
Vundo Trojan


19 replies to this topic

#1 Sandcrawler

Sandcrawler

  • Members
  • 10 posts
  • Local time:05:28 AM

Posted 07 January 2008 - 09:13 PM

Well I scanned with Avast Antivirus, and it found a few, I didn't get a log file...sorry I can rescan but it took 17 hours the last time. I have also scanned with Spybot, Ad-Aware, and Stinger...and the HouseCall one. Spybot found some Vundo stuff...Didn't get a log file of it either, but I fixed them all...and Ad-Aware found mostly Cookies.

Now a friend of mine has had the same problem and recommended me to here. What happens is explorer.exe dies shortly after startup, and even after you restart the process it just crashes again.

Here is the HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:56:06 PM, on 1/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Ryan\Application Data\Opera\Opera\profile\cache4\temporary_download\stinger.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\mlljg.exe
O1 - Hosts: 64.34.77.24 l2authd.lineage2.com
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: War Rock Toolbar - {5D956A61-05E7-427B-A2B1-BF32FB18B1BE} - C:\Program Files\War Rock Toolbar\v3.2.0.0\War_Rock_Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Zboard] C:\Program Files\Ideazon\ZEngine\Zboard.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Xfire Music] "C:\Program Files\Xfire\xfiremusic.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [ydmrqlsb] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ydmrqlsb.dll"
O4 - HKLM\..\Run: [drmsrv32] c:\fypl.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA7295] command /c del "C:\WINDOWS\system32\xpdx.sys_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1535] cmd /c del "C:\WINDOWS\system32\xpdx.sys_tobedeleted"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKLM\..\Policies\Explorer\Run: [arM1AvH6Hk] rundll32.exe "C:\WINDOWS\bkjmfcdu.dll",DllCleanServer
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Startup: NYKO Gamepad Mapping Tools.lnk = C:\Program Files\NYKO\Gamepad Mapping Tools\ngpmap.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Ryan\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PostgreSQL Database Server (pgsql-8.0) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.0\bin\pg_ctl.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O24 - Desktop Component 0: My Current Home Page - About:Home

--
End of file - 8373 bytes


Thanks for your help.

#2 Sandcrawler

Sandcrawler
  • Topic Starter

  • Members
  • 10 posts
  • Local time:05:28 AM

Posted 08 January 2008 - 09:28 PM

Well...I ran the Vundo Fix tool, and it deleted around 5 files, it couldn't delete a dll named vtuvuww.dll, I tried going in and deleting it manually, but there are no files by that name...

Here is a new fresh HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:15:40 PM, on 1/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp .exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Ideazon\ZEngine\Zboard.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Ideazon\ZEngine\Zboard .exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Xfire\xfire.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\mlljg.exe
O1 - Hosts: 64.34.77.24 l2authd.lineage2.com
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: War Rock Toolbar - {5D956A61-05E7-427B-A2B1-BF32FB18B1BE} - C:\Program Files\War Rock Toolbar\v3.2.0.0\War_Rock_Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Zboard] C:\Program Files\Ideazon\ZEngine\Zboard.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Xfire Music] "C:\Program Files\Xfire\xfiremusic.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [ydmrqlsb] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ydmrqlsb.dll"
O4 - HKLM\..\Run: [drmsrv32] c:\fypl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKLM\..\Policies\Explorer\Run: [arM1AvH6Hk] rundll32.exe "C:\WINDOWS\bkjmfcdu.dll",DllCleanServer
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Startup: NYKO Gamepad Mapping Tools.lnk = C:\Program Files\NYKO\Gamepad Mapping Tools\ngpmap.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Ryan\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PostgreSQL Database Server (pgsql-8.0) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.0\bin\pg_ctl.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O24 - Desktop Component 0: My Current Home Page - About:Home

--
End of file - 8450 bytes

#3 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:28 AM

Posted 09 January 2008 - 10:07 PM

Hello Sandcrawler,

Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial

*******************************************

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

F3 - REG:win.ini: load=C:\WINDOWS\system32\mlljg.exe
O4 - HKLM\..\Run: [ydmrqlsb] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ydmrqlsb.dll"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [drmsrv32] c:\fypl.exe
O4 - HKLM\..\Policies\Explorer\Run: [arM1AvH6Hk] rundll32.exe "C:\WINDOWS\bkjmfcdu.dll",DllCleanServer
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)


*******************************************

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\mlljg.exe
    C:\Documents and Settings\All Users\Application Data\ydmrqlsb.dll
    C:\WINDOWS\bkjmfcdu.dll
    c:\fypl.exe


  • Return to OTMoveIt2, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Note : If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
    C:\_OTMoveIt2\MovedFiles\********_******.log
    (where "********_******" is the "date_time")
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Caution: Be careful of what you copy and paste with this tool. OTMoveIt2 is a powerful program, designed to move highly persistent files and folders. Not following the directions as instructed or using incorrectly could lead to disastrous problems with your operating system.


*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbarfree Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Autocomplete Forum History.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
Clean any others that you choose.

In the Applications Tab:
Clean all including cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************

Reboot your computer, post a new HijackThis log, the OTMoveIt log, and tell me how your computer is running.

Edited by SifuMike, 09 January 2008 - 10:13 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#4 Sandcrawler

Sandcrawler
  • Topic Starter

  • Members
  • 10 posts
  • Local time:05:28 AM

Posted 10 January 2008 - 12:00 AM

Um as for how my computer is running...I can't really notice a difference, I still have no start menu, or desktop. Also I dunno if I mentioned it, but when I start my computer a postgres user process starts up, and some programs, I can get you the names. It doesn't show in the HijackThis log, I usually shut it down shortly after my computer starts up. It's nothing I have installed or seen before.

Here is the OTMoveIt Log:

C:\WINDOWS\system32\mlljg.exe

This was removed it said, but I didn't keep a log of it.

C:\Documents and Settings\All Users\Application Data\ydmrqlsb.dll

The program locked up when it got to this one, so I took it off and did the last two:

DllUnregisterServer procedure not found in C:\WINDOWS\bkjmfcdu.dll
C:\WINDOWS\bkjmfcdu.dll NOT unregistered.
C:\WINDOWS\bkjmfcdu.dll moved successfully.
File/Folder c:\fypl.exe not found.

OTMoveIt2 v1.0.5 log created on 01092008_202605

and a new HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:52:45 PM, on 1/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: 64.34.77.24 l2authd.lineage2.com
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: War Rock Toolbar - {5D956A61-05E7-427B-A2B1-BF32FB18B1BE} - C:\Program Files\War Rock Toolbar\v3.2.0.0\War_Rock_Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Zboard] C:\Program Files\Ideazon\ZEngine\Zboard.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Xfire Music] "C:\Program Files\Xfire\xfiremusic.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [ErrorSmart] C:\Program Files\ErrorSmart\ErrorSmart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Startup: NYKO Gamepad Mapping Tools.lnk = C:\Program Files\NYKO\Gamepad Mapping Tools\ngpmap.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Ryan\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PostgreSQL Database Server (pgsql-8.0) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.0\bin\pg_ctl.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O24 - Desktop Component 0: My Current Home Page - About:Home

--
End of file - 7398 bytes

Thanks for your help with this Mike.
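The way SifuMike picked the entries to "fix checked" above, and the way the two logs in posts #2 and #4 can be compared to confirm they are gone, can both be done mechanically. The script below is an added example and is not part of this thread or of HijackThis; it parses a handful of HijackThis lines copied from the logs above (a constructed subset, not a full log), flags entries using the common triage heuristics a helper applies by eye (win.ini `load=`, `Policies\Explorer\Run`, `regsvr32 /u` in a Run key, executables in the drive root or under All Users\Application Data, `(file missing)` dead entries), and diffs a "before" and "after" log so you can see what disappeared and what newly appeared (here, ErrorSmart). The heuristics are the author's assumptions about what merits review, not a verdict that an entry is malicious.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few entries copied from the HijackThis logs posted in this
# thread (post #2 = before the fix, post #4 = after). A real log has many more lines.
LOG_BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
F3 - REG:win.ini: load=C:\WINDOWS\system32\mlljg.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ydmrqlsb] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ydmrqlsb.dll"
O4 - HKLM\..\Run: [drmsrv32] c:\fypl.exe
O4 - HKLM\..\Policies\Explorer\Run: [arM1AvH6Hk] rundll32.exe "C:\WINDOWS\bkjmfcdu.dll",DllCleanServer
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
"""

LOG_AFTER = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ErrorSmart] C:\Program Files\ErrorSmart\ErrorSmart.exe
"""

# "O4 - <body>" style lines; everything else in the log (header, process list) is skipped.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O4 bodies look like "<registry key>: [<value name>] <command line>".
O4_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
# First drive-letter path ending in a PE extension, stopping at quotes or commas.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"',]*?\.(?:exe|dll|sys)", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    section: str  # HijackThis section code, e.g. O4, F3, O9
    body: str     # the text after "O4 - "


def parse_log(text):
    """Extract the numbered HijackThis entries from a pasted log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def flag_entry(entry):
    """Return the review reasons for one entry (empty list = nothing notable).
    These are assumed triage heuristics, not a malware verdict."""
    reasons = []
    body = entry.body
    if entry.section == "F3" and "load=" in body:
        reasons.append("win.ini load= autostart; legacy mechanism, rarely legitimate today")
    if "(file missing)" in body:
        reasons.append("target file missing; dead entry that should be cleaned up")
    if entry.section == "O4":
        m = O4_RE.match(body)
        if m:
            key, cmd = m["key"], m["cmd"]
            if "Policies\\Explorer\\Run" in key:
                reasons.append("Policies\\Explorer\\Run autostart; rarely used by legitimate software")
            if cmd.lower().startswith("regsvr32 /u"):
                reasons.append("regsvr32 /u in a Run key; re-unregisters a DLL at every logon, unusual")
    p = PATH_RE.search(body)
    if p:
        path = p.group(0)
        folder = path.rsplit("\\", 1)[0]
        if len(folder) == 2 and folder.endswith(":"):
            reasons.append(f"executable in drive root ({path})")
        if "all users\\application data" in path.lower():
            reasons.append("autostart from All Users\\Application Data")
    return reasons


def review_log(text):
    """Parse a log and return [(entry, reasons)] for entries that earn at least one flag."""
    flagged = []
    for entry in parse_log(text):
        reasons = flag_entry(entry)
        if reasons:
            flagged.append((entry, reasons))
    return flagged


def diff_logs(before, after):
    """Entries that disappeared and that appeared between two logs (exact body match)."""
    b = {e.body for e in parse_log(before)}
    a = {e.body for e in parse_log(after)}
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for entry, reasons in review_log(LOG_BEFORE):
        print(f"{entry.section} - {entry.body}")
        for r in reasons:
            print(f"    -> {r}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("\nGone since the previous log:", *removed, sep="\n  ")
    print("\nNew since the previous log:", *added, sep="\n  ")
```

Run it as-is and the five entries SifuMike asked to fix (plus the dead Yahoo Messenger button) are the ones that come back flagged, while the avast! entry is not; the diff then shows those entries gone from the later log and the ErrorSmart Run entry as the only newcomer, which is exactly the kind of change a helper looks for when the next log is posted. The diff is by exact text, so a renamed or moved autostart shows up as one removal plus one addition rather than being silently matched.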

#5 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:28 AM

Posted 10 January 2008 - 01:34 AM

Hello Sandcrawler,


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 3.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 3".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.


Go to Add or Remove Programs, make sure the Show Updates box at the top left is checked and remove (i.e. uninstall) ErrorSmart. You have no reason to use this application.


Reboot your computer and post a fresh Hijackthis log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#6 Sandcrawler (Topic Starter)

Posted 11 January 2008 - 01:25 AM

Well, I updated Java, but I can't get into the Control Panel to remove anything. As for the ErrorSmart thing, I have it because I wasn't paying attention when I was downloading CCleaner, I think, and clicked that link instead.

Here is a new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:13 PM, on 1/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp .exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Opera\Opera.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: 64.34.77.24 l2authd.lineage2.com
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: War Rock Toolbar - {5D956A61-05E7-427B-A2B1-BF32FB18B1BE} - C:\Program Files\War Rock Toolbar\v3.2.0.0\War_Rock_Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Zboard] C:\Program Files\Ideazon\ZEngine\Zboard.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Xfire Music] "C:\Program Files\Xfire\xfiremusic.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [ErrorSmart] C:\Program Files\ErrorSmart\ErrorSmart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Startup: NYKO Gamepad Mapping Tools.lnk = C:\Program Files\NYKO\Gamepad Mapping Tools\ngpmap.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Ryan\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PostgreSQL Database Server (pgsql-8.0) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.0\bin\pg_ctl.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O24 - Desktop Component 0: My Current Home Page - About:Home

--
End of file - 7552 bytes
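As an added triage example (not part of this thread, nor of HijackThis or ComboFix), the script below runs a few first-pass checks over lines copied from the logs in this thread: the "name .exe" look-alike files that ComboFix later lists under Other Deletions in post #8, O23 services whose binary is missing, and the O1 Hosts override. The `Finding`, `triage` and `summarize` names are mine.

```python
"""Triage checks over HijackThis-style log lines.

Added example; it is not part of this thread, of HijackThis or of ComboFix.
The sample below is copied from the logs posted in this thread (the
"name .exe" entries are the ones ComboFix later listed under Other Deletions).
"""
import re
from dataclasses import dataclass

# Sample lines copied from the HijackThis log above and from the ComboFix log
# further down the thread (running-process paths plus O1/O4/O23 entries).
SAMPLE_LOG = """\
C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp .exe
O1 - Hosts: 64.34.77.24 l2authd.lineage2.com
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask .exe" -atboottime
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\\Program Files\\Alwil Software\\Avast4\\aswUpdSv.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\\WINDOWS\\system32\\PnkBstrA.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\\WINDOWS\\system32\\Ati2evxx.exe
"""


@dataclass
class Finding:
    kind: str   # which heuristic fired
    line: str   # the log line, unchanged, so a helper can quote it back


# A space right before the extension ("ashDisp .exe"): a look-alike file
# placed next to the real "ashDisp.exe". Matches Windows-style names only.
SPACED_EXT = re.compile(r"\S \.(exe|dll|sys)\b", re.IGNORECASE)
# O1 lines: HijackThis lists Hosts entries that map a name to an address.
HOSTS_LINE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per (line, heuristic) pair that needs a look."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SPACED_EXT.search(line):
            findings.append(Finding("spaced-extension", line))
        # A service pointing at a file that is gone is often a leftover from an
        # uninstall, so this is a "check it" flag, not a verdict.
        if line.startswith("O23 - ") and line.endswith("(file missing)"):
            findings.append(Finding("service-binary-missing", line))
        m = HOSTS_LINE.match(line)
        if m and m.group(2).lower() != "localhost":
            findings.append(Finding("hosts-override", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per heuristic, e.g. {'spaced-extension': 2, ...}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Every flag is a prompt to look at the file, its signer and its timestamps, not a verdict on its own; the missing avast! updater binary here, for instance, could equally be a broken install.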

#7 SifuMike
malware expert, Staff Emeritus

Posted 11 January 2008 - 01:31 AM

Hi Sandcrawler,

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Be sure to disable your Avast antivirus before running ComboFix.

To disable avast antivirus:
Right click on the avast! icon in the system tray and choose (Stop On-Access Protection)

Post the ComboFix log.

#8 Sandcrawler (Topic Starter)

Posted 12 January 2008 - 02:05 PM

ComboFix 08-01-11.3 - Ryan 2008-01-12 10:04:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.663 [GMT -8:00]
Running from: C:\Documents and Settings\Ryan\Application Data\Opera\Opera\profile\cache4\temporary_download\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\ydmrqlsb.dll
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
C:\Program Files\Alwil Software\Avast4\ashDisp .exe
C:\Program Files\Helper
C:\Program Files\Helper\superfindout.dll
C:\Program Files\Ideazon\ZEngine\Zboard.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Logitech\Profiler\lwemon.exe
C:\WINDOWS\kxkxmrut.dll
C:\WINDOWS\PerfInfo
C:\WINDOWS\PerfInfo\arM1AvH6Hkwp.exe
C:\WINDOWS\system32\drivers\symavc32.sys
C:\WINDOWS\system32\gjllm.ini
C:\WINDOWS\system32\gjllm.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mlljg.dll
C:\WINDOWS\system32\mlljg.exe
C:\WINDOWS\system32\vtuvvww.dll
C:\WINDOWS\system32\xpdx.sys

<pre>
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe ---> AdobeUpdateManager.exe
C:\Program Files\Alwil Software\Avast4\ashDisp .exe ---> QooBox
C:\Program Files\Ideazon\ZEngine\Zboard .exe ---> Zboard.exe
C:\Program Files\Logitech\Profiler\lwemon .exe ---> lwemon.exe
</pre>
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\symavc32
-------\xpdx


((((((((((((((((((((((((( Files Created from 2007-12-12 to 2008-01-12 )))))))))))))))))))))))))))))))
.

2008-01-12 10:02 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-10 18:30 . 2008-01-10 18:30 <DIR> d-------- C:\Program Files\Sun
2008-01-10 18:30 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-09 20:35 . 2008-01-09 20:35 <DIR> d-------- C:\Program Files\CCleaner
2008-01-09 20:32 . 2008-01-09 20:32 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\ErrorSmart
2008-01-09 20:03 . 2008-01-09 20:49 <DIR> d-------- C:\Program Files\ErrorSmart
2008-01-08 06:16 . 2008-01-08 18:00 <DIR> d-------- C:\VundoFix Backups
2008-01-07 17:55 . 2008-01-07 17:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-03 20:54 . 2008-01-03 20:52 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-03 20:52 . 2008-01-03 22:08 <DIR> d-------- C:\Documents and Settings\Ryan\.housecall6.6
2007-12-30 22:59 . 2007-12-30 22:59 155,648 --a------ C:\WINDOWS\system32\NeroCheck .exe
2007-12-30 21:59 . 2007-12-30 21:59 <DIR> d-------- C:\WINDOWS\brkutjvk
2007-12-30 21:59 . 2007-12-30 21:59 2 --a------ C:\1681983773
2007-12-30 21:58 . 2007-12-30 21:59 <DIR> d-------- C:\WINDOWS\KB628926
2007-12-30 21:58 . 2007-12-30 21:58 58,368 --a------ C:\itqrga.exe
2007-12-30 21:58 . 2007-12-30 21:58 37,376 --a------ C:\WINDOWS\divabsrq.exe
2007-12-26 15:21 . 2007-12-26 15:21 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-26 15:21 . 2007-12-26 15:21 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-22 16:12 . 2007-12-22 16:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Last.fm
2007-12-16 18:50 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2007-12-16 18:22 . 2007-12-16 18:22 <DIR> d-------- C:\Program Files\CCP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-11 02:30 --------- d-----w C:\Program Files\Java
2008-01-10 04:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-02 04:29 --------- d-----w C:\Program Files\QuickTime
2008-01-02 02:53 --------- d-----w C:\Program Files\Silkroad
2007-12-31 07:00 --------- d-----w C:\Program Files\iTunes
2007-12-31 06:05 --------- d-----w C:\Program Files\Xfire
2007-12-31 05:54 --------- d-----w C:\Program Files\PopCap Games
2007-12-24 02:59 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-12-23 00:13 --------- d-----w C:\Program Files\Last.fm
2007-12-22 20:25 --------- d-----w C:\Documents and Settings\Ryan\Application Data\Xfire
2007-12-20 14:16 --------- d-----w C:\Program Files\Lx_cats
2007-12-19 07:47 --------- d-----w C:\Documents and Settings\Ryan\Application Data\vmntoolbar
2007-12-19 02:56 --------- d-----w C:\Documents and Settings\Ryan\Application Data\Sites
2007-12-19 02:56 --------- d-----w C:\Documents and Settings\Ryan\Application Data\SiteClasses
2007-12-18 02:21 --------- d-----w C:\Documents and Settings\Ryan\Application Data\OpenOffice.org2
2007-12-14 03:26 --------- d-----w C:\Program Files\StarWarsGalaxies
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-02 06:50 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2007-12-02 06:45 --------- d-----w C:\Program Files\HP
2007-12-01 16:03 --------- d-----w C:\Program Files\Winamp
2007-12-01 16:03 --------- d-----w C:\Documents and Settings\Ryan\Application Data\Winamp
2007-11-29 14:15 --------- d-----w C:\Program Files\SpacialAudio
2007-11-29 14:13 --------- d-----w C:\Program Files\PostgreSQL
2007-11-28 08:51 --------- d-----w C:\Program Files\Text2Speech
2006-11-26 06:26 3,580 ----a-w C:\Program Files\INSTALL.LOG
2001-09-29 01:00 164,864 ----a-w C:\Program Files\UNWISE.EXE
.
<pre>
----a-w		 3,739,648 2007-12-31 07:00:18  C:\Program Files\Google\Google Talk\googletalk .exe
----a-w		   278,528 2007-12-31 07:00:07  C:\Program Files\iTunes\iTunesHelper .exe
----a-w			36,975 2007-12-31 07:00:06  C:\Program Files\Java\jre1.5.0_06\bin\jusched .exe
----a-w		   155,648 2007-12-31 06:59:59  C:\WINDOWS\system32\NeroCheck .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [ ]
"Start WingMan Profiler"="C:\Program Files\Logitech\Profiler\lwemon.exe" [2008-01-08 18:10 73728]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2008-01-08 18:10 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [ ]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"SoundMan"="SOUNDMAN.EXE" [2005-12-14 18:06 577536 C:\WINDOWS\soundman.exe]
"LXCCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll" [2005-01-10 01:21 69632]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22 86016]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [ ]
"CTHelper"="CTHELPER.EXE" [2006-08-11 13:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 13:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"Zboard"="C:\Program Files\Ideazon\ZEngine\Zboard.exe" [2008-01-08 18:10 57344]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-07-22 22:25 28160 C:\WINDOWS\KHALMNPR.Exe]
"Xfire Music"="C:\Program Files\Xfire\xfiremusic.exe" [ ]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [ ]
"ErrorSmart"="C:\Program Files\ErrorSmart\ErrorSmart.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.exe" [2006-08-11 13:42 25600 C:\WINDOWS\MIDIDEF.EXE]

C:\Documents and Settings\Ryan\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-12-22 16:13:07]
NYKO Gamepad Mapping Tools.lnk - C:\Program Files\NYKO\Gamepad Mapping Tools\ngpmap.exe [2007-08-11 13:13:32]
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [2007-12-04 18:25:52]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-08-21 22:52:25]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-10-22 12:22 7700480 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-10-22 12:22 86016 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-12-08 17:35 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2005-12-14 18:06 577536 C:\WINDOWS\soundman.exe

R3 Alpham1;Ideazon ZBoard USB Human Interface Device;C:\WINDOWS\system32\DRIVERS\Alpham1.sys [2007-07-23 09:56]
R3 Alpham2;Ideazon ZBoard MM USB Human Interface Device;C:\WINDOWS\system32\DRIVERS\Alpham2.sys [2007-03-20 11:49]
S3 gUSBSTOi;gUSBSTOi;C:\DOCUME~1\Ryan\LOCALS~1\Temp\gUSBSTOi.sys []
S3 XDva032;XDva032;C:\WINDOWS\system32\XDva032.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 11:30:00 C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job"
- C:\Program Files\ErrorSmart\ErrorSmart.ex
- C:\Program Files\ErrorSmart
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-12 10:40:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-12 10:47:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-12 18:47:18

#9 SifuMike
malware expert, Staff Emeritus

Posted 12 January 2008 - 02:35 PM

Looks like you screwed up the fix. :wacko:

The instructions specifically told you to download ComboFix to your desktop and nowhere else.

Why are you running it from your Opera temp folder??? :thumbsup:

Running from: C:\Documents and Settings\Ryan\Application Data\Opera\Opera\profile\cache4\temporary_download\ComboFix.exe


Delete that version of ComboFix in C:\Documents and Settings\Ryan\Application Data\Opera\Opera\profile\cache4\temporary_download

Now we start over. :blink:
Download it again and run it.
Visit this webpage for instructions for downloading and running ComboFix:
Make sure you follow the directions this time.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Be sure to disable your Avast antivirus before running ComboFix.

Edited by SifuMike, 12 January 2008 - 03:03 PM.


#10 Sandcrawler (Topic Starter)

Posted 12 January 2008 - 06:54 PM

Well, it's running pretty well for a screwed-up fix: I have a start bar and a desktop again. I'll run it again now that I have time. As for Avast, I don't have any icon for it, and I'm not sure what process it is. So if it's running again I can try again, but there are only 3 icons in the bar: the Zboard, Sound, and the Windows protection/warning thing.

ComboFix 08-01-13.1 - Ryan 2008-01-12 15:56:20.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.569 [GMT -8:00]
Running from: C:\Documents and Settings\Ryan\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.

2008-01-12 10:02 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-10 18:30 . 2008-01-10 18:30 <DIR> d-------- C:\Program Files\Sun
2008-01-10 18:30 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-09 20:35 . 2008-01-09 20:35 <DIR> d-------- C:\Program Files\CCleaner
2008-01-09 20:32 . 2008-01-09 20:32 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\ErrorSmart
2008-01-09 20:03 . 2008-01-09 20:49 <DIR> d-------- C:\Program Files\ErrorSmart
2008-01-08 06:16 . 2008-01-08 18:00 <DIR> d-------- C:\VundoFix Backups
2008-01-07 17:55 . 2008-01-07 17:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-03 20:54 . 2008-01-03 20:52 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-03 20:52 . 2008-01-03 22:08 <DIR> d-------- C:\Documents and Settings\Ryan\.housecall6.6
2007-12-30 22:59 . 2007-12-30 22:59 155,648 --a------ C:\WINDOWS\system32\NeroCheck .exe
2007-12-30 21:59 . 2007-12-30 21:59 <DIR> d-------- C:\WINDOWS\brkutjvk
2007-12-30 21:59 . 2007-12-30 21:59 2 --a------ C:\1681983773
2007-12-30 21:58 . 2007-12-30 21:59 <DIR> d-------- C:\WINDOWS\KB628926
2007-12-30 21:58 . 2007-12-30 21:58 58,368 --a------ C:\itqrga.exe
2007-12-30 21:58 . 2007-12-30 21:58 37,376 --a------ C:\WINDOWS\divabsrq.exe
2007-12-26 15:21 . 2007-12-26 15:21 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-26 15:21 . 2007-12-26 15:21 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-22 16:12 . 2007-12-22 16:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Last.fm
2007-12-16 18:50 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2007-12-16 18:22 . 2007-12-16 18:22 <DIR> d-------- C:\Program Files\CCP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-11 02:30 --------- d-----w C:\Program Files\Java
2008-01-10 04:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-02 04:29 --------- d-----w C:\Program Files\QuickTime
2008-01-02 02:53 --------- d-----w C:\Program Files\Silkroad
2007-12-31 07:00 --------- d-----w C:\Program Files\iTunes
2007-12-31 06:05 --------- d-----w C:\Program Files\Xfire
2007-12-31 05:54 --------- d-----w C:\Program Files\PopCap Games
2007-12-24 02:59 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-12-24 02:55 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-12-23 00:13 --------- d-----w C:\Program Files\Last.fm
2007-12-22 23:58 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-12-22 20:25 --------- d-----w C:\Documents and Settings\Ryan\Application Data\Xfire
2007-12-20 14:16 --------- d-----w C:\Program Files\Lx_cats
2007-12-19 07:47 --------- d-----w C:\Documents and Settings\Ryan\Application Data\vmntoolbar
2007-12-19 02:56 --------- d-----w C:\Documents and Settings\Ryan\Application Data\Sites
2007-12-19 02:56 --------- d-----w C:\Documents and Settings\Ryan\Application Data\SiteClasses
2007-12-18 02:21 --------- d-----w C:\Documents and Settings\Ryan\Application Data\OpenOffice.org2
2007-12-14 03:26 --------- d-----w C:\Program Files\StarWarsGalaxies
2007-12-09 19:43 172,544 ----a-w C:\WINDOWS\system32\cncs32.dll
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-12-02 06:50 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2007-12-02 06:45 --------- d-----w C:\Program Files\HP
2007-12-01 16:03 --------- d-----w C:\Program Files\Winamp
2007-12-01 16:03 --------- d-----w C:\Documents and Settings\Ryan\Application Data\Winamp
2007-11-29 14:15 --------- d-----w C:\Program Files\SpacialAudio
2007-11-29 14:13 --------- d-----w C:\Program Files\PostgreSQL
2007-11-28 08:51 --------- d-----w C:\Program Files\Text2Speech
2006-11-26 06:26 3,580 ----a-w C:\Program Files\INSTALL.LOG
2001-09-29 01:00 164,864 ----a-w C:\Program Files\UNWISE.EXE
.
<pre>
----a-w		 3,739,648 2007-12-31 07:00:18  C:\Program Files\Google\Google Talk\googletalk .exe
----a-w		   278,528 2007-12-31 07:00:07  C:\Program Files\iTunes\iTunesHelper .exe
----a-w			36,975 2007-12-31 07:00:06  C:\Program Files\Java\jre1.5.0_06\bin\jusched .exe
----a-w		   155,648 2007-12-31 06:59:59  C:\WINDOWS\system32\NeroCheck .exe
</pre>


((((((((((((((((((((((((((((( snapshot@2008-01-12_10.46.59.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-12 18:03:41 225,280 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-12 23:56:08 225,280 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-12 18:03:41 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-12 23:56:08 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-12 18:03:41 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-01-12 23:56:08 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
- 2008-01-12 18:03:41 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-12 23:56:08 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-12 18:03:41 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-12 23:56:08 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-12 18:03:41 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-12 23:56:08 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-12 18:03:43 9,416,704 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000007\ntuser.dat
+ 2008-01-12 23:56:11 9,433,088 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000007\ntuser.dat
- 2008-01-12 18:03:43 172,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000008\UsrClass.dat
+ 2008-01-12 23:56:11 172,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000008\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [ ]
"Start WingMan Profiler"="C:\Program Files\Logitech\Profiler\lwemon.exe" [2008-01-08 18:10 73728]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2008-01-08 18:10 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [ ]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"SoundMan"="SOUNDMAN.EXE" [2005-12-14 18:06 577536 C:\WINDOWS\soundman.exe]
"LXCCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll" [2005-01-10 01:21 69632]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22 86016]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [ ]
"CTHelper"="CTHELPER.EXE" [2006-08-11 13:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 13:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"Zboard"="C:\Program Files\Ideazon\ZEngine\Zboard.exe" [2008-01-08 18:10 57344]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-07-22 22:25 28160 C:\WINDOWS\KHALMNPR.Exe]
"Xfire Music"="C:\Program Files\Xfire\xfiremusic.exe" [ ]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [ ]
"ErrorSmart"="C:\Program Files\ErrorSmart\ErrorSmart.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.exe" [2006-08-11 13:42 25600 C:\WINDOWS\MIDIDEF.EXE]

C:\Documents and Settings\Ryan\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-12-22 16:13:07]
NYKO Gamepad Mapping Tools.lnk - C:\Program Files\NYKO\Gamepad Mapping Tools\ngpmap.exe [2007-08-11 13:13:32]
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [2007-12-04 18:25:52]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-08-21 22:52:25]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-10-22 12:22 7700480 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-10-22 12:22 86016 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-12-08 17:35 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2005-12-14 18:06 577536 C:\WINDOWS\soundman.exe

R3 Alpham1;Ideazon ZBoard USB Human Interface Device;C:\WINDOWS\system32\DRIVERS\Alpham1.sys [2007-07-23 09:56]
R3 Alpham2;Ideazon ZBoard MM USB Human Interface Device;C:\WINDOWS\system32\DRIVERS\Alpham2.sys [2007-03-20 11:49]
S3 gUSBSTOi;gUSBSTOi;C:\DOCUME~1\Ryan\LOCALS~1\Temp\gUSBSTOi.sys []
S3 XDva032;XDva032;C:\WINDOWS\system32\XDva032.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 11:30:00 C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job"
- C:\Program Files\ErrorSmart\ErrorSmart.ex
- C:\Program Files\ErrorSmart
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-13 15:58:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-13 15:59:39
ComboFix-quarantined-files.txt 2008-01-13 23:59:18
ComboFix2.txt 2008-01-12 18:47:22

Edited by Sandcrawler, 12 January 2008 - 07:09 PM.


#11 SifuMike
malware expert, Staff Emeritus, 15,385 posts
Location: Vancouver (not BC) WA (Not DC) USA

Posted 12 January 2008 - 09:29 PM

You still have lots of files we need to remove.

Your log shows that you forgot to install the Recovery Console. :thumbsup:

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!


You need to install the Windows Recovery Console or create a bootable CD of NTFS4Dos.
Either of these will allow you to boot into a special recovery mode, which will allow me to help you in case your computer has a problem after an attempted removal of malware.

Please visit this webpage for instructions for installing RECOVERY CONSOLE:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
http://www.bleepingcomputer.com/tutorials/how-to-install-the-windows-xp-recovery-console/

Edited by SifuMike, 12 January 2008 - 09:33 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#12 Sandcrawler
Topic Starter, Members, 10 posts

Posted 12 January 2008 - 10:53 PM

Oh, whoops, it's set now. Do I need to rescan?

#13 SifuMike
malware expert, Staff Emeritus, 15,385 posts
Location: Vancouver (not BC) WA (Not DC) USA

Posted 12 January 2008 - 10:56 PM

Hi Sandcrawler,


Yes, please do the ComboFix scan again and post the log.

#14 Sandcrawler
Topic Starter, Members, 10 posts

Posted 13 January 2008 - 02:28 AM

ComboFix 08-01-13.1 - Ryan 2008-01-13 23:19:30.3 - NTFSx86
Running from: C:\Documents and Settings\Ryan\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-12-14 to 2008-01-14 )))))))))))))))))))))))))))))))
.

2008-01-13 19:52 . 2004-08-04 04:00 260,272 -r-hs---- C:\cmldr
2008-01-13 19:52 . 2005-11-17 15:14 211 --ahs---- C:\BOOT.BAK
2008-01-12 10:02 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-10 18:30 . 2008-01-10 18:30 <DIR> d-------- C:\Program Files\Sun
2008-01-10 18:30 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-09 20:35 . 2008-01-09 20:35 <DIR> d-------- C:\Program Files\CCleaner
2008-01-09 20:32 . 2008-01-09 20:32 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\ErrorSmart
2008-01-09 20:03 . 2008-01-09 20:49 <DIR> d-------- C:\Program Files\ErrorSmart
2008-01-08 06:16 . 2008-01-08 18:00 <DIR> d-------- C:\VundoFix Backups
2008-01-07 17:55 . 2008-01-07 17:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-03 20:54 . 2008-01-03 20:52 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-03 20:52 . 2008-01-03 22:08 <DIR> d-------- C:\Documents and Settings\Ryan\.housecall6.6
2007-12-30 22:59 . 2007-12-30 22:59 155,648 --a------ C:\WINDOWS\system32\NeroCheck .exe
2007-12-30 21:59 . 2007-12-30 21:59 <DIR> d-------- C:\WINDOWS\brkutjvk
2007-12-30 21:59 . 2007-12-30 21:59 2 --a------ C:\1681983773
2007-12-30 21:58 . 2007-12-30 21:59 <DIR> d-------- C:\WINDOWS\KB628926
2007-12-30 21:58 . 2007-12-30 21:58 58,368 --a------ C:\itqrga.exe
2007-12-30 21:58 . 2007-12-30 21:58 37,376 --a------ C:\WINDOWS\divabsrq.exe
2007-12-26 15:21 . 2007-12-26 15:21 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-26 15:21 . 2007-12-26 15:21 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-22 16:12 . 2007-12-22 16:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Last.fm
2007-12-16 18:50 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2007-12-16 18:22 . 2007-12-16 18:22 <DIR> d-------- C:\Program Files\CCP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-14 07:18 --------- d-----w C:\Documents and Settings\Ryan\Application Data\Xfire
2008-01-14 02:03 --------- d-----w C:\Program Files\StarWarsGalaxies
2008-01-11 02:30 --------- d-----w C:\Program Files\Java
2008-01-10 04:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-02 04:29 --------- d-----w C:\Program Files\QuickTime
2008-01-02 02:53 --------- d-----w C:\Program Files\Silkroad
2007-12-31 07:00 --------- d-----w C:\Program Files\iTunes
2007-12-31 06:05 --------- d-----w C:\Program Files\Xfire
2007-12-31 05:54 --------- d-----w C:\Program Files\PopCap Games
2007-12-24 02:59 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-12-24 02:55 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-12-23 00:13 --------- d-----w C:\Program Files\Last.fm
2007-12-22 23:58 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-12-20 14:16 --------- d-----w C:\Program Files\Lx_cats
2007-12-19 07:47 --------- d-----w C:\Documents and Settings\Ryan\Application Data\vmntoolbar
2007-12-19 02:56 --------- d-----w C:\Documents and Settings\Ryan\Application Data\Sites
2007-12-19 02:56 --------- d-----w C:\Documents and Settings\Ryan\Application Data\SiteClasses
2007-12-18 02:21 --------- d-----w C:\Documents and Settings\Ryan\Application Data\OpenOffice.org2
2007-12-09 19:43 172,544 ----a-w C:\WINDOWS\system32\cncs32.dll
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-12-02 06:50 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2007-12-02 06:45 --------- d-----w C:\Program Files\HP
2007-12-01 16:03 --------- d-----w C:\Program Files\Winamp
2007-12-01 16:03 --------- d-----w C:\Documents and Settings\Ryan\Application Data\Winamp
2007-11-29 14:15 --------- d-----w C:\Program Files\SpacialAudio
2007-11-29 14:13 --------- d-----w C:\Program Files\PostgreSQL
2007-11-28 08:51 --------- d-----w C:\Program Files\Text2Speech
2006-11-26 06:26 3,580 ----a-w C:\Program Files\INSTALL.LOG
2001-09-29 01:00 164,864 ----a-w C:\Program Files\UNWISE.EXE
.
<pre>
----a-w		 3,739,648 2007-12-31 07:00:18  C:\Program Files\Google\Google Talk\googletalk .exe
----a-w		   278,528 2007-12-31 07:00:07  C:\Program Files\iTunes\iTunesHelper .exe
----a-w			36,975 2007-12-31 07:00:06  C:\Program Files\Java\jre1.5.0_06\bin\jusched .exe
----a-w		   155,648 2007-12-31 06:59:59  C:\WINDOWS\system32\NeroCheck .exe
</pre>


((((((((((((((((((((((((((((( snapshot@2008-01-12_10.46.59.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-12 18:03:41 225,280 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-12 23:56:08 225,280 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-12 18:03:41 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-12 23:56:08 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-12 18:03:41 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-01-12 23:56:08 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
- 2008-01-12 18:03:41 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-12 23:56:08 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-12 18:03:41 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-12 23:56:08 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-12 18:03:41 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-12 23:56:08 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-12 18:03:43 9,416,704 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000007\ntuser.dat
+ 2008-01-12 23:56:11 9,433,088 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000007\ntuser.dat
- 2008-01-12 18:03:43 172,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000008\UsrClass.dat
+ 2008-01-12 23:56:11 172,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000008\UsrClass.dat
+ 2001-07-15 01:32:24 69,632 ----a-w C:\WINDOWS\setupupd\temp\wsdueng.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [ ]
"Start WingMan Profiler"="C:\Program Files\Logitech\Profiler\lwemon.exe" [2008-01-08 18:10 73728]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2008-01-08 18:10 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [ ]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"SoundMan"="SOUNDMAN.EXE" [2005-12-14 18:06 577536 C:\WINDOWS\soundman.exe]
"LXCCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll" [2005-01-10 01:21 69632]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22 86016]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [ ]
"CTHelper"="CTHELPER.EXE" [2006-08-11 13:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 13:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"Zboard"="C:\Program Files\Ideazon\ZEngine\Zboard.exe" [2008-01-08 18:10 57344]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-07-22 22:25 28160 C:\WINDOWS\KHALMNPR.Exe]
"Xfire Music"="C:\Program Files\Xfire\xfiremusic.exe" [ ]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [ ]
"ErrorSmart"="C:\Program Files\ErrorSmart\ErrorSmart.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.exe" [2006-08-11 13:42 25600 C:\WINDOWS\MIDIDEF.EXE]

C:\Documents and Settings\Ryan\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-12-22 16:13:07]
NYKO Gamepad Mapping Tools.lnk - C:\Program Files\NYKO\Gamepad Mapping Tools\ngpmap.exe [2007-08-11 13:13:32]
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [2007-12-04 18:25:52]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-08-21 22:52:25]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-10-22 12:22 7700480 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-10-22 12:22 86016 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-12-08 17:35 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2005-12-14 18:06 577536 C:\WINDOWS\soundman.exe

R3 Alpham1;Ideazon ZBoard USB Human Interface Device;C:\WINDOWS\system32\DRIVERS\Alpham1.sys [2007-07-23 09:56]
R3 Alpham2;Ideazon ZBoard MM USB Human Interface Device;C:\WINDOWS\system32\DRIVERS\Alpham2.sys [2007-03-20 11:49]
S3 gUSBSTOi;gUSBSTOi;C:\DOCUME~1\Ryan\LOCALS~1\Temp\gUSBSTOi.sys []
S3 XDva032;XDva032;C:\WINDOWS\system32\XDva032.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 11:30:00 C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job"
- C:\Program Files\ErrorSmart\ErrorSmart.exe
- C:\Program Files\ErrorSmart
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-13 23:25:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-13 23:26:27
ComboFix-quarantined-files.txt 2008-01-14 07:26:05
ComboFix2.txt 2008-01-13 23:59:40
ComboFix3.txt 2008-01-12 18:47:22

#15 SifuMike
malware expert, Staff Emeritus, 15,385 posts
Location: Vancouver (not BC) WA (Not DC) USA

Posted 13 January 2008 - 01:29 PM

Hello Sandcrawler,

Download http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe
to your Desktop.

Double click RenV.exe to run it.
It will produce a log for you; please post it.


****************************************

Click Start, then Run and type Notepad and click OK.
Open Notepad. Don't use any other text editor than Notepad, or the script will fail.
Copy/paste the text in the code box below into Notepad:

File:: 
C:\itqrga.exe
C:\WINDOWS\divabsrq.exe
C:\DOCUME~1\Ryan\LOCALS~1\Temp\gUSBSTOi.sys
C:\Program Files\ErrorSmart\ErrorSmart.ex

Folder:: 
C:\Documents and Settings\Ryan\Application Data\ErrorSmart
C:\Program Files\ErrorSmart
C:\VundoFix Backups
C:\WINDOWS\brkutjvk

Registry:: 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ErrorSmart"=-

Driver:: 
gUSBSTOi

FileLook:: 
C:\1681983773

DirLook:: 
C:\WINDOWS\brkutjvk
C:\WINDOWS\KB628926


Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
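As an added example that is not part of this thread and not code from ComboFix or RenV: a small Python parser over ComboFix-style log lines that flags the three kinds of entry the helper singled out above, autorun entries with no file details recorded (the `[ ]` entries), drivers with no file date or loaded from a Temp folder (gUSBSTOi), and executables renamed with a space before the extension (the pattern RenV.exe is used to revert). The sample lines are constructed from this thread's own logs; the regexes and reason strings are this example's own choices.

```python
import re

# Constructed sample in the ComboFix log format seen in this thread (Run entries,
# driver lines, a Find3M-style file line); it is not a complete log.
SAMPLE_LOG = r'''"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"ErrorSmart"="C:\Program Files\ErrorSmart\ErrorSmart.exe" [ ]
R3 Alpham1;Ideazon ZBoard USB Human Interface Device;C:\WINDOWS\system32\DRIVERS\Alpham1.sys [2007-07-23 09:56]
S3 gUSBSTOi;gUSBSTOi;C:\DOCUME~1\Ryan\LOCALS~1\Temp\gUSBSTOi.sys []
S3 XDva032;XDva032;C:\WINDOWS\system32\XDva032.sys []
----a-w   155,648 2007-12-31 06:59:59  C:\WINDOWS\system32\NeroCheck .exe
'''

# "Name"="path" [date time size]; an empty [ ] means ComboFix recorded no file details
RUN_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)"\s*\[(?P<info>[^\]]*)\]')
# R3/S3 service;description;path [date time]
DRIVER_RE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<svc>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)\s*\[(?P<info>[^\]]*)\]$')
# A space just before the extension, e.g. "qttask .exe": the renamed-file pattern RenV reverts
SPACED_EXT_RE = re.compile(r'\S \.(?:exe|dll|sys|cpl|scr)\b', re.IGNORECASE)
PATH_RE = re.compile(r'[A-Z]:\\[^"\[\];]*', re.IGNORECASE)


def flag_suspicious(log_text):
    """Return (line_number, reason, path) tuples for entries worth a closer look."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        line = line.rstrip()
        m = RUN_RE.match(line)
        if m and not m.group("info").strip():
            findings.append((lineno, "autorun entry with no file date/size recorded", m.group("path")))
        m = DRIVER_RE.match(line)
        if m:
            path = m.group("path").strip()
            if not m.group("info").strip():
                findings.append((lineno, "driver with no file date recorded", path))
            if re.search(r'\\Temp\\', path, re.IGNORECASE):
                findings.append((lineno, "driver loaded from a Temp directory", path))
        if SPACED_EXT_RE.search(line):
            pm = PATH_RE.search(line)
            findings.append((lineno, "executable name with a space before the extension",
                             pm.group(0) if pm else line))
    return findings


if __name__ == "__main__":
    for lineno, reason, path in flag_suspicious(SAMPLE_LOG):
        print(f"line {lineno}: {reason}: {path}")
```

These are triage heuristics, not verdicts: a legitimate driver can also show `[]` when ComboFix cannot read its timestamp, so each hit still needs the file itself checked.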