Virtumonde and Virtumonde.prx

Status
Not open for further replies.
F

flyingdodo

New member
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:58:52 PM, on 1/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\alex\Desktop\HijackThis.exe
C:\WINDOWS\system32\rundll32.exe

O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [D-Link Air Utility] "C:\Program Files\D-Link\Air Utility\AirCFG.exe"
O4 - HKLM\..\Run: [ANIWZCSService] "C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [TV Card Remote Control Device Monitor] C:\WINDOWS\713xRMTMon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CTEMON.EXE] "" /h
O4 - HKLM\..\Run: [20a8ad6c] rundll32.exe "C:\WINDOWS\system32\pfhtfoev.dll",b
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Access\iesmn.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176159561968
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O20 - AppInit_DLLs: yvasre.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Turbine Message Service - Soundtrack (SoundtrackTurbineMessageService) - Unknown owner - C:\Program Files\Turbine\Turbine Download Manager - Soundtrack\TurbineMessageService.exe (file missing)
O23 - Service: Turbine Network Service - Soundtrack (SoundtrackTurbineNetworkService) - Unknown owner - C:\Program Files\Turbine\Turbine Download Manager - Soundtrack\TurbineNetworkService.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 5804 bytes

thanks
 
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

I apologize for the wait, volunteers are swamped at all forums with infected computers. If you have resolved your issues, please post to let me know so I can close this topic.

If you still need help, and you have read and followed the "Before you Post" directions, post a new HJT log since it has been five days, and I will take a look, please describe any recent symptoms

Thanks
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:42:53 PM, on 1/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\alex\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [D-Link Air Utility] "C:\Program Files\D-Link\Air Utility\AirCFG.exe"
O4 - HKLM\..\Run: [ANIWZCSService] "C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [TV Card Remote Control Device Monitor] C:\WINDOWS\713xRMTMon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CTEMON.EXE] "" /h
O4 - HKLM\..\Run: [20a8ad6c] rundll32.exe "C:\WINDOWS\system32\fmunpirl.dll",b
O4 - HKLM\..\RunOnce: [SpybotDeletingA6195] command /c del "C:\WINDOWS\system32\pfhtfoev.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2674] cmd /c del "C:\WINDOWS\system32\pfhtfoev.dll_old"
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\RunOnce: [SpybotDeletingB1750] command /c del "C:\WINDOWS\system32\pfhtfoev.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7141] cmd /c del "C:\WINDOWS\system32\pfhtfoev.dll_old"
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Access\iesmn.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176159561968
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O20 - AppInit_DLLs: vdfukl.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Turbine Message Service - Soundtrack (SoundtrackTurbineMessageService) - Unknown owner - C:\Program Files\Turbine\Turbine Download Manager - Soundtrack\TurbineMessageService.exe (file missing)
O23 - Service: Turbine Network Service - Soundtrack (SoundtrackTurbineNetworkService) - Unknown owner - C:\Program Files\Turbine\Turbine Download Manager - Soundtrack\TurbineNetworkService.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6239 bytes

symptoms are random popups while browsing the web, including yahoo finance, auto sales, random search engines, and many of these list the area that i live in/near. also several of them fail to load and looking at the url it's the same domain each time one fails to load.
Sometimes when i close all firefox windows the process will remain running in the task manager and continue to spit out popups, although there is never more than one popup at a time and usualy a 2-3 minute interval between them
 
If you still need help, and you have read and followed the "Before you Post"
Click to expand...

1) Instructions for locating HJT correctly.
Download Trend Micro Hijack This™ to your Desktop
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:50:03 AM, on 1/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [D-Link Air Utility] "C:\Program Files\D-Link\Air Utility\AirCFG.exe"
O4 - HKLM\..\Run: [ANIWZCSService] "C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [TV Card Remote Control Device Monitor] C:\WINDOWS\713xRMTMon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CTEMON.EXE] "" /h
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Access\iesmn.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176159561968
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O20 - AppInit_DLLs: vdfukl.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Turbine Message Service - Soundtrack (SoundtrackTurbineMessageService) - Unknown owner - C:\Program Files\Turbine\Turbine Download Manager - Soundtrack\TurbineMessageService.exe (file missing)
O23 - Service: Turbine Network Service - Soundtrack (SoundtrackTurbineNetworkService) - Unknown owner - C:\Program Files\Turbine\Turbine Download Manager - Soundtrack\TurbineNetworkService.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 5695 bytes

just for personal clarification purpose, is the link you provided in post #3 any different from the one provided in the "before you post" page?
 
just for personal clarification purpose, is the link you provided in post #3 any different from the one provided in the "before you post" page?
Click to expand...
OK...just to clarify, since we are going to be working on your computer and it is essential we are carefull, post #3 was your post, I did not post anything in post#3. If you want to know if these links:
http://forums.spybot.info/showthread.php?t=288
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
with these instructions:
Save HJTInstall.exe to your desktop.
Doubleclick on the HJTInstall.exe icon on your desktop.
By default it will install to C:\Program Files\Trend Micro\HijackThis
Click to expand...
will, install HJT.exe here:
C:\Documents and Settings\alex\Desktop\HijackThis.exe
No, they will not, the .exe running from the Desktop has no folder to store backups they may be needed in an emergency. As a result, I have seen those backups get deleted off the Desktop. This link I provided is one of the three provided in "Before you Post".
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
That is a self-installer and I provide it when it appears a member is having difficulty locating HJT safely.

1) Please DO NOT ENABLE Spybot S&D TeaTimer while we work together.

2) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

3) Post also an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

Thanks
 
Last edited:
ComboFix 09-01-13.03 - alex 2009-01-13 16:37:12.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.523 [GMT -5:00]
Running from: c:\documents and settings\alex\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point
.
ADS - system32: deleted 12 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\GetModule
c:\windows\system32\bbjlrlub.ini
c:\windows\system32\bdkdrktb.dll
c:\windows\system32\blpubrwd.dll
c:\windows\system32\cjcivirl.ini
c:\windows\system32\dgdmjrjn.ini
c:\windows\system32\dumphive.exe
c:\windows\system32\ecdixysa.dll
c:\windows\system32\eKRAcfii.ini
c:\windows\system32\eKRAcfii.ini2
c:\windows\system32\ephywnwj.ini
c:\windows\system32\ffrugsqw.ini
c:\windows\system32\ictmrkts.ini
c:\windows\system32\iifcARKe.dll
c:\windows\system32\imscjxss.ini
c:\windows\system32\isjxdrec.ini
c:\windows\system32\jukkwkkr.dll
c:\windows\system32\lalrdykf.dll
c:\windows\system32\lripnumf.ini
c:\windows\system32\lxyrvwel.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\nbhhuspp.ini
c:\windows\system32\nvthrj.dll
c:\windows\system32\odgpljss.ini
c:\windows\system32\ovalldpv.ini
c:\windows\system32\phigfqqf.ini
c:\windows\system32\ppsuhhbn.dll
c:\windows\system32\Process.exe
c:\windows\system32\pthreadGC2.dll
c:\windows\system32\rnsoconh.ini
c:\windows\system32\rodxnkii.ini
c:\windows\system32\rqcqga.dll
c:\windows\system32\rthlnyuv.ini
c:\windows\system32\ruacejjt.ini
c:\windows\system32\shmrhg.dll
c:\windows\system32\slcanigd.ini
c:\windows\system32\slcebg.dll
c:\windows\system32\SrchSTS.exe
c:\windows\system32\TDSSlrvd.dat
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSnmxh.dll
c:\windows\system32\TDSSorvd.dat
c:\windows\system32\tgbuarya.ini
c:\windows\system32\tmp.reg
c:\windows\system32\txyuqrbg.ini
c:\windows\system32\uaqegnbn.ini
c:\windows\system32\VCCLSID.exe
c:\windows\system32\vdfukl.dll
c:\windows\system32\veofthfp.ini
c:\windows\system32\wunjjdel.dll
c:\windows\system32\wuqivt.dll
c:\windows\system32\wvojtgbb.dll
c:\windows\system32\zonuda.dll
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-12-13 to 2009-01-13 )))))))))))))))))))))))))))))))
.

2009-01-13 08:49 . 2009-01-13 08:49 <DIR> d-------- c:\program files\Trend Micro
2009-01-12 16:43 . 2009-01-12 16:44 <DIR> d-------- c:\windows\83F12F73D52E40C093B1463C311C4E17.TMP
2009-01-02 00:50 . 2007-06-19 23:35 24,096 --a------ c:\windows\system32\drivers\ts_lb.sys
2009-01-02 00:49 . 2009-01-12 22:13 <DIR> d-------- c:\program files\CommView
2009-01-02 00:49 . 2008-06-06 12:54 47,144 --a------ c:\windows\system32\tsnotify.dll
2009-01-02 00:49 . 2008-06-06 12:54 39,976 --a------ c:\windows\system32\drivers\tscomm.sys
2009-01-02 00:49 . 2006-12-07 22:04 19,240 --a------ c:\windows\system32\drivers\cv2k1.sys
2008-12-27 16:55 . 2008-04-13 14:39 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2008-12-27 16:55 . 2008-04-13 14:39 14,592 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
2008-12-21 22:48 . 2008-12-21 22:48 41,842 --a------ c:\windows\system32\iifcAPjJ.dll
2008-12-20 15:39 . 2008-12-22 18:54 <DIR> d-------- c:\documents and settings\alex\VASSAL
2008-12-14 16:07 . 2008-12-14 16:08 <DIR> d-------- c:\program files\MilkShape 3D 1.8.4
2008-12-14 16:07 . 2008-12-14 16:12 <DIR> d-------- c:\documents and settings\alex\Application Data\MilkShape 3D 1.x.x
2008-12-14 00:42 . 2008-12-14 00:42 <DIR> d-------- c:\documents and settings\alex\.idlerc
2008-12-14 00:39 . 2008-12-14 00:39 <DIR> d-------- c:\program files\Blender Foundation
2008-12-14 00:39 . 2008-12-14 00:39 <DIR> d-------- c:\documents and settings\alex\Application Data\Blender Foundation
2008-12-14 00:37 . 2008-12-14 00:38 <DIR> d-------- C:\Python30
2008-12-13 20:03 . 2008-12-13 20:03 <DIR> dr-h----- c:\documents and settings\alex\Application Data\SecuROM
2008-12-13 19:47 . 2008-12-13 19:47 <DIR> d-------- c:\program files\Electronic Arts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-13 21:42 --------- d-----w c:\program files\Symantec AntiVirus
2009-01-13 21:42 --------- d-----w c:\program files\Steam
2009-01-13 04:21 --------- d-----w c:\program files\World of Warcraft
2009-01-13 04:20 --------- d-----w c:\documents and settings\alex\Application Data\Azureus
2009-01-13 02:48 --------- d-----w c:\documents and settings\alex\Application Data\Microsoft Games
2008-12-31 23:15 --------- d-----w c:\program files\Apple Software Update
2008-12-31 23:14 --------- d-----w c:\program files\Common Files\Apple
2008-12-07 06:51 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-12-06 03:43 --------- d-----w c:\program files\ffdshow
2008-12-06 03:37 --------- d-----w c:\program files\QuickTime
2008-12-06 03:14 --------- d-----w c:\program files\GSpot
2008-12-03 20:37 --------- d-----w c:\program files\Azureus
2008-12-03 06:53 --------- d-----w c:\program files\Common Files\INCA Shared
2008-11-28 20:52 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-26 21:21 --------- d-----w c:\program files\Java
2008-11-26 21:05 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-23 23:04 --------- d-----w c:\documents and settings\alex\Application Data\OpenOffice.org
2008-11-23 23:01 --------- d-----w c:\program files\OpenOffice.org 3
2008-11-23 23:01 --------- d-----w c:\program files\JRE
2008-11-13 22:21 --------- d-----w c:\documents and settings\alex\Application Data\U3
2008-11-28 04:52 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-11-28 04:52 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-11-28 04:52 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-11-28 04:52 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-11-28 04:52 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2008-10-07 1410296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-08-18 120640]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"D-Link Air Utility"="c:\program files\D-Link\Air Utility\AirCFG.exe" [2003-09-03 3358720]
"ANIWZCSService"="c:\program files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe" [2003-08-21 32768]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"CTSysVol"="c:\program files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"TV Card Remote Control Device Monitor"="c:\windows\713xRMTMon.exe" [2006-10-11 352256]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-06-11 153136]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-26 136600]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wuqivt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\iifcARKe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\griss_vigaskald\\half-life\\hl.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Steam\\steamapps\\q74jb83\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\q74jb83\\age of chivalry\\hl2.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"38293:UDP"= 38293:UDP:Symantec - Intel PDS listening for Ping Packets
"2967:UDP"= 2967:UDP:Symantec - RTVScan request to Winsock
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 ts_lb;ts_lb;c:\windows\system32\drivers\ts_lb.sys [2009-01-02 24096]
R3 TSCOMM;CommStudio Virtual Adapter by TamoSoft;c:\windows\system32\drivers\tscomm.sys [2009-01-02 39976]
R4 713xTVCard;SAA7130 TV Card;c:\windows\system32\drivers\SAA713x.sys [2007-06-30 279552]
R4 WDMTVTuner;Universal WDM TV Tuner;c:\windows\system32\drivers\WDMTuner.sys [2007-06-30 25984]
S3 CV2K1;CommView Network Monitor;c:\windows\system32\drivers\cv2k1.sys [2009-01-02 19240]
S3 PRISM;D-Link Air Wireless Prism3 Adapter Driver;c:\windows\system32\drivers\PRISMNDS.sys [2003-07-17 652288]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-08-18 153416]
S3 scrcap;scrcap;c:\windows\system32\DRIVERS\scrcap.sys --> c:\windows\system32\DRIVERS\scrcap.sys [?]
S3 SoundtrackTurbineMessageService;Turbine Message Service - Soundtrack;"c:\program files\Turbine\Turbine Download Manager - Soundtrack\TurbineMessageService.exe" --> c:\program files\Turbine\Turbine Download Manager - Soundtrack\TurbineMessageService.exe [?]
S3 SoundtrackTurbineNetworkService;Turbine Network Service - Soundtrack;"c:\program files\Turbine\Turbine Download Manager - Soundtrack\TurbineNetworkService.exe" --> c:\program files\Turbine\Turbine Download Manager - Soundtrack\TurbineNetworkService.exe [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a22c6538-4c86-11dd-bfcf-000f3df76767}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bc01bec3-e6bd-11db-8ef8-806d6172696f}]
\Shell\AutoRun\command - E:\Autorun.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{35785007-86A0-4FA0-93D5-EC4926967624} - c:\windows\system32\iifcARKe.dll
BHO-{dbc673a7-1377-4ca6-905d-478852c364b7} - c:\windows\system32\wuqivt.dll
HKLM-Run-Cmaudio - cmicnfg.cpl
Notify-fccdcBSi - fccdcBSi.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: free.aol.com
FF - ProfilePath - c:\documents and settings\alex\Application Data\Mozilla\Firefox\Profiles\nqz7o6y6.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-13 16:42:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
TV Card Remote Control Device Monitor = c:\windows\713xRMTMon.exe????w??????????T?a??B??x????????w??????????????x???????????x???????????????????????????????????x??? ????B??????????T?a?x???m?a?x??????????????|?B???w???????????????w???????????????????????????????????w??h????????????w??(????w????A????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\wdfmgr.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
.
**************************************************************************
.
Completion time: 2009-01-13 16:46:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-13 21:46:46

Pre-Run: 20,142,669,824 bytes free
Post-Run: 20,053,086,208 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

247 --- E O F --- 2008-11-26 21:19:59


*******************
*****uninstall list*****
*******************

AbcNavigator 2.0
AC3Filter (remove only)
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Reader 8
Adobe Shockwave Player
Age of Chivalry
Air Utility
ANIO Service
ANIWZCS Service
AOL Instant Messenger
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Azureus Vuze
Battlefield 2(TM)
Blender (remove only)
C-Media WDM Audio Driver
CommView
Counter-Strike
Creative MediaSource
Creative System Information
Dark Messiah Might and Magic Single Player
Dawn of War Gold: Winter Assault
Day of Defeat: Source
DVD Decrypter (Remove Only)
DVD Shrink 3.2
EPSON Photo Print
EPSON Smart Panel
EPSON TWAIN 5
ffdshow [rev 2033] [2008-07-05]
FLV Player 2.0, build 24
GameSpy Arcade
Google SketchUp 6
Google SketchUp 6
GSpot Codec Information Appliance
Half-Life
Half-Life: Blue Shift
HijackThis 2.0.2
honestech TVR
Hotfix for Windows XP (KB952287)
iTunes
Java(TM) 6 Update 10
Java(TM) 6 Update 2
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
Lexmark Z600 Series
LiveUpdate 2.0 (Symantec Corporation)
Matrix Code Emulator 1.50
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft Visual C++ 2005 Redistributable
MilkShape 3D 1.8.4
Mount&Blade
Mozilla Firefox (2.0.0.18)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
MSXML4 Parser
Nero 7 Essentials
neroxml
OpenOffice.org 3.0
Opposing Force
Paint.NET v3.36
Python 3.0
QuickTime
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
SiS 900 PCI Fast Ethernet Adapter Driver
SiSAGP driver
Sound Blaster Live! 24-bit
Spybot - Search & Destroy
Steam
Symantec AntiVirus
TI Connect 1.6
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
VC 9.0 Runtime
Ventrilo Client
Videora iPod Converter 0.91
Windows Imaging Component
Windows Live Messenger
Windows Media Format Runtime
Windows Presentation Foundation
Windows XP Service Pack 3
WinRAR archiver
World of Warcraft
XviD MPEG-4 Video Codec


**********************
****new hijack this log****
**********************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:55 PM, on 1/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [D-Link Air Utility] "C:\Program Files\D-Link\Air Utility\AirCFG.exe"
O4 - HKLM\..\Run: [ANIWZCSService] "C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [TV Card Remote Control Device Monitor] C:\WINDOWS\713xRMTMon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176159561968
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O20 - AppInit_DLLs: wuqivt.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Turbine Message Service - Soundtrack (SoundtrackTurbineMessageService) - Unknown owner - C:\Program Files\Turbine\Turbine Download Manager - Soundtrack\TurbineMessageService.exe (file missing)
O23 - Service: Turbine Network Service - Soundtrack (SoundtrackTurbineNetworkService) - Unknown owner - C:\Program Files\Turbine\Turbine Download Manager - Soundtrack\TurbineNetworkService.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6127 bytes
 
Thanks for returning your information, proceed carefully and in the numbered order.

1) Azureus <<< p2p programs must be uninstall, see this:
http://forums.spybot.info/showthread.php?t=282
If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.
Click to expand...

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

3) Open notepad and copy/paste the text in the codebox below into it:

Code: 
File::
c:\windows\system32\iifcAPjJ.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

Save this as CFScript

CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O20 - AppInit_DLLs: wuqivt.dll <<< may be gone

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

6) Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html

How is the computer running now?

Thanks


This can be done as time permits, but it is important.
Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
Hackers are using out of date programs to infect folks more and more,
Here is a small free tool that lets you know when something needs an update if you are interested:
http://secunia.com/vulnerability_scanning/personal/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

Adobe Reader 8 <<< out of date and unsafe, see this:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://www.filehippo.com/download_adobe_reader/
(if you want a smaller program, look at this one)
Foxit Reader 2.3 for Windows (make sure to uncheck toolbars)
http://www.foxitsoftware.com/pdf/rd_intro.php

Azureus Vuze <<< uninstall...P2p program

Java(TM) 6 Update 10
Java(TM) 6 Update 2
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
All out of date and unsafe, see this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Be aware of this information so you can opt out of anything you do not want.
Microsoft Does MSN Toolbar Distribution Deal With Java:
http://searchengineland.com/microsoft-does-msn-toolbar-distribution-deal-with-java-15413.php
 
ComboFix 09-01-13.03 - alex 2009-01-14 21:36:09.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.571 [GMT -5:00]
Running from: c:\documents and settings\alex\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\alex\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\iifcAPjJ.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\iifcAPjJ.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-15 to 2009-01-15 )))))))))))))))))))))))))))))))
.

2009-01-13 08:49 . 2009-01-13 08:49 <DIR> d-------- c:\program files\Trend Micro
2009-01-12 16:43 . 2009-01-12 16:44 <DIR> d-------- c:\windows\83F12F73D52E40C093B1463C311C4E17.TMP
2009-01-02 00:50 . 2007-06-19 23:35 24,096 --a------ c:\windows\system32\drivers\ts_lb.sys
2009-01-02 00:49 . 2009-01-12 22:13 <DIR> d-------- c:\program files\CommView
2009-01-02 00:49 . 2008-06-06 12:54 47,144 --a------ c:\windows\system32\tsnotify.dll
2009-01-02 00:49 . 2008-06-06 12:54 39,976 --a------ c:\windows\system32\drivers\tscomm.sys
2009-01-02 00:49 . 2006-12-07 22:04 19,240 --a------ c:\windows\system32\drivers\cv2k1.sys
2008-12-27 16:55 . 2008-04-13 14:39 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2008-12-27 16:55 . 2008-04-13 14:39 14,592 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
2008-12-20 15:39 . 2008-12-22 18:54 <DIR> d-------- c:\documents and settings\alex\VASSAL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-15 05:13 --------- d-----w c:\program files\Symantec AntiVirus
2009-01-15 05:13 --------- d-----w c:\program files\Steam
2009-01-13 04:21 --------- d-----w c:\program files\World of Warcraft
2009-01-13 04:20 --------- d-----w c:\documents and settings\alex\Application Data\Azureus
2009-01-13 02:48 --------- d-----w c:\documents and settings\alex\Application Data\Microsoft Games
2008-12-31 23:15 --------- d-----w c:\program files\Apple Software Update
2008-12-31 23:14 --------- d-----w c:\program files\Common Files\Apple
2008-12-14 21:12 --------- d-----w c:\documents and settings\alex\Application Data\MilkShape 3D 1.x.x
2008-12-14 21:08 --------- d-----w c:\program files\MilkShape 3D 1.8.4
2008-12-14 05:39 --------- d-----w c:\program files\Blender Foundation
2008-12-14 05:39 --------- d-----w c:\documents and settings\alex\Application Data\Blender Foundation
2008-12-14 01:03 --------- d--h--r c:\documents and settings\alex\Application Data\SecuROM
2008-12-14 00:47 --------- d-----w c:\program files\Electronic Arts
2008-12-07 06:51 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-12-06 03:43 --------- d-----w c:\program files\ffdshow
2008-12-06 03:37 --------- d-----w c:\program files\QuickTime
2008-12-06 03:14 --------- d-----w c:\program files\GSpot
2008-12-03 06:53 --------- d-----w c:\program files\Common Files\INCA Shared
2008-11-28 20:52 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-26 21:21 --------- d-----w c:\program files\Java
2008-11-26 21:05 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-23 23:04 --------- d-----w c:\documents and settings\alex\Application Data\OpenOffice.org
2008-11-23 23:01 --------- d-----w c:\program files\OpenOffice.org 3
2008-11-23 23:01 --------- d-----w c:\program files\JRE
2008-11-28 04:52 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-11-28 04:52 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-11-28 04:52 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-11-28 04:52 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-11-28 04:52 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2008-10-07 1410296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-08-18 120640]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"D-Link Air Utility"="c:\program files\D-Link\Air Utility\AirCFG.exe" [2003-09-03 3358720]
"ANIWZCSService"="c:\program files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe" [2003-08-21 32768]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"CTSysVol"="c:\program files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"TV Card Remote Control Device Monitor"="c:\windows\713xRMTMon.exe" [2006-10-11 352256]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-06-11 153136]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-26 136600]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\griss_vigaskald\\half-life\\hl.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Steam\\steamapps\\q74jb83\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\q74jb83\\age of chivalry\\hl2.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"38293:UDP"= 38293:UDP:Symantec - Intel PDS listening for Ping Packets
"2967:UDP"= 2967:UDP:Symantec - RTVScan request to Winsock
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 ts_lb;ts_lb;c:\windows\system32\drivers\ts_lb.sys [2009-01-02 24096]
R3 TSCOMM;CommStudio Virtual Adapter by TamoSoft;c:\windows\system32\drivers\tscomm.sys [2009-01-02 39976]
R4 713xTVCard;SAA7130 TV Card;c:\windows\system32\drivers\SAA713x.sys [2007-06-30 279552]
R4 WDMTVTuner;Universal WDM TV Tuner;c:\windows\system32\drivers\WDMTuner.sys [2007-06-30 25984]
S3 CV2K1;CommView Network Monitor;c:\windows\system32\drivers\cv2k1.sys [2009-01-02 19240]
S3 PRISM;D-Link Air Wireless Prism3 Adapter Driver;c:\windows\system32\drivers\PRISMNDS.sys [2003-07-17 652288]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-08-18 153416]
S3 scrcap;scrcap;c:\windows\system32\DRIVERS\scrcap.sys --> c:\windows\system32\DRIVERS\scrcap.sys [?]
S3 SoundtrackTurbineMessageService;Turbine Message Service - Soundtrack;"c:\program files\Turbine\Turbine Download Manager - Soundtrack\TurbineMessageService.exe" --> c:\program files\Turbine\Turbine Download Manager - Soundtrack\TurbineMessageService.exe [?]
S3 SoundtrackTurbineNetworkService;Turbine Network Service - Soundtrack;"c:\program files\Turbine\Turbine Download Manager - Soundtrack\TurbineNetworkService.exe" --> c:\program files\Turbine\Turbine Download Manager - Soundtrack\TurbineNetworkService.exe [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a22c6538-4c86-11dd-bfcf-000f3df76767}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bc01bec3-e6bd-11db-8ef8-806d6172696f}]
\Shell\AutoRun\command - E:\Autorun.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: free.aol.com
FF - ProfilePath - c:\documents and settings\alex\Application Data\Mozilla\Firefox\Profiles\nqz7o6y6.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-15 00:14:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
TV Card Remote Control Device Monitor = c:\windows\713xRMTMon.exe????w??????????T?a??B??x????????w??????????????x???????????x???????????????????????????????????x??? ????B??????????T?a?x???m?a?x??????????????|hB???w???????????????w???????????????????????????????????w??h????????????w??(????w????A????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\wdfmgr.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
.
**************************************************************************
.
Completion time: 2009-01-15 0:17:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-15 05:17:26
ComboFix2.txt 2009-01-13 21:46:53

Pre-Run: 20,026,322,944 bytes free
Post-Run: 20,014,256,128 bytes free

171 --- E O F --- 2008-11-26 21:19:59


~~~~mbam~~~~

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 3

1/15/2009 1:54:07 PM
mbam-log-2009-01-15 (13-54-07).txt

Scan type: Full Scan (C:\|)
Objects scanned: 114802
Time elapsed: 49 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 26

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Spyware Guard 2008 (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\bdkdrktb.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\blpubrwd.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\iifcARKe.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\jukkwkkr.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\lalrdykf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\nvthrj.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\rqcqga.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\slcebg.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\vdfukl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wvojtgbb.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\zonuda.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E35B162A-7E24-4F68-9431-94EBF4736C07}\RP641\A0143795.dll (Trojan.Pakes) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E35B162A-7E24-4F68-9431-94EBF4736C07}\RP642\A0143820.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E35B162A-7E24-4F68-9431-94EBF4736C07}\RP653\A0147297.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E35B162A-7E24-4F68-9431-94EBF4736C07}\RP654\A0148296.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E35B162A-7E24-4F68-9431-94EBF4736C07}\RP665\A0149567.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E35B162A-7E24-4F68-9431-94EBF4736C07}\RP671\A0149921.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E35B162A-7E24-4F68-9431-94EBF4736C07}\RP671\A0149922.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E35B162A-7E24-4F68-9431-94EBF4736C07}\RP671\A0149929.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E35B162A-7E24-4F68-9431-94EBF4736C07}\RP671\A0149932.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E35B162A-7E24-4F68-9431-94EBF4736C07}\RP671\A0149933.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E35B162A-7E24-4F68-9431-94EBF4736C07}\RP671\A0149937.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E35B162A-7E24-4F68-9431-94EBF4736C07}\RP671\A0149950.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E35B162A-7E24-4F68-9431-94EBF4736C07}\RP671\A0149959.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E35B162A-7E24-4F68-9431-94EBF4736C07}\RP671\A0149945.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ClickToFindandFixErrors_US.ico (Malware.Trace) -> Quarantined and deleted successfully.


~~~~hijack this~~~~


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:57:52 PM, on 1/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [D-Link Air Utility] "C:\Program Files\D-Link\Air Utility\AirCFG.exe"
O4 - HKLM\..\Run: [ANIWZCSService] "C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [TV Card Remote Control Device Monitor] C:\WINDOWS\713xRMTMon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176159561968
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Turbine Message Service - Soundtrack (SoundtrackTurbineMessageService) - Unknown owner - C:\Program Files\Turbine\Turbine Download Manager - Soundtrack\TurbineMessageService.exe (file missing)
O23 - Service: Turbine Network Service - Soundtrack (SoundtrackTurbineNetworkService) - Unknown owner - C:\Program Files\Turbine\Turbine Download Manager - Soundtrack\TurbineNetworkService.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6252 bytes


~~~~~~~~

the computer seems to be running execlent, no more web browser popups!
when i was running the malwarebytes tool, my antivirus which was running in the background, found 37 viruses...do you need me to post the names and file paths, or should i just delete the infected files?

thanks for all the help so far Pskelly
 
Thanks for returning your information and the feedback. I don't need to see what Symantec found, likely stuff we are going to deal with right now.

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

CF_Cleanup.png


Clean the System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Update MBAM and scan to be sure we missed none of the junk, there is no need to post a clean scan result.
(MBAM is yours to keep if you wish, update it and run it once a month or so)

Update Symantec and scan the system, to be sure it is running right and scanning clean. If you have problems with the program, contact tech support for instructions.
http://www.symantec.com/enterprise/support/index.jsp

If all is well at this point, let me know and I will close the topic.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html
 
Thanks for taking the time to let me know, safe surfing and Happy New Year:)
 
Status
Not open for further replies.
Back
Top