Virtumonde
I keep running scans and quarantining it, but it always comes back.
Here is the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:47:10 PM, on 1/16/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\COMMON~1\AOL\122904~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\122904~1\EE\AOLServiceHost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\DriveIcon\DriveIcon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner.Brett-C\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Webroot\WebrootSecurity\SSU.EXE
C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX3414
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX3414
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX3414
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX3414
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [ehTray] "C:\WINDOWS\ehome\ehtray.exe"
O4 - HKLM\..\Run: [Reminder] "C:\WINDOWS\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Recguard] "C:\WINDOWS\SMINST\RECGUARD.EXE"
O4 - HKLM\..\Run: [AGRSMMSG] "C:\WINDOWS\AGRSMMSG.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "C:\WINDOWS\system32\nwiz.exe" /installquiet /nodetect
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [DriveIcons] "C:\Program Files\DriveIcon\DriveIcon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner.Brett-C\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: ihywbl.dll dvhkef.dll bujwam.dll eemafk.dll jfsbir.dll gjpkdz.dll aprktr.dll
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
--
End of file - 7540 bytes
Also, SuperJuan was found on my system.
Hello and welcome to Safer Networking.
My name is peku006 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.
Please observe these rules while we work:
If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Please continue to respond until I give you the "All Clear".
If you follow these instructions, everything should go smoothly.
1 - Scan With ComboFix
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
How to Temporarily Disable Anti-virus (http://www.bleepingcomputer.com/forums/topic114351.html)
Please include the C:\ComboFix.txt in your next reply for further review.
2 - Run Hijackthis
Click on the "Do a system scan and save a logfile" button. It will scan, and the log should open in Notepad.
3 - Status Check
Please reply with
1. the ComboFix log (C:\ComboFix.txt)
2. a fresh HijackThis log
Thanks, peku006
ComboFix log:
ComboFix 09-01-21.04 - Owner 2009-01-22 18:09:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.959.147 [GMT -8:00]
Running from: c:\documents and settings\Owner.Brett-C\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
AV: Webroot AntiVirus with AntiSpyware *On-access scanning enabled* (Updated)
FW: Webroot Internet Security Essentials *disabled*
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Owner.Brett-C\Application Data\.#
c:\documents and settings\Owner.Brett-C\Application Data\.#\MBX@1098@13239D0.###
c:\documents and settings\Owner.Brett-C\Application Data\.#\MBX@1098@13239E0.###
c:\documents and settings\Owner.Brett-C\Application Data\.#\MBX@13CC@13439B0.###
c:\documents and settings\Owner.Brett-C\Application Data\.#\MBX@13CC@13439C0.###
c:\documents and settings\Owner.Brett-C\Application Data\.#\MBX@208@13539D0.###
c:\documents and settings\Owner.Brett-C\Application Data\.#\MBX@208@13539E0.###
c:\documents and settings\Owner.Brett-C\Application Data\.#\MBX@59C@13239D0.###
c:\documents and settings\Owner.Brett-C\Application Data\.#\MBX@59C@13239E0.###
c:\documents and settings\Owner.Brett-C\Application Data\.#\MBX@5C0@13239D0.###
c:\documents and settings\Owner.Brett-C\Application Data\.#\MBX@5C0@13239E0.###
c:\documents and settings\Owner.Brett-C\Application Data\.#\MBX@844@13739B0.###
c:\documents and settings\Owner.Brett-C\Application Data\.#\MBX@844@13739C0.###
c:\documents and settings\Owner.Brett-C\Application Data\.#\MBX@8AC@13539B0.###
c:\documents and settings\Owner.Brett-C\Application Data\.#\MBX@8AC@13539C0.###
c:\documents and settings\Owner.Brett-C\Application Data\.#\MBX@9E0@13539B0.###
c:\documents and settings\Owner.Brett-C\Application Data\.#\MBX@9E0@13539C0.###
c:\documents and settings\Owner.Brett-C\Application Data\.#\MBX@A2C@13239D0.###
c:\documents and settings\Owner.Brett-C\Application Data\.#\MBX@A2C@13239E0.###
c:\documents and settings\Owner.Brett-C\Application Data\.#\MBX@C3C@13239D0.###
c:\documents and settings\Owner.Brett-C\Application Data\.#\MBX@C3C@13239E0.###
c:\documents and settings\Owner.Brett-C\Application Data\.#\MBX@D48@13239D0.###
c:\documents and settings\Owner.Brett-C\Application Data\.#\MBX@D48@13239E0.###
c:\documents and settings\Owner.Brett-C\Application Data\.#\MBX@D70@13439B0.###
c:\documents and settings\Owner.Brett-C\Application Data\.#\MBX@D70@13439C0.###
c:\documents and settings\Owner.Brett-C\Application Data\.#\MBX@DB4@13239D0.###
c:\documents and settings\Owner.Brett-C\Application Data\.#\MBX@DB4@13239E0.###
c:\documents and settings\Owner.Brett-C\Application Data\.#\MBX@FD8@13439B0.###
c:\documents and settings\Owner.Brett-C\Application Data\.#\MBX@FD8@13439C0.###
c:\documents and settings\Owner.Brett-C\Application Data\gadcom
c:\documents and settings\Owner.Brett-C\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\baujdfex.dll
c:\windows\system32\bjamfx.dll
c:\windows\system32\bujwam.dll
c:\windows\system32\dvhkef.dll
c:\windows\system32\fknrirdp.dll
c:\windows\system32\iovoflbf.dll
c:\windows\system32\kRBIkUvw.ini
c:\windows\system32\kRBIkUvw.ini2
c:\windows\system32\lscqefix.dll
c:\windows\system32\vgdmcqvi.dll
c:\windows\system32\ycxxtsyk.dll
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-12-23 to 2009-01-23 )))))))))))))))))))))))))))))))
.
2010-01-25 17:58 . 2010-01-25 17:59 120 --ahs---- c:\windows\system32\pnuiskom.ini
2009-01-21 21:22 . 2009-01-21 21:22 <DIR> d-------- c:\program files\Tencent
2009-01-21 21:22 . 2009-01-21 21:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Tencent
2009-01-21 21:21 . 2009-01-21 21:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-01-21 21:21 . 2009-01-21 21:21 21 --a------ c:\windows\atid.ini
2009-01-21 21:20 . 2009-01-21 21:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2009-01-21 21:19 . 2009-01-21 21:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL OCP
2009-01-21 21:18 . 2009-01-21 21:23 <DIR> d-------- c:\program files\AIM6
2009-01-13 18:00 . 2009-01-21 22:42 <DIR> d-------- c:\documents and settings\Owner.Brett-C\Application Data\SI Swimsuit Calendar
2009-01-13 17:59 . 2009-01-13 17:59 <DIR> d-------- c:\program files\SI Swimsuit Calendar
2009-01-13 17:59 . 2009-01-13 17:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\SI Swimsuit Calendar
2009-01-12 17:50 . 2009-01-12 17:50 120 --ahs---- c:\windows\system32\mqenwkcu.ini
2009-01-11 18:07 . 2009-01-11 18:07 120 --ahs---- c:\windows\system32\ksbbkwsi.ini
2009-01-10 17:51 . 2009-01-10 17:51 120 --ahs---- c:\windows\system32\fblfovoi.ini
2009-01-09 18:19 . 2009-01-09 18:19 120 --ahs---- c:\windows\system32\xifeqcsl.ini
2009-01-07 16:13 . 2009-01-07 16:13 120 --ahs---- c:\windows\system32\ceredmmk.ini
2009-01-06 16:38 . 2009-01-06 16:38 120 --ahs---- c:\windows\system32\umobqefk.ini
2009-01-06 16:33 . 2004-05-10 12:42 110,592 --a------ c:\windows\system32\suppdll.dll
2009-01-06 16:33 . 2009-01-06 17:56 35,363 --a------ c:\windows\system32\windrvNT.sys
2009-01-05 19:34 . 2009-01-05 19:34 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Webroot
2009-01-05 19:11 . 2009-01-05 19:11 <DIR> d-------- c:\documents and settings\Owner.Brett-C\Application Data\Steganos
2009-01-05 16:36 . 2009-01-05 16:36 1,306,349 --ahs---- c:\windows\system32\qcnlbdqg.ini
2009-01-04 12:56 . 2009-01-04 12:56 1,307,356 --ahs---- c:\windows\system32\bfcepvki.ini
2009-01-04 10:19 . 2009-01-04 10:20 1,307,356 --ahs---- c:\windows\system32\jjnilkft.ini
2009-01-03 09:30 . 2009-01-03 09:30 1,307,356 --ahs---- c:\windows\system32\wydypdnp.ini
2008-12-25 22:16 . 2008-12-25 22:16 120 --ahs---- c:\windows\system32\ivmwxloe.ini
2008-12-24 17:19 . 2008-12-25 09:34 1,661,209 --ahs---- c:\windows\system32\ivqcmdgv.ini
2008-12-24 11:44 . 2008-12-24 11:44 120 --ahs---- c:\windows\system32\luocgvxc.ini
2008-12-24 11:04 . 2008-12-24 11:04 <DIR> d-------- c:\program files\ESET
2008-12-23 11:40 . 2008-12-23 11:40 120 --ahs---- c:\windows\system32\otypahpg.ini
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-22 05:20 --------- d-----w c:\program files\Viewpoint
2009-01-22 05:20 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-01-22 05:19 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-01-19 22:50 --------- d-----w c:\program files\Folder Lock
2008-12-23 18:29 --------- d-----w c:\program files\Google
2008-12-23 18:15 --------- d-----w c:\program files\DivX
2008-12-22 06:14 --------- d-----w c:\program files\MySpace
2008-12-22 06:14 --------- d-----w c:\documents and settings\Owner.Brett-C\Application Data\MySpace
2008-12-22 06:05 --------- d-----w c:\program files\Paint.NET
2008-12-22 05:02 --------- d-----w c:\program files\Trend Micro
2008-12-21 19:12 --------- d-----w c:\documents and settings\Owner.Brett-C\Application Data\AdobeUM
2008-12-19 15:40 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-19 05:01 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-19 05:01 --------- d-----w c:\program files\CyberLink
2008-12-17 22:47 --------- d-----w c:\program files\Microsoft Works
2008-12-16 05:53 --------- d-----w c:\documents and settings\Owner.Brett-C\Application Data\DivX
2008-12-16 05:52 --------- d-----w c:\documents and settings\Owner.Brett-C\Application Data\Apple Computer
2008-12-13 17:46 --------- d-----w c:\documents and settings\All Users\Application Data\ESET
2008-12-13 16:40 --------- d-----w c:\program files\MSXML 4.0
2008-12-12 04:54 --------- d-----w c:\program files\Java
2008-12-12 04:21 --------- d-----w c:\documents and settings\All Users\Application Data\Webroot
2008-12-12 04:18 --------- d-----w c:\program files\Pure Networks
2008-12-12 04:05 164 ----a-w C:\install.dat
2008-12-12 03:59 --------- d-----w c:\program files\Webroot
2008-12-12 03:59 --------- d-----w c:\documents and settings\Owner.Brett-C\Application Data\Webroot
2008-12-12 03:55 --------- d-----w c:\program files\Napster
2008-12-12 03:55 --------- d-----w c:\documents and settings\All Users\Application Data\Napster
2008-12-12 03:51 --------- d-----w c:\program files\iTunes
2008-12-12 03:51 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-12 03:50 --------- d-----w c:\program files\iPod
2008-12-12 03:50 --------- d-----w c:\program files\Common Files\Apple
2008-12-12 03:50 --------- d-----w c:\documents and settings\Owner.Brett-C\Application Data\McAfee.com Personal Firewall
2008-12-12 03:50 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-12 03:49 --------- d-----w c:\program files\QuickTime
2008-12-12 03:49 --------- d-----w c:\program files\Bonjour
2008-12-12 03:46 --------- d-----w c:\program files\Apple Software Update
2008-12-12 03:44 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-12-12 03:40 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2008-12-12 03:40 --------- d-----w c:\program files\Windows Live
2008-12-12 03:37 --------- d-----w c:\program files\Common Files\AOL
2008-12-12 03:34 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-12-12 00:57 --------- d-----w c:\program files\McAfee
2008-12-12 00:57 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee.com Personal Firewall
2008-12-12 00:57 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-12-12 00:56 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee.com
2008-12-12 00:54 --------- d-----w c:\program files\gtw_logo
2008-12-12 00:54 --------- d-----w c:\program files\DriveIcon
2008-12-12 00:53 --------- d-----w c:\program files\Synaptics
2008-12-12 00:51 --------- d-----w c:\program files\AMD
2008-12-12 00:51 --------- d-----w c:\documents and settings\Owner.Brett-C\Application Data\SampleView
2008-12-12 00:51 --------- d-----w c:\documents and settings\Administrator\Application Data\SampleView
2008-12-12 00:49 --------- d-----w c:\program files\MSN Encarta Plus
2008-12-12 00:49 --------- d-----w c:\program files\Common Files\Nullsoft
2008-12-12 00:49 --------- d-----w c:\program files\Common Files\aolshare
2008-12-12 00:49 --------- d-----w c:\program files\America Online 9.0
2008-12-12 00:49 --------- d-----w c:\documents and settings\Owner.Brett-C\Application Data\You've Got Pictures Screensaver
2008-12-12 00:49 --------- d-----w c:\documents and settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-12-12 00:48 8,552 ----a-w c:\windows\system32\drivers\asctrm.sys
2008-12-12 00:48 --------- d-----w c:\program files\Real
2008-12-12 00:48 --------- d-----w c:\program files\Common Files\Real
2008-12-12 00:48 --------- d-----w c:\documents and settings\All Users\Application Data\QuickTime
2008-12-12 00:48 --------- d-----w c:\documents and settings\All Users\Application Data\Pure Networks
2008-12-12 00:47 --------- d-----w c:\program files\Common Files\Roxio Shared
2008-12-12 00:46 --------- d-----w c:\program files\Microsoft Digital Image 2006
2008-12-12 00:46 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-12 00:45 --------- d-----w c:\program files\Common Files\Adobe
2008-12-12 00:43 --------- d-----w c:\program files\SigmaTel
2008-12-12 00:42 --------- d-----w c:\program files\Common Files\Java
2008-12-12 00:39 --------- d-----w c:\program files\BigFix
2008-12-12 00:33 --------- d-----w c:\program files\Microsoft.NET
2008-12-12 00:28 --------- d-----w c:\program files\Common Files\New Boundary
2008-12-12 00:28 --------- d-----w c:\documents and settings\All Users\Application Data\Prism Deploy
2008-12-11 23:10 --------- d-----w c:\program files\Windows Plus
2008-12-11 23:10 --------- d-----w c:\program files\microsoft frontpage
2008-11-14 01:11 1,553,272 ----a-w c:\windows\WRSetup.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2008-11-13 17:04 238968 --a------ c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"Google Update"="c:\documents and settings\Owner.Brett-C\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-01-15 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"AGRSMMSG"="c:\windows\AGRSMMSG.exe" [2005-12-12 88204]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-27 7561216]
"nwiz"="c:\windows\system32\nwiz.exe" [2006-04-27 1519616]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-07 737370]
"DriveIcons"="c:\program files\DriveIcon\DriveIcon.exe" [2006-03-16 655360]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-11 136600]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-07-01 1447168]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2008-11-13 6273400]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2008-12-11 2168360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\1229042854\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Tencent\\QQ Games\\QQGames.exe"=
"c:\\Program Files\\Tencent\\QQ Games\\QQGamesD.exe"=
"c:\\Program Files\\Tencent\\QQ Games\\Update\\Update.exe"=
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-11-12 29808]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-07-01 34312]
R4 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-07-01 468224]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2009-01-21 24652]
R4 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [2008-12-11 1086840]
.
Contents of the 'Scheduled Tasks' folder
2008-12-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2009-01-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-917182482-1572896559-854172064-1006.job
- c:\documents and settings\Owner.Brett-C\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-15 20:08]
2009-01-16 c:\windows\Tasks\wrSpySweeper_L616E2964308041448C2AF145202F362B.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2008-11-13 17:11]
2009-01-16 c:\windows\Tasks\wrSpySweeper_L616E2964308041448C2AF145202F362B.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2008-11-13 17:11]
2009-01-16 c:\windows\Tasks\wrSpySweeper_L616E2964308041448C2AF145202F362B.job
- C:\ [2009-01-22 18:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX3414
uSearch Bar = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX3414
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX3414
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX3414
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner.Brett-C\Application Data\Mozilla\Firefox\Profiles\r3buwjeo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.weirdspot.com/
FF - plugin: c:\documents and settings\Owner.Brett-C\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-22 18:14:06
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\progra~1\BigFix\bigfix.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Webroot\WebrootSecurity\SpySweeper.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Windows Live\Messenger\usnsvc.exe
c:\program files\Webroot\WebrootSecurity\SSU.exe
.
**************************************************************************
.
Completion time: 2009-01-22 18:19:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-23 02:18:57
Pre-Run: 15,408,844,800 bytes free
Post-Run: 15,573,815,296 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /usepmtimer
297 --- E O F --- 2008-12-21 18:39:48
Hijack log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:20:14 PM, on 1/22/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\DriveIcon\DriveIcon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Owner.Brett-C\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\WebrootSecurity\SSU.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX3414
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX3414
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX3414
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX3414
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [ehTray] "C:\WINDOWS\ehome\ehtray.exe"
O4 - HKLM\..\Run: [Reminder] "C:\WINDOWS\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Recguard] "C:\WINDOWS\SMINST\RECGUARD.EXE"
O4 - HKLM\..\Run: [AGRSMMSG] "C:\WINDOWS\AGRSMMSG.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "C:\WINDOWS\system32\nwiz.exe" /installquiet /nodetect
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [DriveIcons] "C:\Program Files\DriveIcon\DriveIcon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner.Brett-C\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
--
End of file - 7569 bytes
Thanks for all your help
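One way to triage a HijackThis log like the one above, as an added example that is not part of this thread or of any tool it mentions: parse the R0/R1, O2, O4 and O23 lines into records and flag autostart, BHO and service entries that load a random-looking file from system32, which is the naming pattern of the Vundo files that later turn up quarantined in this thread (baujdfex.dll, lscqefix.dll). The name-length threshold, the small allowlist and the sample log lines are this example's own assumptions; the all-zero CLSID is a placeholder.

```python
"""Parse Trend Micro HijackThis v2 log lines and flag entries that load a
randomly named file from system32.  Added example, not part of the thread;
the heuristic thresholds and allowlist are this example's assumptions."""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class HjtEntry:
    section: str        # HijackThis item code: R0, R1, O2, O4, O23 ...
    name: str           # display name / value name of the entry
    paths: List[str]    # every Windows file path found on the line
    raw: str            # the original log line


# Entry formats as they appear in HijackThis v2.0.2 logs.
_O2 = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$')
_O4 = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<rest>.+)$')
_O23 = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<vendor>.*?) - (?P<path>.+)$')
_R = re.compile(r'^(?P<sec>R[01]) - (?P<name>.+?) = (?P<url>.+)$')
# A drive-letter path, stopping at a quote or the comma of a rundll32 "dll,entry" pair.
_PATH = re.compile(r'[A-Za-z]:\\[^",]+')

# Heuristic (assumption): Vundo-style names in this thread are 6-9 random lowercase
# letters with a dll/exe/ini extension, living directly in system32.
_RANDOM = re.compile(r'^[a-z]{6,9}\.(?:dll|exe|ini)$')
_SYS32 = re.compile(r'\\windows\\system32\\', re.IGNORECASE)
# Legitimate system32 files with short lowercase names; extend locally as needed.
KNOWN_GOOD = {'ctfmon.exe', 'rundll32.exe', 'nwiz.exe', 'nvcpl.dll', 'shdocvw.dll'}


def parse_hjt(text: str) -> List[HjtEntry]:
    """Turn the R/O2/O4/O23 lines of a HijackThis log into HjtEntry records."""
    entries: List[HjtEntry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        for section, rx in (('O2', _O2), ('O4', _O4), ('O23', _O23)):
            m = rx.match(line)
            if m:
                entries.append(HjtEntry(section, m['name'], _PATH.findall(line), line))
                break
        else:
            m = _R.match(line)
            if m:  # URL entries carry no file path
                entries.append(HjtEntry(m['sec'], m['name'], [], line))
    return entries


def suspicious(entry: HjtEntry) -> bool:
    """True if a BHO, Run or service entry loads a random-looking file from system32."""
    if entry.section not in ('O2', 'O4', 'O23'):
        return False
    for p in entry.paths:
        if not _SYS32.search(p):
            continue
        base = p.rsplit('\\', 1)[-1]
        if base.lower() in KNOWN_GOOD:
            continue
        if _RANDOM.match(base):
            return True
    return False


def triage(text: str) -> List[str]:
    """Return the raw log lines worth a closer look."""
    return [e.raw for e in parse_hjt(text) if suspicious(e)]


# Constructed sample: real-looking lines from the thread plus two Vundo-style
# entries (the BHO with a placeholder CLSID and the rundll32 Run value are made up).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\baujdfex.dll
O4 - HKLM\..\Run: [ehTray] "C:\WINDOWS\ehome\ehtray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKLM\..\Run: [lscqefix] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\lscqefix.dll,a
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""

if __name__ == '__main__':
    for line in triage(SAMPLE_LOG):
        print('SUSPICIOUS:', line)
```

The allowlist matters: ctfmon.exe is a genuine Windows component whose name would otherwise trip the length rule, so a check like this is a triage aid for a human reviewer, not a verdict. Anything it flags should be confirmed against the vendor signature or a scanner result, as the helper does in this thread with ComboFix and MBAM.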
Hi DoodLPK
1 - Run CFScript
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
File::
c:\windows\system32\pnuiskom.ini
c:\windows\system32\mqenwkcu.ini
c:\windows\system32\ksbbkwsi.ini
c:\windows\system32\fblfovoi.ini
c:\windows\system32\xifeqcsl.ini
c:\windows\system32\ceredmmk.ini
c:\windows\system32\umobqefk.ini
c:\windows\system32\qcnlbdqg.ini
c:\windows\system32\bfcepvki.ini
c:\windows\system32\jjnilkft.ini
c:\windows\system32\wydypdnp.ini
c:\windows\system32\ivmwxloe.ini
c:\windows\system32\ivqcmdgv.ini
c:\windows\system32\luocgvxc.ini
c:\windows\system32\otypahpg.ini
Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
2 - Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) and save it to your desktop.
alternate download link 1 (http://malwarebytes.gt500.org/mbam-setup.exe)
alternate download link 2 (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Double-click on Download_mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates, manually download them from here (http://www.malwarebytes.org/mbam/database/mbam-rules.exe) and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the "Perform full scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
Click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
3 - Status Check
Please reply with
1. the ComboFix log (C:\ComboFix.txt)
2. the Malwarebytes' Anti-Malware Log
Thanks peku006
CFScan:
ComboFix 09-01-21.04 - Owner 2009-01-23 19:38:35.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.959.501 [GMT -8:00]
Running from: c:\documents and settings\Owner.Brett-C\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner.Brett-C\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated)
FW: Webroot Internet Security Essentials *disabled*
* Created a new restore point
FILE ::
c:\windows\system32\bfcepvki.ini
c:\windows\system32\ceredmmk.ini
c:\windows\system32\fblfovoi.ini
c:\windows\system32\ivmwxloe.ini
c:\windows\system32\ivqcmdgv.ini
c:\windows\system32\jjnilkft.ini
c:\windows\system32\ksbbkwsi.ini
c:\windows\system32\luocgvxc.ini
c:\windows\system32\mqenwkcu.ini
c:\windows\system32\otypahpg.ini
c:\windows\system32\pnuiskom.ini
c:\windows\system32\qcnlbdqg.ini
c:\windows\system32\umobqefk.ini
c:\windows\system32\wydypdnp.ini
c:\windows\system32\xifeqcsl.ini
.
((((((((((((((((((((((((( Files Created from 2008-12-24 to 2009-01-24 )))))))))))))))))))))))))))))))
.
2009-01-22 22:08 . 2009-01-22 22:08 <DIR> d-------- c:\documents and settings\Owner.Brett-C\Application Data\QQ Games Plugin
2009-01-22 22:08 . 2009-01-22 22:08 <DIR> d-------- c:\documents and settings\Owner.Brett-C\Application Data\acccore
2009-01-21 21:22 . 2009-01-21 21:22 <DIR> d-------- c:\program files\Tencent
2009-01-21 21:22 . 2009-01-21 21:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Tencent
2009-01-21 21:21 . 2009-01-21 21:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-01-21 21:21 . 2009-01-21 21:21 21 --a------ c:\windows\atid.ini
2009-01-21 21:20 . 2009-01-21 21:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2009-01-21 21:19 . 2009-01-22 22:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL OCP
2009-01-21 21:18 . 2009-01-21 21:23 <DIR> d-------- c:\program files\AIM6
2009-01-13 18:00 . 2009-01-21 22:42 <DIR> d-------- c:\documents and settings\Owner.Brett-C\Application Data\SI Swimsuit Calendar
2009-01-13 17:59 . 2009-01-13 17:59 <DIR> d-------- c:\program files\SI Swimsuit Calendar
2009-01-13 17:59 . 2009-01-13 17:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\SI Swimsuit Calendar
2009-01-06 16:33 . 2004-05-10 12:42 110,592 --a------ c:\windows\system32\suppdll.dll
2009-01-06 16:33 . 2009-01-06 17:56 35,363 --a------ c:\windows\system32\windrvNT.sys
2009-01-05 19:34 . 2009-01-05 19:34 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Webroot
2009-01-05 19:11 . 2009-01-05 19:11 <DIR> d-------- c:\documents and settings\Owner.Brett-C\Application Data\Steganos
2008-12-24 11:04 . 2008-12-24 11:04 <DIR> d-------- c:\program files\ESET
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-23 05:35 --------- d-----w c:\program files\Folder Lock
2009-01-22 05:20 --------- d-----w c:\program files\Viewpoint
2009-01-22 05:20 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-01-22 05:19 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-12-23 18:29 --------- d-----w c:\program files\Google
2008-12-23 18:15 --------- d-----w c:\program files\DivX
2008-12-22 06:14 --------- d-----w c:\program files\MySpace
2008-12-22 06:14 --------- d-----w c:\documents and settings\Owner.Brett-C\Application Data\MySpace
2008-12-22 06:05 --------- d-----w c:\program files\Paint.NET
2008-12-22 05:02 --------- d-----w c:\program files\Trend Micro
2008-12-21 19:12 --------- d-----w c:\documents and settings\Owner.Brett-C\Application Data\AdobeUM
2008-12-19 15:40 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-19 05:01 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-19 05:01 --------- d-----w c:\program files\CyberLink
2008-12-17 22:47 --------- d-----w c:\program files\Microsoft Works
2008-12-16 05:53 --------- d-----w c:\documents and settings\Owner.Brett-C\Application Data\DivX
2008-12-16 05:52 --------- d-----w c:\documents and settings\Owner.Brett-C\Application Data\Apple Computer
2008-12-13 17:46 --------- d-----w c:\documents and settings\All Users\Application Data\ESET
2008-12-13 16:40 --------- d-----w c:\program files\MSXML 4.0
2008-12-12 04:54 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-12 04:54 --------- d-----w c:\program files\Java
2008-12-12 04:21 --------- d-----w c:\documents and settings\All Users\Application Data\Webroot
2008-12-12 04:18 --------- d-----w c:\program files\Pure Networks
2008-12-12 04:05 164 ----a-w C:\install.dat
2008-12-12 03:59 --------- d-----w c:\program files\Webroot
2008-12-12 03:59 --------- d-----w c:\documents and settings\Owner.Brett-C\Application Data\Webroot
2008-12-12 03:55 --------- d-----w c:\program files\Napster
2008-12-12 03:55 --------- d-----w c:\documents and settings\All Users\Application Data\Napster
2008-12-12 03:51 --------- d-----w c:\program files\iTunes
2008-12-12 03:51 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-12 03:50 --------- d-----w c:\program files\iPod
2008-12-12 03:50 --------- d-----w c:\program files\Common Files\Apple
2008-12-12 03:50 --------- d-----w c:\documents and settings\Owner.Brett-C\Application Data\McAfee.com Personal Firewall
2008-12-12 03:50 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-12 03:49 --------- d-----w c:\program files\QuickTime
2008-12-12 03:49 --------- d-----w c:\program files\Bonjour
2008-12-12 03:46 --------- d-----w c:\program files\Apple Software Update
2008-12-12 03:44 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-12-12 03:40 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2008-12-12 03:40 --------- d-----w c:\program files\Windows Live
2008-12-12 03:37 --------- d-----w c:\program files\Common Files\AOL
2008-12-12 03:34 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-12-12 00:57 --------- d-----w c:\program files\McAfee
2008-12-12 00:57 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee.com Personal Firewall
2008-12-12 00:57 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-12-12 00:56 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee.com
2008-12-12 00:54 --------- d-----w c:\program files\gtw_logo
2008-12-12 00:54 --------- d-----w c:\program files\DriveIcon
2008-12-12 00:53 --------- d-----w c:\program files\Synaptics
2008-12-12 00:51 --------- d-----w c:\program files\AMD
2008-12-12 00:51 --------- d-----w c:\documents and settings\Owner.Brett-C\Application Data\SampleView
2008-12-12 00:51 --------- d-----w c:\documents and settings\Administrator\Application Data\SampleView
2008-12-12 00:49 --------- d-----w c:\program files\MSN Encarta Plus
2008-12-12 00:49 --------- d-----w c:\program files\Common Files\Nullsoft
2008-12-12 00:49 --------- d-----w c:\program files\Common Files\aolshare
2008-12-12 00:49 --------- d-----w c:\program files\America Online 9.0
2008-12-12 00:49 --------- d-----w c:\documents and settings\Owner.Brett-C\Application Data\You've Got Pictures Screensaver
2008-12-12 00:49 --------- d-----w c:\documents and settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-12-12 00:48 8,552 ----a-w c:\windows\system32\drivers\asctrm.sys
2008-12-12 00:48 --------- d-----w c:\program files\Real
2008-12-12 00:48 --------- d-----w c:\program files\Common Files\Real
2008-12-12 00:48 --------- d-----w c:\documents and settings\All Users\Application Data\QuickTime
2008-12-12 00:48 --------- d-----w c:\documents and settings\All Users\Application Data\Pure Networks
2008-12-12 00:47 --------- d-----w c:\program files\Common Files\Roxio Shared
2008-12-12 00:46 --------- d-----w c:\program files\Microsoft Digital Image 2006
2008-12-12 00:46 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-12 00:45 --------- d-----w c:\program files\Common Files\Adobe
2008-12-12 00:43 --------- d-----w c:\program files\SigmaTel
2008-12-12 00:42 --------- d-----w c:\program files\Common Files\Java
2008-12-12 00:39 --------- d-----w c:\program files\BigFix
2008-12-12 00:33 --------- d-----w c:\program files\Microsoft.NET
2008-12-12 00:28 --------- d-----w c:\program files\Common Files\New Boundary
2008-12-12 00:28 --------- d-----w c:\documents and settings\All Users\Application Data\Prism Deploy
2008-12-11 23:10 --------- d-----w c:\program files\Windows Plus
2008-12-11 23:10 --------- d-----w c:\program files\microsoft frontpage
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-21 21:47 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-11-21 21:47 129,784 ----a-w c:\windows\system32\pxafs.dll
2008-11-21 21:47 120,056 ----a-w c:\windows\system32\pxcpyi64.exe
2008-11-21 21:47 118,520 ----a-w c:\windows\system32\pxinsi64.exe
2008-11-21 21:46 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-11-21 21:46 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-11-21 21:45 81,920 ----a-w c:\windows\system32\dpl100.dll
2008-11-21 21:45 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-11-21 21:45 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-11-21 21:45 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
2008-11-21 21:45 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-11-21 21:45 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-11-21 21:45 294,912 ----a-w c:\windows\system32\dpu10.dll
2008-11-21 21:45 196,608 ----a-w c:\windows\system32\dtu100.dll
2008-11-21 21:44 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-14 01:11 1,553,272 ----a-w c:\windows\WRSetup.dll
.
((((((((((((((((((((((((((((( snapshot@2009-01-22_18.17.50.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-17 22:32:44 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-23 10:12:12 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-17 22:32:44 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-23 10:12:12 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-01-17 22:32:44 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-23 10:12:12 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-08-28 10:04:17 333,056 -c--a-w c:\windows\system32\dllcache\srv.sys
+ 2008-12-11 11:57:21 333,184 -c--a-w c:\windows\system32\dllcache\srv.sys
- 2008-12-09 23:24:38 17,593,280 ----a-w c:\windows\system32\MRT.exe
+ 2009-01-10 01:35:28 20,853,704 ----a-w c:\windows\system32\MRT.exe
+ 2009-01-23 10:12:34 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_214.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2008-11-13 17:04 238968 --a------ c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"Google Update"="c:\documents and settings\Owner.Brett-C\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-01-15 133104]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"AGRSMMSG"="c:\windows\AGRSMMSG.exe" [2005-12-12 88204]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-27 7561216]
"nwiz"="c:\windows\system32\nwiz.exe" [2006-04-27 1519616]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-07 737370]
"DriveIcons"="c:\program files\DriveIcon\DriveIcon.exe" [2006-03-16 655360]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-11 136600]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-07-01 1447168]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2008-11-13 6273400]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2008-12-11 2168360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\1229042854\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Tencent\\QQ Games\\QQGames.exe"=
"c:\\Program Files\\Tencent\\QQ Games\\QQGamesD.exe"=
"c:\\Program Files\\Tencent\\QQ Games\\Update\\Update.exe"=
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-11-12 29808]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-07-01 34312]
R4 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-07-01 468224]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2009-01-21 24652]
R4 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [2008-12-11 1086840]
.
Contents of the 'Scheduled Tasks' folder
2008-12-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2009-01-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-917182482-1572896559-854172064-1006.job
- c:\documents and settings\Owner.Brett-C\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-15 20:08]
2009-01-23 c:\windows\Tasks\wrSpySweeper_L616E2964308041448C2AF145202F362B.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2008-11-13 17:11]
2009-01-23 c:\windows\Tasks\wrSpySweeper_L616E2964308041448C2AF145202F362B.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2008-11-13 17:11]
2009-01-23 c:\windows\Tasks\wrSpySweeper_L616E2964308041448C2AF145202F362B.job
- C:\ [2009-01-23 19:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX3414
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX3414
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner.Brett-C\Application Data\Mozilla\Firefox\Profiles\r3buwjeo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.weirdspot.com/
FF - plugin: c:\documents and settings\Owner.Brett-C\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-23 19:39:53
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
Completion time: 2009-01-23 19:41:17
ComboFix-quarantined-files.txt 2009-01-24 03:41:15
ComboFix2.txt 2009-01-24 03:36:14
ComboFix3.txt 2009-01-23 02:19:07
Pre-Run: 15,530,586,112 bytes free
Post-Run: 15,515,283,456 bytes free
259 --- E O F --- 2009-01-23 10:05:13
mbam log:
Malwarebytes' Anti-Malware 1.33
Database version: 1688
Windows 5.1.2600 Service Pack 2
1/24/2009 12:12:33 PM
mbam-log-2009-01-24 (12-12-33).txt
Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 208456
Time elapsed: 1 hour(s), 54 minute(s), 4 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\My Backup -- 08-12-11 0406PM\Documents and Settings\Owner.Brett.000\My Documents\Camtasia Studio\as\WIP\CMD\FirePassword.exe (Spyware.FirePass) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\baujdfex.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\bjamfx.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\lscqefix.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP26\A0006818.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP26\A0006819.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP47\A0020169.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP47\A0020182.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
Hi DoodLPK
Looking good :)
Let's make sure we got everything
1 - Clean temp files
Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it.
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program
2- Kaspersky Online Scan
Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.
3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad
4 - Status Check
Please reply with
1. the Kaspersky online scanner report
2. a fresh HijackThis log
How's the computer running now? Any problems?
Thanks peku006
kaspersky:
Sunday, January 25, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, January 24, 2009 20:21:51
Records in database: 1700126
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
E:\
Scan statistics
Files scanned 171332
Threat name 10
Infected objects 22
Suspicious objects 0
Duration of the scan 09:40:39
File name Threat name Threats count
C:\My Backup -- 08-12-11 0406PM\Documents and Settings\Owner.Brett.000\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-65eeb8e4 Infected: Exploit.Java.Gimsh.b 1
C:\My Backup -- 08-12-11 0406PM\Documents and Settings\Owner.Brett.000\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-463b1e57.zip Infected: Exploit.Java.Gimsh.b 1
C:\My Backup -- 08-12-11 0406PM\Documents and Settings\Owner.Brett.000\Local Settings\Temp\filejoiner.zip Infected: Constructor.Win32.Binder.nn 1
C:\My Backup -- 08-12-11 0406PM\Documents and Settings\Owner.Brett.000\Local Settings\Temp\RarSFX0\pwdump2\pwdump2.exe Infected: not-a-virus:PSWTool.Win32.PWDump.2 1
C:\My Backup -- 08-12-11 0406PM\Documents and Settings\Owner.Brett.000\Local Settings\Temp\RarSFX0\pwdump2\samdump.dll Infected: not-a-virus:PSWTool.Win32.PWDump.2 1
C:\My Backup -- 08-12-11 0406PM\Documents and Settings\Owner.Brett.000\Local Settings\Temp\RarSFX0\RockXP4_.exe Infected: not-a-virus:PSWTool.Win32.RAS.k 1
C:\My Backup -- 08-12-11 0406PM\Documents and Settings\Owner.Brett.000\Local Settings\Temp\RarSFX1\pwdump2\pwdump2.exe Infected: not-a-virus:PSWTool.Win32.PWDump.2 1
C:\My Backup -- 08-12-11 0406PM\Documents and Settings\Owner.Brett.000\Local Settings\Temp\RarSFX1\pwdump2\samdump.dll Infected: not-a-virus:PSWTool.Win32.PWDump.2 1
C:\My Backup -- 08-12-11 0406PM\Documents and Settings\Owner.Brett.000\Local Settings\Temp\RarSFX1\RockXP4_.exe Infected: not-a-virus:PSWTool.Win32.RAS.k 1
C:\My Backup -- 08-12-11 0406PM\Documents and Settings\Owner.Brett.000\My Documents\Camtasia Studio\as\WIP\CMD\iepv.exe Infected: not-a-virus:PSWTool.Win32.IEPassView.e 1
C:\My Backup -- 08-12-11 0406PM\Documents and Settings\Owner.Brett.000\My Documents\Downloads\binder\FileJoiner.exe Infected: Constructor.Win32.Binder.nn 1
C:\My Backup -- 08-12-11 0406PM\Documents and Settings\Owner.Brett.000\My Documents\My Pictures\ads\abuse\Abuse.exe Infected: Trojan-Spy.Win32.Ardamax.n 1
C:\My Backup -- 08-12-11 0406PM\Documents and Settings\Owner.Brett.000\My Documents\My Pictures\ads\abuse\Abuse.zip Infected: Trojan-Spy.Win32.Ardamax.n 1
C:\My Backup -- 08-12-11 0406PM\Documents and Settings\Owner.Brett.000\My Documents\My Pictures\ads\Dice Rigger\Dice Rigger.exe Infected: Trojan-Spy.Win32.Ardamax.n 1
C:\My Backup -- 08-12-11 0406PM\Documents and Settings\Owner.Brett.000\My Documents\My Pictures\ads\Dice Rigger\Dice Rigger.zip Infected: Trojan-Spy.Win32.Ardamax.n 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\bujwam.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ftk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\dvhkef.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ftk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\fknrirdp.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ftk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\iovoflbf.dll.vir Infected: Trojan.Win32.Monder.alte 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\vgdmcqvi.dll.vir Infected: Trojan.Win32.Monder.afjq 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ycxxtsyk.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ftk 1
D:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP8\A0000827.EXE Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
The selected area was scanned.
Hijack:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:24 AM, on 1/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\DriveIcon\DriveIcon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Owner.Brett-C\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX3414
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX3414
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [ehTray] "C:\WINDOWS\ehome\ehtray.exe"
O4 - HKLM\..\Run: [Reminder] "C:\WINDOWS\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Recguard] "C:\WINDOWS\SMINST\RECGUARD.EXE"
O4 - HKLM\..\Run: [AGRSMMSG] "C:\WINDOWS\AGRSMMSG.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "C:\WINDOWS\system32\nwiz.exe" /installquiet /nodetect
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [DriveIcons] "C:\Program Files\DriveIcon\DriveIcon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner.Brett-C\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
--
End of file - 7341 bytes
My laptop is actually running really well... I haven't gotten an annoying pop-up in a while now, and it hasn't slowed to a snail's pace for a while, either. Thanks again for all your help,
Dood
Hi Dood
Congratulations, your log looks clean!
Now let's uninstall ComboFix:
Click START then RUN
Now type Combofix /u in the run box and click OK
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Spybot Search and Destroy 1.6
Download it from here (http://www.safer-networking.org/en/mirrors/index.html). Just choose a mirror and off you go.
Find the tutorial on how to use Spybot properly here (http://www.bleepingcomputer.com/tutorials/tutorial43.html)
Install SpyWare Blaster 4.0
Download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
Find the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
Install WinPatrol
Download it from here (http://www.winpatrol.com/download.html)
You can find information about how WinPatrol works here (http://www.winpatrol.com/features.html)
Install FireTrust SiteHound
You can find information and download it from here (http://www.firetrust.com/en/products/sitehound)
Install MVPS Hosts File from here (http://mvps.org/winhelp2002/hosts.htm)
The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Find the tutorial here: http://www.mvps.org/winhelp2002/hosts.htm
Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your PC.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)
Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com
Please check out Tony Klein's article "How did I get infected in the first place?" (http://forums.spybot.info/showthread.php?t=279)
Read some information here (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) on how to prevent malware.
Happy safe surfing!
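As an added example (not from MVPS or from any post in this thread), this Python snippet parses a hosts file in the layout the MVPS file uses and reports which hostnames it redirects to the local machine; the hosts text and the `.invalid` names in it are constructed, and it goes slightly beyond the text above by also treating 0.0.0.0 and ::1 entries as sinkholed.

```python
"""Parse a HOSTS file and report which hostnames it sinkholes.

Added example for this thread; the hosts text below is constructed
and is not the real MVPS file.
"""
import ipaddress
from typing import Dict, List

# Constructed sample in the MVPS layout: comments, blank lines, several
# hostnames on one line, and the legitimate localhost entries.
SAMPLE_HOSTS = """\
# Constructed sample, not the real MVPS hosts file
127.0.0.1 localhost

0.0.0.0   ads.example.invalid   # trailing comment
127.0.0.1 tracker.example.invalid banner.example.invalid
::1       localhost
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname (lower-cased) to the address the file assigns it.

    Handles '#' comments (whole-line and trailing), blank lines and
    multiple hostnames per line, as hosts files allow.
    """
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # malformed address: skip the line rather than trust it
        for name in parts[1:]:
            mapping[name.lower()] = addr
    return mapping


def is_sinkholed(mapping: Dict[str, str], hostname: str) -> bool:
    """True if the file points hostname at the local machine (127.0.0.1,
    0.0.0.0 or ::1), so the browser never reaches the ad site."""
    addr = mapping.get(hostname.lower().rstrip("."))
    if addr is None:
        return False
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified


def sinkholed_hosts(mapping: Dict[str, str]) -> List[str]:
    """All blocked names, excluding the machine's own localhost entry."""
    return sorted(h for h in mapping if h != "localhost" and is_sinkholed(mapping, h))
```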
One last question... As far as anti-virus programs go, is ESET NOD32 a pretty good one?
Thanks for all your help!!
Hi DoodLPK
Yes, ESET NOD32 is good enough.
Here (http://www.av-comparatives.org/) you can find AV comparatives.
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.