Virtumode still present even after reformating

Status
Not open for further replies.
I

IromK

New member
I got Virtumonde bad last week but my computer was a mess so rather than going through the tedious steps to remove it I just reformatted everything. I ran spybot on a squeaky clean computer and Virtumonde popped up.

here's my HJT log - any help VASTLY appreciated

Logfile of HijackThis v1.99.1
Scan saved at 7:51:27 PM, on 6/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
D:\Winamp\winampa.exe
C:\WINDOWS\system32\rundll32.exe
D:\Steam\Steam.exe
C:\WINDOWS\System32\svchost.exe
D:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - D:\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: (no name) - {32150D92-7BDD-4A96-B15C-364BEEA21E48} - C:\WINDOWS\system32\mlJBSKBS.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Spybot\SDHelper.dll
O2 - BHO: (no name) - {BE7E4CE1-8CBA-44A6-956F-462A667D3286} - C:\WINDOWS\system32\wvUlkLby.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - D:\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [WinampAgent] D:\Winamp\winampa.exe
O4 - HKLM\..\Run: [581896b0] rundll32.exe "C:\WINDOWS\system32\npvkhven.dll",b
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Daemon Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "D:\Spybot\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA7055] command /c del "C:\WINDOWS\system32\mlJBSKBS.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1080] cmd /c del "C:\WINDOWS\system32\mlJBSKBS.dll_old"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "D:\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Spybot\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB1899] command /c del "C:\WINDOWS\system32\mlJBSKBS.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9570] cmd /c del "C:\WINDOWS\system32\mlJBSKBS.dll_old"
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Spybot\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O20 - Winlogon Notify: wvUlkLby - C:\WINDOWS\SYSTEM32\wvUlkLby.dll
O23 - Service: Adobe Version Cue CS3 - Unknown owner - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe" -win32service (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
 
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You are infected, I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
This can be a tough infection to remove so do not expect fast or easy.

so rather than going through the tedious steps to remove it I just reformatted everything
Click to expand...
1) You still have a Vundo infection and Vundo or nothing else will last through a reformat. That process wipes the hard drive completely clean. You may want to view this information to find out just what you did:
http://spyware-free.us/tutorials/reformat/
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html
http://helpdesk.its.uiowa.edu/windows/instructions/reformat.htm

is virtumonde exploding or something? almost the entire first page is virtumonde problems.
Click to expand...
2) Considered rouge adware, it is by far the most numerous infection presently, Google for more information if you want it.

3) Your version of HJT is out of date, the instructions for the correction verion are in the directions and posted when you need them in this topic.

4) Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here to your Desktop
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the combofix log and a new HJT log <<< using the instructions below.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

5) Download Trend Micro Hijack This™ to your Desktop
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.

Thanks
 
combofix

ComboFix 08-06-20.1 - Michael 2008-06-20 20:08:38.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1431 [GMT -7:00]
Running from: C:\Documents and Settings\Michael\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM5b2ba52c.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bpcdqufs.ini
C:\WINDOWS\system32\claelsjy.ini
C:\WINDOWS\system32\dshmsgsc.ini
C:\WINDOWS\system32\GOruCfhk.ini
C:\WINDOWS\system32\GOruCfhk.ini2
C:\WINDOWS\system32\hgGxWoOf.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nevhkvpn.ini
C:\WINDOWS\system32\nnnmkHBq.dll
C:\WINDOWS\system32\qBHkmnnn.ini
C:\WINDOWS\system32\qBHkmnnn.ini2
C:\WINDOWS\system32\qoMETLfg.dll
C:\WINDOWS\system32\SBKSBJlm.ini
C:\WINDOWS\system32\SBKSBJlm.ini2
C:\WINDOWS\system32\wvUlkLby.dll
C:\WINDOWS\system32\xEOrttwa.ini
C:\WINDOWS\system32\xEOrttwa.ini2
G:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-05-21 to 2008-06-21 )))))))))))))))))))))))))))))))
.

2008-06-20 20:14 . 2008-06-20 20:14 110,419 --a------ C:\WINDOWS\BM5b2ba52c.xml
2008-06-20 20:14 . 2008-06-20 20:14 22 --a------ C:\WINDOWS\pskt.ini
2008-06-20 20:07 . 2008-06-20 20:07 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\Apple Computer
2008-06-20 20:05 . 2008-06-20 20:05 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-06-20 20:05 . 2008-06-20 20:06 <DIR> d-------- C:\Program Files\iTunes
2008-06-20 20:05 . 2008-06-20 20:05 <DIR> d-------- C:\Program Files\iPod
2008-06-20 20:04 . 2008-06-20 20:04 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-06-20 17:47 . 2008-06-20 17:47 79,872 --a------ C:\WINDOWS\system32\csgsmhsd.dll
2008-06-20 17:46 . 2008-06-20 17:46 99,328 --a------ C:\WINDOWS\system32\egspfivn.dll
2008-06-20 17:46 . 2008-06-20 17:46 90,624 --a------ C:\WINDOWS\system32\achphqad.dll
2008-06-20 16:26 . 2008-06-20 16:26 79,872 --a------ C:\WINDOWS\system32\yjslealc.dll
2008-06-20 16:23 . 2008-06-20 16:23 99,328 --a------ C:\WINDOWS\system32\wdoedsdo.dll
2008-06-20 16:23 . 2008-06-20 16:23 90,624 --a------ C:\WINDOWS\system32\fitpoadc.dll
2008-06-20 15:22 . 2008-06-20 15:22 99,328 --a------ C:\WINDOWS\system32\dsunqgbw.dll
2008-06-20 15:19 . 2008-06-20 15:19 79,872 --a------ C:\WINDOWS\system32\sfuqdcpb.dll
2008-06-20 15:16 . 2008-06-20 15:16 90,624 --a------ C:\WINDOWS\system32\nfxerlbe.dll
2008-06-19 20:07 . 2008-06-19 20:07 <DIR> d---s---- C:\Documents and Settings\Michael\UserData
2008-06-19 19:39 . 2008-06-20 16:20 613 --a------ C:\WINDOWS\wininit.ini
2008-06-19 19:09 . 2008-06-20 15:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-19 18:51 . 2008-06-19 18:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-06-19 18:41 . 2008-06-19 18:41 <DIR> d-------- C:\Program Files\Common Files\Control Panels
2008-06-19 18:37 . 2008-06-19 18:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ALM
2008-06-19 18:20 . 2008-06-19 18:20 1,160 --a------ C:\WINDOWS\mozver.dat
2008-06-19 17:53 . 2008-06-20 20:05 <DIR> d-------- C:\Program Files\Bonjour
2008-06-19 17:48 . 2008-06-19 17:48 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-06-19 14:08 . 2004-08-22 16:31 155,136 --a------ C:\WINDOWS\system32\drivers\d347bus.sys
2008-06-19 14:08 . 2004-08-22 16:31 5,248 --a------ C:\WINDOWS\system32\drivers\d347prt.sys
2008-06-19 14:07 . 2008-06-19 14:07 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-06-19 13:47 . 2008-06-19 13:47 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\DAEMON Tools
2008-06-19 13:47 . 2008-06-19 13:47 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-06-19 13:32 . 2007-02-20 16:04 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2008-06-19 13:32 . 2007-02-20 16:04 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-06-19 12:03 . 2008-06-19 12:03 <DIR> d-------- C:\Program Files\Common Files\NSV
2008-06-19 11:58 . 2008-06-19 12:04 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\Winamp
2008-06-19 00:37 . 2008-06-13 06:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-19 00:35 . 2006-10-13 03:23 163,584 -----c--- C:\WINDOWS\system32\dllcache\nwrdr.sys
2008-06-19 00:35 . 2006-10-13 05:35 142,336 -----c--- C:\WINDOWS\system32\dllcache\nwprovau.dll
2008-06-19 00:35 . 2006-10-13 05:35 65,536 -----c--- C:\WINDOWS\system32\dllcache\nwwks.dll
2008-06-18 02:20 . 2008-06-18 02:20 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\DivX
2008-06-17 15:12 . 2008-06-17 15:12 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-17 15:02 . 2007-10-25 20:36 8,454,656 -----c--- C:\WINDOWS\system32\dllcache\shell32.dll
2008-06-17 15:02 . 2006-12-19 11:16 333,824 -----c--- C:\WINDOWS\system32\dllcache\wiaservc.dll
2008-06-17 15:02 . 2006-08-14 03:34 332,928 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-06-17 15:02 . 2006-08-16 02:37 225,664 -----c--- C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-17 15:02 . 2006-12-19 14:52 134,656 -----c--- C:\WINDOWS\system32\dllcache\shsvcs.dll
2008-06-17 15:02 . 2006-08-16 04:58 100,352 -----c--- C:\WINDOWS\system32\dllcache\6to4svc.dll
2008-06-17 15:01 . 2008-03-19 02:47 1,845,248 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-06-17 15:01 . 2006-12-14 06:45 981,760 -----c--- C:\WINDOWS\system32\dllcache\mfc42u.dll
2008-06-17 15:01 . 2007-03-08 08:36 577,536 -----c--- C:\WINDOWS\system32\dllcache\user32.dll
2008-06-17 15:01 . 2007-10-30 10:20 360,064 -----c--- C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-17 15:01 . 2007-02-05 13:17 185,344 -----c--- C:\WINDOWS\system32\dllcache\upnphost.dll
2008-06-17 15:01 . 2006-06-22 03:47 181,248 -----c--- C:\WINDOWS\system32\dllcache\rasmans.dll
2008-06-17 15:01 . 2007-12-18 02:51 179,584 -----c--- C:\WINDOWS\system32\dllcache\mrxdav.sys
2008-06-17 15:01 . 2006-05-19 05:59 111,616 -----c--- C:\WINDOWS\system32\dllcache\dhcpcsvc.dll
2008-06-17 15:01 . 2007-03-08 08:36 40,960 -----c--- C:\WINDOWS\system32\dllcache\mf3216.dll
2008-06-17 14:59 . 2007-07-09 06:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-06-17 14:58 . 2006-05-05 02:41 453,120 -----c--- C:\WINDOWS\system32\dllcache\mrxsmb.sys
2008-06-17 14:58 . 2008-02-19 23:51 282,624 -----c--- C:\WINDOWS\system32\dllcache\gdi32.dll
2008-06-17 14:58 . 2006-05-05 02:47 174,592 -----c--- C:\WINDOWS\system32\dllcache\rdbss.sys
2008-06-17 13:50 . 2008-06-17 13:50 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-06-17 13:50 . 2008-06-17 13:50 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-06-17 13:47 . 2008-06-17 13:48 <DIR> d-------- C:\WINDOWS\system32\RTCOM
2008-06-17 13:47 . 2008-06-17 13:47 <DIR> d-------- C:\Program Files\Realtek
2008-06-17 07:08 . 2008-06-17 07:08 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-06-17 06:45 . 2008-06-17 06:45 <DIR> d-------- C:\Program Files\QuickTime
2008-06-17 06:45 . 2008-06-17 06:45 <DIR> d-------- C:\Program Files\Apple Software Update
2008-06-17 06:45 . 2008-06-20 20:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-17 06:45 . 2008-06-17 06:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-06-17 06:31 . 2008-06-17 06:31 <DIR> d-------- C:\Program Files\uTorrent
2008-06-17 06:31 . 2008-06-20 18:00 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\uTorrent
2008-06-17 06:13 . 2008-06-19 11:59 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2008-06-17 06:11 . 2008-06-17 06:11 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-06-17 06:10 . 2004-08-04 00:56 2,897,920 --a------ C:\WINDOWS\system32\xpsp2res.dll
2008-06-17 06:10 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002238_.tmp
2008-06-17 06:09 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-06-17 06:08 . 2008-06-17 06:08 <DIR> d-------- C:\WINDOWS\EHome
2008-06-17 05:42 . 2008-06-17 05:42 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-06-17 05:26 . 2008-06-17 05:26 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\Talkback
2008-06-17 05:26 . 2008-06-17 05:26 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-17 04:48 . 2008-06-17 04:48 <DIR> d-------- C:\Program Files\Western Digital
2008-06-17 04:48 . 2008-06-19 18:45 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-06-17 04:48 . 2008-06-17 04:48 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\AdobeUM
2008-06-17 04:47 . 2008-06-17 04:47 <DIR> d-------- C:\apps
2008-06-17 04:46 . 2008-06-17 04:46 <DIR> d-------- C:\WINDOWS\Cache
2008-06-17 04:36 . 2008-06-17 04:36 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2008-06-17 04:29 . 2008-06-17 04:29 <DIR> d-------- C:\WINDOWS\vnDrvBas
2008-06-17 04:29 . 2005-11-17 15:46 337,320 -ra------ C:\WINDOWS\system32\difxapi.dll
2008-06-17 04:29 . 2006-10-27 16:26 69,632 -ra------ C:\WINDOWS\system32\vuins32.dll
2008-06-17 04:29 . 2007-04-17 11:58 42,496 -ra------ C:\WINDOWS\system32\drivers\fetnd5bv.sys
2008-06-17 04:17 . 2008-06-17 04:17 <DIR> d-------- C:\WINDOWS\system32\EVGA
2008-06-17 04:17 . 2008-06-17 13:47 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-06-17 04:17 . 2007-05-11 06:03 8,429,568 --a------ C:\WINDOWS\system32\nvcpl.dll
2008-06-17 04:17 . 2007-05-11 06:03 6,738,432 --a------ C:\WINDOWS\system32\drivers\nv4_mini.sys
2008-06-17 04:17 . 2007-05-11 06:03 6,221,824 --a------ C:\WINDOWS\system32\nvdisps.dll
2008-06-17 04:17 . 2007-05-11 06:03 5,439,488 --a------ C:\WINDOWS\system32\nvdispsr.dll
2008-06-17 04:17 . 2007-05-11 06:03 5,421,312 --a------ C:\WINDOWS\system32\nv4_disp.dll
2008-06-17 04:17 . 2007-05-11 06:03 3,284,992 --a------ C:\WINDOWS\system32\nvgames.dll
2008-06-17 04:17 . 2007-05-11 06:03 3,231,744 --a------ C:\WINDOWS\system32\nvgamesr.dll
2008-06-17 04:17 . 2007-05-11 06:03 352,256 --a------ C:\WINDOWS\system32\nvapi.dll
2008-06-17 04:17 . 2007-05-11 06:03 37,888 --a------ C:\WINDOWS\system32\nvcodins.dll
2008-06-17 04:17 . 2007-05-11 06:03 37,888 --a------ C:\WINDOWS\system32\nvcod.dll
2008-05-30 10:22 . 2008-05-30 10:22 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-30 10:22 . 2008-05-30 10:22 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-05-30 10:22 . 2008-05-30 10:22 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-05-30 10:19 . 2008-05-30 10:19 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-05-30 10:19 . 2008-05-30 10:19 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-05-27 10:50 . 2008-05-27 10:50 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-05-27 10:50 . 2008-05-27 10:50 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-17 20:47 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-06-17 11:48 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-17 10:22 --------- d-----w C:\Program Files\microsoft frontpage
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-03 01:10 4,752,384 ----a-w C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-05-30 17:22 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-05-30 17:22 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-05-30 17:22 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-05-28 21:52 16,862,720 ----a-w C:\WINDOWS\RTHDCPL.exe
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-02 16:27 1,196,032 ----a-w C:\WINDOWS\RtlUpd.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C30244B-302D-4506-AF63-FEE045C9B739}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{21A65F88-A8F7-4A6C-BA7C-E4E1339629B4}]
C:\WINDOWS\system32\awttrOEx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{32150D92-7BDD-4A96-B15C-364BEEA21E48}]
C:\WINDOWS\system32\mlJBSKBS.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7DE5EED5-078A-42F1-A8D4-65DA2CCC696C}]
C:\WINDOWS\system32\khfCurOG.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE7E4CE1-8CBA-44A6-956F-462A667D3286}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="D:\Steam\Steam.exe" [2008-06-17 13:58 1271032]
"SpybotSD TeaTimer"="D:\Spybot\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2007-05-11 06:03 8429568]
"nwiz"="nwiz.exe" [2007-05-11 06:03 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2007-05-11 06:03 81920]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-28 14:52 16862720 C:\WINDOWS\RTHDCPL.exe]
"WinampAgent"="D:\Winamp\winampa.exe" [2008-04-01 11:49 36352]
"DAEMON Tools-1033"="D:\Daemon Tools\daemon.exe" [2004-08-22 17:05 81920]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 16:40 1884160]
"581896b0"="C:\WINDOWS\system32\csgsmhsd.dll" [2008-06-20 17:47 79872]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 11:13 267048]
"BM5b2ba52c"="C:\WINDOWS\system32\achphqad.dll" [2008-06-20 17:46 90624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUlkLby]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"D:\\Steam\\steamapps\\jaltimier@fuse.net\\team fortress 2\\hl2.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2007-04-17 11:58]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-20 20:14:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\BM5b2ba52c.xml 110419 bytes
C:\WINDOWS\system32\dshmsgsc.ini 294 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-06-20 20:18:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-21 03:17:48

Pre-Run: 12,227,121,152 bytes free
Post-Run: 12,550,533,120 bytes free

227 --- E O F --- 2008-06-20 21:40:33


HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:20:15 PM, on 6/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
D:\Winamp\winampa.exe
D:\Daemon Tools\daemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {21A65F88-A8F7-4A6C-BA7C-E4E1339629B4} - C:\WINDOWS\system32\awttrOEx.dll (file missing)
O2 - BHO: (no name) - {32150D92-7BDD-4A96-B15C-364BEEA21E48} - C:\WINDOWS\system32\mlJBSKBS.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Spybot\SDHelper.dll
O2 - BHO: (no name) - {7DE5EED5-078A-42F1-A8D4-65DA2CCC696C} - C:\WINDOWS\system32\khfCurOG.dll (file missing)
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - D:\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [WinampAgent] D:\Winamp\winampa.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Daemon Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [581896b0] rundll32.exe "C:\WINDOWS\system32\csgsmhsd.dll",b
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BM5b2ba52c] Rundll32.exe "C:\WINDOWS\system32\achphqad.dll",s
O4 - HKCU\..\Run: [Steam] "D:\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Spybot\TeaTimer.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Spybot\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 4455 bytes
 
Thanks for returning your information, read and follow the directions carefully and in the numbered order.

1) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

2) Download ResetTeaTimer.bat to the Desktop
http://downloads.subratam.org/ResetTeaTimer.bat
Double click ResetTeaTimer.bat
to remove all entries set by TeaTimer (and preventing TeaTimer to restore them upon reactivation).

3) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

4) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

(follow the CFScript directions carefully)

Open notepad and copy/paste the text in the codebox below into it:

Code: 
File::
C:\WINDOWS\system32\csgsmhsd.dll
C:\WINDOWS\system32\achphqad.dll
C:\WINDOWS\system32\egspfivn.dll
C:\WINDOWS\system32\yjslealc.dll
C:\WINDOWS\system32\wdoedsdo.dll
C:\WINDOWS\system32\fitpoadc.dll
C:\WINDOWS\system32\dsunqgbw.dll
C:\WINDOWS\system32\sfuqdcpb.dll
C:\WINDOWS\system32\nfxerlbe.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C30244B-302D-4506-AF63-FEE045C9B739}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{21A65F88-A8F7-4A6C-BA7C-E4E1339629B4}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{32150D92-7BDD-4A96-B15C-364BEEA21E48}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7DE5EED5-078A-42F1-A8D4-65DA2CCC696C}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE7E4CE1-8CBA-44A6-956F-462A667D3286}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUlkLby]

Save this as CFScript

CFScript.gif


Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(some items may be gone, removed by CFScript)

O2 - BHO: (no name) - {21A65F88-A8F7-4A6C-BA7C-E4E1339629B4} - C:\WINDOWS\system32\awttrOEx.dll (file missing)
O2 - BHO: (no name) - {32150D92-7BDD-4A96-B15C-364BEEA21E48} - C:\WINDOWS\system32\mlJBSKBS.dll (file missing)
O2 - BHO: (no name) - {7DE5EED5-078A-42F1-A8D4-65DA2CCC696C} - C:\WINDOWS\system32\khfCurOG.dll (file missing)
O4 - HKLM\..\Run: [581896b0] rundll32.exe "C:\WINDOWS\system32\csgsmhsd.dll",b
O4 - HKLM\..\Run: [BM5b2ba52c] Rundll32.exe "C:\WINDOWS\system32\achphqad.dll",s

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post the combofix log from CFScript, a new HJT log and some feedback from you. How is the computer running now?

Thanks

I will not respond again before AM EST
 
CF

ComboFix 08-06-20.1 - Michael 2008-06-20 21:02:34.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1580 [GMT -7:00]
Running from: C:\Documents and Settings\Michael\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Michael\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\achphqad.dll
C:\WINDOWS\system32\csgsmhsd.dll
C:\WINDOWS\system32\dsunqgbw.dll
C:\WINDOWS\system32\egspfivn.dll
C:\WINDOWS\system32\fitpoadc.dll
C:\WINDOWS\system32\nfxerlbe.dll
C:\WINDOWS\system32\sfuqdcpb.dll
C:\WINDOWS\system32\wdoedsdo.dll
C:\WINDOWS\system32\yjslealc.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM5b2ba52c.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\achphqad.dll
C:\WINDOWS\system32\csgsmhsd.dll
C:\WINDOWS\system32\dsunqgbw.dll
C:\WINDOWS\system32\egspfivn.dll
C:\WINDOWS\system32\fitpoadc.dll
C:\WINDOWS\system32\nfxerlbe.dll
C:\WINDOWS\system32\sfuqdcpb.dll
C:\WINDOWS\system32\wdoedsdo.dll
C:\WINDOWS\system32\yjslealc.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-21 to 2008-06-21 )))))))))))))))))))))))))))))))
.

2008-06-20 20:20 . 2008-06-20 20:20 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-20 20:15 . 2008-06-20 20:57 474 ---hs---- C:\WINDOWS\system32\dshmsgsc.ini
2008-06-20 20:07 . 2008-06-20 20:07 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\Apple Computer
2008-06-20 20:05 . 2008-06-20 20:05 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-06-20 20:05 . 2008-06-20 20:06 <DIR> d-------- C:\Program Files\iTunes
2008-06-20 20:05 . 2008-06-20 20:05 <DIR> d-------- C:\Program Files\iPod
2008-06-20 20:04 . 2008-06-20 20:04 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-06-19 20:07 . 2008-06-19 20:07 <DIR> d---s---- C:\Documents and Settings\Michael\UserData
2008-06-19 19:39 . 2008-06-20 16:20 613 --a------ C:\WINDOWS\wininit.ini
2008-06-19 19:09 . 2008-06-20 15:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-19 18:51 . 2008-06-19 18:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-06-19 18:41 . 2008-06-19 18:41 <DIR> d-------- C:\Program Files\Common Files\Control Panels
2008-06-19 18:37 . 2008-06-19 18:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ALM
2008-06-19 18:20 . 2008-06-19 18:20 1,160 --a------ C:\WINDOWS\mozver.dat
2008-06-19 17:53 . 2008-06-20 20:05 <DIR> d-------- C:\Program Files\Bonjour
2008-06-19 17:48 . 2008-06-19 17:48 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-06-19 14:08 . 2004-08-22 16:31 155,136 --a------ C:\WINDOWS\system32\drivers\d347bus.sys
2008-06-19 14:08 . 2004-08-22 16:31 5,248 --a------ C:\WINDOWS\system32\drivers\d347prt.sys
2008-06-19 14:07 . 2008-06-19 14:07 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-06-19 13:47 . 2008-06-19 13:47 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\DAEMON Tools
2008-06-19 13:47 . 2008-06-19 13:47 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-06-19 13:32 . 2007-02-20 16:04 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2008-06-19 13:32 . 2007-02-20 16:04 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-06-19 12:03 . 2008-06-19 12:03 <DIR> d-------- C:\Program Files\Common Files\NSV
2008-06-19 11:58 . 2008-06-19 12:04 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\Winamp
2008-06-19 00:37 . 2008-06-13 06:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-19 00:35 . 2006-10-13 03:23 163,584 -----c--- C:\WINDOWS\system32\dllcache\nwrdr.sys
2008-06-19 00:35 . 2006-10-13 05:35 142,336 -----c--- C:\WINDOWS\system32\dllcache\nwprovau.dll
2008-06-19 00:35 . 2006-10-13 05:35 65,536 -----c--- C:\WINDOWS\system32\dllcache\nwwks.dll
2008-06-18 02:20 . 2008-06-18 02:20 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\DivX
2008-06-17 15:12 . 2008-06-17 15:12 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-17 15:02 . 2007-10-25 20:36 8,454,656 -----c--- C:\WINDOWS\system32\dllcache\shell32.dll
2008-06-17 15:02 . 2006-12-19 11:16 333,824 -----c--- C:\WINDOWS\system32\dllcache\wiaservc.dll
2008-06-17 15:02 . 2006-08-14 03:34 332,928 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-06-17 15:02 . 2006-08-16 02:37 225,664 -----c--- C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-17 15:02 . 2006-12-19 14:52 134,656 -----c--- C:\WINDOWS\system32\dllcache\shsvcs.dll
2008-06-17 15:02 . 2006-08-16 04:58 100,352 -----c--- C:\WINDOWS\system32\dllcache\6to4svc.dll
2008-06-17 15:01 . 2008-03-19 02:47 1,845,248 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-06-17 15:01 . 2006-12-14 06:45 981,760 -----c--- C:\WINDOWS\system32\dllcache\mfc42u.dll
2008-06-17 15:01 . 2007-03-08 08:36 577,536 -----c--- C:\WINDOWS\system32\dllcache\user32.dll
2008-06-17 15:01 . 2007-10-30 10:20 360,064 -----c--- C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-17 15:01 . 2007-02-05 13:17 185,344 -----c--- C:\WINDOWS\system32\dllcache\upnphost.dll
2008-06-17 15:01 . 2006-06-22 03:47 181,248 -----c--- C:\WINDOWS\system32\dllcache\rasmans.dll
2008-06-17 15:01 . 2007-12-18 02:51 179,584 -----c--- C:\WINDOWS\system32\dllcache\mrxdav.sys
2008-06-17 15:01 . 2006-05-19 05:59 111,616 -----c--- C:\WINDOWS\system32\dllcache\dhcpcsvc.dll
2008-06-17 15:01 . 2007-03-08 08:36 40,960 -----c--- C:\WINDOWS\system32\dllcache\mf3216.dll
2008-06-17 14:59 . 2007-07-09 06:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-06-17 14:58 . 2006-05-05 02:41 453,120 -----c--- C:\WINDOWS\system32\dllcache\mrxsmb.sys
2008-06-17 14:58 . 2008-02-19 23:51 282,624 -----c--- C:\WINDOWS\system32\dllcache\gdi32.dll
2008-06-17 14:58 . 2006-05-05 02:47 174,592 -----c--- C:\WINDOWS\system32\dllcache\rdbss.sys
2008-06-17 13:50 . 2008-06-17 13:50 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-06-17 13:50 . 2008-06-17 13:50 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-06-17 13:47 . 2008-06-17 13:48 <DIR> d-------- C:\WINDOWS\system32\RTCOM
2008-06-17 13:47 . 2008-06-17 13:47 <DIR> d-------- C:\Program Files\Realtek
2008-06-17 07:08 . 2008-06-17 07:08 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-06-17 06:45 . 2008-06-17 06:45 <DIR> d-------- C:\Program Files\QuickTime
2008-06-17 06:45 . 2008-06-17 06:45 <DIR> d-------- C:\Program Files\Apple Software Update
2008-06-17 06:45 . 2008-06-20 20:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-17 06:45 . 2008-06-17 06:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-06-17 06:31 . 2008-06-17 06:31 <DIR> d-------- C:\Program Files\uTorrent
2008-06-17 06:31 . 2008-06-20 18:00 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\uTorrent
2008-06-17 06:13 . 2008-06-19 11:59 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2008-06-17 06:11 . 2008-06-17 06:11 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-06-17 06:10 . 2004-08-04 00:56 2,897,920 --a------ C:\WINDOWS\system32\xpsp2res.dll
2008-06-17 06:10 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002238_.tmp
2008-06-17 06:09 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-06-17 06:08 . 2008-06-17 06:08 <DIR> d-------- C:\WINDOWS\EHome
2008-06-17 05:42 . 2008-06-17 05:42 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-06-17 05:26 . 2008-06-17 05:26 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\Talkback
2008-06-17 05:26 . 2008-06-17 05:26 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-17 04:48 . 2008-06-17 04:48 <DIR> d-------- C:\Program Files\Western Digital
2008-06-17 04:48 . 2008-06-19 18:45 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-06-17 04:48 . 2008-06-17 04:48 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\AdobeUM
2008-06-17 04:47 . 2008-06-17 04:47 <DIR> d-------- C:\apps
2008-06-17 04:46 . 2008-06-17 04:46 <DIR> d-------- C:\WINDOWS\Cache
2008-06-17 04:36 . 2008-06-17 04:36 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2008-06-17 04:29 . 2008-06-17 04:29 <DIR> d-------- C:\WINDOWS\vnDrvBas
2008-06-17 04:29 . 2005-11-17 15:46 337,320 -ra------ C:\WINDOWS\system32\difxapi.dll
2008-06-17 04:29 . 2006-10-27 16:26 69,632 -ra------ C:\WINDOWS\system32\vuins32.dll
2008-06-17 04:29 . 2007-04-17 11:58 42,496 -ra------ C:\WINDOWS\system32\drivers\fetnd5bv.sys
2008-06-17 04:17 . 2008-06-17 04:17 <DIR> d-------- C:\WINDOWS\system32\EVGA
2008-06-17 04:17 . 2008-06-17 13:47 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-06-17 04:17 . 2007-05-11 06:03 8,429,568 --a------ C:\WINDOWS\system32\nvcpl.dll
2008-06-17 04:17 . 2007-05-11 06:03 6,738,432 --a------ C:\WINDOWS\system32\drivers\nv4_mini.sys
2008-06-17 04:17 . 2007-05-11 06:03 6,221,824 --a------ C:\WINDOWS\system32\nvdisps.dll
2008-06-17 04:17 . 2007-05-11 06:03 5,439,488 --a------ C:\WINDOWS\system32\nvdispsr.dll
2008-06-17 04:17 . 2007-05-11 06:03 5,421,312 --a------ C:\WINDOWS\system32\nv4_disp.dll
2008-06-17 04:17 . 2007-05-11 06:03 3,284,992 --a------ C:\WINDOWS\system32\nvgames.dll
2008-06-17 04:17 . 2007-05-11 06:03 3,231,744 --a------ C:\WINDOWS\system32\nvgamesr.dll
2008-06-17 04:17 . 2007-05-11 06:03 352,256 --a------ C:\WINDOWS\system32\nvapi.dll
2008-06-17 04:17 . 2007-05-11 06:03 37,888 --a------ C:\WINDOWS\system32\nvcodins.dll
2008-06-17 04:17 . 2007-05-11 06:03 37,888 --a------ C:\WINDOWS\system32\nvcod.dll
2008-05-30 10:22 . 2008-05-30 10:22 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-30 10:22 . 2008-05-30 10:22 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-05-30 10:22 . 2008-05-30 10:22 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-05-30 10:19 . 2008-05-30 10:19 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-05-30 10:19 . 2008-05-30 10:19 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-05-27 10:50 . 2008-05-27 10:50 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-05-27 10:50 . 2008-05-27 10:50 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-17 20:47 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-06-17 11:48 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-17 10:22 --------- d-----w C:\Program Files\microsoft frontpage
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-03 01:10 4,752,384 ----a-w C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-05-30 17:22 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-05-30 17:22 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-05-30 17:22 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-05-28 21:52 16,862,720 ----a-w C:\WINDOWS\RTHDCPL.exe
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-02 16:27 1,196,032 ----a-w C:\WINDOWS\RtlUpd.exe
.

((((((((((((((((((((((((((((( snapshot@2008-06-20_20.17.39.43 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-21 03:13:02 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-21 04:05:23 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="D:\Steam\Steam.exe" [2008-06-17 13:58 1271032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2007-05-11 06:03 8429568]
"nwiz"="nwiz.exe" [2007-05-11 06:03 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2007-05-11 06:03 81920]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-28 14:52 16862720 C:\WINDOWS\RTHDCPL.exe]
"WinampAgent"="D:\Winamp\winampa.exe" [2008-04-01 11:49 36352]
"DAEMON Tools-1033"="D:\Daemon Tools\daemon.exe" [2004-08-22 17:05 81920]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 16:40 1884160]
"581896b0"="C:\WINDOWS\system32\csgsmhsd.dll" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 11:13 267048]
"BM5b2ba52c"="C:\WINDOWS\system32\achphqad.dll" [ ]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"D:\\Steam\\steamapps\\jaltimier@fuse.net\\team fortress 2\\hl2.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2007-04-17 11:58]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-20 21:06:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-06-20 21:10:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-21 04:10:37
ComboFix2.txt 2008-06-21 03:18:07

Pre-Run: 12,511,997,952 bytes free
Post-Run: 12,511,514,624 bytes free

213 --- E O F --- 2008-06-20 21:40:33


HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:22:11 PM, on 6/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
D:\Winamp\winampa.exe
D:\Daemon Tools\daemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
D:\Steam\Steam.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Spybot\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Spybot\SDHelper.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - D:\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [WinampAgent] D:\Winamp\winampa.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Daemon Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Steam] "D:\Steam\Steam.exe" -silent
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Spybot\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 3838 bytes

spybot says I'm free of Vundo

might I ask how exactly you were able to determine the malicious bits of software? I greatly appreciate the help, my friend.
 
Thanks for returning your information, before I look at your HJT log, you asked:
might I ask how exactly you were able to determine the malicious bits of software? I greatly appreciate the help, my friend.
Click to expand...
We do have tools created mostly by the malware community (like combofix) but much comes from the fact I have spent a lot of time in the last ten years learning how to identify malware.

D:\Steam\Steam.exe <<< just to be sure, this looks strange the way it is installed, can you assure me it is a valid, safe program?

Before we can move on, we have this bridge to cross:
I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional but if you do not have the CD's needed, as is explained, it can be installed before we remove combofix.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\*CF-RC.txt*.

Since we do not need to scan with combofix, click NO

RC_whatnext.gif


RC_AllDone.gif


Thanks...Phil
 
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.
 
Status
Not open for further replies.
Back
Top