Page 1 of 2 12 LastLast
Results 1 to 10 of 17

Thread: Virtumonde remove

  1. 2008-12-04, 15:48 #1
    kroki
    kroki is offline
    Junior Member
    Join Date
    Dec 2008
    Posts
    8

    Unhappy Virtumonde remove

    Hi,
    I've been battling a virtumonde infection on my computer,for the last few days,and I don't know what can I do,to remove this malware.Please help me,and best regards for all Spy team.
    My HJT log
    **************
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:37:24 PM, on 12/4/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Google\Gmail Notifier\gnotify.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\Program Files\Winamp\winamp.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn2\yt.dll
    R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn2\yt.dll
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"
    O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [FreeCall] "c:\program files\freecall.com\freecall\freecall.exe" -nosplash -minimized
    O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport în Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JavaSoft\JRE\1.3.1_18\bin\npjava131_18.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JavaSoft\JRE\1.3.1_18\bin\npjava131_18.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://www.straja.ro/plugin/h263ctrl.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe (file missing)

    --
    End of file - 6911 bytes
  2. 2008-12-06, 11:52 #2
    Shaba
    Shaba is offline
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi kroki

    Rename HijackThis.exe to kroki.exe and post back a fresh HijackThis log, please
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
  3. 2008-12-07, 14:45 #3
    kroki
    kroki is offline
    Junior Member
    Join Date
    Dec 2008
    Posts
    8

    Default

    Hi Shaba!
    My new kroki.exe log file:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:39:20 PM, on 12/7/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\uTorrent\uTorrent.exe
    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn2\yt.dll
    R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn2\yt.dll
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [FreeCall] "c:\program files\freecall.com\freecall\freecall.exe" -nosplash -minimized
    O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport în Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JavaSoft\JRE\1.3.1_18\bin\npjava131_18.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JavaSoft\JRE\1.3.1_18\bin\npjava131_18.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://www.straja.ro/plugin/h263ctrl.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe (file missing)

    --
    End of file - 6616 bytes
  4. 2008-12-07, 15:02 #4
    Shaba
    Shaba is offline
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Unfortunately it didn't go right:

    Rename HijackThis.exe to kroki.exe by doing the following;

    • Navigate here using Windows Explorer (windows button + E) or My Computer -> Local Disk C: -> C:\Program Files\Trend Micro\HijackThis
    • Right-click on the HijackThis.exe
    • Choose from the pull-down menu; "Rename"
    • And now Rename HijackThis.exe to kroki.exe
    • When you've renamed HijackThis, open HijackThis again.
    • Take a fresh HijackThis log (click Do a system scan and save a log file)
    • Post the fresh HijackThis log here.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
  5. 2008-12-08, 10:54 #5
    kroki
    kroki is offline
    Junior Member
    Join Date
    Dec 2008
    Posts
    8

    Default Sorry

    Hi Shaba!
    Sorry for that incorect rename.Now I do it how you show.I hope is correct.Thanks again.
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:46:11 AM, on 12/8/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\uTorrent\uTorrent.exe
    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\kroki.exe.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn2\yt.dll
    R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: (no name) - {33177AB2-E1B3-4196-834A-A9101584578B} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: (no name) - {A4FBCAB7-6563-46DD-BB41-4776A3CE868A} - C:\WINDOWS\system32\xxyawuRK.dll
    O2 - BHO: (no name) - {EDDE9FA4-12A9-4952-B254-514F0BDF16C8} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn2\yt.dll
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [FreeCall] "c:\program files\freecall.com\freecall\freecall.exe" -nosplash -minimized
    O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport în Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JavaSoft\JRE\1.3.1_18\bin\npjava131_18.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JavaSoft\JRE\1.3.1_18\bin\npjava131_18.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://www.straja.ro/plugin/h263ctrl.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: wvUmjIby - wvUmjIby.dll (file missing)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe (file missing)

    --
    End of file - 7612 bytes


    All the best for you!
  6. 2008-12-08, 11:56 #6
    Shaba
    Shaba is offline
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Yes now it is correct

    We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    * Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

    This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
  7. 2008-12-08, 15:49 #7
    kroki
    kroki is offline
    Junior Member
    Join Date
    Dec 2008
    Posts
    8

    Default The new log

    Hi Shaba!

    After hard work,I made it,well this is the ComboFix log file:
    ComboFix 08-12-07.01 - Istvan 2008-12-08 16:26:56.1 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.223 [GMT 2:00]
    Running from: c:\documents and settings\Istvan\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\KRuwayxx.ini
    c:\windows\system32\KRuwayxx.ini2
    c:\windows\system32\mcrh.tmp
    c:\windows\system32\xxyawuRK.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-11-08 to 2008-12-08 )))))))))))))))))))))))))))))))
    .

    2008-12-04 15:51 . 2008-12-04 15:51 <DIR> d-------- c:\program files\Trend Micro
    2008-12-03 12:19 . 2008-12-03 12:19 <DIR> d-------- c:\program files\Runtime Software
    2008-12-03 12:19 . 2008-12-03 12:19 <DIR> d-------- c:\documents and settings\Istvan\WINDOWS
    2008-12-03 12:19 . 1999-03-23 10:12 299,520 --a------ c:\windows\uninst.exe
    2008-11-29 14:34 . 2008-11-29 14:34 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2008-11-26 17:29 . 2004-08-04 03:07 13,463,552 --a------ c:\windows\system32\dllcache\hwxjpn.dll
    2008-11-26 17:28 . 2004-08-04 03:07 1,677,824 --a------ c:\windows\system32\dllcache\chsbrkr.dll
    2008-11-26 17:27 . 2004-08-04 03:07 2,134,528 --a------ c:\windows\system32\dllcache\smtpsnap.dll
    2008-11-26 17:24 . 2008-11-26 17:24 488 -rah----- c:\windows\system32\logonui.exe.manifest
    2008-11-26 17:23 . 2008-11-26 17:23 749 -rah----- c:\windows\WindowsShell.Manifest
    2008-11-26 17:23 . 2008-11-26 17:23 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest
    2008-11-26 17:23 . 2008-11-26 17:23 749 -rah----- c:\windows\system32\sapi.cpl.manifest
    2008-11-26 17:23 . 2008-11-26 17:23 749 -rah----- c:\windows\system32\nwc.cpl.manifest
    2008-11-26 17:23 . 2008-11-26 17:23 749 -rah----- c:\windows\system32\ncpa.cpl.manifest
    2008-11-26 17:21 . 2004-08-04 03:07 65,978 --a------ c:\windows\Soap Bubbles.bmp
    2008-11-26 17:21 . 2004-08-04 03:07 65,954 --a------ c:\windows\Prairie Wind.bmp
    2008-11-26 17:21 . 2004-08-04 03:07 65,832 --a------ c:\windows\Santa Fe Stucco.bmp
    2008-11-26 17:21 . 2004-08-04 03:07 26,680 --a------ c:\windows\River Sumida.bmp
    2008-11-26 17:21 . 2004-08-04 03:07 26,582 --a------ c:\windows\Greenstone.bmp
    2008-11-26 17:21 . 2004-08-04 03:07 17,362 --a------ c:\windows\Rhododendron.bmp
    2008-11-26 17:21 . 2004-08-04 03:07 17,336 --a------ c:\windows\Gone Fishing.bmp
    2008-11-26 17:21 . 2004-08-04 03:07 16,730 --a------ c:\windows\FeatherTexture.bmp
    2008-11-26 17:10 . 2008-11-26 17:10 <DIR> d--hs---- C:\FOUND.002
    2008-11-26 17:03 . 2004-08-04 03:07 1,086,058 -ra------ c:\windows\SETA2.tmp
    2008-11-26 17:03 . 2004-08-04 03:07 1,042,903 -ra------ c:\windows\SET9F.tmp
    2008-11-26 17:03 . 2004-08-04 03:07 24,661 --a------ c:\windows\system32\spxcoins.dll
    2008-11-26 17:03 . 2004-08-04 03:07 13,753 -ra------ c:\windows\SETAE.tmp
    2008-11-26 17:03 . 2004-08-04 03:07 13,312 --a------ c:\windows\system32\irclass.dll
    2008-11-26 17:03 . 2004-08-04 03:07 13,312 --a------ c:\windows\system32\dllcache\irclass.dll
    2008-11-25 18:29 . 2008-11-25 18:29 <DIR> d-------- c:\documents and settings\Istvan\Application Data\CyberLink
    2008-11-25 18:29 . 2008-11-25 18:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\CyberLink
    2008-11-25 18:28 . 2008-11-26 12:40 29,480 --a------ c:\windows\system32\msxml3a.dll
    2008-11-25 18:26 . 2008-11-25 18:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Temp
    2008-11-25 13:32 . 2008-11-25 18:37 21,840 --a------ c:\windows\system32\SIntfNT.dll
    2008-11-25 13:32 . 2008-11-25 18:37 17,212 --a------ c:\windows\system32\SIntf32.dll
    2008-11-25 13:32 . 2008-11-25 18:37 12,067 --a------ c:\windows\system32\SIntf16.dll
    2008-11-25 13:10 . 2008-11-25 13:10 <DIR> d-------- c:\program files\DAEMON Tools Lite
    2008-11-25 13:06 . 2008-11-25 13:06 <DIR> d-------- c:\documents and settings\Istvan\Application Data\DAEMON Tools
    2008-11-25 13:06 . 2008-11-25 13:06 717,296 --a------ c:\windows\system32\drivers\sptd.sys
    2008-11-16 17:31 . 2008-11-16 17:31 <DIR> d-------- c:\documents and settings\Istvan\Application Data\InstallShield Installation Information

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-03 10:07 29,392 ----a-w c:\windows\system32\drivers\secdrv.sys
    2008-11-26 15:39 3,416 ----a-w c:\windows\system32\PerfStringBackup.TMP
    2008-09-28 17:01 98,304 ----a-w c:\windows\system32\qttask.exe
    2008-03-23 10:35 27,600 ----a-w c:\documents and settings\Istvan\Application Data\GDIPFONTCACHEV1.DAT
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    "Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
    "{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
    "RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-01-13 69632]
    "RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-01-13 757760]
    "RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-01-09 253952]
    "YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
    "QuickTime Task"="c:\windows\system32\qttask.exe" [2008-09-28 98304]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.yv12"= c:\progra~1\ACEMEG~1\SystemS\ATI\atiyuv12.DLL
    "vidc.iyuv"= c:\progra~1\ACEMEG~1\SystemS\Intel\iyuv_32.dll
    "vidc.yvu9"= c:\progra~1\ACEMEG~1\SystemS\Intel\Iyvu9_32.dll
    "vidc.uyvy"= c:\progra~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
    "vidc.yuy2"= c:\progra~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
    "vidc.yvyu"= c:\progra~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
    "vidc.xvid"= xvid.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\BCDC++\\DCPlusPlus.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\BitSpirit\\BitSpirit.exe"=
    "c:\\Program Files\\Java\\j2re1.4.1_01\\BIN\\JAVAW.EXE"=
    "d:\\jocuri\\MOoHa\\mohaa on 192.168.0.100\\moh_Breakthrough_server.exe"=
    "d:\\jocuri\\MOoHa\\mohaa on 192.168.0.100\\moh_spearhead.exe"=
    "d:\\jocuri\\MOoHa\\mohaa on 192.168.0.100\\GH.exe"=
    "c:\\Program Files\\PCTV4Me\\PCTV4Me.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "d:\\jocuri\\MOoHa\\mohaa on 192.168.0.100\\MOHAA_server.exe"=

    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-01 111184]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-04-01 20560]
    S3 S3SAVAGE4M;S3SAVAGE4M;c:\windows\system32\DRIVERS\s3sav4m.sys [2006-08-30 77824]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{33177AB2-E1B3-4196-834A-A9101584578B} - (no file)
    BHO-{A4FBCAB7-6563-46DD-BB41-4776A3CE868A} - c:\windows\system32\xxyawuRK.dll
    BHO-{EDDE9FA4-12A9-4952-B254-514F0BDF16C8} - (no file)
    HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
    HKCU-Run-FreeCall - c:\program files\freecall.com\freecall\freecall.exe
    HKLM-Run-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
    Notify-WgaLogon - (no file)
    Notify-wvUmjIby - wvUmjIby.dll


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/?.home=ytie
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    IE: E&xport în Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    IE: ÓñÈÌؾ«ÁéÏÂÔØ(&B)
    FireFox -: Profile - c:\documents and settings\Istvan\Application Data\Mozilla\Firefox\Profiles\j2cu89wx.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
    FF -: plugin - c:\progra~1\YAHOO!\COMMON\npyaxmpb.dll
    FF -: plugin - c:\program files\ACE Mega CoDecS Pack\SystemS\RealMedia\Browser\plugins\nppl3260.dll
    FF -: plugin - c:\program files\ACE Mega CoDecS Pack\SystemS\RealMedia\Browser\plugins\nprpjplug.dll
    FF -: plugin - c:\program files\Java\j2re1.4.1_01\bin\NPJava11.dll
    FF -: plugin - c:\program files\Java\j2re1.4.1_01\bin\NPJava12.dll
    FF -: plugin - c:\program files\Java\j2re1.4.1_01\bin\NPJava13.dll
    FF -: plugin - c:\program files\Java\j2re1.4.1_01\bin\NPJava32.dll
    FF -: plugin - c:\program files\Java\j2re1.4.1_01\bin\NPJPI141_01.dll
    FF -: plugin - c:\program files\Java\j2re1.4.1_01\bin\NPOJI610.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPBOARDS.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\npclntax_ZangoSA.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPJava11.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPJava12.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPJava131_18.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPJava32.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\npJoostPlugin.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\npoji600.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\npvlc.dll
    FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-08 16:33:15
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(660)
    c:\windows\system32\Ati2evxx.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\SYSTEM32\ATI2EVXX.EXE
    c:\program files\ALWIL SOFTWARE\AVAST4\ASWUPDSV.EXE
    c:\program files\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
    c:\windows\SYSTEM32\ATI2EVXX.EXE
    c:\windows\SYSTEM32\WSCNTFY.EXE
    c:\program files\ALWIL SOFTWARE\AVAST4\ASHDISP.EXE
    c:\program files\ROXIO\EASY CD CREATOR 6\AUDIOCENTRAL\PLAYLIST.EXE
    c:\windows\SYSTEM32\WBEM\WMIAPSRV.EXE
    c:\program files\ALWIL SOFTWARE\AVAST4\SETUP\AVAST.SETUP
    .
    **************************************************************************
    .
    Completion time: 2008-12-08 16:35:46 - machine was rebooted [Istvan]
    ComboFix-quarantined-files.txt 2008-12-08 14:35:44

    Pre-Run: 2,215,555,072 bytes free
    Post-Run: 2,202,148,864 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

    187

    And this is the another new kroki.exe log file:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:40:24 PM, on 12/8/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\kroki.exe.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn2\yt.dll
    R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn2\yt.dll
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport în Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JavaSoft\JRE\1.3.1_18\bin\npjava131_18.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JavaSoft\JRE\1.3.1_18\bin\npjava131_18.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://www.straja.ro/plugin/h263ctrl.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe (file missing)

    --
    End of file - 6837 bytes

    I hope everything is OK.Thanks a lot,and all the best for you!
    p.s.Sorry,I don't have succes with install Recovery Console.I do it all what I read in site,but I don't have succes.
    If I have problems for this inconvenient,the final step is:Format disc,and reinstal Windows,and all programs what I have.
  8. 2008-12-08, 16:18 #8
    Shaba
    Shaba is offline
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    To access the Uninstall Manager you would do the following:

    1. Start HijackThis
    2. Click on the Config button
    3. Click on the Misc Tools button
    4. Click on the Open Uninstall Manager button.

    You will now be presented with a screen similar to the one below:



    5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
  9. 2008-12-09, 16:31 #9
    kroki
    kroki is offline
    Junior Member
    Join Date
    Dec 2008
    Posts
    8

    Default Requested list

    Hi Shaba!

    Here is the requested list:
    ACE Mega CoDecS Pack
    Adobe Flash Player 10 Plugin
    Adobe Flash Player ActiveX
    Adobe Reader 8.1.3
    ATI - Software Uninstall Utility
    ATI Catalyst Control Center
    ATI Display Driver
    avast! Antivirus
    BCDC++ 0.706bx
    BitSpirit v2.6.3 Final Release
    BSPlayer
    DFX for Winamp
    Disc2Phone
    DivX Pro Codec Adware
    Easy CD & DVD Creator 6
    ffdshow (remove only)
    Google Gmail Notifier
    HijackThis 2.0.2
    Java 2 Runtime Environment Standard Edition v1.3.1_18
    Java 2 Runtime Environment, SE v1.4.1_01
    Java Web Start
    Joost (tm) Beta 1.0.8
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 2.0
    Microsoft Office XP Professional
    Microsoft Visual C++ 2005 Redistributable
    Mozilla Firefox (3.0.1)
    Norton Spyware Scan provided by Yahoo!
    PCTV4Me (remove only)
    Quintessential Player
    RealPlayer
    Security Update for Windows XP (KB923789)
    Skype™ 3.8
    Sony Ericsson PC Suite
    Spybot - Search & Destroy
    Szótár program eltávolítása
    Szótár program eltávolítása
    Tip-Top program eltávolítása
    Titok program eltávolítása
    Torrent Harvester
    Total Commander (Remove or Repair)
    VideoLAN VLC media player 0.8.2
    Winamp (remove only)
    WinAVIVideoConverter
    Windows Media Format Runtime
    Windows Media Player Firefox Plugin
    WinRAR archiver
    XviD MPEG-4 Codec
    Yahoo! Anti-Spy
    Yahoo! Browser Services
    Yahoo! Install Manager
    Yahoo! Internet Mail
    Yahoo! Messenger
    Yahoo! Search Protection
    Yahoo! Toolbar

    Best regards!
  10. 2008-12-09, 16:32 #10
    Shaba
    Shaba is offline
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

    uTorrent
    BCDC++ 0.706bx
    BitSpirit v2.6.3 Final Release

    I'd like you to read the this thread.

    Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

    Please run a new uninstall list scan when finished and post the log back here.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules