Boy I'm Hosed... Internet Non-accessible Through Normal Boot-up


  • This topic is locked
10 replies to this topic

#1 JeepinCJ

  • Members
  • 24 posts
  • Gender:Male
  • Location:Lebanon, Ohio

Posted 05 August 2008 - 09:36 PM

First off, thanks for having a forum like this!

I'm a pretty computer savvy guy, but this one's got me bad. I've been building and breaking and fixing PCs since 1985 with an old PC clone my dad bought. I still remember the first time he couldn't run a business app as I'd set DOS to load extended mem instead of himem. HA! Short story... NOD32 and SpySweeper are going off non-stop, and my hard drive spins every 3-5 seconds as this thing tries to load itself.

Internet Explorer is useless. Seriously, my Yahoo homepage opens up, and if I'm fast enough I can get 1 page to load up, then it locks as a host of other windows pop from anti virus and free scans to the latest busty amateurs that want to meet ME.

Anyway, through safe mode, things act normal. I DID try a system restore, to no avail. I downed the scanner, and ran it regular mode, then booted to safe mode so I could use the net to post the results. Best info I've got is the infiltration happened on Saturday 8-2. Also, I can no longer activate Automatic updates. I try, but it just stays red. Also in normal mode, I'm so infiltrated that HijackThis wouldn't download.

Thanks again!

Deckard's System Scanner v20071014.68
Run by JeepinCJ on 2008-08-05 22:18:30
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
21: 2008-08-06 02:18:35 UTC - RP21 - Deckard's System Scanner Restore Point
20: 2008-08-05 22:06:34 UTC - RP20 - System Checkpoint
19: 2008-08-04 21:26:14 UTC - RP19 - Installed DirectX
18: 2008-08-04 21:24:54 UTC - RP18 - Installed DirectX
17: 2008-08-04 10:30:18 UTC - RP17 - Restore Operation


-- First Restore Point --
1: 2008-08-02 21:35:14 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-05 22:20:48
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\BRSVC01A.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\BRSS01A.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\ATI\Catalyst Media Center\CMCService.exe
C:\Util\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\WINDOWS\RTHDCPL.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\713xRMT.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\Util\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\TV Expert\ADTVScheduleAgent.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
C:\Util\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Util\Spy Sweeper\SpySweeper.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Util\Spy Sweeper\ssu.exe
C:\Documents and Settings\JeepinCJ\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {42BFABD3-B070-4053-9485-30D7E000D3D3} - C:\WINDOWS\system32\opnmJDUo.dll
O2 - BHO: (no name) - {D3046FD0-57DC-45BE-82EE-D3C974689BD7} - C:\WINDOWS\system32\opnooMcA.dll (file missing)
O2 - BHO: (no name) - {EB0C0C34-A3A3-4C9E-BBC9-2FED4D40BAFE} - (no file)
O4 - HKLM\..\Run: [PtiuPbmd] "Rundll32.exe" ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CMCService] "C:\Program Files\ATI\Catalyst Media Center\CMCService.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Util\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [LanguageShortcut] C:\Util\PowerDVD\Language\Language.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TV Card Remote Control Device Monitor] C:\WINDOWS\713xRMT.exe
O4 - HKLM\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Gaming Software\LWEMon.exe" /noui
O4 - HKLM\..\Run: [BMd3074bab] "Rundll32.exe" "C:\WINDOWS\system32\eatfqvqw.dll",s
O4 - HKLM\..\Run: [d0347837] "rundll32.exe" "C:\WINDOWS\system32\nyppkwie.dll",b
O4 - HKLM\..\Run: [SpySweeper] C:\Util\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TV Expert Schedule Agent.lnk = C:\Program Files\TV Expert\ADTVScheduleAgent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1202578664579
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_03) - http://java.sun.com/update/1.6.0/jinstall-...ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O20 - Winlogon Notify: opnmJDUo - C:\WINDOWS\system32\opnmJDUo.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\BRSVC01A.EXE
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Util\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Util\Spy Sweeper\SpySweeper.exe


--
End of file - 7577 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Vax347b - c:\windows\system32\drivers\vax347b.sys
R0 Vax347s - c:\windows\system32\drivers\vax347s.sys
R2 BrPar - c:\windows\system32\drivers\brpar.sys <Not Verified; Brother Industries Ltd.; Brother Parallel Class Driver>
R3 Pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CLCapSvc (CyberLink Background Capture Service (CBCS)) - "c:\program files\ati\catalyst media center\kernel\tv\clcapsvc.exe" <Not Verified; ; CLCapSvc Module>
R2 CLSched (CyberLink Task Scheduler (CTS)) - "c:\program files\ati\catalyst media center\kernel\tv\clsched.exe" <Not Verified; ; CLSched Module>
R2 CyberLink Media Library Service - "c:\program files\ati\catalyst media center\kernel\clml_ntservice\clmlserver.exe" <Not Verified; Cyberlink; Cyberlink Media Library Server>
R2 ForcewareWebInterface (Forceware Web Interface) - "c:\program files\nvidia corporation\networkaccessmanager\apache group\apache2\bin\apache.exe" -k runservice <Not Verified; Apache Software Foundation; Apache HTTP Server>
R2 RichVideo (Cyberlink RichVideo Service(CRVS)) - "c:\program files\cyberlink\shared files\richvideo.exe" <Not Verified; ; RichVideo Module>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-07-05 and 2008-08-05 -----------------------------

2008-08-05 21:57:31 0 d-------- C:\WINDOWS\CSC
2008-08-05 21:55:24 188416 --a------ C:\WINDOWS\system32\tuvWoOFy.dll
2008-08-05 19:40:53 278528 --a------ C:\WINDOWS\system32\ddcbCtTn.dll
2008-08-05 17:26:08 2048 --a------ C:\WINDOWS\system32\eqjtfcot.exe
2008-08-04 17:26:08 0 d-------- C:\WINDOWS\system32\xlive
2008-08-04 17:09:54 2048 --a------ C:\WINDOWS\system32\sxtpiiha.exe
2008-08-04 17:07:03 105472 --a------ C:\WINDOWS\system32\agexnm.dll
2008-08-04 17:07:02 105472 --a------ C:\WINDOWS\system32\rnfsncda.dll
2008-08-04 17:05:00 91648 --a------ C:\WINDOWS\system32\lgffdair.dll
2008-08-04 06:29:24 114176 --a------ C:\WINDOWS\system32\uelorz(2).dll
2008-08-03 12:56:56 0 d-------- C:\Program Files\AntiMalwareGuard
2008-08-02 23:33:22 0 d-------- C:\Program Files\DIFX
2008-08-02 23:33:13 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-08-02 23:26:05 0 d-------- C:\WINDOWS\system32\Lang
2008-08-02 20:15:06 0 d-------- C:\Program Files\Empire Interactive
2008-08-02 17:35:17 7340032 --a------ C:\Documents and Settings\JeepinCJ\ntuser.dat
2008-08-02 17:35:04 880828 --ahs---- C:\WINDOWS\system32\AcMoonpo.ini2
2008-08-02 17:30:45 40955 --a------ C:\WINDOWS\17PHolmes572.exe
2008-08-02 17:29:55 26112 --a------ C:\WINDOWS\system32\opnmJDUo.dll
2008-08-02 17:29:55 26112 --a------ C:\WINDOWS\system32\mlJCTJAr.dll
2008-08-02 17:28:20 0 d-------- C:\Program Files\ARCA Remax
2008-08-02 15:34:20 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-08-02 15:33:56 0 d-------- C:\Program Files\Logitech
2008-08-02 15:33:56 0 d-------- C:\Program Files\Common Files\Logitech
2008-08-02 12:18:41 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-08-02 12:16:43 466944 -ra------ C:\WINDOWS\713xRMT.exe <Not Verified; ; TV Card>
2008-08-02 12:16:21 0 d-------- C:\Program Files\TV Expert
2008-08-02 12:15:59 0 d-------- C:\WINDOWS\MyInstall
2008-08-02 11:39:29 0 d-------- C:\WINDOWS\nview
2008-08-02 11:39:09 0 d-------- C:\NVIDIA
2008-08-02 07:20:57 49152 -ra------ C:\WINDOWS\system32\ChCfg.exe
2008-08-02 07:20:39 0 d-------- C:\WINDOWS\system32\RTCOM
2008-08-02 07:19:33 0 d-------- C:\Program Files\Realtek
2008-08-02 07:19:28 520192 -r------- C:\WINDOWS\RtlExUpd.dll <Not Verified; Realtek Semiconductor Corp.; RtlExUpd Dynamic Link Library>
2008-08-02 07:19:28 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2008-08-02 07:12:32 0 d-------- C:\WINDOWS\ASUSInstAll
2008-08-02 07:10:08 22 --a------ C:\WINDOWS\FileName
2008-08-02 07:09:57 0 d-------- C:\Program Files\NVIDIA Corporation
2008-08-02 07:08:51 1732 -ra------ C:\WINDOWS\system32\drivers\nvphy.bin
2008-08-02 07:08:38 0 d-------- C:\Documents and Settings\JeepinCJ\Application Data\InstallShield
2008-08-02 07:01:10 0 d-------- C:\WINDOWS\Prefetch


-- Find3M Report ---------------------------------------------------------------

2008-08-04 06:31:15 0 d-------- C:\Documents and Settings\JeepinCJ\Application Data\uTorrent
2008-08-02 15:44:06 8464 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-08-02 15:33:56 0 d-------- C:\Program Files\Common Files
2008-08-02 12:16:20 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-08-02 06:53:47 22720 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-07-28 21:21:21 0 d-------- C:\Documents and Settings\JeepinCJ\Application Data\Juniper Networks
2008-07-18 17:53:14 0 d-------- C:\Program Files\Yahoo!
2008-07-03 18:47:11 0 d-------- C:\Documents and Settings\JeepinCJ\Application Data\Yahoo!
2008-06-18 07:23:04 0 d-------- C:\Documents and Settings\JeepinCJ\Application Data\U3
2008-06-16 20:19:23 0 d-------- C:\Documents and Settings\JeepinCJ\Application Data\EBookSys
2008-05-16 14:01:00 1630208 --a------ C:\WINDOWS\system32\nwiz.exe
2008-05-16 14:01:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2008-05-16 14:01:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2008-05-16 14:01:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2008-05-16 14:01:00 1486848 --a------ C:\WINDOWS\system32\nview.dll
2008-05-16 14:01:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2008-05-16 14:01:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2008-05-16 14:01:00 425984 --a------ C:\WINDOWS\system32\keystone.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{42BFABD3-B070-4053-9485-30D7E000D3D3}]
08/02/2008 05:29 PM 26112 --a------ C:\WINDOWS\system32\opnmJDUo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D3046FD0-57DC-45BE-82EE-D3C974689BD7}]
C:\WINDOWS\system32\opnooMcA.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EB0C0C34-A3A3-4C9E-BBC9-2FED4D40BAFE}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PtiuPbmd"="Rundll32.exe" [08/04/2004 08:00 AM C:\WINDOWS\system32\rundll32.exe]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [04/26/2002 05:17 AM]
"Cmaudio"="cmicnfg.cpl" []
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [10/15/2007 05:27 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
"CMCService"="C:\Program Files\ATI\Catalyst Media Center\CMCService.exe" [06/29/2006 04:39 PM]
"RemoteControl"="C:\Util\PowerDVD\PDVDServ.exe" [12/07/2005 10:57 PM]
"LanguageShortcut"="C:\Util\PowerDVD\Language\Language.exe" [05/18/2006 11:29 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"RTHDCPL"="RTHDCPL.EXE" [09/27/2007 02:20 AM C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [08/03/2007 01:22 AM C:\WINDOWS\SkyTel.exe]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 06:43 AM C:\WINDOWS\Alcmtr.exe]
"NvCplDaemon"="RUNDLL32.exe" [08/04/2004 08:00 AM C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [05/16/2008 02:01 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [08/04/2004 08:00 AM C:\WINDOWS\system32\rundll32.exe]
"TV Card Remote Control Device Monitor"="C:\WINDOWS\713xRMT.exe" [03/17/2008 05:14 AM]
"Start WingMan Profiler"="C:\Program Files\Logitech\Gaming Software\LWEMon.exe" [04/04/2008 11:38 AM]
"BMd3074bab"="Rundll32.exe" [08/04/2004 08:00 AM C:\WINDOWS\system32\rundll32.exe]
"d0347837"="rundll32.exe" [08/04/2004 08:00 AM C:\WINDOWS\system32\rundll32.exe]
"SpySweeper"="C:\Util\Spy Sweeper\SpySweeperUI.exe" [03/01/2007 07:55 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]
TV Expert Schedule Agent.lnk - C:\Program Files\TV Expert\ADTVScheduleAgent.exe [8/2/2008 12:16:23 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{42BFABD3-B070-4053-9485-30D7E000D3D3}"= C:\WINDOWS\system32\opnmJDUo.dll [08/02/2008 05:29 PM 26112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnmJDUo]
opnmJDUo.dll 08/02/2008 05:29 PM 26112 C:\WINDOWS\system32\opnmJDUo.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\opnooMcA

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{260b1de6-7b87-11dc-beb2-000795316acb}]
AutoRun\command- H:\LaunchU3.exe




-- End of Deckard's System Scanner: finished at 2008-08-05 22:21:25 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 X2 Dual Core Processor 5000+
CPU 1: AMD Athlon™ 64 X2 Dual Core Processor 5000+
Percentage of Memory in Use: 16%
Physical Memory (total/avail): 3071.23 MiB / 2569.29 MiB
Pagefile Memory (total/avail): 4956.63 MiB / 4609.33 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1928.8 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 279.45 GiB total, 65.46 GiB free.
D: is CDROM (CDFS)
E: is CDROM (No Media)
G: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - - 279.46 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 279.45 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntivirusOverride is set.

AV: ESET NOD32 antivirus system 2.70 v2.70 (ESET, spol. s r.o.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Util\\uTorrent\\utorrent.exe"="C:\\Util\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Util\\BearShare\\BearShare.exe"="C:\\Util\\BearShare\\BearShare.exe:*:Enabled:BearShare"
"C:\\Util\\SopCast\\SopCast.exe"="C:\\Util\\SopCast\\SopCast.exe:*:Enabled:SopCast Main Application"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Documents and Settings\\JeepinCJ\\Application Data\\SopCast\\adv\\SopAdver.exe"="C:\\Documents and Settings\\JeepinCJ\\Application Data\\SopCast\\adv\\SopAdver.exe:*:Enabled:SopCast Adver"
"C:\\Util\\TVUPlayer\\TVUPlayer.exe"="C:\\Util\\TVUPlayer\\TVUPlayer.exe:*:Enabled:TVUPlayer Component"
"C:\\Util\\SopCast\\adv\\SopAdver.exe"="C:\\Util\\SopCast\\adv\\SopAdver.exe:*:Enabled:SopCast Adver"
"C:\\util\\uusee\\UUSeePlayer.exe"="C:\\util\\uusee\\UUSeePlayer.exe:*:Enabled:UUSEE"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpace Instant Messenger"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"="C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe:*:Enabled:Apache HTTP Server"
"C:\\Util\\K-Lite Codec Pack\\K-litePro\\k-litepro.exe"="C:\\Util\\K-Lite Codec Pack\\K-litePro\\k-litepro.exe:*:Disabled:K-litePro Ultimate File Sharing"
"C:\\Program Files\\Empire Interactive\\FlatOut Ultimate Carnage\\Fouc.exe"="C:\\Program Files\\Empire Interactive\\FlatOut Ultimate Carnage\\Fouc.exe:*:Enabled:FlatOut Ultimate Carnage"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\JeepinCJ\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ANDYS-PC
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\JeepinCJ
LOGONSERVER=\\ANDYS-PC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 107 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=6b02
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\JeepinCJ\LOCALS~1\Temp
TMP=C:\DOCUME~1\JeepinCJ\LOCALS~1\Temp
USERDOMAIN=ANDYS-PC
USERNAME=JeepinCJ
USERPROFILE=C:\Documents and Settings\JeepinCJ
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

JeepinCJ (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> MsiExec.exe /X{E9F81423-211E-46B6-9AE0-38568BC5CF6F}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
µTorrent --> "C:\Util\uTorrent\uninstall.exe"
7-Zip 4.57 --> "C:\Util\7-Zip\Uninstall.exe"
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742) --> MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Reader 8.1.2 Security Update 1 (KB403742) -->
Ahead Nero Burning Rom PlugIn Pack 2.0.2 by MadHacker2k4 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2715D1D6-2B81-4DD5-A9DC-6EFF4D5E0993}\setup.exe" -l0x7 -removeonly
ARCA Remax (remove only) --> "C:\Program Files\ARCA Remax\Uninstall.exe"
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
BearShare --> C:\Util\BEARSH~1\UNWISE.EXE C:\Util\BEARSH~1\INSTALL.LOG
Brother 1440 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Brother\BRHL1440\DeIsL4.isu" -cbrunin144.dll
C-Media Audio --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\C-Media Audio\Uninst.isu" -c"C:\Program Files\C-Media Audio\CMIUnInstall.DLL"
Catalyst Media Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2637C347-9DAD-11D6-9EA2-00055D0CA761}\setup.exe" -uninstall
Catalyst Media Center DVD Authoring Module --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FC4F90EC-B1DA-11D9-9D77-000129760D75}\setup.exe" -uninstall
CCleaner (remove only) --> "C:\Util\CCleaner\uninst.exe"
DivX Player --> C:\Util\DivX\DivXPlayerUninstall.exe /PLAYER
DVDFab Platinum 2.9.6.9 --> "C:\Util\DVDFab Platinum\unins000.exe"
FlatOut Ultimate Carnage --> C:\Program Files\Empire Interactive\FlatOut Ultimate Carnage\Uninstall.exe
Free Sound Recorder v6.9.5 --> "C:\util\Free Sound Recorder\unins000.exe"
Free WAV To MP3 Converter 1.0 --> C:\util\WAV To MP3 Converter\Uninst.exe
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HydraVision --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3EA9D975-BFDC-4E8E-B88B-0446FBC8CA66}\setup.exe"
Image Resizer Powertoy for Windows XP --> MsiExec.exe /I{1CB92574-96F2-467B-B793-5CEB35C40C29}
Jasc Paint Shop Pro 8 --> MsiExec.exe /I{81A34902-9D0B-4920-A25C-4CDC5D14B328}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Juniper Networks Host Checker --> "C:\Documents and Settings\JeepinCJ\Application Data\Juniper Networks\Host Checker\uninstall.exe"
K-Lite Codec Pack for KTV --> "C:\Util\K-Lite Codec Pack\unins000.exe"
K-Lite Mega Codec Pack 3.9.0 --> "C:\Util\K-Lite Codec Pack\unins001.exe"
KaraFun 1.16a --> "C:\Util\KaraFun\unins000.exe"
Logitech Gaming Software 5.02 --> MsiExec.exe /X{64B20B36-AEE7-4DD4-897C-C5DA5C218F60}
Magic ISO Maker v5.4 (build 0239) --> C:\Uril\MagicISO\UNWISE.EXE C:\Uril\MagicISO\INSTALL.LOG
Microsoft Games for Windows - LIVE Redistributable --> MsiExec.exe /X{929CE49F-1CA7-4CF3-A9A1-6D757443C63F}
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 --> MsiExec.exe /X{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}
MySpaceIM --> C:\Program Files\MySpace\IM\Uninstall.exe
Nero 6 Enterprise Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Nero Digital --> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
NOD32 antivirus system --> C:\Program Files\Eset\Setup\setup.exe /UNINSTALL
NOD32 FiX v2.1 --> "C:\Program Files\Eset\Eset\unins000.exe"
NVIDIA Drivers --> C:\WINDOWS\system32\nvuninst.exe UninstallGUI
NVIDIA ForceWare Network Access Manager --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{1F6423DE-7959-4178-80E0-023C7EAA5347} /l1033
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Recover My Files --> "C:\Util\Recover My Files\unins000.exe"
SiS 900 PCI Fast Ethernet Adapter Driver --> C:\Progra~1\SiSLan\Uninst.exe
SopCast 3.0.1 --> C:\Util\SopCast\uninst.exe
Spy Sweeper --> "C:\Util\Spy Sweeper\unins000.exe"
Trophy Bass 2007 --> "C:\Games\Trophy Bass 2007\uninstall.exe"
TV Expert --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{68CC21AD-B6EC-4DB8-954D-F27AD0D9A83F}\setup.exe" -l0x9 -removeonly
TVUPlayer 2.3.4.1 --> C:\Util\TVUPlayer\uninst.exe
VistaScan --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4E464B20-65A0-11D5-80F8-0050BA493FB5}\SETUP.EXE"
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0) --> C:\PROGRA~1\DIFX\7B44739871F4D539FA473F57A832EA4B6A59EF06\DPInst.exe /d /u C:\WINDOWS\system32\DRVSTORE\amdk8_C074F64CC74B03BC354BB5DC973CCF768D5A7194\amdk8.inf
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Util\WinRAR\uninstall.exe
Xilisoft DVD Ripper Platinum --> C:\util\DVD Ripper Platinum 4\Uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type2587 / Error
Event Submitted/Written: 08/04/2008 05:54:31 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.2900.2180, faulting module cevideoencoder.dll, version 1.7.13.7301, fault address 0x0000c6c0.
Processing media-specific event for [explorer.exe!ws!]

Event Record #/Type2586 / Error
Event Submitted/Written: 08/04/2008 05:52:19 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application bearshare.exe, version 5.0.2.3, faulting module cevideoencoder.dll, version 1.7.13.7301, fault address 0x0000be83.
Processing media-specific event for [bearshare.exe!ws!]

Event Record #/Type2585 / Error
Event Submitted/Written: 08/04/2008 05:50:56 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application bearshare.exe, version 5.0.2.3, faulting module cevideoencoder.dll, version 1.7.13.7301, fault address 0x00016602.
Processing media-specific event for [bearshare.exe!ws!]

Event Record #/Type2582 / Error
Event Submitted/Written: 08/04/2008 05:07:04 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module eatfqvqw.dll, version 0.0.0.0, fault address 0x000017c5.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type2577 / Error
Event Submitted/Written: 08/04/2008 06:29:25 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module unknown, version 0.0.0.0, fault address 0x07471557.
Processing media-specific event for [iexplore.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type8388 / Error
Event Submitted/Written: 08/05/2008 10:20:54 PM
Event ID/Source: 7016 / Service Control Manager
Event Description:
The BrSplService service has reported an invalid current state 0.

Event Record #/Type8373 / Error
Event Submitted/Written: 08/05/2008 10:18:04 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The UMAX Astra 4400 Scanner service failed to start due to the following error:
%%1058

Event Record #/Type8370 / Error
Event Submitted/Written: 08/05/2008 10:17:18 PM
Event ID/Source: 59 / SideBySide
Event Description:
Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80U.DLL.
Reference error message: The operation completed successfully.
.

Event Record #/Type8369 / Error
Event Submitted/Written: 08/05/2008 10:17:18 PM
Event ID/Source: 59 / SideBySide
Event Description:
Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC.
Reference error message: The referenced assembly is not installed on your system.
.

Event Record #/Type8368 / Error
Event Submitted/Written: 08/05/2008 10:17:18 PM
Event ID/Source: 32 / SideBySide
Event Description:
Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly is not installed on your system.



-- End of Deckard's System Scanner: finished at 2008-08-05 22:21:25 ------------


#2 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  •  
  • Local time:02:51 PM

Posted 06 August 2008 - 05:03 PM

Hi

I need you to run some scans for me & post the logs... in order to get your computer to a point where you can run the scans, I need you to do the following in safe mode first ...

Boot to safe mode ...

Run hijackthis from the icon placed on your desktop by DSS ....

Place a checkmark next to the following lines :-

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {42BFABD3-B070-4053-9485-30D7E000D3D3} - C:\WINDOWS\system32\opnmJDUo.dll
O2 - BHO: (no name) - {D3046FD0-57DC-45BE-82EE-D3C974689BD7} - C:\WINDOWS\system32\opnooMcA.dll (file missing)
O2 - BHO: (no name) - {EB0C0C34-A3A3-4C9E-BBC9-2FED4D40BAFE} - (no file)

O4 - HKLM\..\Run: [BMd3074bab] "Rundll32.exe" "C:\WINDOWS\system32\eatfqvqw.dll",s
O4 - HKLM\..\Run: [d0347837] "rundll32.exe" "C:\WINDOWS\system32\nyppkwie.dll",b

O20 - Winlogon Notify: opnmJDUo - C:\WINDOWS\system32\opnmJDUo.dll


Click "fix checked"

Now look for the following files & delete them if found :-

C:\WINDOWS\system32\eatfqvqw.dll
C:\WINDOWS\system32\nyppkwie.dll
C:\WINDOWS\system32\tuvWoOFy.dll
C:\WINDOWS\system32\ddcbCtTn.dll
C:\WINDOWS\system32\eqjtfcot.exe
C:\WINDOWS\system32\sxtpiiha.exe
C:\WINDOWS\system32\agexnm.dll
C:\WINDOWS\system32\rnfsncda.dll
C:\WINDOWS\system32\lgffdair.dll
C:\WINDOWS\system32\uelorz(2).dll
C:\WINDOWS\system32\AcMoonpo.ini2
C:\WINDOWS\system32\opnmJDUo.dll
C:\WINDOWS\system32\mlJCTJAr.dll
C:\WINDOWS\17PHolmes572.exe

Then boot into normal mode & run the following scans :-

Please run a Kaspersky Online Scan

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

Click Accept

You will be prompted to install an ActiveX component from Kaspersky,
Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Once finished, save the log to your Desktop as filename KAV.txt
THEN ...

Please Download Malwarebytes' Anti-Malware from Here :-

http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

or here :-

http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

THEN ...

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware Posted Image
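As an added example (not code from the thread, from HijackThis, DSS or ComboFix), a small Python triage script that parses the O2/O4/O20 lines fixed above and the "Faulting application" records from the first post's event log, and flags the patterns the helper acted on: dangling BHO registrations, Run-key rundll32 entries that load a system32 DLL through a one-letter export, Winlogon Notify hooks, and a DLL that also shows up as the faulting module in an iexplore.exe crash. The benign nod32kui line is constructed for contrast and the flagging rules are the example's own heuristics, not something the thread states.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample input: the HijackThis lines steamwiz told the poster to
# fix, plus one benign O4 entry (nod32kui, path as shown in the later ComboFix
# log) that the triage should leave alone.
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {42BFABD3-B070-4053-9485-30D7E000D3D3} - C:\WINDOWS\system32\opnmJDUo.dll
O2 - BHO: (no name) - {D3046FD0-57DC-45BE-82EE-D3C974689BD7} - C:\WINDOWS\system32\opnooMcA.dll (file missing)
O2 - BHO: (no name) - {EB0C0C34-A3A3-4C9E-BBC9-2FED4D40BAFE} - (no file)
O4 - HKLM\..\Run: [BMd3074bab] "Rundll32.exe" "C:\WINDOWS\system32\eatfqvqw.dll",s
O4 - HKLM\..\Run: [d0347837] "rundll32.exe" "C:\WINDOWS\system32\nyppkwie.dll",b
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe"
O20 - Winlogon Notify: opnmJDUo - C:\WINDOWS\system32\opnmJDUo.dll
"""

# Constructed sample: two "Faulting application" lines taken from the DSS
# Application Event Log excerpt in the first post.
EVENTLOG_SAMPLE = """
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module eatfqvqw.dll, version 0.0.0.0, fault address 0x000017c5.
Faulting application explorer.exe, version 6.0.2900.2180, faulting module cevideoencoder.dll, version 1.7.13.7301, fault address 0x0000c6c0.
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>HK\w+\\\.\.\\Run): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"(?P<dll>[^"]+)",(?P<export>\S*)$', re.IGNORECASE)
FAULT_RE = re.compile(r"Faulting application (?P<app>\S+), .*?faulting module (?P<module>\S+), ")
MISSING_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Finding:
    line: str
    kind: str                  # "O2", "O4" or "O20"
    module: str                # file name the entry loads ("" when none)
    reasons: List[str] = field(default_factory=list)


def basename(path: str) -> str:
    return path.strip().rsplit("\\", 1)[-1]


def in_system32(path: str) -> bool:
    """True for a file sitting directly in <drive>:\\WINDOWS\\system32."""
    return re.match(r"^[a-z]:\\windows\\system32\\[^\\]+$", path.strip().lower()) is not None


def first_token(cmd: str) -> str:
    """Executable part of a Run-key command line, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0] if cmd else ""


def triage(hjt_text: str, eventlog_text: str = "") -> List[Finding]:
    """Parse O2/O4/O20 lines, attach heuristic reasons, then correlate."""
    findings: List[Finding] = []
    for line in (l.strip() for l in hjt_text.splitlines() if l.strip()):
        if m := O2_RE.match(line):
            target = m["target"]
            missing = next((mk for mk in MISSING_MARKERS if mk in target), None)
            path = target.replace(missing, "") if missing else target
            f = Finding(line, "O2", basename(path))
            if missing:
                f.reasons.append("BHO CLSID is registered but its DLL is gone: dangling registration")
            elif m["name"] == "(no name)" and in_system32(path):
                f.reasons.append("unnamed BHO loading a DLL straight out of system32")
        elif m := O4_RE.match(line):
            r = RUNDLL_RE.match(m["cmd"].strip())
            f = Finding(line, "O4", basename(r["dll"] if r else first_token(m["cmd"])))
            if r and in_system32(r["dll"]) and len(r["export"]) <= 1:
                f.reasons.append(f"Run key starts rundll32 on a system32 DLL through export '{r['export']}'")
        elif m := O20_RE.match(line):
            f = Finding(line, "O20", basename(m["target"]))
            f.reasons.append("Winlogon Notify hook: loaded into winlogon.exe at logon, "
                             "so the registration and the file both need removing")
        else:
            continue
        findings.append(f)

    # Correlate: the same DLL hooked in several places, and DLLs named as the
    # faulting module in Application Event Log crash records.
    by_module = {}
    for f in findings:
        if f.module:
            by_module.setdefault(f.module.lower(), []).append(f)
    for group in by_module.values():
        if len(group) > 1:
            kinds = "/".join(sorted({g.kind for g in group}))
            for g in group:
                g.reasons.append(f"same DLL is hooked by {len(group)} entries ({kinds})")
    for fm in FAULT_RE.finditer(eventlog_text):
        for g in by_module.get(fm["module"].lower(), []):
            g.reasons.append(f"also the faulting module in a {fm['app']} crash")
    return findings


def flagged(findings: List[Finding]) -> List[Finding]:
    return [f for f in findings if f.reasons]


if __name__ == "__main__":
    for f in triage(HJT_SAMPLE, EVENTLOG_SAMPLE):
        print(f"{'FLAG' if f.reasons else 'ok  '} {f.kind:<3} {f.module or '-'}")
        for reason in f.reasons:
            print(f"       - {reason}")
```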

#3 JeepinCJ

JeepinCJ
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lebanon, Ohio
  • Local time:09:51 AM

Posted 18 August 2008 - 07:51 PM

log deleted by steamwiz

Edited by steamwiz, 19 August 2008 - 05:00 PM.
deleted log


#4 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  •  
  • Local time:02:51 PM

Posted 19 August 2008 - 04:03 PM

HI JeepinCJ

I've merged your 2 threads ...

Vundo is hiding entries from The new hijackthis log you've posted ...

The instructions in post #2 are still valid ... please follow them :thumbsup:

Please do not start a new thread to reply, use the "add reply" button at the bottom of this thread.

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware Posted Image

#5 JeepinCJ

JeepinCJ
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lebanon, Ohio
  • Local time:09:51 AM

Posted 19 August 2008 - 08:44 PM

after DAYS of scanning... (hey I've got 140GB of .rar files) below are the result logs.

Thx,

andy

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, August 19, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, August 17, 2008 23:49:41
Records in database: 1103275
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
G:\

Scan statistics:
Files scanned: 75850
Threat name: 11
Infected objects: 16
Suspicious objects: 0
Duration of the scan: 32:51:52


File name / Threat name / Threats count
C:\Deckard\System Scanner\20080812223615\backup\DOCUME~1\JeepinCJ\LOCALS~1\Temp\winvsnet.exe Infected: Trojan-Downloader.Win32.FraudLoad.vaff 1
C:\Deckard\System Scanner\20080812223615\backup\DOCUME~1\JeepinCJ\LOCALS~1\Temp\xpre.exe Infected: Trojan-Downloader.Win32.VB.geh 1
C:\Documents and Settings\JeepinCJ\My Documents\-=drive d=-\TO BE BURNED\Applications\5 Cucusoft Video Converter Suite ipod zune psp mpeg avi mov rm dvd vcd svcd iphone\Cucusoft DVD to iPhone + iPhone Video Converter Suite.exe Infected: not-a-virus:FraudTool.Win32.SpyNoMore.g 1
C:\Documents and Settings\JeepinCJ\My Documents\-=drive d=-\TO BE BURNED\Applications\5 Cucusoft Video Converter Suite ipod zune psp mpeg avi mov rm dvd vcd svcd iphone\Cucusoft DVD To iPod + iPod Video Converter Suite.exe Infected: not-a-virus:FraudTool.Win32.SpyNoMore.g 1
C:\Documents and Settings\JeepinCJ\My Documents\-=drive d=-\TO BE BURNED\Applications\5 Cucusoft Video Converter Suite ipod zune psp mpeg avi mov rm dvd vcd svcd iphone\Cucusoft DVD To PSP + PSP Video Converter Suite.exe Infected: not-a-virus:FraudTool.Win32.SpyNoMore.g 1
C:\Documents and Settings\JeepinCJ\My Documents\-=drive d=-\TO BE BURNED\Applications\5 Cucusoft Video Converter Suite ipod zune psp mpeg avi mov rm dvd vcd svcd iphone\Cucusoft DVD to Zune + Zune Video Converter Suite.exe Infected: not-a-virus:FraudTool.Win32.SpyNoMore.g 1
C:\Documents and Settings\JeepinCJ\My Documents\-=drive d=-\TO BE BURNED\Applications\Blaze Media Pro 6.0\Analog X - Internet Sharing\Analog X.exe Infected: not-a-virus:Server-Proxy.Win32.AnalogX.414 1
C:\Program Files\Eset\cache\FND0.NFI Infected: not-a-virus:AdWare.Win32.SuperJuan.clv 1
C:\Program Files\Eset\cache\FND8.NFI Infected: not-a-virus:AdWare.Win32.Virtumonde.afee 1
C:\Program Files\Eset\infected\EBR3PCAA.NQF Infected: Trojan-Clicker.Win32.VB.aar 1
C:\Program Files\Eset\infected\GLWFS5AA.NQF Infected: not-a-virus:AdWare.Win32.SuperJuan.cec 1
C:\Program Files\Eset\infected\TTFDDTDA.NQF Infected: not-a-virus:AdWare.Win32.SuperJuan.ccl 1
C:\Program Files\Eset\infected\UL2WDGCA.NQF Infected: not-a-virus:AdWare.Win32.SuperJuan.cdb 1
C:\Program Files\Eset\infected\YBQK1ABA.NQF Infected: Trojan.Win32.Monder.edi 1
C:\WINDOWS\system32\ihxscydr.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.clv 1
C:\WINDOWS\system32\qigsvc.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.clv 1

The selected area was scanned.



---------------------------------------------------------------------------------------------------------------------------------


Malwarebytes' Anti-Malware 1.24
Database version: 1051
Windows 5.1.2600 Service Pack 2

6:26:42 AM 8/14/2008
mbam-log-8-14-2008 (06-26-42).txt

Scan type: Full Scan (C:\|)
Objects scanned: 107341
Time elapsed: 1 hour(s), 39 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{1B7D8D59-6F72-4626-93D3-987B53C2D912}\RP17\A0002469.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1B7D8D59-6F72-4626-93D3-987B53C2D912}\RP21\A0007045.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1B7D8D59-6F72-4626-93D3-987B53C2D912}\RP21\A0007046.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1B7D8D59-6F72-4626-93D3-987B53C2D912}\RP21\A0007047.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1B7D8D59-6F72-4626-93D3-987B53C2D912}\RP21\A0007048.exe (Trojan.Vundo) -> Quarantined and deleted successfully.


---------------------------------------------------------------------------------------------------------------------------------


ComboFix 08-08-18.05 - JeepinCJ 2008-08-19 20:23:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2608 [GMT -4:00]
Running from: C:\Documents and Settings\JeepinCJ\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\JeepinCJ\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\JeepinCJ\Application Data\macromedia\Flash Player\#SharedObjects\D6A56M6W\interclick.com
C:\Documents and Settings\JeepinCJ\Application Data\macromedia\Flash Player\#SharedObjects\D6A56M6W\interclick.com\ud.sol
C:\Documents and Settings\JeepinCJ\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\JeepinCJ\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\JeepinCJ\Cookies\jeepincj@clicktorrent[2].txt
C:\Documents and Settings\JeepinCJ\Cookies\jeepincj@insightexpressai[1].txt
C:\Documents and Settings\JeepinCJ\Cookies\jeepincj@track.bestbuy[2].txt
C:\Documents and Settings\JeepinCJ\Cookies\jeepincj@turn[1].txt
C:\Documents and Settings\JeepinCJ\UserData
C:\Documents and Settings\JeepinCJ\UserData\C12VO9Y7\IsOnIE6tbPromo[1].xml
C:\Documents and Settings\JeepinCJ\UserData\G1EVWT63\oWindowsUpdate[1].xml
C:\Documents and Settings\JeepinCJ\UserData\index.dat
C:\Documents and Settings\JeepinCJ\UserData\OT6RWDIZ\YL[1].xml
C:\install.exe
C:\WINDOWS\system32\AcMoonpo.ini
C:\WINDOWS\system32\eiwkppyn.ini
C:\WINDOWS\system32\lodxnrfs.dll
C:\WINDOWS\system32\sqkkcgbl.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-20 to 2008-08-20 )))))))))))))))))))))))))))))))
.

2008-08-13 21:49 . 2008-08-13 21:49 <DIR> d-------- C:\Documents and Settings\JeepinCJ\Application Data\Malwarebytes
2008-08-13 21:49 . 2008-08-13 21:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-13 21:49 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-13 21:49 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-05 22:24 . 2008-08-05 22:24 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-05 22:15 . 2008-08-05 22:15 <DIR> d-------- C:\Deckard
2008-08-04 17:26 . 2008-08-04 17:26 <DIR> d-------- C:\WINDOWS\system32\xlive
2008-08-02 23:33 . 2008-08-02 23:33 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-08-02 23:33 . 2008-08-02 23:33 <DIR> d-------- C:\Program Files\DIFX
2008-08-02 23:33 . 2006-07-01 22:39 36,864 --a------ C:\WINDOWS\system32\drivers\AmdK8.sys
2008-08-02 23:26 . 2008-08-02 23:26 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-08-02 23:26 . 2008-08-02 23:26 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-08-02 23:26 . 2008-08-02 23:26 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-08-02 20:15 . 2008-08-02 20:15 <DIR> d-------- C:\Program Files\Empire Interactive
2008-08-02 17:28 . 2008-08-02 17:32 <DIR> d-------- C:\Program Files\ARCA Remax
2008-08-02 17:28 . 2008-08-02 17:28 860,391 --a------ C:\Temp\7z457.exe
2008-08-02 15:35 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-08-02 15:35 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-08-02 15:34 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-08-02 15:34 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-08-02 15:33 . 2008-08-02 15:33 <DIR> d-------- C:\Program Files\Logitech
2008-08-02 15:33 . 2008-08-02 15:33 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-08-02 15:32 . 2008-08-02 15:32 13,786,936 --a------ C:\Temp\lgs502.exe
2008-08-02 15:24 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-08-02 15:24 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-08-02 12:18 . 2008-08-02 12:19 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-08-02 12:16 . 2008-08-02 12:16 <DIR> d-------- C:\Program Files\TV Expert
2008-08-02 12:16 . 2008-03-17 05:14 466,944 -ra------ C:\WINDOWS\713xRMT.exe
2008-08-02 12:15 . 2008-08-02 12:16 <DIR> d-------- C:\WINDOWS\MyInstall
2008-08-02 12:11 . 2004-08-03 23:10 15,360 --a------ C:\WINDOWS\system32\drivers\MPE.sys
2008-08-02 12:11 . 2004-08-03 23:10 15,360 --a--c--- C:\WINDOWS\system32\dllcache\mpe.sys
2008-08-02 11:39 . 2008-08-02 11:39 <DIR> d-------- C:\WINDOWS\nview
2008-08-02 11:39 . 2008-08-02 11:39 <DIR> d-------- C:\NVIDIA
2008-08-02 11:39 . 2008-05-16 14:01 446,464 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-08-02 11:39 . 2008-08-19 20:28 131,144 --a------ C:\WINDOWS\system32\nvapps.xml
2008-08-02 11:39 . 2008-05-16 14:01 18,070 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-08-02 11:38 . 2008-08-02 11:38 38,674,984 --a------ C:\Temp\175.19_geforce_winxp_32bit_english_whql.exe
2008-08-02 07:20 . 2008-08-02 07:20 <DIR> d-------- C:\WINDOWS\system32\RTCOM
2008-08-02 07:20 . 2006-08-01 03:02 49,152 -ra------ C:\WINDOWS\system32\ChCfg.exe
2008-08-02 07:19 . 2008-08-02 07:19 <DIR> d-------- C:\Program Files\Realtek
2008-08-02 07:12 . 2008-08-02 07:12 <DIR> d-------- C:\WINDOWS\ASUSInstAll
2008-08-02 07:10 . 2008-08-02 07:10 22 --a------ C:\WINDOWS\FileName
2008-08-02 07:09 . 2008-08-02 07:09 <DIR> d-------- C:\Program Files\NVIDIA Corporation
2008-08-02 07:09 . 2006-12-18 16:34 446,464 --a------ C:\WINDOWS\system32\CapabilityTable.exe
2008-08-02 07:09 . 2006-10-17 20:31 363,008 -ra------ C:\WINDOWS\system32\idecoiins.dll
2008-08-02 07:09 . 2006-10-17 20:31 363,008 -ra------ C:\WINDOWS\system32\idecoi.dll
2008-08-02 07:09 . 2006-10-04 20:35 356,352 --a------ C:\WINDOWS\system32\nvuide.exe
2008-08-02 07:09 . 2006-10-17 20:31 105,472 -ra------ C:\WINDOWS\system32\drivers\nvata.sys
2008-08-02 07:09 . 2006-10-04 20:35 35,840 -ra------ C:\WINDOWS\system32\NVCOI.DLL
2008-08-02 07:09 . 2006-09-10 19:14 1,570 --a------ C:\WINDOWS\system32\nvide.nvu
2008-08-02 07:08 . 2008-08-02 07:08 <DIR> d-------- C:\Documents and Settings\JeepinCJ\Application Data\InstallShield
2008-08-02 07:07 . 2007-07-31 23:39 12,536 --a------ C:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2008-08-02 06:57 . 2004-08-04 08:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-08-02 06:56 . 2004-08-04 08:00 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-08-02 06:54 . 2008-08-02 06:54 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-08-02 06:54 . 2008-08-02 06:54 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-08-02 06:54 . 2008-08-02 06:54 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-08-02 06:54 . 2008-08-02 06:54 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-08-02 06:54 . 2008-08-02 06:54 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-08-02 06:54 . 2008-08-02 06:54 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-08-01 18:48 . 2004-08-04 08:00 1,086,058 -ra------ C:\WINDOWS\SETA7.tmp
2008-08-01 18:48 . 2004-08-04 08:00 1,042,903 -ra------ C:\WINDOWS\SETA4.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-19 21:07 --------- d-----w C:\Documents and Settings\JeepinCJ\Application Data\uTorrent
2008-08-18 11:41 --------- d-----w C:\Documents and Settings\JeepinCJ\Application Data\Juniper Networks
2008-08-02 18:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trophy Bass 2007
2008-08-02 16:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-02 11:19 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-07-18 21:53 --------- d-----w C:\Program Files\Yahoo!
2008-07-03 22:47 --------- d-----w C:\Documents and Settings\JeepinCJ\Application Data\Yahoo!
2008-05-04 16:26 16,760 ----a-w C:\Documents and Settings\JeepinCJ\Application Data\GDIPFONTCACHEV1.DAT
2001-11-23 04:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-04-26 05:17 102400]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-10-15 17:27 949376]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"CMCService"="C:\Program Files\ATI\Catalyst Media Center\CMCService.exe" [2006-06-29 16:39 167936]
"RemoteControl"="C:\Util\PowerDVD\PDVDServ.exe" [2005-12-07 22:57 30208]
"LanguageShortcut"="C:\Util\PowerDVD\Language\Language.exe" [2006-05-18 11:29 49152]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 14:01 13529088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 14:01 86016]
"TV Card Remote Control Device Monitor"="C:\WINDOWS\713xRMT.exe" [2008-03-17 05:14 466944]
"Start WingMan Profiler"="C:\Program Files\Logitech\Gaming Software\LWEMon.exe" [2008-04-04 11:38 88584]
"SpySweeper"="C:\Util\Spy Sweeper\SpySweeperUI.exe" [2007-03-01 19:55 4865600]
"PtiuPbmd"="ptipbm.dll" [2003-05-20 11:56 24576 C:\WINDOWS\system32\ptipbm.dll]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-27 02:20 16844800 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2007-08-03 01:22 1826816 C:\WINDOWS\SkyTel.exe]
"nwiz"="nwiz.exe" [2008-05-16 14:01 1630208 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3ivx"= 3ivxVfWCodec.dll
"vidc.3iv2"= 3ivxVfWCodec.dll
"msacm.divxa32"= divxa32.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"VIDC.VP31"= vp31vfw.dll
"msacm.fraunhoferacm"= l3codecp.acm
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Util\\uTorrent\\utorrent.exe"=
"C:\\Util\\BearShare\\BearShare.exe"=
"C:\\Util\\SopCast\\SopCast.exe"=
"C:\\Documents and Settings\\JeepinCJ\\Application Data\\SopCast\\adv\\SopAdver.exe"=
"C:\\Util\\TVUPlayer\\TVUPlayer.exe"=
"C:\\Util\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"C:\\Program Files\\Empire Interactive\\FlatOut Ultimate Carnage\\Fouc.exe"=

R3 3xHybrid;SAA713x TV Card Service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys [2008-03-17 05:14]
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-03 18:31]
S3 ATICXCAP;ATI TV Wonder Pro A/V Capture;C:\WINDOWS\system32\drivers\aticxcap.sys [2006-06-21 17:22]
S3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);C:\WINDOWS\system32\drivers\aticxtun.sys [2006-06-21 17:22]
S3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;C:\WINDOWS\system32\drivers\aticxxbr.sys [2006-06-21 17:22]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{260b1de6-7b87-11dc-beb2-000795316acb}]
\Shell\AutoRun\command - H:\LaunchU3.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{D3046FD0-57DC-45BE-82EE-D3C974689BD7} - C:\WINDOWS\system32\opnooMcA.dll
HKLM-Run-Cmaudio - cmicnfg.cpl
Notify-opnmJDUo - opnmJDUo.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-19 20:28:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\BRSS01A.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Util\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
C:\Util\Spy Sweeper\SpySweeper.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Util\Spy Sweeper\ssu.exe
.
**************************************************************************
.
Completion time: 2008-08-19 20:31:27 - machine was rebooted [JeepinCJ]
ComboFix-quarantined-files.txt 2008-08-20 00:31:24

Pre-Run: 78,513,561,600 bytes free
Post-Run: 78,528,311,296 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

212 --- E O F --- 2008-08-19 07:01:03

#6 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  •  
  • Local time:02:51 PM

Posted 20 August 2008 - 04:04 PM

Hi

Find & delete the following files, or empty the Eset quarantine if that's where they are (I'm not familiar with the location of the Eset\nod32 quarantine folder) :-

C:\Program Files\Eset\cache\FND0.NFI >Infected: not-a-virus:AdWare.Win32.SuperJuan.clv 1
C:\Program Files\Eset\cache\FND8.NFI >Infected: not-a-virus:AdWare.Win32.Virtumonde.afee 1
C:\Program Files\Eset\infected\EBR3PCAA.NQF >Infected: Trojan-Clicker.Win32.VB.aar 1
C:\Program Files\Eset\infected\GLWFS5AA.NQF >Infected: not-a-virus:AdWare.Win32.SuperJuan.cec 1
C:\Program Files\Eset\infected\TTFDDTDA.NQF >Infected: not-a-virus:AdWare.Win32.SuperJuan.ccl 1
C:\Program Files\Eset\infected\UL2WDGCA.NQF >Infected: not-a-virus:AdWare.Win32.SuperJuan.cdb 1
C:\Program Files\Eset\infected\YBQK1ABA.NQF >Infected: Trojan.Win32.Monder.edi 1

Then...

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\WINDOWS\system32\ihxscydr.dll
C:\WINDOWS\system32\qigsvc.dll


Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

How's the computer running now ?

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware Posted Image

#7 JeepinCJ

JeepinCJ
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lebanon, Ohio
  • Local time:09:51 AM

Posted 20 August 2008 - 08:15 PM

PC is running better. NOD has been popping up occasionally. Actually, prior to your last post I had deleted all the garbage out of Eset. I only had one trojan load today and it was in a restore temp folder of all places. So far since the last ComboFix run, NOD hasn't popped up again.

Here are the logs. And as always, thx for your help!

ComboFix 08-08-19.06 - JeepinCJ 2008-08-20 21:04:37.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2463 [GMT -4:00]
Running from: C:\Documents and Settings\JeepinCJ\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\JeepinCJ\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\WINDOWS\system32\ihxscydr.dll
C:\WINDOWS\system32\qigsvc.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\JeepinCJ\Cookies\jeepincj@ad.yieldmanager[2].txt
C:\Documents and Settings\JeepinCJ\Cookies\jeepincj@revsci[2].txt

.
((((((((((((((((((((((((( Files Created from 2008-07-21 to 2008-08-21 )))))))))))))))))))))))))))))))
.

2008-08-20 03:00 . 2008-08-20 03:00 <DIR> d-------- C:\WINDOWS\LastGood
2008-08-13 21:49 . 2008-08-13 21:49 <DIR> d-------- C:\Documents and Settings\JeepinCJ\Application Data\Malwarebytes
2008-08-13 21:49 . 2008-08-13 21:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-13 21:49 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-13 21:49 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-05 22:24 . 2008-08-05 22:24 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-05 22:15 . 2008-08-05 22:15 <DIR> d-------- C:\Deckard
2008-08-04 17:26 . 2008-08-04 17:26 <DIR> d-------- C:\WINDOWS\system32\xlive
2008-08-02 23:33 . 2008-08-02 23:33 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-08-02 23:33 . 2008-08-02 23:33 <DIR> d-------- C:\Program Files\DIFX
2008-08-02 23:33 . 2006-07-01 22:39 36,864 --a------ C:\WINDOWS\system32\drivers\AmdK8.sys
2008-08-02 23:26 . 2008-08-02 23:26 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-08-02 23:26 . 2008-08-02 23:26 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-08-02 23:26 . 2008-08-02 23:26 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-08-02 20:15 . 2008-08-02 20:15 <DIR> d-------- C:\Program Files\Empire Interactive
2008-08-02 17:28 . 2008-08-02 17:32 <DIR> d-------- C:\Program Files\ARCA Remax
2008-08-02 17:28 . 2008-08-02 17:28 860,391 --a------ C:\Temp\7z457.exe
2008-08-02 15:35 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-08-02 15:35 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-08-02 15:34 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-08-02 15:34 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-08-02 15:33 . 2008-08-02 15:33 <DIR> d-------- C:\Program Files\Logitech
2008-08-02 15:33 . 2008-08-02 15:33 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-08-02 15:32 . 2008-08-02 15:32 13,786,936 --a------ C:\Temp\lgs502.exe
2008-08-02 15:24 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-08-02 15:24 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-08-02 12:18 . 2008-08-02 12:19 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-08-02 12:16 . 2008-08-02 12:16 <DIR> d-------- C:\Program Files\TV Expert
2008-08-02 12:16 . 2008-03-17 05:14 466,944 -ra------ C:\WINDOWS\713xRMT.exe
2008-08-02 12:15 . 2008-08-02 12:16 <DIR> d-------- C:\WINDOWS\MyInstall
2008-08-02 12:11 . 2004-08-03 23:10 15,360 --a------ C:\WINDOWS\system32\drivers\MPE.sys
2008-08-02 12:11 . 2004-08-03 23:10 15,360 --a--c--- C:\WINDOWS\system32\dllcache\mpe.sys
2008-08-02 11:39 . 2008-08-02 11:39 <DIR> d-------- C:\WINDOWS\nview
2008-08-02 11:39 . 2008-08-02 11:39 <DIR> d-------- C:\NVIDIA
2008-08-02 11:39 . 2008-05-16 14:01 446,464 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-08-02 11:39 . 2008-08-19 20:28 131,144 --a------ C:\WINDOWS\system32\nvapps.xml
2008-08-02 11:39 . 2008-05-16 14:01 18,070 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-08-02 11:38 . 2008-08-02 11:38 38,674,984 --a------ C:\Temp\175.19_geforce_winxp_32bit_english_whql.exe
2008-08-02 07:20 . 2008-08-02 07:20 <DIR> d-------- C:\WINDOWS\system32\RTCOM
2008-08-02 07:20 . 2006-08-01 03:02 49,152 -ra------ C:\WINDOWS\system32\ChCfg.exe
2008-08-02 07:19 . 2008-08-02 07:19 <DIR> d-------- C:\Program Files\Realtek
2008-08-02 07:12 . 2008-08-02 07:12 <DIR> d-------- C:\WINDOWS\ASUSInstAll
2008-08-02 07:10 . 2008-08-02 07:10 22 --a------ C:\WINDOWS\FileName
2008-08-02 07:09 . 2008-08-02 07:09 <DIR> d-------- C:\Program Files\NVIDIA Corporation
2008-08-02 07:09 . 2006-12-18 16:34 446,464 --a------ C:\WINDOWS\system32\CapabilityTable.exe
2008-08-02 07:09 . 2006-10-17 20:31 363,008 -ra------ C:\WINDOWS\system32\idecoiins.dll
2008-08-02 07:09 . 2006-10-17 20:31 363,008 -ra------ C:\WINDOWS\system32\idecoi.dll
2008-08-02 07:09 . 2006-10-04 20:35 356,352 --a------ C:\WINDOWS\system32\nvuide.exe
2008-08-02 07:09 . 2006-10-17 20:31 105,472 -ra------ C:\WINDOWS\system32\drivers\nvata.sys
2008-08-02 07:09 . 2006-10-04 20:35 35,840 -ra------ C:\WINDOWS\system32\NVCOI.DLL
2008-08-02 07:09 . 2006-09-10 19:14 1,570 --a------ C:\WINDOWS\system32\nvide.nvu
2008-08-02 07:08 . 2008-08-02 07:08 <DIR> d-------- C:\Documents and Settings\JeepinCJ\Application Data\InstallShield
2008-08-02 07:07 . 2007-07-31 23:39 12,536 --a------ C:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2008-08-02 06:57 . 2004-08-04 08:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-08-02 06:56 . 2004-08-04 08:00 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-08-02 06:54 . 2008-08-02 06:54 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-08-02 06:54 . 2008-08-02 06:54 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-08-02 06:54 . 2008-08-02 06:54 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-08-02 06:54 . 2008-08-02 06:54 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-08-02 06:54 . 2008-08-02 06:54 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-08-02 06:54 . 2008-08-02 06:54 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-08-01 18:48 . 2004-08-04 08:00 1,086,058 -ra------ C:\WINDOWS\SETA7.tmp
2008-08-01 18:48 . 2004-08-04 08:00 1,042,903 -ra------ C:\WINDOWS\SETA4.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-19 21:07 --------- d-----w C:\Documents and Settings\JeepinCJ\Application Data\uTorrent
2008-08-18 11:41 --------- d-----w C:\Documents and Settings\JeepinCJ\Application Data\Juniper Networks
2008-08-02 18:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trophy Bass 2007
2008-08-02 16:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-02 11:19 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-07-18 21:53 --------- d-----w C:\Program Files\Yahoo!
2008-07-03 22:47 --------- d-----w C:\Documents and Settings\JeepinCJ\Application Data\Yahoo!
2008-05-04 16:26 16,760 ----a-w C:\Documents and Settings\JeepinCJ\Application Data\GDIPFONTCACHEV1.DAT
2001-11-23 04:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-04-26 05:17 102400]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-10-15 17:27 949376]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"CMCService"="C:\Program Files\ATI\Catalyst Media Center\CMCService.exe" [2006-06-29 16:39 167936]
"RemoteControl"="C:\Util\PowerDVD\PDVDServ.exe" [2005-12-07 22:57 30208]
"LanguageShortcut"="C:\Util\PowerDVD\Language\Language.exe" [2006-05-18 11:29 49152]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 14:01 13529088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 14:01 86016]
"TV Card Remote Control Device Monitor"="C:\WINDOWS\713xRMT.exe" [2008-03-17 05:14 466944]
"Start WingMan Profiler"="C:\Program Files\Logitech\Gaming Software\LWEMon.exe" [2008-04-04 11:38 88584]
"SpySweeper"="C:\Util\Spy Sweeper\SpySweeperUI.exe" [2007-03-01 19:55 4865600]
"PtiuPbmd"="ptipbm.dll" [2003-05-20 11:56 24576 C:\WINDOWS\system32\ptipbm.dll]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-27 02:20 16844800 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2007-08-03 01:22 1826816 C:\WINDOWS\SkyTel.exe]
"nwiz"="nwiz.exe" [2008-05-16 14:01 1630208 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3ivx"= 3ivxVfWCodec.dll
"vidc.3iv2"= 3ivxVfWCodec.dll
"msacm.divxa32"= divxa32.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"VIDC.VP31"= vp31vfw.dll
"msacm.fraunhoferacm"= l3codecp.acm
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Util\\uTorrent\\utorrent.exe"=
"C:\\Util\\BearShare\\BearShare.exe"=
"C:\\Util\\SopCast\\SopCast.exe"=
"C:\\Documents and Settings\\JeepinCJ\\Application Data\\SopCast\\adv\\SopAdver.exe"=
"C:\\Util\\TVUPlayer\\TVUPlayer.exe"=
"C:\\Util\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"C:\\Program Files\\Empire Interactive\\FlatOut Ultimate Carnage\\Fouc.exe"=

R3 3xHybrid;SAA713x TV Card Service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys [2008-03-17 05:14]
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-03 18:31]
S3 ATICXCAP;ATI TV Wonder Pro A/V Capture;C:\WINDOWS\system32\drivers\aticxcap.sys [2006-06-21 17:22]
S3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);C:\WINDOWS\system32\drivers\aticxtun.sys [2006-06-21 17:22]
S3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;C:\WINDOWS\system32\drivers\aticxxbr.sys [2006-06-21 17:22]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{260b1de6-7b87-11dc-beb2-000795316acb}]
\Shell\AutoRun\command - H:\LaunchU3.exe
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-20 21:05:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-20 21:06:36
ComboFix-quarantined-files.txt 2008-08-21 01:06:32
ComboFix2.txt 2008-08-20 00:31:28

Pre-Run: 78,489,554,944 bytes free
Post-Run: 78,514,462,720 bytes free

164 --- E O F --- 2008-08-20 07:00:14

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:12:23 PM, on 8/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\ATI\Catalyst Media Center\CMCService.exe
C:\Util\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\713xRMT.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\Util\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Util\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Util\Spy Sweeper\SpySweeper.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Util\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Util\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [PtiuPbmd] "Rundll32.exe" ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CMCService] "C:\Program Files\ATI\Catalyst Media Center\CMCService.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Util\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [LanguageShortcut] C:\Util\PowerDVD\Language\Language.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TV Card Remote Control Device Monitor] C:\WINDOWS\713xRMT.exe
O4 - HKLM\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Gaming Software\LWEMon.exe" /noui
O4 - HKLM\..\Run: [SpySweeper] C:\Util\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TV Expert Schedule Agent.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1202578664579
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Util\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Util\Spy Sweeper\SpySweeper.exe

--
End of file - 5945 bytes

#8 steamwiz

Posted 22 August 2008 - 04:03 PM

Hi

You are running an out-of-date version of Java.

Go to Add/Remove Programs and uninstall any earlier versions; in your case:

Java™ 6 Update 3

Then you can go here and install the latest version of Java.

http://java.sun.com/javase/downloads/index.jsp

Scroll down the page to 'Java Runtime Environment (JRE) 6 Update 7' and press the 'Download' button.


Running an out-of-date version of Java is an infection risk, as it can be exploited by malware.


THEN...

Go to Start > Run > copy and paste ComboFix /u into the Open: box & press OK


This will uninstall ComboFix, delete any of its related folders and files (Qoobox, VundoFix Backups, Avenger, Deckard, _OTMoveIt), reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E


#9 JeepinCJ (Topic Starter)

Posted 25 August 2008 - 05:34 PM

So I'm still getting some threats from NOD32....

This guy? "PtiuPbmd"="Rundll32.exe" [08/04/2004 08:00 AM C:\WINDOWS\system32\rundll32.exe]

Here's the NOD log of the last three threats...


FYI... the SnapStream files have since been deleted.


Thanks!

Andy

Time: 8/23/2008 20:18:52 PM
Module: AMON
Object: file
Name: C:\Documents and Settings\JeepinCJ\Local Settings\Temporary Internet Files\Content.IE5\IVGJQVQT\updater[1].html
Threat: a variant of Win32/Adware.Virtumonde.NAE application
Action: quarantined - deleted
User: ANDYS-PC\JeepinCJ
Information: Event occurred on a newly created file. The file was moved to quarantine. You may close this window.

Time: 8/23/2008 20:18:51 PM
Module: AMON
Object: file
Name: C:\Documents and Settings\JeepinCJ\My Documents\Downloads\SnapStream Media Beyond TV v4.6.1.3939\runUpdater.html
Threat: a variant of Win32/Adware.Virtumonde.NAE application
Action: quarantined - deleted
User: ANDYS-PC\JeepinCJ
Information: Event occurred on a new file created by the application: C:\Downloader.exe. The file was moved to quarantine. You may close this window.

Time: 8/23/2008 20:18:27 PM
Module: IMON
Object: file
Name: h**p://www.hotlinkfiles.com/files/1466446_zuk47/updater.html
Threat: a variant of Win32/Adware.Virtumonde.NAE application
User: ANDYS-PC\JeepinCJ


Deckard's System Scanner v20071014.68
Run by JeepinCJ on 2008-08-25 18:27:24
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as JeepinCJ.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:27:27 PM, on 8/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Util\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Util\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\ATI\Catalyst Media Center\CMCService.exe
C:\Util\PowerDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\713xRMT.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\Util\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Util\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\JeepinCJ\Desktop\dss.exe
C:\Util\HIJACK~1\JeepinCJ.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [PtiuPbmd] "Rundll32.exe" ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CMCService] "C:\Program Files\ATI\Catalyst Media Center\CMCService.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Util\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [LanguageShortcut] C:\Util\PowerDVD\Language\Language.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TV Card Remote Control Device Monitor] C:\WINDOWS\713xRMT.exe
O4 - HKLM\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Gaming Software\LWEMon.exe" /noui
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WINCINEMAMGR] "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Util\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ATI Remote Control] "C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1202578664579
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Util\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Util\Spy Sweeper\SpySweeper.exe

--
End of file - 6403 bytes

-- Files created between 2008-07-25 and 2008-08-25 -----------------------------

2008-08-25 18:09:33 0 d-------- C:\WINDOWS\LastGood
2008-08-25 17:38:09 0 d-------- C:\Documents and Settings\JeepinCJ\Application Data\Intervideo
2008-08-25 17:38:06 10752 -----n--- C:\WINDOWS\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
2008-08-25 17:37:46 1048576 --a------ C:\WINDOWS\system32\DM.dll <Not Verified; Intervideo®, Inc.; Intervideo Foundation Class™>
2008-08-25 17:37:32 155648 --a------ C:\WINDOWS\system32\log4cpp.dll <Not Verified; Bastiaan Bakker, LifeLine Networks bv; Log library for C++>
2008-08-25 17:37:32 499712 --a------ C:\WINDOWS\system32\iviIPLW7.dll <Not Verified; InterVideo Inc.,; InterVideo Inc., iviIPLW7>
2008-08-25 17:37:32 466944 --a------ C:\WINDOWS\system32\iviIPLPX.dll <Not Verified; InterVideo Inc.,; InterVideo Inc., iviIPLPX>
2008-08-25 17:37:32 442368 --a------ C:\WINDOWS\system32\iviIPLP6.dll <Not Verified; InterVideo Inc.,; InterVideo Inc., iviIPLP6>
2008-08-25 17:37:32 434176 --a------ C:\WINDOWS\system32\iviIPLM6.dll <Not Verified; InterVideo Inc.,; InterVideo Inc., iviIPLM6>
2008-08-25 17:37:32 421888 --a------ C:\WINDOWS\system32\iviIPLM5.dll <Not Verified; InterVideo Inc.,; InterVideo Inc., iviIPLM5>
2008-08-25 17:37:32 491520 --a------ C:\WINDOWS\system32\iviIPLA6.dll <Not Verified; InterVideo Inc.,; InterVideo Inc., iviIPLA6>
2008-08-25 17:37:32 466944 --a------ C:\WINDOWS\system32\iviIPL.dll <Not Verified; InterVideo Inc.,; InterVideo Inc., iviIPL>
2008-08-25 17:37:24 0 d-------- C:\Documents and Settings\All Users\Application Data\InterVideo
2008-08-25 17:37:16 45056 --a------ C:\WINDOWS\system32\WSTDEC.dll <Not Verified; Philips Semiconductors; Windows Teletext Broser>
2008-08-25 17:37:16 98304 --a------ C:\WINDOWS\system32\VbiCallback.dll <Not Verified; Philips Semiconductors; >
2008-08-25 17:37:14 204800 --a------ C:\WINDOWS\system32\IVIresizeW7.dll
2008-08-25 17:37:14 188416 --a------ C:\WINDOWS\system32\IVIresizePX.dll
2008-08-25 17:37:14 192512 --a------ C:\WINDOWS\system32\IVIresizeP6.dll
2008-08-25 17:37:14 192512 --a------ C:\WINDOWS\system32\IVIresizeM6.dll
2008-08-25 17:37:14 200704 --a------ C:\WINDOWS\system32\IVIresizeA6.dll
2008-08-25 17:37:14 20480 --a------ C:\WINDOWS\system32\IVIresize.dll
2008-08-25 17:37:09 0 d-------- C:\Program Files\Common Files\InterVideo
2008-08-25 17:37:06 0 d-------- C:\Program Files\InterVideo
2008-08-24 12:38:09 0 d-------- C:\Documents and Settings\All Users\Application Data\SnapStream
2008-08-24 12:32:58 0 d-------- C:\WINDOWS\system32\URTTemp
2008-08-23 20:21:58 0 d---s---- C:\Documents and Settings\JeepinCJ\UserData
2008-08-23 20:18:09 21818 --a------ C:\Downloader.exe
2008-08-22 16:35:11 0 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-21 18:39:02 0 d-------- C:\Program Files\Common Files\ATI
2008-08-19 20:22:57 0 d-------- C:\cmdcons
2008-08-19 20:22:27 68096 --a------ C:\WINDOWS\zip.exe
2008-08-19 20:22:27 49152 --a------ C:\WINDOWS\VFind.exe
2008-08-19 20:22:27 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-08-19 20:22:27 98816 --a------ C:\WINDOWS\sed.exe
2008-08-19 20:22:27 80412 --a------ C:\WINDOWS\grep.exe
2008-08-19 20:22:27 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-08-19 20:22:26 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-08-19 20:22:26 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-08-13 21:49:56 0 d-------- C:\Documents and Settings\JeepinCJ\Application Data\Malwarebytes
2008-08-13 21:49:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-05 22:24:48 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-08-05 22:24:48 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-08-05 22:24:48 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-08-05 22:24:48 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-08-05 22:24:48 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-08-05 22:24:48 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-08-05 22:24:48 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-08-05 22:24:48 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-08-05 22:24:48 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-08-05 22:24:48 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-08-05 22:24:48 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-08-05 22:24:48 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-08-05 22:24:48 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-08-05 22:24:48 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-08-05 21:57:31 0 d--hs---- C:\WINDOWS\CSC
2008-08-04 17:26:08 0 d-------- C:\WINDOWS\system32\xlive
2008-08-02 23:33:22 0 d-------- C:\Program Files\DIFX
2008-08-02 23:33:13 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-08-02 23:26:05 0 d-------- C:\WINDOWS\system32\Lang
2008-08-02 20:15:06 0 d-------- C:\Program Files\Empire Interactive
2008-08-02 17:35:17 8388608 --a------ C:\Documents and Settings\JeepinCJ\ntuser.dat
2008-08-02 17:28:20 0 d-------- C:\Program Files\ARCA Remax
2008-08-02 15:34:20 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-08-02 15:33:56 0 d-------- C:\Program Files\Logitech
2008-08-02 15:33:56 0 d-------- C:\Program Files\Common Files\Logitech
2008-08-02 12:18:41 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-08-02 12:16:43 466944 -ra------ C:\WINDOWS\713xRMT.exe <Not Verified; ; TV Card>
2008-08-02 12:15:59 0 d-------- C:\WINDOWS\MyInstall
2008-08-02 11:39:29 0 d-------- C:\WINDOWS\nview
2008-08-02 11:39:09 0 d-------- C:\NVIDIA
2008-08-02 07:20:57 49152 -ra------ C:\WINDOWS\system32\ChCfg.exe
2008-08-02 07:20:39 0 d-------- C:\WINDOWS\system32\RTCOM
2008-08-02 07:19:33 0 d-------- C:\Program Files\Realtek
2008-08-02 07:19:28 520192 -r------- C:\WINDOWS\RtlExUpd.dll <Not Verified; Realtek Semiconductor Corp.; RtlExUpd Dynamic Link Library>
2008-08-02 07:19:28 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2008-08-02 07:12:32 0 d-------- C:\WINDOWS\ASUSInstAll
2008-08-02 07:10:08 22 --a------ C:\WINDOWS\FileName
2008-08-02 07:09:57 0 d-------- C:\Program Files\NVIDIA Corporation
2008-08-02 07:08:51 1732 -ra------ C:\WINDOWS\system32\drivers\nvphy.bin
2008-08-02 07:08:38 0 d-------- C:\Documents and Settings\JeepinCJ\Application Data\InstallShield
2008-08-02 07:01:10 0 d-------- C:\WINDOWS\Prefetch


-- Find3M Report ---------------------------------------------------------------

2008-08-25 17:41:22 0 d-------- C:\Documents and Settings\JeepinCJ\Application Data\uTorrent
2008-08-25 17:37:28 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-08-25 17:37:09 0 d-------- C:\Program Files\Common Files
2008-08-24 22:53:18 0 d-------- C:\Documents and Settings\JeepinCJ\Application Data\Juniper Networks
2008-08-21 18:39:00 0 d-------- C:\Program Files\ATI Multimedia
2008-08-02 15:44:06 8464 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-08-02 06:53:47 22720 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-07-18 17:53:14 0 d-------- C:\Program Files\Yahoo!
2008-07-03 18:47:11 0 d-------- C:\Documents and Settings\JeepinCJ\Application Data\Yahoo!


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PtiuPbmd"="Rundll32.exe" [08/04/2004 08:00 AM C:\WINDOWS\system32\rundll32.exe]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [04/26/2002 05:17 AM]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [10/15/2007 05:27 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
"CMCService"="C:\Program Files\ATI\Catalyst Media Center\CMCService.exe" [06/29/2006 04:39 PM]
"RemoteControl"="C:\Util\PowerDVD\PDVDServ.exe" [12/07/2005 10:57 PM]
"LanguageShortcut"="C:\Util\PowerDVD\Language\Language.exe" [05/18/2006 11:29 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"RTHDCPL"="RTHDCPL.EXE" [09/27/2007 02:20 AM C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [08/03/2007 01:22 AM C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="RUNDLL32.exe" [08/04/2004 08:00 AM C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [05/16/2008 02:01 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [08/04/2004 08:00 AM C:\WINDOWS\system32\rundll32.exe]
"TV Card Remote Control Device Monitor"="C:\WINDOWS\713xRMT.exe" [03/17/2008 05:14 AM]
"Start WingMan Profiler"="C:\Program Files\Logitech\Gaming Software\LWEMon.exe" [04/04/2008 11:38 AM]
"Home Theater SchSvr"="C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe" [09/20/2004 02:53 AM]
"WINCINEMAMGR"="C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe" [09/20/2004 02:06 AM]
"SpySweeper"="C:\Util\Spy Sweeper\SpySweeperUI.exe" [03/01/2007 07:55 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [02/16/2006 01:02 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{260b1de6-7b87-11dc-beb2-000795316acb}]
AutoRun\command- H:\LaunchU3.exe




-- End of Deckard's System Scanner: finished at 2008-08-25 18:27:52 ------------

Edited by steamwiz, 26 August 2008 - 05:13 PM.


#10 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:02:51 PM

Posted 26 August 2008 - 06:15 PM

Hi

At this time, 8/23/2008 20:18:27 PM, you visited a website which ran an exploit ... (the one mentioned above)
This file set in motion a series of malware downloads C:\Downloader.exe > SnapStream Media Beyond TV ... >

Make sure this file has been deleted :- C:\Downloader.exe

This guy? "PtiuPbmd"="Rundll32.exe" [08/04/2004 08:00 AM C:\WINDOWS\system32\rundll32.exe]


Installed with the miniport drivers for Promise hard drive controllers in both RAID and non-RAID installations

It's a dll file ... ptipbm.dll

As shown in HijackThis :- O4 - HKLM\..\Run: [PtiuPbmd] "Rundll32.exe" ptipbm.dll,SetWriteBack

DLL files (unlike an EXE file) need another file to run them ...

they are run by "Rundll32.exe" ... full path C:\WINDOWS\system32\rundll32.exe

This entry just points to the file which is running the DLL file ... what is your concern with it?

Also you haven't updated your Java ... Vundo (Virtumonde) exploits older versions of Java...

Please download CCleaner from :-

http://www.filehippo.com/download_ccleaner/ (click the download tab)

During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.

Double-click the ccsetup.exe file and install the program...

After installing, go to Start > Programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

Make sure the "windows" tab is selected

Under "internet explorer" tick...

Temporary internet files
Cookies* > see Note below
History
Recently typed URLs
(leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
Delete index.dat files
Last download location
Autocomplete form history


Under "Windows Explorer" these are optional, but you can safely tick them all if you wish; they are only "most recently used" lists.

Other Explorer MRUs
(leave this unticked if you DON'T want to clear lists such as the start\run list)

under "System"

Tick ALL these ...


under "Advanced"

no need to tick any of these (but you can if you want, and realise what they do)


Applications tab...

These will mostly clean out old log files for these applications...

Clean:- (if you use them)

Firefox/Mozilla (optional - leave the cookies - see note)
Opera
Sun Java
ZoneAlarm

...
Personally I clean everything in the applications tab... but you tick what you want...

Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.

click "analyse" if you want to see a list of what is going to be removed, before it is removed.

Or

click "run cleaner" to let it get on with its work... clicking this will result in the following pop-up

"This process will permanently delete files from your system. Are you sure you wish to proceed?"

click OK.

cheers

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
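An added triage helper, not code from the thread, from HijackThis or from Deckard's System Scanner: it parses O4 Run-key lines and reports the DLL and entry point that a "Rundll32.exe" entry actually loads, which is the file steamwiz says to look at rather than the host process the scanner log shows. Only the PtiuPbmd line is from the thread; the other sample lines are constructed, and the NvCpl.dll path is an assumption.

```python
import ntpath
import re

# HijackThis O4 line: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# rundll32 syntax: <dll>,<entrypoint> [args]; the dll may be double-quoted
DLL_SPEC_RE = re.compile(
    r'^\s*(?:"(?P<q>[^"]+)"|(?P<u>[^\s,]+))(?:,(?P<entry>\S*))?(?:\s+(?P<args>.*))?$')


def split_head(cmd: str):
    """Split a Windows command line into (program, remainder), honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:], "") if end == -1 else (cmd[1:end], cmd[end + 1:].strip())
    parts = cmd.split(None, 1)
    if not parts:
        return "", ""
    return parts[0], (parts[1] if len(parts) > 1 else "")


def parse_o4(line: str):
    """Describe what a Run entry really executes; None if the line is not O4."""
    m = O4_RE.match(line)
    if not m:
        return None
    host, rest = split_head(m.group("cmd"))
    rec = {"hive": m.group("hive"), "name": m.group("name"), "host": host,
           "target": host, "entry": None, "args": rest, "bare_name": False}
    if ntpath.basename(host).lower() == "rundll32.exe":
        spec = DLL_SPEC_RE.match(rest)
        if spec:  # the item to review is the DLL, not rundll32.exe itself
            rec.update(target=spec.group("q") or spec.group("u"),
                       entry=spec.group("entry"), args=spec.group("args") or "")
    # A bare file name is found via the loader's search order, so the analyst
    # still has to locate which copy on disk is the one actually loaded.
    rec["bare_name"] = ntpath.dirname(rec["target"]) == ""
    return rec


# Constructed sample input in O4 format; only the PtiuPbmd line is from the thread.
SAMPLE_O4 = [
    'O4 - HKLM\\..\\Run: [PtiuPbmd] "Rundll32.exe" ptipbm.dll,SetWriteBack',
    'O4 - HKLM\\..\\Run: [nod32kui] "C:\\Program Files\\Eset\\nod32kui.exe"',
    'O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup',
]


def triage(lines):
    """Parse every O4 line, skipping anything that is not an O4 entry."""
    return [r for r in (parse_o4(ln) for ln in lines) if r]


if __name__ == "__main__":
    for r in triage(SAMPLE_O4):
        print(f'{r["name"]:<12} host={r["host"]:<36} review={r["target"]} '
              f'entry={r["entry"]} bare_name={r["bare_name"]}')
```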

#11 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:02:51 PM

Posted 28 September 2008 - 03:01 PM

Due to lack of feedback, this thread is now treated as resolved and duly closed.

If the original poster would like it re-opened, please send me a PM with a link to this thread.

cheers

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
