Looks like Virtumonde got on here and won't go away :(

Status
Not open for further replies.
C

CraniumX

New member
Help is greatly appreciated. I sure can't seem to kick this thing's butt on my own. Random pop-ups seem to just happen.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:35 PM, on 6/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\JetMailMonitor\JetMM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: {6fefe65d-c7f0-aa19-0fa4-78d8cd44ba70} - {07ab44dc-8d87-4af0-91aa-0f7cd56efef6} - C:\WINDOWS\system32\jtkxjmwj.dll
O2 - BHO: (no name) - {1163E1C5-5E01-4DA9-A213-2F51B6F9683D} - (no file)
O2 - BHO: (no name) - {2DF7A34E-D47C-46A4-B446-298704313D06} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5DA8D715-1510-45B3-9496-1783926B4033} - C:\WINDOWS\system32\qoMeEULB.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {D0335330-6173-47B6-A34F-D38A3A89E1D6} - C:\WINDOWS\system32\pmnmjIBT.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [GEST] =
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: jetMailMonitor.lnk = C:\Program Files\JetMailMonitor\JetMM.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://dev.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1213636516984
O17 - HKLM\System\CCS\Services\Tcpip\..\{5DF883A6-29EC-417F-8546-D6D669E98E3D}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll,wbsys.dll,
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5062 bytes
 
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You are infected, I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
This can be a tough infection to remove so do not expect fast or easy.

It looks like you have at least multiple infections, Vundo and you are probably hacked by Ukrainian criminals.

1) Thanks to LonnyBJones and anyone else who helped with this fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://download.bleepingcomputer.com/lonny/Fixwareout.exe

Save it to yourDesktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log.

(wait until you finish to posts reports and logs)

2) Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here to your Desktop
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the report from Fixwareout, the combofix log and a new HJT log.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks
 
Okay, the computer's disconnected from the internet. Haven't used any programs since my last post at least, because I knew this crap seems to just keep coming back. Here are the logs you requested:

Username "Cranium X" - 06/18/2008 10:26:26 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE"
"Alcmtr"="ALCMTR.EXE"
"JMB36X IDE Setup"="C:\\WINDOWS\\RaidTool\\xInsIDE.exe"
"36X Raid Configurer"="C:\\WINDOWS\\system32\\xRaidSetup.exe boot"
"GEST"="="
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"AVG8_TRAY"="C:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_06\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~





ComboFix 08-06-16.5 - Cranium X 2008-06-18 10:30:40.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3170 [GMT -4:00]
Running from: C:\Documents and Settings\Cranium X\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMb7748ce8.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\jtkxjmwj.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\olvmkifj.dll
C:\WINDOWS\system32\TBIjmnmp.ini
C:\WINDOWS\system32\TBIjmnmp.ini2

.
((((((((((((((((((((((((( Files Created from 2008-05-18 to 2008-06-18 )))))))))))))))))))))))))))))))
.

2008-06-18 10:26 . 2008-06-18 10:28 <DIR> d-------- C:\fixwareout
2008-06-17 22:40 . 2008-06-17 22:40 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-17 22:40 . 2008-06-17 22:40 <DIR> d-------- C:\Documents and Settings\Cranium X\Application Data\Malwarebytes
2008-06-17 22:40 . 2008-06-17 22:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-17 22:40 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-17 22:40 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-17 22:38 . 2008-06-17 22:38 <DIR> d-------- C:\VundoFix Backups
2008-06-17 22:00 . 2008-06-17 22:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-17 20:33 . 2008-06-17 20:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Empyre Group
2008-06-17 20:32 . 2008-06-17 20:32 <DIR> d-------- C:\Program Files\Dillie-O Digital
2008-06-17 20:32 . 2008-06-17 20:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dillie-O Digital
2008-06-17 19:56 . 2008-06-18 10:29 104 --a------ C:\WINDOWS\system32\NvApps.xml
2008-06-17 14:58 . 2008-06-17 14:58 <DIR> d-------- C:\WINDOWS\Sun
2008-06-17 12:51 . 2008-06-17 22:19 499 --a------ C:\WINDOWS\wininit.ini
2008-06-17 12:38 . 2008-06-17 12:38 <DIR> d-------- C:\Program Files\Empyre Group
2008-06-16 18:18 . 2008-06-16 18:18 <DIR> d-------- C:\Documents and Settings\Cranium X\Application Data\InstallShield Installation Information
2008-06-16 18:17 . 2008-06-16 18:17 <DIR> d-------- C:\Program Files\Unreal Tournament 3 Demo
2008-06-16 18:16 . 2008-06-16 18:16 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-06-16 18:16 . 2008-06-16 18:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-16 18:16 . 2008-06-16 18:16 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-06-16 14:45 . 2008-06-16 14:45 0 --------- C:\WINDOWS\WB.ini
2008-06-16 14:34 . 2008-06-16 14:34 <DIR> d-------- C:\Program Files\Stardock
2008-06-16 14:34 . 2008-04-26 16:14 42,672 --a------ C:\WINDOWS\system32\wbsys.dll
2008-06-16 14:30 . 2008-06-17 23:01 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-16 14:13 . 2008-06-16 14:18 <DIR> d-------- C:\Program Files\Winamp
2008-06-16 14:13 . 2008-06-16 14:25 1,065 --a------ C:\WINDOWS\winamp.ini
2008-06-16 14:05 . 2008-06-16 14:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-06-16 13:55 . 2008-06-16 13:55 <DIR> d-------- C:\Program Files\OpenOffice.org 2.4
2008-06-16 13:54 . 2008-06-16 22:11 <DIR> d-------- C:\BitTorrent Files
2008-06-16 13:46 . 2008-06-17 10:48 <DIR> d-------- C:\Documents and Settings\Cranium X\Application Data\Azureus
2008-06-16 13:46 . 2008-06-16 13:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-06-16 13:46 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-16 13:45 . 2008-06-16 13:55 <DIR> d-------- C:\Program Files\Java
2008-06-16 13:45 . 2008-06-16 13:45 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-16 13:43 . 2008-06-17 10:48 <DIR> d-------- C:\Program Files\Azureus
2008-06-16 13:25 . 2008-04-23 00:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-06-16 13:25 . 2007-04-17 05:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-06-16 13:25 . 2007-03-08 01:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-06-16 13:25 . 2008-04-23 00:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-06-16 13:25 . 2008-04-23 00:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-06-16 13:25 . 2008-04-23 00:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-06-16 13:25 . 2008-04-23 00:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-06-16 13:25 . 2008-04-23 00:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-06-16 13:25 . 2008-04-22 03:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-16 13:20 . 2008-06-16 13:21 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-06-16 13:20 . 2008-04-14 08:30 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-16 13:20 . 2008-04-14 08:30 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-16 13:17 . 2008-06-16 13:27 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-06-16 13:17 . 2006-09-06 17:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-06-16 13:15 . 2008-06-16 13:15 <DIR> d--hs---- C:\Documents and Settings\Cranium X\UserData
2008-06-16 13:15 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-06-16 13:15 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-06-16 13:15 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-06-16 13:15 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-06-16 13:15 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-06-16 13:06 . 2008-06-16 13:06 <DIR> d-------- C:\Documents and Settings\Cranium X\Application Data\ACD Systems
2008-06-16 13:04 . 2008-06-16 13:04 <DIR> d-------- C:\Program Files\Common Files\ACD Systems
2008-06-16 13:04 . 2008-06-16 13:04 <DIR> d-------- C:\Program Files\ACD Systems
2008-06-16 13:04 . 2008-06-16 13:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ACD Systems
2008-06-16 13:03 . 2008-06-16 13:03 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-06-16 13:03 . 2008-06-16 13:03 10,368 --a------ C:\WINDOWS\system32\drivers\pfc.sys
2008-06-16 12:34 . 2008-06-16 12:36 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-06-16 12:34 . 2008-06-16 12:34 <DIR> d-------- C:\Program Files\Ahead
2008-06-16 12:34 . 2001-07-06 14:41 569,344 --a------ C:\WINDOWS\system32\imagr5.dll
2008-06-16 12:34 . 2001-07-06 12:44 544,768 --a------ C:\WINDOWS\system32\imagx5.dll
2008-06-16 12:34 . 2001-07-06 18:24 283,920 --a------ C:\WINDOWS\system32\ImagXpr5.dll
2008-06-16 12:34 . 2001-07-09 11:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-06-16 12:34 . 2000-06-26 11:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2008-06-16 12:34 . 2001-06-26 08:15 38,912 --a------ C:\WINDOWS\system32\picn20.dll
2008-06-16 12:31 . 2008-06-16 12:31 <DIR> d-------- C:\Program Files\simplemu
2008-06-15 23:48 . 2008-06-18 10:17 12 --a------ C:\WINDOWS\dirsaver.ini
2008-06-15 23:18 . 2008-06-15 23:18 5,049,472 --a------ C:\WINDOWS\Dancing Lizard Gals.scr
2008-06-15 23:12 . 2008-06-18 00:01 <DIR> d-------- C:\Program Files\Trillian
2008-06-15 23:02 . 2008-06-15 23:04 <DIR> d-------- C:\WINDOWS\Icons
2008-06-15 22:55 . 2008-06-15 22:55 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-06-15 22:55 . 2008-06-15 22:56 <DIR> d-------- C:\WINDOWS\NV39921524.TMP
2008-06-15 22:54 . 2008-06-15 22:54 <DIR> d-------- C:\NVIDIA
2008-06-15 22:52 . 2008-06-15 22:52 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-06-15 22:39 . 2008-06-15 22:41 <DIR> d-------- C:\Program Files\eMule
2008-06-14 20:24 . 2008-06-16 23:22 <DIR> d-------- C:\Emulators
2008-06-14 18:27 . 2008-06-14 18:27 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-06-14 18:27 . 2008-06-14 18:27 <DIR> d-------- C:\Documents and Settings\Cranium X\Application Data\Media Player Classic
2008-06-14 17:24 . 2008-06-14 17:24 <DIR> d-------- C:\Program Files\CCleaner
2008-06-14 17:22 . 2008-06-14 17:22 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-14 17:22 . 2008-06-14 17:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-14 17:18 . 2008-06-18 09:52 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-14 17:18 . 2008-06-14 17:18 <DIR> d-------- C:\Program Files\AVG
2008-06-14 17:18 . 2008-06-14 17:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-14 17:18 . 2008-06-14 17:18 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-14 17:18 . 2008-06-14 17:18 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-06-14 17:18 . 2008-06-14 17:18 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-14 16:51 . 2008-06-14 16:54 <DIR> d-------- C:\Program Files\JetMailMonitor
2008-06-14 16:50 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-06-14 16:50 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-06-14 16:35 . 2008-06-14 16:35 <DIR> d-------- C:\Documents and Settings\Cranium X\Application Data\Talkback
2008-06-14 16:34 . 2008-06-18 10:18 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2008-06-14 16:34 . 2008-06-18 10:18 <DIR> d-------- C:\Documents and Settings\Cranium X\Application Data\Thunderbird
2008-06-14 16:08 . 2008-06-14 16:08 <DIR> d-------- C:\Logs
2008-06-14 15:45 . 2008-06-14 15:45 1,160 --a------ C:\WINDOWS\mozver.dat
2008-06-14 15:10 . 2008-04-14 00:15 26,368 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-06-14 14:31 . 2007-08-13 19:21 1,351,254 --a------ C:\WINDOWS\iObject.bmp
2008-06-14 14:15 . 2008-06-14 14:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-06-14 14:12 . 2008-06-14 14:12 <DIR> d-------- C:\Program Files\Yahoo!
2008-06-14 13:54 . 2008-06-14 13:54 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-14 13:47 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-06-14 13:47 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-06-14 13:47 . 2008-04-14 00:15 10,368 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-06-14 13:47 . 2008-04-14 00:15 10,368 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-06-14 11:26 . 2008-06-14 11:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\media center programs
2008-06-14 03:06 . 2008-06-17 20:57 <DIR> d-------- C:\Program Files\World of Warcraft
2008-06-14 03:06 . 2008-06-14 03:06 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-18 01:02 --------- d-----w C:\Program Files\Steam
2008-06-14 20:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-14 14:36 --------- d-----w C:\Program Files\Funcom
2008-06-14 14:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Funcom
2008-06-14 06:48 --------- d-----w C:\Program Files\Realtek
2008-06-14 06:48 --------- d-----w C:\Documents and Settings\Cranium X\Application Data\InstallShield
2008-06-14 06:47 16,608 ----a-w C:\WINDOWS\gdrv.sys
2008-06-14 06:46 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-06-14 06:45 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-14 06:43 --------- d-----w C:\Program Files\Intel
2008-06-14 06:32 --------- d-----w C:\Program Files\microsoft frontpage
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-03 02:46 6,554,496 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2006-06-15 17:29 23,552 ----a-w C:\Program Files\mozilla firefox\plugins\DrvMgt.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5DA8D715-1510-45B3-9496-1783926B4033}]
C:\WINDOWS\system32\qoMeEULB.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D0335330-6173-47B6-A34F-D38A3A89E1D6}]
C:\WINDOWS\system32\pmnmjIBT.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-13 02:31 16857600 C:\WINDOWS\RTHDCPL.exe]
"JMB36X IDE Setup"="C:\WINDOWS\RaidTool\xInsIDE.exe" [2007-03-20 02:36 36864]
"36X Raid Configurer"="C:\WINDOWS\system32\xRaidSetup.exe" [2007-08-29 04:55 1966080]
"GEST"="=" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"nwiz"="nwiz.exe" [2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-14 17:18 1177368]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 22:46 86016]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
jetMailMonitor.lnk - C:\Program Files\JetMailMonitor\JetMM.exe [2008-06-14 16:51:10 651264]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000
"NoLogoff"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2008-06-16 15:16 210168 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\b447bf74]
C:\WINDOWS\system32\orqrjcof.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMb7748ce8]
C:\WINDOWS\system32\vnkwgadb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\Unreal Tournament 3 Demo\\Binaries\\UT3Demo.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-14 17:18]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-14 17:18]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-14 17:18]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-14 17:18]
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2008-06-14 02:47]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-18 10:33:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-06-18 10:35:23 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-18 14:35:21

Pre-Run: 564,134,313,984 bytes free
Post-Run: 564,171,665,408 bytes free

226




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:38:47 AM, on 6/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\JetMailMonitor\JetMM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5DA8D715-1510-45B3-9496-1783926B4033} - C:\WINDOWS\system32\qoMeEULB.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {D0335330-6173-47B6-A34F-D38A3A89E1D6} - C:\WINDOWS\system32\pmnmjIBT.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [GEST] =
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: jetMailMonitor.lnk = C:\Program Files\JetMailMonitor\JetMM.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://dev.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1213636516984
O17 - HKLM\System\CCS\Services\Tcpip\..\{5DF883A6-29EC-417F-8546-D6D669E98E3D}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4648 bytes
 
Thanks for returning your information, read and follow all instructions carefully.

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

2) Open notepad and copy/paste the text in the codebox below into it:

Code: 
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5DA8D715-1510-45B3-9496-1783926B4033}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D0335330-6173-47B6-A34F-D38A3A89E1D6}]

Folder::
C:\fixwareout
C:\VundoFix Backups

Save this as CFScript

CFScript.gif


Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the reports)

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(leave the first item if you set it that way)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

(items may be gone, removed by the CFScript)

O2 - BHO: (no name) - {5DA8D715-1510-45B3-9496-1783926B4033} - C:\WINDOWS\system32\qoMeEULB.dll (file missing)
O2 - BHO: (no name) - {D0335330-6173-47B6-A34F-D38A3A89E1D6} - C:\WINDOWS\system32\pmnmjIBT.dll (file missing)
O4 - HKLM\..\Run: [GEST] =
O17 - HKLM\System\CCS\Services\Tcpip\..\{5DF883A6-29EC-417F-8546-D6D669E98E3D}: NameServer = 208.67.222.222,208.67.220.220

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post the combofix log from CFScript, a new HJT log and some feedback from you. How is the computer running.

Thanks
 
I've ran the system online for about an hour now, just general webbrowsing, and nothing has popped up yet, so looks like it might be fixed. Here are the updated logs:


ComboFix 08-06-16.5 - Cranium X 2008-06-18 12:45:39.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3167 [GMT -4:00]
Running from: C:\Documents and Settings\Cranium X\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Cranium X\Desktop\CFScript
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\fixwareout
C:\fixwareout\dnsbak.reg
C:\fixwareout\FindT\clsid.bak
C:\fixwareout\FindT\dumphive.exe
C:\fixwareout\FindT\FixWareOut.reg
C:\fixwareout\FindT\nircmd.exe
C:\fixwareout\FindT\patterns.txt
C:\fixwareout\FindT\rbot.bat
C:\fixwareout\FindT\RestartIt.exe
C:\fixwareout\FindT\runback.txt
C:\fixwareout\FindT\runs.vbs
C:\fixwareout\FindT\swreg.exe
C:\fixwareout\FindT\vfind.exe
C:\fixwareout\FindT\XP-2K2.cmd
C:\fixwareout\FixIt.BAT
C:\fixwareout\report.txt
C:\VundoFix Backups

.
((((((((((((((((((((((((( Files Created from 2008-05-18 to 2008-06-18 )))))))))))))))))))))))))))))))
.

2008-06-17 22:40 . 2008-06-17 22:40 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-17 22:40 . 2008-06-17 22:40 <DIR> d-------- C:\Documents and Settings\Cranium X\Application Data\Malwarebytes
2008-06-17 22:40 . 2008-06-17 22:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-17 22:40 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-17 22:40 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-17 22:00 . 2008-06-17 22:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-17 20:33 . 2008-06-17 20:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Empyre Group
2008-06-17 20:32 . 2008-06-17 20:32 <DIR> d-------- C:\Program Files\Dillie-O Digital
2008-06-17 20:32 . 2008-06-17 20:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dillie-O Digital
2008-06-17 19:56 . 2008-06-18 10:34 104 --a------ C:\WINDOWS\system32\NvApps.xml
2008-06-17 14:58 . 2008-06-17 14:58 <DIR> d-------- C:\WINDOWS\Sun
2008-06-17 12:51 . 2008-06-17 22:19 499 --a------ C:\WINDOWS\wininit.ini
2008-06-17 12:38 . 2008-06-17 12:38 <DIR> d-------- C:\Program Files\Empyre Group
2008-06-16 18:18 . 2008-06-16 18:18 <DIR> d-------- C:\Documents and Settings\Cranium X\Application Data\InstallShield Installation Information
2008-06-16 18:17 . 2008-06-16 18:17 <DIR> d-------- C:\Program Files\Unreal Tournament 3 Demo
2008-06-16 18:16 . 2008-06-16 18:16 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-06-16 18:16 . 2008-06-16 18:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-16 18:16 . 2008-06-16 18:16 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-06-16 14:45 . 2008-06-16 14:45 0 --------- C:\WINDOWS\WB.ini
2008-06-16 14:34 . 2008-06-16 14:34 <DIR> d-------- C:\Program Files\Stardock
2008-06-16 14:34 . 2008-04-26 16:14 42,672 --a------ C:\WINDOWS\system32\wbsys.dll
2008-06-16 14:30 . 2008-06-17 23:01 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-16 14:13 . 2008-06-16 14:18 <DIR> d-------- C:\Program Files\Winamp
2008-06-16 14:13 . 2008-06-16 14:25 1,065 --a------ C:\WINDOWS\winamp.ini
2008-06-16 14:05 . 2008-06-16 14:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-06-16 13:55 . 2008-06-16 13:55 <DIR> d-------- C:\Program Files\OpenOffice.org 2.4
2008-06-16 13:54 . 2008-06-16 22:11 <DIR> d-------- C:\BitTorrent Files
2008-06-16 13:46 . 2008-06-17 10:48 <DIR> d-------- C:\Documents and Settings\Cranium X\Application Data\Azureus
2008-06-16 13:46 . 2008-06-16 13:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-06-16 13:46 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-16 13:45 . 2008-06-16 13:55 <DIR> d-------- C:\Program Files\Java
2008-06-16 13:45 . 2008-06-16 13:45 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-16 13:43 . 2008-06-17 10:48 <DIR> d-------- C:\Program Files\Azureus
2008-06-16 13:25 . 2008-04-23 00:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-06-16 13:25 . 2007-04-17 05:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-06-16 13:25 . 2007-03-08 01:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-06-16 13:25 . 2008-04-23 00:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-06-16 13:25 . 2008-04-23 00:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-06-16 13:25 . 2008-04-23 00:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-06-16 13:25 . 2008-04-23 00:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-06-16 13:25 . 2008-04-23 00:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-06-16 13:25 . 2008-04-22 03:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-16 13:20 . 2008-06-16 13:21 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-06-16 13:20 . 2008-04-14 08:30 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-16 13:20 . 2008-04-14 08:30 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-16 13:17 . 2008-06-16 13:27 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-06-16 13:17 . 2006-09-06 17:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-06-16 13:15 . 2008-06-16 13:15 <DIR> d--hs---- C:\Documents and Settings\Cranium X\UserData
2008-06-16 13:15 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-06-16 13:15 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-06-16 13:15 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-06-16 13:15 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-06-16 13:15 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-06-16 13:06 . 2008-06-16 13:06 <DIR> d-------- C:\Documents and Settings\Cranium X\Application Data\ACD Systems
2008-06-16 13:04 . 2008-06-16 13:04 <DIR> d-------- C:\Program Files\Common Files\ACD Systems
2008-06-16 13:04 . 2008-06-16 13:04 <DIR> d-------- C:\Program Files\ACD Systems
2008-06-16 13:04 . 2008-06-16 13:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ACD Systems
2008-06-16 13:03 . 2008-06-16 13:03 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-06-16 13:03 . 2008-06-16 13:03 10,368 --a------ C:\WINDOWS\system32\drivers\pfc.sys
2008-06-16 12:34 . 2008-06-16 12:36 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-06-16 12:34 . 2008-06-16 12:34 <DIR> d-------- C:\Program Files\Ahead
2008-06-16 12:34 . 2001-07-06 14:41 569,344 --a------ C:\WINDOWS\system32\imagr5.dll
2008-06-16 12:34 . 2001-07-06 12:44 544,768 --a------ C:\WINDOWS\system32\imagx5.dll
2008-06-16 12:34 . 2001-07-06 18:24 283,920 --a------ C:\WINDOWS\system32\ImagXpr5.dll
2008-06-16 12:34 . 2001-07-09 11:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-06-16 12:34 . 2000-06-26 11:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2008-06-16 12:34 . 2001-06-26 08:15 38,912 --a------ C:\WINDOWS\system32\picn20.dll
2008-06-16 12:31 . 2008-06-16 12:31 <DIR> d-------- C:\Program Files\simplemu
2008-06-15 23:48 . 2008-06-18 10:17 12 --a------ C:\WINDOWS\dirsaver.ini
2008-06-15 23:18 . 2008-06-15 23:18 5,049,472 --a------ C:\WINDOWS\Dancing Lizard Gals.scr
2008-06-15 23:12 . 2008-06-18 00:01 <DIR> d-------- C:\Program Files\Trillian
2008-06-15 23:02 . 2008-06-15 23:04 <DIR> d-------- C:\WINDOWS\Icons
2008-06-15 22:55 . 2008-06-15 22:55 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-06-15 22:55 . 2008-06-15 22:56 <DIR> d-------- C:\WINDOWS\NV39921524.TMP
2008-06-15 22:54 . 2008-06-15 22:54 <DIR> d-------- C:\NVIDIA
2008-06-15 22:52 . 2008-06-15 22:52 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-06-15 22:39 . 2008-06-15 22:41 <DIR> d-------- C:\Program Files\eMule
2008-06-14 20:24 . 2008-06-16 23:22 <DIR> d-------- C:\Emulators
2008-06-14 18:27 . 2008-06-14 18:27 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-06-14 18:27 . 2008-06-14 18:27 <DIR> d-------- C:\Documents and Settings\Cranium X\Application Data\Media Player Classic
2008-06-14 17:24 . 2008-06-14 17:24 <DIR> d-------- C:\Program Files\CCleaner
2008-06-14 17:22 . 2008-06-14 17:22 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-14 17:22 . 2008-06-14 17:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-14 17:18 . 2008-06-18 09:52 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-14 17:18 . 2008-06-14 17:18 <DIR> d-------- C:\Program Files\AVG
2008-06-14 17:18 . 2008-06-14 17:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-14 17:18 . 2008-06-14 17:18 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-14 17:18 . 2008-06-14 17:18 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-06-14 17:18 . 2008-06-14 17:18 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-14 16:51 . 2008-06-14 16:54 <DIR> d-------- C:\Program Files\JetMailMonitor
2008-06-14 16:50 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-06-14 16:50 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-06-14 16:35 . 2008-06-14 16:35 <DIR> d-------- C:\Documents and Settings\Cranium X\Application Data\Talkback
2008-06-14 16:34 . 2008-06-18 10:18 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2008-06-14 16:34 . 2008-06-18 10:18 <DIR> d-------- C:\Documents and Settings\Cranium X\Application Data\Thunderbird
2008-06-14 16:08 . 2008-06-14 16:08 <DIR> d-------- C:\Logs
2008-06-14 15:45 . 2008-06-14 15:45 1,160 --a------ C:\WINDOWS\mozver.dat
2008-06-14 15:10 . 2008-04-14 00:15 26,368 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-06-14 14:31 . 2007-08-13 19:21 1,351,254 --a------ C:\WINDOWS\iObject.bmp
2008-06-14 14:15 . 2008-06-14 14:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-06-14 14:12 . 2008-06-14 14:12 <DIR> d-------- C:\Program Files\Yahoo!
2008-06-14 13:54 . 2008-06-14 13:54 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-14 13:47 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-06-14 13:47 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-06-14 13:47 . 2008-04-14 00:15 10,368 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-06-14 13:47 . 2008-04-14 00:15 10,368 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-06-14 11:26 . 2008-06-14 11:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\media center programs
2008-06-14 03:06 . 2008-06-17 20:57 <DIR> d-------- C:\Program Files\World of Warcraft
2008-06-14 03:06 . 2008-06-14 03:06 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-18 01:02 --------- d-----w C:\Program Files\Steam
2008-06-14 20:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-14 14:36 --------- d-----w C:\Program Files\Funcom
2008-06-14 14:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Funcom
2008-06-14 06:48 --------- d-----w C:\Program Files\Realtek
2008-06-14 06:48 --------- d-----w C:\Documents and Settings\Cranium X\Application Data\InstallShield
2008-06-14 06:47 16,608 ----a-w C:\WINDOWS\gdrv.sys
2008-06-14 06:46 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-06-14 06:45 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-14 06:43 --------- d-----w C:\Program Files\Intel
2008-06-14 06:32 --------- d-----w C:\Program Files\microsoft frontpage
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-30 21:27 442,368 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-14 09:42 74,240 ----a-w C:\WINDOWS\system32\usbui.dll
2008-04-14 09:42 23,552 ----a-w C:\WINDOWS\system32\wdmaud.drv
2008-04-14 09:41 4,096 ----a-w C:\WINDOWS\system32\ksuser.dll
2008-04-14 05:42 74,752 ----a-w C:\WINDOWS\system32\storprop.dll
2008-03-31 21:25 682,496 ----a-w C:\WINDOWS\system32\divx.dll
2008-03-28 17:41 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2008-03-21 20:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 20:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2006-06-15 17:29 23,552 ----a-w C:\Program Files\mozilla firefox\plugins\DrvMgt.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-13 02:31 16857600 C:\WINDOWS\RTHDCPL.exe]
"JMB36X IDE Setup"="C:\WINDOWS\RaidTool\xInsIDE.exe" [2007-03-20 02:36 36864]
"36X Raid Configurer"="C:\WINDOWS\system32\xRaidSetup.exe" [2007-08-29 04:55 1966080]
"GEST"="=" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"nwiz"="nwiz.exe" [2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-14 17:18 1177368]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 22:46 86016]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
jetMailMonitor.lnk - C:\Program Files\JetMailMonitor\JetMM.exe [2008-06-14 16:51:10 651264]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000
"NoLogoff"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2008-06-16 15:16 210168 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\b447bf74]
C:\WINDOWS\system32\orqrjcof.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMb7748ce8]
C:\WINDOWS\system32\vnkwgadb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\Unreal Tournament 3 Demo\\Binaries\\UT3Demo.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-14 17:18]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-14 17:18]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-14 17:18]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-14 17:18]
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2008-06-14 02:47]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\LaunchU3.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-18 12:46:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-18 12:46:49
ComboFix-quarantined-files.txt 2008-06-18 16:46:45
ComboFix2.txt 2008-06-18 14:35:24

Pre-Run: 564,148,228,096 bytes free
Post-Run: 564,135,190,528 bytes free

235





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:53:39 PM, on 6/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\JetMailMonitor\JetMM.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: jetMailMonitor.lnk = C:\Program Files\JetMailMonitor\JetMM.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://dev.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1213636516984
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4272 bytes
 
Thanks for returning your information and the feedback, that sounds good, just a little more to do then, this is the next bridge we need to cross.

I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional but if you do not have the CD's needed, as is explained, it can be installed before we remove combofix.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\*CF-RC.txt*.

Since we do not need to scan with combofix, click NO

RC_whatnext.gif


RC_AllDone.gif


Thanks...Phil
 
I installed it via the installation CD instead of using ComboFix, so I didn't get the log. Funny how I've had the CD for so long and never realized you could put it onto the hard drive, instead of just booting into it with the CD itself, heh. Anyway, go on to the next step, please.
 
Here is some information about RC, I personally believe Microsoft should be installing it by default.
http://support.microsoft.com/kb/314058
http://support.microsoft.com/kb/307654

Remove combofix:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

CF_Cleanup.png


You have MBAM onboard, run a scan and post the log for me to view.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
 
Hmmm, it found one thing apparently. Haven't installed or uninstalled anything except what you said to.



Malwarebytes' Anti-Malware 1.17
Database version: 865

4:20:32 PM 6/18/2008
mbam-log-6-18-2008 (16-20-25).txt

Scan type: Full Scan (C:\|)
Objects scanned: 80274
Time elapsed: 8 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
It is just a leftover in the registry. Why did you choose to take no action? Run MBAM again and delete or at least quarantine the item.

Thanks
 
I actually did remove it, I just posted the wrong log, oops. The one I posted I saved to the desktop for easier access instead of the default place for the logs and didn't save the one after removing. Thanks for all the help, it's much appreciated.
 
Status
Not open for further replies.
Back
Top