virtumonde and smitfraud... please help

Status
Not open for further replies.
J

jmj3000

New member
spybot keeps telling me i have smitfraud and virtumonde... i need these cleaned so my sister can use this computer for school

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:10:51 PM, on 8/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [BMef4d1a99] Rundll32.exe "C:\WINDOWS\system32\dpxdrbeu.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 3941 bytes
 
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

1) C:\Program Files\Viewpoint\Common\ViewpointService.exe
For your information, Viewpoint is installed by aol probably without your knowledge. I suggest you uninstall this resource waster in Add Remove programs.
http://www.greatis.com/appdata/u/v/viewmgr.exe.htm
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/news/article.php/3561546

2) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

3) Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here to your Desktop
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the combofix log and a new HJT log.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks
 
went to castlecops and viewed their malware removal guide when i had access to a clean computer, tried everything there, just making sure everything is gone, sorry if i end up wasting your time

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:17:43 AM, on 8/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 3923 bytes

ComboFix 08-08-21.02 - Administrator 2008-08-22 6:05:37.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.195 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\YNWXWDTG\interclick.com
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\YNWXWDTG\interclick.com\ud.sol
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\system32\begfjfou.dll
C:\WINDOWS\system32\configure.exe
C:\WINDOWS\system32\dwwnw64r.exe
C:\WINDOWS\system32\iqtpptum.ini
C:\WINDOWS\system32\jyjvovwf.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\rownw64p.exe
C:\WINDOWS\system32\wbjwctko.ini
C:\WINDOWS\winhelp.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TNIDRIVER
-------\Service_TnIDriver


((((((((((((((((((((((((( Files Created from 2008-07-22 to 2008-08-22 )))))))))))))))))))))))))))))))
.

2008-08-22 05:31 . 2008-08-22 05:50 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-22 01:31 . <DIR> C:\WINDOWS\LastGood.Tmp
2008-08-21 19:25 . 2008-08-21 19:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\TrojanHunter
2008-08-21 19:20 . 2008-08-21 19:23 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2008-08-21 19:13 . 2008-08-21 19:13 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-21 19:13 . 2008-08-21 19:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-21 19:13 . 2008-08-21 19:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-08-21 19:13 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-21 19:13 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-21 17:59 . 2008-08-21 18:03 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-08-21 04:40 . 2008-08-21 04:40 <DIR> d-------- C:\Program Files\CCleaner
2008-08-21 00:02 . 1998-02-13 14:30 143,872 --a------ C:\WINDOWS\system32\iacenc.dll
2008-08-21 00:02 . 1997-06-13 08:56 56,832 --a------ C:\WINDOWS\system32\Iyvu9_32.dll
2008-08-21 00:02 . 1997-11-06 12:53 27,648 --a------ C:\WINDOWS\system32\ir50_lcs.dll
2008-08-21 00:02 . 2008-08-21 00:02 5,952 --a------ C:\WINDOWS\system32\CDUninst.isu
2008-08-20 23:58 . 1997-08-27 09:53 391,168 --a------ C:\WINDOWS\system32\i263_32.drv
2008-08-20 23:58 . 1999-07-27 17:13 13,312 --a------ C:\WINDOWS\system32\vp3clean.exe
2008-08-20 23:57 . 2008-08-20 23:57 <DIR> d-------- C:\Program Files\Common Files\Intel Shared
2008-08-20 23:57 . 1999-07-27 17:11 795,548 --a------ C:\WINDOWS\system32\ica2.dll
2008-08-20 23:57 . 1997-04-23 16:30 119,808 --a------ C:\WINDOWS\system32\g723.acm
2008-08-20 23:57 . 1999-07-27 17:14 50,176 --a------ C:\WINDOWS\system32\_islxx.lrc
2008-08-20 23:57 . 1999-07-27 16:59 17,920 --a------ C:\WINDOWS\system32\324aud32.dll
2008-08-20 23:56 . 1997-04-08 20:08 299,520 --a------ C:\WINDOWS\uninst.exe
2008-08-20 23:53 . 1999-03-02 02:13 99,760 --a------ C:\WINDOWS\system32\MMail32.OCX
2008-08-20 23:53 . 1998-04-07 15:32 48,640 --a------ C:\WINDOWS\system32\inetwh32.dll
2008-08-20 23:50 . 1999-05-13 16:23 184,832 --a------ C:\WINDOWS\system32\icam2ext.dll
2008-08-20 23:46 . 1998-08-27 00:51 182,032 --a------ C:\WINDOWS\system32\dxtmsft3.dll
2008-08-20 23:46 . 1998-08-20 07:02 140,800 --a------ C:\WINDOWS\system32\tm20dec.ax
2008-08-20 23:46 . 1998-09-02 04:28 38,160 --a------ C:\WINDOWS\system32\LMRTREND.dll
2008-08-20 23:45 . 2008-08-20 23:45 <DIR> d-------- C:\Program Files\Intel
2008-08-20 23:45 . 1998-09-02 04:02 194,320 --a------ C:\WINDOWS\system32\qcut.dll
2008-08-20 23:45 . 1998-09-02 04:28 63,488 --a------ C:\WINDOWS\system32\unam4ie.exe
2008-08-20 23:45 . 1998-08-17 05:21 11,776 --a------ C:\WINDOWS\system32\mciqtz.drv
2008-08-20 23:45 . 1998-08-17 05:21 10,240 --a------ C:\WINDOWS\system32\vidx16.dll
2008-08-20 23:45 . 1998-08-17 05:21 5,672 --a------ C:\WINDOWS\system32\quartz.vxd
2008-08-20 23:45 . 2008-08-20 23:45 4,608 --a------ C:\WINDOWS\system32\w95inf32.dll
2008-08-20 23:45 . 2008-08-20 23:45 2,272 --a------ C:\WINDOWS\system32\w95inf16.dll
2008-08-20 23:43 . 1998-10-02 19:00 327,168 --a------ C:\WINDOWS\IsUninst.exe
2008-08-20 02:16 . 2008-08-20 02:16 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-08-20 02:09 . 2004-08-03 22:58 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2008-08-20 02:09 . 2004-08-03 22:58 5,504 --a--c--- C:\WINDOWS\system32\dllcache\mstee.sys
2008-08-20 02:07 . 2001-08-17 14:05 141,056 --a------ C:\WINDOWS\system32\drivers\Icam3.sys
2008-08-19 22:02 . 2008-08-19 22:02 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-18 14:28 . 2008-08-18 14:28 <DIR> d-------- C:\Program Files\Safer Networking
2008-08-18 10:21 . 2008-08-21 06:27 409 --a------ C:\WINDOWS\wininit.ini
2008-08-18 03:04 . 2008-08-20 17:18 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-18 03:04 . 2008-08-22 00:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-18 02:53 . 2008-08-18 02:53 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-18 02:53 . 2008-08-18 02:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-18 02:52 . 2008-08-18 02:52 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-17 05:16 . 2008-08-17 05:16 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-08-17 04:53 . 2008-08-17 04:55 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-08-17 03:41 . 2004-08-04 08:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-08-17 01:40 . 2008-08-17 01:40 9,662 --a------ C:\WINDOWS\system32\pinkip.ico
2008-08-16 21:22 . 2008-08-22 00:10 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-08-16 20:49 . 2008-08-17 14:32 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-08-16 20:49 . 2008-08-17 14:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-16 10:52 . 2008-08-16 10:52 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-16 10:52 . 2008-08-16 10:52 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-08-16 10:51 . 2008-08-16 10:51 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-16 10:51 . 2008-08-16 10:51 <DIR> d-------- C:\Program Files\AVG
2008-08-16 10:51 . 2008-08-17 03:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-16 10:51 . 2008-08-16 10:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVGTOOLBAR
2008-08-16 10:21 . 2008-08-16 10:21 153,484 --a------ C:\WINDOWS\system32\g40.exe
2008-08-16 06:03 . 2008-08-21 18:56 <DIR> d--hs---- C:\Documents and Settings\Administrator\!
2008-08-16 06:02 . 2008-08-16 06:02 <DIR> d-------- C:\WINDOWS\system32\unt
2008-08-16 06:02 . 2008-08-17 14:27 <DIR> d-------- C:\WINDOWS\system32\gps
2008-08-16 06:02 . 2008-08-17 14:27 <DIR> d-------- C:\WINDOWS\system32\fx
2008-08-16 06:02 . 2008-08-16 06:02 <DIR> d-------- C:\Temp\epr1
2008-08-16 06:02 . 2008-08-22 06:05 <DIR> d-------- C:\Temp
2008-08-16 05:59 . 2008-08-18 05:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-08-16 05:58 . 2008-08-19 19:55 <DIR> d-------- C:\Program Files\LimeWire
2008-08-16 05:02 . 2004-08-03 23:15 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2008-08-16 05:02 . 2004-08-03 23:15 82,944 --a--c--- C:\WINDOWS\system32\dllcache\wdmaud.sys
2008-08-16 05:02 . 2004-08-03 23:07 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2008-08-16 05:02 . 2004-08-03 23:07 52,864 --a--c--- C:\WINDOWS\system32\dllcache\dmusic.sys
2008-08-16 05:02 . 2004-08-03 23:07 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2008-08-16 05:02 . 2004-08-03 23:07 6,400 --a--c--- C:\WINDOWS\system32\dllcache\splitter.sys
2008-08-16 05:00 . 2008-08-16 05:00 <DIR> d-------- C:\Program Files\SigmaTel
2008-08-16 05:00 . 2008-08-16 05:00 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-08-16 05:00 . 2004-11-15 15:37 264,440 --a------ C:\WINDOWS\system32\drivers\stac97.sys
2008-08-16 05:00 . 2004-08-03 23:15 145,792 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2008-08-16 05:00 . 2004-08-03 23:15 145,792 --a--c--- C:\WINDOWS\system32\dllcache\portcls.sys
2008-08-16 05:00 . 2004-08-04 00:56 130,048 --a------ C:\WINDOWS\system32\ksproxy.ax
2008-08-16 05:00 . 2004-08-04 00:56 130,048 --a--c--- C:\WINDOWS\system32\dllcache\ksproxy.ax
2008-08-16 05:00 . 2004-07-20 10:14 102,481 --a------ C:\WINDOWS\system32\stac97.cpl
2008-08-16 05:00 . 2004-08-03 23:08 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2008-08-16 05:00 . 2004-08-03 23:08 60,288 --a--c--- C:\WINDOWS\system32\dllcache\drmk.sys
2008-08-16 05:00 . 2004-08-04 00:56 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2008-08-16 05:00 . 2004-08-04 00:56 4,096 --a--c--- C:\WINDOWS\system32\dllcache\ksuser.dll
2008-08-16 04:03 . 2008-08-16 04:49 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-16 04:03 . 2008-08-16 04:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Pogo Games
2008-08-16 03:59 . 2008-08-16 03:59 <DIR> d-------- C:\Program Files\Oberon Media
2008-08-16 03:53 . 2008-08-17 03:15 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-08-16 03:33 . 2008-08-16 03:33 <DIR> d-------- C:\WINDOWS\Sun
2008-08-16 03:32 . 2008-08-16 03:32 <DIR> d-------- C:\Program Files\Java
2008-08-16 03:32 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-16 03:31 . 2008-08-16 03:31 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-16 01:51 . 2008-08-16 01:51 0 --a------ C:\WINDOWS\nsreg.dat
2008-08-16 01:49 . 2008-08-16 01:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-08-16 01:48 . 2008-08-16 01:48 <DIR> d-------- C:\Program Files\Yahoo!
2008-08-16 01:42 . 2008-08-16 01:42 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-08-16 01:42 . 2008-08-16 03:52 <DIR> d-------- C:\Documents and Settings\Administrator\Contacts
2008-08-16 01:41 . 2008-08-16 01:41 <DIR> d-------- C:\Program Files\MSN Messenger
2008-08-16 01:34 . 2008-08-16 01:34 <DIR> d-------- C:\Program Files\Google
2008-08-16 01:31 . 2008-08-16 01:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\acccore
2008-08-16 01:30 . 2008-08-22 05:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-08-16 01:30 . 2008-08-16 01:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\acccore
2008-08-16 01:29 . 2008-08-16 01:29 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-08-16 01:29 . 2008-08-16 01:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-08-16 01:29 . 2008-08-16 01:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-08-16 01:28 . 2008-08-16 01:31 <DIR> d-------- C:\Program Files\AIM6
2008-08-16 01:28 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-08-16 01:28 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-08-16 01:28 . 2008-08-16 01:31 383 --ah----- C:\IPH.PH
2008-08-16 01:23 . 2008-08-16 03:12 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-08-16 01:23 . 2005-02-24 23:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-08-16 01:15 . 2004-02-25 16:37 155,648 --a------ C:\WINDOWS\system32\igfxres.dll
2008-08-16 01:09 . 2008-08-16 04:59 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-08-16 01:09 . 2008-08-16 01:09 <DIR> d-------- C:\Dell
2008-08-16 01:09 . 2004-07-09 16:41 983,040 --------- C:\WINDOWS\system32\BCMWLCPL.CPL
2008-08-16 01:09 . 2004-06-25 18:15 909,312 --------- C:\WINDOWS\system32\AegisE5.dll
2008-08-16 01:09 . 2004-07-09 16:41 643,072 --------- C:\WINDOWS\system32\BCMWLTRY.EXE
2008-08-16 01:09 . 2004-06-25 18:15 315,392 --------- C:\WINDOWS\system32\drivers\BCMWL5.SYS
2008-08-16 01:09 . 2004-06-25 18:15 139,264 --------- C:\WINDOWS\system32\BCMWLU00.EXE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-16 03:06 --------- d-----w C:\Program Files\microsoft frontpage
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 15:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-08-06 11:21 50472]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:54 5674352]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 02:38 34672]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I263"= I263_32.drv
"MSACM.G723"= g723.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"BMef4d1a99"=Rundll32.exe "C:\WINDOWS\system32\wphjtpkm.dll",s
"ec7e2905"=rundll32.exe "C:\WINDOWS\system32\mutpptqi.dll",b
"{E2-29-9A-AA-DW}"=C:\WINDOWS\system32\rownw64p.exe DWram03FF

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-16 10:52]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-16 10:52]
S3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys [2001-08-17 12:11]
S3 ICAM3NT5;Intel USB Video Camera III;C:\WINDOWS\system32\Drivers\Icam3.sys [2001-08-17 14:05]
S4 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-16 10:51]
.
- - - - ORPHANS REMOVED - - - -

BHO-{2E3FEB9C-41F2-4A57-9AA8-5656C0A38E94} - C:\WINDOWS\system32\comsvc.dll
HKLM-Run-avgnt - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
HKLM-Run-BMef4d1a99 - C:\WINDOWS\system32\pqnfojdn.dll
Notify-vtUklihE - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\mtdui0sr.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-22 06:10:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-08-22 6:15:58 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-08-22 10:15:52

Pre-Run: 71,732,903,424 bytes free
Post-Run: 71,677,643,264 bytes free

244 --- E O F --- 2008-08-22 05:31:53
 
Thanks for being honest and CastleCops is one of the best, I used to help there, but never seem to have the time anymore. I am seeing no malware in the HJT log? Are you having any issues? If not, you have MBAM onboard, no need to download it again, just show me a log like this:

Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file in your next reply.

If you wish to expedite matters, this will be the next step:
I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional but if you do not have the CD's needed, as is explained, it can be installed before we remove combofix.
If you do not have access to Recovery Console via a Windows CD, I strongly advise you to install this tool.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\*CF-RC.txt*.

RC1-4.gif


Since we do not need to scan with combofix, click NO

RC_whatnext.gif


RC_AllDone.gif


Thanks
 
i have the cd at home, will install the RC there... here is the MalwareBytes log

Malwarebytes' Anti-Malware 1.25
Database version: 1076
Windows 5.1.2600 Service Pack 2

2:06:21 PM 8/22/2008
mbam-log-08-22-2008 (14-06-21).txt

Scan type: Full Scan (C:\|)
Objects scanned: 42083
Time elapsed: 10 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
Remove combofix from your computer:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

CF_Cleanup.png


Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html
 
Status
Not open for further replies.
Back
Top