Virtumonde



s-t-n
2009-03-10, 21:31
'Allo, my computer-illiterate friend has managed to get himself a nice juicy Virtumonde trojan (I don't even want to know how...). Spybot claims to have killed it, yet upon a reboot and rescan it is back... so it's obviously hiding somewhere. Anyone able to help? And after someone descends to smite the virus, any chance of some information on how to help defend his computer (it really would have to be idiot-proof... he's an ad-clicker) :thud:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:18:08 PM, on 3/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
F3 - REG:win.ini: run=
O2 - BHO: ShoppingAdsHelper - {2C86C605-6081-D104-96F7-F765C20B22F1} - C:\Program Files\ShoppingAdsHelper\ShoppingAdsHelper-1.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Qbemirozili] rundll32.exe "C:\WINDOWS\Pzolukog.dll",e
O4 - HKLM\..\Run: [Rcarosita] rundll32.exe "C:\WINDOWS\umezudan.dll",e
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [A00F27257.exe] C:\DOCUME~1\LEEHIL~1\LOCALS~1\Temp\_A00F27257.exe
O4 - HKCU\..\Run: [A00F10F1C4.exe] C:\DOCUME~1\LEEHIL~1\LOCALS~1\Temp\_A00F10F1C4.exe
O4 - HKCU\..\Run: [A00F68D2A7.exe] C:\DOCUME~1\LEEHIL~1\LOCALS~1\Temp\_A00F68D2A7.exe
O4 - HKCU\..\Run: [A00FEEFF9.exe] C:\DOCUME~1\LEEHIL~1\LOCALS~1\Temp\_A00FEEFF9.exe
O4 - HKCU\..\Run: [A00F51FCC5.exe] C:\DOCUME~1\LEEHIL~1\LOCALS~1\Temp\_A00F51FCC5.exe
O4 - HKCU\..\Run: [A00FFF851.exe] C:\DOCUME~1\LEEHIL~1\LOCALS~1\Temp\_A00FFF851.exe
O4 - HKCU\..\Run: [A00F18601C.exe] C:\DOCUME~1\LEEHIL~1\LOCALS~1\Temp\_A00F18601C.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\ifxcardm32.dll
O20 - Winlogon Notify: 30e0e646530 - C:\WINDOWS\System32\ifxcardm32.dll
O20 - Winlogon Notify: __c0063031 - C:\WINDOWS\system32\__c0063031.dat
O20 - Winlogon Notify: __c00889E9 - C:\WINDOWS\system32\__c00889E9.dat (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 5262 bytes
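As an added example (not from the thread, and not part of HijackThis itself), the script below parses the O4 and O20 lines of a HijackThis v2 log and flags the persistence patterns visible in the log above: Run entries launched from a Temp folder, rundll32 loading a DLL dropped straight into C:\WINDOWS, Winlogon Notify packages that are not .dll files, anything in AppInit_DLLs, and a Notify module that also appears in AppInit_DLLs. The sample input is a subset of the O4/O20/O23 lines from the log above.

```python
"""Triage a HijackThis v2.0.2 log: parse the O4 (Run) and O20 (AppInit_DLLs /
Winlogon Notify) lines and flag the persistence patterns a reviewer checks by hand.
Added example; not part of the thread or of HijackThis."""
import ntpath
import re
from dataclasses import dataclass
from typing import List

# Sample input: a subset of the O4/O20/O23 lines from the log posted in the thread.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Qbemirozili] rundll32.exe "C:\WINDOWS\Pzolukog.dll",e
O4 - HKLM\..\Run: [Rcarosita] rundll32.exe "C:\WINDOWS\umezudan.dll",e
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [A00F27257.exe] C:\DOCUME~1\LEEHIL~1\LOCALS~1\Temp\_A00F27257.exe
O4 - HKCU\..\Run: [A00F10F1C4.exe] C:\DOCUME~1\LEEHIL~1\LOCALS~1\Temp\_A00F10F1C4.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\ifxcardm32.dll
O20 - Winlogon Notify: 30e0e646530 - C:\WINDOWS\System32\ifxcardm32.dll
O20 - Winlogon Notify: __c0063031 - C:\WINDOWS\system32\__c0063031.dat
O20 - Winlogon Notify: __c00889E9 - C:\WINDOWS\system32\__c00889E9.dat (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""


@dataclass
class Finding:
    line_no: int
    section: str   # HijackThis section, "O4" or "O20"
    name: str      # Run value name or Winlogon Notify subkey
    path: str      # command line or module the entry points at
    reason: str


# Line shapes used by HijackThis v2 for the entries we triage.
RUN_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
NOTIFY_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)(?: \(file missing\))?$')
APPINIT_RE = re.compile(r'^O20 - AppInit_DLLs: (?P<path>.+)$')
# rundll32 invoked with a quoted DLL path (RunDll32 cmicnfg.cpl,... has no quotes and is not matched).
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"(?P<dll>[^"]+)"', re.IGNORECASE)


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious O4/O20 line, in log order."""
    lines = [l.rstrip() for l in log_text.splitlines()]
    # First pass: collect AppInit_DLLs modules so Notify entries can be cross-checked.
    appinit = {m.group('path').strip().lower()
               for m in (APPINIT_RE.match(l) for l in lines) if m}
    findings: List[Finding] = []
    for no, line in enumerate(lines, 1):
        m = RUN_RE.match(line)
        if m:
            cmd = m.group('cmd')
            dll = RUNDLL_RE.match(cmd)
            if '\\temp\\' in cmd.lower():
                findings.append(Finding(no, 'O4', m.group('name'), cmd,
                                        'autorun launched from a Temp directory'))
            elif dll and ntpath.dirname(dll.group('dll')).lower() == r'c:\windows':
                findings.append(Finding(no, 'O4', m.group('name'), dll.group('dll'),
                                        'rundll32 loading a DLL placed directly in the Windows directory'))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            path = m.group('path').strip()
            if not path.lower().endswith('.dll'):
                reason = 'Winlogon Notify package that is not a .dll'
            elif path.lower() in appinit:
                reason = 'Winlogon Notify module also registered in AppInit_DLLs'
            else:
                continue
            findings.append(Finding(no, 'O20', m.group('name'), path, reason))
            continue
        m = APPINIT_RE.match(line)
        if m:
            findings.append(Finding(no, 'O20', 'AppInit_DLLs', m.group('path').strip(),
                                    'AppInit_DLLs is empty on a default XP install; '
                                    'anything here loads into every process that uses user32.dll'))
    return findings


def main() -> None:
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:>2} {f.section:<4}{f.name:<18}{f.reason}")
        print(f"         -> {f.path}")


if __name__ == "__main__":
    main()
```

Entries that HijackThis marks "(file missing)" are still reported, since the registry value itself is what keeps the infection re-registering after a reboot.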

peku006
2009-03-11, 18:54
Hello and welcome to Malware Removal.

My name is peku006 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

Please observe these rules while we work:

If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Please continue to respond until I give you the "All Clear"

If you follow these instructions, everything should go smoothly.

There is no sign of an antivirus installed on your system. There are several reasons for it. Either you have disabled your antivirus or there's no antivirus installed.

If you have disabled it, please re-enable it. If you have no antivirus installed, please get ONE antivirus and install it. Restart the computer for changes to take effect.

avast! 4 Home Edition (http://files.avast.com/iavs4pro/setupeng.exe)
AntiVir Free Edition (http://www.antivir-pe.com/freet/index.php?id=25&domain=free-av.com)

1 - Clean temp files

Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop. Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

if you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

if you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.


Click Exit on the Main menu to close the program


2 - Scan With ComboFix

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

How to Temporarily Disable Anti-virus (http://www.bleepingcomputer.com/forums/topic114351.html)

Please include the C:\ComboFix.txt in your next reply for further review.

3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

4 - Status Check
Please reply with


1. the ComboFix log (C:\ComboFix.txt)
2. a fresh HijackThis log

Thanks peku006

s-t-n
2009-03-12, 01:26
Okay, got the ComboFix log here... but avast activated itself after the reboot, so I don't know if it interfered with the results.

And on a side note, I've never seen so many "a virus has been detected" notifications in my life. Possibly because my computer actually gets treated with an ounce of respect :rolleyes:

I've noticed he's got both LimeWire and Vuze installed, so I'm going to get rid of them as well.

ComboFix 09-03-10.03 - lee hill 2009-03-11 22:18:41.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.223.48 [GMT 0:00]
Running from: c:\documents and settings\lee hill\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090205-1] *On-access scanning disabled* (Outdated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\lee hill\Application Data\02000000ac1ccf51530C.manifest
c:\documents and settings\lee hill\Application Data\02000000ac1ccf51530O.manifest
c:\documents and settings\lee hill\Application Data\02000000ac1ccf51530P.manifest
c:\documents and settings\lee hill\Application Data\02000000ac1ccf51530S.manifest
c:\windows\GnuHashes.ini
c:\windows\system32\__c002BF04.dat
c:\windows\system32\__c004517.dat
c:\windows\system32\__c0051131.dat
c:\windows\system32\__c005DE3A.dat
c:\windows\system32\__c0063031.dat
c:\windows\system32\__c0078A84.dat
c:\windows\system32\__c007EB2.dat
c:\windows\system32\__c00A5190.dat
c:\windows\system32\__c00B93BF.dat
c:\windows\system32\__c00EA361.dat
c:\windows\system32\__c00FF684.dat
c:\windows\system32\GroupPolicy000.dat
c:\windows\system32\pthreadGC2.dll
C:\xcrashdump.dat

.
((((((((((((((((((((((((( Files Created from 2009-02-11 to 2009-03-11 )))))))))))))))))))))))))))))))
.

2009-03-11 22:28 . 2009-03-11 22:28 0 --a------ c:\windows\system32\2.tmp
2009-03-11 21:31 . 2009-03-11 21:31 <DIR> d-------- c:\program files\Alwil Software
2009-03-11 21:31 . 2003-03-18 20:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2009-03-11 21:17 . 2009-03-11 22:28 <DIR> d--hs---- c:\windows\system32\NetworkService32
2009-03-10 19:16 . 2009-03-10 19:16 <DIR> d-------- c:\program files\Trend Micro
2009-03-08 09:54 . 2009-03-08 09:54 374,272 --ahs---- c:\windows\system32\35.tmp
2009-03-07 13:54 . 2009-03-07 13:54 374,272 --ahs---- c:\windows\system32\33.tmp
2009-03-06 17:54 . 2009-03-06 17:54 374,272 --ahs---- c:\windows\system32\22.tmp
2009-03-01 12:45 . 2009-03-01 12:45 135,680 --a------ c:\windows\umezudan.dll
2009-03-01 12:33 . 2009-03-01 12:33 43,520 --a------ c:\windows\Pzolukog.dll
2009-02-28 19:48 . 2009-02-28 19:48 374,272 --ahs---- c:\windows\system32\10.tmp
2009-02-28 19:47 . 2009-02-28 19:47 135,168 --a------ c:\windows\system32\ifxcardm32.dll
2009-02-28 18:28 . 2008-01-01 08:00 499,712 --a------ c:\windows\system32\msvcp71.dll
2009-02-28 18:28 . 2008-01-01 08:00 348,160 --a------ c:\windows\system32\msvcr71.dll
2009-02-28 18:28 . 2008-01-02 03:12 7,680 --a------ c:\windows\system32\ff_vfw.dll
2009-02-28 18:28 . 2008-01-02 03:12 6,144 --a------ c:\windows\system32\ff_acm.acm
2009-02-28 18:28 . 2008-01-01 08:00 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
2009-02-28 18:18 . 2009-02-28 18:29 <DIR> d-------- c:\program files\ffdshow
2009-02-27 22:15 . 2009-02-27 22:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Messenger Plus!
2009-02-27 22:13 . 2009-02-27 22:13 <DIR> d-------- c:\program files\Messenger Plus! Live
2009-02-27 22:04 . 2009-02-07 02:08 55,152 --a------ c:\windows\system32\drivers\fssfltr_tdi.sys
2009-02-25 06:49 . 2008-06-17 19:02 8,461,312 -----c--- c:\windows\system32\dllcache\shell32.dll
2009-02-22 20:15 . 2009-02-22 20:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Azureus
2009-02-22 20:14 . 2009-03-09 11:30 <DIR> d-------- c:\documents and settings\lee hill\Application Data\Azureus
2009-02-22 20:11 . 2009-02-28 09:00 <DIR> d-------- c:\program files\Vuze
2009-02-22 19:54 . 2009-02-22 19:55 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-22 19:54 . 2009-02-22 21:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-22 19:34 . 2009-03-04 00:23 <DIR> d-------- c:\documents and settings\lee hill\Application Data\LimeWire
2009-02-22 19:33 . 2009-02-22 19:34 <DIR> d-------- c:\program files\LimeWire
2009-02-20 10:49 . 2008-05-09 10:53 512,000 -----c--- c:\windows\system32\dllcache\jscript.dll
2009-02-20 10:49 . 2008-05-09 10:53 430,080 -----c--- c:\windows\system32\dllcache\vbscript.dll
2009-02-20 10:49 . 2008-05-09 10:53 180,224 -----c--- c:\windows\system32\dllcache\scrobj.dll
2009-02-20 10:49 . 2008-05-09 10:53 172,032 -----c--- c:\windows\system32\dllcache\scrrun.dll
2009-02-20 10:49 . 2008-05-08 11:24 155,648 -----c--- c:\windows\system32\dllcache\wscript.exe
2009-02-20 10:49 . 2008-05-09 08:45 135,168 -----c--- c:\windows\system32\dllcache\cscript.exe
2009-02-20 10:49 . 2008-05-09 10:53 90,112 -----c--- c:\windows\system32\dllcache\wshext.dll
2009-02-19 21:20 . 2009-02-19 21:20 <DIR> d-------- c:\windows\system32\scripting
2009-02-19 21:20 . 2009-02-19 21:20 <DIR> d-------- c:\windows\system32\bits
2009-02-19 21:20 . 2009-02-19 21:20 <DIR> d-------- c:\windows\l2schemas
2009-02-19 21:09 . 2009-02-19 21:23 <DIR> d-------- c:\windows\ServicePackFiles
2009-02-18 19:08 . 2009-02-26 16:22 <DIR> d-------- c:\program files\Microsoft Silverlight
2009-02-15 08:56 . 2008-04-14 00:12 276,992 --------- c:\windows\system32\wmphoto.dll
2009-02-15 08:54 . 2008-04-14 00:12 4,274,816 --------- c:\windows\system32\nv4_disp.dll
2009-02-15 08:53 . 2008-04-14 00:10 102,912 -----c--- c:\windows\system32\dllcache\dpcdll.dll
2009-02-15 08:53 . 2008-04-14 00:11 86,016 --------- c:\windows\system32\mdmxsdk.dll
2009-02-15 08:53 . 2008-04-14 00:11 61,440 --------- c:\windows\system32\kmsvc.dll
2009-02-15 08:53 . 2008-04-13 18:45 46,592 --------- c:\windows\system32\drivers\irbus.sys
2009-02-15 08:53 . 2008-04-14 00:11 37,376 --------- c:\windows\system32\l2gpstore.dll
2009-02-15 08:53 . 2008-04-14 00:09 24,064 -----c--- c:\windows\system32\dllcache\pidgen.dll
2009-02-15 08:53 . 2004-08-04 06:41 11,868 --------- c:\windows\system32\drivers\mdmxsdk.sys
2009-02-15 08:53 . 2008-04-14 00:12 10,752 --------- c:\windows\system32\smtpapi.dll
2009-02-15 08:53 . 2008-04-14 00:12 9,728 --------- c:\windows\system32\rwnh.dll
2009-02-15 08:53 . 2008-04-13 18:43 9,728 --------- c:\windows\system32\comsdupd.exe
2009-02-15 08:53 . 2007-06-21 05:52 974 --------- c:\windows\system32\pid.inf
2009-02-15 08:51 . 2008-04-13 18:36 44,928 --------- c:\windows\system32\drivers\agpcpq.sys
2009-02-15 08:51 . 2008-04-13 18:36 43,008 --------- c:\windows\system32\drivers\amdagp.sys
2009-02-15 08:51 . 2008-04-13 18:36 42,752 --------- c:\windows\system32\drivers\alim1541.sys
2009-02-15 08:51 . 2008-04-13 18:36 42,368 --------- c:\windows\system32\drivers\agp440.sys
2009-02-15 08:51 . 2008-04-14 00:11 4,255 --------- c:\windows\system32\drivers\adv01nt5.dll
2009-02-15 08:51 . 2008-04-14 00:11 3,967 --------- c:\windows\system32\drivers\adv02nt5.dll
2009-02-15 08:51 . 2008-04-14 00:11 3,775 --------- c:\windows\system32\drivers\adv11nt5.dll
2009-02-15 08:51 . 2008-04-14 00:11 3,711 --------- c:\windows\system32\drivers\adv09nt5.dll
2009-02-15 08:51 . 2008-04-14 00:11 3,647 --------- c:\windows\system32\drivers\adv07nt5.dll
2009-02-15 08:51 . 2008-04-14 00:11 3,615 --------- c:\windows\system32\drivers\adv05nt5.dll
2009-02-15 08:51 . 2008-04-14 00:11 3,135 --------- c:\windows\system32\drivers\adv08nt5.dll
2009-02-14 13:47 . 2009-03-11 22:29 <DIR> d-------- c:\documents and settings\lee hill\Tracing
2009-02-14 13:39 . 2009-02-14 13:39 <DIR> d-------- c:\program files\Microsoft
2009-02-14 13:36 . 2009-02-14 13:36 <DIR> d-------- c:\program files\Windows Live SkyDrive
2009-02-14 13:26 . 2009-02-14 13:26 <DIR> d-------- c:\program files\Common Files\Windows Live
2009-02-11 22:25 . 2004-08-03 23:56 221,184 --a------ c:\windows\system32\wmpns.dll
2009-02-11 22:22 . 2009-02-11 22:22 <DIR> d-------- c:\windows\system32\LogFiles
2009-02-11 22:22 . 2009-02-11 22:23 <DIR> d-------- c:\windows\system32\drivers\UMDF
2009-02-11 04:47 . 2009-02-11 04:47 552 --a------ c:\windows\system32\d3d8caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-27 22:04 --------- d-----w c:\program files\Windows Live
2009-02-11 22:25 --------- d-----w c:\program files\Windows Media Connect 2
2009-02-05 15:55 --------- d-----w c:\program files\Microsoft Games
2009-02-04 23:13 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-25 00:03 --------- d-----w c:\program files\DivX
2009-01-16 03:48 --------- d-----w c:\documents and settings\All Users\Application Data\Alawar Stargaze
2009-01-16 03:47 --------- d-----w c:\program files\ReflexiveArcade
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-07 136600]
"Qbemirozili"="c:\windows\Pzolukog.dll" [2009-03-01 43520]
"Rcarosita"="c:\windows\umezudan.dll" [2009-03-01 135680]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"C-Media Mixer"="Mixer.exe" [2002-10-16 c:\windows\mixer.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\30e0e646530]
2009-02-28 19:47 135168 c:\windows\system32\ifxcardm32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\ifxcardm32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.avis"= ff_acm.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-03-11 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-03-11 20560]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-02-27 55152]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [2009-02-02 31872]

--- Other Services/Drivers In Memory ---

*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - helpsvc
*Deregistered* - HTTPFilter
*Deregistered* - ImapiService
*Deregistered* - JavaQuickStarterService
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - NWCWorkstation
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasMan
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - SLService
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - W32Time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)
HKLM-Run-Cmaudio - cmicnfg.cpl
Notify-__c0063031 - c:\windows\system32\__c0063031.dat
Notify-__c00889E9 - c:\windows\system32\__c00889E9.dat


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-11 22:30:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(836)
c:\windows\System32\ifxcardm32.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\WgaTray.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-03-11 22:40:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-11 22:39:55

Pre-Run: 47,534,796,800 bytes free
Post-Run: 47,475,150,848 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect


s-t-n
2009-03-12, 01:31
And here's the HijackThis report.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:53 PM, on 3/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Qbemirozili] rundll32.exe "C:\WINDOWS\Pzolukog.dll",e
O4 - HKLM\..\Run: [Rcarosita] rundll32.exe "C:\WINDOWS\umezudan.dll",e
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\ifxcardm32.dll
O20 - Winlogon Notify: 30e0e646530 - C:\WINDOWS\System32\ifxcardm32.dll
O20 - Winlogon Notify: __c003C3B1 - C:\WINDOWS\system32\__c003C3B1.dat
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 5073 bytes

peku006
2009-03-12, 09:24
Hi s-t-n

1 - Remove bad HijackThis entries

Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):


O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [Qbemirozili] rundll32.exe "C:\WINDOWS\Pzolukog.dll",e
O4 - HKLM\..\Run: [Rcarosita] rundll32.exe "C:\WINDOWS\umezudan.dll",e
O20 - AppInit_DLLs: C:\WINDOWS\System32\ifxcardm32.dll
O20 - Winlogon Notify: 30e0e646530 - C:\WINDOWS\System32\ifxcardm32.dll
O20 - Winlogon Notify: __c003C3B1 - C:\WINDOWS\system32\__c003C3B1.dat



Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.

2 - Run CFScript

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:



File::
c:\windows\system32\2.tmp
c:\windows\system32\35.tmp
c:\windows\system32\33.tmp
c:\windows\system32\22.tmp
c:\windows\umezudan.dll
c:\windows\Pzolukog.dll
c:\windows\system32\10.tmp
C:\WINDOWS\System32\ifxcardm32.dll

DirLook::
c:\windows\system32\NetworkService32


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

3 - Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) and save it to your desktop.
alternate download link 1 (http://malwarebytes.gt500.org/mbam-setup.exe)
alternate download link 2 (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)

Double-click on Download_mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates, manually download them from here (http://www.malwarebytes.org/mbam/database/mbam-rules.exe) and just double-click on mbam-rules.exe to install.
On the Scanner tab:

Make sure the "Perform full scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:

Click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
The log can also be found here:

C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

4 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

5 - Status Check
Please reply with


1. the ComboFix log (C:\ComboFix.txt)
2. the Malwarebytes' Anti-Malware log
3. a fresh HijackThis log
4. a description of any problems you are having with your PC

Thanks peku006
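
As an added illustration of the reasoning behind the list in step 1 (this is not code from the thread or from any of the tools named above), the Python script below applies the same triage rules to a HijackThis log: an O2 BHO whose file is missing, an O4 autorun that has rundll32 load a DLL sitting in the Windows directory root, any AppInit_DLLs value, and a Winlogon Notify handler with a random-looking name or a non-DLL file. It then collects the file paths into a ComboFix "File::" section like the one in step 2. The sample log is a constructed subset of the log posted above; the function names and heuristics are mine.

```python
import re
from typing import List, Tuple

# Constructed sample: a subset of the HijackThis log posted earlier in this thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Qbemirozili] rundll32.exe "C:\WINDOWS\Pzolukog.dll",e
O4 - HKLM\..\Run: [Rcarosita] rundll32.exe "C:\WINDOWS\umezudan.dll",e
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\ifxcardm32.dll
O20 - Winlogon Notify: 30e0e646530 - C:\WINDOWS\System32\ifxcardm32.dll
O20 - Winlogon Notify: __c003C3B1 - C:\WINDOWS\system32\__c003C3B1.dat
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

Finding = Tuple[str, str]  # (log line, reason it was flagged)

# O2: Browser Helper Object lines; the last field is the DLL path or "(no file)".
O2_RE = re.compile(r"^O2 - BHO: .*? - \{[0-9A-Fa-f-]+\} - (?P<file>.+)$")
# O4: Run / RunOnce autostart values under HKLM or HKCU.
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# rundll32 loading a DLL that lives directly in the Windows directory (not a subfolder):
# legitimate software almost never installs there, Virtumonde-style droppers often do.
RUNDLL_WINROOT_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[a-z]:\\windows\\[^\\"]+\.dll)"?', re.I)
# O20: AppInit_DLLs (injected into every process that loads user32.dll) and Winlogon Notify handlers.
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<val>\S.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<file>.+)$")
# Names made only of hex digits (optionally underscore-prefixed) look machine-generated.
HEXLIKE_RE = re.compile(r"^_*[0-9a-f]+$", re.I)
# Any Windows path ending in an extension ComboFix's File:: section would act on.
PATH_RE = re.compile(r'[A-Za-z]:\\[^",\n]+\.(?:dll|dat|exe|sys)', re.I)


def triage(log_text: str) -> List[Finding]:
    """Return the HijackThis lines a human reviewer should look at first, with a reason each."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O2_RE.match(line)
        if m:
            if m.group("file").strip().lower() == "(no file)":
                findings.append((line, "BHO CLSID is registered but its DLL is gone (orphaned entry)"))
            continue
        m = O4_RE.match(line)
        if m:
            if RUNDLL_WINROOT_RE.search(m.group("cmd")):
                findings.append((line, "autorun uses rundll32 to load a DLL from the Windows root"))
            continue
        m = APPINIT_RE.match(line)
        if m:
            # HijackThis only prints this line when the value is non-empty; on a clean XP box it is empty.
            findings.append((line, "AppInit_DLLs is set: DLL injected into every GUI process"))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            name, path = m.group("name"), m.group("file")
            if not path.lower().endswith(".dll") or HEXLIKE_RE.match(name):
                findings.append((line, "Winlogon Notify handler with random-looking name or non-DLL file"))
            continue
    return findings


def cfscript_paths(findings: List[Finding]) -> List[str]:
    """Collect the distinct file paths named by flagged lines, in first-seen order."""
    paths: List[str] = []
    seen = set()
    for line, _reason in findings:
        m = PATH_RE.search(line)
        if m and m.group(0).lower() not in seen:
            seen.add(m.group(0).lower())
            paths.append(m.group(0))
    return paths


def cfscript_file_section(paths: List[str]) -> str:
    """Render the paths as the 'File::' block ComboFix reads from CFScript.txt."""
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    results = triage(SAMPLE_HJT_LOG)
    for line, reason in results:
        print(f"{reason}\n    {line}")
    print(cfscript_file_section(cfscript_paths(results)))
```

The output is a review list for a person, not an automatic fix list: a legitimate entry can trip a heuristic, which is why the thread's helper asks for a fresh log after every step.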

s-t-n
2009-03-13, 01:31
Right, had some problems booting the computer and after 3 attempts I booted in safe mode to fix the HijackThis entries. After this, I was able to boot normally, so it was obviously the infection complaining that it was getting killed. Everything else worked without a hitch, although I temporarily uninstalled avast for the ComboFix (it's back on now).

ComboFix 09-03-10.03 - lee hill 2009-03-12 21:27:59.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.223.61 [GMT 0:00]
Running from: c:\documents and settings\lee hill\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\lee hill\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\Pzolukog.dll
c:\windows\system32\10.tmp
c:\windows\system32\2.tmp
c:\windows\system32\22.tmp
c:\windows\system32\33.tmp
c:\windows\system32\35.tmp
c:\windows\System32\ifxcardm32.dll
c:\windows\umezudan.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\lee hill\Application Data\02000000ac1ccf51530C.manifest
c:\documents and settings\lee hill\Application Data\02000000ac1ccf51530O.manifest
c:\documents and settings\lee hill\Application Data\02000000ac1ccf51530P.manifest
c:\documents and settings\lee hill\Application Data\02000000ac1ccf51530S.manifest
c:\windows\GnuHashes.ini
c:\windows\Pzolukog.dll
c:\windows\system32\__c003C3B1.dat
c:\windows\system32\10.tmp
c:\windows\system32\2.tmp
c:\windows\system32\22.tmp
c:\windows\system32\33.tmp
c:\windows\system32\35.tmp
c:\windows\system32\5.tmp
c:\windows\system32\GroupPolicy000.dat
c:\windows\System32\ifxcardm32.dll
c:\windows\umezudan.dll
C:\xcrashdump.dat
E:\autorun.inf
F:\autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-02-12 to 2009-03-12 )))))))))))))))))))))))))))))))
.

2009-03-12 21:25 . 2009-03-12 21:26 <DIR> d-------- C:\32788R22FWJFW
2009-03-11 21:31 . 2009-03-11 21:31 <DIR> d-------- c:\program files\Alwil Software
2009-03-11 21:31 . 2003-03-18 20:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2009-03-11 21:17 . 2009-03-11 22:43 <DIR> d--hs---- c:\windows\system32\NetworkService32
2009-03-11 12:31 . 2008-12-05 06:54 144,896 -----c--- c:\windows\system32\dllcache\schannel.dll
2009-03-10 19:16 . 2009-03-10 19:16 <DIR> d-------- c:\program files\Trend Micro
2009-02-28 18:28 . 2008-01-01 08:00 499,712 --a------ c:\windows\system32\msvcp71.dll
2009-02-28 18:28 . 2008-01-01 08:00 348,160 --a------ c:\windows\system32\msvcr71.dll
2009-02-28 18:28 . 2008-01-02 03:12 7,680 --a------ c:\windows\system32\ff_vfw.dll
2009-02-28 18:28 . 2008-01-02 03:12 6,144 --a------ c:\windows\system32\ff_acm.acm
2009-02-28 18:28 . 2008-01-01 08:00 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
2009-02-28 18:18 . 2009-02-28 18:29 <DIR> d-------- c:\program files\ffdshow
2009-02-27 22:15 . 2009-02-27 22:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Messenger Plus!
2009-02-27 22:13 . 2009-02-27 22:13 <DIR> d-------- c:\program files\Messenger Plus! Live
2009-02-27 22:04 . 2009-02-07 02:08 55,152 --a------ c:\windows\system32\drivers\fssfltr_tdi.sys
2009-02-25 06:49 . 2008-06-17 19:02 8,461,312 -----c--- c:\windows\system32\dllcache\shell32.dll
2009-02-22 20:15 . 2009-02-22 20:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Azureus
2009-02-22 20:14 . 2009-03-09 11:30 <DIR> d-------- c:\documents and settings\lee hill\Application Data\Azureus
2009-02-22 20:11 . 2009-03-12 03:09 <DIR> d-------- c:\program files\Vuze
2009-02-22 19:54 . 2009-02-22 19:55 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-22 19:54 . 2009-02-22 21:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-22 19:34 . 2009-03-04 00:23 <DIR> d-------- c:\documents and settings\lee hill\Application Data\LimeWire
2009-02-20 10:49 . 2008-05-09 10:53 512,000 -----c--- c:\windows\system32\dllcache\jscript.dll
2009-02-20 10:49 . 2008-05-09 10:53 430,080 -----c--- c:\windows\system32\dllcache\vbscript.dll
2009-02-20 10:49 . 2008-05-09 10:53 180,224 -----c--- c:\windows\system32\dllcache\scrobj.dll
2009-02-20 10:49 . 2008-05-09 10:53 172,032 -----c--- c:\windows\system32\dllcache\scrrun.dll
2009-02-20 10:49 . 2008-05-08 11:24 155,648 -----c--- c:\windows\system32\dllcache\wscript.exe
2009-02-20 10:49 . 2008-05-09 08:45 135,168 -----c--- c:\windows\system32\dllcache\cscript.exe
2009-02-20 10:49 . 2008-05-09 10:53 90,112 -----c--- c:\windows\system32\dllcache\wshext.dll
2009-02-19 21:20 . 2009-02-19 21:20 <DIR> d-------- c:\windows\system32\scripting
2009-02-19 21:20 . 2009-02-19 21:20 <DIR> d-------- c:\windows\system32\bits
2009-02-19 21:20 . 2009-02-19 21:20 <DIR> d-------- c:\windows\l2schemas
2009-02-19 21:09 . 2009-02-19 21:23 <DIR> d-------- c:\windows\ServicePackFiles
2009-02-18 19:08 . 2009-02-26 16:22 <DIR> d-------- c:\program files\Microsoft Silverlight
2009-02-15 08:56 . 2008-04-14 00:12 276,992 --------- c:\windows\system32\wmphoto.dll
2009-02-15 08:54 . 2008-04-14 00:12 4,274,816 --------- c:\windows\system32\nv4_disp.dll
2009-02-15 08:53 . 2008-04-14 00:10 102,912 -----c--- c:\windows\system32\dllcache\dpcdll.dll
2009-02-15 08:53 . 2008-04-14 00:11 86,016 --------- c:\windows\system32\mdmxsdk.dll
2009-02-15 08:53 . 2008-04-14 00:11 61,440 --------- c:\windows\system32\kmsvc.dll
2009-02-15 08:53 . 2008-04-13 18:45 46,592 --------- c:\windows\system32\drivers\irbus.sys
2009-02-15 08:53 . 2008-04-14 00:11 37,376 --------- c:\windows\system32\l2gpstore.dll
2009-02-15 08:53 . 2008-04-14 00:09 24,064 -----c--- c:\windows\system32\dllcache\pidgen.dll
2009-02-15 08:53 . 2004-08-04 06:41 11,868 --------- c:\windows\system32\drivers\mdmxsdk.sys
2009-02-15 08:53 . 2008-04-14 00:12 10,752 --------- c:\windows\system32\smtpapi.dll
2009-02-15 08:53 . 2008-04-14 00:12 9,728 --------- c:\windows\system32\rwnh.dll
2009-02-15 08:53 . 2008-04-13 18:43 9,728 --------- c:\windows\system32\comsdupd.exe
2009-02-15 08:53 . 2007-06-21 05:52 974 --------- c:\windows\system32\pid.inf
2009-02-15 08:51 . 2008-04-13 18:36 44,928 --------- c:\windows\system32\drivers\agpcpq.sys
2009-02-15 08:51 . 2008-04-13 18:36 43,008 --------- c:\windows\system32\drivers\amdagp.sys
2009-02-15 08:51 . 2008-04-13 18:36 42,752 --------- c:\windows\system32\drivers\alim1541.sys
2009-02-15 08:51 . 2008-04-13 18:36 42,368 --------- c:\windows\system32\drivers\agp440.sys
2009-02-15 08:51 . 2008-04-14 00:11 4,255 --------- c:\windows\system32\drivers\adv01nt5.dll
2009-02-15 08:51 . 2008-04-14 00:11 3,967 --------- c:\windows\system32\drivers\adv02nt5.dll
2009-02-15 08:51 . 2008-04-14 00:11 3,775 --------- c:\windows\system32\drivers\adv11nt5.dll
2009-02-15 08:51 . 2008-04-14 00:11 3,711 --------- c:\windows\system32\drivers\adv09nt5.dll
2009-02-15 08:51 . 2008-04-14 00:11 3,647 --------- c:\windows\system32\drivers\adv07nt5.dll
2009-02-15 08:51 . 2008-04-14 00:11 3,615 --------- c:\windows\system32\drivers\adv05nt5.dll
2009-02-15 08:51 . 2008-04-14 00:11 3,135 --------- c:\windows\system32\drivers\adv08nt5.dll
2009-02-14 13:47 . 2009-03-12 21:24 <DIR> d-------- c:\documents and settings\lee hill\Tracing
2009-02-14 13:39 . 2009-02-14 13:39 <DIR> d-------- c:\program files\Microsoft
2009-02-14 13:36 . 2009-02-14 13:36 <DIR> d-------- c:\program files\Windows Live SkyDrive
2009-02-14 13:26 . 2009-02-14 13:26 <DIR> d-------- c:\program files\Common Files\Windows Live

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-27 22:04 --------- d-----w c:\program files\Windows Live
2009-02-11 22:25 --------- d-----w c:\program files\Windows Media Connect 2
2009-02-05 15:55 --------- d-----w c:\program files\Microsoft Games
2009-02-04 23:13 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-25 00:03 --------- d-----w c:\program files\DivX
2009-01-16 03:48 --------- d-----w c:\documents and settings\All Users\Application Data\Alawar Stargaze
2009-01-16 03:47 --------- d-----w c:\program files\ReflexiveArcade
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\windows\system32\NetworkService32 ----

2009-03-11 22:28 0 --a------ c:\windows\system32\NetworkService32\3.tmp
2009-03-11 21:23 93 --a------ c:\windows\system32\NetworkService32\58.music.wav.kwd
2009-03-11 21:13 873657 --a------ c:\windows\system32\NetworkService32\62.setup.zip
2009-03-11 21:13 862793 --a------ c:\windows\system32\NetworkService32\61.serial.zip
2009-03-11 21:13 860396 --a------ c:\windows\system32\NetworkService32\60.keygen.zip
2009-03-11 21:12 927861 --a------ c:\windows\system32\NetworkService32\59.crack.zip
2009-03-11 20:24 5088466 --a------ c:\windows\system32\NetworkService32\58.music.wav
2009-03-11 20:23 4088466 --a------ c:\windows\system32\NetworkService32\57.music.snd
2009-03-11 20:20 3905427 --a------ c:\windows\system32\NetworkService32\56.music.mp3
2009-03-11 20:13 659608 --a------ c:\windows\system32\NetworkService32\63.unpack.zip
2009-03-05 20:21 76 --a------ c:\windows\system32\NetworkService32\56.music.mp3.kwd
2009-03-05 20:19 102 --a------ c:\windows\system32\NetworkService32\57.music.snd.kwd
2009-02-02 17:43 269 --a------ c:\windows\system32\NetworkService32\62.setup.zip.kwd
2009-02-02 17:41 272 --a------ c:\windows\system32\NetworkService32\61.serial.zip.kwd
2009-02-02 17:40 270 --a------ c:\windows\system32\NetworkService32\60.keygen.zip.kwd
2009-02-02 17:39 204 --a------ c:\windows\system32\NetworkService32\59.crack.zip.kwd
2008-11-22 20:32 6 --a------ c:\windows\system32\NetworkService32\63.unpack.zip.kwd


------- Sigcheck -------

2004-08-03 23:56 14336 8f078ae4ed187aaabc0a305146de6716 c:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-14 00:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\ServicePackFiles\i386\svchost.exe
2008-04-14 00:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\system32\svchost.exe

2007-03-08 15:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b c:\windows\$NtServicePackUninstall$\user32.dll
2006-12-18 19:35 577024 1800f293bccc8ede8a70e12b88d80036 c:\windows\$NtUninstallKB925902$\user32.dll
2008-04-14 00:12 578560 b26b135ff1b9f60c9388b4a7d16f600b c:\windows\ServicePackFiles\i386\user32.dll
2008-04-14 00:12 578560 b26b135ff1b9f60c9388b4a7d16f600b c:\windows\system32\user32.dll

2004-08-03 23:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 c:\windows\$NtServicePackUninstall$\ws2_32.dll
2008-04-14 00:12 82432 2ccc474eb85ceaa3e1fa1726580a3e5a c:\windows\ServicePackFiles\i386\ws2_32.dll
2008-04-14 00:12 82432 2ccc474eb85ceaa3e1fa1726580a3e5a c:\windows\system32\ws2_32.dll

2008-08-20 05:30 666112 9af5f25124fbdc36e2b510729cba2674 c:\windows\$hf_mig$\KB956390\SP3GDR\wininet.dll
2008-08-20 04:58 666624 94418f53d2612c26dbadc04dafbc197c c:\windows\$hf_mig$\KB956390\SP3QFE\wininet.dll
2008-08-26 09:08 827904 77c192fe56a70d7fa0247ba0a6201c32 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
2008-10-16 01:00 666112 1576318bf08d28cc61d1278114ad8d5b c:\windows\$hf_mig$\KB958215\SP3GDR\wininet.dll
2008-10-16 01:04 667136 e8fce58a470999350f64c591557f9e42 c:\windows\$hf_mig$\KB958215\SP3QFE\wininet.dll
2008-10-16 20:24 827904 0d5b75171ff51775b630a431b6c667e8 c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
2008-12-20 23:56 827904 044e0a4e9fe97c0fb9afe9c89e2a82e6 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
2006-12-18 19:35 664576 231ef4179acabe486376b5ca893f1076 c:\windows\$NtUninstallKB956390$\wininet.dll
2008-08-20 05:33 667648 c91e3a6ef094202f6b5ca8960dfcf243 c:\windows\$NtUninstallKB958215$\wininet.dll
2008-10-16 10:20 667648 93c9d0a216498ee14eb9b26119bb95ee c:\windows\ie7\wininet.dll
2007-08-14 02:54 818688 a4a0fc92358f39538a6494c42ef99fe9 c:\windows\ie7updates\KB956390-IE7\wininet.dll
2008-08-26 07:24 826368 ef8eba98145bfa44e80d17a3b3453300 c:\windows\ie7updates\KB958215-IE7\wininet.dll
2008-10-16 20:38 826368 6741eaf7b7f110e803a6e38f6e5fa6b0 c:\windows\ie7updates\KB961260-IE7\wininet.dll
2008-04-14 00:12 666112 7a4f775abb2f1c97def3e73afa2faedd c:\windows\ServicePackFiles\i386\wininet.dll
2008-12-20 23:15 826368 a82935d32d0672e8ff4e91ae398e901c c:\windows\system32\wininet.dll
2008-12-20 23:15 826368 a82935d32d0672e8ff4e91ae398e901c c:\windows\system32\dllcache\wininet.dll

2008-06-20 11:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 11:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-06-20 10:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$NtServicePackUninstall$\tcpip.sys
2008-04-13 19:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
2006-12-18 19:35 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
2008-04-13 19:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\ServicePackFiles\i386\tcpip.sys
2008-06-20 11:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\system32\dllcache\tcpip.sys
2008-06-20 11:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\system32\drivers\tcpip.sys

2004-08-03 23:56 502272 01c3346c241652f43aed8e2149881bfe c:\windows\$NtServicePackUninstall$\winlogon.exe
2008-04-14 00:12 507904 ed0ef0a136dec83df69f04118870003e c:\windows\ServicePackFiles\i386\winlogon.exe
2008-04-14 00:12 507904 ed0ef0a136dec83df69f04118870003e c:\windows\system32\winlogon.exe

2004-08-03 22:14 182912 558635d3af1c7546d26067d5d9b6959e c:\windows\$NtServicePackUninstall$\ndis.sys
2008-04-13 19:20 182656 1df7f42665c94b825322fae71721130d c:\windows\ServicePackFiles\i386\ndis.sys
2008-04-13 19:20 182656 1df7f42665c94b825322fae71721130d c:\windows\system32\drivers\ndis.sys

2004-08-03 22:00 29056 4448006b6bc60e6c027932cfc38d6855 c:\windows\$NtServicePackUninstall$\ip6fw.sys
2008-04-13 18:53 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\ServicePackFiles\i386\ip6fw.sys
2008-04-13 18:53 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\system32\drivers\ip6fw.sys

2008-04-14 00:12 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\explorer.exe
2007-06-13 11:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 c:\windows\$NtServicePackUninstall$\explorer.exe
2006-12-18 19:33 1033216 42d32722b805d7df42d30487a0bcbd78 c:\windows\$NtUninstallKB938828$\explorer.exe
2008-04-14 00:12 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\ServicePackFiles\i386\explorer.exe

2004-08-03 23:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 c:\windows\$NtServicePackUninstall$\services.exe
2008-04-14 00:12 108544 0e776ed5f7cc9f94299e70461b7b8185 c:\windows\ServicePackFiles\i386\services.exe
2008-04-14 00:12 108544 0e776ed5f7cc9f94299e70461b7b8185 c:\windows\system32\services.exe

2004-08-03 23:56 13312 84885f9b82f4d55c6146ebf6065d75d2 c:\windows\$NtServicePackUninstall$\lsass.exe
2008-04-14 00:12 13312 bf2466b3e18e970d8a976fb95fc1ca85 c:\windows\ServicePackFiles\i386\lsass.exe
2008-04-14 00:12 13312 bf2466b3e18e970d8a976fb95fc1ca85 c:\windows\system32\lsass.exe

2004-08-03 23:56 15360 24232996a38c0b0cf151c2140ae29fc8 c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-14 00:12 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 c:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-14 00:12 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 c:\windows\system32\ctfmon.exe

2006-12-18 19:35 57856 ad3d9d191aea7b5445fe1d82ffbb4788 c:\windows\$NtServicePackUninstall$\spoolsv.exe
2008-04-14 00:12 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b c:\windows\ServicePackFiles\i386\spoolsv.exe
2008-04-14 00:12 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b c:\windows\system32\spoolsv.exe

2004-08-03 23:56 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-14 00:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\ServicePackFiles\i386\userinit.exe
2008-04-14 00:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\system32\userinit.exe

2006-12-18 19:35 295424 c29a5286e64d97385178452d5f307b98 c:\windows\$NtServicePackUninstall$\termsrv.dll
2008-04-14 00:12 295424 ff3477c03be7201c294c35f684b3479f c:\windows\ServicePackFiles\i386\termsrv.dll
2008-04-14 00:12 295424 ff3477c03be7201c294c35f684b3479f c:\windows\system32\termsrv.dll

2007-04-16 16:07 986112 09f7cb3687f86edaa4ca081f7ab66c03 c:\windows\$NtServicePackUninstall$\kernel32.dll
2006-12-18 19:33 985600 16f21882c96ee0136a92e867da94215c c:\windows\$NtUninstallKB935839$\kernel32.dll
2008-04-14 00:11 989696 c24b983d211c34da8fcc1ac38477971d c:\windows\ServicePackFiles\i386\kernel32.dll
2008-04-14 00:11 989696 c24b983d211c34da8fcc1ac38477971d c:\windows\system32\kernel32.dll

2004-08-03 23:56 17408 1b5f6923abb450692e9fe0672c897aed c:\windows\$NtServicePackUninstall$\powrprof.dll
2008-04-14 00:12 17408 50a166237a0fa771261275a405646cc0 c:\windows\ServicePackFiles\i386\powrprof.dll
2008-04-14 00:12 17408 50a166237a0fa771261275a405646cc0 c:\windows\system32\powrprof.dll

2004-08-03 23:56 110080 87ca7ce6469577f059297b9d6556d66d c:\windows\$NtServicePackUninstall$\imm32.dll
2008-04-14 00:11 110080 0da85218e92526972a821587e6a8bf8f c:\windows\ServicePackFiles\i386\imm32.dll
2008-04-14 00:11 110080 0da85218e92526972a821587e6a8bf8f c:\windows\system32\imm32.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-03-11_22.35.04.76 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-15 12:12:56 1,846,400 -c----w c:\windows\system32\dllcache\win32k.sys
+ 2009-02-09 11:13:27 1,846,784 -c----w c:\windows\system32\dllcache\win32k.sys
- 2007-06-12 07:51:12 10,834,944 -c--a-w c:\windows\system32\dllcache\wmp.dll
+ 2008-11-11 18:34:42 10,838,016 -c--a-w c:\windows\system32\dllcache\wmp.dll
- 2009-02-19 23:09:57 98,256 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-03-12 03:09:25 98,256 ----a-w c:\windows\system32\FNTCACHE.DAT
- 2008-04-14 00:12:05 144,384 ----a-w c:\windows\system32\schannel.dll
+ 2008-12-05 06:54:55 144,896 ----a-w c:\windows\system32\schannel.dll
- 2008-07-09 07:38:24 17,272 ------w c:\windows\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
- 2007-08-11 04:46:18 26,488 ----a-w c:\windows\system32\spupdsvc.exe
+ 2007-07-27 09:41:38 26,488 ----a-w c:\windows\system32\spupdsvc.exe
- 2008-09-15 12:12:56 1,846,400 ----a-w c:\windows\system32\win32k.sys
+ 2009-02-09 11:13:27 1,846,784 ----a-w c:\windows\system32\win32k.sys
- 2007-06-12 07:51:12 10,834,944 ----a-w c:\windows\system32\wmp.dll
+ 2008-11-11 18:34:42 10,838,016 ----a-w c:\windows\system32\wmp.dll
+ 2009-03-12 21:33:16 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_2d4.dat
+ 2008-04-15 17:47:33 1,724,416 ----a-w c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_dfbc4fc4\GdiPlus.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-07 136600]
"C-Media Mixer"="Mixer.exe" [2002-10-16 c:\windows\mixer.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.avis"= ff_acm.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-02-27 55152]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2009-02-07 533360]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [2009-02-02 31872]
.
- - - - ORPHANS REMOVED - - - -

Notify-30e0e646530 - c:\windows\System32\ifxcardm32.dll
Notify-__c003C3B1 - c:\windows\system32\__c003C3B1.dat


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-12 21:38:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\WgaTray.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-12 21:45:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-12 21:45:12
ComboFix2.txt 2009-03-11 22:40:10

Pre-Run: 47,530,020,864 bytes free
Post-Run: 47,519,789,056 bytes free

290 --- E O F --- 2009-03-12 03:02:39

s-t-n
2009-03-13, 01:33
The Bytes log

Malwarebytes' Anti-Malware 1.34
Database version: 1841
Windows 5.1.2600 Service Pack 3

3/12/2009 11:25:45 PM
mbam-log-2009-03-12 (23-25-45).txt

Scan type: Full Scan (C:\|)
Objects scanned: 99029
Time elapsed: 50 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\shoppingadshelper.browserwatcher (Adware.ShoppingAdsHelper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingadshelper.browserwatcher.1 (Adware.ShoppingAdsHelper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingadshelper.pornpro_bho (Adware.ShoppingAdsHelper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingadshelper.pornpro_bho.1 (Adware.ShoppingAdsHelper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingadshelper.precachebrowserhost (Adware.ShoppingAdsHelper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingadshelper.precachebrowserhost.1 (Adware.ShoppingAdsHelper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{af56fd81-28a2-0159-4922-1211155898a9} (Adware.ShoppingAdsHelper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{913e9215-eb81-7e43-76e6-fc26e50e264c} (Adware.ShoppingAdsHelper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ShoppingAdsHelper (Adware.ShoppingAdsHelper) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\10.tmp.vir (Worm.P2P) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\22.tmp.vir (Worm.P2P) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\33.tmp.vir (Worm.P2P) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\35.tmp.vir (Worm.P2P) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\5.tmp.vir (Worm.P2P) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ifxcardm32.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9A6248DF-E653-46A2-BC43-AAC820D0826E}\RP105\A0053040.exe (Rogue.PlayMp3s) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9A6248DF-E653-46A2-BC43-AAC820D0826E}\RP117\A0068679.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9A6248DF-E653-46A2-BC43-AAC820D0826E}\RP119\A0070960.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9A6248DF-E653-46A2-BC43-AAC820D0826E}\RP54\A0021282.dll (Adware.Shopper) -> Quarantined and deleted successfully.

s-t-n
2009-03-13, 01:34
Finally, the fresh HT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:33:58 PM, on 3/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 3769 bytes

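The HijackThis log above is what the helper reads by eye: each R/O line names a place Windows or Internet Explorer will load something from, and the question is whether the file it points at belongs there. The script below is an added illustration for this thread, not a tool from the thread, from Spybot or from Trend Micro. It parses the R0/R1, O2, O4, O10 and O23 line formats into records and attaches the review prompts a helper checks first: a start-page URL that is not the XP default, an auto-start entry that loads from outside the Windows and Program Files trees, a Run value with no absolute path, and the Winsock LSP HijackThis could not identify. The trusted-root list and the default IE host are assumptions for the heuristic, and the final `HKCU\..\Run [example]` line in the sample is constructed to show a flag firing; every other sample line is copied from the log above. The flags are prompts for a human, not a malware verdict.

```python
"""Triage parser for HijackThis v2 log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass, field

# Assumption: on a stock Windows XP install the binaries that legitimately
# auto-start live under these roots. Anything else deserves a second look.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
# Assumption: the R0/R1 targets XP ships with all sit on this host.
IE_DEFAULT_HOST = "http://go.microsoft.com/"


@dataclass
class Entry:
    section: str                 # HijackThis section code, e.g. "O4"
    name: str                    # BHO/service/run-value name, or the registry value
    target: str                  # file the entry loads, or the URL it points at
    flags: list = field(default_factory=list)


_LINE_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")
# First token that ends in an executable extension, quoted or not.
_EXE_RE = re.compile(r'^"?(.*?\.(?:exe|dll|scr|cpl))"?', re.IGNORECASE)
_O4_RE = re.compile(r"^(.*?): \[(.*?)\] (.*)$")


def command_path(cmd: str) -> str:
    """Return the binary from a Run-key value such as '"C:\\x\\y.exe" /arg'."""
    m = _EXE_RE.match(cmd.strip())
    return m.group(1) if m else cmd.strip()


def parse_line(line: str):
    """Parse one log line into an Entry; line types not modelled here return None."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    sec, rest = m.groups()
    if sec in ("R0", "R1"):                              # key,value = url
        key, _, url = rest.partition(" = ")
        return Entry(sec, key.strip(), url.strip())
    if sec == "O2" and rest.startswith("BHO: "):          # BHO: name - {clsid} - path
        parts = rest[5:].split(" - ")
        return Entry(sec, parts[0], parts[-1])
    if sec == "O4":                                      # HKLM\..\Run: [name] command
        m4 = _O4_RE.match(rest)
        if not m4:
            return None
        key, name, cmd = m4.groups()
        return Entry(sec, f"{key} [{name}]", command_path(cmd))
    if sec == "O10":                                     # Unknown file in Winsock LSP: path
        label, _, path = rest.partition(": ")
        return Entry(sec, label, path)
    if sec == "O23" and rest.startswith("Service: "):     # Service: name - vendor - path
        parts = rest[9:].split(" - ")
        return Entry(sec, parts[0], parts[-1])
    return None


def triage(entry: Entry) -> Entry:
    """Attach review flags. Heuristics only; a flag means 'look here', not 'malware'."""
    t = entry.target.lower()
    if entry.section == "O10":
        entry.flags.append("LSP HijackThis could not identify; verify the DLL")
    elif entry.section in ("R0", "R1"):
        if t and not t.startswith(IE_DEFAULT_HOST):
            entry.flags.append("IE page/search target is not the XP default")
    elif t == "(no file)":
        entry.flags.append("registered but the file is missing")
    elif re.match(r"^[a-z]:\\", t):
        if not t.startswith(TRUSTED_ROOTS):
            entry.flags.append("loads from outside Windows/Program Files")
    elif t:
        entry.flags.append("no absolute path; resolved through the search order")
    return entry


def parse_log(text: str) -> list:
    """Parse every modelled line of a log and triage each entry."""
    entries = []
    for line in text.splitlines():
        e = parse_line(line)
        if e is not None:
            entries.append(triage(e))
    return entries


def flagged(text: str) -> list:
    """Only the entries that carry at least one review flag."""
    return [e for e in parse_log(text) if e.flags]


# Sample lines copied from the log in this thread; the last O4 line is constructed.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O4 - HKCU\..\Run: [example] C:\Documents and Settings\friend\Local Settings\Temp\example.exe
"""

if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.section:4} {e.name:45} {e.target}\n     -> {'; '.join(e.flags)}")
```

On the sample, three entries come back flagged: the `Mixer.exe` Run value (no absolute path, so Windows resolves it through the search order), the O10 LSP line, and the constructed entry under `Local Settings\Temp`. O9 lines are deliberately skipped, since their path column duplicates the BHO's. Extending the parser to O16 or O20/O21 lines is a matter of adding one branch per format.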
peku006
2009-03-13, 09:04
Hi s-t-n

1 - Clean temp files

Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop. Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.


Click Exit on the Main menu to close the program


2 - Kaspersky Online Scan

Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.

3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan, and the log should open in Notepad.

4 - Status Check
Please reply with

1. the Kaspersky online scanner report
2. a fresh HijackThis log
How's the computer running now? Any problems?

Thanks peku006

s-t-n
2009-03-15, 15:20
Sorry this is taking so long, Peku; I haven't just run off without replying. I'm having some internet troubles on the other computer's network. I did manage to get Kaspersky to scan before it crashed, but I had no memory stick to transfer the log at that time. I'll reply again when I have the log. But I did see that Kaspersky found 7 infections. Most of those were quarantined items from Avast, or viruses in the System Restore, but there was one still roaming free: a Win32 virus/worm.

peku006
2009-03-22, 10:31
Due to inactivity, this thread will now be closed.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.