Rundll32.exe change

E

evirus

New member
i keep getting the same thing over and over from S&D's tea timer
category: system startup global entry
change: value added
entry: BM174bcbb0
old data:
new data:Rundll32.exe "C:\windows\system32\jtmtnaww.dll",s

hijack this keeps crashing when i hit save log, but here is the entry that obviously corrasponds; 04-HKLM\..\Run:[BM174bcbb0]Rundll32.exe "C:\windows\system32\jtmtnaww.dll",s

if tried deleting the DLL but it just comes back with a different name.
 
hi

you have malware.

post a reference point: a hjt log:

HiJackThis log - Trend Micro HijackThis 2.0.2

http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

* Save HJTInstall.exe to your desktop.
* Doubleclick on the HJTInstall.exe icon on your desktop.
* By default it will install to C:\Program Files\Trend Micro\HijackThis .
* Click on Install.
* It will create a HijackThis icon on the desktop.
* Once installed, it will launch Hijackthis.
* Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
* Click on "Edit > Select All" then click on "Edit > Copy" and Paste the entire contents of the log in your next reply.

shelf life
 
shelf life said:
hi

you have malware.

post a reference point: a hjt log:

HiJackThis log - Trend Micro HijackThis 2.0.2

http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

* Save HJTInstall.exe to your desktop.
* Doubleclick on the HJTInstall.exe icon on your desktop.
* By default it will install to C:\Program Files\Trend Micro\HijackThis .
* Click on Install.
* It will create a HijackThis icon on the desktop.
* Once installed, it will launch Hijackthis.
* Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
* Click on "Edit > Select All" then click on "Edit > Copy" and Paste the entire contents of the log in your next reply.

shelf life
Click to expand...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:58:50 PM, on 3/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ptec/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ptec/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [BM174bcbb0] Rundll32.exe "C:\WINDOWS\system32\aatylivn.dll",s
O4 - HKLM\..\RunOnce: [EBURUN0] D:\RISEOF~2\msxmlenu.msi /Q
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\FilePlanet\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [norton32] norton32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [norton32] norton32.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [norton32] norton32.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [norton32] norton32.exe (User 'Default user')
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135525352675
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O20 - AppInit_DLLs:
O22 - SharedTaskScheduler: USB Ware - {E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D} - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: WUSB54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 6731 bytes
 
hi evirus,

before using hjt please disable spybots tea timer, when done you can re-enable it: How??:
SPYBOT TEATIMER

* Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
* On the left hand side, click on Tools, then click on the Resident Icon in the list.
* Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
* Click on the "System Startup" icon in the List
* Uncheck the "TeaTimer" box and "OK" any prompts.
* If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
* Exit Spybot S&D when done.
* (When we are done, you can re-enable Teatimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.]

-----------------------------------------
start HJT, click the "Scan" button. check the items below, close any open windows, then click "Fixed checked"

O4 - HKUS\S-1-5-18\..\Run: [norton32] norton32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [norton32] norton32.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [norton32] norton32.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [norton32] norton32.exe (User 'Default user')
----------------------------------------
next: combofix:

Download combofix from one of these links and save it to Desktop:

http://subs.geekstogo.com/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

as a precaution, before using combofix:


1. * Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
* Click on this link below to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
* Remember to re enable the protection again afterwards before connecting to the net

link:
http://www.bleepingcomputer.com/forums/topic114351.html

2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.

* IF you have not already done so Combofix will disconnect your machine from the Internet when it starts.
* If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log.

shelf life
 
Running from: D:\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\BM174bcbb0.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\Cache\setup.exe
C:\WINDOWS\system32\jlnnn.ini
C:\WINDOWS\system32\jlnnn.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mprqr.ini
C:\WINDOWS\system32\mprqr.ini2
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rqrpm.dll

----- BITS: Possible infected sites -----

hxxp://view.afzr.net
hxxp://site.com
.
((((((((((((((((((((((((( Files Created from 2008-02-18 to 2008-03-18 )))))))))))))))))))))))))))))))
.

2008-03-17 21:58 . 2008-03-17 21:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-13 17:28 . 2008-03-13 17:28 467,439 --a------ C:\ScreenShot9.jpg
2008-03-13 17:26 . 2008-03-13 17:28 <DIR> d-------- C:\Documents and Settings\main\.gimp-2.4
2008-03-13 17:24 . 2008-03-13 17:24 <DIR> d-------- C:\Program Files\GIMP-2.0
2008-03-13 09:55 . 2008-03-17 22:10 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-13 09:55 . 2008-03-13 09:55 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-22 11:09 . 2008-02-22 11:09 92 --a------ C:\WINDOWS\wininit.ini
2008-02-22 10:49 . 2008-02-22 10:31 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-22 10:49 . 2008-02-22 10:49 2,538 --a------ C:\WINDOWS\unins000.dat
2008-02-19 07:28 . 2008-02-19 07:28 <DIR> d-------- C:\Documents and Settings\main\Application Data\Sierra Entertainment
2008-02-19 07:26 . 2008-02-19 07:26 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-02-19 07:26 . 2008-02-19 07:26 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-02-19 07:25 . 2008-02-19 07:25 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-18 10:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-03-18 00:23 --------- d--h--r C:\Documents and Settings\All Users\Application Data\yahoo!
2008-03-17 23:08 --------- d-----w C:\Documents and Settings\main\Application Data\Microsoft Games
2008-03-17 22:57 --------- d-----w C:\Program Files\GameSpy Arcade
2008-03-14 17:07 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-03-14 00:18 --------- d-----w C:\Program Files\MilkShape3D Viewer OCX
2008-03-14 00:15 --------- d-----w C:\Documents and Settings\main\Application Data\Yahoo!
2008-03-13 22:28 --------- d-----w C:\Documents and Settings\main\Application Data\gtk-2.0
2008-02-22 15:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-22 15:51 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-22 13:51 --------- d-----w C:\Documents and Settings\main\Application Data\AVG7
2008-02-22 03:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-19 08:34 --------- d-----w C:\Documents and Settings\main\Application Data\IGN_DLM
2008-02-14 01:39 --------- d-----w C:\Documents and Settings\main\Application Data\Move Networks
2008-02-11 01:09 --------- d-----w C:\Documents and Settings\main\Application Data\Hewlett-Packard
2008-02-11 01:06 --------- d-----w C:\Program Files\Hewlett-Packard
2008-02-11 01:06 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-02-08 03:27 --------- d-----w C:\Program Files\GetRight
2008-02-04 15:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-02-04 13:59 --------- d-----w C:\Program Files\Microsoft.NET
2008-01-31 02:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-01-31 02:42 --------- d-----w C:\Program Files\DivX
2007-12-27 14:28 315,392 ----a-w C:\WINDOWS\HideWin.exe
2007-12-27 14:25 15,600 ----a-w C:\WINDOWS\gdrv.sys
2006-02-09 19:04 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2004-05-08 06:26 8,076,976 ----a-w C:\Program Files\winamp503_ambulance.exe
2004-02-17 21:15 340 ----a-w C:\Program Files\INSTALL.LOG
2003-12-18 17:33 20,102 ----a-w C:\Program Files\Readme.txt
2003-11-30 16:23 5,296,922 ----a-w C:\Program Files\windowblinds410_public.exe
2003-09-03 13:46 10,960 ----a-w C:\Program Files\EULA.txt
2003-09-01 18:17 64,464 ----a-w C:\Documents and Settings\main\Application Data\GDIPFONTCACHEV1.DAT
2005-05-13 22:12 217,073 --sha-r C:\WINDOWS\meta4.exe
2005-10-24 16:13 66,560 --sha-r C:\WINDOWS\MOTA113.exe
2005-10-14 02:27 422,400 --sha-r C:\WINDOWS\x2.64.exe
2005-07-14 17:31 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 20:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 03:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2004-01-25 05:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2005-12-23 01:23 816,640 --sha-r C:\WINDOWS\system32\smab.dll
2005-02-28 18:16 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
2004-01-25 05:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{57464A1A-5F04-45C8-874C-96EFDDE61B4F}]
C:\WINDOWS\system32\nnnlj.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 05:48 157592]
"igndlm.exe"="C:\Program Files\FilePlanet\Download Manager\DLM.exe" [2007-03-05 12:57 1103480]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 12:26 7700480]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-03 23:56 158208]
"BM174bcbb0"="C:\WINDOWS\system32\aatylivn.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 04:12 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-09 17:41:38 323646]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 18:11:12 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\System32\\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcdcbb]
ddcdcbb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM174bcbb0]
C:\WINDOWS\system32\jtmtnaww.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nrds]
C:\WINDOWS\SSTEM3~1\nopdb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-04-19 12:26 7700480 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-04-19 12:26 86016 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-04-19 12:26 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-10-19 20:16 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-07-15 01:07 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 13:03 36975 C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windows auto update]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"D:\\shoutcast server\\SHOUTcast\\sc_serv.exe"=
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"D:\\steam\\Steam.exe"=
"D:\\steam\\SteamApps\\evirustheslaye\\team fortress classic\\hl.exe"=
"D:\\steam\\SteamApps\\evirustheslaye\\counter-strike\\hl.exe"=
"D:\\steam\\SteamApps\\evirustheslaye\\half-life\\hl.exe"=
"C:\\Program Files\\xchat\\xchat.exe"=
"D:\\steam\\SteamApps\\evirustheslaye\\half-life 2 deathmatch\\hl2.exe"=
"D:\\steam\\SteamApps\\evirustheslaye\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Rio\\Rio Music Manager\\riomm.exe"=
"D:\\Battlefield 1942\\BF1942.exe"=
"C:\\WINDOWS\\system32\\wjview.exe"=
"C:\\Program Files\\oDC\\oDC.exe"=
"D:\\Diablo\\Diablo.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"D:\\Battlefield 2\\BF2.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"D:\\steam\\SteamApps\\evirustheslaye\\half-life 2\\hl2.exe"=
"C:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"D:\\Civ4\\Civilization4.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"D:\\Age of Empires III\\age3.exe"=
"D:\\Starcraft\\StarCraft.exe"=
"D:\\FlightGear\\bin\\Win32\\fgfs.exe"=
"D:\\Starcraft\\GundamCentury.exe"=
"D:\\Starcraft Shareware(ED)\\Starcraft.exe"=
"D:\\Space Empires IV Gold\\Se4.exe"=
"D:\\Blockland\\Blockland.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"D:\\Rise of Nations\\rise.exe"=
"D:\\Rise Of Legends Demo\\legends.exe"=
"D:\\Homeworld\\homeworld.exe"=
"D:\\A Tale in the Desert\\eclientc.exe"=
"D:\\Gunz\\GunzLauncher.exe"=
"D:\\Gunz\\Gunz.exe"=
"C:\\Program Files\\Media Player Classic\\mplayerc.exe"=
"D:\\Command and Conquer Generals\\game.dat"=
"D:\\Rise of Nations\\nations.exe"=
"D:\\steam\\SteamApps\\evirustheslaye\\source sdk base\\hl2.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"D:\\steam\\SteamApps\\evirustheslaye\\half-life blue shift\\hl.exe"=
"D:\\World of Warcraft\\Repair.exe"=
"D:\\Freeciv209\\civserver.exe"=
"D:\\WorldInConflict\\wic.exe"=
"D:\\World in Conflict - DEMO\\wic.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"D:\\steam\\SteamApps\\evirustheslaye\\team fortress 2\\hl2.exe"=
"D:\\World in Conflict\\wic.exe"=
"D:\\World in Conflict\\wic_online.exe"=
"D:\\World in Conflict\\wic_ds.exe"=
"D:\\Empire Earth III Public Demo\\EE3.exe"=
"D:\\Defcon\\defcon.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8000:TCP"= 8000:TCP:winamp

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 WUSB54Gv4SVC;WUSB54Gv4SVC;"C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe" []
R3 NVHDA;Service for NVIDIA HDMI Audio Driver;C:\WINDOWS\system32\drivers\nvhda32.sys [2007-07-16 11:38]
R3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys [2004-04-13 23:07]
S1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\OVSound2.sys [2001-08-17 15:05]
S2 BULKUSB;D-Link DMP-110 NtJCMp3.Sys MP3 USB driver;C:\WINDOWS\system32\Drivers\NtJCMp3.sys []
S2 ousbehci;OrangeWare USB Enhanced Host Controller Service;C:\WINDOWS\system32\Drivers\ousbehci.sys [2005-06-15 10:01]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2004-03-12 19:38]
S3 aaudstum;aaudstum;C:\DOCUME~1\main\LOCALS~1\Temp\aaudstum.sys []
S3 ati2mpaa;ati2mpaa;C:\WINDOWS\system32\DRIVERS\ati2mpaa.sys [2001-08-17 07:48]
S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);C:\WINDOWS\system32\drivers\ctlsb16.sys [2001-08-17 07:19]
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2007-12-27 09:25]
S3 nctlsb16;nctlsb16;C:\DOCUME~1\main\LOCALS~1\Temp\nctlsb16.sys []
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\system32\DRIVERS\NtApm.sys [2001-08-17 13:47]
S3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;C:\WINDOWS\system32\DRIVERS\ousb2hub.sys [2005-06-15 10:01]
S3 QCEmerald;Logitech QuickCam Web;C:\WINDOWS\system32\DRIVERS\OVCE.sys [2001-08-17 15:05]
S3 RIOUNIV;Rio universal USB driver;C:\WINDOWS\system32\Drivers\RIOUNIV.sys [2005-01-26 17:00]
S3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys [2004-05-07 13:47]
S3 yukonx86;NDIS5.1 Miniport Driver for Marvell Yukon Gigabit Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\yukonx86.sys [2003-12-22 17:32]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5aa446b0-5473-11d8-acbb-806d6172696f}]
\Shell\AutoRun\command - E:\AutoRunMorrowind.exe
\Shell\install\command - E:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{778bc083-b88b-11dc-a8e2-000000000000}]
\Shell\AutoRun\command - F:\autorun.exe

*Newly Created Service* - GTNDIS5

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\53339e76-8c3d-4ccd-857c-41a3de9309e0]
C:\WINDOWS\system32\dodomcc.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-01-13 00:23:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-11 01:09:08 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1202692140.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-18 08:54:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
.
**************************************************************************
.
Completion time: 2008-03-18 8:59:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-18 13:58:58
(character limit)
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:01:09 AM, on 3/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {57464A1A-5F04-45C8-874C-96EFDDE61B4F} - C:\WINDOWS\system32\nnnlj.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [BM174bcbb0] Rundll32.exe "C:\WINDOWS\system32\aatylivn.dll",s
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\FilePlanet\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135525352675
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: ddcdcbb - ddcdcbb.dll (file missing)
O22 - SharedTaskScheduler: USB Ware - {E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D} - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: WUSB54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 6872 bytes
 
hi evirus,

ok good. just for good measure lets run vundofix also:

download and run vundofix.exe:

http://www.atribune.org/ccount/click.php?id=4

* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

post the vundo log and a new hjt log please. looking better in your end now??
 
You must log in or register to reply here.
Back
Top