Win32/Adware.Virtumonde & Win32/PrivacyRemover.M64 [RESOLVED]

Aug 17 2008, 05:41 PM, Post #1
New Member, Posts: 8, OS: XP
[08/17/2008, 19:28:43] - Detected System Information:
[08/17/2008, 19:28:43] - Windows Version: 5.1.2600, Service Pack 2
[08/17/2008, 19:28:43] - Current Username: Steve Rogers (Admin)
[08/17/2008, 19:28:43] - Windows is in NORMAL mode.
[08/17/2008, 19:28:43] - Searching for Browser Helper Objects:
[08/17/2008, 19:28:43] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[08/17/2008, 19:28:43] - BHO 2: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[08/17/2008, 19:28:43] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/17/2008, 19:28:43] - Finished Searching Browser Helper Objects
[08/17/2008, 19:28:43] - Finishing up...
[08/17/2008, 19:28:43] - Nothing found! Exiting...

[08/17/2008, 19:35:51] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Steve Rogers\Desktop\VirtumundoBeGone.exe" )
[08/17/2008, 19:35:52] - User choose NOT to continue. Exiting...

[08/17/2008, 19:36:02] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Steve Rogers\Desktop\VirtumundoBeGone.exe" )
[08/17/2008, 19:36:04] - Detected System Information:
[08/17/2008, 19:36:04] - Windows Version: 5.1.2600, Service Pack 2
[08/17/2008, 19:36:04] - Current Username: Steve Rogers (Admin)
[08/17/2008, 19:36:04] - Windows is in NORMAL mode.
[08/17/2008, 19:36:04] - Searching for Browser Helper Objects:
[08/17/2008, 19:36:04] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[08/17/2008, 19:36:04] - BHO 2: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[08/17/2008, 19:36:04] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/17/2008, 19:36:04] - Finished Searching Browser Helper Objects
[08/17/2008, 19:36:04] - Finishing up...
[08/17/2008, 19:36:04] - Nothing found! Exiting...

[08/17/2008, 19:39:48] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Steve Rogers\Desktop\VirtumundoBeGone.exe" )
[08/17/2008, 19:39:48] - Detected System Information:
[08/17/2008, 19:39:48] - Windows Version: 5.1.2600, Service Pack 2
[08/17/2008, 19:39:48] - Current Username: Steve Rogers (Admin)
[08/17/2008, 19:39:48] - Windows is in NORMAL mode.
[08/17/2008, 19:39:48] - Searching for Browser Helper Objects:
[08/17/2008, 19:39:48] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[08/17/2008, 19:39:48] - BHO 2: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[08/17/2008, 19:39:48] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/17/2008, 19:39:48] - Finished Searching Browser Helper Objects
[08/17/2008, 19:39:48] - Finishing up...
[08/17/2008, 19:39:48] - Nothing found! Exiting...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:38:01 PM, on 8/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O20 - Winlogon Notify: __c008AD9 - C:\WINDOWS\system32\__c008AD9.dat (file missing)
O20 - Winlogon Notify: __c00A0464 - C:\WINDOWS\system32\__c00A0464.dat (file missing)
O20 - Winlogon Notify: __c00FE19E - C:\WINDOWS\system32\__c00FE19E.dat
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\ComPlus Applications\rtejeja.html

--
End of file - 5538 bytes

Thanks!
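Added example, not part of the thread and not code from HijackThis or ComboFix: a small Python triage script that applies the same reading an analyst gives the log above. It parses the section-coded entries, flags the Winlogon Notify DLLs with the `__c0xxxxxx.dat` naming pattern (including the two whose files are already gone, leaving orphaned registry keys), the O24 Active Desktop component pointing at a local HTML file, and services with no publisher string, and then diffs a before/after pair of logs so you can see what a cleanup actually removed. The sample entries are copied from the posted log; the regexes and the choice of sections to inspect are the author's own heuristics, not an official HijackThis rule set.

```python
"""Triage a HijackThis log for Vundo/Virtumonde-style persistence and diff two logs.

Added example: this is not code from the thread or from HijackThis. The sample
lines in BEFORE are copied from the logs posted above; the regexes and the list
of "interesting" sections are the author's own heuristics, not an official
HijackThis rule set.
"""
import re
from typing import Iterator, List, Optional, Set, Tuple

# Every HJT entry starts with a section code: "O20 - Winlogon Notify: ..."
HJT_LINE = re.compile(r"^(?P<section>[ROF]\d{1,2}) - (?P<body>.*)$")

# Virtumonde-era Winlogon Notify DLLs were dropped into system32 with names like
# __c00FE19E.dat; "(file missing)" means the registry key outlived the file.
VUNDO_NOTIFY = re.compile(
    r"Winlogon Notify: (?P<name>__c[0-9A-Fa-f]{6,8}) - (?P<path>.+?)(?: \(file missing\))?$"
)
HTML_PATH = re.compile(r"\.html?$", re.IGNORECASE)

Entry = Tuple[str, str]  # (section, body)


def parse(log: str) -> Iterator[Entry]:
    """Yield (section, body) for each entry; the header and process list are skipped."""
    for raw in log.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body")


def flag(section: str, body: str) -> Optional[str]:
    """Return why an entry deserves a second look, or None if nothing stands out."""
    if section == "O20":
        m = VUNDO_NOTIFY.search(body)
        if m:
            why = "Winlogon Notify DLL with Vundo-style name " + m.group("name")
            if "(file missing)" in body:
                why += " (orphaned key, file already gone)"
            return why
    if section == "O24" and HTML_PATH.search(body):
        return "Active Desktop component backed by a local HTML file (wallpaper hijack)"
    if section == "O23" and "Unknown owner" in body:
        return "service with no publisher string; verify the binary"
    return None


def triage(log: str) -> List[Tuple[str, str, str]]:
    """All flagged entries as (section, body, reason)."""
    out = []
    for section, body in parse(log):
        reason = flag(section, body)
        if reason:
            out.append((section, body, reason))
    return out


def diff(before: str, after: str) -> Tuple[Set[Entry], Set[Entry]]:
    """(entries that disappeared, entries that appeared) between two logs of one host."""
    b, a = set(parse(before)), set(parse(after))
    return b - a, a - b


# Constructed sample: the relevant entries copied from the 8/17 log in the thread.
BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: __c008AD9 - C:\WINDOWS\system32\__c008AD9.dat (file missing)
O20 - Winlogon Notify: __c00A0464 - C:\WINDOWS\system32\__c00A0464.dat (file missing)
O20 - Winlogon Notify: __c00FE19E - C:\WINDOWS\system32\__c00FE19E.dat
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\ComPlus Applications\rtejeja.html
"""

# Constructed sample: the same host after cleanup (the O20 entries are gone, the O24 is not),
# which mirrors what the second log in the thread shows.
AFTER = "\n".join(line for line in BEFORE.splitlines() if not line.startswith("O20"))

if __name__ == "__main__":
    for section, body, reason in triage(BEFORE):
        print(f"{section}: {reason}\n    {body}")
    gone, new = diff(BEFORE, AFTER)
    print(f"\n{len(gone)} entries removed, {len(new)} added after cleanup")
    for section, body in sorted(gone):
        print(f"  - {section} - {body}")
```

Run it as a script to see the flagged entries and the diff. The "Unknown owner" flag is deliberately a prompt to verify, not a verdict: PnkBstrA/B are PunkBuster components that ship without a publisher string, so the check only tells you where to look. The diff is the part worth keeping around: it shows that a cleanup that removes the O20 keys can still leave the O24 desktop component behind.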
Aug 20 2008, 02:11 PM, Post #2
Anti-Malware Buddha, Posts: 1,112, From: New England, USA, OS: XP Pro SP2 ~ Vista Ultimate ~ Ubuntu
Hi and welcome to the forums here at G2G!

First, use ATF Cleaner to remove temp files, cookies, cache, etc. Please download ATF Cleaner by Atribune.
Under Main choose: Select All. Click the Empty Selected button.
Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please download Malwarebytes' Anti-Malware from Here or Here. Double-click mbam-setup.exe to install the application.
Aug 20 2008, 02:35 PM, Post #3
New Member, Posts: 8, OS: XP
Just so you know, I was reading some other threads with my problem and I followed the same instructions. I see that you are helping Helpmeee with the same problem... Well, he double posted and is being helped by Sarah... http://www.geekstogo.com/forum/Help-PLEASE...64-t208626.html

I followed all of those instructions... here is the latest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:34:58 PM, on 8/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\ComPlus Applications\rtejeja.html

--
End of file - 5530 bytes

Thanks!!!!!!!
Aug 20 2008, 02:41 PM, Post #4
Anti-Malware Buddha, Posts: 1,112, From: New England, USA, OS: XP Pro SP2 ~ Vista Ultimate ~ Ubuntu
Hi and thanks for the heads up on the double post, I'll close mine.
Can you post the log from MBAM too and let me know how it's running. Thanks
Aug 20 2008, 02:46 PM, Post #5
Anti-Malware Buddha, Posts: 1,112, From: New England, USA, OS: XP Pro SP2 ~ Vista Ultimate ~ Ubuntu
Also post your log from combofix.
Aug 20 2008, 03:10 PM, Post #6
New Member, Posts: 8, OS: XP
1601-01-01 00:00:00 0 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\MCROSO~1\M?crosoft\
1980-08-17 00:00:00 25,088 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\__c00B0A3B.dat.vir
2003-08-13 16:08:12 36,864 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\packet.dll.vir
2003-08-13 16:08:15 135,168 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\wpcap.dll.vir
2005-09-02 22:48:30 178,718 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\gjjlm.bak1.vir
2005-09-07 22:05:26 180,046 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\gjjlm.tmp.vir
2005-09-07 23:08:06 180,046 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\gjjlm.ini.vir
2005-09-23 00:21:39 422,751 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\gjjlm.bak2.vir
2005-09-23 00:25:02 423,189 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\gjjlm.ini2.vir
2007-04-26 05:30:14 29,184 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\MSINET.oca.vir
2007-08-19 02:10:43 93 C:\Qoobox\Quarantine\C\WINDOWS\wr.txt.vir
2007-08-19 02:11:22 1,289 C:\Qoobox\Quarantine\C\Documents and Settings\Steve Rogers\Application Data\WinAntiSpyware 2006\Logs\update.log.vir
2007-08-19 14:12:51 1,599,402 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\npqss.bak2.vir
2007-08-20 14:12:59 1,603,306 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\npqss.bak1.vir
2007-08-20 20:20:23 424 C:\Qoobox\Quarantine\C\WINDOWS\cookies.ini.vir
2007-08-20 21:00:36 1,229,852 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\aqnxbgnt.ini.vir
2007-08-20 22:00:22 1,606,135 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\npqss.ini.vir
2008-02-10 19:53:48 84 C:\Qoobox\Quarantine\C\Documents and Settings\Steve Rogers\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol.vir
2008-03-28 03:23:57 139 C:\Qoobox\Quarantine\C\Documents and Settings\Steve Rogers\Application Data\Macromedia\Flash Player\#SharedObjects\65RCKT6H\interclick.com\ud.sol.vir
2008-08-17 05:11:12 195,072 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\lphc3kej0epf1.exe.vir
2008-08-17 21:10:22 32,768 C:\Qoobox\Quarantine\C\Documents and Settings\Steve Rogers\UserData\index.dat.vir
2008-08-17 21:12:15 625,208 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\phc3kej0epf1.bmp.vir
2008-08-17 21:12:17 118,784 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\blphc3kej0epf1.scr.vir
2008-08-18 21:15:48 25,088 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\__c00FE19E.dat.vir
2008-08-19 00:59:12 1,164 C:\Qoobox\Quarantine\C\Documents and Settings\Steve Rogers\Cookies\steve_rogers@main.ebayrtm[1].txt.vir
2008-08-19 01:00:12 1,805 C:\Qoobox\Quarantine\C\Documents and Settings\Steve Rogers\Cookies\steve_rogers@ebay[2].txt.vir
2008-08-19 01:29:38 1,629 C:\Qoobox\Quarantine\C\Documents and Settings\Steve Rogers\Cookies\steve_rogers@ad.yieldmanager[2].txt.vir
2008-08-19 01:52:36 2,262 C:\Qoobox\Quarantine\Registry_backups\Service_NPF.reg.dat
2008-08-19 01:52:46 54 C:\Qoobox\Quarantine\catchme.log
2008-08-19 01:55:34 0 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CFSServ.exe.reg.dat
2008-08-19 01:55:34 0 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NDSTray.exe.reg.dat
2008-08-19 01:55:34 0 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TFncKy.reg.dat
2008-08-19 01:55:38 550 C:\Qoobox\Quarantine\Registry_backups\Notify-__c008AD9.reg.dat
2008-08-19 01:55:38 554 C:\Qoobox\Quarantine\Registry_backups\Notify-__c00A0464.reg.dat
2008-08-19 01:55:38 554 C:\Qoobox\Quarantine\Registry_backups\Notify-__c00FE19E.reg.dat
2008-08-19 01:55:39 568 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-ctfmon.reg.dat
2008-08-19 01:55:39 568 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-WinPop.reg.dat
2008-08-19 01:55:39 600 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-ExploreUpdSched.reg.dat
2008-08-19 01:55:39 602 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-{C5-5D-D3-30-ZN}.reg.dat
2008-08-19 01:55:39 606 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Uaol.reg.dat
2008-08-19 01:55:39 618 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-meveqazi.reg.dat
2008-08-19 01:55:39 640 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-MsnMsgr.reg.dat
2008-08-19 01:55:39 732 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-runner1.reg.dat

Malwarebytes' Anti-Malware 1.25
Database version: 1068
Windows 5.1.2600 Service Pack 2

10:31:22 PM 8/18/2008
mbam-log-08-18-2008 (22-31-22).txt

Scan type: Full Scan (C:\|)
Objects scanned: 94172
Time elapsed: 19 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\blphc3kej0epf1.scr (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\umwdf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\umwdf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\umwdf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphc3kej0epf1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\wdfmgr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\blphc3kej0epf1.scr (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\lphc3kej0epf1.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\phc3kej0epf1.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ClickToFindandFixErrors_US.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Cookies\bumo.reg (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\jababug.inf (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\uwux.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\jiceji._sy (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\esycire._dl (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\Steve Rogers\Local Settings\temp\.ttE.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Cookies\syssp.exe (Fake.Dropped.Malware) -> Delete on reboot.

Thanks!!!!
Aug 20 2008, 03:35 PM, Post #7
Anti-Malware Buddha, Posts: 1,112, From: New England, USA, OS: XP Pro SP2 ~ Vista Ultimate ~ Ubuntu
If you have the combofix log that would help too. It should be located at:
C:\combofix.txt

Let me know if you can't find it.
Aug 20 2008, 03:53 PM, Post #8
New Member, Posts: 8, OS: XP
ComboFix 08-08-18.01 - Steve Rogers 2008-08-18 21:51:55.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2569 [GMT -4:00] Running from: C:\Documents and Settings\Steve Rogers\Desktop\ComboFix.exe * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\Steve Rogers\Application Data\macromedia\Flash Player\#SharedObjects\65RCKT6H\interclick.com C:\Documents and Settings\Steve Rogers\Application Data\macromedia\Flash Player\#SharedObjects\65RCKT6H\interclick.com\ud.sol C:\Documents and Settings\Steve Rogers\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com C:\Documents and Settings\Steve Rogers\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol C:\Documents and Settings\Steve Rogers\Application Data\WinAntiSpyware 2006 C:\Documents and Settings\Steve Rogers\Application Data\WinAntiSpyware 2006\Logs\update.log C:\Documents and Settings\Steve Rogers\Cookies\steve_rogers@ad.yieldmanager[2].txt C:\Documents and Settings\Steve Rogers\Cookies\steve_rogers@ebay[2].txt C:\Documents and Settings\Steve Rogers\Cookies\steve_rogers@main.ebayrtm[1].txt C:\Documents and Settings\Steve Rogers\UserData C:\Documents and Settings\Steve Rogers\UserData\index.dat C:\WINDOWS\cookies.ini C:\WINDOWS\mbols~1 C:\WINDOWS\system32\__c00B0A3B.dat C:\WINDOWS\system32\__c00FE19E.dat C:\WINDOWS\system32\aqnxbgnt.ini C:\WINDOWS\system32\blphc3kej0epf1.scr C:\WINDOWS\system32\f02WtR C:\WINDOWS\SYSTEM32\gjjlm.bak1 C:\WINDOWS\SYSTEM32\gjjlm.bak2 C:\WINDOWS\SYSTEM32\gjjlm.ini C:\WINDOWS\SYSTEM32\gjjlm.ini2 C:\WINDOWS\SYSTEM32\gjjlm.tmp C:\WINDOWS\system32\lphc3kej0epf1.exe C:\WINDOWS\system32\mcroso~1 C:\WINDOWS\system32\mcroso~1\M?crosoft\ C:\WINDOWS\system32\MSINET.oca C:\WINDOWS\SYSTEM32\npqss.bak1 C:\WINDOWS\SYSTEM32\npqss.bak2 C:\WINDOWS\SYSTEM32\npqss.ini 
C:\WINDOWS\system32\packet.dll C:\WINDOWS\system32\phc3kej0epf1.bmp C:\WINDOWS\system32\wpcap.dll C:\WINDOWS\wr.txt . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_NPF ((((((((((((((((((((((((( Files Created from 2008-07-19 to 2008-08-19 ))))))))))))))))))))))))))))))) . 2008-08-17 19:37 . 2008-08-17 19:37 <DIR> d-------- C:\Program Files\Trend Micro 2008-08-17 19:25 . 2008-08-17 19:25 <DIR> d-------- C:\VundoFix Backups 2008-08-14 13:29 . 2008-05-01 10:30 331,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll 2008-08-11 23:05 . 2008-08-11 23:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Musicnotes 2008-08-11 20:13 . 2008-08-11 20:13 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-08-11 20:13 . 2008-08-11 20:13 1,409 --a------ C:\WINDOWS\QTFont.for 2008-08-08 21:48 . 2008-08-08 21:48 <DIR> d-------- C:\Documents and Settings\Steve Rogers\Application Data\Uniblue . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2008-08-18 12:35 --------- d-----w C:\Documents and Settings\Steve Rogers\Application Data\AVG7 2008-08-14 19:10 --------- d-----w C:\Documents and Settings\Steve Rogers\Application Data\Corel 2008-07-05 00:14 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys 2008-07-01 03:18 --------- d-----w C:\Program Files\Lavasoft 2008-07-01 03:17 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2008-07-01 02:39 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-07-01 02:39 --------- d-----w C:\Program Files\ToniArts 2008-07-01 02:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft 2008-07-01 02:13 --------- d-----w C:\Documents and Settings\Steve Rogers\Application Data\Lavasoft 2008-07-01 01:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint 2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys 2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys 2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-08-07 13:54 6731312] "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-06-27 15:37 580096] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 09:28 219136] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0] Source= C:\Program Files\ComPlus Applications\rtejeja.html FriendlyName= [HKLM\~\startupfolder\C:^Documents and Settings^Steve Rogers^Start Menu^Programs^Startup^TA_Start.lnk] path=C:\Documents and Settings\Steve Rogers\Start Menu\Programs\Startup\TA_Start.lnk backup=C:\WINDOWS\pss\TA_Start.lnkStartup [HKLM\~\startupfolder\C:^Documents and Settings^Steve Rogers^Start Menu^Programs^Startup^Think-Adz.lnk] path=C:\Documents and Settings\Steve Rogers\Start Menu\Programs\Startup\Think-Adz.lnk backup=C:\WINDOWS\pss\Think-Adz.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Blqakbqi] C:\WINDOWS\??mbols\l?gonui.exe [?] 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla] --a------ 2004-08-13 02:05 122939 C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher] --------- 2004-10-12 17:54 57344 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray] --a------ 2004-08-10 05:04 59392 C:\WINDOWS\EHOME\EHTRAY.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif] --a------ 2004-06-29 12:23 135168 C:\Program Files\Intel\Intel Application Accelerator\IAAnotif.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] --a------ 2007-11-15 14:11 267048 C:\Program Files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask] --a------ 2004-09-14 09:50 53248 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] --a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2007-11-15 00:43 286720 C:\Program Files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray] --a------ 2005-05-18 03:21 26112 C:\Program Files\Real\RealPlayer\realplay.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] --a------ 2007-09-25 02:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg] --------- 2000-05-11 02:00 90112 C:\WINDOWS\Updreg.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper] --a------ 2004-03-11 10:50 28672 C:\WINDOWS\SYSTEM32\CTHELPER.EXE 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Documents and Settings\\Steve Rogers\\Desktop\\Crap\\The All-Seeing Eye\\eye.exe"= "C:\\Return to Castle Wolfenstein\\WolfMP.exe"= "C:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"= "C:\\Wolfenstein - Enemy Territorybackup\\ET.exe"= "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"= "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"= "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"= "C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\MidTen Media\\Comic Collector Live\\CCL.exe"= "C:\\Program Files\\Messenger\\msmsgs.exe"= "C:\\Documents and Settings\\Steve Rogers\\Desktop\\Crap\\Return to Castle Wolfenstein\\WolfMP.exe"= "C:\\Documents and Settings\\Steve Rogers\\Desktop\\Crap\\Wolfenstein - Enemy Territory\\ETDED.exe"= . Contents of the 'Scheduled Tasks' folder 2008-08-17 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57] 2008-08-19 C:\WINDOWS\Tasks\RegCure Program Check.job - C:\Program Files\RegCure\RegCure.exe [] 2008-08-14 C:\WINDOWS\Tasks\RegCure.job - C:\Program Files\RegCure\RegCure.exe [] . 
- - - - ORPHANS REMOVED - - - -

Notify-__c008AD9 - C:\WINDOWS\system32\__c008AD9.dat
Notify-__c00A0464 - C:\WINDOWS\system32\__c00A0464.dat
Notify-__c00FE19E - C:\WINDOWS\system32\__c00FE19E.dat
MSConfigStartUp-ctfmon - C:\WINDOWS\system32\ctfmon.exe
MSConfigStartUp-ExploreUpdSched - C:\WINDOWS\system32\lwinomdt.exe
MSConfigStartUp-meveqazi - C:\Program Files\MSN Gaming Zone\meveqazi22011.exe
MSConfigStartUp-MsnMsgr - C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
MSConfigStartUp-runner1 - C:\WINDOWS\retadpu1000106.exe
MSConfigStartUp-Uaol - C:\WINDOWS\system32\MCROSO~1\wowexec.exe
MSConfigStartUp-WinPop - C:\Program Files\WinPop\winpop.exe
MSConfigStartUp-{C5-5D-D3-30-ZN} - c:\windows\system32\dwdsrngt.exe

.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://google.com/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-18 21:54:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
C:\WINDOWS\EHOME\ehRecvr.exe
C:\WINDOWS\EHOME\ehSched.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Intel\Intel Application Accelerator\IAANTmon.exe
C:\WINDOWS\SYSTEM32\PnkBstrA.exe
C:\WINDOWS\SYSTEM32\PnkBstrB.exe
C:\WINDOWS\SYSTEM32\DLLHOST.EXE
.
**************************************************************************
.
Completion time: 2008-08-18 21:55:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-19 01:55:48

Pre-Run: 286,684,102,656 bytes free
Post-Run: 286,731,984,896 bytes free

200 --- E O F --- 2008-08-15 02:15:54
Aug 20 2008, 03:58 PM, Post #9
Anti-Malware Buddha Posts: 1,112 From: New England, USA OS: XP Pro SP2 ~ Vista Ultimate ~ Ubuntu
Hi Steve,
Just one entry that is disabled with msconfig. Just don't want to see it get mistakenly re-enabled.

1. Please open Notepad
2. Now copy/paste the entire content of the codebox below into the Notepad window:

CODE
Folder::
C:\WINDOWS\??mbols

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Blqakbqi]

3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
Aug 20 2008, 04:29 PM, Post #10
New Member Posts: 8 OS: XP
ComboFix 08-08-19.05 - Steve Rogers 2008-08-20 18:26:03.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2498 [GMT -4:00]
Running from: C:\Documents and Settings\Steve Rogers\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Steve Rogers\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.
((((((((((((((((((((((((( Files Created from 2008-07-20 to 2008-08-20 )))))))))))))))))))))))))))))))
.

2008-08-19 21:47 . 2008-08-19 21:47 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-19 21:37 . 2008-08-19 21:37 <DIR> d-------- C:\SDFix.exe
2008-08-19 21:36 . 2008-08-19 21:54 <DIR> d-------- C:\SDFix
2008-08-18 22:32 . 2008-08-18 22:32 <DIR> d--hs---- C:\Documents and Settings\Steve Rogers\UserData
2008-08-18 22:08 . 2008-08-19 17:54 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-18 22:08 . 2008-08-18 22:08 <DIR> d-------- C:\Documents and Settings\Steve Rogers\Application Data\Malwarebytes
2008-08-18 22:08 . 2008-08-18 22:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-18 22:08 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-08-18 22:08 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-08-17 19:37 . 2008-08-17 19:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-17 19:25 . 2008-08-17 19:25 <DIR> d-------- C:\VundoFix Backups
2008-08-14 13:29 . 2008-05-01 10:30 331,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll
2008-08-11 23:05 . 2008-08-11 23:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Musicnotes
2008-08-11 20:13 . 2008-08-11 20:13 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-11 20:13 . 2008-08-11 20:13 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-08 21:48 . 2008-08-08 21:48 <DIR> d-------- C:\Documents and Settings\Steve Rogers\Application Data\Uniblue

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-20 12:48 --------- d-----w C:\Documents and Settings\Steve Rogers\Application Data\AVG7
2008-08-14 19:10 --------- d-----w C:\Documents and Settings\Steve Rogers\Application Data\Corel
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\SYSTEM32\es.dll
2008-07-07 20:32 253,952 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\es.dll
2008-07-05 22:47 107,832 ----a-w C:\WINDOWS\SYSTEM32\PnkBstrB.exe
2008-07-05 00:14 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-07-04 01:11 43,520 ----a-w C:\WINDOWS\SYSTEM32\CmdLineExt03.dll
2008-07-03 00:25 66,872 ----a-w C:\WINDOWS\SYSTEM32\PnkBstrA.exe
2008-07-01 03:18 --------- d-----w C:\Program Files\Lavasoft
2008-07-01 03:17 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-01 02:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-01 02:39 --------- d-----w C:\Program Files\ToniArts
2008-07-01 02:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-01 02:13 --------- d-----w C:\Documents and Settings\Steve Rogers\Application Data\Lavasoft
2008-07-01 01:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\SYSTEM32\mscms.dll
2008-06-24 16:23 74,240 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mscms.dll
2008-06-24 14:57 3,592,192 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
.
((((((((((((((((((((((((((((( snapshot@2008-08-18_21.55.34.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-07 20:27:04 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-08-20 01:47:28 3,678,208 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-08-20 01:47:28 147,456 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-08-07 20:27:04 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-08-20 01:47:28 3,678,208 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2008-08-20 01:47:28 147,456 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2008-05-29 23:35:11 17,486,968 ----a-w C:\WINDOWS\SYSTEM32\MRT.exe
+ 2008-08-05 15:11:02 15,888,504 ----a-w C:\WINDOWS\SYSTEM32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-08-07 13:54 6731312]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-06-27 15:37 580096]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 09:28 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\ComPlus Applications\rtejeja.html
FriendlyName=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Steve Rogers^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Steve Rogers\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Steve Rogers^Start Menu^Programs^Startup^Think-Adz.lnk]
path=C:\Documents and Settings\Steve Rogers\Start Menu\Programs\Startup\Think-Adz.lnk
backup=C:\WINDOWS\pss\Think-Adz.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-08-13 02:05 122939 C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-10-12 17:54 57344 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2004-08-10 05:04 59392 C:\WINDOWS\EHOME\EHTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a------ 2004-06-29 12:23 135168 C:\Program Files\Intel\Intel Application Accelerator\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-15 14:11 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2004-09-14 09:50 53248 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-11-15 00:43 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-05-18 03:21 26112 C:\Program Files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 02:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig&