Need help with Malware Problem: Virtumonde

Rudy,

Go to My Computer > your C:\ drive and look for Combofix.txt; you should have two of them. Right-click each one, go to Properties, and open the one with this date --> 2007-11-22 21:59. Copy and paste it into this thread.

Ken
 
ComboFix 07-11-19.3 - Admin 2007-11-22 21:55:35.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.209 [GMT -5:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-10-23 to 2007-11-23 )))))))))))))))))))))))))))))))
.

2007-11-22 13:20 <DIR> d-------- C:\VundoFix Backups
2007-11-21 21:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-21 17:07 118 --a------ C:\WINDOWS\system32\MRT.INI
2007-11-21 15:21 80,960 --a------ C:\WINDOWS\system32\mxbhubgd.dll
2007-11-21 14:59 <DIR> d-------- C:\Program Files\CCleaner
2007-11-21 14:32 <DIR> d-------- C:\Program Files\Windows Defender
2007-11-21 14:27 80,960 --a------ C:\WINDOWS\system32\xpywlfue.dll
2007-11-21 14:25 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-11-21 13:21 80,960 --a------ C:\WINDOWS\system32\wxbtuanx.dll
2007-11-09 08:30 583,921 ---hs---- C:\WINDOWS\system32\lwgipqfa.ini
2007-11-09 08:30 88,128 --a------ C:\WINDOWS\system32\afqpigwl.dll
2007-11-09 08:28 77,888 --a------ C:\WINDOWS\system32\kpfxenfo.dll
2007-11-09 08:24 71,232 --a------ C:\WINDOWS\system32\xkiijiyf.exe
2007-11-09 08:22 <DIR> d-------- C:\Program Files\QdrModule
2007-11-09 08:22 441,950 ---hs---- C:\WINDOWS\system32\lnmoq.bak2
2007-11-09 08:22 145,984 --a------ C:\WINDOWS\system32\rxqnbksa.dll
2007-11-08 10:50 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-10-24 20:57 <DIR> d-------- C:\WINDOWS\system32\acespy
2007-10-24 20:19 6,465 ---hs---- C:\WINDOWS\system32\lnmoq.bak1
2007-10-24 20:18 437,315 ---hs---- C:\WINDOWS\system32\lnmoq.ini
2007-10-24 20:16 92 --a------ C:\WINDOWS\system32\sznf.ascii
2007-10-24 20:15 14 --a------ C:\WINDOWS\system32\din.ip
2007-10-24 20:15 4 --a------ C:\WINDOWS\system32\navwanvd.ini
2007-10-24 20:15 2 --a------ C:\WINDOWS\system32\lt.res
2007-10-24 20:13 12,217 --a------ C:\WINDOWS\system32\winlogon.scr
2007-10-24 20:13 12,217 ---hs---- C:\Documents and Settings\Mom and Dad\winmain.exe
2007-10-24 20:13 3,739 --a------ C:\WINDOWS\system32\sft.res

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-21 20:24 --------- d-----w C:\Program Files\SpywareGuard
2007-11-21 20:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-21 20:06 --------- d-----w C:\Program Files\Dell
2007-11-21 20:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-21 20:05 --------- d-----w C:\Program Files\CyberLink
2007-11-08 15:54 --------- d-----w C:\Documents and Settings\Admin\Application Data\Lavasoft
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-17 19:04 --------- d-----w C:\Program Files\Wal-Mart Music Downloads Store
2007-10-17 19:03 --------- d-----w C:\Program Files\Sonic
2007-10-17 19:02 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2007-10-17 18:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-10-17 18:06 --------- d-----w C:\Program Files\Google
2007-10-17 17:54 --------- d-----w C:\Program Files\Common Files\Intuit
2007-10-17 17:24 --------- d-----w C:\Program Files\Java
2007-10-17 17:23 --------- d-----w C:\Program Files\Common Files\Java
2007-10-16 04:43 --------- d-----w C:\Program Files\Trend Micro
2007-10-15 23:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-10-15 23:22 --------- d-----w C:\Program Files\Yahoo!
2007-10-15 23:22 --------- d-----w C:\Program Files\Common Files\Scanner
2007-09-27 11:03 --------- d-----w C:\Documents and Settings\Jen\Application Data\Viewpoint
2007-09-23 18:18 --------- d-----w C:\Documents and Settings\Mom and Dad\Application Data\Walgreens
2007-08-17 00:39 61,648 ----a-w C:\Documents and Settings\Mom and Dad\Application Data\GDIPFONTCACHEV1.DAT
2007-03-16 16:42 53,848 ----a-w C:\Documents and Settings\Admin\Application Data\GDIPFONTCACHEV1.DAT
2006-09-09 00:55 0 ---ha-w C:\Documents and Settings\Jen\hpothb07.dat
2006-08-20 23:26 0 ---ha-w C:\Documents and Settings\Mom and Dad\hpothb07.dat
2006-01-18 01:37 0 ---ha-w C:\Documents and Settings\NetworkService\hpothb07.dat
2005-12-27 16:21 0 ---ha-w C:\Documents and Settings\LocalService\hpothb07.dat
2005-12-27 15:03 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat
2005-12-27 15:03 0 ---ha-w C:\Documents and Settings\Administrator\hpothb07.dat
2005-12-27 15:02 0 ---ha-w C:\Documents and Settings\Guest\hpothb07.dat
2005-12-27 15:02 0 ---ha-w C:\Documents and Settings\Default User\hpothb07.dat
2001-11-19 17:14 61,440 ----a-w C:\WINDOWS\inf\i386\gl.dll
2001-10-29 19:30 245,760 ----a-w C:\WINDOWS\inf\i386\viceo.dll
2001-08-17 22:43 32,768 ----a-w C:\WINDOWS\inf\i386\Wiamicro.dll
2005-07-29 20:24 472 --sha-r C:\WINDOWS\QWRtaW4\kqlQuqb.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-11-29 19:19]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 17:22]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 04:40]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-01-31 16:35]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-31 21:10]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-03-04 11:26]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-07-20 23:48]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 04:40]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 04:40]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 01:02]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-10 18:02]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-12-30 14:19]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-25 09:14]
"HPHUPD05"="C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-20 16:23]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-08-20 14:57]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 11:24]
"HPHmon05"="C:\WINDOWS\system32\hphmon05.exe" [2003-08-20 16:15]
"PrintServer Diagnostic"="C:\Program Files\Print Server\PTP\PSDiagnostic.exe" [2004-11-24 17:09]
"OneTouch Monitor"="C:\Program Files\Visioneer OneTouch\OneTouchMon.exe" [2002-04-16 07:12]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-02 10:19]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 10:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 21:32]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 17:22]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe" [2006-06-22 12:44]

C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-07-20 23:41:47]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
C:\WINDOWS\system32\NavLogon.dll 2004-12-30 14:19 55104 C:\WINDOWS\system32\NavLogon.dll

R2 ppsio2;PPDevice;C:\WINDOWS\system32\drivers\ppsio2.sys
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver;\??\D:\INSTAL~E\Core\BVRPMPR5.SYS
S3 O2SCBUS;O2Micro SmartCardBus Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys
S3 pmxscan;Visioneer USB Kernel;C:\WINDOWS\system32\DRIVERS\usbscan.sys
S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;C:\WINDOWS\system32\DRIVERS\netusbxp.sys

.
Contents of the 'Scheduled Tasks' folder
"2006-06-01 13:10:00 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#7700#MY38L133BDK5.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe$/#Hewlett-Packard#7700#MY38L133BDK5
"2007-11-22 18:09:00 C:\WINDOWS\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe
"2007-11-23 02:48:59 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-22 21:58:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-22 21:59:35
C:\ComboFix2.txt ... 2007-11-22 13:37
.
--- E O F ---
 
I can do another scan, it doesn't take long. Before, every time I did a scan the log would come up automatically, and I would copy that right to the thread. I'm sorry about the frustration.
 
Hello Rudy,

Sorry you're having problems. Why don't you do this: let's get rid of ComboFix and all its related folders and then download a new copy, as it's updated on a regular basis. But do it this way first.

  • Go to Start > Run and copy and paste ComboFix /u into the box
  • Make sure there's a space between Combofix and /
  • Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files, and reset System Restore again.

Delete these if still present, but they should be gone.

C:\QooBox
C:\Combofix.txt

Please download OTMoveIt by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\mxbhubgd.dll
    C:\WINDOWS\system32\xpywlfue.dll
    C:\WINDOWS\system32\wxbtuanx.dll
    C:\WINDOWS\system32\lwgipqfa.ini
    C:\WINDOWS\system32\afqpigwl.dll
    C:\WINDOWS\system32\kpfxenfo.dll
    C:\WINDOWS\system32\xkiijiyf.exe
    C:\WINDOWS\system32\lnmoq.bak2
    C:\WINDOWS\system32\lnmoq.bak1
    C:\WINDOWS\system32\lnmoq.ini
    C:\WINDOWS\system32\rxqnbksa.dll
    C:\WINDOWS\system32\navwanvd.ini
  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt


Now go ahead and download and run Combofix.

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Post the OTMoveIt log, the ComboFix log and a new HJT log please.
 
ComboFix

ComboFix 07-11-19.3 - Admin 2007-11-24 23:34:02.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.274 [GMT -5:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-25 to 2007-11-25 )))))))))))))))))))))))))))))))
.

2007-11-22 22:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-22 22:07 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-22 22:07 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\SUPERAntiSpyware.com
2007-11-22 22:06 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-21 21:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-21 17:07 118 --a------ C:\WINDOWS\system32\MRT.INI
2007-11-21 14:59 <DIR> d-------- C:\Program Files\CCleaner
2007-11-21 14:32 <DIR> d-------- C:\Program Files\Windows Defender
2007-11-21 14:25 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-11-09 08:22 <DIR> d-------- C:\Program Files\QdrModule
2007-11-08 10:50 4 --a------ C:\WINDOWS\system32\stfv.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-21 20:24 --------- d-----w C:\Program Files\SpywareGuard
2007-11-21 20:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-21 20:06 --------- d-----w C:\Program Files\Dell
2007-11-21 20:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-21 20:05 --------- d-----w C:\Program Files\CyberLink
2007-11-08 15:54 --------- d-----w C:\Documents and Settings\Admin\Application Data\Lavasoft
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-25 01:13 12,217 --sh--w C:\Documents and Settings\Mom and Dad\winmain.exe
2007-10-25 01:13 12,217 ----a-w C:\WINDOWS\system32\winlogon.scr
2007-10-17 19:04 --------- d-----w C:\Program Files\Wal-Mart Music Downloads Store
2007-10-17 19:03 --------- d-----w C:\Program Files\Sonic
2007-10-17 19:02 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2007-10-17 18:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-10-17 18:06 --------- d-----w C:\Program Files\Google
2007-10-17 17:54 --------- d-----w C:\Program Files\Common Files\Intuit
2007-10-17 17:24 --------- d-----w C:\Program Files\Java
2007-10-17 17:23 --------- d-----w C:\Program Files\Common Files\Java
2007-10-16 04:43 --------- d-----w C:\Program Files\Trend Micro
2007-10-15 23:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-10-15 23:22 --------- d-----w C:\Program Files\Yahoo!
2007-10-15 23:22 --------- d-----w C:\Program Files\Common Files\Scanner
2007-09-27 11:03 --------- d-----w C:\Documents and Settings\Jen\Application Data\Viewpoint
2007-08-17 00:39 61,648 ----a-w C:\Documents and Settings\Mom and Dad\Application Data\GDIPFONTCACHEV1.DAT
2007-03-16 16:42 53,848 ----a-w C:\Documents and Settings\Admin\Application Data\GDIPFONTCACHEV1.DAT
2006-09-09 00:55 0 ---ha-w C:\Documents and Settings\Jen\hpothb07.dat
2006-08-20 23:26 0 ---ha-w C:\Documents and Settings\Mom and Dad\hpothb07.dat
2006-01-18 01:37 0 ---ha-w C:\Documents and Settings\NetworkService\hpothb07.dat
2005-12-27 16:21 0 ---ha-w C:\Documents and Settings\LocalService\hpothb07.dat
2005-12-27 15:03 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat
2005-12-27 15:03 0 ---ha-w C:\Documents and Settings\Administrator\hpothb07.dat
2005-12-27 15:02 0 ---ha-w C:\Documents and Settings\Guest\hpothb07.dat
2005-12-27 15:02 0 ---ha-w C:\Documents and Settings\Default User\hpothb07.dat
2001-11-19 17:14 61,440 ----a-w C:\WINDOWS\inf\i386\gl.dll
2001-10-29 19:30 245,760 ----a-w C:\WINDOWS\inf\i386\viceo.dll
2001-08-17 22:43 32,768 ----a-w C:\WINDOWS\inf\i386\Wiamicro.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-11-29 19:19]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 17:22]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 04:40]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-01-31 16:35]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-31 21:10]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-03-04 11:26]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-07-20 23:48]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 04:40]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 04:40]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 01:02]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-10 18:02]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-12-30 14:19]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-25 09:14]
"HPHUPD05"="C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-20 16:23]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-08-20 14:57]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 11:24]
"HPHmon05"="C:\WINDOWS\system32\hphmon05.exe" [2003-08-20 16:15]
"PrintServer Diagnostic"="C:\Program Files\Print Server\PTP\PSDiagnostic.exe" [2004-11-24 17:09]
"OneTouch Monitor"="C:\Program Files\Visioneer OneTouch\OneTouchMon.exe" [2002-04-16 07:12]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-02 10:19]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 10:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 21:32]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 17:22]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe" [2006-06-22 12:44]

C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-07-20 23:41:47]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
C:\WINDOWS\system32\NavLogon.dll 2004-12-30 14:19 55104 C:\WINDOWS\system32\NavLogon.dll

R2 ppsio2;PPDevice;C:\WINDOWS\system32\drivers\ppsio2.sys
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver;\??\D:\INSTAL~E\Core\BVRPMPR5.SYS
S3 O2SCBUS;O2Micro SmartCardBus Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys
S3 pmxscan;Visioneer USB Kernel;C:\WINDOWS\system32\DRIVERS\usbscan.sys
S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;C:\WINDOWS\system32\DRIVERS\netusbxp.sys

.
Contents of the 'Scheduled Tasks' folder
"2006-06-01 13:10:00 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#7700#MY38L133BDK5.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe$/#Hewlett-Packard#7700#MY38L133BDK5
"2007-11-23 18:09:00 C:\WINDOWS\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe
"2007-11-23 17:32:10 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-24 23:36:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-24 23:37:18
.
--- E O F ---

moveit

File/Folder C:\WINDOWS\system32\mxbhubgd.dll not found.
File/Folder C:\WINDOWS\system32\xpywlfue.dll not found.
File/Folder C:\WINDOWS\system32\wxbtuanx.dll not found.
File/Folder C:\WINDOWS\system32\lwgipqfa.ini not found.
File/Folder C:\WINDOWS\system32\afqpigwl.dll not found.
File/Folder C:\WINDOWS\system32\kpfxenfo.dll not found.
File/Folder C:\WINDOWS\system32\xkiijiyf.exe not found.
File/Folder C:\WINDOWS\system32\lnmoq.bak2 not found.
File/Folder C:\WINDOWS\system32\lnmoq.bak1 not found.
File/Folder C:\WINDOWS\system32\lnmoq.ini not found.
File/Folder C:\WINDOWS\system32\rxqnbksa.dll not found.
File/Folder C:\WINDOWS\system32\navwanvd.ini not found.

Created on 11/24/2007 23:41:28
 
HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:38:40 PM, on 11/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Print Server\PTP\PSDiagnostic.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [PrintServer Diagnostic] C:\Program Files\Print Server\PTP\PSDiagnostic.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://email4.uncg.edu/iNotes6W.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{55507D14-C1D1-4B48-9F57-C5978A5DC283}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{92DA3937-7E5D-4F39-9EA9-5579387A0907}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{C104B33D-A78E-460C-80C5-5DE03268C98F}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 10572 bytes

On the OTMoveIt log I originally copied the wrong thing and exited the program, so I ran it again with the same files you gave me and posted the results in the thread. Sorry about that.
 
Hello Rudy,

It looks like we had a little mix-up on the ComboFix logs, but it all looks good. It appears that ComboFix removed those files but you just posted the wrong log; not to worry, this stuff does get confusing. OTMoveIt could not find those files because ComboFix removed them and they are no longer present. :bigthumb:

The rest of your HJT log looks fine. :bigthumb: How are things running now?
 
Everything is running good, although under Windows Security it still says my antivirus is off; I can't figure out how to put it back on. And it also has the exclamation point in front of it.

So what programs should I keep and which should I remove? I imagine I won't need ComboFix, OTMoveIt, VundoFix, and HijackThis. How about the SUPERAntiSpyware?

Thank you so much for all your help, I'm really gonna try hard to keep this thing clean.
 
Rudy,

Try going to Start > Control Panel > Security Center, click on "Change the way Security Center alerts me" and take the checkmark out of Antivirus. BUT make sure your antivirus software is up to date.


I am providing you with links to read about staying secure along with some free programs to install. Keep in mind that you only need ONE antivirus program and only ONE firewall running. Any more is overkill and will cause you some problems.


Malware Complaints
Are you mad? I mean really mad, seething mad, so mad you're ready to spit, mad that you have taken your hard-earned dollars to buy a computer only to have some miscreants, dirt bags and cyber criminals install a malicious program on your computer without your knowledge or consent. You can post your complaint at the above site. If you live in the U.S.A. you can also report your grievance to your State Attorney General's Office and the Federal Trade Commission's Bureau of Consumer Protection.



Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community:
  • Spybot Search and Destroy 1.5: Check for Updates, Immunize, and run a Full System Scan on a regular basis.
  • Spyware Blaster: It will prevent most spyware from ever being installed.
  • Spyware Guard: It offers real-time protection from spyware installation attempts.
  • IE-Spyad: IE-Spyad places over 4000 web sites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
  • Firefox 2.0: It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.
  • Zone Alarm: Here is a free firewall from Zone Labs. I wouldn't access the internet without it.

Glad we could help

Safe Surfn
Ken
 