

Major Virtuemonde Infection Help Needed Win 2000


9 replies to this topic

#1 pinefarmgirl

pinefarmgirl

  • Members
  • 6 posts

Posted 18 June 2008 - 04:09 AM

Hi- I really need your help please. This thing is making my computer almost unusable, it will not function in normal mode, cannot go online or do anything except in safe mode. I have tried: Spybot S&D, AdAware, AVG, Malwarebytes, Virtumondobegone and vundofix- this thing will not go away. I tried to follow the instructions pinned for this thing, but could not get the Kaspersky scan to work in safe mode, and DSS keeps giving errors and will not work on this machine. So all I have left is my latest HijackThis log- HJT would not work in normal mode either, but did a scan in safe mode. I really hope somebody can help me with this-


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:55:48 AM, on 6/18/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode with network support

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\explorer.exe
C:\Documents and Settings\maureen\Desktop\virus\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?rs=1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13104CE1-DF78-4893-811E-2B2E59293C02} - (no file)
O2 - BHO: (no name) - {3355227D-6AB7-4243-9CAD-F607217C45B5} - (no file)
O2 - BHO: (no name) - {461DC981-2E9C-4C03-8322-5BBE19881D25} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {57A52E74-004C-464B-96CC-4DFE5366EA02} - (no file)
O2 - BHO: (no name) - {6CE8A5A5-1955-46AA-8454-E026E112F764} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {78401B2D-143C-4FC8-AE76-6B953543DC1A} - (no file)
O2 - BHO: (no name) - {8C221F44-0893-4496-8355-CD43661E0011} - (no file)
O2 - BHO: (no name) - {A652F520-E119-4C40-A159-1F5714A6F93C} - (no file)
O2 - BHO: (no name) - {b53a6b1d-000b-475c-85f3-1c5425d8cb16} - (no file)
O2 - BHO: (no name) - {C3E1383F-FD36-425C-AB0B-FF98EF992720} - C:\WINNT\system32\fccbXrSi.dll
O2 - BHO: {b26b23ac-5f6c-ea8a-f264-c9c3d3a5d00d} - {d00d5a3d-3c9c-462f-a8ae-c6f5ca32b62b} - C:\WINNT\system32\hxknyxej.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BMe7f68fa0] Rundll32.exe "C:\WINNT\system32\gwdmaiik.dll",s
O4 - HKLM\..\Run: [e4c5bc3c] rundll32.exe "C:\WINNT\system32\cfshuthb.dll",b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = D:\office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O20 - Winlogon Notify: xxyvssqn - C:\WINNT\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

--
End of file - 5332 bytes


#2 pinefarmgirl

pinefarmgirl
  • Topic Starter

  • Members
  • 6 posts

Posted 18 June 2008 - 08:11 PM

ok, so with Malwarebytes' help in safe mode I was able to spot this entry-
C:\WINNT\system32\fccbXrSi.dll
which could not be deleted- I was able to rename it and changed the extension to .nnn, which made it possible for mwb to delete it on reboot. For now I am able to access the net in normal mode, but this thing is still inserting itself into the registry, is still hiding somewhere. I know it will flare up again because it is still being detected by mwb. New hjt log-

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:09:39 PM, on 6/18/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\Mixer.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\explorer.exe
C:\Documents and Settings\maureen\Desktop\virus\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?rs=1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {D51DEFA1-DB9B-4405-B073-334769A01CD6} - (no file)
O2 - BHO: (no name) - {E62F1BF9-A829-4B84-A1A2-9B3EA299B71D} - C:\WINNT\system32\fccbXrSi.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BMe7f68fa0] Rundll32.exe "C:\WINNT\system32\gwdmaiik.dll",s
O4 - HKLM\..\Run: [e4c5bc3c] rundll32.exe "C:\WINNT\system32\vkjyejft.dll",b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = D:\office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O20 - Winlogon Notify: xxyvssqn - C:\WINNT\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

--
End of file - 5181 bytes
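As an added example (not from the thread, and not code from HijackThis or ComboFix), the Python below parses the O2 (BHO), O4 (Run) and O20 (Winlogon Notify) lines from excerpts of the two logs in posts #1 and #2, flags the loading points a helper would look at first, and diffs the two scans by loading-point identity so that a Run value whose name survived but whose DLL changed stands out. The heuristics (eight-letter DLL names, hex-only value names, Notify entries with no DLL file) and the embedded excerpts are this example's own assumptions; they produce suspicion, not verdicts.

```python
import re

# Excerpts of the two HijackThis logs posted above: the safe-mode scan (post #1)
# and the normal-mode scan after the rename-and-delete trick (post #2).
SAFE_MODE_LOG = r"""
O2 - BHO: (no name) - {13104CE1-DF78-4893-811E-2B2E59293C02} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {C3E1383F-FD36-425C-AB0B-FF98EF992720} - C:\WINNT\system32\fccbXrSi.dll
O2 - BHO: {b26b23ac-5f6c-ea8a-f264-c9c3d3a5d00d} - {d00d5a3d-3c9c-462f-a8ae-c6f5ca32b62b} - C:\WINNT\system32\hxknyxej.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BMe7f68fa0] Rundll32.exe "C:\WINNT\system32\gwdmaiik.dll",s
O4 - HKLM\..\Run: [e4c5bc3c] rundll32.exe "C:\WINNT\system32\cfshuthb.dll",b
O20 - Winlogon Notify: xxyvssqn - C:\WINNT\
"""

NORMAL_MODE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {D51DEFA1-DB9B-4405-B073-334769A01CD6} - (no file)
O2 - BHO: (no name) - {E62F1BF9-A829-4B84-A1A2-9B3EA299B71D} - C:\WINNT\system32\fccbXrSi.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BMe7f68fa0] Rundll32.exe "C:\WINNT\system32\gwdmaiik.dll",s
O4 - HKLM\..\Run: [e4c5bc3c] rundll32.exe "C:\WINNT\system32\vkjyejft.dll",b
O20 - Winlogon Notify: xxyvssqn - C:\WINNT\
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
RUN_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")

# Heuristics chosen for this example (assumptions, not HijackThis rules).
RANDOM_DLL = re.compile(r"(?:^|\\)[a-z]{8}\.dll\b", re.I)  # eight-letter gibberish DLL names
HEX_VALUE = re.compile(r"^(?:BM)?[0-9a-f]{8}$", re.I)      # Run value names that are bare hex


def parse_log(text):
    """Turn O2/O4/O20 lines into entries keyed by what identifies a loading point
    across scans: the BHO CLSID, the Run hive/key/value name, or the Notify subkey."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m["sec"], m["body"]
        if sec == "O2" and (b := BHO_RE.match(body)):
            entries.append({"sec": sec, "id": b["clsid"].upper(), "name": b["name"],
                            "target": b["path"], "raw": raw.strip()})
        elif sec == "O4" and (r := RUN_RE.match(body)):
            ident = "\\".join((r["hive"], r["key"], r["value"]))
            entries.append({"sec": sec, "id": ident, "name": r["value"],
                            "target": r["cmd"], "raw": raw.strip()})
        elif sec == "O20" and (n := NOTIFY_RE.match(body)):
            entries.append({"sec": sec, "id": "Notify\\" + n["name"], "name": n["name"],
                            "target": n["path"], "raw": raw.strip()})
    return entries


def flag_entry(e):
    """Reasons an entry deserves a second look; empty list means nothing stood out."""
    reasons, t = [], e["target"]
    if e["sec"] == "O2":
        if t == "(no file)" or t.endswith("(file missing)"):
            reasons.append("orphaned BHO: CLSID still registered but the DLL is gone")
        elif ("system32" in t.lower() and RANDOM_DLL.search(t)
              and (e["name"] == "(no name)" or e["name"].startswith("{"))):
            reasons.append("unnamed BHO loading a random-named DLL from system32")
    elif e["sec"] == "O4":
        if t.lower().startswith("rundll32") and RANDOM_DLL.search(t):
            reasons.append("rundll32 loading a random-named DLL at logon")
        if HEX_VALUE.match(e["name"]):
            reasons.append("Run value name is a bare hex string")
    elif e["sec"] == "O20":
        if t.endswith("\\") or not t.lower().endswith(".dll"):
            reasons.append("Winlogon Notify package with no DLL file in its path")
    return reasons


def triage(text):
    """Return {raw line: [reasons]} for every entry with at least one reason."""
    flagged = {}
    for e in parse_log(text):
        reasons = flag_entry(e)
        if reasons:
            flagged[e["raw"]] = reasons
    return flagged


def diff_logs(old_text, new_text):
    """Compare two scans by loading-point identity. 'retargeted' lists entries whose
    name survived but whose command or path changed between the scans."""
    old = {e["id"]: e for e in parse_log(old_text)}
    new = {e["id"]: e for e in parse_log(new_text)}
    return {
        "removed": sorted(k for k in old if k not in new),
        "added": sorted(k for k in new if k not in old),
        "retargeted": {k: (old[k]["target"], new[k]["target"])
                       for k in old if k in new and old[k]["target"] != new[k]["target"]},
    }


if __name__ == "__main__":
    for line, reasons in triage(SAFE_MODE_LOG).items():
        print(line, "\n   ->", "; ".join(reasons))
    print(diff_logs(SAFE_MODE_LOG, NORMAL_MODE_LOG))
```

The diff is the part worth keeping: between the two posts the BHO CLSIDs changed entirely, while the `e4c5bc3c` Run value kept its name and simply pointed at a different DLL, which is why deleting one file did not end the infection.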

#3 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests

Posted 19 June 2008 - 06:37 AM

Hi and Welcome to the forums.

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall

#4 pinefarmgirl

pinefarmgirl
  • Topic Starter

  • Members
  • 6 posts

Posted 19 June 2008 - 07:02 PM

Hi and thanks for responding so fast- I ran combofix as stated, here is the log from that and the hjt log after combofix ran- I know that entry O20 on the hjt log is still there and is part of this vundo junk- can I do more to get this stuff to go away?

ComboFix 08-06-19.1 - maureen 06/19/2008 16:45:24.1 - NTFSx86
Running from: C:\Documents and Settings\maureen\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\isgTi19
C:\Temp\sanR24
C:\WINNT\BMe7f68fa0.xml
C:\WINNT\pskt.ini
C:\WINNT\system32\acgtxkou.dll
C:\WINNT\system32\ayoenuni.dll
C:\WINNT\system32\bhtuhsfc.ini
C:\WINNT\system32\brputsak.dll
C:\WINNT\system32\fmlopmry.dll
C:\WINNT\system32\hxknyxej.dll
C:\WINNT\system32\jcknajty.dll
C:\WINNT\system32\manfcyny.ini
C:\WINNT\system32\MSINET.oca
C:\WINNT\system32\qyxksujk.dll
C:\WINNT\system32\rcahuhql.dll
C:\WINNT\system32\rybrxits.dll
C:\WINNT\system32\sqohfjca.dll
C:\WINNT\system32\tfjeyjkv.ini
C:\WINNT\system32\wmxogskk.dll
C:\WINNT\system32\xalepilb.dll
C:\WINNT\system32\xdeyoyln.dll
C:\WINNT\system32\xlsdxdvs.ini
C:\WINNT\system32\xwwjvrsd.ini
C:\WINNT\Web\default.htt

.
((((((((((((((((((((((((( Files Created from 2008-05-20 to 2008-06-20 )))))))))))))))))))))))))))))))
.

2008-06-18 15:07 . 08-06-18 15:07 <DIR> dr-h----- C:\$VAULT$.AVG
2008-06-18 01:39 . 08-06-18 01:39 <DIR> d-------- C:\Deckard
2008-06-18 00:28 . 08-06-18 00:28 0 --a------ C:\WINNT\system32\REN28E.tmp
2008-06-18 00:27 . 08-06-18 00:27 0 --a------ C:\WINNT\system32\REN38.tmp
2008-06-18 00:26 . 08-06-18 00:26 0 --a------ C:\WINNT\system32\REN31.tmp
2008-06-18 00:22 . 08-06-18 00:22 <DIR> d-------- C:\VundoFix Backups
2008-06-17 23:22 . 08-06-17 23:22 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-17 23:22 . 08-06-17 23:22 <DIR> d-------- C:\Documents and Settings\maureen\Application Data\Malwarebytes
2008-06-17 23:22 . 08-06-17 23:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-17 23:22 . 08-06-10 19:02 34,296 --a------ C:\WINNT\system32\drivers\mbamcatchme.sys
2008-06-17 23:22 . 08-06-10 19:02 15,864 --a------ C:\WINNT\system32\drivers\mbam.sys
2008-06-15 01:13 . 08-06-15 01:13 26,944 --a------ C:\WINNT\system32\drivers\avg7rsnt.sys
2008-06-14 20:23 . 08-06-14 20:29 <DIR> d-a------ C:\Program Files\NetZero
2008-06-14 00:22 . 08-06-19 16:44 <DIR> d-------- C:\Documents and Settings\maureen\Application Data\Azureus
2008-06-14 00:22 . 08-06-14 00:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-06-14 00:21 . 08-06-14 00:22 <DIR> d-------- C:\Program Files\Azureus
2008-05-24 09:40 . 07-11-01 01:02 <DIR> d-------- C:\Documents and Settings\wes\Application Data\AVG7
2008-05-24 09:40 . 08-06-15 01:13 <DIR> d-------- C:\Documents and Settings\wes
2008-05-23 02:22 . 08-05-23 02:22 81,321 --a------ C:\WINNT\SGTBox.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-18 08:27 --------- d-----w C:\Program Files\Java
2008-06-16 04:25 --------- d-----w C:\Program Files\eMule
2008-06-15 22:36 --------- d-----w C:\Documents and Settings\maureen\Application Data\AVG7
2008-06-15 09:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-06-15 09:12 --------- d---a-w C:\Documents and Settings\All Users\Application Data\avg7
2008-05-24 10:43 --------- d-----w C:\Program Files\Artweaver 0.5
2008-05-23 03:06 --------- d-----w C:\Program Files\Canon
2008-05-21 06:05 --------- d-----w C:\Program Files\iTunes
2008-05-15 23:00 --------- d-----w C:\Program Files\Apple Software Update
2008-05-15 11:53 --------- d-----w C:\Program Files\EphPod
2008-05-15 11:03 --------- d-----w C:\Program Files\iPod
2008-05-15 11:03 --------- d-----w C:\Documents and Settings\maureen\Application Data\Apple Computer
2008-05-15 11:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-05-15 10:43 --------- d-----w C:\Program Files\Winamp
2008-05-15 10:43 --------- d-----w C:\Documents and Settings\maureen\Application Data\Winamp
2008-05-15 09:49 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-15 09:49 --------- d-----w C:\Program Files\QuickTime
2008-05-07 14:59 --------- d-----w C:\Program Files\Nvu
2008-05-07 14:59 --------- d-----w C:\Documents and Settings\maureen\Application Data\Nvu
2007-11-01 07:53 271 ---h--w C:\Program Files\desktop.ini
2007-11-01 07:53 21,952 ---h--w C:\Program Files\folder.htt
2001-11-23 04:08 712,704 ----a-w C:\WINNT\inf\OTHER\AUDIO3D.DLL
1999-12-07 10:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D51DEFA1-DB9B-4405-B073-334769A01CD6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E62F1BF9-A829-4B84-A1A2-9B3EA299B71D}]
C:\WINNT\system32\fccbXrSi.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [05-05-31 01:04 1415824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 111376 C:\WINNT\system32\mobsync.exe]
"C-Media Mixer"="Mixer.exe" [02-06-11 23:23 1495040 C:\WINNT\mixer.exe]
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [01-07-09 11:50 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-04-27 09:41 282624]
"NvCplDaemon"="C:\WINNT\system32\NvCpl.dll" [06-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [06-10-22 12:22 1622016 C:\WINNT\system32\nwiz.exe]
"NvMediaCenter"="C:\WINNT\system32\NvMcTray.dll" [06-10-22 12:22 86016]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07-07-27 20:14 271672]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [08-06-15 03:21 579072]
"BMe7f68fa0"="C:\WINNT\system32\gwdmaiik.dll" [ ]
"e4c5bc3c"="C:\WINNT\system32\vkjyejft.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [08-06-15 01:13 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 12:05 186640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - D:\office\Office\OSA9.EXE [2000-01-21 00:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvssqn]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"e4c5bc3c"=rundll32.exe "C:\WINNT\system32\vkjyejft.dll",b
"BMe7f68fa0"=Rundll32.exe "C:\WINNT\system32\gwdmaiik.dll",s

R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\system32\Drivers\avg7rsnt.sys [08-06-15 01:13 ]
R3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [03-06-19 12:05 ]
S3 viafilter;VIA USB Filter;C:\WINNT\system32\Drivers\viausb.sys [03-06-18 16:48 ]

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-19 16:49:48
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINNT\system32\wbem\Repository\CIM.#EC
C:\WINNT\system32\wbem\Repository\CIM.$EC

scan completed successfully
hidden files: 2

**************************************************************************
.
Completion time: 2008-06-19 16:52:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-20 00:52:39

Pre-Run: 302,256,128 bytes free
Post-Run: 441,958,400 bytes free

138
=============================================================


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:55:08 PM, on 6/19/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Mixer.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\explorer.exe
C:\WINNT\explorer.exe
C:\Documents and Settings\maureen\Desktop\virus\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?rs=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {E62F1BF9-A829-4B84-A1A2-9B3EA299B71D} - C:\WINNT\system32\fccbXrSi.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BMe7f68fa0] Rundll32.exe "C:\WINNT\system32\gwdmaiik.dll",s
O4 - HKLM\..\Run: [e4c5bc3c] rundll32.exe "C:\WINNT\system32\vkjyejft.dll",b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = D:\office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O20 - Winlogon Notify: xxyvssqn - C:\WINNT\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

--
End of file - 5353 bytes
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

#5 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests

Posted 20 June 2008 - 12:25 PM

It may work better to run ComboFix this time from Safe Mode if possible or just totally disable Tea Timer using the link below.
http://www.malwarehelp.org/how-to-enabledi...t-teatimer.html
or
http://wiki.castlecops.com/Malware_Removal...toring_Programs


Copy the text below to notepad and save it to the desktop with the name CFScript

File::
C:\WINNT\system32\REN28E.tmp
C:\WINNT\system32\REN38.tmp
C:\WINNT\system32\REN31.tmp
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D51DEFA1-DB9B-4405-B073-334769A01CD6}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E62F1BF9-A829-4B84-A1A2-9B3EA299B71D}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BMe7f68fa0"=-
"e4c5bc3c"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvssqn]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

Once saved, drag CFScript.txt on top of ComboFix.exe and this will launch the tool and begin the script.


Once completed, post the new ComboFix log and a fresh HijackThis log.
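An added example, not part of the thread and not ComboFix's own code: a small parser for the CFScript format used above, which has a `File::` section listing files to delete and a `Registry::` section in REGEDIT4 syntax, where `[-KEY]` deletes a whole key, `[KEY]` selects the key the following lines apply to, and `"name"=-` deletes a value under it. A scope check then confirms that every registry action lands in one of the autostart locations the logs in this thread cover (BHO registrations, Run/RunOnce, Winlogon Notify). The reading of the directives and the allow-list are this example's assumptions.

```python
import re

# The CFScript from the post above, embedded here as the sample input.
CFSCRIPT = r"""
File::
C:\WINNT\system32\REN28E.tmp
C:\WINNT\system32\REN38.tmp
C:\WINNT\system32\REN31.tmp
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D51DEFA1-DB9B-4405-B073-334769A01CD6}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E62F1BF9-A829-4B84-A1A2-9B3EA299B71D}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BMe7f68fa0"=-
"e4c5bc3c"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvssqn]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"""

KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

# Autostart locations the HijackThis/ComboFix logs in this thread cover, matched as
# substrings of the lower-cased key path. ComboFix writes the BHO registration
# key with a "~" shorthand, so the match is on the trailing component.
AUTOSTART_HINTS = ("browser helper objects", "\\currentversion\\run", "\\winlogon\\notify")


def parse_cfscript(text):
    """Return a list of actions: ('delete_file', path), ('delete_key', key),
    ('delete_value', key\\name) or ('set_value', key\\name, data)."""
    actions, section, current_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):                 # section header such as File:: or Registry::
            section, current_key = line[:-2], None
            continue
        if section == "File":
            actions.append(("delete_file", line))
        elif section == "Registry":
            if (k := KEY_RE.match(line)):
                if k["delete"]:                 # [-KEY] removes the key and everything under it
                    actions.append(("delete_key", k["key"]))
                    current_key = None
                else:                           # [KEY] selects the key for the value lines below
                    current_key = k["key"]
            elif (v := VALUE_RE.match(line)):
                if current_key is None:
                    raise ValueError(f"value line outside a key: {line}")
                target = current_key + "\\" + v["name"]
                if v["data"] == "-":            # "name"=- deletes the value
                    actions.append(("delete_value", target))
                else:
                    actions.append(("set_value", target, v["data"]))
            else:
                raise ValueError(f"unrecognised Registry:: line: {line}")
        else:
            raise ValueError(f"line outside a known section: {line}")
    return actions


def summarize(actions):
    """Count actions by kind, so the reviewer sees the script's footprint at a glance."""
    counts = {}
    for a in actions:
        counts[a[0]] = counts.get(a[0], 0) + 1
    return counts


def out_of_scope(actions):
    """Registry actions that touch something other than the autostart locations above.
    An empty list means the script only removes loading points seen in the logs."""
    return [a for a in actions
            if a[0] != "delete_file" and not any(h in a[1].lower() for h in AUTOSTART_HINTS)]


if __name__ == "__main__":
    acts = parse_cfscript(CFSCRIPT)
    for a in acts:
        print(*a)
    print(summarize(acts))
    print("out of scope:", out_of_scope(acts))
```

Reviewing a removal script this way before dropping it on ComboFix is a cheap guard: the parser refuses lines it cannot classify instead of guessing, and the scope check makes a stray key deletion outside the autostart areas visible before anything is run.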

#6 pinefarmgirl

pinefarmgirl
  • Topic Starter

  • Members
  • 6 posts

Posted 20 June 2008 - 04:33 PM

Ok-yes, teatimer was kinda freakin out when I ran combo fix and I was not sure how to turn it off.

Edited by pinefarmgirl, 20 June 2008 - 08:07 PM.


#7 pinefarmgirl

pinefarmgirl
  • Topic Starter

  • Members
  • 6 posts

Posted 20 June 2008 - 08:18 PM

OK- Did exactly what you said, I even turned off AVG to be sure it wouldn't interfere. Here are my new logs:


ComboFix 08-06-19.1 - maureen 06/20/2008 18:01:52.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.342 [GMT -8:00]
Running from: C:\Documents and Settings\maureen\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\maureen\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINNT\system32\REN28E.tmp
C:\WINNT\system32\REN31.tmp
C:\WINNT\system32\REN38.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\system32\REN28E.tmp
C:\WINNT\system32\REN31.tmp
C:\WINNT\system32\REN38.tmp

.
((((((((((((((((((((((((( Files Created from 2008-05-21 to 2008-06-21 )))))))))))))))))))))))))))))))
.

2008-06-20 18:01 . 06/20/08 06:01p 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_344.dat
2008-06-20 17:43 . 06/20/08 05:43p 463,940 ---h----- C:\WINNT\ShellIconCache
2008-06-18 15:07 . 06/18/08 03:07p <DIR> dr-h----- C:\$VAULT$.AVG
2008-06-18 00:22 . 06/18/08 12:22a <DIR> d-------- C:\VundoFix Backups
2008-06-17 23:22 . 06/17/08 11:22p <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-17 23:22 . 06/17/08 11:22p <DIR> d-------- C:\Documents and Settings\maureen\Application Data\Malwarebytes
2008-06-17 23:22 . 06/17/08 11:22p <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-17 23:22 . 06/10/08 07:02p 34,296 --a------ C:\WINNT\system32\drivers\mbamcatchme.sys
2008-06-17 23:22 . 06/10/08 07:02p 15,864 --a------ C:\WINNT\system32\drivers\mbam.sys
2008-06-15 01:13 . 06/15/08 01:13a 26,944 --a------ C:\WINNT\system32\drivers\avg7rsnt.sys
2008-06-14 00:22 . 06/20/08 05:30p <DIR> d-------- C:\Documents and Settings\maureen\Application Data\Azureus
2008-06-14 00:22 . 06/14/08 12:22a <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-06-14 00:21 . 06/14/08 12:22a <DIR> d-------- C:\Program Files\Azureus
2008-05-24 09:40 . 11/01/07 01:02a <DIR> d-------- C:\Documents and Settings\wes\Application Data\AVG7
2008-05-24 09:40 . 06/15/08 01:13a <DIR> d-------- C:\Documents and Settings\wes
2008-05-23 02:22 . 05/23/08 02:22a 81,321 --a------ C:\WINNT\SGTBox.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-18 08:27 --------- d-----w C:\Program Files\Java
2008-06-16 04:25 --------- d-----w C:\Program Files\eMule
2008-06-15 22:36 --------- d-----w C:\Documents and Settings\maureen\Application Data\AVG7
2008-06-15 09:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-06-15 09:12 --------- d---a-w C:\Documents and Settings\All Users\Application Data\avg7
2008-05-24 10:43 --------- d-----w C:\Program Files\Artweaver 0.5
2008-05-23 03:06 --------- d-----w C:\Program Files\Canon
2008-05-21 06:05 --------- d-----w C:\Program Files\iTunes
2008-05-15 23:00 --------- d-----w C:\Program Files\Apple Software Update
2008-05-15 11:53 --------- d-----w C:\Program Files\EphPod
2008-05-15 11:03 --------- d-----w C:\Program Files\iPod
2008-05-15 11:03 --------- d-----w C:\Documents and Settings\maureen\Application Data\Apple Computer
2008-05-15 11:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-05-15 10:43 --------- d-----w C:\Program Files\Winamp
2008-05-15 10:43 --------- d-----w C:\Documents and Settings\maureen\Application Data\Winamp
2008-05-15 09:49 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-15 09:49 --------- d-----w C:\Program Files\QuickTime
2008-05-07 14:59 --------- d-----w C:\Program Files\Nvu
2008-05-07 14:59 --------- d-----w C:\Documents and Settings\maureen\Application Data\Nvu
2007-11-01 07:53 271 ---h--w C:\Program Files\desktop.ini
2007-11-01 07:53 21,952 ---h--w C:\Program Files\folder.htt
2001-11-23 04:08 712,704 ----a-w C:\WINNT\inf\OTHER\AUDIO3D.DLL
1999-12-07 10:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [06/19/03 12:05p 111376 C:\WINNT\system32\mobsync.exe]
"C-Media Mixer"="Mixer.exe" [06/11/02 11:23p 1495040 C:\WINNT\mixer.exe]
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [07/09/01 11:50a 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/27/07 09:41a 282624]
"NvCplDaemon"="C:\WINNT\system32\NvCpl.dll" [10/22/06 12:22p 7700480]
"nwiz"="nwiz.exe" [10/22/06 12:22p 1622016 C:\WINNT\system32\nwiz.exe]
"NvMediaCenter"="C:\WINNT\system32\NvMcTray.dll" [10/22/06 12:22p 86016]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/27/07 08:14p 271672]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [06/15/08 03:21a 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [06/15/08 01:13a 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - D:\office\Office\OSA9.EXE [2000-01-21 00:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\system32\Drivers\avg7rsnt.sys [06/15/08 01:13a]
R3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [06/19/03 12:05p]
S3 viafilter;VIA USB Filter;C:\WINNT\system32\Drivers\viausb.sys [06/18/03 04:48p]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-20 18:03:01
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 06/20/2008 18:03:29
ComboFix-quarantined-files.txt 2008-06-21 02:03:26

Pre-Run: 446,521,344 bytes free
Post-Run: 441,298,944 bytes free

102


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:04:51 PM, on 6/20/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\explorer.exe
C:\WINNT\explorer.exe
C:\Documents and Settings\maureen\Desktop\virus\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?rs=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = D:\office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

--
End of file - 4709 bytes
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Well, it looks so much cleaner to my amateur eyes. Thank you so much! I have been able to use this comp in normal mode since yesterday, it has been wonderful, although there were still a few annoying TeaTimer fights yesterday. Would you have any idea what that no-name BHO might be at O2 on HJT? I think that is the only thing on this log I don't recognize. You are wonderful, whoever you are!

#8 Guest_Cretemonster_*

  • Guests

Posted 22 June 2008 - 10:01 AM

It does indeed look much better. If you will...

Open HijackThis -> Click "Do a System Scan Only" and put a check by these, but DO NOT hit the Fix Checked button yet:

O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -

O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -

Now make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked button.


Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only
  • Follow the Instruction on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy & paste the entire report in your next reply.

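As an added worked example, not part of the original thread and not code from HijackThis or BleepingComputer, the Python script below parses the O2, O4 and O16 lines of a HijackThis v2 log and flags the two things this exchange turns on: O16 (Downloaded Program Files) entries with no source URL, which is why the two Java Plug-in lines above were queued for "Fix checked", and an O2 BHO listed as "(no name)", which the log identifies only by its file path (here Spybot-S&D's SDHelper.dll). The sample lines are constructed from the log posted in this thread; the regular expressions are my assumptions about the HJT line format and cover only these three sections.

```python
"""Parse HijackThis v2 log lines and flag the entries a helper typically
asks about: O16 (Downloaded Program Files) references with no source URL
and O2 BHOs registered without a display name."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: six lines copied in shape from the HijackThis log in this
# thread. It is embedded here so the script runs offline; it is not a new scan.
SAMPLE_LOG = r"""
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
"""

# Assumed line shapes, derived from the log above. HijackThis has other
# sections (R0, O3, O9, O23, ...) that this example deliberately skips.
_PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"),
    "O4": re.compile(r"^O4 - (?P<key>.*?): \[(?P<name>.*?)\] (?P<command>.*)$"),
    "O16": re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>.*?)\) -\s*(?P<url>\S*)\s*$"),
}


@dataclass
class Entry:
    section: str            # "O2", "O4" or "O16"
    fields: Dict[str, str]  # named groups from the matching pattern


def parse_hjt(text: str) -> List[Entry]:
    """Return one Entry per recognised HijackThis line; unknown sections are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        pattern = _PATTERNS.get(section)
        if pattern is None:
            continue
        match = pattern.match(line)
        if match:
            entries.append(Entry(section, match.groupdict()))
    return entries


def orphaned_dpf(entries: List[Entry]) -> List[str]:
    """CLSIDs of O16 entries whose download URL is empty: a Downloaded Program
    Files reference with nothing left to download, which is why such lines are
    routinely ticked and fixed in HijackThis."""
    return [e.fields["clsid"] for e in entries if e.section == "O16" and not e.fields["url"]]


def unnamed_bhos(entries: List[Entry]) -> List[str]:
    """File paths of O2 BHOs that register no display name; the path is the
    only thing that identifies them (here Spybot-S&D's SDHelper.dll)."""
    return [e.fields["path"] for e in entries if e.section == "O2" and e.fields["name"] == "(no name)"]


def review(entries: List[Entry]) -> List[str]:
    """Human-readable notes for the entries worth a second look."""
    notes = [f"O16 {clsid}: no source URL, orphaned Downloaded Program Files entry"
             for clsid in orphaned_dpf(entries)]
    notes += [f"O2 (no name) BHO: identify it by its file path, {path}"
              for path in unnamed_bhos(entries)]
    return notes


if __name__ == "__main__":
    for note in review(parse_hjt(SAMPLE_LOG)):
        print(note)
```

Run against the sample it reports the two Java Plug-in CLSIDs and the SDHelper.dll path; feeding it a full log requires no changes beyond adding patterns for the sections you care about.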

#9 pinefarmgirl

  • Topic Starter
  • Members
  • 6 posts

Posted 22 June 2008 - 07:44 PM

Want a good laugh? Yesterday evening I was online, enjoying my nice functioning computer, and CLINK! That's it, my hard drive is DOA... locked up, no function, blue screen, dead. And it was so nice and clean. :thumbsup: I put another hard drive in so I can get back online. If by some miracle it ever works again for a few minutes, I am going to pull everything off that I had not backed up, then if it continues I will do your last suggestion. Thank you so much for all your help. The fates are against me this month, though.

#10 Guest_Cretemonster_*

  • Guests

Posted 24 June 2008 - 04:50 AM

Oh wow... that just stinks!

Do let me know what happens. I'm very sorry to hear the drive decided to take a vacation at this point. :thumbsup:



