Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hard To Remove Virus / Spyware


  • Please log in to reply
5 replies to this topic

#1 lMeRCiLeSSl

lMeRCiLeSSl

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:56 AM

Posted 01 August 2007 - 06:25 PM

No matter how many times I do spyware and virus scans and remove everything, everything just keeps coming back.

Name: kcehc_eicooc20070702[1]
Location: C:\Documents and settings\Angelo\Local Settings\Temporary Internet Files\Cookies
Type: W32/Downldr2.ALUX

Name: retadpu1000106.exe
Location: C:\WINDOWS
Type: W32/Downldr2.APDD

Name: WinAntiVirusPro2007 FreeInstall[1].cab
Location: C:\Documents and settings\Angelo\Local Settings\Temporary Internet Files\Cookies
Type: W32/downldr2.HCI

Name: Masiyxanidi[1]
Location: C:\Documents and settings\Angelo\Local Settings\Temporary Internet Files\Cookies
Type: W32/Trojan.AYPP

Name: jhwxjkcv.dll
Location: C:\WINDOWS\system32
Type: W32/Trojan.BKUC

I believe I got rid of WinAntiVirusPro2007 FreeInstall[1].cab, but the other 4+ keep coming back...

Here's the Hijackthis scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:41:47 PM, on 8/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cox\Applications\app\SysSvcNt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\DriveCleaner Free\dcsm.exe
C:\Program Files\Cox\Applications\app\Console.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Trend Micro\HijackThis\noname.exe
C:\WINDOWS\explorer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://resultsmaster.com/SmartOffers/Servi...omeLeftPane.htm
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {251CF54C-6DC9-4715-88C2-6C0FD8000731} - C:\WINDOWS\system32\gebyy.dll
O2 - BHO: AuthPopupBHO01.cBHO - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - C:\Program Files\Cox\Applications\App\popupbho01.dll
O2 - BHO: (no name) - {5BC9A107-59FB-494B-8DE2-6E820F2CDE28} - C:\Program Files\MSN Gaming Zone\meqot83122.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: 0 - {C589D5B3-7831-4FAC-7B94-CF7A382FA404} - C:\Program Files\MSN\qucanob.dll (file missing)
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\nheccbey.dll
O3 - Toolbar: Cox Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - C:\Program Files\Cox\Applications\App\popupbho01.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [JAMktV3] C:\Program Files\JAM KT v3\JAMktv3.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [dcsm] "C:\Program Files\Common Files\DriveCleaner Free\dcsm.exe"
O4 - HKLM\..\Run: [ESP] C:\Program Files\Cox\Applications\app\start.exe
O4 - HKLM\..\Run: [bantool] C:\WINDOWS\system32\B3\iasdll.exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\bvljnjgq.dll",forkonce
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EA Link\Core.exe" -silent
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O4 - Global Startup: Windows Live Messenger.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Angelo\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {47B863BD-9069-43B1-A1BA-C7B73953697A} (SDD2MS Control) - http://partners.sonypictures.com/activex/m...1108/SDD2MS.CAB
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownlo...Plugin11USA.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1104557235546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1104557228687
O20 - Winlogon Notify: gebyy - C:\WINDOWS\system32\gebyy.dll
O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - C:\Program Files\Cox\Applications\app\SysSvcNt.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN\rtelecirt.html

--
End of file - 8506 bytes

And the Vundo scan results:


VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 5:54:34 PM 8/1/2007

Listing files found while scanning....

C:\WINDOWS\system32\gebyy.dll
C:\windows\system32\jkkjigg.dll
C:\WINDOWS\system32\khfghij.dll
C:\windows\system32\krweshjl.dll
C:\windows\system32\ljhsewrk.ini
C:\WINDOWS\system32\yndjywys.dll
C:\WINDOWS\system32\yybeg.bak1
C:\WINDOWS\system32\yybeg.bak2
C:\WINDOWS\system32\yybeg.ini

Beginning removal...

Beginning removal...

Attempting to delete C:\WINDOWS\system32\gebyy.dll
C:\WINDOWS\system32\gebyy.dll Could not be deleted.

Attempting to delete C:\windows\system32\jkkjigg.dll
C:\windows\system32\jkkjigg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\khfghij.dll
C:\WINDOWS\system32\khfghij.dll Has been deleted!

Attempting to delete C:\windows\system32\krweshjl.dll
C:\windows\system32\krweshjl.dll Has been deleted!

Attempting to delete C:\windows\system32\ljhsewrk.ini
C:\windows\system32\ljhsewrk.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\yybeg.bak1
C:\WINDOWS\system32\yybeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\yybeg.bak2
C:\WINDOWS\system32\yybeg.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\yybeg.ini
C:\WINDOWS\system32\yybeg.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.6

Checking Java version...
Posted Image

BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:56 PM

Posted 02 August 2007 - 02:29 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum lMeRCiLeSSl :thumbsup:
My name is Richie and i'll be helping you to fix your problems.

First click on Start/Control Panel/Add or Remove Programs and remove/uninstall any of the following if listed:
DriveCleaner
DriveCleaner Free


Then restart your pc.
---------------------------------------------------

Please download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.


Also post a new Hijackthis log please.
Posted Image
Posted Image

#3 lMeRCiLeSSl

lMeRCiLeSSl
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:56 AM

Posted 02 August 2007 - 06:45 PM

As requested, ComboFix and HJT logs...

ComboFix 07-08-03.2 - "Angelo" 2007-08-02 19:33:57.1 [GMT -4:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Angelo\APPLIC~1\..\err.log>>d-delA.cf
C:\Program Files\MSN\rtelecirt.html
C:\Program Files\Trend Micro\HijackThis\backups\backup-20070802-144334-208.dll
C:\Redemption.ECF
C:\WINDOWS\b103.exe
C:\WINDOWS\b136.exe
C:\WINDOWS\b138.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\hqfsepjc.dll
C:\WINDOWS\system32\nheccbey.dll
C:\WINDOWS\system32\winnb58.dll
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_FOPN
-------\ApiMon
-------\core


((((((((((((((((((((((((( Files Created from 2007-07-02 to 2007-08-02 )))))))))))))))))))))))))))))))


2007-08-02 19:32 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-02 14:48 <DIR> d-------- C:\VundoFix Backups
2007-08-02 14:04 169,147 --a------ C:\WINDOWS\TTC-4444.exe
2007-08-01 18:10 125,504 --a------ C:\WINDOWS\system32\bvljnjgq.dll
2007-08-01 17:41 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-31 14:17 125,504 --a------ C:\WINDOWS\system32\lcgethum.dll
2007-07-30 20:17 <DIR> d-------- C:\Temp\tn3
2007-07-30 14:19 125,504 --a------ C:\WINDOWS\system32\bmbkjtgo.dll
2007-07-29 14:22 126,016 --a------ C:\WINDOWS\system32\rlvaverh.dll
2007-07-28 01:08 <DIR> dr------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SalesMonitor
2007-07-28 00:58 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-07-25 14:20 126,016 --a------ C:\WINDOWS\system32\hlkyhvqa.dll
2007-07-22 17:29 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2007-07-22 17:28 <DIR> d--h----- C:\DOCUME~1\Angelo\APPLIC~1\ijjigame
2007-07-22 17:17 <DIR> d-------- C:\ijji
2007-07-14 14:52 <DIR> d-------- C:\Program Files\Common Files\WinAntiSpyware 2007
2007-07-14 14:42 <DIR> d-------- C:\WINDOWS\system32\driver
2007-07-14 14:42 <DIR> d-------- C:\WINDOWS\system32\B3
2007-07-14 14:42 <DIR> d-------- C:\WINDOWS\system32\B2
2007-07-14 14:42 <DIR> d-------- C:\WINDOWS\system32\B1
2007-07-14 14:42 <DIR> d-------- C:\WINDOWS\system32\B0
2007-07-14 14:42 <DIR> d-------- C:\WINDOWS\system32\??stem
2007-07-14 14:41 <DIR> d-------- C:\WINDOWS\system32\b02FdUe
2007-07-03 15:00 1,213 --a------ C:\WINDOWS\checkip.dat


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-02 14:53 --------- d-------- C:\DOCUME~1\Angelo\APPLIC~1\Xfire
2007-08-02 14:43 --------- d-------- C:\Program Files\MSN Gaming Zone
2007-07-29 00:34 --------- d-------- C:\Program Files\Download Manager
2007-07-28 01:09 --------- d---s---- C:\Program Files\Xfire
2007-07-25 01:18 --------- d-------- C:\DOCUME~1\Angelo\APPLIC~1\IMVU
2007-07-23 17:48 --------- d-------- C:\Program Files\Ultra Utility
2007-07-22 17:02 --------- d-------- C:\DOCUME~1\Angelo\APPLIC~1\IGN_DLM
2007-07-04 11:54 22584 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-07-04 11:42 99904 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-06-27 04:15 --------- d-------- C:\Program Files\Ultra Utility v3
2007-06-26 00:27 63040 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2007-06-25 23:48 --------- d-------- C:\Program Files\RealArcade
2007-06-23 00:58 --------- d-------- C:\DOCUME~1\Angelo\APPLIC~1\MySpace
2007-06-22 19:34 --------- d-------- C:\Program Files\Common Files\Authentium Shared
2007-06-22 19:34 --------- d-------- C:\Program Files\Common Files\Authentium
2007-06-14 00:28 2041 --a------ C:\WINDOWS\mozver.dat
2007-06-07 18:30 --------- d-------- C:\Program Files\QuickTime
2007-06-07 02:01 --------- d-------- C:\Program Files\World of Warcraft
2007-06-07 02:00 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-06-05 23:23 --------- d-------- C:\Program Files\LimeWire
2007-06-02 23:51 --------- d-------- C:\DOCUME~1\Angelo\APPLIC~1\AdobeAUM
2007-06-02 23:50 --------- d-------- C:\DOCUME~1\Angelo\APPLIC~1\AdobeUM
2007-05-16 11:12 86528 -----c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 11:12 85504 -----c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 11:12 683520 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 11:12 510976 -----c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 11:12 1314816 -----c--- C:\WINDOWS\system32\dllcache\msoe.dll
2007-05-07 16:32 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-05-04 08:29 3058688 -----c--- C:\WINDOWS\system32\dllcache\mshtml.dll
2007-05-03 19:28 664 --a------ C:\WINDOWS\system32\d3d9caps.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-03-24 09:20 C:\WINDOWS\SOUNDMAN.EXE]
"nTrayFw"="C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe" [2005-02-24 18:26]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-08-12 00:43]
"nwiz"="nwiz.exe" [2006-08-12 00:43 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-08-12 00:43]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05]
"JAMktV3"="C:\Program Files\JAM KT v3\JAMktv3.exe" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"ESP"="C:\Program Files\Cox\Applications\app\start.exe" [2006-12-11 08:31]
"bantool"="C:\WINDOWS\system32\B3\iasdll.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 13:57]
"EA Core"="C:\Program Files\Electronic Arts\EA Link\Core.exe" [2007-07-19 08:02]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 18:11]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-06-13 15:01]

C:\Documents and Settings\Angelo\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [2007-07-10 21:07:46]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50]
Loadout Manager.lnk - C:\Program Files\Belkin\Nostromo\nost_LM.exe [2004-04-06 16:49:02]
Windows Live Messenger.lnk - C:\WINDOWS\Installer\{571700F0-DB9D-4B3A-B03D-35A14BB5939F}\MsblIco.Exe [2007-03-23 00:56:19]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\MSN\rtelecirt.html
FriendlyName=

R0 GRFILTER;Authentium NDIS Driver;C:\WINDOWS\system32\drivers\GRFILTER.sys
R0 nvcchflt;NVIDIA Disk Cache Filter Driver;C:\WINDOWS\system32\DRIVERS\nvcchflt.sys
R1 AmdK8;AMD Athlon64 Processor Driver;C:\WINDOWS\system32\DRIVERS\AmdK8.sys
R1 NVTCP;NVIDIA TCP/IP Protocol Driver;C:\WINDOWS\system32\DRIVERS\NVTcp.sys
R2 CSS DVP;Dynamic Virus Protection;C:\WINDOWS\system32\DRIVERS\css-dvp.sys
R2 ForceWare Intelligent Application Manager (IAM);ForceWare Intelligent Application Manager (IAM);C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
R2 GRTdiMon;Authentium TDI Mon;C:\WINDOWS\system32\Drivers\GRTdiMon.sys
R3 bcgame;Nostromo HID Device Minidriver;C:\WINDOWS\system32\drivers\bcgame.sys
S3 ASPI;Advanced SCSI Programming Interface Driver;\??\C:\WINDOWS\System32\DRIVERS\ASPI32.sys
S3 dump_wmimmc;dump_wmimmc;\??\C:\ijji\ENGLISH\Gunz\GameGuard\dump_wmimmc.sys
S3 EagleNT;EagleNT;\??\C:\WINDOWS\system32\drivers\EagleNT.sys
S3 NPPTNT2;NPPTNT2;\??\C:\WINDOWS\system32\npptNT2.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-02 19:38:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-02 19:40:30 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-02 19:40

--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:44:30 PM, on 8/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cox\Applications\app\SysSvcNt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Cox\Applications\app\Console.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\noname.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AuthPopupBHO01.cBHO - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - C:\Program Files\Cox\Applications\App\popupbho01.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Cox Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - C:\Program Files\Cox\Applications\App\popupbho01.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [JAMktV3] C:\Program Files\JAM KT v3\JAMktv3.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ESP] C:\Program Files\Cox\Applications\app\start.exe
O4 - HKLM\..\Run: [bantool] C:\WINDOWS\system32\B3\iasdll.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EA Link\Core.exe" -silent
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O4 - Global Startup: Windows Live Messenger.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Angelo\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {47B863BD-9069-43B1-A1BA-C7B73953697A} (SDD2MS Control) - http://partners.sonypictures.com/activex/m...1108/SDD2MS.CAB
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownlo...Plugin11USA.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1104557235546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1104557228687
O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - C:\Program Files\Cox\Applications\app\SysSvcNt.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN\rtelecirt.html

--
End of file - 7600 bytes
Posted Image

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:56 PM

Posted 02 August 2007 - 07:10 PM

Copy and paste ALL the following blue text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

File::
C:\WINDOWS\system32\bvljnjgq.dll
C:\WINDOWS\system32\lcgethum.dll
C:\WINDOWS\system32\bmbkjtgo.dll
C:\WINDOWS\system32\rlvaverh.dll
C:\WINDOWS\system32\hlkyhvqa.dll

Folders::
C:\Temp\tn3
C:\DOCUME~1\ALLUSE~1\APPLIC~1\SalesMonitor
C:\Program Files\Common Files\WinAntiSpyware 2007
C:\WINDOWS\system32\B3
C:\WINDOWS\system32\B2
C:\WINDOWS\system32\B1
C:\WINDOWS\system32\B0
C:\WINDOWS\system32\b02FdUe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bantool"=-

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
Posted Image
Posted Image

#5 lMeRCiLeSSl

lMeRCiLeSSl
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:56 AM

Posted 14 August 2007 - 10:25 AM

ComboFix 07-08-03.2 - "Angelo" 2007-08-14 11:21:22.2 [GMT -4:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True
Command switches used :: C:\Documents and Settings\Angelo\Desktop\CFScript.txt
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\bmbkjtgo.dll
C:\WINDOWS\system32\bvljnjgq.dll
C:\WINDOWS\system32\hlkyhvqa.dll
C:\WINDOWS\system32\lcgethum.dll
C:\WINDOWS\system32\rlvaverh.dll


((((((((((((((((((((((((( Files Created from 2007-07-14 to 2007-08-14 )))))))))))))))))))))))))))))))


2007-08-09 10:08 <DIR> d-------- C:\WINDOWS\pss
2007-08-02 19:32 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-02 14:48 <DIR> d-------- C:\VundoFix Backups
2007-08-02 14:04 169,147 --a------ C:\WINDOWS\TTC-4444.exe
2007-08-01 17:41 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-30 20:17 <DIR> d-------- C:\Temp\tn3
2007-07-28 01:08 <DIR> dr------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SalesMonitor
2007-07-28 00:58 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-07-22 17:29 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2007-07-22 17:28 <DIR> d--h----- C:\DOCUME~1\Angelo\APPLIC~1\ijjigame
2007-07-22 17:17 <DIR> d-------- C:\ijji
2007-07-14 14:52 <DIR> d-------- C:\Program Files\Common Files\WinAntiSpyware 2007
2007-07-14 14:42 <DIR> d-------- C:\WINDOWS\system32\driver
2007-07-14 14:42 <DIR> d-------- C:\WINDOWS\system32\B3
2007-07-14 14:42 <DIR> d-------- C:\WINDOWS\system32\B2
2007-07-14 14:42 <DIR> d-------- C:\WINDOWS\system32\B1
2007-07-14 14:42 <DIR> d-------- C:\WINDOWS\system32\B0
2007-07-14 14:42 <DIR> d-------- C:\WINDOWS\system32\??stem
2007-07-14 14:41 <DIR> d-------- C:\WINDOWS\system32\b02FdUe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-03 11:16 --------- d-------- C:\Program Files\RealArcade
2007-08-02 19:41 --------- d-------- C:\DOCUME~1\Angelo\APPLIC~1\Xfire
2007-08-02 14:43 --------- d-------- C:\Program Files\MSN Gaming Zone
2007-07-29 00:34 --------- d-------- C:\Program Files\Download Manager
2007-07-28 01:09 --------- d---s---- C:\Program Files\Xfire
2007-07-25 01:18 --------- d-------- C:\DOCUME~1\Angelo\APPLIC~1\IMVU
2007-07-23 17:48 --------- d-------- C:\Program Files\Ultra Utility
2007-07-22 17:02 --------- d-------- C:\DOCUME~1\Angelo\APPLIC~1\IGN_DLM
2007-07-04 11:54 22584 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-07-04 11:42 99904 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-07-03 15:01 1213 --a------ C:\WINDOWS\checkip.dat
2007-06-27 04:15 --------- d-------- C:\Program Files\Ultra Utility v3
2007-06-26 00:27 63040 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2007-06-23 00:58 --------- d-------- C:\DOCUME~1\Angelo\APPLIC~1\MySpace
2007-06-22 19:34 --------- d-------- C:\Program Files\Common Files\Authentium Shared
2007-06-22 19:34 --------- d-------- C:\Program Files\Common Files\Authentium
2007-06-14 00:28 2041 --a------ C:\WINDOWS\mozver.dat
2007-05-16 11:12 86528 -----c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 11:12 85504 -----c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 11:12 683520 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 11:12 510976 -----c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 11:12 1314816 -----c--- C:\WINDOWS\system32\dllcache\msoe.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-03-24 09:20 C:\WINDOWS\SOUNDMAN.EXE]
"nTrayFw"="C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe" [2005-02-24 18:26]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-08-12 00:43]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-08-12 00:43]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"ESP"="C:\Program Files\Cox\Applications\app\start.exe" [2006-12-11 08:31]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 13:57]
"EA Core"="C:\Program Files\Electronic Arts\EA Link\Core.exe" [2007-07-19 08:02]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-06-13 15:01]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 18:11]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50]
Loadout Manager.lnk - C:\Program Files\Belkin\Nostromo\nost_LM.exe [2004-04-06 16:49:02]
Windows Live Messenger.lnk - C:\WINDOWS\Installer\{571700F0-DB9D-4B3A-B03D-35A14BB5939F}\MsblIco.Exe [2007-03-23 00:56:19]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\MSN\rtelecirt.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Angelo^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\Angelo\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JAMktV3]
C:\Program Files\JAM KT v3\JAMktv3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

R0 GRFILTER;Authentium NDIS Driver;C:\WINDOWS\system32\drivers\GRFILTER.sys
R0 nvcchflt;NVIDIA Disk Cache Filter Driver;C:\WINDOWS\system32\DRIVERS\nvcchflt.sys
R1 AmdK8;AMD Athlon64 Processor Driver;C:\WINDOWS\system32\DRIVERS\AmdK8.sys
R1 NVTCP;NVIDIA TCP/IP Protocol Driver;C:\WINDOWS\system32\DRIVERS\NVTcp.sys
R2 CSS DVP;Dynamic Virus Protection;C:\WINDOWS\system32\DRIVERS\css-dvp.sys
R2 ForceWare Intelligent Application Manager (IAM);ForceWare Intelligent Application Manager (IAM);C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
R2 GRTdiMon;Authentium TDI Mon;C:\WINDOWS\system32\Drivers\GRTdiMon.sys
R3 bcgame;Nostromo HID Device Minidriver;C:\WINDOWS\system32\drivers\bcgame.sys
S3 ASPI;Advanced SCSI Programming Interface Driver;\??\C:\WINDOWS\System32\DRIVERS\ASPI32.sys
S3 dump_wmimmc;dump_wmimmc;\??\C:\ijji\ENGLISH\Gunz\GameGuard\dump_wmimmc.sys
S3 EagleNT;EagleNT;\??\C:\WINDOWS\system32\drivers\EagleNT.sys
S3 NPPTNT2;NPPTNT2;\??\C:\WINDOWS\system32\npptNT2.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-14 11:23:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-14 11:23:44
C:\ComboFix-quarantined-files.txt ... 2007-08-14 11:23
C:\ComboFix2.txt ... 2007-08-02 19:40

--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:25:06 AM, on 8/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cox\Applications\app\SysSvcNt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\noname.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AuthPopupBHO01.cBHO - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - C:\Program Files\Cox\Applications\App\popupbho01.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Cox Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - C:\Program Files\Cox\Applications\App\popupbho01.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ESP] C:\Program Files\Cox\Applications\app\start.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EA Link\Core.exe" -silent
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O4 - Global Startup: Windows Live Messenger.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Angelo\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {47B863BD-9069-43B1-A1BA-C7B73953697A} (SDD2MS Control) - http://partners.sonypictures.com/activex/m...1108/SDD2MS.CAB
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownlo...Plugin11USA.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1104557235546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1104557228687
O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - C:\Program Files\Cox\Applications\app\SysSvcNt.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN\rtelecirt.html

--
End of file - 7207 bytes
Posted Image

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:56 PM

Posted 14 August 2007 - 02:44 PM

Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\Temp\tn3
C:\WINDOWS\system32\B3
C:\WINDOWS\system32\B2
C:\WINDOWS\system32\B1
C:\WINDOWS\system32\B0
C:\WINDOWS\TTC-4444.exe
C:\WINDOWS\system32\b02FdUe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\SalesMonitor
C:\Program Files\Common Files\WinAntiSpyware 2007


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button Posted Image.

Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it on your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

----------------------------------------------------

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java,and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u2'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java versions.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.

---------------------------------------------------

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed,on the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer,when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it,then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new Hijackthis log,let me know how your pc is running now.

Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users