
Thread: Virtumonde...again and again.

  1. #1
    Junior Member | Join Date: Jan 2008 | Posts: 5


    Hello. I've read numerous posts... attempted a couple of the requested answers for other people and I have not got anywhere... about 2 hours later I finally gave up and posted here. Here is the information I've accumulated.

    Errors
    When I attempt to open ComboFix I get 2 different error messages.

    16 Bit MS-Dos Subsystem
    C:\DOCUME~1\Alzarial\Desktop\Combofix.exe
    The NTVDM CPU has encountered an illegal instruction.
    CS:0533 IP:0225 OP:64 65 63 32 30 Choose 'Close' to terminate this application
    Close Ignore.

    If I hit Close, obviously it closes; if I hit Ignore I get the exact same message. After 2 attempts to ignore, the box and window close. There are small variations in each Ignore though.
    The rest of the message is the same.
    IP:0226 OP:65 63 32 30 30
    IP:0227 OP:63 32 30 30 33

    Also, I cannot delete ComboFix. I get an error message stating it's in use.

    Cannot delete ComboFix: It is being used by another person or program. Close any other programs that might be using the file and try again.

    I've also downloaded Vundo and followed the steps: scan - remove - reboot - remove - rescan until it finally says "Clear", but it cannot remove this file after about 20 reboot/scan/remove attempts.
    C:\WINDOWS\system32\yayyvsq.dll

    When I restart the computer I get an error message when I log in.
    RUNDLL
    Error loading C:\WINDOWS\System32\pmbefcpx.dll
    The specified module could not be found.

    I also noticed from the other posts that they want a HJT log. I downloaded it and here is the log after I did as much as I could with Vundo (I also did a search with S&D and Virtumonde generic still comes up).

    Log: Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:26:13 AM, on 1/26/2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\System32\drvder.dll,startup
    O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\System32\drvjak.dll,startup
    O4 - HKLM\..\Run: [NI.UGA6P_0001_N122M2210] "C:\Documents and Settings\Alzarial\Desktop\install_en.exe"
    O4 - HKLM\..\Run: [fc7832f6] rundll32.exe "C:\WINDOWS\System32\pmbefcpx.dll",b
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
    O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1194475117546
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1194475283062
    O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://66.184.224.178:84/plugin/h263ctrl.cab
    O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

    --
    End of file - 4308 bytes



    To sum up: ComboFix won't work for me. Can't delete it, multiple error messages, Vundo won't remove a file.

    PLEASE help.. Thank you so much for any info you can help me with.. I'll be off work tomorrow (Saturday at 5:30 PM my time). Thank you very much to whomever helps me out. I'll try just about anything.

    Also, this is probably something completely different... but sometimes my computer will pull me out of a window / game. I.e.: a full screen game gets minimized; typing in this box and suddenly I can't type because it de-selected this window. Stuff like that. Thanks guys.

    I managed to delete the incorrect ComboFix downloads and I got the new version. I ran that and now have a log (with a million deletes). Still waiting for the initial reply, just letting whoever looks next know I got it going.

    Current Programs:

    Spybot Search and Destroy
    VundoFix
    ComboFix


    If anything else is needed just let me know. Looking forward to an answer. =)
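The NTVDM error quoted in the post above is worth decoding before treating it as an infection symptom. Windows only hands a file named .exe to the 16-bit subsystem when it carries no MZ/PE header, and the OP bytes in the message are printable ASCII: 64 65 63 32 30 30 33 is "dec2003", and each "Ignore" advances IP by one and slides the five-byte window by one byte, exactly as the three quoted lines show. That is what launching a non-executable (for example a saved error page) as ComboFix.exe looks like, and it fits the later note that the downloads were bad. The script below is an added example, not part of this thread or of ComboFix or HijackThis: it stitches the quoted windows back together and checks whether a file on disk really has a DOS/PE header. The PE stub and the HTML blob are constructed test inputs.

```python
"""Decode NTVDM 'illegal instruction' bytes and check whether a downloaded
.exe is really a Win32 image.

Added example for this thread; not part of ComboFix, HijackThis or the
forum's procedure.  The OP byte windows are the three quoted in the post;
the PE stub and the HTML blob below are constructed test inputs.
"""

# The three OP windows reported after each "Ignore" (IP 0225, 0226, 0227).
OP_WINDOWS = ["64 65 63 32 30", "65 63 32 30 30", "63 32 30 30 33"]


def decode_ntvdm_ops(hex_bytes):
    """Turn 'OP: 64 65 63 ...' into text if every byte is printable ASCII, else None."""
    raw = bytes.fromhex(hex_bytes)
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def merge_overlapping(windows):
    """Stitch successive windows that overlap (each IP step slides the window by one byte)."""
    merged = windows[0]
    for w in windows[1:]:
        for k in range(min(len(merged), len(w)), 0, -1):
            if merged.endswith(w[:k]):
                merged += w[k:]
                break
        else:
            merged += w  # no overlap at all: just append
    return merged


def classify_image(data):
    """'pe' for a Win32 image, 'dos_mz' for a 16-bit MZ image, else 'not_executable'.

    A file with no MZ header is what XP runs under NTVDM as a .COM-style
    program, which produces exactly the 16-bit subsystem error in the post.
    """
    if len(data) < 64 or data[:2] != b"MZ":
        return "not_executable"
    e_lfanew = int.from_bytes(data[60:64], "little")  # offset of the PE signature
    if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
        return "pe"
    return "dos_mz"


def classify_file(path):
    """Classify a file on disk (reads the whole file; fine for a tool download)."""
    with open(path, "rb") as fh:
        return classify_image(fh.read())


def make_pe_stub():
    """Constructed: the smallest byte layout that passes classify_image (not runnable)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    dos[60:64] = (64).to_bytes(4, "little")  # e_lfanew: PE signature right after the DOS header
    file_header = b"\x4c\x01" + bytes(18)     # IMAGE_FILE_HEADER with Machine = i386, rest zero
    return bytes(dos) + b"PE\0\0" + file_header


if __name__ == "__main__":
    decoded = [decode_ntvdm_ops(w) for w in OP_WINDOWS]
    print("windows:", decoded, "->", merge_overlapping(decoded))
    print("pe stub :", classify_image(make_pe_stub()))
    print("html    :", classify_image(b"<html><head><title>Not Found</title>"))
```

Run `classify_file("ComboFix.exe")` on the download before launching it; anything other than `pe` means the file is not the tool, whatever its name says, and a fresh download (plus a size or hash comparison against the publisher's page) is the fix, not a malware removal step.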

  2. #2
    Emeritus-Security Expert | Join Date: Nov 2005 | Location: Florida's SpaceCoast | Posts: 15,208


    Hello Alzarial

    Welcome to Safer Networking.

    Please read Before You Post.
    That said, all advice given by anyone volunteering here is taken at your own risk.
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen.



    You have some issues going on that we need to take care of. Let's clean out some of the garbage first to get rid of that error message and so we can run some tools.


    Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

    O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\System32\drvder.dll,startup
    O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\System32\drvjak.dll,startup
    O4 - HKLM\..\Run: [NI.UGA6P_0001_N122M2210] "C:\Documents and Settings\Alzarial\Desktop\install_en.exe"
    O4 - HKLM\..\Run: [fc7832f6] rundll32.exe "C:\WINDOWS\System32\pmbefcpx.dll",b

    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm




    Please download OTMoveIt by OldTimer.

    • Save it to your desktop.
    • Please double-click OTMoveIt.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


      C:\WINDOWS\System32\drvder.dll
      C:\WINDOWS\System32\drvjak.dll
      C:\WINDOWS\System32\pmbefcpx.dll
      C:\Documents and Settings\Alzarial\Desktop\install_en.exe
    • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
    • Click the red Moveit! button.
    • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
    • Close OTMoveIt


    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.




    Please download ATF Cleaner by Atribune to your desktop.
    • This program is for XP and Windows 2000 only
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.


    Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up


    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.




    • When shown the disclaimer, select "2"


    The above procedure will:
    • Delete the following:
      • ComboFix and its associated files and folders.
      • VundoFix backups, if present
      • The C:\Deckard folder, if present
      • The C:\_OtMoveIt folder, if present

    • Reset the clock settings.
    • Hide file extensions, if required.
    • Hide System/Hidden files, if required.
    • Reset System Restore.





    Download ComboFix from Here to your Desktop.

    **Note: In the event you already have Combofix, please delete it from your desktop and download this new version . It is important that it is saved directly to your desktop**

    • Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
    • WARNING: IF you have not already done so Combofix will disconnect your machine from the Internet when it starts
    • Please do not re-connect your machine back to the Internet until Combofix has completely finished.



    Post the Combofix log and a new HJT log please
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.
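The reply above picks its HijackThis entries by eye. The script below is an added example, not something the helper or Safer Networking used, that turns the same reasoning into repeatable checks over a log: an HKLM Run value with an auto-generated hex name, rundll32 loading a DLL through a one-letter entry point, a machine-wide Run entry launching from a user's Desktop or Temp folder, an unnamed BHO, anything reported "(file missing)", a Winlogon Notify entry with no DLL behind it, and an ActiveX download (O16) from a bare IP address. The sample lines are copied from the logs in this thread; the flag names and the assumption that Run value names are unique within a log are this example's own. Note what it does not catch: the MSDisp32/MSDrive entries (drvder.dll, drvjak.dll) pass every heuristic here and were spotted by experience, which is why tools like this are a triage aid and not the decision.

```python
"""Triage a HijackThis (HJT) log for entries worth a second look.

Added example for this thread, not a tool the helper used.  The
heuristics encode what the reply above acted on and what the logs show.
Sample lines are copied from this thread's logs; the flag names are this
example's own.
"""
import re

SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {63EB56F2-2F51-46CE-A523-3E59E80F058B} - C:\WINDOWS\System32\gebyy.dll (file missing)
O2 - BHO: {6bdfe7df-571f-6838-de14-50405ea7a559} - {955a7ae5-0405-41ed-8386-f175fd7efdb6} - C:\WINDOWS\System32\dvyykndf.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\System32\drvder.dll,startup
O4 - HKLM\..\Run: [NI.UGA6P_0001_N122M2210] "C:\Documents and Settings\Alzarial\Desktop\install_en.exe"
O4 - HKLM\..\Run: [fc7832f6] rundll32.exe "C:\WINDOWS\System32\pmbefcpx.dll",b
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1194475117546
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://66.184.224.178:84/plugin/h263ctrl.cab
O20 - Winlogon Notify: sjctpmik - C:\WINDOWS\
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
"""

O2_RE = re.compile(r'^O2 - BHO: (?P<desc>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$')
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
RUNDLL_RE = re.compile(r'^rundll32\.exe\s+"?(?P<dll>[^",]+)"?,(?P<entry>\S*)', re.I)
O16_RE = re.compile(r'^O16 - DPF: \{[^}]+\} \([^)]*\) - (?P<url>\S+)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: \S+ - (?P<path>.*)$')
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]+?\.(?:exe|dll|sys|ocx)', re.I)
IP_URL_RE = re.compile(r'^https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/')
HEX_NAME_RE = re.compile(r'^[0-9a-f]{6,}$', re.I)
# Locations a machine-wide (HKLM) Run entry has no business launching from.
USER_PROFILE_MARKERS = ('\\documents and settings\\', '\\docume~1\\', '\\temp\\', '\\locals~1\\')


def triage_line(line):
    """Return the sorted list of heuristic flags tripped by one HJT log line."""
    flags = []
    if line.endswith('(file missing)'):
        flags.append('file_missing')
    m = O2_RE.match(line)
    if m and (m['desc'] == '(no name)' or m['desc'].startswith('{')):
        flags.append('bho_unnamed')
    m = O4_RE.match(line)
    if m:
        if HEX_NAME_RE.match(m['name']):
            flags.append('hex_value_name')
        r = RUNDLL_RE.match(m['cmd'])
        if r and len(r['entry']) <= 1:
            flags.append('rundll32_short_export')
        p = PATH_RE.search(m['cmd'])
        if p and m['hive'] == 'HKLM' and any(mk in p.group(0).lower() for mk in USER_PROFILE_MARKERS):
            flags.append('hklm_run_user_profile')
    m = O16_RE.match(line)
    if m and IP_URL_RE.match(m['url']):
        flags.append('dpf_raw_ip')
    m = O20_RE.match(line)
    if m and not m['path'].lower().endswith('.dll'):
        flags.append('winlogon_notify_no_dll')
    return sorted(flags)


def triage(log_text):
    """Map each log line that tripped at least one heuristic to its flags."""
    findings = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            flags = triage_line(line)
            if flags:
                findings[line] = flags
    return findings


def flags_for(findings, needle):
    """Flags of the first flagged line containing needle, or [] if it was not flagged."""
    for line, flags in findings.items():
        if needle in line:
            return flags
    return []


if __name__ == '__main__':
    for line, flags in triage(SAMPLE_LOG).items():
        print(', '.join(flags).ljust(36), line)
```

Feed it a whole HJT log and read the unflagged entries too; the point of the flags is to order the review, and an entry the helper would still remove (a Run value impersonating a Microsoft name, an O9 button nobody installed on purpose) will not appear here.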

  3. #3
    Junior Member | Join Date: Jan 2008 | Posts: 5

    k

    ok my keyboard stopped working
    not wireless, no special installs
    using char map
    computer schemes set to classic, can't change back
    using admin user
    other user freezes now
    here are the logs you requested. seems like it is in safe mode with background, no safe mode in corners. I'll try getting my keyboard to work again

    ComboFix 08-01-23.1C - Alzarial 2008-01-27 13:23:23.4 - NTFSx86 NETWORK
    Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.843 [GMT -6:00]
    Running from: C:\Documents and Settings\Alzarial\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 )))))))))))))))))))))))))))))))
    .

    2008-01-27 13:10 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
    2008-01-26 01:35 . 2008-01-26 01:35 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
    2008-01-26 01:16 . 2008-01-26 01:16 <DIR> d-------- C:\Program Files\Trend Micro
    2008-01-25 23:16 . 2008-01-25 23:16 263 --a------ C:\WINDOWS\wininit.ini
    2008-01-24 22:39 . 2008-01-24 22:39 94,208 --a------ C:\WINDOWS\DIIUnin.exe
    2008-01-24 22:39 . 2008-01-24 22:46 35,387 --a------ C:\WINDOWS\DIIUnin.dat
    2008-01-24 22:39 . 2008-01-24 22:39 2,829 --a------ C:\WINDOWS\DIIUnin.pif
    2008-01-24 22:36 . 2004-10-07 13:39 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
    2008-01-24 22:36 . 2004-10-07 13:39 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
    2008-01-24 22:36 . 2004-10-07 13:39 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
    2008-01-24 22:36 . 2004-10-07 13:39 89,088 --a------ C:\WINDOWS\system32\atl71.dll
    2008-01-24 22:36 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
    2008-01-24 21:01 . 2008-01-24 22:45 21,840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
    2008-01-24 21:01 . 2008-01-24 22:45 17,212 --a----t- C:\WINDOWS\system32\SIntf32.dll
    2008-01-24 21:01 . 2008-01-24 22:45 12,067 --a----t- C:\WINDOWS\system32\SIntf16.dll
    2008-01-24 20:47 . 2008-01-26 23:05 <DIR> d-------- C:\Program Files\Diablo II
    2008-01-23 19:02 . 2008-01-27 13:21 <DIR> d-------- C:\Program Files\Steam
    2008-01-23 18:32 . 2008-01-24 21:39 <DIR> d-------- C:\Program Files\Diablo II Shareware
    2008-01-21 02:40 . 2003-07-20 12:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
    2008-01-21 02:40 . 2005-01-04 03:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
    2008-01-21 02:20 . 2008-01-21 02:20 <DIR> d-------- C:\Nexon
    2008-01-17 23:59 . 2008-01-19 20:32 69 --a------ C:\WINDOWS\NeroDigital.ini
    2008-01-13 14:16 . 2008-01-13 14:16 66,936 --ahs---- C:\WINDOWS\dlinfo_0.drv
    2008-01-13 14:15 . 2008-01-13 14:15 61,440 --a------ C:\WINDOWS\diabunin.exe
    2008-01-12 19:33 . 2008-01-12 19:33 <DIR> d-------- C:\Program Files\Common Files\Ahead
    2008-01-12 19:33 . 2008-01-12 19:33 <DIR> d-------- C:\Program Files\Ahead
    2008-01-12 19:33 . 2004-07-20 17:24 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
    2008-01-12 19:33 . 2004-07-20 17:24 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
    2008-01-12 19:33 . 2004-07-20 17:24 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
    2008-01-12 19:33 . 2004-07-09 09:43 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll
    2008-01-12 19:33 . 2004-07-20 17:24 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
    2008-01-12 19:33 . 2001-07-09 11:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
    2008-01-12 19:33 . 2004-03-03 21:30 125,184 --------- C:\WINDOWS\system32\drivers\imagesrv.sys
    2008-01-12 19:33 . 2000-06-26 11:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
    2008-01-12 19:33 . 2001-06-26 08:15 38,912 --------- C:\WINDOWS\system32\picn20.dll
    2008-01-12 19:33 . 2004-03-03 21:30 5,504 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
    2008-01-12 19:07 . 2008-01-13 14:15 86,528 --a------ C:\WINDOWS\bnetunin.exe
    2008-01-12 19:07 . 2008-01-12 19:07 61,440 --a------ C:\WINDOWS\diabswun.exe
    2008-01-09 20:56 . 2008-01-09 20:56 <DIR> d-------- C:\Program Files\Audacity
    2008-01-01 13:52 . 2004-03-22 18:17 24,816 --a------ C:\WINDOWS\system32\mdimon.dll
    2008-01-01 13:52 . 2008-01-01 13:52 376 --a------ C:\WINDOWS\ODBC.INI
    2008-01-01 13:51 . 2008-01-01 13:51 <DIR> d-------- C:\Program Files\Microsoft.NET
    2008-01-01 13:51 . 2008-01-01 13:51 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
    2008-01-01 13:50 . 2008-01-01 13:51 <DIR> d-------- C:\WINDOWS\SHELLNEW

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-27 05:05 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
    2008-01-21 02:12 --------- d-----w C:\Program Files\World of Warcraft
    2007-12-05 06:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-12-05 06:05 --------- d-----w C:\Program Files\GameTap
    2007-11-27 01:00 --------- d-----w C:\Program Files\Ares
    2007-11-11 09:08 60,416 ----a-w C:\WINDOWS\ALCFDRTM.EXE
    2007-11-06 03:28 4,692,992 ----a-w C:\Program Files\NETGEAR WG311v2 802.11g Wireless PCI Adapter.msi
    2007-11-06 03:28 4,107 ----a-w C:\Program Files\0x0409.ini
    2004-07-02 18:19 40,960 ----a-w C:\WINDOWS\inf\WG311v2\imdinst.exe
    2004-06-18 05:41 386,688 ----a-w C:\WINDOWS\inf\WG311v2\netwg311_XP.sys
    2004-04-04 19:07 84,912 ----a-w C:\WINDOWS\inf\WG311v2\FwRad17.bin
    2004-04-04 19:07 83,320 ----a-w C:\WINDOWS\inf\WG311v2\FwRad16.bin
    2004-02-04 18:53 62,865 ----a-w C:\WINDOWS\inf\WG311v2\odysseyIM3.sys
    2004-02-04 18:53 12,739 ----a-w C:\WINDOWS\inf\WG311v2\odNetInstall.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2008-01-27_13.11.30.95 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-01-27 18:52:26 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    + 2008-01-27 19:20:44 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    - 2008-01-27 18:52:26 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-01-27 19:20:44 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2008-01-27 18:52:26 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2008-01-27 19:20:44 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63EB56F2-2F51-46CE-A523-3E59E80F058B}]
    C:\WINDOWS\System32\gebyy.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{955a7ae5-0405-41ed-8386-f175fd7efdb6}]
    C:\WINDOWS\System32\dvyykndf.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CE4F65E3-65B2-49D9-A040-9D9C16C96DF6}]
    C:\WINDOWS\System32\jkhff.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EFDD2703-A8B3-4CB6-A4F9-11816B463C37}]
    C:\WINDOWS\System32\ddayw.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-11-06 19:51 3810544]
    "RemoteControl"="" []
    "MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-11-15 16:18 1670144]
    "ares"="C:\Program Files\Ares\Ares.exe" [2007-11-23 10:18 962560]
    "Steam"="C:\Program Files\Steam\Steam.exe" [2008-01-23 19:17 1266936]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-03-09 01:29 7561216]
    "nwiz"="nwiz.exe" []
    "NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-03-09 01:29 86016]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
    "RemoteCenter"="" []
    "SoundMan"="SOUNDMAN.EXE" [2006-11-17 05:42 577536 C:\WINDOWS\soundman.exe]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    NETGEAR WG311v2 Smart Configuration.lnk - C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe [2004-10-14 12:32:18 450560]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sjctpmik]

    R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\System32\DRIVERS\odysseyIM3.sys [2007-11-05 21:28]
    S2 X4HSX32;X4HSX32;C:\Program Files\GameTap\bin\Release\X4HSX32.Sys [2007-10-31 05:14]
    S3 GVCplDrv;GVCplDrv;C:\WINDOWS\System32\drivers\GVCplDrv.sys [2004-05-02 02:47]
    S3 mdxgthkn;mdxgthkn;C:\DOCUME~1\Alzarial\LOCALS~1\Temp\mdxgthkn.sys []

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-27 13:24:56
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-27 13:25:13
    ComboFix-quarantined-files.txt 2008-01-27 19:25:05
    .
    2007-11-14 21:08:43 --- E O F ---

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:25:44 PM, on 1/27/2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {63EB56F2-2F51-46CE-A523-3E59E80F058B} - C:\WINDOWS\System32\gebyy.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: {6bdfe7df-571f-6838-de14-50405ea7a559} - {955a7ae5-0405-41ed-8386-f175fd7efdb6} - C:\WINDOWS\System32\dvyykndf.dll (file missing)
    O2 - BHO: (no name) - {CE4F65E3-65B2-49D9-A040-9D9C16C96DF6} - C:\WINDOWS\System32\jkhff.dll (file missing)
    O2 - BHO: (no name) - {EFDD2703-A8B3-4CB6-A4F9-11816B463C37} - C:\WINDOWS\System32\ddayw.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
    O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1194475117546
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1194475283062
    O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://66.184.224.178:84/plugin/h263ctrl.cab
    O20 - Winlogon Notify: sjctpmik - C:\WINDOWS\
    O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

    --
    End of file - 4302 bytes


    File/Folder not found.
    DllUnregisterServer procedure not found in C:\WINDOWS\System32\drvder.dll
    C:\WINDOWS\System32\drvder.dll NOT unregistered.
    C:\WINDOWS\System32\drvder.dll moved successfully.
    DllUnregisterServer procedure not found in C:\WINDOWS\System32\drvjak.dll
    C:\WINDOWS\System32\drvjak.dll NOT unregistered.
    C:\WINDOWS\System32\drvjak.dll moved successfully.
    File/Folder C:\WINDOWS\System32\pmbefcpx.dll not found.
    File/Folder C:\Documents and Settings\Alzarial\Desktop\install_en.exe not found.

    Created on 01/27/2008 13:01:51

  4. #4
    Junior Member | Join Date: Jan 2008 | Posts: 5

    o.O

    Alright, well I got my keyboard working again... I'll try to re-explain. All my windows/Start bar are set in Classic scheme now. Everything else now seems to work. No errors upon start up. Well, it seems like the browser here is the only thing that isn't frozen now. My "Windows" securities are gone. Just giving you an update.

  5. #5
    Junior Member | Join Date: Jan 2008 | Posts: 5

    Update.

    Ran Kaspersky, found 2 infected files; the OTMoveIt was listed for both. Sometimes freezes up now in user Alzarial (not admin).

  6. #6
    Emeritus-Security Expert | Join Date: Nov 2005 | Location: Florida's SpaceCoast | Posts: 15,208


    Hello,

    Nothing real bad on the scans, just some leftovers. Keep in mind that you seem pretty heavy into gaming and sometimes the programs you download bring other garbage with them.

    Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above File::

    File::
    C:\DOCUME~1\Alzarial\LOCALS~1\Temp\mdxgthkn.sys

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63EB56F2-2F51-46CE-A523-3E59E80F058B}]

    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{955a7ae5-0405-41ed-8386-f175fd7efdb6}]

    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CE4F65E3-65B2-49D9-A040-9D9C16C96DF6}]

    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EFDD2703-A8B3-4CB6-A4F9-11816B463C37}]

    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sjctpmik]
    Save this as CFScript to your desktop.

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.




    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
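The CFScript in the reply above was written by hand from the "Reg Loading Points" section of the earlier ComboFix log: every Browser Helper Object whose DLL is gone, the Winlogon Notify entry with no DLL behind it, and the driver with no timestamp sitting in a Temp folder. The script below is an added example, not ComboFix's own tooling or the helper's method, that applies those three rules to that section and emits a file in the same layout (a `File::` block, a blank line, then a `Registry::` block with one `[-key]` per line, each followed by a blank line, and no leading whitespace before `File::`). The sample is the loading-points section from the log posted earlier plus one constructed line for Spybot's SDHelper.dll, marked as present, so the keep branch runs too; whether a DLL exists is injected as a callable because this runs somewhere other than the infected machine. The `~` shorthand in the key names is kept exactly as the helper's script uses it.

```python
"""Build a CFScript from ComboFix "Reg Loading Points" output.

Added example for this thread; not part of ComboFix.  Selection rules are
the ones the helper applied by hand: a BHO whose DLL is missing, a Winlogon
Notify entry with no DLL, and a driver with no timestamp that lives under a
Temp folder.  SAMPLE_LOADING_POINTS is the section from the log posted in
this thread plus one constructed SDHelper.dll line; PRESENT_IN_SAMPLE is
the constructed set of files we pretend still exist.
"""
import os
import re

SAMPLE_LOADING_POINTS = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63EB56F2-2F51-46CE-A523-3E59E80F058B}]
C:\WINDOWS\System32\gebyy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{955a7ae5-0405-41ed-8386-f175fd7efdb6}]
C:\WINDOWS\System32\dvyykndf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CE4F65E3-65B2-49D9-A040-9D9C16C96DF6}]
C:\WINDOWS\System32\jkhff.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EFDD2703-A8B3-4CB6-A4F9-11816B463C37}]
C:\WINDOWS\System32\ddayw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-11-06 19:51 3810544]
"RemoteControl"="" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sjctpmik]

R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\System32\DRIVERS\odysseyIM3.sys [2007-11-05 21:28]
S2 X4HSX32;X4HSX32;C:\Program Files\GameTap\bin\Release\X4HSX32.Sys [2007-10-31 05:14]
S3 GVCplDrv;GVCplDrv;C:\WINDOWS\System32\drivers\GVCplDrv.sys [2004-05-02 02:47]
S3 mdxgthkn;mdxgthkn;C:\DOCUME~1\Alzarial\LOCALS~1\Temp\mdxgthkn.sys []
"""

# Constructed: the only DLL we pretend is still on disk (the constructed Spybot BHO line).
PRESENT_IN_SAMPLE = {r'C:\PROGRA~1\SPYBOT~1\SDHelper.dll'}

KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
PATH_RE = re.compile(r'^[A-Za-z]:\\')
DRIVER_RE = re.compile(r'^[RS]\d (?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)\s*\[(?P<stamp>[^\]]*)\]$')


def parse_loading_points(text):
    """Return ([(key, dll_path_or_None)], [(name, path, stamp)]) from the section text."""
    lines = [ln.strip() for ln in text.splitlines()]
    keys, drivers = [], []
    i = 0
    while i < len(lines):
        m = KEY_RE.match(lines[i])
        if m:
            j = i + 1
            while j < len(lines) and not lines[j]:  # skip blank lines after the key
                j += 1
            if j < len(lines) and PATH_RE.match(lines[j]):  # the line under a key is its DLL
                keys.append((m['key'], lines[j]))
                i = j + 1
            else:
                keys.append((m['key'], None))
                i += 1
            continue
        d = DRIVER_RE.match(lines[i])
        if d:
            drivers.append((d['name'], d['path'], d['stamp']))
        i += 1
    return keys, drivers


def select_targets(text, file_exists=os.path.exists):
    """Apply the three rules; returns (files_to_delete, keys_to_delete) in log order."""
    keys, drivers = parse_loading_points(text)
    delete_keys, delete_files = [], []
    for key, dll in keys:
        lk = key.lower()
        if '\\browser helper objects\\' in lk and (dll is None or not file_exists(dll)):
            delete_keys.append(key)
        elif '\\winlogon\\notify\\' in lk and dll is None:
            delete_keys.append(key)
    for _name, path, stamp in drivers:
        if not stamp or '\\temp\\' in path.lower():
            delete_files.append(path)
    return delete_files, delete_keys


def render_cfscript(files, keys):
    """Emit the File::/Registry:: layout used in the reply above."""
    parts = []
    if files:
        parts.append('File::')
        parts.extend(files)
        parts.append('')
    if keys:
        parts.append('Registry::')
        for key in keys:
            parts.append('[-' + key + ']')
            parts.append('')
    return '\n'.join(parts).rstrip('\n') + '\n'


def build_cfscript(text, file_exists=os.path.exists):
    return render_cfscript(*select_targets(text, file_exists))


if __name__ == '__main__':
    print(build_cfscript(SAMPLE_LOADING_POINTS, PRESENT_IN_SAMPLE.__contains__), end='')
```

On the machine itself you would call `build_cfscript(section_text)` with the default `os.path.exists`, save the result as CFScript.txt on the Desktop, and still read it before dragging it onto ComboFix: the rules are a transcription of one helper's judgement in one thread, and a legitimate BHO whose DLL is temporarily missing would be deleted just the same.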

  7. #7
    Junior Member | Join Date: Jan 2008 | Posts: 5

    Here ya go =)

    Heh, you are right, I'm into gaming. I know exactly how I got this too >.< History in a nutshell: girl reformatted when I was gone - SP2 wasn't downloaded - I was downloading something and got redirected when I wasn't looking. Here are the new files and thanks a lot for all this =) I need to get SP2 after we're done with this. If you have any links, or will auto updates work again?



    HJT


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:41:41 PM, on 1/27/2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
    O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1194475117546
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1194475283062
    O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://66.184.224.178:84/plugin/h263ctrl.cab
    O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

    --
    End of file - 4277 bytes

    Combo

    ComboFix 08-01-23.1C - Alzarial 2008-01-27 16:39:37.5 - NTFSx86 NETWORK
    Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.789 [GMT -6:00]
    Running from: C:\Documents and Settings\Alzarial\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Alzarial\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE
    C:\DOCUME~1\Alzarial\LOCALS~1\Temp\mdxgthkn.sys
    .

    ((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 )))))))))))))))))))))))))))))))
    .

    2008-01-27 14:26 . 2008-01-27 14:26 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-01-27 13:10 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
    2008-01-26 01:35 . 2008-01-26 01:35 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
    2008-01-26 01:16 . 2008-01-26 01:16 <DIR> d-------- C:\Program Files\Trend Micro
    2008-01-25 23:16 . 2008-01-25 23:16 263 --a------ C:\WINDOWS\wininit.ini
    2008-01-24 22:39 . 2008-01-24 22:39 94,208 --a------ C:\WINDOWS\DIIUnin.exe
    2008-01-24 22:39 . 2008-01-24 22:46 35,387 --a------ C:\WINDOWS\DIIUnin.dat
    2008-01-24 22:39 . 2008-01-24 22:39 2,829 --a------ C:\WINDOWS\DIIUnin.pif
    2008-01-24 22:36 . 2004-10-07 13:39 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
    2008-01-24 22:36 . 2004-10-07 13:39 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
    2008-01-24 22:36 . 2004-10-07 13:39 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
    2008-01-24 22:36 . 2004-10-07 13:39 89,088 --a------ C:\WINDOWS\system32\atl71.dll
    2008-01-24 22:36 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
    2008-01-24 21:01 . 2008-01-24 22:45 21,840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
    2008-01-24 21:01 . 2008-01-24 22:45 17,212 --a----t- C:\WINDOWS\system32\SIntf32.dll
    2008-01-24 21:01 . 2008-01-24 22:45 12,067 --a----t- C:\WINDOWS\system32\SIntf16.dll
    2008-01-24 20:47 . 2008-01-26 23:05 <DIR> d-------- C:\Program Files\Diablo II
    2008-01-23 19:02 . 2008-01-27 16:38 <DIR> d-------- C:\Program Files\Steam
    2008-01-23 18:32 . 2008-01-24 21:39 <DIR> d-------- C:\Program Files\Diablo II Shareware
    2008-01-21 02:40 . 2003-07-20 12:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
    2008-01-21 02:40 . 2005-01-04 03:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
    2008-01-21 02:20 . 2008-01-21 02:20 <DIR> d-------- C:\Nexon
    2008-01-17 23:59 . 2008-01-19 20:32 69 --a------ C:\WINDOWS\NeroDigital.ini
    2008-01-13 14:16 . 2008-01-13 14:16 66,936 --ahs---- C:\WINDOWS\dlinfo_0.drv
    2008-01-13 14:15 . 2008-01-13 14:15 61,440 --a------ C:\WINDOWS\diabunin.exe
    2008-01-12 19:33 . 2008-01-12 19:33 <DIR> d-------- C:\Program Files\Common Files\Ahead
    2008-01-12 19:33 . 2008-01-12 19:33 <DIR> d-------- C:\Program Files\Ahead
    2008-01-12 19:33 . 2004-07-20 17:24 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
    2008-01-12 19:33 . 2004-07-20 17:24 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
    2008-01-12 19:33 . 2004-07-20 17:24 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
    2008-01-12 19:33 . 2004-07-09 09:43 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll
    2008-01-12 19:33 . 2004-07-20 17:24 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
    2008-01-12 19:33 . 2001-07-09 11:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
    2008-01-12 19:33 . 2004-03-03 21:30 125,184 --------- C:\WINDOWS\system32\drivers\imagesrv.sys
    2008-01-12 19:33 . 2000-06-26 11:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
    2008-01-12 19:33 . 2001-06-26 08:15 38,912 --------- C:\WINDOWS\system32\picn20.dll
    2008-01-12 19:33 . 2004-03-03 21:30 5,504 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
    2008-01-12 19:07 . 2008-01-13 14:15 86,528 --a------ C:\WINDOWS\bnetunin.exe
    2008-01-12 19:07 . 2008-01-12 19:07 61,440 --a------ C:\WINDOWS\diabswun.exe
    2008-01-09 20:56 . 2008-01-09 20:56 <DIR> d-------- C:\Program Files\Audacity
    2008-01-01 13:52 . 2004-03-22 18:17 24,816 --a------ C:\WINDOWS\system32\mdimon.dll
    2008-01-01 13:52 . 2008-01-01 13:52 376 --a------ C:\WINDOWS\ODBC.INI
    2008-01-01 13:51 . 2008-01-01 13:51 <DIR> d-------- C:\Program Files\Microsoft.NET
    2008-01-01 13:51 . 2008-01-01 13:51 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
    2008-01-01 13:50 . 2008-01-01 13:51 <DIR> d-------- C:\WINDOWS\SHELLNEW

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-27 05:05 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
    2008-01-21 02:12 --------- d-----w C:\Program Files\World of Warcraft
    2007-12-05 06:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-12-05 06:05 --------- d-----w C:\Program Files\GameTap
    2007-11-27 01:00 --------- d-----w C:\Program Files\Ares
    2007-11-11 09:08 60,416 ----a-w C:\WINDOWS\ALCFDRTM.EXE
    2007-11-06 03:28 4,692,992 ----a-w C:\Program Files\NETGEAR WG311v2 802.11g Wireless PCI Adapter.msi
    2007-11-06 03:28 4,107 ----a-w C:\Program Files\0x0409.ini
    2004-07-02 18:19 40,960 ----a-w C:\WINDOWS\inf\WG311v2\imdinst.exe
    2004-06-18 05:41 386,688 ----a-w C:\WINDOWS\inf\WG311v2\netwg311_XP.sys
    2004-04-04 19:07 84,912 ----a-w C:\WINDOWS\inf\WG311v2\FwRad17.bin
    2004-04-04 19:07 83,320 ----a-w C:\WINDOWS\inf\WG311v2\FwRad16.bin
    2004-02-04 18:53 62,865 ----a-w C:\WINDOWS\inf\WG311v2\odysseyIM3.sys
    2004-02-04 18:53 12,739 ----a-w C:\WINDOWS\inf\WG311v2\odNetInstall.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2008-01-27_13.11.30.95 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2000-08-31 14:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
    + 2008-01-27 22:39:34 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
    + 2008-01-27 22:39:34 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
    + 2008-01-27 22:39:34 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
    + 2008-01-27 22:39:34 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
    + 2008-01-27 22:39:34 3,620,864 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
    + 2008-01-27 22:39:34 143,360 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
    - 2008-01-27 18:52:26 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    + 2008-01-27 19:20:44 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    - 2008-01-27 18:52:26 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-01-27 19:20:44 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2008-01-27 18:52:26 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2008-01-27 19:20:44 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2005-05-24 18:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
    + 2007-08-29 21:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
    + 2007-08-29 21:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
    - 2007-11-11 09:07:58 11,842 ----a-w C:\WINDOWS\system32\Lang\Arabic.bin
    + 2008-01-27 21:18:22 11,842 ----a-w C:\WINDOWS\system32\Lang\Arabic.bin
    - 2007-11-11 09:07:58 13,831 ----a-w C:\WINDOWS\system32\Lang\Danish.bin
    + 2008-01-27 21:18:22 13,831 ----a-w C:\WINDOWS\system32\Lang\Danish.bin
    - 2007-11-11 09:07:58 14,470 ----a-w C:\WINDOWS\system32\Lang\Dutch.bin
    + 2008-01-27 21:18:22 14,470 ----a-w C:\WINDOWS\system32\Lang\Dutch.bin
    - 2007-11-11 09:07:58 12,032 ----a-w C:\WINDOWS\system32\Lang\English.bin
    + 2008-01-27 21:18:22 12,032 ----a-w C:\WINDOWS\system32\Lang\English.bin
    - 2007-11-11 09:07:58 15,325 ----a-w C:\WINDOWS\system32\Lang\French.bin
    + 2008-01-27 21:18:22 15,325 ----a-w C:\WINDOWS\system32\Lang\French.bin
    - 2007-11-11 09:07:58 14,873 ----a-w C:\WINDOWS\system32\Lang\German.bin
    + 2008-01-27 21:18:22 14,873 ----a-w C:\WINDOWS\system32\Lang\German.bin
    - 2007-11-11 09:07:58 13,966 ----a-w C:\WINDOWS\system32\Lang\Greek.bin
    + 2008-01-27 21:18:22 13,966 ----a-w C:\WINDOWS\system32\Lang\Greek.bin
    - 2007-11-11 09:07:58 15,718 ----a-w C:\WINDOWS\system32\Lang\Italian.bin
    + 2008-01-27 21:18:22 15,718 ----a-w C:\WINDOWS\system32\Lang\Italian.bin
    - 2007-11-11 09:07:58 13,345 ----a-w C:\WINDOWS\system32\Lang\Japanese.bin
    + 2008-01-27 21:18:22 13,345 ----a-w C:\WINDOWS\system32\Lang\Japanese.bin
    - 2007-11-11 09:07:58 11,498 ----a-w C:\WINDOWS\system32\Lang\Korean.bin
    + 2008-01-27 21:18:22 11,498 ----a-w C:\WINDOWS\system32\Lang\Korean.bin
    - 2007-11-11 09:07:58 13,431 ----a-w C:\WINDOWS\system32\Lang\Polish.bin
    + 2008-01-27 21:18:22 13,431 ----a-w C:\WINDOWS\system32\Lang\Polish.bin
    - 2007-11-11 09:07:58 13,746 ----a-w C:\WINDOWS\system32\Lang\Portuguese_Brazilian.bin
    + 2008-01-27 21:18:22 13,746 ----a-w C:\WINDOWS\system32\Lang\Portuguese_Brazilian.bin
    - 2007-11-11 09:07:58 14,634 ----a-w C:\WINDOWS\system32\Lang\Portuguese_Default.bin
    + 2008-01-27 21:18:22 14,634 ----a-w C:\WINDOWS\system32\Lang\Portuguese_Default.bin
    - 2007-11-11 09:07:58 15,050 ----a-w C:\WINDOWS\system32\Lang\Russian.bin
    + 2008-01-27 21:18:22 15,050 ----a-w C:\WINDOWS\system32\Lang\Russian.bin
    - 2007-11-11 09:07:58 9,484 ----a-w C:\WINDOWS\system32\Lang\SimChin.bin
    + 2008-01-27 21:18:22 9,484 ----a-w C:\WINDOWS\system32\Lang\SimChin.bin
    - 2007-11-11 09:07:58 15,409 ----a-w C:\WINDOWS\system32\Lang\Spanish.bin
    + 2008-01-27 21:18:22 15,409 ----a-w C:\WINDOWS\system32\Lang\Spanish.bin
    - 2007-11-11 09:07:58 13,560 ----a-w C:\WINDOWS\system32\Lang\SWEDISH.bin
    + 2008-01-27 21:18:22 13,560 ----a-w C:\WINDOWS\system32\Lang\SWEDISH.bin
    - 2007-11-11 09:07:58 12,247 ----a-w C:\WINDOWS\system32\Lang\Thai.bin
    + 2008-01-27 21:18:22 12,247 ----a-w C:\WINDOWS\system32\Lang\Thai.bin
    - 2007-11-11 09:07:58 10,111 ----a-w C:\WINDOWS\system32\Lang\TradChin.bin
    + 2008-01-27 21:18:22 10,111 ----a-w C:\WINDOWS\system32\Lang\TradChin.bin
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-11-06 19:51 3810544]
    "RemoteControl"="" []
    "MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-11-15 16:18 1670144]
    "ares"="C:\Program Files\Ares\Ares.exe" [2007-11-23 10:18 962560]
    "Steam"="C:\Program Files\Steam\Steam.exe" [2008-01-23 19:17 1266936]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-03-09 01:29 7561216]
    "nwiz"="nwiz.exe" []
    "NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-03-09 01:29 86016]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
    "RemoteCenter"="" []
    "SoundMan"="SOUNDMAN.EXE" [2006-11-17 05:42 577536 C:\WINDOWS\soundman.exe]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    NETGEAR WG311v2 Smart Configuration.lnk - C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe [2004-10-14 12:32:18 450560]

    R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\System32\DRIVERS\odysseyIM3.sys [2007-11-05 21:28]
    S2 X4HSX32;X4HSX32;C:\Program Files\GameTap\bin\Release\X4HSX32.Sys [2007-10-31 05:14]
    S3 GVCplDrv;GVCplDrv;C:\WINDOWS\System32\drivers\GVCplDrv.sys [2004-05-02 02:47]
    S3 mdxgthkn;mdxgthkn;C:\DOCUME~1\Alzarial\LOCALS~1\Temp\mdxgthkn.sys []

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-27 16:40:51
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-27 16:41:09
    ComboFix-quarantined-files.txt 2008-01-27 22:41:02
    ComboFix2.txt 2008-01-27 19:25:14
    .
    2007-11-14 21:08:43 --- E O F ---

  8. #8
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Hello,

    I see no reason for not downloading SP2. You can open IE and go to Tools > Windows Update, or you can go directly to this site and download it; they even offer free support for installing SP2 if you have issues. You can even order a free CD from Microsoft.

    http://www.microsoft.com/windowsxp/sp2/default.mspx
    http://support.microsoft.com/default...r=windowsxpsp2 <-- Contact a support person


    Your log looks fine, so this is as far as I can go, as this forum is for Malware Removal only.

    Ken
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014