
Virtumonde Help!



#1 LadyButterfly8i8


Posted 31 July 2007 - 07:37 PM

I have deleted most of the registries, but not all, apparently... I've downloaded HijackThis! but am unfamiliar with all the virtumonde files and entries etc.
PLEASE, I need some expert advice and looksies into my log. If someone replies, and you know about this stuff too, please don't hesitate to give a 2nd opinion or back them up with their advice. Thanks so much!! Here it is:

Logfile of HijackThis v1.99.1
Scan saved at 5:18:17 PM, on 7/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\arservice.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\SPYWAR~1\swdoctor.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\regedit.exe
C:\WINDOWS\system32\dwwin.exe
c:\program files\mcafee\msc\mcshell.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Owner.JASON\Local Settings\Temp\wz7339\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html?Ch...TP&M=GT5220
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch...TP&M=GT5220
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\ougbjupu.dll",forkonce
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.hotmail.com
O15 - Trusted Zone: http://www.msn.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe



:thumbsup: Thanks again



#2 RichieUK


Posted 01 August 2007 - 07:56 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum LadyButterfly8i8 :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Please move HijackThis.exe to a permanent folder on the hard drive such as C:\HJT
Create a new folder and place your HijackThis.exe inside that folder so that the backups of log changes it creates are saved in the same folder and can be used to reverse the line entry deletion if found to be necessary.
If HijackThis is used from a temp folder it is in danger of being accidentally deleted by Disk Cleanup or similar tools.

How to create a new folder named HJT
1. Click Start/My Computer. In the 'My Computer' window, open the window in which you want to create the new folder: click on Local Disk C:
2. From the 'File' menu choose 'New'.
3. From the 'New' menu choose 'Folder'.
4. Type the folder name: HJT
5. Then press Enter.

--------------------------------------------------

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click "OK".
Post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

--------------------------------------------------

Please download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.


--------------------------------------------------

Now go to:
C:\HJT\HijackThis.exe
Right click on HijackThis.exe and select 'Rename', rename it to abc.bat
Double click on abc.bat (which is still HijackThis.exe), post that log into your next reply please.

#3 LadyButterfly8i8


Posted 02 August 2007 - 08:00 PM

RICHIE YOU ROCK! :thumbsup:

I think it's gone!! But hope you can help me double-check. :flowers:

Here they are:

HIJACKTHIS

Logfile of HijackThis v1.99.1
Scan saved at 5:54:18 PM, on 8/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\eHome\ehRecvr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\program files\mcafee\msc\mcshell.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\SPYWAR~1\Update.exe
C:\PROGRA~1\SPYWAR~1\swdoctor.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.hotmail.com
O15 - Trusted Zone: http://www.msn.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe


VUNDOFIX

VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Scan started at 3:16:37 PM 8/2/2007

Listing files found while scanning....

C:\windows\system32\aghpxysx.exe
C:\windows\system32\cclowtnx.exe
C:\WINDOWS\system32\jlnmp.bak1
C:\WINDOWS\system32\jlnmp.bak2
C:\WINDOWS\system32\jlnmp.ini
C:\WINDOWS\system32\jlnmp.tmp
C:\windows\system32\juiyhtbi.exe
C:\windows\system32\kwfcpwif.exe
C:\windows\system32\lchpspre.exe
C:\windows\system32\mfkkexaf.dll
C:\WINDOWS\system32\pmnlj.dll

Beginning removal...

Attempting to delete C:\windows\system32\aghpxysx.exe
C:\windows\system32\aghpxysx.exe Has been deleted!

Attempting to delete C:\windows\system32\cclowtnx.exe
C:\windows\system32\cclowtnx.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\jlnmp.bak1
C:\WINDOWS\system32\jlnmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\jlnmp.bak2
C:\WINDOWS\system32\jlnmp.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\jlnmp.ini
C:\WINDOWS\system32\jlnmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\jlnmp.tmp
C:\WINDOWS\system32\jlnmp.tmp Has been deleted!

Attempting to delete C:\windows\system32\juiyhtbi.exe
C:\windows\system32\juiyhtbi.exe Has been deleted!

Attempting to delete C:\windows\system32\kwfcpwif.exe
C:\windows\system32\kwfcpwif.exe Has been deleted!

Attempting to delete C:\windows\system32\lchpspre.exe
C:\windows\system32\lchpspre.exe Has been deleted!

Attempting to delete C:\windows\system32\mfkkexaf.dll
C:\windows\system32\mfkkexaf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnlj.dll
C:\WINDOWS\system32\pmnlj.dll Has been deleted!

Performing Repairs to the registry.
Done!


COMBOFIX

ComboFix 07-08-03.2 - "Owner" 2007-08-02 17:32:32.1 [GMT -7:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\OWNER~1.JAS\Desktop\internet.lnk
C:\WINDOWS\system32\aahgehkp.exe
C:\WINDOWS\system32\gwajncbp.exe
C:\WINDOWS\system32\kfqyvfbw.exe
C:\WINDOWS\system32\sxuibspt.dll
C:\WINDOWS\system32\tposyugs.exe
D:\Autorun.inf


((((((((((((((((((((((((( Files Created from 2007-07-03 to 2007-08-03 )))))))))))))))))))))))))))))))


2007-08-02 17:27 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-02 15:36 <DIR> d-------- C:\HJT
2007-08-02 15:32 <DIR> d-------- C:\Program Files\HJT
2007-08-02 15:16 <DIR> d-------- C:\VundoFix Backups
2007-08-02 12:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-08-02 12:03 <DIR> d-------- C:\Program Files\Bonjour
2007-08-02 11:50 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-08-01 23:32 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-08-01 19:02 <DIR> d-------- C:\Program Files\GameSpy Arcade
2007-08-01 19:02 <DIR> d-------- C:\Program Files\AWS
2007-08-01 18:58 <DIR> d-------- C:\Program Files\Sierra
2007-08-01 12:11 125,504 --a------ C:\WINDOWS\system32\mjmidrsq.dll
2007-07-31 22:34 <DIR> d-------- C:\WINDOWS\E31C348B63A94CBF8D7FD932ABB63244.TMP
2007-07-31 22:34 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-31 22:34 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-31 22:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-31 21:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-31 18:31 <DIR> d-------- C:\Program Files\Security Task Manager
2007-07-31 18:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SecTaskMan
2007-07-26 23:07 <DIR> d-------- C:\DOCUME~1\OWNER~1.JAS\APPLIC~1\Roxio
2007-07-26 22:52 <DIR> d-------- C:\Program Files\Roxio
2007-07-26 19:47 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-07-26 18:57 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-07-26 18:45 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-26 18:25 51,072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2007-07-26 18:25 30,592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2007-07-26 18:25 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-07-26 18:25 <DIR> d-------- C:\DOCUME~1\OWNER~1.JAS\APPLIC~1\PC Tools
2007-07-25 18:37 <DIR> d-------- C:\DOCUME~1\OWNER~1.JAS\APPLIC~1\AdobeAUM
2007-07-25 17:43 <DIR> d-------- C:\DOCUME~1\OWNER~1.JAS\APPLIC~1\Jasc Software Inc
2007-07-25 17:42 <DIR> d-------- C:\Program Files\Jasc Software Inc
2007-07-25 16:51 <DIR> d-------- C:\Program Files\Alcohol Soft
2007-07-25 16:29 <DIR> d-------- C:\Program Files\DAMN NFO Viewer
2007-07-25 16:03 89,184 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
2007-07-25 16:03 569,344 --a------ C:\WINDOWS\system32\imagr5.dll
2007-07-25 16:03 544,768 --a------ C:\WINDOWS\system32\imagx5.dll
2007-07-25 16:03 38,912 --a------ C:\WINDOWS\system32\picn20.dll
2007-07-25 16:03 283,920 --a------ C:\WINDOWS\system32\ImagXpr5.dll
2007-07-25 16:03 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-07-25 16:03 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-07-25 16:02 <DIR> d-------- C:\Program Files\Ahead
2007-07-25 15:49 <DIR> d-------- C:\DOCUME~1\OWNER~1.JAS\APPLIC~1\AdobeUM
2007-07-24 21:54 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-07-24 21:54 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-07-24 21:54 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2007-07-24 21:54 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2007-07-24 21:54 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2007-07-24 21:54 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2007-07-24 21:54 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2007-07-24 21:54 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2007-07-24 21:54 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
2007-07-24 21:54 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2007-07-24 21:54 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2007-07-24 21:54 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2007-07-24 21:54 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-07-24 21:54 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-07-24 21:54 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-07-24 21:54 18,280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll
2007-07-24 21:54 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2007-07-24 21:54 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2007-07-24 21:54 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2007-07-24 21:48 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-07-22 20:22 <DIR> d-------- C:\Games
2007-07-21 22:45 18,816 --a------ C:\WINDOWS\system32\drivers\dvd43llh.sys
2007-07-21 22:45 <DIR> d-------- C:\Program Files\dvd43
2007-07-21 22:43 <DIR> d-------- C:\DOCUME~1\OWNER~1.JAS\APPLIC~1\1ClickDVDCopy
2007-07-21 22:33 <DIR> d-------- C:\DOCUME~1\OWNER~1.JAS\APPLIC~1\CopyToDvd
2007-07-21 22:22 <DIR> d-------- C:\Program Files\vso
2007-07-21 22:03 87,608 --a------ C:\DOCUME~1\OWNER~1.JAS\APPLIC~1\ezpinst.exe
2007-07-21 22:03 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-07-21 22:03 47,360 --a------ C:\DOCUME~1\OWNER~1.JAS\APPLIC~1\pcouffin.sys
2007-07-21 22:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\1Click DVD Copy
2007-07-21 22:02 <DIR> d-------- C:\Program Files\LG Software Innovations
2007-07-21 22:02 <DIR> d-------- C:\DOCUME~1\OWNER~1.JAS\APPLIC~1\Vso
2007-07-21 21:52 <DIR> d-------- C:\temp_dvd
2007-07-21 18:05 <DIR> d-------- C:\Program Files\Dvd-cloner
2007-07-20 14:44 <DIR> d-------- C:\DECCHECK
2007-07-20 01:43 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-07-20 01:43 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-07-20 01:43 116,472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-07-20 01:33 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-07-20 01:33 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-07-20 01:33 <DIR> d-------- C:\Program Files\Xvid
2007-07-20 01:26 <DIR> d-------- C:\DOCUME~1\OWNER~1.JAS\APPLIC~1\DivX
2007-07-20 01:25 <DIR> d-------- C:\Program Files\DivX
2007-07-18 20:06 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-07-18 10:01 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-18 03:25 <DIR> d-------- C:\DOCUME~1\OWNER~1.JAS\APPLIC~1\CyberLink
2007-07-18 03:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CyberLink
2007-07-18 03:06 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-07-18 00:10 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-07-18 00:08 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-07-18 00:08 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-07-17 21:53 23,552 --a------ C:\WINDOWS\system32\drivers\phooks.sys
2007-07-17 21:53 <DIR> d-------- C:\DOCUME~1\OWNER~1.JAS\Pavark
2007-07-17 20:57 <DIR> d-------- C:\Program Files\Alwil Software
2007-07-17 20:50 <DIR> d-------- C:\DOCUME~1\OWNER~1.JAS\APPLIC~1\McAfee
2007-07-17 18:07 <DIR> d-------- C:\DOCUME~1\OWNER~1.JAS\APPLIC~1\OfficeUpdate12
2007-07-17 18:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Office Genuine Advantage
2007-07-16 23:29 <DIR> d-------- C:\Program Files\Windows Defender


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-01 00:03 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-07-31 19:33 502272 --a--c--- C:\WINDOWS\system32\dllcache\winlogon.exe
2007-07-31 19:33 502272 --a------ C:\WINDOWS\system32\winlogon.exe
2007-07-16 22:29 --------- d-------- C:\Program Files\Windows Plus
2007-07-16 19:45 --------- d-------- C:\Program Files\Windows NT
2007-07-16 19:45 --------- d-------- C:\Program Files\Movie Maker
2007-07-16 19:45 --------- d-------- C:\Program Files\Messenger
2007-07-16 19:42 --------- d-------- C:\Program Files\Online Services
2007-07-16 19:42 --------- d-------- C:\Program Files\MSN Gaming Zone
2007-07-16 19:42 --------- d-------- C:\Program Files\microsoft frontpage
2007-07-16 19:42 --------- d-------- C:\Program Files\Common Files\SpeechEngines
2007-07-16 19:42 --------- d-------- C:\Program Files\Common Files\ODBC
2007-07-16 19:42 --------- d-------- C:\Program Files\Common Files\New Boundary
2007-07-16 19:42 --------- d-------- C:\Program Files\Common Files\MSSoap
2007-07-09 12:07 36624 --------- C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-07-09 12:07 2560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-07-09 12:07 2432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-06-04 15:18 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 15:17 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 15:14 6272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-16 08:12 86528 -----c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 08:12 85504 -----c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 08:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 08:12 683520 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 08:12 510976 -----c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 08:12 1314816 -----c--- C:\WINDOWS\system32\dllcache\msoe.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 20:56]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 16:19 C:\WINDOWS\arpwrmsg.exe]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-12-09 18:44]
"RTHDCPL"="RTHDCPL.EXE" [2005-11-09 05:14 C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [2005-05-02 12:43 C:\WINDOWS\Alcmtr.exe]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6066\SiteAdv.exe" [2007-03-30 08:42]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [2006-05-22 13:26]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 02:50]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-01-13 14:05]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-01-13 10:19]
"RoxioAudioCentral"="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-01-09 09:21]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-19 21:30]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 18:40]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"Spyware Doctor"="C:\PROGRA~1\SPYWAR~1\swdoctor.exe" [2007-07-26 18:30]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 12:00]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [2007-07-16 20:05:43]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R0 iaStor;iaStor;C:\WINDOWS\system32\DRIVERS\IASTOR.SYS
R0 phooks;phooks;C:\WINDOWS\system32\drivers\phooks.sys
R0 sojubus;sojubus;C:\WINDOWS\system32\DRIVERS\sojubus.sys
R0 sojuscsi;sojuscsi;C:\WINDOWS\system32\DRIVERS\sojuscsi.sys
R1 AmdK8;AMD Processor Driver;C:\WINDOWS\system32\DRIVERS\AmdK8.sys
R1 Cdr4_xp;Cdr4_xp;C:\WINDOWS\system32\drivers\Cdr4_xp.sys
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 MPFP;MPFP;C:\WINDOWS\system32\Drivers\Mpfp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R3 aracpi;aracpi;C:\WINDOWS\system32\DRIVERS\aracpi.sys
R3 arhidfltr;MS Ar HID Filter Driver;C:\WINDOWS\system32\DRIVERS\arhidfltr.sys
R3 arkbcfltr;Microsoft PS2 Keyboard Filter;C:\WINDOWS\system32\DRIVERS\arkbcfltr.sys
R3 armoucfltr;Microsoft PS2 Mouse Filter;C:\WINDOWS\system32\DRIVERS\armoucfltr.sys
R3 ARPolicy;ARPolicy;C:\WINDOWS\system32\DRIVERS\arpolicy.sys
R3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
R3 dvd43llh;dvd43llh;C:\WINDOWS\system32\DRIVERS\dvd43llh.sys
R3 pgfilter;pgfilter;\??\C:\Program Files\PeerGuardian2\pgfilter.sys
S2 ARSVC;ARSVC;C:\WINDOWS\arservice.exe
S3 MHN;MHN;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 MHNDRV;MHN driver;C:\WINDOWS\system32\DRIVERS\mhndrv.sys
S3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
S3 pcouffin;VSO Software pcouffin;C:\WINDOWS\system32\Drivers\pcouffin.sys
S3 sdbus;sdbus;C:\WINDOWS\system32\DRIVERS\sdbus.sys
S3 tql12160;tql12160;\??\C:\DOCUME~1\OWNER~1.JAS\LOCALS~1\Temp\tql12160.sys
S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys

*Newly Created Service* - CATCHME
*Newly Created Service* - PGFILTER

Contents of the 'Scheduled Tasks' folder
2007-07-23 16:07:10 C:\WINDOWS\Tasks\McDefragTask.job - c:\program files\mcafee\mqc\QcConsol.exe
2007-08-02 15:00:22 C:\WINDOWS\Tasks\McQcTask.job - c:\program files\mcafee\mqc\QcConsol.exe
2007-08-02 22:56:43 C:\WINDOWS\Tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-02 17:35:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-02 17:36:29
C:\ComboFix-quarantined-files.txt ... 2007-08-02 17:36

--- E O F ---

That was gonna drive me to an early grave. :huh: I appreciate the fast help!!

#4 LadyButterfly8i8

LadyButterfly8i8
  • Topic Starter

  • Members
  • 15 posts

Posted 02 August 2007 - 08:02 PM

By the way, it wouldn't let me install combofix to the desktop (??) It just started installing immediately and went into allowing me to scan. Maybe you could give me a little direction on how to do it correctly? Hope it worked ok this time! Thanks again!

#5 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 02 August 2007 - 08:12 PM

Download KillBox, unzip/extract it to your desktop.
http://download.bleepingcomputer.com/spyware/KillBox.exe
Start up Killbox and place a check in 'Delete on Reboot'.
In the 'Full path of file to delete' box, copy and paste:
C:\WINDOWS\system32\mjmidrsq.dll
Then press the red button with the white cross.
It will then provide a window for you to confirm the delete.
Next it will ask if you now wish to reboot,select YES.
Allow it to reboot.
If it doesn't reboot automatically, reboot manually.

----------------------------------------------------

Your log is clean :thumbsup:
If all's ok, please do the following.

Find and delete:
VundoFix.exe
Combofix.exe
KillBox.exe

C:\QOOBOX
C:\!KillBox
C:\VundoFix Backups

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

-----------------------------------------------

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html
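What KillBox's 'Delete on Reboot' step does under the hood, as an added example that is not part of RichieUK's instructions and is not KillBox's own code: a DLL that is loaded into a running process cannot be deleted while the system is up, so the file is queued for removal by the session manager at the next boot, before any autostart can reopen it. The script uses the documented kernel32 MoveFileEx call with MOVEFILE_DELAY_UNTIL_REBOOT and then reads back PendingFileRenameOperations to confirm the request was recorded. `$Target` is a placeholder path to be replaced with the file a helper has asked you to remove; the `Win32.NativeMethods` type name is chosen here; it assumes PowerShell 2.0 or later and an elevated session.

```powershell
# Added example: queue a locked file for deletion at next boot (the KillBox
# 'Delete on Reboot' mechanism) and verify the pending operation in the registry.
# Run from an elevated PowerShell 2.0+ session. $Target is a placeholder.
$Target = 'C:\PLACEHOLDER\locked-file.dll'

# P/Invoke declaration for kernel32!MoveFileExW (Unicode). Type/namespace names
# are assumptions made for this example.
$Signature = @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
$Kernel32 = Add-Type -MemberDefinition $Signature -Name 'NativeMethods' -Namespace 'Win32' -PassThru

$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

if (-not (Test-Path -LiteralPath $Target)) {
    Write-Warning "Nothing to do: $Target does not exist."
    return
}

# A null destination combined with MOVEFILE_DELAY_UNTIL_REBOOT means 'delete this
# file during boot', which is why the file no longer has to be unlocked first.
$ok = $Kernel32::MoveFileEx($Target, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
if (-not $ok) {
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    throw "MoveFileEx failed with Win32 error $err (is the session elevated?)"
}

# Verification: the session manager keeps pending renames/deletes as a list of
# string pairs; a source path followed by an empty destination is a pending delete.
# Entries are stored with the '\??\' NT prefix, hence the wildcard match.
$smKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$pending = (Get-ItemProperty -Path $smKey -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
$queued  = $pending | Where-Object { $_ -like "*$Target" }

if ($queued) {
    "Queued for deletion at next boot: $queued"
} else {
    Write-Warning 'PendingFileRenameOperations does not list the file; inspect the key manually before rebooting.'
}
```

Because the deletion is only recorded, not performed, the machine must actually be restarted for it to take effect, which is why the original instructions insist on a reboot (manual if necessary). Checking PendingFileRenameOperations before that reboot is also a cheap way to confirm nothing else unexpected has been queued for the boot-time pass.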