Virtumonde and Smitfraud

TNTMad
2009-01-04, 23:45
I have been hit by both Virtumonde and Smitfraud. I am currently logged in through safe mode and appear to be able to function. I am unable to log in normally (I have used my password, but it logs me back off shortly after). Please help me. Below is the HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:22:07 PM, on 1/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://home.secureapp.att.net/bellsouth/s/userinfo.dll?ep=1031&spage=sso/logon.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DLCICATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCItime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [dlcimon.exe] "C:\Program Files\Dell AIO Printer 946\dlcimon.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [fssui] "C:\Program Files\Windows Live\Family Safety\fssui.exe" -autorun
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SRFirstRun] rundll32 srclient.dll,CreateFirstRunRp
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: dlci_device - - C:\WINDOWS\system32\dlcicoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

--
End of file - 5645 bytes

Thank you in advance for your time.

ken545
2009-01-10, 00:26
Hello TNTMad,

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.


Run this program in Safemode with Network Support


To Enter Safemode

Go to Start> Shut off your Computer> Restart
As the computer starts to boot up, tap the F8 key somewhat rapidly;
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode with Network Support
Then press the Enter Key on your Keyboard

Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)
Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when ComboFix has completely finished, restart your computer to restore the connections.

TNTMad
2009-01-11, 22:16
Thank you for choosing to help me. The ComboFix and Hijackthis logs are posted below in that order.

ComboFix 09-01-10.03 - Giannoula Popp 2009-01-11 14:57:21.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.360 [GMT -5:00]
Running from: c:\documents and settings\Giannoula Popp\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\daeuit.dll
c:\windows\system32\gqsnsfrs.dll
c:\windows\system32\hernorqu.dll
c:\windows\system32\hzyqga.dll
c:\windows\system32\jkkLFwur.dll
c:\windows\system32\jnvpwu.dll
c:\windows\system32\ljJYPhEu.dll
c:\windows\system32\msexcl35.dll
c:\windows\system32\msltus35.dll
c:\windows\system32\mspdox35.dll
c:\windows\system32\msrdo20.dll
c:\windows\system32\mstext35.dll
c:\windows\system32\msxbse35.dll
c:\windows\system32\noyriu.dll
c:\windows\system32\rdocurs.dll
c:\windows\system32\ruwFLkkj.ini
c:\windows\system32\ruwFLkkj.ini2
c:\windows\system32\wipvyfus.dll
c:\windows\system32\wpv631229210935.cpx
c:\windows\system32\xbmuqhst.dll
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2008-12-11 to 2009-01-11 )))))))))))))))))))))))))))))))
.

2008-12-27 22:35 . 2008-12-27 23:09 639 --a------ c:\windows\cdplayer.ini
2008-12-27 20:11 . 2006-10-23 21:53 <DIR> d--h----- c:\documents and settings\Administrator\Application Data\Gtek
2008-12-27 20:11 . 2008-12-27 20:11 <DIR> d-------- c:\documents and settings\Administrator
2008-12-27 18:49 . 2005-10-14 20:45 135,168 --a------ c:\windows\system32\igfxres.dll
2008-12-17 22:06 . 2004-08-04 05:00 156,672 --a--c--- c:\windows\system32\dllcache\winzm.ime
2008-12-17 22:06 . 2004-08-04 05:00 156,672 --a--c--- c:\windows\system32\dllcache\winsp.ime
2008-12-17 22:06 . 2004-08-04 05:00 156,672 --a--c--- c:\windows\system32\dllcache\winpy.ime
2008-12-17 22:06 . 2004-08-04 05:00 79,360 --a--c--- c:\windows\system32\dllcache\winar30.ime
2008-12-17 22:06 . 2004-08-04 05:00 69,120 --a--c--- c:\windows\system32\dllcache\wingb.ime
2008-12-17 22:06 . 2004-08-04 05:00 65,536 --a--c--- c:\windows\system32\dllcache\winime.ime
2008-12-17 22:06 . 2004-08-04 05:00 28,288 --a--c--- c:\windows\system32\dllcache\xjis.nls
2008-12-17 22:04 . 2004-08-04 05:00 482,304 --a--c--- c:\windows\system32\dllcache\pintlgnt.ime
2008-12-17 22:03 . 2004-08-04 05:00 1,875,968 --a--c--- c:\windows\system32\dllcache\msir3jp.lex
2008-12-17 22:03 . 2004-08-04 05:00 229,439 --a--c--- c:\windows\system32\dllcache\multibox.dll
2008-12-17 22:03 . 2004-08-04 05:00 111,104 --a--c--- c:\windows\system32\dllcache\mtstocom.exe
2008-12-17 22:03 . 2004-08-04 05:00 98,304 --a--c--- c:\windows\system32\dllcache\msir3jp.dll
2008-12-17 22:03 . 2004-08-04 05:00 92,416 --a--c--- c:\windows\system32\dllcache\mga.sys
2008-12-17 22:03 . 2004-08-04 05:00 92,032 --a--c--- c:\windows\system32\dllcache\mga.dll
2008-12-17 22:03 . 2001-08-17 22:36 65,536 --a--c--- c:\windows\system32\dllcache\EXCH_mailmsg.dll
2008-12-17 22:03 . 2001-08-17 22:36 38,912 --a--c--- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2008-12-17 22:03 . 2004-08-04 05:00 33,792 --a--c--- c:\windows\system32\dllcache\lmmib2.dll
2008-12-17 22:03 . 2004-08-04 05:00 22,528 --a--c--- c:\windows\system32\dllcache\lpdsvc.dll
2008-12-17 22:03 . 2004-08-04 05:00 18,944 --a--c--- c:\windows\system32\dllcache\lprmon.dll
2008-12-17 22:03 . 2004-08-04 05:00 7,680 --a--c--- c:\windows\system32\dllcache\migregdb.exe
2008-12-17 22:01 . 2004-08-04 05:00 10,096,640 --a--c--- c:\windows\system32\dllcache\hwxcht.dll
2008-12-17 22:00 . 2004-08-04 05:00 1,677,824 --a--c--- c:\windows\system32\dllcache\chsbrkr.dll
2008-12-17 21:59 . 2004-05-13 00:39 876,653 --a--c--- c:\windows\system32\dllcache\fp4awel.dll
2008-12-17 21:58 . 2003-03-24 16:52 188,480 --a--c--- c:\windows\system32\dllcache\cfgwiz.exe
2008-12-17 21:58 . 2004-05-13 00:39 184,435 --a--c--- c:\windows\system32\dllcache\fp4amsft.dll
2008-12-17 21:58 . 2003-03-24 16:52 20,540 --a--c--- c:\windows\system32\dllcache\author.dll
2008-12-17 21:58 . 2003-03-24 16:52 20,540 --a--c--- c:\windows\system32\dllcache\admin.dll
2008-12-17 21:58 . 2003-03-24 16:52 16,439 --a--c--- c:\windows\system32\dllcache\author.exe
2008-12-17 21:58 . 2003-03-24 16:52 16,439 --a--c--- c:\windows\system32\dllcache\admin.exe
2008-12-17 21:49 . 2008-12-17 21:49 749 -rah----- c:\windows\WindowsShell.Manifest
2008-12-17 21:49 . 2008-12-17 21:49 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest
2008-12-17 21:49 . 2008-12-17 21:49 749 -rah----- c:\windows\system32\sapi.cpl.manifest
2008-12-17 21:49 . 2008-12-17 21:49 749 -rah----- c:\windows\system32\ncpa.cpl.manifest
2008-12-17 21:49 . 2008-12-17 21:49 488 -rah----- c:\windows\system32\logonui.exe.manifest
2008-12-17 21:44 . 2004-08-04 05:00 16,384 --a--c--- c:\windows\system32\dllcache\isignup.exe
2008-12-17 21:43 . 2004-08-04 05:00 214,528 --a--c--- c:\windows\system32\dllcache\icwconn1.exe
2008-12-17 21:43 . 2004-08-04 05:00 86,016 --a--c--- c:\windows\system32\dllcache\icwconn2.exe
2008-12-17 21:43 . 2004-08-04 05:00 32,768 --a--c--- c:\windows\system32\dllcache\icwdl.dll
2008-12-17 21:43 . 2004-08-04 05:00 20,480 --a--c--- c:\windows\system32\dllcache\inetwiz.exe
2008-12-17 21:19 . 2004-08-04 05:00 2,012,670 --a--c--- c:\windows\system32\dllcache\NT5.CAT
2008-12-17 21:19 . 2004-08-04 05:00 1,086,058 --a--c--- c:\windows\system32\dllcache\NTPRINT.CAT
2008-12-17 21:19 . 2004-08-04 05:00 1,086,058 -ra------ c:\windows\SET87.tmp
2008-12-17 21:19 . 2004-08-04 05:00 1,042,903 --a--c--- c:\windows\system32\dllcache\SP2.CAT
2008-12-17 21:19 . 2004-08-04 05:00 1,042,903 -ra------ c:\windows\SET84.tmp
2008-12-17 21:19 . 2004-08-04 05:00 797,189 --a--c--- c:\windows\system32\dllcache\NT5IIS.CAT
2008-12-17 21:19 . 2004-08-04 05:00 399,645 --a--c--- c:\windows\system32\dllcache\MAPIMIG.CAT
2008-12-17 21:19 . 2004-08-04 05:00 382,952 --a--c--- c:\windows\system32\dllcache\NT5INF.CAT
2008-12-17 21:19 . 2004-08-04 05:00 13,753 -ra------ c:\windows\SET93.tmp
2008-12-17 19:59 . 2008-12-17 20:21 90,112 --a------ c:\windows\DUMP5fa4.tmp
2008-12-17 16:05 . 2008-12-17 16:05 <DIR> d-------- c:\windows\dell
2008-12-17 16:05 . 2008-12-18 13:52 527,921,152 --a------ c:\windows\MEMORY.DMP
2008-12-14 14:26 . 2008-12-14 14:26 120 --ahs---- c:\windows\system32\latjrlyd.ini
2008-12-14 13:57 . 2008-12-14 13:57 <DIR> d-------- c:\windows\LastGood.Tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-28 01:59 50,526 ----a-w c:\documents and settings\Giannoula Popp\Application Data\wklnhst.dat
2008-12-17 23:38 --------- d-----w c:\program files\Veoh Networks
2008-12-14 18:58 --------- d-----w c:\program files\Windows Live Safety Center
2008-12-10 10:57 --------- d-----w c:\program files\Dl_cats
2008-11-29 22:08 --------- d-----w c:\program files\vixy.net
2008-11-19 20:00 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-13 03:13 --------- d-----w c:\documents and settings\Joshua Popp\Application Data\DivX
2008-06-10 00:20 504 ----a-w c:\documents and settings\Joshua Popp\Application Data\wklnhst.dat
2007-06-17 20:54 385 ----a-w c:\program files\MahJongg.lnk
2006-10-24 02:42 0 ---ha-w c:\documents and settings\All Users\Application Data\gwseh.dat
2006-10-29 21:33 8 --sha-r c:\windows\system32\BA83ACF171.sys
2006-10-29 21:33 2,828 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB7520"="command" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-28 185872]
"DLCICATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCItime.dll" [2006-02-24 73728]
"MCUpdateExe"="c:\progra~1\McAfee.com\Agent\McUpdate.exe" [2006-01-11 212992]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-08-03 1032192]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]
"dlcimon.exe"="c:\program files\Dell AIO Printer 946\dlcimon.exe" [2006-02-13 430080]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 110592]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"fssui"="c:\program files\Windows Live\Family Safety\fssui.exe" [2007-12-17 243240]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]
"SRFirstRun"="srclient.dll" [2004-08-04 c:\windows\system32\srclient.dll]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\jkkLFwur

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 dlci_device;dlci_device;c:\windows\system32\dlcicoms.exe -service --> c:\windows\system32\dlcicoms.exe -service [?]
S4 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2008-05-28 43816]
S4 fsssvc;Windows Live OneCare Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2007-12-17 523816]
S4 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]
.
Contents of the 'Scheduled Tasks' folder

2008-10-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2008-12-17 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20]

2008-12-12 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (NEWONE-Giannoula Popp).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe []

2009-01-11 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{7437752C-422A-482E-9F95-FE0BD3C2F2DF} - (no file)
BHO-{9A54AC8E-8083-4005-A283-A808CEDC7E7C} - (no file)
BHO-{9C537C34-9B28-4B25-97BD-7305E3751DE6} - (no file)
BHO-{9fca565d-ce99-41cb-9b38-a883438ab68f} - c:\windows\system32\noyriu.dll
BHO-{F3C3E0B3-8D3F-44B4-AE4A-9308F90FF834} - c:\windows\system32\jkkLFwur.dll
HKLM-Run-VSOCheckTask - c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe
HKLM-Run-OASClnt - c:\program files\McAfee.com\VSO\oasclnt.exe
HKLM-Run-VirusScan Online - c:\program files\McAfee.com\VSO\mcvsshld.exe
HKLM-Run-MPFExe - c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe


.
------- Supplementary Scan -------
.
uStart Page = https://home.secureapp.att.net/bellsouth/s/userinfo.dll?ep=1031&spage=sso/logon.htm
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: online.musicmatch.com
FF - ProfilePath - c:\documents and settings\Giannoula Popp\Application Data\Mozilla\Firefox\Profiles\55dfl850.default\
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("network.protocol-handler.warn-external.veoh2", false);
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-11 15:21:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCICATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCItime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-11 15:25:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-11 20:25:22

Pre-Run: 15,091,302,400 bytes free
Post-Run: 15,769,423,872 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /noexecute=optin

222 --- E O F --- 2008-10-23 23:01:59


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:36:35 PM, on 1/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://home.secureapp.att.net/bellsouth/s/userinfo.dll?ep=1031&spage=sso/logon.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DLCICATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCItime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [dlcimon.exe] "C:\Program Files\Dell AIO Printer 946\dlcimon.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [fssui] "C:\Program Files\Windows Live\Family Safety\fssui.exe" -autorun
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SRFirstRun] rundll32 srclient.dll,CreateFirstRunRp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB7520] command /c del "C:\WINDOWS\system32\ruwFLkkj.ini"
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: dlci_device - - C:\WINDOWS\system32\dlcicoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

--
End of file - 5040 bytes

ken545
2009-01-11, 22:54
Hello,

This may fix the logon issue.

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the code box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above File::

File::
c:\windows\SET87.tmp
c:\windows\SET84.tmp
c:\windows\SET93.tmp
c:\windows\system32\latjrlyd.ini

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif


This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected. <-- Don't forget this
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a New Hijackthis log.

Post the new ComboFix log and the Malwarebytes log, then see if you can log into normal Windows, run HJT from normal Windows, and post a new log please.
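As an added example (it is not code from this thread, from ComboFix or from Safer Networking), here is a small Python checker for the one registry point the ComboFix log and the CFScript above both turn on: the LSA "Authentication Packages" value in the Reg Loading Points section lists a second DLL (jkkLFwur) next to the Windows default msv1_0, and the Registry:: block in the CFScript rewrites that REG_MULTI_SZ to msv1_0 alone as a hex(7) value. The script parses that log line, flags any non-default package, and decodes and re-encodes the hex(7) form so a helper can confirm what a repair value actually writes before handing it to someone. The sample log text is copied from the log above; the function names and the check_lsa summary are my own.

```python
"""Triage helper for the LSA 'Authentication Packages' value (added example,
not code from the thread or from ComboFix).  Every DLL listed there is loaded
into lsass.exe at boot, which is why Virtumonde planted jkkLFwur in it and why
the CFScript resets the value to the Windows default."""
import re

# Windows XP ships with msv1_0 as the only authentication package.
DEFAULT_AUTH_PACKAGES = ("msv1_0",)

# Constructed sample: the two lines as they appear in the ComboFix log above.
SAMPLE_COMBOFIX_LOG = """\
[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\\windows\\system32\\jkkLFwur
"""

# The repair value from the CFScript above (REGEDIT4 style, one byte per character).
CFSCRIPT_REPAIR_VALUE = "hex(7):6d,73,76,31,5f,30,00,00"


def parse_auth_packages(log_text):
    """Return the package list ComboFix reports for the LSA key, or [] if absent.
    ComboFix prints the REG_MULTI_SZ entries space-separated, so split on whitespace."""
    m = re.search(r"^Authentication Packages\s+REG_MULTI_SZ\s+(.*)$", log_text, re.M)
    return m.group(1).split() if m else []


def suspicious_auth_packages(packages):
    """Everything that is not the Windows default; each entry is a DLL lsass loads at boot."""
    return [p for p in packages if p.lower() not in DEFAULT_AUTH_PACKAGES]


def decode_reg_multi_sz_hex7(value):
    """Decode a .reg 'hex(7):..' value (NUL-separated strings, double-NUL terminated).
    Assumes REGEDIT4 encoding (one byte per character), as the CFScript uses."""
    hex_part = value.split(":", 1)[1]
    raw = bytes(int(b, 16) for b in hex_part.split(",") if b.strip())
    return [s for s in raw.decode("ascii").split("\0") if s]


def encode_reg_multi_sz_hex7(strings):
    """Inverse of decode_reg_multi_sz_hex7: build the hex(7) text for a list of strings."""
    raw = ("".join(s + "\0" for s in strings) + "\0").encode("ascii")
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def check_lsa(log_text, repair_value):
    """Summarise what is loaded now, what is not default, and what the repair leaves in place."""
    current = parse_auth_packages(log_text)
    after = decode_reg_multi_sz_hex7(repair_value)
    return {
        "current": current,
        "suspicious": suspicious_auth_packages(current),
        "after_repair": after,
        "repair_is_default": tuple(p.lower() for p in after) == DEFAULT_AUTH_PACKAGES,
    }


if __name__ == "__main__":
    for key, val in check_lsa(SAMPLE_COMBOFIX_LOG, CFSCRIPT_REPAIR_VALUE).items():
        print(f"{key}: {val}")
```

Run against the sample, the checker reports jkkLFwur as the only suspicious package and confirms that the CFScript value decodes to exactly msv1_0. The decoder assumes the REGEDIT4 one-byte-per-character form the CFScript is written in; a "Windows Registry Editor Version 5.00" export encodes the same REG_MULTI_SZ as UTF-16LE, so a value pasted from a modern .reg file would need a UTF-16 decode instead.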

TNTMad
2009-01-12, 22:56
The requested logs will be posted on this reply and the following one. This post will contain the ComboFix and HijackThis logs you requested before you mentioned Malwarebytes' Anti-Malware in that order, while the next will include the requested logs that you mentioned at the end of your post. There are also a few questions that I need to ask. First, shortly after I dragged and dropped the CFScript into/on ComboFix, ComboFix mentioned that there was an update available and asked me if I wanted to update to the new version now. I clicked on 'No' because I was unsure if it would affect the current process. Would you like me to redo it but this time allow it to update? Next question. This computer has 2 separate accounts with administrative rights. Will this interfere with the removal of the viruses, and if so, what do you want me to do?

ComboFix 09-01-10.03 - Giannoula Popp 2009-01-12 16:23:23.2 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.375 [GMT -5:00]
Running from: c:\documents and settings\Giannoula Popp\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Giannoula Popp\Desktop\CFScript.txt

FILE ::
c:\windows\SET84.tmp
c:\windows\SET87.tmp
c:\windows\SET93.tmp
c:\windows\system32\latjrlyd.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\SET84.tmp
c:\windows\SET87.tmp
c:\windows\SET93.tmp
c:\windows\system32\latjrlyd.ini

.
((((((((((((((((((((((((( Files Created from 2008-12-12 to 2009-01-12 )))))))))))))))))))))))))))))))
.

2008-12-27 22:35 . 2008-12-27 23:09 639 --a------ c:\windows\cdplayer.ini
2008-12-27 20:11 . 2006-10-23 21:53 <DIR> d--h----- c:\documents and settings\Administrator\Application Data\Gtek
2008-12-27 20:11 . 2008-12-27 20:11 <DIR> d-------- c:\documents and settings\Administrator
2008-12-27 18:49 . 2005-10-14 20:45 135,168 --a------ c:\windows\system32\igfxres.dll
2008-12-17 22:06 . 2004-08-04 05:00 156,672 --a--c--- c:\windows\system32\dllcache\winzm.ime
2008-12-17 22:06 . 2004-08-04 05:00 156,672 --a--c--- c:\windows\system32\dllcache\winsp.ime
2008-12-17 22:06 . 2004-08-04 05:00 156,672 --a--c--- c:\windows\system32\dllcache\winpy.ime
2008-12-17 22:06 . 2004-08-04 05:00 79,360 --a--c--- c:\windows\system32\dllcache\winar30.ime
2008-12-17 22:06 . 2004-08-04 05:00 69,120 --a--c--- c:\windows\system32\dllcache\wingb.ime
2008-12-17 22:06 . 2004-08-04 05:00 65,536 --a--c--- c:\windows\system32\dllcache\winime.ime
2008-12-17 22:06 . 2004-08-04 05:00 28,288 --a--c--- c:\windows\system32\dllcache\xjis.nls
2008-12-17 22:04 . 2004-08-04 05:00 482,304 --a--c--- c:\windows\system32\dllcache\pintlgnt.ime
2008-12-17 22:03 . 2004-08-04 05:00 1,875,968 --a--c--- c:\windows\system32\dllcache\msir3jp.lex
2008-12-17 22:03 . 2004-08-04 05:00 229,439 --a--c--- c:\windows\system32\dllcache\multibox.dll
2008-12-17 22:03 . 2004-08-04 05:00 111,104 --a--c--- c:\windows\system32\dllcache\mtstocom.exe
2008-12-17 22:03 . 2004-08-04 05:00 98,304 --a--c--- c:\windows\system32\dllcache\msir3jp.dll
2008-12-17 22:03 . 2004-08-04 05:00 92,416 --a--c--- c:\windows\system32\dllcache\mga.sys
2008-12-17 22:03 . 2004-08-04 05:00 92,032 --a--c--- c:\windows\system32\dllcache\mga.dll
2008-12-17 22:03 . 2001-08-17 22:36 65,536 --a--c--- c:\windows\system32\dllcache\EXCH_mailmsg.dll
2008-12-17 22:03 . 2001-08-17 22:36 38,912 --a--c--- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2008-12-17 22:03 . 2004-08-04 05:00 33,792 --a--c--- c:\windows\system32\dllcache\lmmib2.dll
2008-12-17 22:03 . 2004-08-04 05:00 22,528 --a--c--- c:\windows\system32\dllcache\lpdsvc.dll
2008-12-17 22:03 . 2004-08-04 05:00 18,944 --a--c--- c:\windows\system32\dllcache\lprmon.dll
2008-12-17 22:03 . 2004-08-04 05:00 7,680 --a--c--- c:\windows\system32\dllcache\migregdb.exe
2008-12-17 22:01 . 2004-08-04 05:00 10,096,640 --a--c--- c:\windows\system32\dllcache\hwxcht.dll
2008-12-17 22:00 . 2004-08-04 05:00 1,677,824 --a--c--- c:\windows\system32\dllcache\chsbrkr.dll
2008-12-17 21:59 . 2004-05-13 00:39 876,653 --a--c--- c:\windows\system32\dllcache\fp4awel.dll
2008-12-17 21:58 . 2003-03-24 16:52 188,480 --a--c--- c:\windows\system32\dllcache\cfgwiz.exe
2008-12-17 21:58 . 2004-05-13 00:39 184,435 --a--c--- c:\windows\system32\dllcache\fp4amsft.dll
2008-12-17 21:58 . 2003-03-24 16:52 20,540 --a--c--- c:\windows\system32\dllcache\author.dll
2008-12-17 21:58 . 2003-03-24 16:52 20,540 --a--c--- c:\windows\system32\dllcache\admin.dll
2008-12-17 21:58 . 2003-03-24 16:52 16,439 --a--c--- c:\windows\system32\dllcache\author.exe
2008-12-17 21:58 . 2003-03-24 16:52 16,439 --a--c--- c:\windows\system32\dllcache\admin.exe
2008-12-17 21:49 . 2008-12-17 21:49 749 -rah----- c:\windows\WindowsShell.Manifest
2008-12-17 21:49 . 2008-12-17 21:49 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest
2008-12-17 21:49 . 2008-12-17 21:49 749 -rah----- c:\windows\system32\sapi.cpl.manifest
2008-12-17 21:49 . 2008-12-17 21:49 749 -rah----- c:\windows\system32\ncpa.cpl.manifest
2008-12-17 21:49 . 2008-12-17 21:49 488 -rah----- c:\windows\system32\logonui.exe.manifest
2008-12-17 21:44 . 2004-08-04 05:00 16,384 --a--c--- c:\windows\system32\dllcache\isignup.exe
2008-12-17 21:43 . 2004-08-04 05:00 214,528 --a--c--- c:\windows\system32\dllcache\icwconn1.exe
2008-12-17 21:43 . 2004-08-04 05:00 86,016 --a--c--- c:\windows\system32\dllcache\icwconn2.exe
2008-12-17 21:43 . 2004-08-04 05:00 32,768 --a--c--- c:\windows\system32\dllcache\icwdl.dll
2008-12-17 21:43 . 2004-08-04 05:00 20,480 --a--c--- c:\windows\system32\dllcache\inetwiz.exe
2008-12-17 21:19 . 2004-08-04 05:00 2,012,670 --a--c--- c:\windows\system32\dllcache\NT5.CAT
2008-12-17 21:19 . 2004-08-04 05:00 1,086,058 --a--c--- c:\windows\system32\dllcache\NTPRINT.CAT
2008-12-17 21:19 . 2004-08-04 05:00 1,042,903 --a--c--- c:\windows\system32\dllcache\SP2.CAT
2008-12-17 21:19 . 2004-08-04 05:00 797,189 --a--c--- c:\windows\system32\dllcache\NT5IIS.CAT
2008-12-17 21:19 . 2004-08-04 05:00 399,645 --a--c--- c:\windows\system32\dllcache\MAPIMIG.CAT
2008-12-17 21:19 . 2004-08-04 05:00 382,952 --a--c--- c:\windows\system32\dllcache\NT5INF.CAT
2008-12-17 19:59 . 2008-12-17 20:21 90,112 --a------ c:\windows\DUMP5fa4.tmp
2008-12-17 16:05 . 2008-12-17 16:05 <DIR> d-------- c:\windows\dell
2008-12-17 16:05 . 2008-12-18 13:52 527,921,152 --a------ c:\windows\MEMORY.DMP
2008-12-14 13:57 . 2008-12-14 13:57 <DIR> d-------- c:\windows\LastGood.Tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-28 01:59 50,526 ----a-w c:\documents and settings\Giannoula Popp\Application Data\wklnhst.dat
2008-12-17 23:38 --------- d-----w c:\program files\Veoh Networks
2008-12-14 18:58 --------- d-----w c:\program files\Windows Live Safety Center
2008-12-10 10:57 --------- d-----w c:\program files\Dl_cats
2008-11-29 22:08 --------- d-----w c:\program files\vixy.net
2008-11-19 20:00 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-13 03:13 --------- d-----w c:\documents and settings\Joshua Popp\Application Data\DivX
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-10-28 22:35 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-10-28 22:35 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-10-28 22:35 684,032 ----a-w c:\windows\system32\DivX.dll
2008-10-27 15:04 70,992 ----a-w c:\windows\system32\XAPOFX1_2.dll
2008-10-27 15:04 514,384 ----a-w c:\windows\system32\XAudio2_3.dll
2008-10-27 15:04 235,856 ----a-w c:\windows\system32\xactengine3_3.dll
2008-10-27 15:04 23,376 ----a-w c:\windows\system32\X3DAudio1_5.dll
2008-06-10 00:20 504 ----a-w c:\documents and settings\Joshua Popp\Application Data\wklnhst.dat
2007-06-17 20:54 385 ----a-w c:\program files\MahJongg.lnk
2006-10-24 02:42 0 ---ha-w c:\documents and settings\All Users\Application Data\gwseh.dat
2006-10-29 21:33 8 --sha-r c:\windows\system32\BA83ACF171.sys
2006-10-29 21:33 2,828 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2009-01-11_15.24.02.45 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-28 01:51:35 74,046 ----a-w c:\windows\system32\perfc009.dat
+ 2009-01-11 20:25:22 74,046 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-28 01:51:35 430,676 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-11 20:25:22 430,676 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB7520"="command" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-28 185872]
"DLCICATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCItime.dll" [2006-02-24 73728]
"MCUpdateExe"="c:\progra~1\McAfee.com\Agent\McUpdate.exe" [2006-01-11 212992]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-08-03 1032192]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]
"dlcimon.exe"="c:\program files\Dell AIO Printer 946\dlcimon.exe" [2006-02-13 430080]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 110592]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"fssui"="c:\program files\Windows Live\Family Safety\fssui.exe" [2007-12-17 243240]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]
"SRFirstRun"="srclient.dll" [2004-08-04 c:\windows\system32\srclient.dll]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 dlci_device;dlci_device;c:\windows\system32\dlcicoms.exe -service --> c:\windows\system32\dlcicoms.exe -service [?]
S4 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2008-05-28 43816]
S4 fsssvc;Windows Live OneCare Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2007-12-17 523816]
S4 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]
.
Contents of the 'Scheduled Tasks' folder

2008-10-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2008-12-17 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20]

2008-12-12 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (NEWONE-Giannoula Popp).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe []

2009-01-12 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Supplementary Scan -------
.
uStart Page = https://home.secureapp.att.net/bellsouth/s/userinfo.dll?ep=1031&spage=sso/logon.htm
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: online.musicmatch.com
FF - ProfilePath - c:\documents and settings\Giannoula Popp\Application Data\Mozilla\Firefox\Profiles\55dfl850.default\
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("network.protocol-handler.warn-external.veoh2", false);
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-12 16:26:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCICATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCItime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-12 16:28:49
ComboFix-quarantined-files.txt 2009-01-12 21:28:17
ComboFix2.txt 2009-01-11 20:25:26

Pre-Run: 15,785,213,952 bytes free
Post-Run: 15,773,020,160 bytes free

205 --- E O F --- 2008-10-23 23:01:59



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:31:32 PM, on 1/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://home.secureapp.att.net/bellsouth/s/userinfo.dll?ep=1031&spage=sso/logon.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DLCICATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCItime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [dlcimon.exe] "C:\Program Files\Dell AIO Printer 946\dlcimon.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [fssui] "C:\Program Files\Windows Live\Family Safety\fssui.exe" -autorun
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SRFirstRun] rundll32 srclient.dll,CreateFirstRunRp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB7520] command /c del "C:\WINDOWS\system32\ruwFLkkj.ini"
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: dlci_device - - C:\WINDOWS\system32\dlcicoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

--
End of file - 5040 bytes

ken545
2009-01-12, 23:33
It does not matter about the accounts; all these infections are on your Operating System itself.

You did just fine with combofix.


Fix these with HJT

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O4 - HKCU\..\RunOnce: [SpybotDeletingB7520] command /c del "C:\WINDOWS\system32\ruwFLkkj.ini"


Reboot and try logging into Normal Windows.
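
As an added example (not code from this thread, from HijackThis, or from ken545's instructions), here is a small Python triage script for HijackThis-style log lines. It parses the "Rn - ..." / "On - ..." lines HJT prints and flags the two entry shapes ken545 asked to have fixed above: an Internet Explorer R0/R1 setting whose value is empty, and a RunOnce entry whose only job is to delete a file (a one-shot leftover from an earlier cleanup). The sample log is constructed from lines in the format shown in this thread; the example.invalid start page is a placeholder.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread; it is not part of HijackThis, ComboFix or the
helper's instructions. It parses the "Rn - ..." / "On - ..." lines that
HijackThis prints and flags the two entry shapes the helper asked to fix:
an Internet Explorer R0/R1 setting with an empty value, and a RunOnce entry
that only deletes a file (a leftover one-shot cleanup command).
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample log. The lines follow the format shown in the thread;
# the Local Page and RunOnce lines are the two entries the helper flagged.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://example.invalid/start
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB7520] command /c del "C:\WINDOWS\system32\ruwFLkkj.ini"
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
"""


@dataclass
class HjtEntry:
    section: str  # "R0", "O4", "O23", ...
    body: str     # text after "Rn - " / "On - "
    raw: str      # the original line


@dataclass
class Finding:
    section: str
    raw: str
    reason: str


# Every HJT entry starts with a section tag such as R0, O4 or O23.
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.*)$")
# R0/R1 body: <registry key>,<value name> = <data>
IE_SETTING_RE = re.compile(r"^(?P<key>HK\w+\\[^,]*),(?P<name>[^=]+?) = ?(?P<data>.*)$")
# O4 body: <hive>\..\<Run|RunOnce|...>: [<entry name>] <command line>
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
# A cmd.exe-style "del <path>" at the end of a command line.
DEL_RE = re.compile(r'\bdel\s+"?(?P<path>[^"]+?)"?\s*$', re.IGNORECASE)


def parse_hjt_log(text: str) -> List[HjtEntry]:
    """Return one HjtEntry per recognised 'Xn - ...' line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(HjtEntry(m["section"], m["body"], line.strip()))
    return entries


def count_by_section(entries: List[HjtEntry]) -> Dict[str, int]:
    """Count entries per section tag, a quick overview of a log's shape."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


def triage(entries: List[HjtEntry]) -> List[Finding]:
    """Flag empty IE settings and RunOnce entries, the two shapes fixed in this thread."""
    findings = []
    for e in entries:
        if e.section in ("R0", "R1"):
            m = IE_SETTING_RE.match(e.body)
            if m and not m["data"].strip():
                findings.append(Finding(e.section, e.raw,
                    f"IE setting '{m['name']}' has an empty value; remove the entry with HJT"))
        elif e.section == "O4":
            m = O4_RE.match(e.body)
            if m and m["key"].lower() == "runonce":
                d = DEL_RE.search(m["command"])
                what = f"deletes {d['path']}" if d else "runs once at next logon"
                findings.append(Finding(e.section, e.raw,
                    f"RunOnce entry '{m['name']}' {what}; a one-shot leftover, remove it with HJT"))
    return findings


if __name__ == "__main__":
    parsed = parse_hjt_log(SAMPLE_HJT_LOG)
    print("entries by section:", count_by_section(parsed))
    for f in triage(parsed):
        print(f"[{f.section}] {f.reason}\n    {f.raw}")
```

Run it on a saved HJT log by reading the file into `parse_hjt_log`; the regexes only recognise the R/O line shapes shown here, so unusual O4 forms (Startup folder entries, for example) are counted but not triaged.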

TNTMad
2009-01-13, 00:32
No luck with logging into normal windows. I had restarted as per your instructions before your most recent post at 00:33 and ran into several problems along the way.

The first problem was that after I tried to log on to an account I received the following message:
"Windows cannot create a local profile and is logging you on with a temporary profile." The message then goes on to state something about the profile being deleted later or something. Sorry, but I am a slow writer and was unable to write down more of the message before its timer to automatically continue ran out.

After that, while the computer was continuing to attempt to log on, I received a message stating the following:
"One of the files containing the system's Registry data had to be recovered by use of a log or alternate copy. The recovery was successful."

When it finally logged me onto the temporary profile, I was unable to access the Start > All Programs area at all. After I told the computer to restart, it went into a weird blue screen thing. The message that the blue screen supplied me with was:
STOP: <0000135 {Unable To Locate Component}

This application has failed to start because CFGMGR32.dll was not found. Re-installing the application may fix the problem.

Beginning dump of physical memory
Dumping physical memory to disk: # (# went from 1 to 100 then the system restarted)

When I went to tell you this I found out that you had replied to my 23:56 post with your 00:33 post. I did what you requested and tried logging on to Normal Windows. After a few minutes of the system logging on, a small window with only a white 'X' within a red circle and the option 'OK' appeared. I clicked on 'OK' and the system immediately started logging me back off. After it logged me off, I restarted and am now back into Safe Mode with Networking.

I hope this information can be of some help as to what the problems are.

ken545
2009-01-13, 00:39
Hi,

Logging onto Windows appears to be a Windows issue, and we just do malware removal in this forum. I am going to link you to some Windows support sites that will help you fix that problem.

Windows Tech Support Forums

Windows Helpnet (http://www.windowsbbs.com/) <-- Excellent XP Forum
PcPitStop (http://pcpitstop.com/) <-- You can take your system in for a checkup here.
Windows Support (http://forums.whatthetech.com/Microsoft_Windows_f119.html)
How did I get infected in the first place? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Good luck with your log-on issue.

Ken:)

ken545
2009-01-18, 10:53
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.