
Virtumonde For Sure, Maybe More Trojans Too


  • This topic is locked
10 replies to this topic

#1 Rookie0014

Rookie0014

  • Members
  • 20 posts
  • OFFLINE
  • Local time:08:26 AM

Posted 29 July 2008 - 06:52 PM

Greetings fellow techies.

As the title says, I have a common problem at the moment. Here's the situation. I picked up a trojan while looking for a UFC fight on a contaminated site (never been on that site before). And since then, I got rid of 1 virus, 3 trojans and about 240+ pieces of spyware.

Now I have tried using AVG, Avast, BitDefender, Spybot, Ad-Aware 2008, SmitfraudFix, Vundo, and a few more that I forget now.

I have cleaned up a good portion of the contamination; however, I think Virtumonde has made its way into my registry. I feel comfortable deleting some entries there, but I don't want to miss any. So, now I turn to you for help.

Symptoms at the beginning were Antivirus XP 2008: a big desktop icon (click anywhere and you brought up the icon) and pop-ups advertising their product. I believe, going through suggestions on some forums, that those symptoms are gone completely. But Spybot and Ad-Aware are still picking up Virtumonde, and they are not deleting it.

Here are the scans.

Kaspersky first

Monday, July 28, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, July 28, 2008 21:49:02
Records in database: 1017968
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area Critical Areas
C:\Program Files
E:\Documents and Settings\All Users\Start Menu\Programs\Startup
E:\Documents and Settings\Ray\Start Menu\Programs\Startup
E:\Program Files
E:\WINDOWS
Scan statistics
Files scanned 39600
Threat name 3
Infected objects 4
Suspicious objects 0
Duration of the scan 01:31:42

File name Threat name Threats count
E:\Program Files\Navilog1\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
E:\WINDOWS\SysNotifier.exe Infected: not-a-virus:FraudTool.Win32.XPShield.d 1
E:\WINDOWS\system32\ocdywnao.dll Infected: Trojan.Win32.Monder.axn 1
E:\WINDOWS\system32\sxgxvo.dll Infected: Trojan.Win32.Monder.axn 1
The selected area was scanned.

DSS next

Deckard's System Scanner v20071014.68
Run by Ray on 2008-07-29 20:35:06
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
18: 2008-07-30 00:35:10 UTC - RP18 - Deckard's System Scanner Restore Point
17: 2008-07-29 02:26:11 UTC - RP17 - Installed Ad-Aware
16: 2008-07-28 03:16:22 UTC - RP16 - System Checkpoint
15: 2008-07-27 02:43:34 UTC - RP15 - Installed Call of Duty® 2 Patch 1.3
14: 2008-07-27 02:42:47 UTC - RP14 - Removed Call of Duty® 2 Patch 1.3


-- First Restore Point --
1: 2008-07-23 23:13:07 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive E: has 2.42 GiB (less than 15%) free.


-- HijackThis (run as Ray.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:35:58, on 7/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
E:\Program Files\CDBurnerXP\NMSAccessU.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\PnkBstrA.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\WINDOWS\system32\rundll32.exe
E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
E:\Program Files\DNA\btdna.exe
E:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
F:\Xfire\xfire.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Documents and Settings\Ray\Desktop\dss.exe
E:\PROGRA~1\TRENDM~1\HIJACK~1\Ray.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.primericaonline.com/Login
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {6230596F-3A44-4CDF-815B-372FA03C75D6} - E:\WINDOWS\system32\tuvuTkhF.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {CC628875-53FE-4DE3-9CA8-E61652820398} - E:\WINDOWS\system32\usmt\vsracc.dll (file missing)
O2 - BHO: (no name) - {CCDEF853-4EA2-4263-A33A-E6616C4EF3AA} - E:\WINDOWS\system32\fccaAPFv.dll (file missing)
O2 - BHO: (no name) - {D35500D2-99B7-4D22-9D73-1842233EE6DB} - (no file)
O2 - BHO: {a9e85f87-222b-f9eb-c234-ce35cfeabd3f} - {f3dbaefc-53ec-432c-be9f-b22278f58e9a} - E:\WINDOWS\system32\hsblrm.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxWatchTray] "E:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [1cb15a69] rundll32.exe "E:\WINDOWS\system32\hdlrhuxc.dll",b
O4 - HKLM\..\Run: [egui] "E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [Mp4 Player] "E:\Program Files\Mp4 Player\Mp4Player.exe" hmw
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] E:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [BitTorrent DNA] "E:\Program Files\DNA\btdna.exe"
O4 - Startup: Xfire.lnk = F:\Xfire\xfire.exe
O4 - Global Startup: Kodak EasyShare software.lnk = E:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} (UnagiAx Class) - http://radaol-prod-web-rr.streamops.aol.co...agi3.0.84.2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O20 - Winlogon Notify: tuvuTkhF - E:\WINDOWS\SYSTEM32\tuvuTkhF.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - E:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - E:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NMSAccessU - Unknown owner - E:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - E:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - E:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - E:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - E:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - E:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - E:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--
End of file - 5716 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 Afc (PPdus ASPI Shell) - e:\windows\system32\drivers\afc.sys <Not Verified; Arcsoft, Inc.; Arcsoft® ASPI Shell>

S3 catchme - e:\docume~1\ray\locals~1\temp\catchme.sys (file missing)
S3 NPF (Netgroup Packet Filter) - e:\windows\system32\drivers\npf.sys <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver>
S3 Profos - e:\program files\common files\bitdefender\bitdefender threat scanner\profos.sys (file missing)
S3 Trufos - e:\program files\common files\bitdefender\bitdefender threat scanner\trufos.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Audio Controller
Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_00801462&REV_02\3&13C0B0C5&0&FD
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_00801462&REV_02\3&13C0B0C5&0&FD
Service:


-- Files created between 2008-06-29 and 2008-07-29 -----------------------------

2008-07-28 22:25:50 0 d-------- E:\Program Files\Common Files\Wise Installation Wizard
2008-07-27 15:29:30 0 d-------- E:\Program Files\Trend Micro
2008-07-26 22:20:31 0 d-------- E:\VundoFix Backups
2008-07-26 11:56:17 0 d-------- E:\Program Files\MSN Messenger
2008-07-26 11:02:31 0 d-------- E:\Program Files\Teamspeak2_RC2
2008-07-26 10:43:33 2676 --a------ E:\WINDOWS\system32\tmp.reg
2008-07-26 08:59:42 95360 --a------ E:\WINDOWS\system32\hdlrhuxc.dll
2008-07-26 08:57:28 116864 --a------ E:\WINDOWS\system32\jfoadgke.dll
2008-07-26 08:57:28 116864 --a------ E:\WINDOWS\system32\hsblrm.dll
2008-07-26 08:56:42 406012 --a------ E:\WINDOWS\system32\hkjSBJlm.ini2
2008-07-26 08:04:15 0 d-------- E:\Program Files\Safer Networking
2008-07-26 06:35:20 0 dr-h----- E:\Documents and Settings\Ray\Recent
2008-07-25 21:50:36 0 d-------- E:\Documents and Settings\All Users\Application Data\ESET
2008-07-25 01:16:44 200704 --a------ E:\WINDOWS\SysNotifier.exe
2008-07-25 01:16:20 303104 --a------ E:\WINDOWS\system32\yyykuewq.exe
2008-07-25 01:16:18 94848 --a------ E:\WINDOWS\system32\ptqwfnec.dll
2008-07-25 01:16:13 116864 --a------ E:\WINDOWS\system32\sxgxvo.dll
2008-07-25 01:16:12 116864 --a------ E:\WINDOWS\system32\ocdywnao.dll
2008-07-24 20:24:14 0 d--h----- E:\WINDOWS\PIF
2008-07-24 20:19:15 0 dr------- E:\Documents and Settings\LocalService\My Documents
2008-07-24 20:05:23 0 d-------- E:\Documents and Settings\Ray\Application Data\Aliant
2008-07-24 20:05:13 0 d-------- E:\Documents and Settings\All Users\Application Data\Aliant
2008-07-24 19:58:12 0 d-------- E:\Documents and Settings\Administrator\Application Data\Mozilla
2008-07-24 19:56:38 0 d--h----- E:\Documents and Settings\Administrator\Templates
2008-07-24 19:56:38 0 dr------- E:\Documents and Settings\Administrator\Start Menu
2008-07-24 19:56:38 0 dr-h----- E:\Documents and Settings\Administrator\SendTo
2008-07-24 19:56:38 0 d--h----- E:\Documents and Settings\Administrator\Recent
2008-07-24 19:56:38 0 d--h----- E:\Documents and Settings\Administrator\PrintHood
2008-07-24 19:56:38 524288 --ah----- E:\Documents and Settings\Administrator\NTUSER.DAT
2008-07-24 19:56:38 0 d--h----- E:\Documents and Settings\Administrator\NetHood
2008-07-24 19:56:38 0 d-------- E:\Documents and Settings\Administrator\My Documents
2008-07-24 19:56:38 0 d--h----- E:\Documents and Settings\Administrator\Local Settings
2008-07-24 19:56:38 0 d-------- E:\Documents and Settings\Administrator\Favorites
2008-07-24 19:56:38 0 d-------- E:\Documents and Settings\Administrator\Desktop
2008-07-24 19:56:38 0 d---s---- E:\Documents and Settings\Administrator\Cookies
2008-07-24 19:56:38 0 dr-h----- E:\Documents and Settings\Administrator\Application Data
2008-07-24 19:56:38 0 d---s---- E:\Documents and Settings\Administrator\Application Data\Microsoft
2008-07-24 19:55:27 0 d-------- E:\Documents and Settings\All Users\Application Data\Avg8
2008-07-24 18:36:35 0 d--hs---- E:\WINDOWS\CSC
2008-07-24 18:18:40 0 d-------- E:\Program Files\RogueRemover FREE
2008-07-24 06:13:28 77824 --a------ E:\WINDOWS\system32\xcomm.dll <Not Verified; BitDefender; BitDefender Communicator>
2008-07-24 05:54:20 0 d-a------ E:\Documents and Settings\All Users\Application Data\TEMP
2008-07-24 01:17:49 116864 --a------ E:\WINDOWS\system32\npcfjh.dll
2008-07-24 01:17:48 116864 --a------ E:\WINDOWS\system32\yqbxxskr.dll
2008-07-23 19:13:43 116864 --a------ E:\WINDOWS\system32\hpdvri.dll
2008-07-23 19:13:42 116864 --a------ E:\WINDOWS\system32\jusrkjbt.dll
2008-07-23 19:12:57 481684 --a------ E:\WINDOWS\system32\vFPAaccf.ini2
2008-07-23 19:08:03 552 --a------ E:\WINDOWS\system32\d3d8caps.dat
2008-07-23 07:53:06 33152 -----n--- E:\WINDOWS\system32\tuvuTkhF.dll
2008-07-23 07:52:44 0 d-------- E:\Documents and Settings\Ray\Application Data\TmpRecentIcons
2008-07-23 07:52:18 0 d-------- E:\Documents and Settings\Ray\Application Data\rhcacdj0e3be
2008-07-19 15:18:15 110080 --a------ E:\WINDOWS\system32\lphcecdj0e3be.exe
2008-07-13 14:54:09 0 d-------- E:\Program Files\DNA
2008-07-13 14:54:09 0 d-------- E:\Documents and Settings\Ray\Application Data\DNA
2008-07-06 19:06:52 0 d-------- E:\Documents and Settings\Ray\Application Data\ArcSoft
2008-07-06 19:06:04 0 d-------- E:\Program Files\Common Files\ArcSoft
2008-07-06 19:06:03 11776 --a------ E:\WINDOWS\system32\drivers\afc.sys <Not Verified; Arcsoft, Inc.; Arcsoft® ASPI Shell>
2008-07-06 19:05:04 212480 --a------ E:\WINDOWS\PCDLIB32.DLL <Not Verified; Eastman Kodak; Kodak Photo CD Access Developer Toolkit>
2008-07-06 19:05:04 0 d-------- E:\Program Files\ArcSoft
2008-07-06 19:03:19 0 d-------- E:\WINDOWS\Options
2008-07-06 19:03:18 0 d-------- E:\Program Files\Digital Video
2008-07-06 19:03:00 0 d-------- E:\Documents and Settings\Ray\Application Data\InstallShield
2008-07-05 09:47:17 180224 --a------ E:\WINDOWS\system32\xvidvfw.dll
2008-07-05 09:47:17 765952 --a------ E:\WINDOWS\system32\xvidcore.dll
2008-07-05 09:47:17 413760 --a------ E:\WINDOWS\system32\mpg4c32.dll <Not Verified; Microsoft Corporation; Microsoft MPEG-4 Video Codec>
2008-07-05 09:47:17 261632 --a------ E:\WINDOWS\system32\mcdvd_32.dll <Not Verified; MainConcept; MainConcept DV Codec "2.0.4>
2008-07-05 09:47:17 638976 --a------ E:\WINDOWS\system32\divx.dll <Not Verified; DivXNetworks, Inc.; DivX Video for Windows Codec>
2008-07-05 09:47:17 0 d-------- E:\Program Files\Common Files\AVSMedia
2008-07-05 09:47:16 0 d-------- E:\Program Files\AVSMedia
2008-07-02 20:22:30 0 d-------- E:\Program Files\JL_Cmder
2008-07-02 19:19:01 256 --a------ E:\Documents and Settings\Ray\pool.bin
2008-07-02 19:11:12 0 d-------- E:\Program Files\Roxio
2008-07-02 19:11:12 0 d-------- E:\Program Files\Common Files\Sonic Shared
2008-07-02 19:06:30 0 d-------- E:\Documents and Settings\Ray\Application Data\Blackberry Desktop
2008-07-02 18:56:58 0 d-------- E:\Documents and Settings\Ray\Application Data\Research In Motion
2008-07-02 18:56:42 0 d-------- E:\Program Files\Common Files\Research In Motion


-- Find3M Report ---------------------------------------------------------------

2008-07-29 07:37:13 53 --a------ E:\Documents and Settings\Ray\Application Data\AVSDVDPlayer.m3u
2008-07-28 22:26:15 0 d-------- E:\Program Files\Lavasoft
2008-07-28 22:25:50 0 d-------- E:\Program Files\Common Files
2008-07-28 22:01:53 0 d-------- E:\Documents and Settings\Ray\Application Data\teamspeak2
2008-07-26 22:43:11 0 d-------- E:\Program Files\InstallShield Installation Information
2008-07-26 12:32:01 0 d-------- E:\Program Files\Messenger
2008-07-24 18:31:44 81984 --a------ E:\WINDOWS\system32\bdod.bin
2008-07-23 21:29:39 0 d-------- E:\Documents and Settings\Ray\Application Data\Xfire
2008-07-23 21:27:56 0 d-------- E:\Program Files\Common Files\BitDefender
2008-07-23 19:08:03 1324 --a------ E:\WINDOWS\system32\d3d9caps.dat
2008-07-23 07:55:33 0 d-------- E:\Documents and Settings\Ray\Application Data\LimeWire
2008-07-22 21:41:16 0 d-------- E:\Program Files\copy of cod2
2008-07-20 08:19:55 0 d-------- E:\Program Files\Java
2008-07-17 18:39:01 256 --a------ E:\WINDOWS\system32\pool.bin
2008-07-06 19:04:13 0 d-------- E:\Program Files\Common Files\InstallShield
2008-07-02 19:11:50 0 d-------- E:\Program Files\Common Files\Roxio Shared
2008-06-21 22:58:35 0 d-------- E:\Documents and Settings\Ray\Application Data\Canneverbe_Limited
2008-06-21 22:58:19 0 d-------- E:\Program Files\CDBurnerXP


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6230596F-3A44-4CDF-815B-372FA03C75D6}]
07/23/2008 07:53 33152 --------- E:\WINDOWS\system32\tuvuTkhF.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC628875-53FE-4DE3-9CA8-E61652820398}]
E:\WINDOWS\system32\usmt\vsracc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CCDEF853-4EA2-4263-A33A-E6616C4EF3AA}]
E:\WINDOWS\system32\fccaAPFv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D35500D2-99B7-4D22-9D73-1842233EE6DB}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f3dbaefc-53ec-432c-be9f-b22278f58e9a}]
07/26/2008 08:57 116864 --a------ E:\WINDOWS\system32\hsblrm.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="E:\WINDOWS\system32\NvCpl.dll" [12/05/2007 01:41]
"nwiz"="nwiz.exe" [12/05/2007 01:41 E:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="E:\WINDOWS\system32\NvMcTray.dll" [12/05/2007 01:41]
"SunJavaUpdateSched"="E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27]
"TkBellExe"="E:\Program Files\Common Files\Real\Update_OB\realsched.exe" [02/14/2008 06:59]
"QuickTime Task"="E:\Program Files\QuickTime\qttask.exe" [03/28/2008 23:37]
"@"="" []
"RoxWatchTray"="E:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [03/26/2007 07:07]
"1cb15a69"="E:\WINDOWS\system32\hdlrhuxc.dll" [07/26/2008 08:59]
"egui"="E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [06/10/2008 18:52]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mp4 Player"="E:\Program Files\Mp4 Player\Mp4Player.exe" []
"Uniblue RegistryBooster 2"="E:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
"BitTorrent DNA"="E:\Program Files\DNA\btdna.exe" [07/13/2008 14:54]

E:\Documents and Settings\Ray\Start Menu\Programs\Startup\
Xfire.lnk - F:\Xfire\xfire.exe [7/15/2008 19:09:02]

E:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - E:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [9/19/2007 04:33:46]
Microsoft Office.lnk - E:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 17:05:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6230596F-3A44-4CDF-815B-372FA03C75D6}"= E:\WINDOWS\system32\tuvuTkhF.dll [07/23/2008 07:53 33152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvuTkhF]
tuvuTkhF.dll 07/23/2008 07:53 33152 E:\WINDOWS\system32\tuvuTkhF.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 E:\WINDOWS\system32\mlJBSjkh

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"




-- End of Deckard's System Scanner: finished at 2008-07-29 20:36:45 ------------

Hijack This now

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:29:51, on 7/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
E:\Program Files\CDBurnerXP\NMSAccessU.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\PnkBstrA.exe
E:\WINDOWS\system32\PnkBstrB.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\WINDOWS\system32\rundll32.exe
E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
E:\Program Files\DNA\btdna.exe
E:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
F:\Xfire\xfire.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.primericaonline.com/Login
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {6230596F-3A44-4CDF-815B-372FA03C75D6} - E:\WINDOWS\system32\tuvuTkhF.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {CC628875-53FE-4DE3-9CA8-E61652820398} - E:\WINDOWS\system32\usmt\vsracc.dll (file missing)
O2 - BHO: (no name) - {CCDEF853-4EA2-4263-A33A-E6616C4EF3AA} - E:\WINDOWS\system32\fccaAPFv.dll (file missing)
O2 - BHO: (no name) - {D35500D2-99B7-4D22-9D73-1842233EE6DB} - (no file)
O2 - BHO: {a9e85f87-222b-f9eb-c234-ce35cfeabd3f} - {f3dbaefc-53ec-432c-be9f-b22278f58e9a} - E:\WINDOWS\system32\hsblrm.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxWatchTray] "E:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [1cb15a69] rundll32.exe "E:\WINDOWS\system32\hdlrhuxc.dll",b
O4 - HKLM\..\Run: [egui] "E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Mp4 Player] "E:\Program Files\Mp4 Player\Mp4Player.exe" hmw
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] E:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [BitTorrent DNA] "E:\Program Files\DNA\btdna.exe"
O4 - Startup: Xfire.lnk = F:\Xfire\xfire.exe
O4 - Global Startup: Kodak EasyShare software.lnk = E:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} (UnagiAx Class) - http://radaol-prod-web-rr.streamops.aol.co...agi3.0.84.2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O20 - Winlogon Notify: tuvuTkhF - E:\WINDOWS\SYSTEM32\tuvuTkhF.dll
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - E:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - E:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NMSAccessU - Unknown owner - E:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - E:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - E:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - E:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - E:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - E:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - E:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - E:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--
End of file - 5899 bytes


Any help would be awesome
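The logs above can be read mechanically the way a removal helper reads them. The script below is an added example (not code from this thread, from HijackThis or from any removal tool): it scores O2/O4/O20 lines for the Vundo/Virtumonde pattern visible in the posted log, a randomly named DLL in system32 registered as an unnamed BHO, as a Winlogon Notify handler and as a rundll32 autorun with a hex-string value name. The weights, the threshold and the known-good Winlogon Notify list are assumptions made for the example; the sample lines are copied from the log above.

```python
"""Triage of HijackThis log lines: an added example, not code from the thread,
from HijackThis or from any removal tool.  It scores O2/O4/O20 entries with the
heuristics a removal helper applies to logs like the ones above (Vundo drops
randomly named DLLs into system32 and hooks them as BHO, Winlogon Notify handler
and rundll32 autorun).  Weights, threshold and the known-good list are assumed."""
import re
from collections import defaultdict

# Constructed sample: a subset of the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.primericaonline.com/Login
O2 - BHO: (no name) - {6230596F-3A44-4CDF-815B-372FA03C75D6} - E:\WINDOWS\system32\tuvuTkhF.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {CCDEF853-4EA2-4263-A33A-E6616C4EF3AA} - E:\WINDOWS\system32\fccaAPFv.dll (file missing)
O2 - BHO: {a9e85f87-222b-f9eb-c234-ce35cfeabd3f} - {f3dbaefc-53ec-432c-be9f-b22278f58e9a} - E:\WINDOWS\system32\hsblrm.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [1cb15a69] rundll32.exe "E:\WINDOWS\system32\hdlrhuxc.dll",b
O4 - HKLM\..\Run: [egui] "E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O20 - Winlogon Notify: tuvuTkhF - E:\WINDOWS\SYSTEM32\tuvuTkhF.dll
O23 - Service: Eset Service (ekrn) - ESET - E:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2})\s+-\s+(?P<body>.+)$")
# First drive-letter path on the line, capturing its .dll/.exe file name.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\\(?P<file>[\w.-]+\.(?:dll|exe))', re.IGNORECASE)
SYSTEM32_RE = re.compile(r"\\system32\\", re.IGNORECASE)
BHO_RE = re.compile(r"^BHO:\s*(?P<name>.*?)\s+-\s+\{")
RUN_RE = re.compile(r"\[(?P<key>[^\]]+)\]\s*(?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify:\s*(?P<name>\S+)")
SINGLE_EXPORT_RE = re.compile(r'\.dll"?,\s*\w$', re.IGNORECASE)
# Assumed known-good XP Winlogon Notify handlers; anything else is suspect.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "igfxcui"}

def looks_random(filename):
    """Vundo-style name: 5-8 letters, no digits, vowel-poor or oddly mixed case (weak alone)."""
    stem = filename.rsplit(".", 1)[0]
    if not stem.isalpha() or not 5 <= len(stem) <= 8:
        return False
    vowels = sum(c in "aeiouAEIOU" for c in stem)
    mixed = stem[1:] != stem[1:].lower() and stem[1:] != stem[1:].upper()
    return vowels / len(stem) < 0.3 or mixed

def score_entry(kind, body, path, filename, hook_kinds):
    """Return (reason, weight) pairs for one log entry."""
    reasons = []
    if path and SYSTEM32_RE.search(path) and looks_random(filename):
        reasons.append(("random-looking DLL name in system32", 1))
    if "(file missing)" in body:
        reasons.append(("registration points at a deleted file", 1))
    if kind == "O2":
        m = BHO_RE.match(body)
        if m and (m.group("name") == "(no name)" or m.group("name").startswith("{")):
            reasons.append(("BHO with no name", 1))
    elif kind == "O4":
        m = RUN_RE.search(body)
        if m:
            if re.fullmatch(r"[0-9a-f]{6,}", m.group("key")):
                reasons.append(("Run value named by a hex string", 1))
            if "rundll32" in m.group("cmd").lower() and SINGLE_EXPORT_RE.search(m.group("cmd")):
                reasons.append(("rundll32 calling a one-letter export", 1))
    elif kind == "O20":
        m = NOTIFY_RE.match(body)
        if m and m.group("name").lower() not in KNOWN_NOTIFY:
            reasons.append(("unknown Winlogon Notify handler", 2))
    if hook_kinds > 1:
        reasons.append((f"same file hooked by {hook_kinds} entry types", 1))
    return reasons

def triage(log_text, threshold=2):
    """Parse a HijackThis log and return the entries scoring >= threshold."""
    entries, kinds_by_file = [], defaultdict(set)
    for line in log_text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        pm = PATH_RE.search(body)
        path, filename = (pm.group(0), pm.group("file")) if pm else (None, None)
        if filename:
            kinds_by_file[filename.lower()].add(kind)  # cross-reference hooks per file
        entries.append((kind, body, path, filename))
    findings = []
    for kind, body, path, filename in entries:
        hooks = len(kinds_by_file[filename.lower()]) if filename else 0
        reasons = score_entry(kind, body, path, filename, hooks)
        score = sum(w for _, w in reasons)
        if score >= threshold:
            findings.append({"kind": kind, "file": filename, "score": score, "reasons": [r for r, _ in reasons]})
    return findings

def flagged_files(log_text):
    """Sorted, de-duplicated file names from the flagged entries."""
    return sorted({f["file"] for f in triage(log_text)})

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:<4} {f['file']:<14} score={f['score']}  {'; '.join(f['reasons'])}")
```

On the sample it flags tuvuTkhF.dll (O2 and O20), fccaAPFv.dll, hsblrm.dll and hdlrhuxc.dll, and leaves NvCpl.dll alone even though its short name trips the name heuristic, which is why that heuristic is only worth one point.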

#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:01:26 PM

Posted 01 August 2008 - 04:37 AM

Hello Rookie0014 and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Doubleclick mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

3. Restart your computer.

4. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first (not for Windows Vista users!).
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you. (WinXP SP3 users, please download the appropriate SP2 file, Home or Pro, to install the RC)

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder

#3 Rookie0014

Rookie0014
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:08:26 AM

Posted 01 August 2008 - 06:29 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:23:43, on 8/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
E:\Program Files\DNA\btdna.exe
E:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
F:\Xfire\xfire.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
E:\Program Files\CDBurnerXP\NMSAccessU.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\PnkBstrA.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.primericaonline.com/Login
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {CC628875-53FE-4DE3-9CA8-E61652820398} - E:\WINDOWS\system32\usmt\vsracc.dll (file missing)
O2 - BHO: (no name) - {CCDEF853-4EA2-4263-A33A-E6616C4EF3AA} - E:\WINDOWS\system32\fccaAPFv.dll (file missing)
O2 - BHO: (no name) - {D35500D2-99B7-4D22-9D73-1842233EE6DB} - (no file)
O2 - BHO: (no name) - {D7B3FAD2-894B-42DF-A4A8-A4EFA13EA1E7} - E:\WINDOWS\system32\tuvWopnm.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxWatchTray] "E:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [egui] "E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [Mp4 Player] "E:\Program Files\Mp4 Player\Mp4Player.exe" hmw
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] E:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [BitTorrent DNA] "E:\Program Files\DNA\btdna.exe"
O4 - Startup: Xfire.lnk = F:\Xfire\xfire.exe
O4 - Global Startup: Kodak EasyShare software.lnk = E:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} (UnagiAx Class) - http://radaol-prod-web-rr.streamops.aol.co...agi3.0.84.2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - E:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - E:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NMSAccessU - Unknown owner - E:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - E:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - E:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - E:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - E:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - E:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - E:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--
End of file - 5355 bytes



Malwarebytes' Anti-Malware 1.24
Database version: 1014
Windows 5.1.2600 Service Pack 2

07:53:54 8/1/2008
mbam-log-8-1-2008 (07-53-54).txt

Scan type: Quick Scan
Objects scanned: 42668
Time elapsed: 8 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 17
Registry Values Infected: 2
Registry Data Items Infected: 9
Folders Infected: 11
Files Infected: 27

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
E:\WINDOWS\system32\ligmnvhb.dll (Trojan.Vundo) -> Delete on reboot.
E:\WINDOWS\system32\orkmclog.dll (Trojan.Vundo) -> Delete on reboot.
E:\WINDOWS\system32\tuvWopnm.dll (Trojan.Vundo) -> Delete on reboot.
E:\WINDOWS\system32\tuvuTkhF.dll (Trojan.Vundo) -> Delete on reboot.
E:\WINDOWS\system32\hfcedt.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4f10d3ff-0fbf-40fb-830a-5f55760aa223} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4f10d3ff-0fbf-40fb-830a-5f55760aa223} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bf149fc8-dda3-4db0-8d27-6baeb1f7b35a} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{bf149fc8-dda3-4db0-8d27-6baeb1f7b35a} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6230596f-3a44-4cdf-815b-372fa03c75d6} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6230596f-3a44-4cdf-815b-372fa03c75d6} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tuvutkhf (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{002f3680-8f9a-4b8e-baf6-4dec68b58f01} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhcacdj0e3be (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XPShield (Rogue.XPShield) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1cb15a69 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6230596f-3a44-4cdf-815b-372fa03c75d6} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: e:\windows\system32\tuvwopnm -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: e:\windows\system32\tuvwopnm -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (55274-649-6478953-23950) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
E:\Documents and Settings\Ray\Application Data\rhcacdj0e3be (Rogue.Multiple) -> Quarantined and deleted successfully.
E:\Documents and Settings\Ray\Application Data\rhcacdj0e3be\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
E:\Documents and Settings\Ray\Application Data\rhcacdj0e3be\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
E:\Documents and Settings\Ray\Application Data\rhcacdj0e3be\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
E:\Documents and Settings\Ray\Application Data\rhcacdj0e3be\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
E:\Documents and Settings\Ray\Application Data\rhcacdj0e3be\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
E:\Documents and Settings\Ray\Application Data\rhcacdj0e3be\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
E:\Documents and Settings\Ray\Application Data\rhcacdj0e3be\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
E:\Documents and Settings\Ray\Application Data\rhcacdj0e3be\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
E:\Documents and Settings\Ray\Application Data\rhcacdj0e3be\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
E:\Documents and Settings\Ray\Application Data\rhcacdj0e3be\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
E:\WINDOWS\system32\pfylap.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\tuvWopnm.dll (Trojan.Vundo) -> Delete on reboot.
E:\WINDOWS\system32\mnpoWvut.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\mnpoWvut.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\hdlrhuxc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\cxuhrldh.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\ligmnvhb.dll (Trojan.Vundo) -> Delete on reboot.
E:\WINDOWS\system32\bhvnmgil.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\orkmclog.dll (Trojan.Vundo) -> Delete on reboot.
E:\WINDOWS\system32\golcmkro.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\ptqwfnec.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\cenfwqtp.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\tuvuTkhF.dll (Trojan.Vundo) -> Delete on reboot.
E:\WINDOWS\system32\hfcedt.dll (Trojan.Vundo) -> Delete on reboot.
E:\WINDOWS\system32\irtffkyg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\jfoadgke.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\npcfjh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\hpdvri.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\hsblrm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\jusrkjbt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\yqbxxskr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\nuxrqldd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\fpaxtkvo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\Documents and Settings\Ray\Local Settings\Temporary Internet Files\Content.IE5\KXWZEBIB\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\Documents and Settings\Ray\Local Settings\Temporary Internet Files\Content.IE5\R7SGEO13\kb767887[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
E:\WINDOWS\SysNotifier.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.



Now the only issue I have is that I do not have a Windows XP CD, and I believe the last time my computer was formatted, the person who did it didn't have a legit key, which I plan on rectifying in the next couple of months. It's affecting my business and day-to-day transactions that I can't get updates and format as I used to do every couple of months. I read in the ComboFix instructions that I need a legit copy to run it. For now, I can't do it.

I do believe however, according to this log, that the problems are fixed.

Awaiting your reply.

#4 Thunder

Posted 01 August 2008 - 09:40 AM

Hello Rookie0014,

You can use the WinXP SP2 file, found at the bottom of this page:
http://support.microsoft.com/kb/310994
to install the Recovery Console by dragging it onto ComboFix.exe. :thumbsup:
(Just verify you download the correct version, Home or Pro.)

Greetings,
Thunder

#5 Rookie0014

Posted 01 August 2008 - 08:28 PM

ComboFix 08-07-31.04 - Ray 2008-08-01 22:16:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.608 [GMT -4:00]
Running from: E:\Documents and Settings\Ray\Desktop\ComboFix.exe
Command switches used :: E:\Documents and Settings\Ray\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\RECYCLER\desktopA.sys
E:\WINDOWS\system32\drivers\npf.sys
E:\WINDOWS\system32\hkjSBJlm.ini
E:\WINDOWS\system32\hkjSBJlm.ini2
E:\WINDOWS\system32\jencihde.ini
E:\WINDOWS\system32\keezyi.dll
E:\WINDOWS\system32\mcrh.tmp
E:\WINDOWS\system32\mwrkheas.ini
E:\WINDOWS\system32\Packet.dll
E:\WINDOWS\system32\pthreadVC.dll
E:\WINDOWS\system32\vFPAaccf.ini
E:\WINDOWS\system32\vFPAaccf.ini2
E:\WINDOWS\system32\wiokmvkn.dll
E:\WINDOWS\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-07-02 to 2008-08-02 )))))))))))))))))))))))))))))))
.

2008-08-01 07:43 . 2008-08-01 07:43 <DIR> d-------- E:\Program Files\Malwarebytes' Anti-Malware
2008-08-01 07:43 . 2008-08-01 07:43 <DIR> d-------- E:\Documents and Settings\Ray\Application Data\Malwarebytes
2008-08-01 07:43 . 2008-08-01 07:43 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-01 07:43 . 2008-07-30 20:07 38,472 --a------ E:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-01 07:43 . 2008-07-30 20:07 17,144 --a------ E:\WINDOWS\system32\drivers\mbam.sys
2008-07-29 20:34 . 2008-07-29 20:34 <DIR> d-------- E:\Deckard
2008-07-28 22:25 . 2008-07-28 22:25 <DIR> d-------- E:\Program Files\Common Files\Wise Installation Wizard
2008-07-27 15:29 . 2008-07-27 15:29 <DIR> d-------- E:\Program Files\Trend Micro
2008-07-26 22:20 . 2008-07-26 22:20 <DIR> d-------- E:\VundoFix Backups
2008-07-26 11:56 . 2008-07-26 11:56 <DIR> d-------- E:\Program Files\MSN Messenger
2008-07-26 11:02 . 2008-07-26 11:02 <DIR> d-------- E:\Program Files\Teamspeak2_RC2
2008-07-26 11:02 . 2008-07-26 11:02 34,064 --a------ E:\WINDOWS\system32\lhacm.acm
2008-07-26 10:43 . 2008-07-26 10:43 2,676 --a------ E:\WINDOWS\system32\tmp.reg
2008-07-26 10:14 . 2008-07-26 10:14 7,499,056 --a------ E:\Firefox Setup 3.0.1.exe
2008-07-26 08:04 . 2008-07-26 08:04 <DIR> d-------- E:\Program Files\Safer Networking
2008-07-25 21:50 . 2008-07-25 21:50 <DIR> d-------- E:\Program Files\ESET
2008-07-25 21:50 . 2008-07-25 21:50 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\ESET
2008-07-25 01:16 . 2008-07-25 01:16 303,104 --a------ E:\WINDOWS\system32\yyykuewq.exe
2008-07-24 20:24 . 2008-07-24 20:24 <DIR> d--h----- E:\WINDOWS\PIF
2008-07-24 20:05 . 2008-07-25 21:38 <DIR> d-------- E:\Documents and Settings\Ray\Application Data\Aliant
2008-07-24 20:05 . 2008-07-25 21:38 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Aliant
2008-07-24 19:56 . 2008-07-24 19:56 <DIR> d-------- E:\Documents and Settings\Administrator
2008-07-24 19:55 . 2008-07-24 19:55 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Avg8
2008-07-24 18:18 . 2008-07-25 21:39 <DIR> d-------- E:\Program Files\RogueRemover FREE
2008-07-24 06:13 . 2008-07-24 06:13 77,824 --a------ E:\WINDOWS\system32\xcomm.dll
2008-07-24 05:54 . 2008-07-26 01:10 <DIR> d-a------ E:\Documents and Settings\All Users\Application Data\TEMP
2008-07-23 19:23 . 2008-07-29 05:07 409 --a------ E:\WINDOWS\wininit.ini
2008-07-23 19:08 . 2008-07-23 19:08 552 --a------ E:\WINDOWS\system32\d3d8caps.dat
2008-07-15 19:09 . 2008-07-15 19:09 42,320 --a------ E:\WINDOWS\system32\xfcodec.dll
2008-07-13 14:54 . 2008-07-13 14:54 <DIR> d-------- E:\Program Files\DNA
2008-07-13 14:54 . 2008-08-01 22:18 <DIR> d-------- E:\Documents and Settings\Ray\Application Data\DNA
2008-07-06 19:06 . 2008-07-06 19:06 <DIR> d-------- E:\Program Files\Common Files\ArcSoft
2008-07-06 19:06 . 2008-07-06 19:06 <DIR> d-------- E:\Documents and Settings\Ray\Application Data\ArcSoft
2008-07-06 19:06 . 2005-02-22 22:58 11,776 --a------ E:\WINDOWS\system32\drivers\afc.sys
2008-07-06 19:05 . 2008-07-06 19:05 <DIR> d-------- E:\Program Files\ArcSoft
2008-07-06 19:05 . 2004-12-06 18:11 258,352 --a------ E:\WINDOWS\system32\unicows.dll
2008-07-06 19:05 . 1995-07-31 12:44 212,480 --a------ E:\WINDOWS\PCDLIB32.DLL
2008-07-06 19:03 . 2008-07-06 19:03 <DIR> d-------- E:\WINDOWS\Options
2008-07-06 19:03 . 2008-07-06 19:03 <DIR> d-------- E:\Program Files\Digital Video
2008-07-06 19:03 . 2008-07-06 19:03 <DIR> d-------- E:\Documents and Settings\Ray\Application Data\InstallShield
2008-07-05 09:47 . 2008-07-05 09:47 <DIR> d-------- E:\Program Files\Common Files\AVSMedia
2008-07-05 09:47 . 2008-07-05 09:47 <DIR> d-------- E:\Program Files\AVSMedia
2008-07-02 19:19 . 2008-07-02 19:19 256 --a------ E:\Documents and Settings\Ray\pool.bin
2008-07-02 19:11 . 2008-07-02 19:11 <DIR> d-------- E:\Program Files\Roxio
2008-07-02 19:11 . 2008-07-02 19:13 <DIR> d-------- E:\Program Files\Common Files\Sonic Shared
2008-07-02 19:06 . 2008-07-02 19:06 <DIR> d-------- E:\Documents and Settings\Ray\Application Data\Blackberry Desktop
2008-07-02 18:56 . 2008-07-02 19:06 <DIR> d-------- E:\Program Files\Common Files\Research In Motion
2008-07-02 18:56 . 2008-07-02 18:56 <DIR> d-------- E:\Documents and Settings\Ray\Application Data\Research In Motion

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-02 01:40 --------- d-----w E:\Documents and Settings\Ray\Application Data\teamspeak2
2008-08-01 12:03 --------- d-----w E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-29 02:26 --------- d-----w E:\Program Files\Lavasoft
2008-07-28 02:43 22,328 ----a-w E:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-07-27 02:43 --------- d-----w E:\Program Files\InstallShield Installation Information
2008-07-26 12:14 --------- d-----w E:\Program Files\Spybot - Search & Destroy
2008-07-24 01:29 --------- d-----w E:\Documents and Settings\Ray\Application Data\Xfire
2008-07-24 01:27 --------- d-----w E:\Program Files\Common Files\BitDefender
2008-07-23 11:55 --------- d-----w E:\Documents and Settings\Ray\Application Data\LimeWire
2008-07-23 01:41 --------- d-----w E:\Program Files\copy of cod2
2008-07-20 12:19 --------- d-----w E:\Program Files\Java
2008-07-19 22:43 --------- d-----w E:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-06 23:04 --------- d-----w E:\Program Files\Common Files\InstallShield
2008-07-02 23:11 --------- d-----w E:\Program Files\Common Files\Roxio Shared
2008-07-02 23:11 --------- d-----w E:\Documents and Settings\All Users\Application Data\Roxio
2008-06-22 02:58 --------- d-----w E:\Program Files\CDBurnerXP
2008-06-22 02:58 --------- d-----w E:\Documents and Settings\Ray\Application Data\Canneverbe_Limited
2008-06-10 22:56 34,312 ----a-w E:\WINDOWS\system32\drivers\epfwtdir.sys
2008-06-10 22:48 53,256 ----a-w E:\WINDOWS\system32\drivers\easdrv.sys
2008-06-10 22:47 39,944 ----a-w E:\WINDOWS\system32\drivers\eamon.sys
2007-12-26 04:44 22,328 -c--a-w E:\Documents and Settings\Ray\Application Data\PnkBstrK.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="E:\Program Files\DNA\btdna.exe" [2008-07-13 14:54 289088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="E:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"NvMediaCenter"="E:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"SunJavaUpdateSched"="E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"TkBellExe"="E:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-14 06:59 185896]
"QuickTime Task"="E:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"RoxWatchTray"="E:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-03-26 07:07 228088]
"egui"="E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-06-10 18:52 1447168]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 E:\WINDOWS\system32\nwiz.exe]

E:\Documents and Settings\Ray\Start Menu\Programs\Startup\
Xfire.lnk - F:\Xfire\xfire.exe [2008-07-15 19:09:02 3050832]

E:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - E:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624]
Microsoft Office.lnk - E:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 17:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"E:\\Program Files\\Messenger\\msmsgs.exe"=
"E:\\WINDOWS\\system32\\PnkBstrA.exe"=
"E:\\WINDOWS\\system32\\PnkBstrB.exe"=
"F:\\Xfire\\xfire.exe"=
"E:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"E:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\kav\\kav7\\setup.exe"=
"E:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\pfs\\callatl\\rteng9.exe"=
"E:\\Program Files\\copy of cod2\\CoD2MPcopy_s.exe"=
"E:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"E:\\Program Files\\DNA\\btdna.exe"=
"E:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"E:\\Program Files\\Activision\\Call of Duty 2\\Copy of CoD2MP_s1.0.exe"=

R1 epfwtdir;epfwtdir;E:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-06-10 18:56]
R2 NMSAccessU;NMSAccessU;E:\Program Files\CDBurnerXP\NMSAccessU.exe [2008-06-15 15:34]
R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;E:\WINDOWS\system32\drivers\Envy24HF.sys [2004-11-25 23:55]
S3 RimSerPort;RIM Virtual Serial Port;E:\WINDOWS\system32\DRIVERS\RimSerial.sys [2007-01-18 10:24]
.
- - - - ORPHANS REMOVED - - - -

BHO-{CC628875-53FE-4DE3-9CA8-E61652820398} - E:\WINDOWS\system32\usmt\vsracc.dll
BHO-{CCDEF853-4EA2-4263-A33A-E6616C4EF3AA} - E:\WINDOWS\system32\fccaAPFv.dll
BHO-{D7B3FAD2-894B-42DF-A4A8-A4EFA13EA1E7} - E:\WINDOWS\system32\tuvWopnm.dll
HKCU-Run-Mp4 Player - E:\Program Files\Mp4 Player\Mp4Player.exe
HKCU-Run-Uniblue RegistryBooster 2 - E:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - E:\Documents and Settings\Ray\Application Data\Mozilla\Firefox\Profiles\eegzgcal.default\
FF -: plugin - C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll
FF -: plugin - C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll
FF -: plugin - C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF -: plugin - E:\Program Files\DNA\plugins\npbtdna.dll
FF -: plugin - E:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-01 22:19:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
E:\WINDOWS\system32\rundll32.exe
E:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\PnkBstrA.exe
E:\WINDOWS\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-08-01 22:22:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-02 02:22:43

Pre-Run: 5,573,611,520 bytes free
Post-Run: 5,576,908,800 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Professional" /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

2008-06-22 02:58 --------- d-----w E:\Documents and Settings\Ray\Application Data\Canneverbe_Limited
2008-06-10 22:56 34,312 ----a-w E:\WINDOWS\system32\drivers\epfwtdir.sys
2008-06-10 22:48 53,256 ----a-w E:\WINDOWS\system32\drivers\easdrv.sys
2008-06-10 22:47 39,944 ----a-w E:\WINDOWS\system32\drivers\eamon.sys
2007-12-26 04:44 22,328 -c--a-w E:\Documents and Settings\Ray\Application Data\PnkBstrK.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="E:\Program Files\DNA\btdna.exe" [2008-07-13 14:54 289088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="E:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"NvMediaCenter"="E:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"SunJavaUpdateSched"="E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"TkBellExe"="E:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-14 06:59 185896]
"QuickTime Task"="E:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"RoxWatchTray"="E:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-03-26 07:07 228088]
"egui"="E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-06-10 18:52 1447168]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 E:\WINDOWS\system32\nwiz.exe]

E:\Documents and Settings\Ray\Start Menu\Programs\Startup\
Xfire.lnk - F:\Xfire\xfire.exe [2008-07-15 19:09:02 3050832]

E:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - E:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624]
Microsoft Office.lnk - E:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 17:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"E:\\Program Files\\Messenger\\msmsgs.exe"=
"E:\\WINDOWS\\system32\\PnkBstrA.exe"=
"E:\\WINDOWS\\system32\\PnkBstrB.exe"=
"F:\\Xfire\\xfire.exe"=
"E:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"E:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\kav\\kav7\\setup.exe"=
"E:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\pfs\\callatl\\rteng9.exe"=
"E:\\Program Files\\copy of cod2\\CoD2MPcopy_s.exe"=
"E:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"E:\\Program Files\\DNA\\btdna.exe"=
"E:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"E:\\Program Files\\Activision\\Call of Duty 2\\Copy of CoD2MP_s1.0.exe"=

R1 epfwtdir;epfwtdir;E:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-06-10 18:56]
R2 NMSAccessU;NMSAccessU;E:\Program Files\CDBurnerXP\NMSAccessU.exe [2008-06-15 15:34]
R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;E:\WINDOWS\system32\drivers\Envy24HF.sys [2004-11-25 23:55]
S3 RimSerPort;RIM Virtual Serial Port;E:\WINDOWS\system32\DRIVERS\RimSerial.sys [2007-01-18 10:24]
.
- - - - ORPHANS REMOVED - - - -

BHO-{CC628875-53FE-4DE3-9CA8-E61652820398} - E:\WINDOWS\system32\usmt\vsracc.dll
BHO-{CCDEF853-4EA2-4263-A33A-E6616C4EF3AA} - E:\WINDOWS\system32\fccaAPFv.dll
BHO-{D7B3FAD2-894B-42DF-A4A8-A4EFA13EA1E7} - E:\WINDOWS\system32\tuvWopnm.dll
HKCU-Run-Mp4 Player - E:\Program Files\Mp4 Player\Mp4Player.exe
HKCU-Run-Uniblue RegistryBooster 2 - E:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - E:\Documents and Settings\Ray\Application Data\Mozilla\Firefox\Profiles\eegzgcal.default\
FF -: plugin - C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll
FF -: plugin - C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll
FF -: plugin - C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF -: plugin - E:\Program Files\DNA\plugins\npbtdna.dll
FF -: plugin - E:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-01 22:19:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
E:\WINDOWS\system32\rundll32.exe
E:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\PnkBstrA.exe
E:\WINDOWS\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-08-01 22:22:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-02 02:22:43

Pre-Run: 5,573,611,520 bytes free
Post-Run: 5,576,908,800 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Professional" /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

201


----------------------------------------------------------------------------------------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:25:32, on 8/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
E:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
E:\Program Files\DNA\btdna.exe
E:\Program Files\CDBurnerXP\NMSAccessU.exe
E:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
E:\WINDOWS\system32\nvsvc32.exe
F:\Xfire\xfire.exe
E:\WINDOWS\system32\PnkBstrA.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\wuauclt.exe
E:\WINDOWS\explorer.exe
E:\WINDOWS\system32\notepad.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.primericaonline.com/Login
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxWatchTray] "E:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [egui] "E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [BitTorrent DNA] "E:\Program Files\DNA\btdna.exe"
O4 - Startup: Xfire.lnk = F:\Xfire\xfire.exe
O4 - Global Startup: Kodak EasyShare software.lnk = E:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} (UnagiAx Class) - http://radaol-prod-web-rr.streamops.aol.co...agi3.0.84.2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - E:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - E:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NMSAccessU - Unknown owner - E:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - E:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - E:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - E:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - E:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - E:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - E:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--
End of file - 5057 bytes


---------------------------------------------------------------------------------------------------------------------------------------------

#6 Thunder

Posted 02 August 2008 - 05:18 AM

Hello Rookie0014,

Let's clean up some more:

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the bold, blue text below into an empty Notepad window:
Collect::[9]
E:\WINDOWS\system32\yyykuewq.exe
Folder::
E:\VundoFix Backups

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

(screenshot: dragging CFScript onto ComboFix.exe)

This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply, as well as a fresh HijackThis log.

When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open.
Simply follow the instructions to copy/paste/send the requested file [9]-Submit_Date_Time.zip.

Are you still having problems?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.

#7 Rookie0014

Posted 02 August 2008 - 06:10 PM

So far, no pop ups or anything, what we have done so far has really, really cleaned up, and sped things up big time.

#8 Rookie0014

Posted 02 August 2008 - 06:22 PM

ComboFix 08-07-31.04 - Ray 2008-08-02 20:11:41.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.622 [GMT -4:00]
Running from: E:\Documents and Settings\Ray\Desktop\ComboFix.exe
Command switches used :: E:\Documents and Settings\Ray\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\VundoFix Backups
E:\WINDOWS\system32\yyykuewq.exe

.
((((((((((((((((((((((((( Files Created from 2008-07-03 to 2008-08-03 )))))))))))))))))))))))))))))))
.

2008-08-01 07:43 . 2008-08-01 07:43 <DIR> d-------- E:\Program Files\Malwarebytes' Anti-Malware
2008-08-01 07:43 . 2008-08-01 07:43 <DIR> d-------- E:\Documents and Settings\Ray\Application Data\Malwarebytes
2008-08-01 07:43 . 2008-08-01 07:43 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-01 07:43 . 2008-07-30 20:07 38,472 --a------ E:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-01 07:43 . 2008-07-30 20:07 17,144 --a------ E:\WINDOWS\system32\drivers\mbam.sys
2008-07-29 20:34 . 2008-07-29 20:34 <DIR> d-------- E:\Deckard
2008-07-28 22:25 . 2008-07-28 22:25 <DIR> d-------- E:\Program Files\Common Files\Wise Installation Wizard
2008-07-27 15:29 . 2008-07-27 15:29 <DIR> d-------- E:\Program Files\Trend Micro
2008-07-26 11:56 . 2008-07-26 11:56 <DIR> d-------- E:\Program Files\MSN Messenger
2008-07-26 11:02 . 2008-07-26 11:02 <DIR> d-------- E:\Program Files\Teamspeak2_RC2
2008-07-26 11:02 . 2008-07-26 11:02 34,064 --a------ E:\WINDOWS\system32\lhacm.acm
2008-07-26 10:43 . 2008-07-26 10:43 2,676 --a------ E:\WINDOWS\system32\tmp.reg
2008-07-26 10:14 . 2008-07-26 10:14 7,499,056 --a------ E:\Firefox Setup 3.0.1.exe
2008-07-26 08:04 . 2008-07-26 08:04 <DIR> d-------- E:\Program Files\Safer Networking
2008-07-25 21:50 . 2008-07-25 21:50 <DIR> d-------- E:\Program Files\ESET
2008-07-25 21:50 . 2008-07-25 21:50 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\ESET
2008-07-24 20:24 . 2008-07-24 20:24 <DIR> d--h----- E:\WINDOWS\PIF
2008-07-24 20:05 . 2008-07-25 21:38 <DIR> d-------- E:\Documents and Settings\Ray\Application Data\Aliant
2008-07-24 20:05 . 2008-07-25 21:38 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Aliant
2008-07-24 19:56 . 2008-07-24 19:56 <DIR> d-------- E:\Documents and Settings\Administrator
2008-07-24 19:55 . 2008-07-24 19:55 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Avg8
2008-07-24 18:18 . 2008-07-25 21:39 <DIR> d-------- E:\Program Files\RogueRemover FREE
2008-07-24 06:13 . 2008-07-24 06:13 77,824 --a------ E:\WINDOWS\system32\xcomm.dll
2008-07-24 05:54 . 2008-07-26 01:10 <DIR> d-a------ E:\Documents and Settings\All Users\Application Data\TEMP
2008-07-23 19:23 . 2008-07-29 05:07 409 --a------ E:\WINDOWS\wininit.ini
2008-07-23 19:08 . 2008-07-23 19:08 552 --a------ E:\WINDOWS\system32\d3d8caps.dat
2008-07-15 19:09 . 2008-07-15 19:09 42,320 --a------ E:\WINDOWS\system32\xfcodec.dll
2008-07-13 14:54 . 2008-07-13 14:54 <DIR> d-------- E:\Program Files\DNA
2008-07-13 14:54 . 2008-08-02 20:11 <DIR> d-------- E:\Documents and Settings\Ray\Application Data\DNA
2008-07-06 19:06 . 2008-07-06 19:06 <DIR> d-------- E:\Program Files\Common Files\ArcSoft
2008-07-06 19:06 . 2008-07-06 19:06 <DIR> d-------- E:\Documents and Settings\Ray\Application Data\ArcSoft
2008-07-06 19:06 . 2005-02-22 22:58 11,776 --a------ E:\WINDOWS\system32\drivers\afc.sys
2008-07-06 19:05 . 2008-07-06 19:05 <DIR> d-------- E:\Program Files\ArcSoft
2008-07-06 19:05 . 2004-12-06 18:11 258,352 --a------ E:\WINDOWS\system32\unicows.dll
2008-07-06 19:05 . 1995-07-31 12:44 212,480 --a------ E:\WINDOWS\PCDLIB32.DLL
2008-07-06 19:03 . 2008-07-06 19:03 <DIR> d-------- E:\WINDOWS\Options
2008-07-06 19:03 . 2008-07-06 19:03 <DIR> d-------- E:\Program Files\Digital Video
2008-07-06 19:03 . 2008-07-06 19:03 <DIR> d-------- E:\Documents and Settings\Ray\Application Data\InstallShield
2008-07-05 09:47 . 2008-07-05 09:47 <DIR> d-------- E:\Program Files\Common Files\AVSMedia
2008-07-05 09:47 . 2008-07-05 09:47 <DIR> d-------- E:\Program Files\AVSMedia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-02 11:55 107,832 ----a-w E:\WINDOWS\system32\PnkBstrB.exe
2008-08-02 01:40 --------- d-----w E:\Documents and Settings\Ray\Application Data\teamspeak2
2008-08-01 12:03 --------- d-----w E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-29 02:26 --------- d-----w E:\Program Files\Lavasoft
2008-07-28 02:43 22,328 ----a-w E:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-07-27 02:43 --------- d-----w E:\Program Files\InstallShield Installation Information
2008-07-26 12:14 --------- d-----w E:\Program Files\Spybot - Search & Destroy
2008-07-24 22:31 81,984 ----a-w E:\WINDOWS\system32\bdod.bin
2008-07-24 01:29 --------- d-----w E:\Documents and Settings\Ray\Application Data\Xfire
2008-07-24 01:27 --------- d-----w E:\Program Files\Common Files\BitDefender
2008-07-23 11:55 --------- d-----w E:\Documents and Settings\Ray\Application Data\LimeWire
2008-07-23 01:41 --------- d-----w E:\Program Files\copy of cod2
2008-07-20 12:19 --------- d-----w E:\Program Files\Java
2008-07-19 22:43 --------- d-----w E:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-06 23:04 --------- d-----w E:\Program Files\Common Files\InstallShield
2008-07-02 23:19 256 ----a-w E:\Documents and Settings\Ray\pool.bin
2008-07-02 23:13 --------- d-----w E:\Program Files\Common Files\Sonic Shared
2008-07-02 23:11 --------- d-----w E:\Program Files\Roxio
2008-07-02 23:11 --------- d-----w E:\Program Files\Common Files\Roxio Shared
2008-07-02 23:11 --------- d-----w E:\Documents and Settings\All Users\Application Data\Roxio
2008-07-02 23:06 --------- d-----w E:\Program Files\Common Files\Research In Motion
2008-07-02 23:06 --------- d-----w E:\Documents and Settings\Ray\Application Data\Blackberry Desktop
2008-07-02 22:56 --------- d-----w E:\Documents and Settings\Ray\Application Data\Research In Motion
2008-06-22 02:58 --------- d-----w E:\Program Files\CDBurnerXP
2008-06-22 02:58 --------- d-----w E:\Documents and Settings\Ray\Application Data\Canneverbe_Limited
2008-06-10 22:56 34,312 ----a-w E:\WINDOWS\system32\drivers\epfwtdir.sys
2008-06-10 22:48 53,256 ----a-w E:\WINDOWS\system32\drivers\easdrv.sys
2008-06-10 22:47 39,944 ----a-w E:\WINDOWS\system32\drivers\eamon.sys
2008-05-16 15:58 12,632 ----a-w E:\WINDOWS\system32\lsdelete.exe
2007-12-26 04:44 22,328 -c--a-w E:\Documents and Settings\Ray\Application Data\PnkBstrK.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="E:\Program Files\DNA\btdna.exe" [2008-07-13 14:54 289088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="E:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"NvMediaCenter"="E:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"SunJavaUpdateSched"="E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"TkBellExe"="E:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-14 06:59 185896]
"QuickTime Task"="E:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"RoxWatchTray"="E:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-03-26 07:07 228088]
"egui"="E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-06-10 18:52 1447168]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 E:\WINDOWS\system32\nwiz.exe]

E:\Documents and Settings\Ray\Start Menu\Programs\Startup\
Xfire.lnk - F:\Xfire\xfire.exe [2008-07-15 19:09:02 3050832]

E:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - E:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624]
Microsoft Office.lnk - E:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 17:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"E:\\Program Files\\Messenger\\msmsgs.exe"=
"E:\\WINDOWS\\system32\\PnkBstrA.exe"=
"E:\\WINDOWS\\system32\\PnkBstrB.exe"=
"F:\\Xfire\\xfire.exe"=
"E:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"E:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\kav\\kav7\\setup.exe"=
"E:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\pfs\\callatl\\rteng9.exe"=
"E:\\Program Files\\copy of cod2\\CoD2MPcopy_s.exe"=
"E:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"E:\\Program Files\\DNA\\btdna.exe"=
"E:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"E:\\Program Files\\Activision\\Call of Duty 2\\Copy of CoD2MP_s1.0.exe"=

R1 epfwtdir;epfwtdir;E:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-06-10 18:56]
R2 NMSAccessU;NMSAccessU;E:\Program Files\CDBurnerXP\NMSAccessU.exe [2008-06-15 15:34]
R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;E:\WINDOWS\system32\drivers\Envy24HF.sys [2004-11-25 23:55]
R3 MBAMSwissArmy;MBAMSwissArmy;E:\WINDOWS\system32\drivers\mbamswissarmy.sys [2008-07-30 20:07]
S3 RimSerPort;RIM Virtual Serial Port;E:\WINDOWS\system32\DRIVERS\RimSerial.sys [2007-01-18 10:24]

*Newly Created Service* - MBAMSWISSARMY
*Newly Created Service* - PNKBSTRB
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-02 20:12:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-02 20:13:58
ComboFix-quarantined-files.txt 2008-08-03 00:13:46
ComboFix2.txt 2008-08-02 02:22:47

Pre-Run: 5,545,373,696 bytes free
Post-Run: 5,566,676,992 bytes free

156


-------------------------------------------------------------------------------------------------------------------------------------------




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:20:01, on 8/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
E:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
E:\Program Files\DNA\btdna.exe
E:\Program Files\CDBurnerXP\NMSAccessU.exe
E:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
E:\WINDOWS\system32\nvsvc32.exe
F:\Xfire\xfire.exe
E:\WINDOWS\system32\PnkBstrA.exe
E:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
E:\WINDOWS\system32\PnkBstrB.exe
E:\WINDOWS\explorer.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.primericaonline.com/Login
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxWatchTray] "E:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [egui] "E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [BitTorrent DNA] "E:\Program Files\DNA\btdna.exe"
O4 - Startup: Xfire.lnk = F:\Xfire\xfire.exe
O4 - Global Startup: Kodak EasyShare software.lnk = E:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} (UnagiAx Class) - http://radaol-prod-web-rr.streamops.aol.co...agi3.0.84.2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - E:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - E:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NMSAccessU - Unknown owner - E:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - E:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - E:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - E:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - E:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - E:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - E:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - E:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--
End of file - 5111 bytes




----------------------------------------------------------------------------------------------------------------------------------------------

And by the way, I have submitted the log file through the prompt as well.

Hope you are liking what you are seeing.

#9 Thunder

Posted 02 August 2008 - 06:23 PM

Excellent, Rookie0014 :thumbsup:

You can remove all used tools and folders created in the process.
To remove ComboFix:
Go to Start > Run, and copy and paste the next command in the field: ComboFix /u
Make sure there's a space between ComboFix and /u
Then press Enter.
This will uninstall ComboFix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

And that's about it.

Greetings,
Thunder

#10 Rookie0014

Rookie0014
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:08:26 AM

Posted 02 August 2008 - 06:35 PM

If this is it, thanks for the help!

I know I'm going to contribute to the other threads as much as I know what they are talking about (O/S and a few more topics). This has by far been the best use out of a forum that I have seen yet!

Keep up the good work Thunder.

:) :thumbsup: :) :)

#11 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:01:26 PM

Posted 03 August 2008 - 06:00 AM

Glad we could help, Rookie0014 :thumbsup:

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed.

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
