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (BL_Camera) - http://daichi-yokohama.homeip.net/bl_camera.ocx
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://dist.cdnetworks.co.kr/cdndist/neffynew/NeffyLauncher.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O20 - AppInit_DLLs: c:\windows\system32\yiriyidi.dll c:\windows\system32\kokemabo.dll C:\WINDOWS\system32\rojisabo.dll c:\windows\system32\nogezote.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nogezote.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nogezote.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
--
End of file - 9556 bytes
My son has enlisted my assistance for this trouble.
He said he tried several things to fix this trouble.
I worked with him and tried the following which is pretty much what he said he has also done.
Spybot has begun popping up System Starup global entrys.
Showing Value added changes with strange entries for Rundll32.exe
Been denying them and each time I scan with Spybot shows at least 2 entries for Vitumonde and in the last scan also seeing Vitumonde.prx
Fix these but they keep recurring.
We tried a Symantec Trojan.Vundo Removal Tool 1.5.1 utility suggested in another forum, but came back with nothing found.
Have also run AdAware, which didn't find anything of importance. It now also errors out each time its started since I installed the newest version.
McAfee wasn't updated since Aug 26 2008, DAT 5370, and fails when I attempt to update. It found nothing as well.
Now he's started getting pop-ups for various virus removers, never a good sign.
Any and all help would be appreciated.
Troop's Dad...
Hello 4Troop
Welcome to Safer Networking.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.
It is advisable that you back up your personal data before starting any clean up procedure.
Do this first...Important
Disable the TeaTimer, leave it disabled until we're done or it will prevent fixes from taking
Run Spybot-S&D in Advanced Mode.
If it is not already set to do this Go to the Mode menu select "Advanced Mode"
On the left hand side, Click on Tools
Then click on the Resident Icon in the List
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.<--You need to do this for it to take effect
Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.
O2 - BHO: (no name) - {ec40b48e-722d-49e3-ac48-7eb11ac399f6} - C:\WINDOWS\system32\mudagisi.dll
O4 - HKLM\..\Run: [fejitiluwa] Rundll32.exe "C:\WINDOWS\system32\gakilime.dll",s
O4 - HKLM\..\Run: [687a64ef] rundll32.exe "C:\WINDOWS\system32\begajetu.dll",b
O4 - HKLM\..\Run: [CPM6b495773] Rundll32.exe "c:\windows\system32\nogezote.dll",a
O20 - AppInit_DLLs: c:\windows\system32\yiriyidi.dll c:\windows\system32\kokemabo.dll C:\WINDOWS\system32\rojisabo.dll c:\windows\system32\nogezote.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nogezote.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nogezote.dll
Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.<-- Don't forget this
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a New Hijackthis log.
Thanks for your time...
Malwarebytes' Anti-Malware 1.31
Database version: 1508
Windows 5.1.2600 Service Pack 3
12/16/2008 6:04:00 PM
mbam-log-2008-12-16 (18-04-00).txt
Scan type: Quick Scan
Objects scanned: 49397
Time elapsed: 4 minute(s), 51 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 7
Registry Values Infected: 4
Registry Data Items Infected: 5
Folders Infected: 1
Files Infected: 15
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\nalayafi.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\telemize.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\vovuhinu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\vamegeye.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wesokaru.dll (Trojan.Vundo) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ec40b48e-722d-49e3-ac48-7eb11ac399f6} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec40b48e-722d-49e3-ac48-7eb11ac399f6} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ec40b48e-722d-49e3-ac48-7eb11ac399f6} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\WebBuying (Adware.WebBuying) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm6b495773 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fejitiluwa (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\nalayafi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\nalayafi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\nalayafi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\telemize.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\telemize.dll -> Quarantined and deleted successfully.
Folders Infected:
C:\WINDOWS\system32\o05PrEz (Trojan.Downloader) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\wesokaru.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\urakosew.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\telemize.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\vovuhinu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\vamegeye.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\nalayafi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\gafilumu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nusoyeta.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\reguligu.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jajusema.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gogogahi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zayiveva.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zeyoheko.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fonoriga.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\0wMGiysg.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
*end of file*
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:10:32 PM, on 12/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\System32\nvraidservice.exe
C:\WINDOWS\system32\atwtusb.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Admin\Desktop\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\FilePlanet\Download Manager\dlm.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [fejitiluwa] Rundll32.exe "C:\WINDOWS\system32\vovuhinu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [fejitiluwa] Rundll32.exe "C:\WINDOWS\system32\vovuhinu.dll",s (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://219.117.194.183:84/SysCamInst.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KXHCM10 Control) - http://camera.oze-hinoemata.net/kxhcm10.ocx
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1113620507093
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} (Battlefield Heroes Installer) - http://t1.battlefield-heroes.com/patcher/westpatcher.cab
O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (BL_Camera) - http://daichi-yokohama.homeip.net/bl_camera.ocx
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://dist.cdnetworks.co.kr/cdndist/neffynew/NeffyLauncher.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
--
End of file - 8903 bytes
Hello,
A bit more to do as this garbage may have more entries and files we can't see.
Remove these with Hijackthis
O4 - HKUS\S-1-5-19\..\Run: [fejitiluwa] Rundll32.exe "C:\WINDOWS\system32\vovuhinu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [fejitiluwa] Rundll32.exe "C:\WINDOWS\system32\vovuhinu.dll",s (User 'NETWORK SERVICE')
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
Yes it is garbage, heaping piles of stinking :lip:... You get the idea.
ComboFix 08-12-16.03 - Admin 2008-12-16 20:16:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2815.2344 [GMT -8:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\Downloaded Program Files\setup.inf
----- BITS: Possible infected sites -----
hxxp://77.74.48.101
.
((((((((((((((((((((((((( Files Created from 2008-11-17 to 2008-12-17 )))))))))))))))))))))))))))))))
.
2008-12-16 18:32 . 2008-12-16 18:32 <DIR> d-------- c:\program files\SpywareBlaster
2008-12-16 18:32 . 2008-12-16 18:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2008-12-16 17:44 . 2008-12-16 17:44 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-16 17:44 . 2008-12-16 17:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-16 17:44 . 2008-12-16 17:44 <DIR> d-------- c:\documents and settings\Admin\Application Data\Malwarebytes
2008-12-16 17:44 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-16 17:44 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-11 18:04 . 2008-12-11 18:04 <DIR> d-------- c:\documents and settings\Admin\Application Data\McAfee
2008-12-09 03:53 . 2008-12-09 03:53 <DIR> d-------- C:\VundoFix Backups
2008-12-09 03:33 . 2008-12-09 03:34 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-12-06 02:22 . 2008-12-06 02:22 <DIR> d-------- c:\documents and settings\Admin\Application Data\Spellborn Downloader
2008-11-30 05:55 . 2008-11-30 05:55 52,736 --a------ c:\windows\ipuninst.exe
2008-11-25 19:11 . 2008-11-25 19:11 <DIR> d-------- c:\documents and settings\Admin\Application Data\Toribash
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-17 02:44 --------- d-----w c:\program files\Java
2008-12-12 02:24 --------- d-----w c:\program files\Common Files\McAfee
2008-12-12 02:04 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-12-10 02:13 --------- d-----w c:\program files\Lavasoft
2008-12-10 02:12 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-10 02:12 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-05 05:01 140,216 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-12-05 04:59 201,352 ----a-w c:\windows\system32\PnkBstrB.exe
2008-11-30 13:51 --------- d-----w c:\documents and settings\Admin\Application Data\uTorrent
2008-11-30 06:18 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-14 09:32 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-09 09:41 --------- d-----w c:\documents and settings\Admin\Application Data\IGN_DLM
2008-11-06 23:52 --------- d-----w c:\documents and settings\All Users\Application Data\ATI
2008-11-06 23:50 --------- d-----w c:\program files\ATI Technologies
2008-11-05 06:10 --------- d-----w c:\documents and settings\All Users\Application Data\2DBoy
2008-10-29 00:20 682,280 ----a-w c:\windows\system32\pbsvc.exe
2008-10-29 00:20 66,872 ----a-w c:\windows\system32\PnkBstrA.exe
2008-10-29 00:20 22,328 ----a-w c:\documents and settings\Admin\Application Data\PnkBstrK.sys
2008-10-26 11:53 --------- d-----w c:\program files\SystemRequirementsLab
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-10 00:18 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-10-10 00:08 10,820 ----a-w c:\windows\system32\ealregsnapshot1.reg
2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-24 05:05 593,920 ------w c:\windows\system32\ati2sgag.exe
2008-09-24 02:18 425,984 ----a-w c:\windows\system32\ATIDEMGX.dll
2008-09-24 02:17 311,296 ----a-w c:\windows\system32\ati2dvag.dll
2008-09-24 02:09 10,772,480 ----a-w c:\windows\system32\atioglxx.dll
2008-09-24 02:07 188,416 ----a-w c:\windows\system32\atipdlxx.dll
2008-09-24 02:06 43,520 ----a-w c:\windows\system32\ati2edxx.dll
2008-09-24 02:06 26,112 ----a-w c:\windows\system32\Ati2mdxx.exe
2008-09-24 02:06 143,360 ----a-w c:\windows\system32\Oemdspif.dll
2008-09-24 02:06 143,360 ----a-w c:\windows\system32\ati2evxx.dll
2008-09-24 02:04 581,632 ----a-w c:\windows\system32\ati2evxx.exe
2008-09-24 02:03 53,248 ----a-w c:\windows\system32\ATIDDC.DLL
2008-09-24 01:56 307,200 ----a-w c:\windows\system32\atiiiexx.dll
2008-09-24 01:54 4,008,864 ----a-w c:\windows\system32\ati3duag.dll
2008-09-24 01:38 2,399,744 ----a-w c:\windows\system32\ativvaxx.dll
2008-09-24 01:24 48,640 ----a-w c:\windows\system32\amdpcom32.dll
2008-09-24 01:20 380,928 ----a-w c:\windows\system32\atikvmag.dll
2008-09-24 01:19 39,424 ----a-w c:\windows\system32\atiadlxx.dll
2008-09-24 01:18 253,952 ----a-w c:\windows\system32\atiok3x2.dll
2008-09-24 01:18 17,408 ----a-w c:\windows\system32\atitvo32.dll
2008-09-24 01:12 573,440 ----a-w c:\windows\system32\ati2cqag.dll
2006-05-15 23:27 1 ----a-w c:\documents and settings\Admin\SI.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"igndlm.exe"="c:\program files\FilePlanet\Download Manager\dlm.exe" [2008-08-01 1103216]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-28 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRaidService"="c:\windows\System32\nvraidservice.exe" [2005-01-11 84480]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"Launch LCDMon"="c:\program files\Common Files\Logitech\LCD Manager\lcdmon.exe" [2007-04-26 774168]
"Launch LGDCore"="c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe" [2007-04-26 1132056]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-08-13 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"atwtusb"="atwtusb.exe" [2002-04-23 c:\windows\system32\atwtusb.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-07-22 c:\windows\SOUNDMAN.EXE]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= DivXa32.acm
"vidc.iv32"= c:\windows\system32\ir32_32.dll
"vidc.iv31"= c:\windows\system32\ir32_32.dll
"VIDC.VP31"= vp31vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-11-28 03:02 155648 c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\fightback911@hotmail.com\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\fightback911@hotmail.com\\half-life\\hl.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\fightback911@hotmail.com\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\fightback911@hotmail.com\\half-life 2\\hl2.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\fightback911@hotmail.com\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\3dsmax6\\3dsmax.exe"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=
"c:\\UT2004\\System\\UT2004.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\fightback911@hotmail.com\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\fightback911@hotmail.com\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"d:\\Programs\\BFHeroes.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"d:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\fightback911@hotmail.com\\source sdk base 2007\\hl2.exe"=
"d:\\Programs\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"d:\\Programs\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"d:\\Program Files\\Deep Silver\\S.T.A.L.K.E.R. - Clear Sky\\bin\\xrEngine.exe"=
"d:\\Program Files\\Deep Silver\\S.T.A.L.K.E.R. - Clear Sky\\bin\\dedicated\\xrEngine.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\fightback911@hotmail.com\\synergy\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\fightback911@hotmail.com\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53125:TCP"= 53125:TCP:PORT_53125
R2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\Drivers\ousbehci.sys [2005-04-15 44928]
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\DRIVERS\ousb2hub.sys [2005-04-15 55936]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\DRIVERS\gan_adapter.sys [2006-08-28 10664]
S3 XDva011;XDva011;\??\c:\windows\system32\XDva011.sys []
S3 XDva026;XDva026;\??\c:\windows\system32\XDva026.sys []
S3 XDva028;XDva028;\??\c:\windows\system32\XDva028.sys []
S3 XDva034;XDva034;\??\c:\windows\system32\XDva034.sys []
*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
2008-12-12 c:\windows\Tasks\At1.job
- c:\windows\system32\0wMGiysg.exe []
2008-06-19 c:\windows\Tasks\At10.job
- c:\windows\system32\0wMGiysg.exe []
2008-06-19 c:\windows\Tasks\At11.job
- c:\windows\system32\0wMGiysg.exe []
2008-06-19 c:\windows\Tasks\At12.job
- c:\windows\system32\0wMGiysg.exe []
2008-06-19 c:\windows\Tasks\At13.job
- c:\windows\system32\0wMGiysg.exe []
2008-06-19 c:\windows\Tasks\At14.job
- c:\windows\system32\0wMGiysg.exe []
2008-06-19 c:\windows\Tasks\At15.job
- c:\windows\system32\0wMGiysg.exe []
2008-06-19 c:\windows\Tasks\At16.job
- c:\windows\system32\0wMGiysg.exe []
2008-11-07 c:\windows\Tasks\At17.job
- c:\windows\system32\0wMGiysg.exe []
2008-12-07 c:\windows\Tasks\At18.job
- c:\windows\system32\0wMGiysg.exe []
2008-12-17 c:\windows\Tasks\At19.job
- c:\windows\system32\0wMGiysg.exe []
2008-12-12 c:\windows\Tasks\At2.job
- c:\windows\system32\0wMGiysg.exe []
2008-12-17 c:\windows\Tasks\At20.job
- c:\windows\system32\0wMGiysg.exe []
2008-12-17 c:\windows\Tasks\At21.job
- c:\windows\system32\0wMGiysg.exe []
2008-12-12 c:\windows\Tasks\At22.job
- c:\windows\system32\0wMGiysg.exe []
2008-12-12 c:\windows\Tasks\At23.job
- c:\windows\system32\0wMGiysg.exe []
2008-12-12 c:\windows\Tasks\At24.job
- c:\windows\system32\0wMGiysg.exe []
2008-12-12 c:\windows\Tasks\At3.job
- c:\windows\system32\0wMGiysg.exe []
2008-12-10 c:\windows\Tasks\At4.job
- c:\windows\system32\0wMGiysg.exe []
2008-12-10 c:\windows\Tasks\At5.job
- c:\windows\system32\0wMGiysg.exe []
2008-12-10 c:\windows\Tasks\At6.job
- c:\windows\system32\0wMGiysg.exe []
2008-12-08 c:\windows\Tasks\At7.job
- c:\windows\system32\0wMGiysg.exe []
2008-11-30 c:\windows\Tasks\At8.job
- c:\windows\system32\0wMGiysg.exe []
2008-06-19 c:\windows\Tasks\At9.job
- c:\windows\system32\0wMGiysg.exe []
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-RegistryMechanic - (no file)
MSConfigStartUp-CPM6b495773 - c:\windows\system32\kokemabo.dll
MSConfigStartUp-nTrayFw - c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
c:\windows\Downloaded Program Files\ipv6cam.ocx - c:\windows\Downloaded Program Files\AudioClient.ocx
O16 -: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9}
hxxp://219.117.194.183:84/SysCamInst.cab
c:\windows\Downloaded Program Files\install.inf
c:\windows\Downloaded Program Files\sysreqlab3.dll - c:\windows\Downloaded Program Files\sysreqlab_srl.dll
O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
hxxp://www.srtest.com/srl_bin/sysreqlab_srl.cab
c:\windows\Downloaded Program Files\sysreqlab.osd
c:\windows\Downloaded Program Files\kxhcm10.ocx - O16 -: {2E28242B-A689-11D4-80F2-0040266CBB8D}
hxxp://camera.oze-hinoemata.net/kxhcm10.ocx
c:\windows\Downloaded Program Files\BFHPatcher.exe - c:\windows\Downloaded Program Files\westpatcher.dll
O16 -: {784797A8-342D-4072-9486-03C8D0F2F0A1}
hxxp://t1.battlefield-heroes.com/patcher/westpatcher.cab
c:\windows\Downloaded Program Files\westpatcher.inf
c:\windows\Downloaded Program Files\NeffyLauncher.dll - O16 -: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C}
hxxp://dist.cdnetworks.co.kr/cdndist/neffynew/NeffyLauncher.cab
c:\windows\Downloaded Program Files\NeffyLauncher.inf
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-16 20:17:50
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-16 20:18:54
ComboFix-quarantined-files.txt 2008-12-17 04:18:24
Pre-Run: 61,089,484,800 bytes free
Post-Run: 61,114,925,056 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
277 --- E O F --- 2008-11-16 10:04:36
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:23:45 PM, on 12/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ati2sgag.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\WINDOWS\System32\nvraidservice.exe
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Admin\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wuauclt.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\FilePlanet\Download Manager\dlm.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://219.117.194.183:84/SysCamInst.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KXHCM10 Control) - http://camera.oze-hinoemata.net/kxhcm10.ocx
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1113620507093
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} (Battlefield Heroes Installer) - http://t1.battlefield-heroes.com/patcher/westpatcher.cab
O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (BL_Camera) - http://daichi-yokohama.homeip.net/bl_camera.ocx
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://dist.cdnetworks.co.kr/cdndist/neffynew/NeffyLauncher.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
--
End of file - 8963 bytes
Hello,
A bit more to do as this garbage may have more entries and files we can't see.
Remove these with Hijackthis
O4 - HKUS\S-1-5-19\..\Run: [fejitiluwa] Rundll32.exe "C:\WINDOWS\system32\vovuhinu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [fejitiluwa] Rundll32.exe "C:\WINDOWS\system32\vovuhinu.dll",s (User 'NETWORK SERVICE')
Above where not found when I ran HJT
Good Morning,
A reboot of your system is needed to remove them, there gone now :bigthumb:
O4 - HKUS\S-1-5-19\..\Run: [fejitiluwa] Rundll32.exe "C:\WINDOWS\system32\vovuhinu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [fejitiluwa] Rundll32.exe "C:\WINDOWS\system32\vovuhinu.dll",s (User 'NETWORK SERVICE')
c:\\Program Files\\Shareaza
c:\\Program Files\\uTorrent
Limewire or any of the torrents.
A heads up for you, I don't see these programs installed but they where at one time and your firewall is allowing them to download anything they wish. P2P (File Sharing Programs ) have become the latest avenue of attack by malware writers, your downloading music or whatever files from and unknown source, its like playing Russian Roulette malware wise. Read this please.
We have noticed that many people seeking help from us are coming with infections contracted from the use of P2P programs.
Because of this, we changed our malware forum's policy on the use of P2P file sharing programs.
If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.
If we clean your computer of infection, and you return to us a short time later with an infection contracted by the use of P2P programs, volunteer analysts will refuse their help.
We do not ask you to do this without reason.
P2P (File Sharing ) programs form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P program is not configured correctly you may be sharing more files than you realise. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program.
Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.
This article from InfoWorld illustrates the dangers of a poorly configured P2P program.
http://www.infoworld.com/article/07/09/06/...ID-theft_1.html (http://www.infoworld.com/article/07/09/06/Seattle-man-arrested-for-p-to-p-ID-theft_1.html)
When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections. Downloading that music file or whatever from an unknown source is kind of like playing Russian Roulette malware wise .
Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above File::
File::
c:\windows\system32\0wMGiysg.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
I need you to check this file for me please
You need to enable windows to Show All Files and Folders
Click Here (http://www.bleepingcomputer.com/tutorials/tutorial62.html) for instructions
Go to VirusTotal (http://www.virustotal.com/) and submit this file for analysis, just use the browse feature and then Send File, you will get a report back, post the report into this thread for me to see.
c:\windows\Downloaded Program Files\sysreqlab3.dll <--This one
Good evening...
In my after work stupor I neglected to disable VirusScan in my first ComboFix run. So there are two log files...
ComboFix 08-12-16.03 - Admin 2008-12-17 18:40:12.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2815.2309 [GMT -8:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active
FILE ::
c:\windows\system32\0wMGiysg.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.
((((((((((((((((((((((((( Files Created from 2008-11-18 to 2008-12-18 )))))))))))))))))))))))))))))))
.
2008-12-16 18:32 . 2008-12-16 18:32 <DIR> d-------- c:\program files\SpywareBlaster
2008-12-16 18:32 . 2008-12-16 18:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2008-12-16 17:44 . 2008-12-16 17:44 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-16 17:44 . 2008-12-16 17:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-16 17:44 . 2008-12-16 17:44 <DIR> d-------- c:\documents and settings\Admin\Application Data\Malwarebytes
2008-12-16 17:44 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-16 17:44 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-11 18:04 . 2008-12-11 18:04 <DIR> d-------- c:\documents and settings\Admin\Application Data\McAfee
2008-12-09 03:53 . 2008-12-09 03:53 <DIR> d-------- C:\VundoFix Backups
2008-12-09 03:33 . 2008-12-09 03:34 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-12-06 02:22 . 2008-12-06 02:22 <DIR> d-------- c:\documents and settings\Admin\Application Data\Spellborn Downloader
2008-11-30 05:55 . 2008-11-30 05:55 52,736 --a------ c:\windows\ipuninst.exe
2008-11-25 19:11 . 2008-11-25 19:11 <DIR> d-------- c:\documents and settings\Admin\Application Data\Toribash
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-17 02:44 --------- d-----w c:\program files\Java
2008-12-12 02:24 --------- d-----w c:\program files\Common Files\McAfee
2008-12-12 02:04 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-12-10 02:13 --------- d-----w c:\program files\Lavasoft
2008-12-10 02:12 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-10 02:12 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-05 05:01 140,216 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-12-05 04:59 201,352 ----a-w c:\windows\system32\PnkBstrB.exe
2008-11-30 13:51 --------- d-----w c:\documents and settings\Admin\Application Data\uTorrent
2008-11-30 06:18 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-14 09:32 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-09 09:41 --------- d-----w c:\documents and settings\Admin\Application Data\IGN_DLM
2008-11-06 23:52 --------- d-----w c:\documents and settings\All Users\Application Data\ATI
2008-11-06 23:50 --------- d-----w c:\program files\ATI Technologies
2008-11-05 06:10 --------- d-----w c:\documents and settings\All Users\Application Data\2DBoy
2008-10-29 00:20 682,280 ----a-w c:\windows\system32\pbsvc.exe
2008-10-29 00:20 66,872 ----a-w c:\windows\system32\PnkBstrA.exe
2008-10-29 00:20 22,328 ----a-w c:\documents and settings\Admin\Application Data\PnkBstrK.sys
2008-10-26 11:53 --------- d-----w c:\program files\SystemRequirementsLab
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-10 00:18 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-10-10 00:08 10,820 ----a-w c:\windows\system32\ealregsnapshot1.reg
2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-24 05:05 593,920 ------w c:\windows\system32\ati2sgag.exe
2008-09-24 02:18 425,984 ----a-w c:\windows\system32\ATIDEMGX.dll
2008-09-24 02:17 311,296 ----a-w c:\windows\system32\ati2dvag.dll
2008-09-24 02:09 10,772,480 ----a-w c:\windows\system32\atioglxx.dll
2008-09-24 02:07 188,416 ----a-w c:\windows\system32\atipdlxx.dll
2008-09-24 02:06 43,520 ----a-w c:\windows\system32\ati2edxx.dll
2008-09-24 02:06 26,112 ----a-w c:\windows\system32\Ati2mdxx.exe
2008-09-24 02:06 143,360 ----a-w c:\windows\system32\Oemdspif.dll
2008-09-24 02:06 143,360 ----a-w c:\windows\system32\ati2evxx.dll
2008-09-24 02:04 581,632 ----a-w c:\windows\system32\ati2evxx.exe
2008-09-24 02:03 53,248 ----a-w c:\windows\system32\ATIDDC.DLL
2008-09-24 01:56 307,200 ----a-w c:\windows\system32\atiiiexx.dll
2008-09-24 01:54 4,008,864 ----a-w c:\windows\system32\ati3duag.dll
2008-09-24 01:38 2,399,744 ----a-w c:\windows\system32\ativvaxx.dll
2008-09-24 01:24 48,640 ----a-w c:\windows\system32\amdpcom32.dll
2008-09-24 01:20 380,928 ----a-w c:\windows\system32\atikvmag.dll
2008-09-24 01:19 39,424 ----a-w c:\windows\system32\atiadlxx.dll
2008-09-24 01:18 253,952 ----a-w c:\windows\system32\atiok3x2.dll
2008-09-24 01:18 17,408 ----a-w c:\windows\system32\atitvo32.dll
2008-09-24 01:12 573,440 ----a-w c:\windows\system32\ati2cqag.dll
2006-05-15 23:27 1 ----a-w c:\documents and settings\Admin\SI.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"igndlm.exe"="c:\program files\FilePlanet\Download Manager\DLM.exe" [2008-08-01 1103216]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-28 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRaidService"="c:\windows\System32\nvraidservice.exe" [2005-01-11 84480]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"Launch LCDMon"="c:\program files\Common Files\Logitech\LCD Manager\lcdmon.exe" [2007-04-26 774168]
"Launch LGDCore"="c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe" [2007-04-26 1132056]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-08-13 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"atwtusb"="atwtusb.exe" [2002-04-23 c:\windows\system32\atwtusb.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-07-22 c:\windows\SOUNDMAN.EXE]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= DivXa32.acm
"vidc.iv32"= c:\windows\system32\ir32_32.dll
"vidc.iv31"= c:\windows\system32\ir32_32.dll
"VIDC.VP31"= vp31vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-11-28 03:02 155648 c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\fightback911@hotmail.com\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\fightback911@hotmail.com\\half-life\\hl.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\fightback911@hotmail.com\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\fightback911@hotmail.com\\half-life 2\\hl2.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\fightback911@hotmail.com\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\3dsmax6\\3dsmax.exe"=
"c:\\UT2004\\System\\UT2004.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\fightback911@hotmail.com\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\fightback911@hotmail.com\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"d:\\Programs\\BFHeroes.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"d:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\fightback911@hotmail.com\\source sdk base 2007\\hl2.exe"=
"d:\\Programs\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"d:\\Programs\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"d:\\Program Files\\Deep Silver\\S.T.A.L.K.E.R. - Clear Sky\\bin\\xrEngine.exe"=
"d:\\Program Files\\Deep Silver\\S.T.A.L.K.E.R. - Clear Sky\\bin\\dedicated\\xrEngine.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\fightback911@hotmail.com\\synergy\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\fightback911@hotmail.com\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53125:TCP"= 53125:TCP:PORT_53125
R2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\Drivers\ousbehci.sys [2005-04-15 44928]
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\DRIVERS\ousb2hub.sys [2005-04-15 55936]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\DRIVERS\gan_adapter.sys [2006-08-28 10664]
S3 XDva011;XDva011;\??\c:\windows\system32\XDva011.sys []
S3 XDva026;XDva026;\??\c:\windows\system32\XDva026.sys []
S3 XDva028;XDva028;\??\c:\windows\system32\XDva028.sys []
S3 XDva034;XDva034;\??\c:\windows\system32\XDva034.sys []
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
c:\windows\Downloaded Program Files\ipv6cam.ocx - c:\windows\Downloaded Program Files\AudioClient.ocx
O16 -: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9}
hxxp://219.117.194.183:84/SysCamInst.cab
c:\windows\Downloaded Program Files\install.inf
c:\windows\Downloaded Program Files\sysreqlab3.dll - c:\windows\Downloaded Program Files\sysreqlab_srl.dll
O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
hxxp://www.srtest.com/srl_bin/sysreqlab_srl.cab
c:\windows\Downloaded Program Files\sysreqlab.osd
c:\windows\Downloaded Program Files\kxhcm10.ocx - O16 -: {2E28242B-A689-11D4-80F2-0040266CBB8D}
hxxp://camera.oze-hinoemata.net/kxhcm10.ocx
c:\windows\Downloaded Program Files\BFHPatcher.exe - c:\windows\Downloaded Program Files\westpatcher.dll
O16 -: {784797A8-342D-4072-9486-03C8D0F2F0A1}
hxxp://t1.battlefield-heroes.com/patcher/westpatcher.cab
c:\windows\Downloaded Program Files\westpatcher.inf
c:\windows\Downloaded Program Files\NeffyLauncher.dll - O16 -: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C}
hxxp://dist.cdnetworks.co.kr/cdndist/neffynew/NeffyLauncher.cab
c:\windows\Downloaded Program Files\NeffyLauncher.inf
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-17 18:42:48
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-17 18:44:23
ComboFix-quarantined-files.txt 2008-12-18 02:43:27
ComboFix2.txt 2008-12-17 04:18:55
Pre-Run: 61,319,512,064 bytes free
Post-Run: 61,301,194,752 bytes free
260 --- E O F --- 2008-11-16 10:04:36
ComboFix 08-12-16.03 - Admin 2008-12-17 18:48:37.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2815.2328 [GMT -8:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
* Created a new restore point
FILE ::
c:\windows\system32\0wMGiysg.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.
((((((((((((((((((((((((( Files Created from 2008-11-18 to 2008-12-18 )))))))))))))))))))))))))))))))
.
2008-12-16 18:32 . 2008-12-16 18:32 <DIR> d-------- c:\program files\SpywareBlaster
2008-12-16 18:32 . 2008-12-16 18:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2008-12-16 17:44 . 2008-12-16 17:44 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-16 17:44 . 2008-12-16 17:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-16 17:44 . 2008-12-16 17:44 <DIR> d-------- c:\documents and settings\Admin\Application Data\Malwarebytes
2008-12-16 17:44 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-16 17:44 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-11 18:04 . 2008-12-11 18:04 <DIR> d-------- c:\documents and settings\Admin\Application Data\McAfee
2008-12-09 03:53 . 2008-12-09 03:53 <DIR> d-------- C:\VundoFix Backups
2008-12-09 03:33 . 2008-12-09 03:34 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-12-06 02:22 . 2008-12-06 02:22 <DIR> d-------- c:\documents and settings\Admin\Application Data\Spellborn Downloader
2008-11-30 05:55 . 2008-11-30 05:55 52,736 --a------ c:\windows\ipuninst.exe
2008-11-25 19:11 . 2008-11-25 19:11 <DIR> d-------- c:\documents and settings\Admin\Application Data\Toribash
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-17 02:44 --------- d-----w c:\program files\Java
2008-12-12 02:24 --------- d-----w c:\program files\Common Files\McAfee
2008-12-12 02:04 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-12-10 02:13 --------- d-----w c:\program files\Lavasoft
2008-12-10 02:12 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-10 02:12 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-05 05:01 140,216 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-12-05 04:59 201,352 ----a-w c:\windows\system32\PnkBstrB.exe
2008-11-30 13:51 --------- d-----w c:\documents and settings\Admin\Application Data\uTorrent
2008-11-30 06:18 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-14 09:32 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-09 09:41 --------- d-----w c:\documents and settings\Admin\Application Data\IGN_DLM
2008-11-06 23:52 --------- d-----w c:\documents and settings\All Users\Application Data\ATI
2008-11-06 23:50 --------- d-----w c:\program files\ATI Technologies
2008-11-05 06:10 --------- d-----w c:\documents and settings\All Users\Application Data\2DBoy
2008-10-29 00:20 682,280 ----a-w c:\windows\system32\pbsvc.exe
2008-10-29 00:20 66,872 ----a-w c:\windows\system32\PnkBstrA.exe
2008-10-29 00:20 22,328 ----a-w c:\documents and settings\Admin\Application Data\PnkBstrK.sys
2008-10-26 11:53 --------- d-----w c:\program files\SystemRequirementsLab
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-10 00:18 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-10-10 00:08 10,820 ----a-w c:\windows\system32\ealregsnapshot1.reg
2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-24 05:05 593,920 ------w c:\windows\system32\ati2sgag.exe
2008-09-24 02:18 425,984 ----a-w c:\windows\system32\ATIDEMGX.dll
2008-09-24 02:17 311,296 ----a-w c:\windows\system32\ati2dvag.dll
2008-09-24 02:09 10,772,480 ----a-w c:\windows\system32\atioglxx.dll
2008-09-24 02:07 188,416 ----a-w c:\windows\system32\atipdlxx.dll
2008-09-24 02:06 43,520 ----a-w c:\windows\system32\ati2edxx.dll
2008-09-24 02:06 26,112 ----a-w c:\windows\system32\Ati2mdxx.exe
2008-09-24 02:06 143,360 ----a-w c:\windows\system32\Oemdspif.dll
2008-09-24 02:06 143,360 ----a-w c:\windows\system32\ati2evxx.dll
2008-09-24 02:04 581,632 ----a-w c:\windows\system32\ati2evxx.exe
2008-09-24 02:03 53,248 ----a-w c:\windows\system32\ATIDDC.DLL
2008-09-24 01:56 307,200 ----a-w c:\windows\system32\atiiiexx.dll
2008-09-24 01:54 4,008,864 ----a-w c:\windows\system32\ati3duag.dll
2008-09-24 01:38 2,399,744 ----a-w c:\windows\system32\ativvaxx.dll
2008-09-24 01:24 48,640 ----a-w c:\windows\system32\amdpcom32.dll
2008-09-24 01:20 380,928 ----a-w c:\windows\system32\atikvmag.dll
2008-09-24 01:19 39,424 ----a-w c:\windows\system32\atiadlxx.dll
2008-09-24 01:18 253,952 ----a-w c:\windows\system32\atiok3x2.dll
2008-09-24 01:18 17,408 ----a-w c:\windows\system32\atitvo32.dll
2008-09-24 01:12 573,440 ----a-w c:\windows\system32\ati2cqag.dll
2006-05-15 23:27 1 ----a-w c:\documents and settings\Admin\SI.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"igndlm.exe"="c:\program files\FilePlanet\Download Manager\DLM.exe" [2008-08-01 1103216]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-28 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRaidService"="c:\windows\System32\nvraidservice.exe" [2005-01-11 84480]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"Launch LCDMon"="c:\program files\Common Files\Logitech\LCD Manager\lcdmon.exe" [2007-04-26 774168]
"Launch LGDCore"="c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe" [2007-04-26 1132056]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-08-13 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"atwtusb"="atwtusb.exe" [2002-04-23 c:\windows\system32\atwtusb.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-07-22 c:\windows\SOUNDMAN.EXE]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= DivXa32.acm
"vidc.iv32"= c:\windows\system32\ir32_32.dll
"vidc.iv31"= c:\windows\system32\ir32_32.dll
"VIDC.VP31"= vp31vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-11-28 03:02 155648 c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\fightback911@hotmail.com\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\fightback911@hotmail.com\\half-life\\hl.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\fightback911@hotmail.com\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\fightback911@hotmail.com\\half-life 2\\hl2.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\fightback911@hotmail.com\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\3dsmax6\\3dsmax.exe"=
"c:\\UT2004\\System\\UT2004.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\fightback911@hotmail.com\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\fightback911@hotmail.com\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"d:\\Programs\\BFHeroes.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"d:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\fightback911@hotmail.com\\source sdk base 2007\\hl2.exe"=
"d:\\Programs\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"d:\\Programs\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"d:\\Program Files\\Deep Silver\\S.T.A.L.K.E.R. - Clear Sky\\bin\\xrEngine.exe"=
"d:\\Program Files\\Deep Silver\\S.T.A.L.K.E.R. - Clear Sky\\bin\\dedicated\\xrEngine.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\fightback911@hotmail.com\\synergy\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\fightback911@hotmail.com\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53125:TCP"= 53125:TCP:PORT_53125
R2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\Drivers\ousbehci.sys [2005-04-15 44928]
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\DRIVERS\ousb2hub.sys [2005-04-15 55936]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\DRIVERS\gan_adapter.sys [2006-08-28 10664]
S3 XDva011;XDva011;\??\c:\windows\system32\XDva011.sys []
S3 XDva026;XDva026;\??\c:\windows\system32\XDva026.sys []
S3 XDva028;XDva028;\??\c:\windows\system32\XDva028.sys []
S3 XDva034;XDva034;\??\c:\windows\system32\XDva034.sys []
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
c:\windows\Downloaded Program Files\ipv6cam.ocx - c:\windows\Downloaded Program Files\AudioClient.ocx
O16 -: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9}
hxxp://219.117.194.183:84/SysCamInst.cab
c:\windows\Downloaded Program Files\install.inf
c:\windows\Downloaded Program Files\sysreqlab3.dll - c:\windows\Downloaded Program Files\sysreqlab_srl.dll
O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
hxxp://www.srtest.com/srl_bin/sysreqlab_srl.cab
c:\windows\Downloaded Program Files\sysreqlab.osd
c:\windows\Downloaded Program Files\kxhcm10.ocx - O16 -: {2E28242B-A689-11D4-80F2-0040266CBB8D}
hxxp://camera.oze-hinoemata.net/kxhcm10.ocx
c:\windows\Downloaded Program Files\BFHPatcher.exe - c:\windows\Downloaded Program Files\westpatcher.dll
O16 -: {784797A8-342D-4072-9486-03C8D0F2F0A1}
hxxp://t1.battlefield-heroes.com/patcher/westpatcher.cab
c:\windows\Downloaded Program Files\westpatcher.inf
c:\windows\Downloaded Program Files\NeffyLauncher.dll - O16 -: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C}
hxxp://dist.cdnetworks.co.kr/cdndist/neffynew/NeffyLauncher.cab
c:\windows\Downloaded Program Files\NeffyLauncher.inf
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-17 18:49:26
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-17 18:50:29
ComboFix-quarantined-files.txt 2008-12-18 02:49:59
ComboFix2.txt 2008-12-18 02:44:25
ComboFix3.txt 2008-12-17 04:18:55
Pre-Run: 61,287,419,904 bytes free
Post-Run: 61,267,431,424 bytes free
233 --- E O F --- 2008-11-16 10:04:36
HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:55:14 PM, on 12/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvraidservice.exe
C:\WINDOWS\system32\atwtusb.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\ati2sgag.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\UAService7.exe
C:\Documents and Settings\Admin\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\FilePlanet\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://219.117.194.183:84/SysCamInst.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KXHCM10 Control) - http://camera.oze-hinoemata.net/kxhcm10.ocx
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1113620507093
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} (Battlefield Heroes Installer) - http://t1.battlefield-heroes.com/patcher/westpatcher.cab
O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (BL_Camera) - http://daichi-yokohama.homeip.net/bl_camera.ocx
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://dist.cdnetworks.co.kr/cdndist/neffynew/NeffyLauncher.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
--
End of file - 8845 bytes
As far as the c:\windows\Downloaded Program Files\sysreqlab3.dll
It isn't shown. There are three Program Files shown as System Requirements Lab, two with Status of Installed one shown as Damaged. The most recently accessed one (12/17/2008) also the most recently created (5/18/2007) is what is shown damaged. Did a search and sysreqlab3.dll is not found. Wanted to send a screen shot but don't have a program installed on this machine to do one.
Hello,
sysreqlab3.dll <-- Did some more snooping on this file and it appears ok.
You did just fine and your logs look good :bigthumb:
How are things running now??
Haven't been getting popups but still seems to have lags where the system just freezes for a few moments. Updated and ran SyBot and found the following;
Hint of the Day: Click the bar at the right of this to see more information! ()
Virtumonde: [SBI $1E12D746] User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1645522239-287218729-839522115-1003\Software\Microsoft\fias4013
--- Spybot - Search & Destroy version: 1.6.0 (build: 20080729) ---
2008-08-14 blindman.exe (1.0.0.8)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-08-14 SDFiles.exe (1.6.0.4)
2008-08-14 SDMain.exe (1.0.0.6)
2008-08-14 SDShred.exe (1.0.2.3)
2008-08-14 SDUpdate.exe (1.6.0.9)
2008-08-14 SDWinSec.exe (1.0.0.12)
2008-07-30 SpybotSD.exe (1.6.0.31)
2008-09-16 TeaTimer.exe (1.6.3.25)
2005-10-11 unins000.exe (51.41.0.0)
2008-08-31 unins001.exe (51.49.0.0)
2008-08-14 Update.exe (1.6.0.7)
2008-10-22 advcheck.dll (1.6.2.13)
2007-04-02 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2008-10-22 Tools.dll (2.1.6.8)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2008-11-04 Includes\Adware.sbi (*)
2008-12-09 Includes\AdwareC.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2008-09-02 Includes\Dialer.sbi (*)
2008-09-09 Includes\DialerC.sbi (*)
2008-07-23 Includes\HeavyDuty.sbi (*)
2008-11-18 Includes\Hijackers.sbi (*)
2008-12-16 Includes\HijackersC.sbi (*)
2008-12-09 Includes\Keyloggers.sbi (*)
2008-12-16 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-11-18 Includes\Malware.sbi (*)
2008-12-16 Includes\MalwareC.sbi (*)
2008-12-16 Includes\PUPS.sbi (*)
2008-12-16 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-17 Includes\Security.sbi (*)
2008-12-16 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-12-10 Includes\Spyware.sbi (*)
2008-12-10 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2008-11-04 Includes\Trojans.sbi (*)
2008-12-16 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
Did the fix. TeaTimer is still disabled.
I'll reboot and run it again and see if it recurs.
I also installed SpywareBlaster and enabled all protection.
I'd like to do something to clean/compact the registry when this is all done with as well.
Hello,
Don't fool with the registry with any registry cleaners, there not recommended, even the good ones at times may remove valid entries that can disable your system and if it removes a bunch of unused entries you will see no difference in system performance.
We just do malware removal on this forum, I am linking you to some windows support sites that can help you sort out any other issues you may have.
Windows Helpnet (http://www.windowsbbs.com/) <-- Excellent XP Forum
PcPitStop (http://pcpitstop.com/) <-- You can take your system in for a checkup here.
Windows Support (http://forums.whatthetech.com/Microsoft_Windows_f119.html)
It's Not Always Malware
Slow Computer (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html)
Microsoft (http://www.microsoft.com/windows/IE/community/columns/IEtopten.mspx)
Speedup Windows
TechBuilder (http://www.techbuilder.org/recipes/59201471)
Windows Tips
Techruler (http://www.techruler.com/tips.html#1)
Kellys Korner (http://www.kellys-korner-xp.com/xp_abc.htm)
Your Java is out of date and leaving your system vulnerable.
Go to your Add-Remove Programs in the Control Panel and uninstall any previous versions of Java (J2SE Runtime Environment)
It should have an icon next to it:
http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.jpg
Select it and click Remove.
Reboot your system.
Then go to the Sun Microsystems (http://java.sun.com/javase/downloads/index.jsp) and install the update
Java SE Runtime Environment (JRE) 6 Update 11 <--This is what you need to download and install.
If you chose the online installation, it will prompt you to run the program.
If you chose the offline installation, you will be prompted to save the file and you can run it from wherever you saved it.
Then after install you can verify your installation here Sun Java Verify (http://www.java.com/en/download/manual.jsp)
I like to to do the offline installation and save the setup file in case I may need it in the future
ATF Cleaner <-- Yours to keep, run it now and then to clean out the clutter.
Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.
Hijackthis <---Your call, hopefully you won't need it again, if you do you can redownload it
Combofix <---Is not a general cleaning tool, just run it with supervision or you can bork your system
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
When shown the disclaimer, Select "2"
The above procedure will:
Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.
How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy but do not enable the TeaTimer in Spybot.
Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.
Safe Surfn
Ken
Forgot to mention that this garbage leaves entries all over the place, the infection is gone but what you should do is to run Spybot Search and Destroy removing all it finds......REBOOT YOUR SYSTEM....and run it again until its clean, it may take a time or two to accomplish that.
Have a Happy Holiday,
Ken:)
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.