
Thread: I have a malware virus/trojan, Virtumonde (I'm pretty sure)

  1. #1
    Junior Member, Join Date: Feb 2008, Posts: 23

    I have a malware virus/trojan, Virtumonde (I'm pretty sure)

    Hello, what a blessing to have found this site! I have been trying for two weeks with Norton 360 and SpyBot S&D to rid myself of this trojan. I followed all directions and have both the Kaspersky Log and the HJT log. I believe I received this trojan by receiving an infected EXE file from BitTorrent. Shame on me. I'm going to attempt to paste the logs in the next two or more posts.

  2. #2
    Junior Member, Join Date: Feb 2008, Posts: 23

    HJT Log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:18:55 PM, on 2/18/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Dantz\Retrospect\retrorun.exe
    C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\WINDOWS\system32\WDBtnMgr.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\WINDOWS\system32\hphmon04.exe
    C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\WINDOWS\system32\HPHipm11.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
    C:\Program Files\TiVo\Desktop\TiVoServer.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
    O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
    O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [BMbf20e593] Rundll32.exe "C:\WINDOWS\system32\baihentp.dll",s
    O4 - HKLM\..\Run: [bc13d60f] rundll32.exe "C:\WINDOWS\system32\mwwsmkbl.dll",b
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
    O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
    O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://mail.rpmsfa.com/dwa7W.cab
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
    O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
    O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

    --
    End of file - 9484 bytes

  3. #3
    Junior Member, Join Date: Feb 2008, Posts: 23

    Kaspersky Log Part A

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Monday, February 18, 2008 4:47:45 PM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 18/02/2008
    Kaspersky Anti-Virus database records: 572476
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    Z:\

    Scan Statistics:
    Total number of scanned objects: 206800
    Number of viruses found: 10
    Number of infected objects: 95
    Number of suspicious objects: 0
    Duration of the scan process: 02:27:28

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\004F0B06.TMP Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\52B6B67A.TMP Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Wade\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Wade\Local Settings\Application Data\Identities\{4C26E1D0-E9CD-42DC-905B-545515F1B506}\Microsoft\Outlook Express\Ebay.dbx/[From "eBay Member: cosmicdust" <member@ebay.com>][Date Sun, 19 Jun 2005 12:17:14 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
    C:\Documents and Settings\Wade\Local Settings\Application Data\Identities\{4C26E1D0-E9CD-42DC-905B-545515F1B506}\Microsoft\Outlook Express\Ebay.dbx Mail MS Outlook 5: infected - 1 skipped
    C:\Documents and Settings\Wade\Local Settings\Application Data\Identities\{4C26E1D0-E9CD-42DC-905B-545515F1B506}\Microsoft\Outlook Express\Wade.dbx/[From "Berry, Wade" <wberry@tycoint.com>][Date Tue, 16 Jul 2002 17:55:59 -0400]/UNNAMED/setup.exe/klrudi.exe Infected: not-a-virus:Porn-Dialer.Win32.ALifeDialer skipped
    C:\Documents and Settings\Wade\Local Settings\Application Data\Identities\{4C26E1D0-E9CD-42DC-905B-545515F1B506}\Microsoft\Outlook Express\Wade.dbx/[From "Berry, Wade" <wberry@tycoint.com>][Date Tue, 16 Jul 2002 17:55:59 -0400]/UNNAMED/setup.exe Infected: not-a-virus:Porn-Dialer.Win32.ALifeDialer skipped
    C:\Documents and Settings\Wade\Local Settings\Application Data\Identities\{4C26E1D0-E9CD-42DC-905B-545515F1B506}\Microsoft\Outlook Express\Wade.dbx/[From "Berry, Wade" <wberry@tycoint.com>][Date Tue, 16 Jul 2002 17:55:59 -0400]/UNNAMED Infected: not-a-virus:Porn-Dialer.Win32.ALifeDialer skipped
    C:\Documents and Settings\Wade\Local Settings\Application Data\Identities\{4C26E1D0-E9CD-42DC-905B-545515F1B506}\Microsoft\Outlook Express\Wade.dbx Mail MS Outlook 5: infected - 3 skipped
    C:\Documents and Settings\Wade\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
    C:\Documents and Settings\Wade\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Wade\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Wade\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Wade\Local Settings\History\History.IE5\MSHist012008021820080219\index.dat Object is locked skipped
    C:\Documents and Settings\Wade\Local Settings\Temporary Internet Files\Content.IE5\2UBLSP7S\hctp[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\Documents and Settings\Wade\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Wade\Local Settings\Temporary Internet Files\Content.IE5\Q2O33D3T\css4[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\Documents and Settings\Wade\Local Settings\Temporary Internet Files\Content.IE5\W60DX5KB\ptch[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\Documents and Settings\Wade\My Documents\My Downloads\Adobe_Acrobat_Professional-8.10 Inc-Crack+Activation\Acrobat Pro 8.1.exe/data0000.cab/wr-1-922.exe Infected: Trojan-Downloader.Win32.Small.hsg skipped
    C:\Documents and Settings\Wade\My Documents\My Downloads\Adobe_Acrobat_Professional-8.10 Inc-Crack+Activation\Acrobat Pro 8.1.exe/data0000.cab/ACROBA~1.EXE/data0000.cab/is151287.exe Infected: Trojan-Downloader.Win32.Small.hwe skipped
    C:\Documents and Settings\Wade\My Documents\My Downloads\Adobe_Acrobat_Professional-8.10 Inc-Crack+Activation\Acrobat Pro 8.1.exe/data0000.cab/ACROBA~1.EXE/data0000.cab Infected: Trojan-Downloader.Win32.Small.hwe skipped
    C:\Documents and Settings\Wade\My Documents\My Downloads\Adobe_Acrobat_Professional-8.10 Inc-Crack+Activation\Acrobat Pro 8.1.exe/data0000.cab/ACROBA~1.EXE Infected: Trojan-Downloader.Win32.Small.hwe skipped
    C:\Documents and Settings\Wade\My Documents\My Downloads\Adobe_Acrobat_Professional-8.10 Inc-Crack+Activation\Acrobat Pro 8.1.exe/data0000.cab Infected: Trojan-Downloader.Win32.Small.hwe skipped
    C:\Documents and Settings\Wade\My Documents\My Downloads\Adobe_Acrobat_Professional-8.10 Inc-Crack+Activation\Acrobat Pro 8.1.exe Rsrc-Package: infected - 5 skipped
    C:\Documents and Settings\Wade\ntuser.dat Object is locked skipped
    C:\Documents and Settings\Wade\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWAD.dat Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWADMT.dat Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWAS.dat Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWAS.ldb Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
    C:\Program Files\Norton 360\Log\AutoProtect.log Object is locked skipped
    C:\Program Files\Norton 360\Log\AVContext.log Object is locked skipped
    C:\Program Files\Norton 360\Log\AVManual.log Object is locked skipped
    C:\Program Files\Norton 360\Log\Backup.log Object is locked skipped
    C:\Program Files\Norton 360\Log\CUInternetPageViewHistory.log Object is locked skipped
    C:\Program Files\Norton 360\Log\CUInternetSearchHistory.log Object is locked skipped
    C:\Program Files\Norton 360\Log\CUInternetTempFiles.log Object is locked skipped
    C:\Program Files\Norton 360\Log\CUWindowsTempFiles.log Object is locked skipped
    C:\Program Files\Norton 360\Log\EmailScan.log Object is locked skipped
    C:\Program Files\Norton 360\Log\InternetSecurity.log Object is locked skipped
    C:\Program Files\Norton 360\Log\ISIntrusionPrevented.log Object is locked skipped
    C:\Program Files\Norton 360\Log\ISIOTraffic.log Object is locked skipped
    C:\Program Files\Norton 360\Log\ISNewNetwork.log Object is locked skipped
    C:\Program Files\Norton 360\Log\LiveUpdate.log Object is locked skipped
    C:\Program Files\Norton 360\Log\NCO.log Object is locked skipped
    C:\Program Files\Norton 360\Log\VABrowserSettings.log Object is locked skipped
    C:\Program Files\Norton 360\Log\VAIPAddresses.log Object is locked skipped
    C:\Program Files\Norton 360\Log\VAWeakPasswords.log Object is locked skipped
    C:\Program Files\Norton 360\Log\WDFScanner.log Object is locked skipped

  4. #4
    Junior Member, Join Date: Feb 2008, Posts: 23

    Kaspersky Log Part B

    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP384\A0016638.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.edw skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP386\A0016674.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP389\A0016718.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP389\A0016885.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP389\A0016987.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP392\A0017063.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP392\A0017064.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP393\A0018130.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP393\A0018151.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP394\A0018225.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP395\A0018261.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP396\A0018310.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP396\A0018311.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP396\A0018312.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP396\A0018313.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP396\A0018314.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP396\A0018315.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP396\A0018316.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP396\A0018370.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP396\A0018371.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gip skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP398\A0019511.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.auj skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP398\A0019512.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP398\A0019513.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP398\A0019514.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP398\A0019515.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP398\A0019516.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP398\A0019517.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP398\A0019518.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP398\A0019519.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP400\A0019589.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP400\A0019668.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP401\A0019707.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP401\A0019868.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP402\A0019870.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP403\A0019889.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP403\A0020782.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP404\A0020869.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP404\A0020870.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP404\A0020871.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP404\A0020872.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP404\A0020874.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP405\A0021909.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP405\A0021910.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP407\A0022001.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP407\A0022002.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP408\A0022038.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP408\A0022039.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP408\A0022040.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP408\A0022041.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP408\A0022043.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.imh skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP408\A0022046.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.imh skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP408\A0022048.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.imh skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP410\A0022162.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP410\A0022191.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP410\A0022192.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP410\A0022193.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP410\A0022194.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP410\A0022200.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP412\A0022393.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP412\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{4F21A1AE-CEAB-4ABB-AFC8-A60C84666739}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\awtstrr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dro skipped
    C:\WINDOWS\system32\bbapggnv.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\drivers\etc\Hosts.bak Object is locked skipped
    C:\WINDOWS\system32\gpcsalct.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\ietathsa.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
    C:\WINDOWS\system32\pwxtoguu.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\qqnxlryx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\vtutt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\waljfavm.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\system32\wwvihppq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\Temp\JETC12F.tmp Object is locked skipped
    C:\WINDOWS\Temp\JETC1AC.tmp Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    C:\WINDOWS\{00000004-00000000-00000002-00001102-00000004-20061102}.CDF Object is locked skipped
    G:\Mirror Subvolume\Documents and Settings\Wade\Local Settings\Application Data\Identities\{4C26E1D0-E9CD-42DC-905B-545515F1B506}\Microsoft\Outlook Express\Ebay.dbx/[From "eBay Member: cosmicdust" <member@ebay.com>][Date Sun, 19 Jun 2005 12:17:14 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
    G:\Mirror Subvolume\Documents and Settings\Wade\Local Settings\Application Data\Identities\{4C26E1D0-E9CD-42DC-905B-545515F1B506}\Microsoft\Outlook Express\Ebay.dbx Mail MS Outlook 5: infected - 1 skipped
    G:\Mirror Subvolume\Documents and Settings\Wade\Local Settings\Application Data\Identities\{4C26E1D0-E9CD-42DC-905B-545515F1B506}\Microsoft\Outlook Express\Wade.dbx/[From "Berry, Wade" <wberry@tycoint.com>][Date Tue, 16 Jul 2002 17:55:59 -0400]/UNNAMED/setup.exe/klrudi.exe Infected: not-a-virus:Porn-Dialer.Win32.ALifeDialer skipped
    G:\Mirror Subvolume\Documents and Settings\Wade\Local Settings\Application Data\Identities\{4C26E1D0-E9CD-42DC-905B-545515F1B506}\Microsoft\Outlook Express\Wade.dbx/[From "Berry, Wade" <wberry@tycoint.com>][Date Tue, 16 Jul 2002 17:55:59 -0400]/UNNAMED/setup.exe Infected: not-a-virus:Porn-Dialer.Win32.ALifeDialer skipped
    G:\Mirror Subvolume\Documents and Settings\Wade\Local Settings\Application Data\Identities\{4C26E1D0-E9CD-42DC-905B-545515F1B506}\Microsoft\Outlook Express\Wade.dbx/[From "Berry, Wade" <wberry@tycoint.com>][Date Tue, 16 Jul 2002 17:55:59 -0400]/UNNAMED Infected: not-a-virus:Porn-Dialer.Win32.ALifeDialer skipped
    G:\Mirror Subvolume\Documents and Settings\Wade\Local Settings\Application Data\Identities\{4C26E1D0-E9CD-42DC-905B-545515F1B506}\Microsoft\Outlook Express\Wade.dbx Mail MS Outlook 5: infected - 3 skipped
    G:\N360_BACKUP\Drive_C\Documents and Settings\Wade\Local Settings\Application Data\Identities\{4C26E1D0-E9CD-42DC-905B-545515F1B506}\Microsoft\Outlook Express\Ebay.dbx/[From "eBay Member: cosmicdust" <member@ebay.com>][Date Sun, 19 Jun 2005 12:17:14 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
    G:\N360_BACKUP\Drive_C\Documents and Settings\Wade\Local Settings\Application Data\Identities\{4C26E1D0-E9CD-42DC-905B-545515F1B506}\Microsoft\Outlook Express\Ebay.dbx Mail MS Outlook 5: infected - 1 skipped
    G:\N360_BACKUP\Drive_C\Documents and Settings\Wade\Local Settings\Application Data\Identities\{4C26E1D0-E9CD-42DC-905B-545515F1B506}\Microsoft\Outlook Express\Wade.dbx/[From "Berry, Wade" <wberry@tycoint.com>][Date Tue, 16 Jul 2002 17:55:59 -0400]/UNNAMED/setup.exe/klrudi.exe Infected: not-a-virus:Porn-Dialer.Win32.ALifeDialer skipped
    G:\N360_BACKUP\Drive_C\Documents and Settings\Wade\Local Settings\Application Data\Identities\{4C26E1D0-E9CD-42DC-905B-545515F1B506}\Microsoft\Outlook Express\Wade.dbx/[From "Berry, Wade" <wberry@tycoint.com>][Date Tue, 16 Jul 2002 17:55:59 -0400]/UNNAMED/setup.exe Infected: not-a-virus:Porn-Dialer.Win32.ALifeDialer skipped
    G:\N360_BACKUP\Drive_C\Documents and Settings\Wade\Local Settings\Application Data\Identities\{4C26E1D0-E9CD-42DC-905B-545515F1B506}\Microsoft\Outlook Express\Wade.dbx/[From "Berry, Wade" <wberry@tycoint.com>][Date Tue, 16 Jul 2002 17:55:59 -0400]/UNNAMED Infected: not-a-virus:Porn-Dialer.Win32.ALifeDialer skipped
    G:\N360_BACKUP\Drive_C\Documents and Settings\Wade\Local Settings\Application Data\Identities\{4C26E1D0-E9CD-42DC-905B-545515F1B506}\Microsoft\Outlook Express\Wade.dbx Mail MS Outlook 5: infected - 3 skipped

    Scan process completed.

  5. #5
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi

    Navigate into the C:\Program Files\Trend Micro\HijackThis folder and rename the HijackThis.exe file to wadeaberry.exe. Post a fresh HJT log after the renaming is done.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  6. #6
    Junior Member
    Join Date
    Feb 2008
    Posts
    23

    Default thank you thank you thank you!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:48:54 PM, on 2/22/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Dantz\Retrospect\retrorun.exe
    C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\WINDOWS\system32\WDBtnMgr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\WINDOWS\system32\hphmon04.exe
    C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\HPHipm11.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
    C:\Program Files\TiVo\Desktop\TiVoServer.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\wadeaberry.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: (no name) - {033472AB-C75E-4AC8-981D-5EA28497E164} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {0C9C5C6E-DA28-4F37-89C4-2E30284562FB} - C:\WINDOWS\system32\geeby.dll (file missing)
    O2 - BHO: (no name) - {121CE289-1CC9-4630-B5B5-974D2B95C4BC} - (no file)
    O2 - BHO: (no name) - {13DB4BF2-12A4-4BED-A9C5-0D71E55C5CE2} - (no file)
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
    O2 - BHO: (no name) - {22CBF42A-F793-4404-8371-13FE4C2B4B5D} - (no file)
    O2 - BHO: DWABrowserHlprObj Class - {2709D830-B643-4e72-9A1E-701CFFFCF30C} - C:\WINDOWS\system32\dwabho.dll
    O2 - BHO: (no name) - {36BCB183-CCCE-4346-BB7F-3E0E01D36017} - (no file)
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
    O2 - BHO: {0b24e46e-7114-5088-7ce4-3a42fddad015} - {510daddf-24a3-4ec7-8805-4117e64e42b0} - C:\WINDOWS\system32\fjdpyapi.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {5EC255BE-3D33-4C99-B37C-47073D83AD8A} - (no file)
    O2 - BHO: (no name) - {69EA7AA4-E29C-490C-B029-FABF5B2DE9A0} - (no file)
    O2 - BHO: (no name) - {6A6781B4-3DBE-4A9A-95B3-CA561198F83D} - C:\WINDOWS\system32\vtsqr.dll (file missing)
    O2 - BHO: (no name) - {6D7BCFE4-7A65-46C5-AD64-E489E7651F66} - (no file)
    O2 - BHO: (no name) - {6E776592-7B14-4F2E-9AAE-5E40D12A5F6B} - C:\WINDOWS\system32\ssqpq.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {85354F3F-04B1-4FDE-8A62-938A77EB299E} - (no file)
    O2 - BHO: (no name) - {8CD034DD-E9AD-47D3-8689-51886345799C} - C:\WINDOWS\system32\awtstrr.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
    O2 - BHO: (no name) - {B407EF18-CF00-4243-A422-5296E30D7658} - (no file)
    O2 - BHO: (no name) - {B495F876-4719-4552-8B42-108D06EFDD37} - (no file)
    O2 - BHO: (no name) - {B51A8AA2-F27F-4A56-9769-491B1E80FB58} - (no file)
    O2 - BHO: (no name) - {B7109C48-773A-4472-B991-09A694331587} - C:\WINDOWS\system32\ddcyy.dll (file missing)
    O2 - BHO: (no name) - {BAF6489D-349D-458B-AFD8-92D6856F59F6} - C:\WINDOWS\system32\mljgg.dll
    O2 - BHO: (no name) - {C6605DA9-682B-4BCE-B36D-31F4C9AED2E2} - (no file)
    O2 - BHO: (no name) - {CCD6B05D-5281-4D66-92EC-89159B441BED} - C:\WINDOWS\system32\vtutu.dll (file missing)
    O2 - BHO: (no name) - {D2828FE5-6477-4EA6-B37C-1375A9AB0AEC} - (no file)
    O2 - BHO: (no name) - {E34AD678-BE8A-4930-BF73-FEF7A90FF70E} - (no file)
    O2 - BHO: (no name) - {EA3A28AA-C658-41F2-BF92-1DAC83133118} - C:\WINDOWS\system32\awvtu.dll (file missing)
    O2 - BHO: (no name) - {EE81C86D-7B10-41CC-AD41-78E46604F81F} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
    O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
    O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [BMbf20e593] Rundll32.exe "C:\WINDOWS\system32\baihentp.dll",s
    O4 - HKLM\..\Run: [bc13d60f] rundll32.exe "C:\WINDOWS\system32\mwwsmkbl.dll",b
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
    O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
    O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://mail.rpmsfa.com/dwa7W.cab
    O20 - Winlogon Notify: awtstrr - C:\WINDOWS\SYSTEM32\awtstrr.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
    O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
    O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

    --
    End of file - 12887 bytes
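
    The Kaspersky log and this HijackThis log between them carry the signals a helper reads off by hand: DLLs in system32 that Kaspersky flagged as Virtumonde, O2 BHO entries with "(no name)" or a bare GUID as their name pointing at random-looking DLLs (several already deleted and reported as "file missing"), two O4 Run entries that load such DLLs through rundll32, and an O20 Winlogon Notify handler that is the same awtstrr.dll Kaspersky detected. The script below is an added example, not code from this thread or from HijackThis, Kaspersky or ComboFix. It parses a handful of lines copied from the two logs (embedded as constructed samples), records every signal each file trips, skips the restore-point copies under System Volume Information, and pairs DLL stems with the reversed-spelling .ini/.ini2 names that the ComboFix deletion list later in the thread shows for this infection. The "5 to 8 lowercase letters" test for random names and the reason labels are this example's own triage heuristics, tuned to these logs; they are not any scanner's detection logic and NvCpl.dll and dwabho.dll are kept in the sample to show where a name-only test would misfire on its own.

```python
"""Vundo/Virtumonde triage over the Kaspersky and HijackThis logs in this thread.
Added example, not code from the thread or from the tools it names. Sample lines
are copied from the logs above; every scoring rule is this example's own heuristic."""
import re
from collections import defaultdict

# Constructed sample: a subset of lines from the Kaspersky online-scan log above.
KAV_LINES = r"""
C:\System Volume Information\_restore{E3C16646-C5CB-4E22-810C-2FC3FB85C95C}\RP412\A0022393.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\awtstrr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dro skipped
C:\WINDOWS\system32\vtutt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
""".strip().splitlines()

# Constructed sample: a subset of lines from the HijackThis log above.
HJT_LINES = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0C9C5C6E-DA28-4F37-89C4-2E30284562FB} - C:\WINDOWS\system32\geeby.dll (file missing)
O2 - BHO: (no name) - {121CE289-1CC9-4630-B5B5-974D2B95C4BC} - (no file)
O2 - BHO: DWABrowserHlprObj Class - {2709D830-B643-4e72-9A1E-701CFFFCF30C} - C:\WINDOWS\system32\dwabho.dll
O2 - BHO: {0b24e46e-7114-5088-7ce4-3a42fddad015} - {510daddf-24a3-4ec7-8805-4117e64e42b0} - C:\WINDOWS\system32\fjdpyapi.dll
O2 - BHO: (no name) - {8CD034DD-E9AD-47D3-8689-51886345799C} - C:\WINDOWS\system32\awtstrr.dll
O2 - BHO: (no name) - {BAF6489D-349D-458B-AFD8-92D6856F59F6} - C:\WINDOWS\system32\mljgg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BMbf20e593] Rundll32.exe "C:\WINDOWS\system32\baihentp.dll",s
O4 - HKLM\..\Run: [bc13d60f] rundll32.exe "C:\WINDOWS\system32\mwwsmkbl.dll",b
O20 - Winlogon Notify: awtstrr - C:\WINDOWS\SYSTEM32\awtstrr.dll
""".strip().splitlines()

KAV_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<sig>\S+) skipped$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]{36}\} - (?P<rest>.+)$")
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: \S+ - (?P<path>.+)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
DLL_RE = re.compile(r"[A-Za-z0-9_]+\.dll", re.IGNORECASE)
MISSING = " (file missing)"


def basename(path):
    return path.rsplit("\\", 1)[-1]


def looks_random(filename):
    """Heuristic: the dropped DLLs in these logs are 5-8 lowercase letters with no
    word in them. Name-only, so never act on it alone (dwabho.dll would pass)."""
    return re.fullmatch(r"[a-z]{5,8}", filename.rsplit(".", 1)[0]) is not None


def triage(kav_lines, hjt_lines):
    """Return {lower-cased file name: set of reasons} for files worth a closer look."""
    hits = defaultdict(set)
    for line in kav_lines:
        m = KAV_RE.match(line)
        if not m:
            continue  # "Object is locked" and other non-detections
        if "\\system volume information\\" in m["path"].lower():
            continue  # restore-point copies: handled by purging System Restore
        hits[basename(m["path"]).lower()].add("av:" + m["sig"])
    for line in hjt_lines:
        if m := O2_RE.match(line):
            anonymous = m["name"] == "(no name)" or GUID_RE.match(m["name"]) is not None
            if m["rest"] == "(no file)":
                continue  # orphaned CLSID, nothing on disk to remove
            missing = m["rest"].endswith(MISSING)
            fn = basename(m["rest"][: -len(MISSING)] if missing else m["rest"])
            if anonymous and (missing or looks_random(fn)):
                hits[fn.lower()].add("bho-anonymous")
                if missing:
                    hits[fn.lower()].add("bho-file-missing")
        elif m := O4_RE.match(line):
            if "rundll32" in m["cmd"].lower():
                for dll in DLL_RE.findall(m["cmd"]):
                    if looks_random(dll):  # NvCpl.dll keeps its case and is not flagged
                        hits[dll.lower()].add("run-rundll32:" + m["key"])
        elif m := O20_RE.match(line):
            fn = basename(m["path"])
            if looks_random(fn) or fn.lower() in hits:
                hits[fn.lower()].add("winlogon-notify")
    return dict(hits)


def reversed_ini_twins(dll_names, ini_names):
    """Map each DLL to the .ini/.ini2 stem that is its own stem spelled backwards,
    the pairing the ComboFix deletion list later in this thread shows for Vundo."""
    stems = {n.lower().rsplit(".", 1)[0] for n in ini_names}
    pairs = {}
    for dll in dll_names:
        stem = dll.lower().rsplit(".", 1)[0]
        if stem[::-1] in stems:
            pairs[dll.lower()] = stem[::-1]
    return pairs


if __name__ == "__main__":
    for fn, reasons in sorted(triage(KAV_LINES, HJT_LINES).items()):
        print(f"{fn:14} {', '.join(sorted(reasons))}")
    print(reversed_ini_twins(["vtutt.dll", "mljgg.dll", "geeby.dll"], ["ttutv.ini", "ggjlm.ini", "ybeeg.ini2"]))
```

    Run it with Python 3.8 or later. Files that trip more than one signal (awtstrr.dll: detected by Kaspersky, registered as a nameless BHO, and hooked into Winlogon Notify) are the ones a removal tool has to take out together with their loading points, which is why a plain file delete did not hold here; entries whose file is already missing only need their registry key cleaned.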

  7. #7
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi

    1. Download this file, combofix.exe, to your desktop.
    2. Double-click combofix.exe and follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

  8. #8
    Junior Member
    Join Date
    Feb 2008
    Posts
    23

    Default Here is the ComboFix Log

    ComboFix 08-02-23.2 - Wade 2008-02-23 8:45:23.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1484 [GMT -6:00]
    Running from: C:\Documents and Settings\Wade\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\apyoluoq.ini
    C:\WINDOWS\system32\awtstrr.dll
    C:\WINDOWS\system32\bbeeg.ini
    C:\WINDOWS\system32\bbeeg.ini2
    C:\WINDOWS\system32\bszip.dll
    C:\WINDOWS\system32\fparcuek.ini
    C:\WINDOWS\system32\geebb.dll
    C:\WINDOWS\system32\ggjlm.ini
    C:\WINDOWS\system32\ggjlm.ini2
    C:\WINDOWS\system32\ghyhaokh.ini
    C:\WINDOWS\system32\gjkkj.ini
    C:\WINDOWS\system32\gjkkj.ini2
    C:\WINDOWS\system32\gpcsalct.dll
    C:\WINDOWS\system32\hsvrutql.ini
    C:\WINDOWS\system32\ietathsa.dll
    C:\WINDOWS\system32\jkpnmgap.ini
    C:\WINDOWS\system32\jlnmp.ini
    C:\WINDOWS\system32\jlnmp.ini2
    C:\WINDOWS\system32\jpinqybc.ini
    C:\WINDOWS\system32\keucrapf.dll
    C:\WINDOWS\system32\kjkmp.ini
    C:\WINDOWS\system32\kjkmp.ini2
    C:\WINDOWS\system32\lbkmswwm.ini
    C:\WINDOWS\system32\lcnvxjev.ini
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\mgwlnfld.ini
    C:\WINDOWS\system32\mljgg.dll
    C:\WINDOWS\system32\mvafjlaw.ini
    C:\WINDOWS\system32\nirdtvot.ini
    C:\WINDOWS\system32\nuwelsdp.ini
    C:\WINDOWS\system32\pwxtoguu.dll
    C:\WINDOWS\system32\qpphivww.ini
    C:\WINDOWS\system32\qpqss.ini
    C:\WINDOWS\system32\qpqss.ini2
    C:\WINDOWS\system32\qrqss.ini
    C:\WINDOWS\system32\qrqss.ini2
    C:\WINDOWS\system32\rqstv.ini
    C:\WINDOWS\system32\rqstv.ini2
    C:\WINDOWS\system32\sabqkcbs.dll
    C:\WINDOWS\system32\ssqrphoq.ini
    C:\WINDOWS\system32\ttutv.ini
    C:\WINDOWS\system32\ttutv.ini2
    C:\WINDOWS\system32\ufsgaigc.ini
    C:\WINDOWS\system32\ututv.ini
    C:\WINDOWS\system32\ututv.ini2
    C:\WINDOWS\system32\utvwa.ini
    C:\WINDOWS\system32\utvwa.ini2
    C:\WINDOWS\system32\vceqoalw.ini
    C:\WINDOWS\system32\waljfavm.dll
    C:\WINDOWS\system32\windoqwd.ini
    C:\WINDOWS\system32\wwvihppq.dll
    C:\WINDOWS\system32\ybeeg.ini
    C:\WINDOWS\system32\ybeeg.ini2
    C:\WINDOWS\system32\yycdd.ini
    C:\WINDOWS\system32\yycdd.ini2
    G:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2008-01-23 to 2008-02-23 )))))))))))))))))))))))))))))))
    .

    2008-02-18 18:18 . 2008-02-22 17:47 <DIR> d-------- C:\Program Files\Trend Micro
    2008-02-18 12:28 . 2008-02-18 12:28 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-02-18 12:28 . 2008-02-18 12:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-02-18 12:15 . 2008-02-18 12:12 691,545 --a------ C:\WINDOWS\unins000.exe
    2008-02-18 12:15 . 2008-02-18 12:15 3,444 --a------ C:\WINDOWS\unins000.dat
    2008-02-14 19:44 . 2008-02-14 19:46 <DIR> d-------- C:\Documents and Settings\Anaise\Application Data\Creative
    2008-02-14 08:42 . 2008-02-14 11:41 354 --ahs---- C:\WINDOWS\system32\pmhohixn.ini
    2008-02-12 08:57 . 2008-02-12 08:57 2,443,359 --ahs---- C:\WINDOWS\system32\ygjqtdwf.ini
    2008-02-11 10:21 . 2008-02-11 10:21 1,158 --a------ C:\WINDOWS\mozver.dat
    2008-02-11 09:55 . 2008-02-11 09:55 <DIR> d-------- C:\Documents and Settings\Wade\Application Data\Talkback
    2008-02-11 09:55 . 2008-02-11 09:55 0 --a------ C:\WINDOWS\nsreg.dat
    2008-02-01 13:02 . 2008-02-02 13:02 354 --ahs---- C:\WINDOWS\system32\dljhvudb.ini
    2008-01-31 21:31 . 2008-01-31 21:32 354 --ahs---- C:\WINDOWS\system32\hxllfwxc.ini
    2008-01-31 20:31 . 2008-01-31 20:31 294 --ahs---- C:\WINDOWS\system32\trygfnji.ini
    2008-01-31 19:45 . 2008-01-30 19:47 414 --ahs---- C:\WINDOWS\system32\kvbwodho.ini
    2008-01-31 11:57 . 2008-01-30 15:56 294 --ahs---- C:\WINDOWS\system32\excfbeeh.ini
    2008-01-30 20:03 . 2008-01-31 11:50 294 --ahs---- C:\WINDOWS\system32\pscqewxh.ini
    2008-01-30 17:39 . 2008-01-29 17:41 294 --ahs---- C:\WINDOWS\system32\dvuhhtxe.ini
    2008-01-30 16:06 . 2008-01-31 19:44 354 --ahs---- C:\WINDOWS\system32\trtphpva.ini
    2008-01-30 16:06 . 2008-01-30 16:06 294 --ahs---- C:\WINDOWS\system32\excfbeeh.tmp
    2008-01-30 08:27 . 2008-02-18 12:17 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-01-30 08:27 . 2008-02-18 12:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-01-30 07:02 . 2008-01-30 07:02 294 --ahs---- C:\WINDOWS\system32\qrqjgtsy.ini
    2008-01-29 20:51 . 2008-01-29 23:08 294 --ahs---- C:\WINDOWS\system32\jcdmwtbt.ini
    2008-01-29 17:53 . 2008-01-29 17:54 354 --ahs---- C:\WINDOWS\system32\enqowbme.ini
    2008-01-29 13:28 . 2008-02-23 08:55 31,056 --a------ C:\WINDOWS\system32\BMXStateBkp-{00000004-00000000-00000002-00001102-00000004-20061102}.rfx
    2008-01-29 13:28 . 2008-02-23 08:55 31,056 --a------ C:\WINDOWS\system32\BMXState-{00000004-00000000-00000002-00001102-00000004-20061102}.rfx
    2008-01-29 13:28 . 2008-02-23 08:55 30,528 --a------ C:\WINDOWS\system32\BMXCtrlState-{00000004-00000000-00000002-00001102-00000004-20061102}.rfx
    2008-01-29 13:28 . 2008-02-23 08:55 30,528 --a------ C:\WINDOWS\system32\BMXBkpCtrlState-{00000004-00000000-00000002-00001102-00000004-20061102}.rfx
    2008-01-29 13:28 . 2008-02-23 08:56 2,148 --a------ C:\WINDOWS\system32\wpa.dbl
    2008-01-29 13:28 . 2008-02-23 08:55 384 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000004-00000000-00000002-00001102-00000004-20061102}.dat
    2008-01-29 13:28 . 2008-02-23 08:55 384 --a------ C:\WINDOWS\system32\DVCState-{00000004-00000000-00000002-00001102-00000004-20061102}.dat
    2008-01-29 12:56 . 2008-02-08 11:35 22 --a------ C:\WINDOWS\pskt.ini
    2008-01-24 13:58 . 2008-01-24 13:58 <DIR> d-------- C:\Program Files\UnH Solutions

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-23 14:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2008-02-13 23:27 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-02-04 16:54 --------- d-----w C:\Program Files\Norton 360
    2008-01-19 16:12 --------- d-----w C:\Documents and Settings\Wade\Application Data\LimeWire
    2008-01-15 15:54 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
    2008-01-15 11:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
    2008-01-13 00:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
    2007-12-14 23:15 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
    2007-11-28 11:09 83,440 ----a-w C:\WINDOWS\system32\dwabho.dll
    2007-11-10 02:10 58,728 ----a-w C:\WINDOWS\Fonts\scriptina.zip
    2007-11-10 02:10 27,040 ----a-w C:\WINDOWS\Fonts\brankovic.zip
    2007-11-10 02:10 18,062 ----a-w C:\WINDOWS\Fonts\cheri.zip
    2002-05-20 13:19 61,440 ----a-w C:\WINDOWS\inf\i386\onetUSD.dll
    2002-05-16 13:22 36,864 ----a-w C:\WINDOWS\inf\i386\Vizmicro.dll
    2002-05-16 13:21 286,720 ----a-w C:\WINDOWS\inf\i386\rtscan.dll
    2002-05-16 13:20 172,032 ----a-w C:\WINDOWS\inf\i386\viceo.dll
    2001-08-03 23:29 13,824 ----a-w C:\WINDOWS\inf\i386\Usbscan.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C9C5C6E-DA28-4F37-89C4-2E30284562FB}]
    C:\WINDOWS\system32\geeby.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A6781B4-3DBE-4A9A-95B3-CA561198F83D}]
    C:\WINDOWS\system32\vtsqr.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6E776592-7B14-4F2E-9AAE-5E40D12A5F6B}]
    C:\WINDOWS\system32\ssqpq.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B7109C48-773A-4472-B991-09A694331587}]
    C:\WINDOWS\system32\ddcyy.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CCD6B05D-5281-4D66-92EC-89159B441BED}]
    C:\WINDOWS\system32\vtutu.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA3A28AA-C658-41F2-BF92-1DAC83133118}]
    C:\WINDOWS\system32\awvtu.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-14 19:55 68856]
    "TivoTransfer"="C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" [2007-08-06 10:12 1192960]
    "TivoServer"="C:\Program Files\TiVo\Desktop\TiVoServer.exe" [2007-08-06 10:14 1492480]
    "Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23 102400]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 09:43 57344]
    "CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 00:00 45056]
    "CTHelper"="CTHELPER.EXE" [2004-03-10 19:50 28672 C:\WINDOWS\system32\CTHELPER.EXE]
    "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00 90112]
    "WD Button Manager"="WDBtnMgr.exe" [2007-04-10 20:37 335872 C:\WINDOWS\system32\WDBtnMgr.exe]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-11-11 16:11 4612096]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-22 13:49 188416]
    "HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" [2002-11-22 13:48 348160]
    "HPHUPD04"="C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [2002-11-22 13:50 49152]
    "OneTouch Monitor"="C:\Program Files\Visioneer OneTouch\OneTouchMon.exe" [2002-05-20 07:17 86016]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 00:05 122939]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 00:01 110592]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
    "NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [2001-07-09 04:50 155648]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 23:59 115816]
    "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30 517768]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42 267064]
    "BMbf20e593"="C:\WINDOWS\system32\baihentp.dll" [ ]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
    backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bc13d60f]
    C:\WINDOWS\system32\wylahnty.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMbf20e593]
    C:\WINDOWS\system32\baihentp.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --------- 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-06-29 05:24 286720 C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    --a------ 2007-07-14 19:55 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
    "TivoNotify"="C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "bc13d60f"=rundll32.exe "C:\WINDOWS\system32\wylahnty.dll",b
    "SetIcon"=\Program Files\WDC\SetIcon.exe
    "BMbf20e593"=Rundll32.exe "C:\WINDOWS\system32\baihentp.dll",s

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"= %windir%\\system32\\sessmgr.exe:@xpsp2res.dll,-22019
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"= %windir%\\Network Diagnostic\\xpnetdiag.exe:@xpsp3res.dll,-20000
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "41793:TCP"= 41793:TCP:Gnutella OUT
    "41793:UDP"= 41793:UDP:Gnutella IN
    "23688:TCP"= 23688:TCP:BitComet 23688 TCP
    "23688:UDP"= 23688:UDP:BitComet 23688 UDP

    R2 TivoBeacon2;TiVo Beacon;"C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe" [2007-08-06 10:12]

    *Newly Created Service* - COMHOST
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-02-19 13:37:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-02-23 14:56:32 C:\WINDOWS\Tasks\HP Usg Daily.job"
    - C:\Program Files\hp photosmart 11\printer\Hphusg04.exe
    "2008-02-23 14:56:33 C:\WINDOWS\Tasks\HP Usg Login.job"
    - C:\Program Files\hp photosmart 11\printer\Hphusg04.exe
    "2008-01-29 18:56:41 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
    - C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-23 08:57:10
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Dantz\Retrospect\retrorun.exe
    C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
    C:\WINDOWS\system32\HPHipm11.exe
    .
    **************************************************************************
    .
    Completion time: 2008-02-23 9:03:35 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-02-23 15:03:33
    .
    2008-01-24 16:04:04 --- E O F ---

  9. #9
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi


    Disable Spybot's TeaTimer
    • Run Spybot-S&D in Advanced Mode
    • If it is not already set to do this, go to the Mode menu and select Advanced Mode
    • On the left hand side, click on Tools
    • Then click on the Resident icon in the list
    • Uncheck Resident TeaTimer and OK any prompts.
    • Restart your computer



    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    File::
    C:\WINDOWS\system32\pmhohixn.ini
    C:\WINDOWS\system32\ygjqtdwf.ini
    C:\WINDOWS\system32\dljhvudb.ini
    C:\WINDOWS\system32\hxllfwxc.ini
    C:\WINDOWS\system32\trygfnji.ini
    C:\WINDOWS\system32\kvbwodho.ini
    C:\WINDOWS\system32\excfbeeh.ini
    C:\WINDOWS\system32\pscqewxh.ini
    C:\WINDOWS\system32\dvuhhtxe.ini
    C:\WINDOWS\system32\trtphpva.ini
    C:\WINDOWS\system32\excfbeeh.tmp
    C:\WINDOWS\system32\qrqjgtsy.ini
    C:\WINDOWS\system32\jcdmwtbt.ini
    C:\WINDOWS\system32\enqowbme.ini
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C9C5C6E-DA28-4F37-89C4-2E30284562FB}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A6781B4-3DBE-4A9A-95B3-CA561198F83D}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6E776592-7B14-4F2E-9AAE-5E40D12A5F6B}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B7109C48-773A-4472-B991-09A694331587}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CCD6B05D-5281-4D66-92EC-89159B441BED}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA3A28AA-C658-41F2-BF92-1DAC83133118}]
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BMbf20e593"=-
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bc13d60f]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMbf20e593]
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "bc13d60f"=-
    "BMbf20e593"=-

    Save this as CFScript




    Referring to the picture above, drag CFScript into ComboFix.exe


    Combofix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
    If that happened we want to know, and also what process you had to end.


    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    If you use Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    If you use Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.


    Run Kaspersky online scanner and post back its report, combofix log and a fresh hjt log.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems, create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.
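The CFScript above removes two Run-key entries ("bc13d60f" and "BMbf20e593") that both point at eight-letter DLLs in system32, one of them with no file metadata ("[ ]") and both loaded through rundll32. As an added example that is not part of the thread and not a ComboFix or HijackThis tool, the Python script below parses a Run-key listing in ComboFix's format, flags entries showing those traits, and then checks that a CFScript's Registry:: section actually covers every flagged entry, so nothing is left out when the script is assembled. The sample listing and CFScript fragment are constructed (shaped like the log and script above, with the hostile entries reproduced), and the heuristics are assumptions drawn from what those entries look like, not a published detection rule.

```python
"""Triage helper for ComboFix-style Run-key listings (added example)."""
import re

# Constructed sample in the shape of the ComboFix log above. A trailing
# "[ ]" means ComboFix found no file metadata for the target.
SAMPLE_RUN_LISTING = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2004-03-10 19:50 28672 C:\WINDOWS\system32\CTHELPER.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-11-11 16:11 4612096]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 23:59 115816]
"BMbf20e593"="C:\WINDOWS\system32\baihentp.dll" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"bc13d60f"=rundll32.exe "C:\WINDOWS\system32\wylahnty.dll",b
"SetIcon"=\Program Files\WDC\SetIcon.exe
"BMbf20e593"=Rundll32.exe "C:\WINDOWS\system32\baihentp.dll",s
"""

# Constructed CFScript fragment in the same format as the one posted above.
SAMPLE_CFSCRIPT = r"""
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BMbf20e593"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"bc13d60f"=-
"BMbf20e593"=-
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"=value, optionally followed by ComboFix's " [date time size ...]" block.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.*?)(?:\s\[(?P<meta>[^\]]*)\])?$')
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\[\],]+?\.(?:dll|exe)", re.IGNORECASE)


def parse_listing(text):
    """Yield (key, value name, value data, metadata-or-None) tuples."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        k = KEY_RE.match(line)
        if k:
            key = k.group("key")
            continue
        v = VALUE_RE.match(line)
        if v and key:
            entries.append((key, v.group("name"), v.group("val"), v.group("meta")))
    return entries


def _indicators(name, val, meta):
    """Heuristics (assumptions) modelled on the two entries the CFScript removes."""
    reasons = []
    if meta is not None and not meta.strip():
        reasons.append("no file metadata ([ ])")
    if val.lower().startswith("rundll32.exe"):
        reasons.append("DLL loaded via rundll32")
    m = PATH_RE.search(val) or (PATH_RE.search(meta) if meta else None)
    path = m.group(0) if m else None
    if path:
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if "system32" in path.lower() and re.fullmatch(r"[a-z]{8}", stem):
            reasons.append("random-looking 8-letter name in system32")
    if re.fullmatch(r"(?:BM)?[0-9a-f]{8}", name):
        reasons.append("hex-style value name")
    return path, reasons


def suspicious_entries(text):
    """Return the Run-key entries that trip at least one indicator."""
    out = []
    for key, name, val, meta in parse_listing(text):
        path, reasons = _indicators(name, val, meta)
        if reasons:
            out.append({"key": key, "name": name, "path": path, "reasons": reasons})
    return out


def cfscript_removals(script):
    """Parse Registry:: lines: '[-KEY]' deletes a key, '"name"=-' deletes a value."""
    removed_keys, removed_values, key, in_registry = set(), set(), None, False
    for line in script.splitlines():
        line = line.strip()
        if line.endswith("::"):
            in_registry = line == "Registry::"
            continue
        if not in_registry:
            continue
        k = KEY_RE.match(line)
        if k:
            key = k.group("key").lstrip("-").lower()
            if k.group("key").startswith("-"):
                removed_keys.add(key)
            continue
        v = VALUE_RE.match(line)
        if v and key and v.group("val") == "-":
            removed_values.add((key, v.group("name")))
    return removed_keys, removed_values


def uncovered_entries(listing, script):
    """Flagged entries the CFScript would leave in place (should be empty)."""
    removed_keys, removed_values = cfscript_removals(script)
    return [e for e in suspicious_entries(listing)
            if e["key"].lower() not in removed_keys
            and (e["key"].lower(), e["name"]) not in removed_values]


if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_RUN_LISTING):
        print(e["name"], e["path"], "; ".join(e["reasons"]))
    print("uncovered:", uncovered_entries(SAMPLE_RUN_LISTING, SAMPLE_CFSCRIPT))
```

Run against a real ComboFix log, the output is a checklist to compare with the CFScript before dragging it onto ComboFix.exe; an entry in the "uncovered" list means the script would remove some of the autostart entries but leave one behind to reload the DLL on the next boot.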

  10. #10
    Junior Member
    Join Date
    Feb 2008
    Posts
    23

    Default OK, Will do

    Shall I also disable Norton 360? In addition to the Fresh HJT and Kaspersky logs, should the ComboFix log be fresh (I'm assuming so, but you weren't specific)?
