
Thread: virtumonde got me too

  1. #1
    Member (Join Date: Feb 2008, Posts: 41)

    virtumonde got me too

    Help! I went to Kaspersky and ran the scanner. It found 15 viruses and 135 (not sure) places. When it finished there was a notification at the bottom of the webpage stating "error on page". There was no button visible to save as text. Next, I ran spybot in safe mode and it found Virtumonde and several other items. I clicked fix problems and all came up with green check. I then rebooted back into windows and launched IE explorer 7 to dl Hijackthis. IE then opened up 14 windows. I ctrl-alt-del and shut down IE. I fired up Opera 9.24, dl'd HJT 2.0.2 and ran it. Here is the log. Thanks in advance!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:10:25 PM, on 2/16/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    c:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\atiptaxx.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\WINDOWS\system32\ctfmon .exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    F3 - REG:win.ini: load=C:\WINDOWS\system32\oppop.exe
    F2 - REG:system.ini: UserInit=userinit.exe
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\FJW\Application Data\Mozilla\Profiles\default\brw22mi9.slt\prefs.js)
    O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file)
    O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [d422d49c] rundll32.exe "C:\WINDOWS\system32\uwdnihak.dll",b
    O4 - HKLM\..\Run: [BMd711e700] Rundll32.exe "C:\WINDOWS\system32\qogdaoim.dll",s
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Search - ?p=ZJfox000
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {03A0F84E-3E69-4B3E-B4D3-019CB73B57B3} (AuthWebWizardMain.DHTMLPage1) - http://www3.authentium.com/cssrelease/bin/WizMain.exe
    O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-36.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} (MLauncherNew Class) - http://legendofares.netgame.com/down...auncherNew.cab
    O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - http://us.mcafee.com/Apps/WSC/en-us/...cannerCtrl.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...trol_v1-32.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...92/mcfscan.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - c:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 5657 bytes

  2. #2
    Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 29,374)

    Hi didymustoo

    Rename HijackThis.exe to didymustoo.exe and post back a fresh HijackThis log, please.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #3
    Member (Join Date: Feb 2008, Posts: 41)

    didymustoo.exe post

    Thanks for your help. I really appreciate it.

    Here is the listing of HJT renamed didymustoo.exe.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:29:02 AM, on 2/19/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    c:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\atiptaxx.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\Program Files\Opera\Opera.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    F3 - REG:win.ini: load=C:\WINDOWS\system32\oppop.exe
    F2 - REG:system.ini: UserInit=userinit.exe
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\FJW\Application Data\Mozilla\Profiles\default\brw22mi9.slt\prefs.js)
    O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file)
    O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [d422d49c] rundll32.exe "C:\WINDOWS\system32\eyhltecu.dll",b
    O4 - HKLM\..\Run: [BMd711e700] Rundll32.exe "C:\WINDOWS\system32\iijfonay.dll",s
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Search - ?p=ZJfox000
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {03A0F84E-3E69-4B3E-B4D3-019CB73B57B3} (AuthWebWizardMain.DHTMLPage1) - http://www3.authentium.com/cssrelease/bin/WizMain.exe
    O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-36.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} (MLauncherNew Class) - http://legendofares.netgame.com/down...auncherNew.cab
    O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - http://us.mcafee.com/Apps/WSC/en-us/...cannerCtrl.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...trol_v1-32.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...92/mcfscan.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - c:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 5624 bytes

  4. #4
    Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 29,374)

    Hi

    Unfortunately it didn't go right.

    Rename HijackThis.exe to didymustoo.exe by doing the following:

    • Navigate here using Windows Explorer (windows button + E) or My Computer -> Local Disk C: -> C:\Program Files\Trend Micro\HijackThis
    • Right-click on the HijackThis.exe
    • Choose from the pull-down menu: "Rename"
    • And now Rename HijackThis.exe to didymustoo.exe
    • When you've renamed HijackThis, open HijackThis again.
    • Take a fresh HijackThis log (click Do a system scan and save a log file)
    • Post the fresh HijackThis log here.

  5. #5
    Member (Join Date: Feb 2008, Posts: 41)

    Oops sorry! I only renamed the shortcut the first time. Duh! Here it is.

    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\atiptaxx.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\Program Files\Opera\Opera.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\PROGRAM FILES\LOGITECH\VIDEO\FXSVR2.EXE
    C:\WINDOWS\SYSTEM32\LVCOMSX.EXE
    C:\Program Files\Trend Micro\HijackThis\didymustoo.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    F3 - REG:win.ini: load=C:\WINDOWS\system32\oppop.exe
    F2 - REG:system.ini: UserInit=userinit.exe
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\FJW\Application Data\Mozilla\Profiles\default\brw22mi9.slt\prefs.js)
    O2 - BHO: (no name) - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {57CDE877-1115-4B40-8455-6D159A00CA36} - C:\WINDOWS\system32\oppop.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
    O2 - BHO: {6ac86db7-7385-301b-c404-be1d10e3c93c} - {c39c3e01-d1eb-404c-b103-58377bd68ca6} - C:\WINDOWS\system32\pohwibin.dll
    O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\wvuurpq.dll (file missing)
    O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file)
    O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [d422d49c] rundll32.exe "C:\WINDOWS\system32\eyhltecu.dll",b
    O4 - HKLM\..\Run: [BMd711e700] Rundll32.exe "C:\WINDOWS\system32\iijfonay.dll",s
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Search - ?p=ZJfox000
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {03A0F84E-3E69-4B3E-B4D3-019CB73B57B3} (AuthWebWizardMain.DHTMLPage1) - http://www3.authentium.com/cssrelease/bin/WizMain.exe
    O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-36.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} (MLauncherNew Class) - http://legendofares.netgame.com/down...auncherNew.cab
    O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - http://us.mcafee.com/Apps/WSC/en-us/...cannerCtrl.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...trol_v1-32.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...92/mcfscan.cab
    O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\
    O20 - Winlogon Notify: wvuurpq - wvuurpq.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - c:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 6638 bytes
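
The log above, taken with the scanner renamed to didymustoo.exe, lists O2 (BHO) and O20 (Winlogon Notify) entries that neither of the earlier logs showed while the binary was still called HijackThis.exe. The Python below is an added example, not part of this thread and not HijackThis code: it parses two HijackThis 2.x logs, lists the entries that appear only in the renamed run, and flags the patterns visible in this thread (rundll32 loading an eight-letter random DLL name through a one-letter export, a file name with whitespace before .exe such as "ctfmon .exe", unnamed or GUID-named BHOs backed by a file, Winlogon Notify packages that are missing or not a DLL, and a populated win.ini load=). The two sample logs are excerpts assembled from the logs posted in this thread; the regular expressions and flag reasons are my own heuristics, not rules from any tool.

```python
"""Triage helper for HijackThis 2.x logs: diff two scans and flag the autostart
patterns seen in this thread. Added example; heuristics are the author's own."""
import re

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # scan lines such as "O4 - HKLM\..\Run: ..."
PROC = re.compile(r"^[A-Za-z]:\\")              # "Running processes" lines (bare paths)
# rundll32 loading an eight-lowercase-letter DLL through a one-letter export name.
RANDOM_DLL = re.compile(r'(?i:rundll32\.exe)\s+"?[^",]*\\[a-z]{8}\.dll"?,\s*[a-z]\s*$')
# Whitespace wedged between base name and extension ("ctfmon .exe" beside the real ctfmon.exe).
SPACED_EXT = re.compile(r"\S\s+\.(?:exe|dll|cpl)\b", re.IGNORECASE)

# Constructed sample input: excerpts assembled from the logs posted in this thread.
LOG_AS_HIJACKTHIS = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F3 - REG:win.ini: load=C:\WINDOWS\system32\oppop.exe
O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [d422d49c] rundll32.exe "C:\WINDOWS\system32\eyhltecu.dll",b
O4 - HKLM\..\Run: [BMd711e700] Rundll32.exe "C:\WINDOWS\system32\iijfonay.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

LOG_RENAMED = r"""
Running processes:
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\Trend Micro\HijackThis\didymustoo.exe

F3 - REG:win.ini: load=C:\WINDOWS\system32\oppop.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {57CDE877-1115-4B40-8455-6D159A00CA36} - C:\WINDOWS\system32\oppop.dll
O2 - BHO: {6ac86db7-7385-301b-c404-be1d10e3c93c} - {c39c3e01-d1eb-404c-b103-58377bd68ca6} - C:\WINDOWS\system32\pohwibin.dll
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\wvuurpq.dll (file missing)
O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [d422d49c] rundll32.exe "C:\WINDOWS\system32\eyhltecu.dll",b
O4 - HKLM\..\Run: [BMd711e700] Rundll32.exe "C:\WINDOWS\system32\iijfonay.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\
O20 - Winlogon Notify: wvuurpq - wvuurpq.dll (file missing)
"""


def parse_hjt(text):
    """Return [(kind, body)]: scan entries keyed by section (O2, O4, ...), processes as 'PROC'."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
        elif PROC.match(line):
            entries.append(("PROC", line))
    return entries


def hidden_entries(log_as_hijackthis, log_renamed):
    """Scan entries present only in the run made under a different executable name.
    Process-list lines are skipped; they change between runs for ordinary reasons."""
    seen = set(parse_hjt(log_as_hijackthis))
    return [(k, b) for k, b in parse_hjt(log_renamed) if k != "PROC" and (k, b) not in seen]


def flag_entry(kind, body):
    """Reason string if the entry matches one of the thread's patterns, else None."""
    if kind == "O4" and RANDOM_DLL.search(body):
        return "rundll32 loads a random-named DLL through a one-letter export"
    if SPACED_EXT.search(body):
        return "whitespace before the extension (name mimics a system binary)"
    if kind in ("O2", "O3"):
        parts = body.split(" - ", 2)  # "BHO: name - {CLSID} - path"
        if len(parts) == 3:
            name, path = parts[0].split(": ", 1)[-1], parts[2]
            if (name == "(no name)" or name.startswith("{")) and path != "(no file)":
                return "unnamed or GUID-named browser extension backed by a file"
    if kind == "O20":
        target = body.split(" - ", 1)[-1]  # "Winlogon Notify: name - target"
        if "(file missing)" in target or not target.lower().endswith(".dll"):
            return "Winlogon Notify package missing or not a DLL"
    if kind == "F3" and re.search(r"load=\S", body):
        return "legacy win.ini load= autostart is populated"
    return None


def triage(text):
    """[(kind, reason, body)] for every flagged entry in one log."""
    flagged = []
    for kind, body in parse_hjt(text):
        reason = flag_entry(kind, body)
        if reason:
            flagged.append((kind, reason, body))
    return flagged


if __name__ == "__main__":
    print("Entries visible only under the renamed scanner:")
    for kind, body in hidden_entries(LOG_AS_HIJACKTHIS, LOG_RENAMED):
        print(f"  {kind} - {body}")
    print("Flagged entries in the renamed-scanner log:")
    for kind, reason, body in triage(LOG_RENAMED):
        print(f"  [{kind}] {reason}: {body}")
```

Run stand-alone, the diff lists six lines: all four O2 entries, including the legitimate Spybot BHO, plus both O20 entries. That is the useful observation: the whole O2 and O20 sections were absent from the scans made as HijackThis.exe, so the diff shows what was suppressed and the flagging pass then separates the unnamed and random-named entries from the legitimate one. The same whitespace check applies to the ComboFix listing later in the thread ("NeroCheck .exe", "qttask    .exe"). A random-looking name is a lead to verify against the file's hash, signer and creation time, not a verdict on its own.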

  6. #6
    Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 29,374)

    Hi

    Yes, now it's better.

    Is this up-to-date?

    O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - c:\Program Files\Common Files\Command Software\dvpapi.exe

    1. Download combofix from any of these links and save it to Desktop:
    Link 1
    Link 2
    Link 3

    **Note: It is important that it is saved directly to your desktop**

    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    Combofix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
    If that happened we want to know, and also what process you had to end.

    If you have problems with Combofix usage, see here

    Post:

    - a fresh HijackThis log
    - combofix report

  7. #7
    Member (Join Date: Feb 2008, Posts: 41)

    The HJT version I used was downloaded two days ago when I made my first post.

    Here is the combofix log. Note I had to break it into two posts to fit.

    ComboFix 08-02-19.2 - fjw 2008-02-19 8:43:24.1 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.678 [GMT -6:00]
    Running from: C:\Documents and Settings\fjw\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\guard.tmp
    C:\Documents and Settings\fjw\Application Data\ICROSO~1
    C:\Documents and Settings\fjw\Application Data\macromedia\Flash Player\#SharedObjects\K7BXFSVM\www.broadcaster.com
    C:\Documents and Settings\fjw\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
    C:\Documents and Settings\fjw\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
    C:\Program Files\winupdate
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\start.exe
    C:\WINDOWS\SYSTEM32\000070.exe
    C:\WINDOWS\SYSTEM32\000080.exe
    C:\WINDOWS\SYSTEM32\akferhlk.ini
    C:\WINDOWS\system32\asgtxevg.dll
    C:\WINDOWS\system32\bvmivvlm.dll
    C:\WINDOWS\system32\cfwyjgkd.dll
    C:\WINDOWS\system32\cqmmbeyu.dll
    C:\WINDOWS\system32\ctfmon.exe.tmp
    C:\WINDOWS\system32\cunbxjyh.dll
    C:\WINDOWS\system32\dawlrvkx.dll
    C:\WINDOWS\system32\dhlytgul.dll
    C:\WINDOWS\SYSTEM32\druamxel.ini
    C:\WINDOWS\SYSTEM32\dryvguvn.ini
    C:\WINDOWS\SYSTEM32\ebafspdw.ini
    C:\WINDOWS\system32\ehvhsute.dll
    C:\WINDOWS\system32\enipjeie.dll
    C:\WINDOWS\system32\epmuqjre.dll
    C:\WINDOWS\system32\eyhltecu.dll
    C:\WINDOWS\system32\fgvgeoyw.dll
    C:\WINDOWS\system32\gqktdkul.dll
    C:\WINDOWS\SYSTEM32\gyqgrkyn.ini
    C:\WINDOWS\system32\htjqefbw.dll
    C:\WINDOWS\SYSTEM32\hwdxwbsn.ini
    C:\WINDOWS\SYSTEM32\hxqtkrje.ini
    C:\WINDOWS\system32\hyuluxek.dll
    C:\WINDOWS\system32\ibnxcxsu.dll
    C:\WINDOWS\system32\ifrobeor.dll
    C:\WINDOWS\SYSTEM32\iijcpufg.ini
    C:\WINDOWS\system32\iijfonay.dll
    C:\WINDOWS\system32\infidjge.dll
    C:\WINDOWS\SYSTEM32\jbtgrwlq.ini
    C:\WINDOWS\system32\jikklstw.dll
    C:\WINDOWS\system32\jjfyafpe.dll
    C:\WINDOWS\system32\jopiwaiu.dll
    C:\WINDOWS\system32\kaynflju.dll
    C:\WINDOWS\system32\kgqfyeng.dll
    C:\WINDOWS\system32\kpiygyod.dll
    C:\WINDOWS\SYSTEM32\ledbbvnc.ini
    C:\WINDOWS\system32\lexmaurd.dll
    C:\WINDOWS\SYSTEM32\lgxvyhov.ini
    C:\WINDOWS\system32\lixxmeks.dll
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\mrjtduel.dll
    C:\WINDOWS\SYSTEM32\mrynfgiy.ini
    C:\WINDOWS\system32\nmrheveg.dll
    C:\WINDOWS\SYSTEM32\noiqhjda.ini
    C:\WINDOWS\system32\nojhboue.dll
    C:\WINDOWS\system32\nsbwxdwh.dll
    C:\WINDOWS\system32\okgterca.dll
    C:\WINDOWS\system32\omfsyygy.dll
    C:\WINDOWS\system32\onxlwkmd.dll
    C:\WINDOWS\system32\oppop.dll
    C:\WINDOWS\system32\oppop.exe
    C:\WINDOWS\system32\pohwibin.dll
    C:\WINDOWS\SYSTEM32\poppo.ini
    C:\WINDOWS\SYSTEM32\poppo.ini2
    C:\WINDOWS\system32\pvmfdxkx.dll
    C:\WINDOWS\system32\qogdaoim.dll
    C:\WINDOWS\SYSTEM32\qtvaitnp.ini
    C:\WINDOWS\system32\qvkdjrrn.dll
    C:\WINDOWS\system32\qwlbrbhh.dll
    C:\WINDOWS\system32\RCXD.tmp
    C:\WINDOWS\system32\rdjrctnw.dll
    C:\WINDOWS\system32\rplvmnnr.dll
    C:\WINDOWS\system32\rsapyvfp.dll
    C:\WINDOWS\system32\rvckajue.dll
    C:\WINDOWS\system32\sqhaxkas.dll
    C:\WINDOWS\system32\thvdfbkm.dll
    C:\WINDOWS\SYSTEM32\ucetlhye.ini
    C:\WINDOWS\system32\uguedion.dll
    C:\WINDOWS\SYSTEM32\uiawipoj.ini
    C:\WINDOWS\system32\uwjxnmwa.dll
    C:\WINDOWS\SYSTEM32\valgnqxf.ini
    C:\WINDOWS\system32\vaubnybh.dll
    C:\WINDOWS\system32\vkcnjxyt.dll
    C:\WINDOWS\system32\vmckrlyo.dll
    C:\WINDOWS\system32\vohyvxgl.dll
    C:\WINDOWS\system32\xcyeawxw.dll
    C:\WINDOWS\system32\xebrdxtv.dll
    C:\WINDOWS\SYSTEM32\xkxdfmvp.ini
    C:\WINDOWS\SYSTEM32\xqacmxny.ini
    C:\WINDOWS\system32\xqpvyafu.dll
    C:\WINDOWS\system32\ycariooq.dll
    C:\WINDOWS\system32\yhdnkuln.dll
    C:\WINDOWS\system32\yltfcxlb.dll
    C:\WINDOWS\winsysupd71.dat

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_WINDOWS_OVERLAY_COMPONENTS


    ((((((((((((((((((((((((( Files Created from 2008-01-19 to 2008-02-19 )))))))))))))))))))))))))))))))
    .

    2008-02-18 07:19 . 2008-02-18 07:19 <DIR> d--hs---- C:\FOUND.000
    2008-02-17 13:13 . 2008-02-18 13:14 2,034,575 ---hs---- C:\WINDOWS\SYSTEM32\oxyfjhwa.ini
    2008-02-16 21:09 . 2008-02-16 21:09 <DIR> d-------- C:\Program Files\Trend Micro
    2008-02-16 14:48 . 2008-02-16 14:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-02-16 14:47 . 2008-02-16 14:47 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
    2008-02-16 09:10 . 2008-02-17 13:11 2,396,761 ---hs---- C:\WINDOWS\SYSTEM32\kahindwu.ini
    2008-02-15 09:04 . 2008-02-18 13:10 6,014 --a------ C:\WINDOWS\BMd711e700.xml
    2008-02-15 09:04 . 2008-02-19 07:11 22 --a------ C:\WINDOWS\pskt.ini
    2008-02-15 08:33 . 2008-02-15 08:33 <DIR> d-------- C:\mGame
    2008-02-14 09:14 . 2008-02-15 07:22 1,944,987 ---hs---- C:\WINDOWS\SYSTEM32\tpkoyoea.ini
    2008-02-14 09:11 . 2008-02-14 09:12 2,061,204 ---hs---- C:\WINDOWS\SYSTEM32\jpiqejvx.ini
    2008-02-13 09:11 . 2008-02-14 07:12 2,507,492 ---hs---- C:\WINDOWS\SYSTEM32\tqhttets.ini
    2008-02-13 09:08 . 2008-02-13 09:08 2,140,513 ---hs---- C:\WINDOWS\SYSTEM32\pprijqhf.ini
    2008-02-12 09:11 . 2008-02-13 07:05 2,107,305 ---hs---- C:\WINDOWS\SYSTEM32\gxgjmrhb.ini
    2008-02-12 09:08 . 2008-02-12 09:08 2,119,031 ---hs---- C:\WINDOWS\SYSTEM32\chwxhmmf.ini
    2008-02-11 09:11 . 2008-02-12 07:11 2,075,362 ---hs---- C:\WINDOWS\SYSTEM32\xpdbncvm.ini
    2008-02-11 09:08 . 2008-02-11 09:09 2,092,109 ---hs---- C:\WINDOWS\SYSTEM32\xooaomjm.ini
    2008-02-10 09:10 . 2008-02-11 07:06 2,088,273 ---hs---- C:\WINDOWS\SYSTEM32\vsrrdylm.ini
    2008-02-10 09:07 . 2008-02-10 09:08 2,090,475 ---hs---- C:\WINDOWS\SYSTEM32\cirueasx.ini
    2008-02-09 09:09 . 2008-02-10 06:44 2,092,776 ---hs---- C:\WINDOWS\SYSTEM32\kltgfybn.ini
    2008-02-09 09:06 . 2008-02-09 09:07 2,095,002 ---hs---- C:\WINDOWS\SYSTEM32\ofxflobj.ini
    2008-02-08 09:12 . 2008-02-09 07:37 2,094,453 ---hs---- C:\WINDOWS\SYSTEM32\lkgjgnxy.ini
    2008-02-08 09:06 . 2008-02-08 09:06 2,098,133 ---hs---- C:\WINDOWS\SYSTEM32\xotboipg.ini
    2008-02-07 18:15 . 2008-02-07 18:15 67 --a------ C:\WINDOWS\101_ASB.INI
    2008-02-07 18:14 . 2008-02-07 18:14 <DIR> d-------- C:\DISNEY
    2008-02-07 09:11 . 2008-02-08 07:12 2,075,018 ---hs---- C:\WINDOWS\SYSTEM32\oufrpeds.ini
    2008-02-07 09:05 . 2008-02-07 09:05 2,077,268 ---hs---- C:\WINDOWS\SYSTEM32\xgqyrpni.ini
    2008-02-06 09:04 . 2008-02-07 09:04 2,080,720 ---hs---- C:\WINDOWS\SYSTEM32\tytemlnm.ini
    2008-02-05 09:08 . 2008-02-06 08:46 2,059,879 ---hs---- C:\WINDOWS\SYSTEM32\lujpuouu.ini
    2008-02-05 09:02 . 2008-02-05 09:04 2,061,632 ---hs---- C:\WINDOWS\SYSTEM32\puculuhy.ini
    2008-02-03 20:39 . 2008-02-05 08:57 2,058,177 ---hs---- C:\WINDOWS\SYSTEM32\btvxjnce.ini
    2008-02-03 20:33 . 2008-02-03 20:33 2,054,401 ---hs---- C:\WINDOWS\SYSTEM32\koxuytol.ini
    2008-02-02 21:39 . 2008-02-02 21:39 <DIR> d-------- C:\Documents and Settings\fjw\DoctorWeb
    2008-01-31 22:34 . 2008-01-31 22:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-01-31 20:34 . 2008-02-03 07:10 2,082,396 ---hs---- C:\WINDOWS\SYSTEM32\jinvuulv.ini
    2008-01-31 20:31 . 2008-01-31 20:32 1,959,292 ---hs---- C:\WINDOWS\SYSTEM32\rewjlbep.ini
    2008-01-31 07:49 . 2008-01-31 18:00 2,004,858 ---hs---- C:\WINDOWS\SYSTEM32\nkgudkqh.ini
    2008-01-31 07:43 . 2008-01-31 07:47 2,053,516 ---hs---- C:\WINDOWS\SYSTEM32\ytytwepr.ini
    2008-01-30 07:35 . 2008-01-31 07:42 2,095,133 ---hs---- C:\WINDOWS\SYSTEM32\oognqwkq.ini
    2008-01-25 16:27 . 2008-01-25 16:27 110 --a------ C:\WINDOWS\HandySnap.INI
    2008-01-22 22:01 . 2008-01-22 22:01 <DIR> d-------- C:\OutputFolder
    2008-01-22 21:59 . 2008-01-22 21:59 <DIR> d-------- C:\Program Files\FLV to AVI MPEG WMV 3GP MP4 iPod Converter

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-17 19:10 15,360 ----a-w C:\WINDOWS\SYSTEM32\ctfmon .exe
    2008-01-16 14:39 186,000 ----a-w C:\Documents and Settings\fjw\Application Data\GDIPFONTCACHEV1.DAT
    2008-01-14 13:49 155,648 ----a-w C:\WINDOWS\SYSTEM32\NeroCheck .exe
    2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\SYSTEM32\dllcache\pngfilt.dll
    2007-12-26 05:07 8,413 ----a-w C:\WINDOWS\system32\drivers\mcstrm.sys
    2007-12-26 05:07 --------- d-----w C:\Program Files\Common Files\Real
    2007-12-26 05:03 --------- d-----w C:\Program Files\Best Buy Rhapsody
    2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dxtmsft.dll
    2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mrxdav.sys
    2007-12-14 17:32 12,632 ----a-w C:\WINDOWS\SYSTEM32\lsdelete.exe
    2007-12-08 05:21 3,592,192 ------w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
    2007-12-06 11:01 625,664 ------w C:\WINDOWS\SYSTEM32\dllcache\iexplore.exe
    2007-12-06 11:00 70,656 ------w C:\WINDOWS\SYSTEM32\dllcache\ie4uinit.exe
    2007-12-06 11:00 13,824 ------w C:\WINDOWS\SYSTEM32\dllcache\ieudinit.exe
    2007-12-06 04:59 161,792 ------w C:\WINDOWS\SYSTEM32\dllcache\ieakui.dll
    2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\SYSTEM32\dllcache\oleaut32.dll
    2007-12-04 18:38 550,912 ------w C:\WINDOWS\SYSTEM32\oleaut32.dll
    2006-12-23 16:04 32 ----a-r C:\Documents and Settings\All Users\hash.dat
    2006-01-11 02:13 159,312 ----a-w C:\Documents and Settings\Jeremy\Application Data\GDIPFONTCACHEV1.DAT
    2005-04-04 22:23 0 ---h--w C:\Program Files\AppUpdate.log
    2004-09-21 20:07 86,016 ----a-w C:\Program Files\SPInstall.exe
    2004-09-21 16:54 975 ----a-w C:\Program Files\ReadMe.txt
    2004-09-21 16:05 1,841 ----a-w C:\Program Files\PackingList.txt
    2004-09-21 15:36 908 ----a-w C:\Program Files\Setup.ini
    2004-09-21 15:36 19,443,744 ----a-w C:\Program Files\Data1.cab
    2004-09-21 15:36 1,591,952 ----a-w C:\Program Files\SundayPlus.msi
    2004-09-21 15:35 225,280 ----a-w C:\Program Files\SPSetupHelper.exe
    2004-09-15 02:35 49,152 ----a-w C:\Program Files\EnglishUI.dll
    2004-04-23 00:02 560 ----a-w C:\Program Files\Global.sw
    2004-01-10 02:34 266 --sh--w C:\Program Files\desktop.ini
    2003-02-25 15:04 4,632 ----a-w C:\Program Files\0x0409.ini
    2006-03-27 03:50 3,766 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
    2006-03-27 03:50 88 --sh--r C:\WINDOWS\SYSTEM32\D4B12B0226.sys
    .
    Code:
    <pre>
    ----a-w           155,648 2008-01-14 13:49:00  C:\WINDOWS\SYSTEM32\NeroCheck .exe
    ----a-w            15,360 2008-02-17 19:10:12  C:\WINDOWS\SYSTEM32\ctfmon .exe
    ----a-w           158,208 2008-02-17 03:04:04  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
    ----a-w           649,728 2008-01-14 22:45:12  C:\Program Files\QuickTime\qttask    .exe
    ----a-w           649,728 2008-01-15 05:18:12  C:\Program Files\QuickTime\qttask     .exe
    ----a-w           649,728 2008-01-15 13:34:46  C:\Program Files\QuickTime\qttask      .exe
    ----a-w           649,728 2008-01-16 04:01:32  C:\Program Files\QuickTime\qttask       .exe
    ----a-w           649,728 2008-01-16 13:52:08  C:\Program Files\QuickTime\qttask        .exe
    ----a-w           649,728 2008-01-17 13:34:58  C:\Program Files\QuickTime\qttask         .exe
    ----a-w           282,624 2008-01-17 13:35:46  C:\Program Files\QuickTime\qttask          .exe
    ----a-w         1,235,456 2008-01-15 05:18:08  C:\Program Files\FolderShare\FolderShare     .exe
    ----a-w         1,235,456 2008-01-15 13:34:42  C:\Program Files\FolderShare\FolderShare      .exe
    ----a-w         1,235,456 2008-01-16 04:01:30  C:\Program Files\FolderShare\FolderShare       .exe
    ----a-w         1,235,456 2008-01-16 13:52:06  C:\Program Files\FolderShare\FolderShare        .exe
    ----a-w         1,235,456 2008-01-17 13:34:56  C:\Program Files\FolderShare\FolderShare         .exe
    ----a-w         1,235,456 2008-01-18 13:01:00  C:\Program Files\FolderShare\FolderShare          .exe
    ----a-w         1,235,456 2008-01-19 05:28:52  C:\Program Files\FolderShare\FolderShare           .exe
    ----a-w         1,235,456 2008-01-19 14:49:44  C:\Program Files\FolderShare\FolderShare            .exe
    ----a-w         1,235,456 2008-01-19 22:07:26  C:\Program Files\FolderShare\FolderShare             .exe
    ----a-w         1,235,456 2008-01-20 13:05:32  C:\Program Files\FolderShare\FolderShare              .exe
    ----a-w         1,235,456 2008-01-21 00:57:40  C:\Program Files\FolderShare\FolderShare               .exe
    ----a-w         1,235,456 2008-01-21 13:45:58  C:\Program Files\FolderShare\FolderShare                .exe
    ----a-w         1,235,456 2008-01-22 13:30:02  C:\Program Files\FolderShare\FolderShare                 .exe
    ----a-w         1,235,456 2008-01-24 13:23:50  C:\Program Files\FolderShare\FolderShare                  .exe
    ----a-w         1,235,456 2008-01-25 13:12:52  C:\Program Files\FolderShare\FolderShare                   .exe
    ----a-w         1,235,456 2008-01-26 14:00:48  C:\Program Files\FolderShare\FolderShare                    .exe
    ----a-w         1,235,456 2008-01-27 13:10:08  C:\Program Files\FolderShare\FolderShare                     .exe
    ----a-w         1,235,456 2008-01-28 00:02:38  C:\Program Files\FolderShare\FolderShare                      .exe
    ----a-w         1,235,456 2008-01-29 13:21:38  C:\Program Files\FolderShare\FolderShare                       .exe
    ----a-w         1,235,456 2008-01-30 13:26:08  C:\Program Files\FolderShare\FolderShare                        .exe
    ----a-w         1,235,456 2008-01-30 15:22:54  C:\Program Files\FolderShare\FolderShare                         .exe
    ----a-w         1,235,456 2008-01-30 16:10:46  C:\Program Files\FolderShare\FolderShare                          .exe
    ----a-w         1,235,456 2008-01-31 12:52:42  C:\Program Files\FolderShare\FolderShare                           .exe
    ----a-w         1,235,456 2008-01-31 13:46:00  C:\Program Files\FolderShare\FolderShare                            .exe
    ----a-w         1,235,456 2008-02-01 04:46:42  C:\Program Files\FolderShare\FolderShare                             .exe
    ----a-w         1,235,456 2008-02-01 13:14:42  C:\Program Files\FolderShare\FolderShare                              .exe
    ----a-w         1,235,456 2008-02-02 13:54:24  C:\Program Files\FolderShare\FolderShare                               .exe
    ----a-w         1,235,456 2008-02-02 16:06:34  C:\Program Files\FolderShare\FolderShare                                .exe
    ----a-w         1,235,456 2008-02-02 23:20:48  C:\Program Files\FolderShare\FolderShare                                 .exe
    ----a-w         1,235,456 2008-02-03 00:33:20  C:\Program Files\FolderShare\FolderShare                                  .exe
    ----a-w         1,235,456 2008-02-03 03:53:04  C:\Program Files\FolderShare\FolderShare                                   .exe
    ----a-w         1,235,456 2008-02-03 13:09:24  C:\Program Files\FolderShare\FolderShare                                    .exe
    ----a-w         1,235,456 2008-02-04 13:50:12  C:\Program Files\FolderShare\FolderShare                                     .exe
    ----a-w         1,235,456 2008-02-05 14:56:58  C:\Program Files\FolderShare\FolderShare                                      .exe
    ----a-w         1,235,456 2008-02-05 18:28:32  C:\Program Files\FolderShare\FolderShare                                       .exe
    ----a-w         1,235,456 2008-02-06 14:46:12  C:\Program Files\FolderShare\FolderShare                                        .exe
    ----a-w         1,235,456 2008-02-06 16:40:16  C:\Program Files\FolderShare\FolderShare                                         .exe
    ----a-w         1,235,456 2008-02-06 17:39:54  C:\Program Files\FolderShare\FolderShare                                          .exe
    ----a-w         1,235,456 2008-02-07 13:29:04  C:\Program Files\FolderShare\FolderShare                                           .exe
    ----a-w         1,235,456 2008-02-08 13:12:16  C:\Program Files\FolderShare\FolderShare                                            .exe
    ----a-w         1,235,456 2008-02-09 13:36:42  C:\Program Files\FolderShare\FolderShare                                             .exe
    ----a-w         1,235,456 2008-02-10 12:43:56  C:\Program Files\FolderShare\FolderShare                                              .exe
    ----a-w         1,235,456 2008-02-11 13:05:44  C:\Program Files\FolderShare\FolderShare                                               .exe
    ----a-w         1,235,456 2008-02-12 13:11:24  C:\Program Files\FolderShare\FolderShare                                                .exe
    ----a-w         1,235,456 2008-02-13 13:05:02  C:\Program Files\FolderShare\FolderShare                                                 .exe
    ----a-w         1,235,456 2008-02-14 01:54:00  C:\Program Files\FolderShare\FolderShare                                                  .exe
    ----a-w         1,235,456 2008-02-14 13:11:14  C:\Program Files\FolderShare\FolderShare                                                   .exe
    ----a-w         1,235,456 2008-02-15 13:22:34  C:\Program Files\FolderShare\FolderShare                                                    .exe
    ----a-w         1,235,456 2008-02-16 14:04:36  C:\Program Files\FolderShare\FolderShare                                                     .exe
    ----a-w         1,235,456 2008-02-16 16:48:18  C:\Program Files\FolderShare\FolderShare                                                      .exe
    ----a-w         1,235,456 2008-02-16 19:32:28  C:\Program Files\FolderShare\FolderShare                                                       .exe
    ----a-w         1,235,456 2008-02-16 20:49:34  C:\Program Files\FolderShare\FolderShare                                                        .exe
    ----a-w         1,743,360 2008-01-14 22:45:08  C:\Program Files\TGTSoft\StyleXP\StyleXP .exe
    ----a-w         1,372,160 2008-01-17 13:35:48  C:\Program Files\TGTSoft\StyleXP\StyleXP  .exe
    ----a-w         1,694,208 2008-02-14 00:24:30  C:\Program Files\Messenger\msmsgs .exe
    </pre>

  8. #8
    Member
    Join Date
    Feb 2008
    Posts
    41

    Default

    Section two of combofix log:


    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
    @={7D688A77-C613-11D0-999B-00C04FD655E1}

    [HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
    2007-10-25 21:34 8460288 --a------ C:\WINDOWS\SYSTEM32\SHELL32.DLL

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:07 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 16:22 7618560]
    "nwiz"="nwiz.exe" [2006-06-01 16:22 1519616 C:\WINDOWS\SYSTEM32\nwiz.exe]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-06-01 16:22 86016]
    "Tweak UI"="TWEAKUI.CPL" [2000-06-18 14:03 106544 C:\WINDOWS\SYSTEM32\TWEAKUI.CPL]
    "ATIPTA"="atiptaxx.exe" [2001-09-27 01:39 245760 C:\WINDOWS\SYSTEM32\atiptaxx.exe]

    C:\Documents and Settings\fjw\Start Menu\Programs\Startup\
    Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2007-01-08 21:22:17 2746104]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "<NO NAME>"= 00000000
    "NoFavoritesMenu"= 01000000
    "NoLogoff"= 0 (0x0)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "<NO NAME>"= 00000000
    "NoFavoritesMenu"= 01000000
    "NoActiveDesktopChanges"= 0 (0x0)
    "NoLogoff"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuurpq]
    wvuurpq.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Corel MEDIA FOLDERS INDEXER 8.LNK]
    backup=C:\WINDOWS\pss\Corel MEDIA FOLDERS INDEXER 8.LNKCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Encoder Agent.lnk]
    backup=C:\WINDOWS\pss\Encoder Agent.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Cody^Start Menu^Programs^Startup^LimeWire On Startup.lnk]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
    --a------ 2001-09-27 01:39 245760 C:\WINDOWS\SYSTEM32\atiptaxx.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AuthConsoleStart]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\d422d49c]
    C:\WINDOWS\system32\ynxmcaqx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DesktopIconToy]
    --a------ 2006-10-26 21:03 278528 C:\Program Files\Desktop Icon Toy\DesktopIconToy.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ESP]
    --a------ 2006-07-30 12:09 63008 C:\Program Files\Cox\Applications\app\start.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FolderShare]
    --a------ 2008-02-16 14:49 1235456 C:\Program Files\FolderShare\FolderShare .exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    --a------ 2004-09-13 15:49 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
    --a------ 2003-03-26 05:34 172032 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    --a------ 2005-06-10 10:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    --a------ 2005-06-10 10:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    C:\WINDOWS\system32\dumprep 0 -k

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogonStudio]
    C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaGateway]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mobipocket Reader Notifications]
    --a------ 2006-06-20 16:54 57344 C:\Program Files\Mobipocket.com\Mobipocket Reader\readernotify.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --a------ 2008-02-13 18:24 2226688 C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-01-17 07:35 282624 C:\Program Files\QuickTime\qttask .exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    --a------ 2008-02-16 14:49 2441216 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StarSkin]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STYLEXP]
    --a------ 2008-01-17 07:35 1372160 C:\Program Files\TGTSoft\StyleXP\StyleXP .exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TheMonitor]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    --a------ 2007-05-14 17:22 35328 C:\Program Files\Winamp\winampa.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winupdate]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "UPS"=3 (0x3)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "msnmsgr"="C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    "LogitechSoftwareUpdate"="C:\PROGRAM FILES\LOGITECH\VIDEO\MANIFESTENGINE.EXE" boot

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
    "Tweak UI"=RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    "SiS Tray"=C:\WINDOWS\SYSTEM32\sistray.exe
    "StillImageMonitor"=C:\WINDOWS\SYSTEM32\stimon.exe

    R2 ppsio2;PPDevice;C:\WINDOWS\system32\drivers\ppsio2.sys [1999-04-01 19:16]
    R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2001-09-27 00:32]
    S3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys [2001-08-17 12:11]
    S3 dump_wmimmc;dump_wmimmc;C:\Program Files\Gpotato\Flyff\GameGuard\dump_wmimmc.sys []
    S3 PhilCam8116;Logitech QuickCam Pro 3000 (08B0);C:\WINDOWS\system32\DRIVERS\CamDrO21.sys [2001-08-17 14:05]
    S3 XDva090;XDva090;C:\WINDOWS\system32\XDva090.sys []


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\MmoptPreferredAudioDevices]
    rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,@0,SUSB\VID_046D&PID_08B0&MI_01\1USB&VID_046D&PID_08B0&INST_0

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
    C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-19 08:53:06
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
    -> C:\Program Files\Stardock\ObjectDock\DockShellHook.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    c:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    .
    **************************************************************************
    .
    Completion time: 2008-02-19 8:55:00 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-02-19 14:54:58
    .
    2008-02-15 05:58:29 --- E O F ---

  9. #9
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    No, I mean Command Antivirus. Is it up-to-date?
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  10. #10
    Member
    Join Date
    Feb 2008
    Posts
    41

    Default

    Oops again! No, it probably is not.
