Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

More Virus Fun [RESOLVED]


  • This topic is locked This topic is locked

#1
akyouser.oner

akyouser.oner

    Member

  • Member
  • PipPip
  • 32 posts
Please help :)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:34:56 PM, on 5/14/2008
Platform: Windows XP SP3, v.3311 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.3311)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\program files\internet explorer\IEXPLORE.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Old40G\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: {c0880f51-c276-cb5a-05f4-a8103f357f60} - {06f753f3-018a-4f50-a5bc-672c15f0880c} - C:\WINDOWS\system32\fysqtrxe.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {A64160E5-66F4-47A0-AD2D-E829A5B313A0} - C:\WINDOWS\system32\pmnlKBTJ.dll (file missing)
O2 - BHO: (no name) - {A6C54318-5AC7-477D-B0A7-49AF5189300C} - C:\WINDOWS\system32\ljJYRLFY.dll
O2 - BHO: (no name) - {FD6A66CF-34AD-48E8-9776-19AD262817C4} - C:\WINDOWS\system32\tuvULdcD.dll (file missing)
O2 - BHO: (no name) - {FE14858E-1888-497E-A80A-EDFF86F48E35} - C:\WINDOWS\system32\geBTLbcD.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA1445] command /c del "C:\WINDOWS\system32\oqkbgepv.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3378] cmd /c del "C:\WINDOWS\system32\oqkbgepv.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3232] command /c del "C:\WINDOWS\system32\qerbwltm.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1306] cmd /c del "C:\WINDOWS\system32\qerbwltm.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA537] command /c del "C:\WINDOWS\system32\qkwyxenm.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6751] cmd /c del "C:\WINDOWS\system32\qkwyxenm.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2620] command /c del "C:\WINDOWS\system32\swjkrqvp.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2866] cmd /c del "C:\WINDOWS\system32\swjkrqvp.dll_old"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Old40G\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1209447015796
O20 - Winlogon Notify: ljJYRLFY - C:\WINDOWS\SYSTEM32\ljJYRLFY.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Display Driver Managerment - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\MSINFO\isasse.exe

--
End of file - 4689 bytes
  • 0

Advertisements


#2
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

I understand that you need help in order to get rid of the malware that is present on your system - But you need to help us first..
I notice that you never scanned with an Antivirus previously before starting this thread - because you don't even have an Antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!

* Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There doubleclick the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThislog.
Then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an Antivirusscan is not present which should be able to deal with most and prevent further reinfection.
  • 0

#3
akyouser.oner

akyouser.oner

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Thank you so much for your help! I used to use AVG but when I got new hardware I may have forgotten to reinstall it :)

Avira Log:



Avira AntiVir Personal
Report file date: Thursday, May 15, 2008 18:20

Scanning for 1266589 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 3, v.3311) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: GHETTOBOX

Version information:
BUILD.DAT : 8.1.00.295 16479 Bytes 4/9/2008 16:24:00
AVSCAN.EXE : 8.1.2.12 311553 Bytes 3/18/2008 18:02:56
AVSCAN.DLL : 8.1.1.0 53505 Bytes 2/7/2008 17:43:37
LUKE.DLL : 8.1.2.9 151809 Bytes 2/28/2008 17:41:23
LUKERES.DLL : 8.1.2.1 12033 Bytes 2/21/2008 17:28:40
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 19:33:34
ANTIVIR1.VDF : 7.0.3.2 5447168 Bytes 3/7/2008 22:08:58
ANTIVIR2.VDF : 7.0.4.0 1554432 Bytes 5/5/2008 01:18:44
ANTIVIR3.VDF : 7.0.4.39 197120 Bytes 5/14/2008 01:18:46
Engineversion : 8.1.0.42
AEVDF.DLL : 8.1.0.5 102772 Bytes 2/25/2008 18:58:21
AESCRIPT.DLL : 8.1.0.31 262522 Bytes 5/16/2008 01:19:01
AESCN.DLL : 8.1.0.16 119156 Bytes 5/16/2008 01:19:00
AERDL.DLL : 8.1.0.20 418165 Bytes 5/16/2008 01:18:59
AEPACK.DLL : 8.1.1.4 364918 Bytes 5/16/2008 01:18:58
AEOFFICE.DLL : 8.1.0.18 192890 Bytes 5/16/2008 01:18:56
AEHEUR.DLL : 8.1.0.26 1237366 Bytes 5/16/2008 01:18:55
AEHELP.DLL : 8.1.0.14 115063 Bytes 5/16/2008 01:18:51
AEGEN.DLL : 8.1.0.20 299380 Bytes 5/16/2008 01:18:50
AEEMU.DLL : 8.1.0.6 430451 Bytes 5/16/2008 01:18:48
AECORE.DLL : 8.1.0.28 168310 Bytes 5/16/2008 01:18:47
AVWINLL.DLL : 1.0.0.7 14593 Bytes 1/24/2008 02:07:53
AVPREF.DLL : 8.0.0.1 25857 Bytes 2/18/2008 19:37:50
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 22:26:47
AVREG.DLL : 8.0.0.0 30977 Bytes 1/24/2008 02:07:49
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 17:29:23
AVEVTLOG.DLL : 8.0.0.11 114945 Bytes 2/28/2008 17:31:31
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 02:28:02
SMTPLIB.DLL : 1.2.0.19 28929 Bytes 1/24/2008 02:08:39
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 21:05:10
RCIMAGE.DLL : 8.0.0.35 2371841 Bytes 3/10/2008 23:37:25
RCTEXT.DLL : 8.0.32.0 86273 Bytes 3/6/2008 21:02:11

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Thursday, May 15, 2008 18:20

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'Ymsgr_tray.exe' - '1' Module(s) have been scanned
Scan process 'devldr32.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
28 processes with 28 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '25' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Akyouser\Local Settings\Temp\awaxfuvm.dll
[DETECTION] Is the Trojan horse TR/Monder.105472
[NOTE] The file was moved to '488de204.qua'!
C:\Documents and Settings\Akyouser\Local Settings\Temp\bbreplgx.dll
[DETECTION] Is the Trojan horse TR/PCK.Monder.104448.1
[NOTE] The file was moved to '489ee1fe.qua'!
C:\Documents and Settings\Akyouser\Local Settings\Temp\bnkvnsmo.dll
[DETECTION] Is the Trojan horse TR/PCK.Monder.96256.2
[NOTE] The file was moved to '4897e20d.qua'!
C:\Documents and Settings\Akyouser\Local Settings\Temp\ccuybrab.dll
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26003
[WARNING]
C:\Documents and Settings\Akyouser\Local Settings\Temp\cpixkesj.dll
[DETECTION] Is the Trojan horse TR/PCK.Monder.104512.1
[NOTE] The file was moved to '4895e220.qua'!
C:\Documents and Settings\Akyouser\Local Settings\Temp\djlqovwy.dll
[DETECTION] Is the Trojan horse TR/PCK.Monder.96256.1
[NOTE] The file was moved to '4898e21d.qua'!
C:\Documents and Settings\Akyouser\Local Settings\Temp\fkimerpm.dll
[DETECTION] Is the Trojan horse TR/PCK.Monder.104448
[NOTE] The file was moved to '4895e223.qua'!
C:\Documents and Settings\Akyouser\Local Settings\Temp\fxnshgxm.dll
[DETECTION] Is the Trojan horse TR/PCK.Monder.96256
[NOTE] The file was moved to '489ae231.qua'!
C:\Documents and Settings\Akyouser\Local Settings\Temp\iptdcnxv.dll
[DETECTION] Is the Trojan horse TR/Monder.107008
[NOTE] The file was moved to '48a0e22b.qua'!
C:\Documents and Settings\Akyouser\Local Settings\Temp\lhflxbce.dll
[DETECTION] Is the Trojan horse TR/PCK.Monder.107008
[NOTE] The file was moved to '4892e223.qua'!
C:\Documents and Settings\Akyouser\Local Settings\Temp\mhiguqfv.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '49e4c9ac.qua'!
C:\Documents and Settings\Akyouser\Local Settings\Temp\pscdonwf.dll
[DETECTION] Is the Trojan horse TR/Monder.96320
[NOTE] The file was moved to '488fe22f.qua'!
C:\Documents and Settings\Akyouser\Local Settings\Temp\qbvgoxxo.dll
[DETECTION] Is the Trojan horse TR/PCK.Monder.97792
[NOTE] The file was moved to '48a2e21e.qua'!
C:\Documents and Settings\Akyouser\Local Settings\Temp\qvgdxdyc.dll
[DETECTION] Is the Trojan horse TR/Monder.105536
[NOTE] The file was moved to '4893e233.qua'!
C:\Documents and Settings\Akyouser\Local Settings\Temp\rerxavvp.dll
[DETECTION] Is the Trojan horse TR/Agent.3648.1
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26003
[WARNING]
C:\Documents and Settings\Akyouser\Local Settings\Temp\tcsxyefq.exe
[DETECTION] Is the Trojan horse TR/PrivacySet.A
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26003
[WARNING]
C:\Documents and Settings\Akyouser\Local Settings\Temp\tpalbygf.dll
[DETECTION] Is the Trojan horse TR/PCK.Monder.107072.1
[NOTE] The file was moved to '488de236.qua'!
C:\Documents and Settings\Akyouser\Local Settings\Temp\vdlvgelb.dll
[DETECTION] Is the Trojan horse TR/PCK.Monder.105472
[NOTE] The file was moved to '4898e22a.qua'!
C:\Documents and Settings\Akyouser\Local Settings\Temporary Internet Files\Content.IE5\M5A9YZA9\glas[2]
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '488de23a.qua'!
C:\Documents and Settings\Akyouser\Local Settings\Temporary Internet Files\Content.IE5\M5A9YZA9\glas[3]
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '49fed8f3.qua'!
C:\Documents and Settings\Akyouser\Local Settings\Temporary Internet Files\Content.IE5\M5A9YZA9\idkfa[1]
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '4897e233.qua'!
C:\Documents and Settings\Akyouser\Local Settings\Temporary Internet Files\Content.IE5\S3S1QDQB\0419bsz[1].exe
[DETECTION] Is the Trojan horse TR/Inject.GE.23
[NOTE] The file was moved to '485de20a.qua'!
C:\Documents and Settings\Akyouser\Local Settings\Temporary Internet Files\Content.IE5\S3S1QDQB\glas[2]
[DETECTION] Is the Trojan horse TR/PCK.Monder.104448.1
[NOTE] The file was moved to '488de248.qua'!
C:\Documents and Settings\Akyouser\Local Settings\Temporary Internet Files\Content.IE5\S3S1QDQB\yaypalassamosvala[1]
[DETECTION] Is the Trojan horse TR/PrivacySet.A
[NOTE] The file was moved to '48a5e243.qua'!
C:\Documents and Settings\Akyouser\Local Settings\Temporary Internet Files\Content.IE5\UFYD81Q1\CAQZ6N2H
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '487de226.qua'!
C:\Documents and Settings\Akyouser\Local Settings\Temporary Internet Files\Content.IE5\UFYD81Q1\CAZQIHBB
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '4886e227.qua'!
C:\Documents and Settings\Akyouser\Local Settings\Temporary Internet Files\Content.IE5\UFYD81Q1\kriv[1]
[DETECTION] Is the Trojan horse TR/Monder.96320
[NOTE] The file was moved to '4895e25b.qua'!
C:\Documents and Settings\Akyouser\Local Settings\Temporary Internet Files\Content.IE5\WD69UB4H\moorate[1]
[DETECTION] Is the Trojan horse TR/Agent.3648.1
[NOTE] The file was moved to '489be264.qua'!
C:\Old40G\My Documents\files\College.Wild.Parties.11.English.XXX.DVDRip.XVID.exe
[0] Archive type: RAR SFX (self extracting)
--> 1.exe
[DETECTION] Is the Trojan horse TR/Crypt.CFI.Gen
[NOTE] The file was moved to '4898e3bf.qua'!
C:\Program Files\Common Files\Microsoft Shared\MSInfo\isasse.exe
[DETECTION] Is the Trojan horse TR/Crypt.CFI.Gen
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26003
[WARNING]
C:\Program Files\Internet Explorer\Down(1).exe
[DETECTION] Is the Trojan horse TR/Inject.GE.23
[NOTE] The file was moved to '48a3e4e7.qua'!
C:\Program Files\Internet Explorer\Down(2).exe
[DETECTION] Is the Trojan horse TR/Inject.GE.23
[NOTE] The file was moved to '49dceb98.qua'!
C:\RECYCLER\S-1-5-21-1229272821-790525478-839522115-500\Dc1.dll
[DETECTION] Is the Trojan horse TR/Monder.DI
[NOTE] The file was moved to '485de5f8.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP41\A0024035.exe
[DETECTION] Is the Trojan horse TR/Crypt.CFI.Gen
[NOTE] The file was moved to '485ce67c.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP43\A0024103.exe
[DETECTION] Is the Trojan horse TR/Crypt.CFI.Gen
[NOTE] The file was moved to '485ce67f.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP44\A0025164.dll
[DETECTION] Is the Trojan horse TR/PCK.Monder.87104.1
[NOTE] The file was moved to '485ce681.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP44\A0025165.dll
[DETECTION] Is the Trojan horse TR/PCK.Monder.97856
[NOTE] The file was moved to '49dcf192.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP45\A0025185.dll
[DETECTION] Is the Trojan horse TR/PCK.Monder.106048
[NOTE] The file was moved to '485ce682.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP54\A0027699.dll
[DETECTION] Is the Trojan horse TR/PCK.Monder.95232
[NOTE] The file was moved to '485ce6ac.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP54\A0027711.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '49dcf1bd.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP54\A0027712.dll
[DETECTION] Is the Trojan horse TR/PCK.Monder.107072
[NOTE] The file was moved to '485ce6ae.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP54\A0027713.dll
[DETECTION] Is the Trojan horse TR/PCK.Monder.108544
[NOTE] The file was moved to '485ce6ad.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP54\A0027714.dll
[DETECTION] Is the Trojan horse TR/PCK.Monder.96320
[NOTE] The file was moved to '49dcf1be.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP54\A0027715.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '485ce6af.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP54\A0027716.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '49dcf1a0.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP54\A0027719.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '49dcf1bf.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP54\A0027720.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '485ce6d0.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP60\A0027838.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '485ce710.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP60\A0027840.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '49dcf001.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP60\A0027841.dll
[DETECTION] Is the Trojan horse TR/PCK.Monder.104448.1
[NOTE] The file was moved to '485ce712.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP63\A0028843.dll
[DETECTION] Is the Trojan horse TR/Monder.96320
[NOTE] The file was moved to '485ce713.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP63\A0028844.dll
[DETECTION] Is the Trojan horse TR/Monder.95296
[NOTE] The file was moved to '49dcf004.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP63\A0028845.dll
[DETECTION] Is the Trojan horse TR/Monder.DB
[NOTE] The file was moved to '485ce715.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP63\A0028846.dll
[DETECTION] Is the Trojan horse TR/Monder.96768
[NOTE] The file was moved to '485ce714.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP63\A0028847.dll
[DETECTION] Is the Trojan horse TR/Monder.96832
[NOTE] The file was moved to '49dcf005.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP64\A0028883.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '485ce716.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP64\A0028902.dll
[DETECTION] Is the Trojan horse TR/Monder.105024
[NOTE] The file was moved to '49dcf007.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP64\A0028904.dll
[DETECTION] Is the Trojan horse TR/Monder.104512
[NOTE] The file was moved to '485ce718.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP64\A0028905.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '485ce717.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP64\A0028906.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '49dcf008.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP64\A0028907.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '485ce719.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP64\A0028908.dll
[DETECTION] Is the Trojan horse TR/Monder.107584
[NOTE] The file was moved to '49dcf00a.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP64\A0028909.dll
[DETECTION] Is the Trojan horse TR/Monder.106560
[NOTE] The file was moved to '49dcf009.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP64\A0028910.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '485ce71a.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP64\A0028911.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '49dcf00b.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP64\A0028912.dll
[DETECTION] Is the Trojan horse TR/Monder.108544
[NOTE] The file was moved to '485ce71c.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP64\A0028913.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '485ce71b.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP66\A0029907.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '49dcf00c.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP66\A0029909.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '485ce71d.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP66\A0029917.dll
[DETECTION] Is the Trojan horse TR/Monder.DF
[NOTE] The file was moved to '49dcf00d.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP66\A0029918.dll
[DETECTION] Is the Trojan horse TR/Monder.DE
[NOTE] The file was moved to '485ce71e.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP66\A0029919.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '49dcf00f.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP67\A0029937.dll
[DETECTION] Is the Trojan horse TR/Monder.DJ
[NOTE] The file was moved to '49dcf00e.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP67\A0029939.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '485ce700.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP67\A0029958.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '49dcf011.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP69\A0029978.exe
[0] Archive type: RAR SFX (self extracting)
--> 1.exe
[DETECTION] Is the Trojan horse TR/Crypt.CFI.Gen
[NOTE] The file was moved to '485ce723.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP69\A0029979.exe
[DETECTION] Is the Trojan horse TR/Inject.GE.23
[NOTE] The file was moved to '49dcf034.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP69\A0029980.exe
[DETECTION] Is the Trojan horse TR/Inject.GE.23
[NOTE] The file was moved to '485ce724.qua'!
C:\System Volume Information\_restore{DFF21018-14DE-4B2A-969C-8A56F82DFB32}\RP69\A0029981.dll
[DETECTION] Is the Trojan horse TR/Monder.DI
[NOTE] The file was moved to '485ce725.qua'!
C:\WINDOWS\system32\ciwffxik.exe
[DETECTION] Is the Trojan horse TR/PrivacySet.A
[NOTE] The file was moved to '48a3e8f3.qua'!
C:\WINDOWS\system32\cleshpdb.exe
[DETECTION] Is the Trojan horse TR/PrivacySet.A
[NOTE] The file was moved to '4891e8f6.qua'!
C:\WINDOWS\system32\fhtglhon.exe
[DETECTION] Is the Trojan horse TR/PrivacySet.A
[NOTE] The file was moved to '48a0e8f9.qua'!
C:\WINDOWS\system32\gghrwvcg.dll
[DETECTION] Is the Trojan horse TR/Agent.3648.1
[NOTE] The file was moved to '4894e8f8.qua'!
C:\WINDOWS\system32\igujbmcd.exe
[DETECTION] Is the Trojan horse TR/PrivacySet.A
[NOTE] The file was moved to '48a1e8fa.qua'!
C:\WINDOWS\system32\issaue.exe
[DETECTION] Is the Trojan horse TR/Inject.GE.23
[NOTE] The file was moved to '489fe908.qua'!
C:\WINDOWS\system32\psdsiixq.exe
[DETECTION] Is the Trojan horse TR/PrivacySet.A
[NOTE] The file was moved to '4890e91a.qua'!
C:\WINDOWS\system32\syeapuvi.exe
[DETECTION] Is the Trojan horse TR/PrivacySet.A
[NOTE] The file was moved to '4891e926.qua'!
C:\WINDOWS\system32\tuvULdcD.dll_old
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26003
[WARNING]
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!


End of the scan: Thursday, May 15, 2008 18:52
Used time: 31:49 min

The scan has been done completely.

5381 Scanning directories
311654 Files were scanned
88 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
83 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
311566 Files not concerned
2061 Archives were scanned
7 Warnings
83 Notes



HiJack This! Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:58:13 PM, on 5/15/2008
Platform: Windows XP SP3, v.3311 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.3311)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Old40G\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\program files\internet explorer\IEXPLORE.EXE
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: {c0880f51-c276-cb5a-05f4-a8103f357f60} - {06f753f3-018a-4f50-a5bc-672c15f0880c} - C:\WINDOWS\system32\fysqtrxe.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {A64160E5-66F4-47A0-AD2D-E829A5B313A0} - C:\WINDOWS\system32\pmnlKBTJ.dll (file missing)
O2 - BHO: (no name) - {A6C54318-5AC7-477D-B0A7-49AF5189300C} - C:\WINDOWS\system32\ljJYRLFY.dll
O2 - BHO: (no name) - {FD6A66CF-34AD-48E8-9776-19AD262817C4} - C:\WINDOWS\system32\tuvULdcD.dll (file missing)
O2 - BHO: (no name) - {FE14858E-1888-497E-A80A-EDFF86F48E35} - C:\WINDOWS\system32\geBTLbcD.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Old40G\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1209447015796
O20 - Winlogon Notify: ljJYRLFY - C:\WINDOWS\SYSTEM32\ljJYRLFY.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Display Driver Managerment - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\MSINFO\isasse.exe (file missing)

--
End of file - 4456 bytes
  • 0

#4
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
  • 0

#5
akyouser.oner

akyouser.oner

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
ComboFix Log:

ComboFix 08-05-15.2 - Akyouser 2008-05-16 16:41:39.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.623 [GMT -7:00]
Running from: C:\Documents and Settings\Akyouser\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\cbXRkHay.dll
C:\WINDOWS\system32\DcbLTBeg.ini
C:\WINDOWS\system32\DcbLTBeg.ini2
C:\WINDOWS\system32\DcdLUvut.ini
C:\WINDOWS\system32\DcdLUvut.ini2
C:\WINDOWS\system32\ftatwsyr.ini
C:\WINDOWS\system32\gyuwvifd.ini
C:\WINDOWS\system32\hewqlrml.ini
C:\WINDOWS\system32\hrjlacoe.ini
C:\WINDOWS\system32\hsdfxvax.ini
C:\WINDOWS\system32\iglnexmi.ini
C:\WINDOWS\system32\jrfwsnmn.ini
C:\WINDOWS\system32\JTBKlnmp.ini
C:\WINDOWS\system32\JTBKlnmp.ini2
C:\WINDOWS\system32\khfDsQiH.dll
C:\WINDOWS\system32\ljJDSLbb.dll
C:\WINDOWS\system32\ljJYRLFY.dll
C:\WINDOWS\system32\mangpuel.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mfmfqrlv.ini
C:\WINDOWS\system32\msyymxqu.ini
C:\WINDOWS\system32\nfllchcx.ini
C:\WINDOWS\system32\nnnnKbCt.dll
C:\WINDOWS\system32\qglkpjjy.ini
C:\WINDOWS\system32\qvexwlwb.ini
C:\WINDOWS\system32\tCbKnnnn.ini
C:\WINDOWS\system32\tCbKnnnn.ini2
C:\WINDOWS\system32\uaqerieb.ini
C:\WINDOWS\system32\wboiabyb.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-16 to 2008-05-16 )))))))))))))))))))))))))))))))
.

2008-05-15 19:31 . 2004-02-07 01:48 331,263 --a------ C:\WINDOWS\LOOP.exe
2008-05-15 18:17 . 2008-05-15 18:17 <DIR> d-------- C:\Program Files\Avira
2008-05-15 18:17 . 2008-05-15 18:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-05-14 20:43 . 2008-05-14 20:43 <DIR> d-------- C:\VundoFix Backups
2008-05-14 20:34 . 2008-05-14 20:34 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-10 19:50 . 2008-05-10 19:50 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-10 19:50 . 2008-05-10 19:50 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-10 19:50 . 2008-05-10 19:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-05 12:32 . 2008-05-05 12:32 281,088 --a------ C:\WINDOWS\system32\tuvULdcD.dll_old
2008-04-29 18:21 . 2008-05-14 17:38 1,251 --a------ C:\WINDOWS\wininit.ini
2008-04-29 17:28 . 2008-04-29 17:28 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-29 17:27 . 2008-04-29 17:26 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-29 17:27 . 2008-04-29 17:27 2,547 --a------ C:\WINDOWS\unins000.dat
2008-04-29 17:25 . 2008-05-14 20:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-28 23:22 . 2008-04-28 23:22 <DIR> d-------- C:\Documents and Settings\Akyouser\Application Data\Lavasoft
2008-04-28 22:51 . 2008-04-28 22:51 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-04-28 22:51 . 2008-02-12 15:59 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-04-28 22:50 . 2008-04-28 22:51 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-04-28 22:48 . 2008-04-28 22:48 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-04-28 22:29 . 2008-04-28 22:29 <DIR> d---s---- C:\Documents and Settings\Akyouser\UserData
2008-04-28 22:29 . 2008-04-28 22:29 13,646 --a------ C:\WINDOWS\system32\wpa.bak
2008-04-28 22:29 . 2008-04-28 22:29 5,208 --a------ C:\WINDOWS\system32\pid.PNF
2008-04-27 18:45 . 2008-04-27 18:46 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-04-27 18:45 . 2008-03-19 18:26 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-04-27 18:45 . 2008-03-19 18:29 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-04-25 21:32 . 2008-04-25 21:32 <DIR> d-------- C:\WINDOWS\Sun
2008-04-25 21:31 . 2008-04-25 21:31 <DIR> d-------- C:\Program Files\Java
2008-04-25 21:31 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-25 21:30 . 2008-04-25 21:30 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-24 21:47 . 2008-04-24 21:47 <DIR> d-------- C:\Documents and Settings\Akyouser\.exe
2008-04-24 08:21 . 2008-05-13 20:55 109,774 --a------ C:\WINDOWS\BMa3e4191e.xml
2008-04-23 21:27 . 2008-04-23 21:27 368,640 --a------ C:\WINDOWS\system32\ReWire.dll
2008-04-23 21:27 . 2008-04-23 21:27 233,472 --a------ C:\WINDOWS\system32\REX Shared Library.dll
2008-04-23 21:19 . 2008-02-18 17:29 96,256 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2008-04-23 20:21 . 2008-04-23 20:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2008-04-23 20:20 . 2008-04-23 20:21 <DIR> d-------- C:\Documents and Settings\Akyouser\Application Data\DAEMON Tools Pro
2008-04-23 20:19 . 2008-04-23 20:24 <DIR> d-------- C:\Program Files\DAEMON Tools Pro
2008-04-23 20:11 . 2008-04-23 20:11 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-04-23 18:28 . 2008-04-23 18:28 <DIR> d-------- C:\Jakes backup
2008-04-23 17:24 . 2008-04-23 17:25 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-04-23 17:04 . 2008-04-23 17:04 <DIR> d-------- C:\Documents and Settings\Akyouser\Application Data\teamspeak2
2008-04-21 13:07 . 2008-04-21 13:07 34,064 --a------ C:\WINDOWS\system32\lhacm.acm
2008-04-18 17:01 . 2008-04-24 18:26 <DIR> d-------- C:\Documents and Settings\Akyouser\Application Data\Propellerhead Software
2008-04-16 20:31 . 2008-04-16 20:31 <DIR> d-------- C:\Documents and Settings\Akyouser\Application Data\AdobeUM
2008-04-16 20:30 . 2008-04-23 18:44 <DIR> d-------- C:\Program Files\Common Files\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-16 02:48 --------- d-----w C:\Program Files\Propellerhead
2008-05-16 02:43 --------- d-----w C:\Documents and Settings\Akyouser\Application Data\Azureus
2008-05-07 16:40 --------- d-----w C:\Documents and Settings\Akyouser\Application Data\Ventrilo
2008-04-24 02:47 --------- d-----w C:\Program Files\Azureus
2008-04-19 00:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Propellerhead Software
2008-04-13 00:40 --------- d-----w C:\Program Files\Native Instruments
2008-04-12 01:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2008-04-12 00:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-04-12 00:11 --------- d-----w C:\Documents and Settings\Akyouser\Application Data\Sonic Foundry
2008-04-12 00:11 --------- d-----w C:\Documents and Settings\Akyouser\Application Data\Publish Providers
2008-04-12 00:11 --------- d-----w C:\Documents and Settings\Akyouser\Application Data\NetMedia Providers
2008-04-12 00:10 --------- d-----w C:\Program Files\Sonic Foundry
2008-04-09 19:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-09 19:01 --------- d-----w C:\Program Files\Yahoo!
2008-04-04 21:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pure Networks
2008-04-03 04:47 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-04-01 01:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-01 00:28 --------- d-----w C:\Program Files\Maxis
2008-04-01 00:27 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-31 05:19 --------- d-----w C:\Program Files\Traktor unzip
2008-03-31 04:39 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-03-31 04:37 --------- d-----w C:\Documents and Settings\Akyouser\Application Data\InstallShield
2008-03-31 04:07 558,142 ----a-w C:\WINDOWS\java\Packages\NDJ139F7.ZIP
2008-03-31 04:07 155,995 ----a-w C:\WINDOWS\java\Packages\B9VFFL75.ZIP
2008-03-31 04:07 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06f753f3-018a-4f50-a5bc-672c15f0880c}]
C:\WINDOWS\system32\fysqtrxe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A64160E5-66F4-47A0-AD2D-E829A5B313A0}]
C:\WINDOWS\system32\pmnlKBTJ.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD6A66CF-34AD-48E8-9776-19AD262817C4}]
C:\WINDOWS\system32\tuvULdcD.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FE14858E-1888-497E-A80A-EDFF86F48E35}]
C:\WINDOWS\system32\geBTLbcD.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"msnmsgr"="C:\Old40G\Program Files\MSN Messenger\msnmsgr.exe" [2005-06-14 11:05 6856704]
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-10-30 15:35 7634944]
"nwiz"="nwiz.exe" [2006-10-30 15:35 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-10-30 15:35 86016]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

S2 Windows Display Driver Managerment;Windows Display Driver Managerment;C:\Program Files\Common Files\Microsoft Shared\MSINFO\isasse.exe []


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8E980572-EF5E-1819-0CF3-06C43B8543A5}]
C:\WINDOWS\system32\issaue.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-16 16:45:41
Windows 5.1.2600 Service Pack 3, v.3311 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-05-16 16:48:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-16 23:48:17

Pre-Run: 206,468,788,224 bytes free
Post-Run: 206,537,015,296 bytes free

185 --- E O F --- 2008-04-29 05:38:39




HiJAck This! Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:52:07 PM, on 5/16/2008
Platform: Windows XP SP3, v.3311 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.3311)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Old40G\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: {c0880f51-c276-cb5a-05f4-a8103f357f60} - {06f753f3-018a-4f50-a5bc-672c15f0880c} - C:\WINDOWS\system32\fysqtrxe.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {A64160E5-66F4-47A0-AD2D-E829A5B313A0} - C:\WINDOWS\system32\pmnlKBTJ.dll (file missing)
O2 - BHO: (no name) - {FD6A66CF-34AD-48E8-9776-19AD262817C4} - C:\WINDOWS\system32\tuvULdcD.dll (file missing)
O2 - BHO: (no name) - {FE14858E-1888-497E-A80A-EDFF86F48E35} - C:\WINDOWS\system32\geBTLbcD.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Old40G\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1209447015796
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Display Driver Managerment - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\MSINFO\isasse.exe (file missing)

--
End of file - 4633 bytes
  • 0

#6
akyouser.oner

akyouser.oner

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Edit: I found my XP CD and have now installed the Recovery Console...
  • 0

#7
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\tuvULdcD.dll_old
C:\WINDOWS\wininit.ini
C:\WINDOWS\BMa3e4191e.xml
suspect::[8]
C:\WINDOWS\LOOP.exe
C:\WINDOWS\java\Packages\NDJ139F7.ZIP
C:\WINDOWS\java\Packages\B9VFFL75.ZIP
Folder::
C:\VundoFix Backups
Dirlook::
C:\Documents and Settings\Akyouser\.exe
Driver::
Windows Display Driver Managerment
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06f753f3-018a-4f50-a5bc-672c15f0880c}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A64160E5-66F4-47A0-AD2D-E829A5B313A0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD6A66CF-34AD-48E8-9776-19AD262817C4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FE14858E-1888-497E-A80A-EDFF86F48E35}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Pro Agent"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8E980572-EF5E-1819-0CF3-06C43B8543A5}]


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

* it will create a zipped file on your Desktop - [8]-Submit_Date_Time.zip
* another file will be present on your desktop: CF-Submit.htm which will open after you ran Combofix.
* Where it says: "Submit files for further analysis", click OK and a browser Window will open. There you'll see: "copy/paste filepath into the box & click OK". You'll find the filepath below, so copy and paste this in the above field and click OK.
If the window didn't open, just submit the [8]-Submit_Date_Time.zip file [url=http://www.bleepingcomputer.com/submit-malware.php?channel=8]here[/ur]
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
  • 0

#8
akyouser.oner

akyouser.oner

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
I'll be gone for the weekend, thanks again for all of your help!

ComboFix:

ComboFix 08-05-15.2 - Akyouser 2008-05-17 17:03:59.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.643 [GMT -7:00]
Running from: C:\Documents and Settings\Akyouser\Desktop\AntiVirus\ComboFix.exe
Command switches used :: C:\Documents and Settings\Akyouser\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BMa3e4191e.xml
C:\WINDOWS\system32\tuvULdcD.dll_old
C:\WINDOWS\wininit.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\WINDOWS\BMa3e4191e.xml
C:\WINDOWS\system32\tuvULdcD.dll_old
C:\WINDOWS\wininit.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINDOWS_DISPLAY_DRIVER_MANAGERMENT
-------\Service_Windows Display Driver Managerment


((((((((((((((((((((((((( Files Created from 2008-04-18 to 2008-05-18 )))))))))))))))))))))))))))))))
.

2008-05-15 19:31 . 2004-02-07 01:48 331,263 --a------ C:\WINDOWS\LOOP.exe
2008-05-15 18:17 . 2008-05-15 18:17 <DIR> d-------- C:\Program Files\Avira
2008-05-15 18:17 . 2008-05-15 18:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-05-14 20:34 . 2008-05-14 20:34 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-10 19:50 . 2008-05-10 19:50 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-10 19:50 . 2008-05-10 19:50 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-10 19:50 . 2008-05-10 19:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-29 17:28 . 2008-04-29 17:28 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-29 17:27 . 2008-04-29 17:26 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-29 17:27 . 2008-04-29 17:27 2,547 --a------ C:\WINDOWS\unins000.dat
2008-04-29 17:25 . 2008-05-14 20:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-28 23:22 . 2008-04-28 23:22 <DIR> d-------- C:\Documents and Settings\Akyouser\Application Data\Lavasoft
2008-04-28 22:51 . 2008-04-28 22:51 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-04-28 22:51 . 2008-02-12 15:59 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-04-28 22:50 . 2008-04-28 22:51 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-04-28 22:48 . 2008-04-28 22:48 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-04-28 22:29 . 2008-04-28 22:29 <DIR> d---s---- C:\Documents and Settings\Akyouser\UserData
2008-04-28 22:29 . 2008-04-28 22:29 13,646 --a------ C:\WINDOWS\system32\wpa.bak
2008-04-28 22:29 . 2008-04-28 22:29 5,208 --a------ C:\WINDOWS\system32\pid.PNF
2008-04-27 18:45 . 2008-04-27 18:46 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-04-27 18:45 . 2008-03-19 18:26 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-04-27 18:45 . 2008-03-19 18:29 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-04-25 21:32 . 2008-04-25 21:32 <DIR> d-------- C:\WINDOWS\Sun
2008-04-25 21:31 . 2008-04-25 21:31 <DIR> d-------- C:\Program Files\Java
2008-04-25 21:31 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-25 21:30 . 2008-04-25 21:30 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-24 21:47 . 2008-04-24 21:47 <DIR> d-------- C:\Documents and Settings\Akyouser\.exe
2008-04-23 21:27 . 2008-04-23 21:27 368,640 --a------ C:\WINDOWS\system32\ReWire.dll
2008-04-23 21:27 . 2008-04-23 21:27 233,472 --a------ C:\WINDOWS\system32\REX Shared Library.dll
2008-04-23 21:19 . 2008-02-18 17:29 96,256 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2008-04-23 20:21 . 2008-04-23 20:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2008-04-23 20:20 . 2008-04-23 20:21 <DIR> d-------- C:\Documents and Settings\Akyouser\Application Data\DAEMON Tools Pro
2008-04-23 20:19 . 2008-04-23 20:24 <DIR> d-------- C:\Program Files\DAEMON Tools Pro
2008-04-23 20:11 . 2008-04-23 20:11 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-04-23 18:28 . 2008-04-23 18:28 <DIR> d-------- C:\Jakes backup
2008-04-23 17:24 . 2008-04-23 17:25 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-04-23 17:04 . 2008-04-23 17:04 <DIR> d-------- C:\Documents and Settings\Akyouser\Application Data\teamspeak2
2008-04-21 13:07 . 2008-04-21 13:07 34,064 --a------ C:\WINDOWS\system32\lhacm.acm
2008-04-18 17:01 . 2008-04-24 18:26 <DIR> d-------- C:\Documents and Settings\Akyouser\Application Data\Propellerhead Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-16 02:48 --------- d-----w C:\Program Files\Propellerhead
2008-05-16 02:43 --------- d-----w C:\Documents and Settings\Akyouser\Application Data\Azureus
2008-05-07 16:40 --------- d-----w C:\Documents and Settings\Akyouser\Application Data\Ventrilo
2008-04-24 02:47 --------- d-----w C:\Program Files\Azureus
2008-04-24 01:44 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-19 00:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Propellerhead Software
2008-04-17 03:31 --------- d-----w C:\Documents and Settings\Akyouser\Application Data\AdobeUM
2008-04-13 00:40 --------- d-----w C:\Program Files\Native Instruments
2008-04-12 01:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2008-04-12 00:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-04-12 00:11 --------- d-----w C:\Documents and Settings\Akyouser\Application Data\Sonic Foundry
2008-04-12 00:11 --------- d-----w C:\Documents and Settings\Akyouser\Application Data\Publish Providers
2008-04-12 00:11 --------- d-----w C:\Documents and Settings\Akyouser\Application Data\NetMedia Providers
2008-04-12 00:10 --------- d-----w C:\Program Files\Sonic Foundry
2008-04-09 19:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-09 19:01 --------- d-----w C:\Program Files\Yahoo!
2008-04-04 21:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pure Networks
2008-04-03 04:47 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-04-01 01:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-01 00:28 --------- d-----w C:\Program Files\Maxis
2008-04-01 00:27 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-31 05:19 --------- d-----w C:\Program Files\Traktor unzip
2008-03-31 04:39 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-03-31 04:37 --------- d-----w C:\Documents and Settings\Akyouser\Application Data\InstallShield
2008-03-31 04:07 558,142 ----a-w C:\WINDOWS\java\Packages\NDJ139F7.ZIP
2008-03-31 04:07 155,995 ----a-w C:\WINDOWS\java\Packages\B9VFFL75.ZIP
2008-03-31 04:07 --------- d-----w C:\Program Files\microsoft frontpage
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\Akyouser\.exe ----



((((((((((((((((((((((((((((( [email protected]_16.48.09.20 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-16 23:45:17 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-18 00:07:18 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2001-07-15 00:32:24 69,632 ----a-w C:\WINDOWS\setupupd\temp\wsdueng.dll
+ 2008-05-09 21:35:06 16,863,864 ----a-w C:\WINDOWS\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"msnmsgr"="C:\Old40G\Program Files\MSN Messenger\msnmsgr.exe" [2005-06-14 11:05 6856704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-10-30 15:35 7634944]
"nwiz"="nwiz.exe" [2006-10-30 15:35 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-10-30 15:35 86016]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=


.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-17 17:07:56
Windows 5.1.2600 Service Pack 3, v.3311 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-05-17 17:10:34 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-18 00:10:31
ComboFix2.txt 2008-05-16 23:48:21

Pre-Run: 206,791,262,208 bytes free
Post-Run: 206,794,727,424 bytes free

162 --- E O F --- 2008-05-17 10:10:54



HiJack This!:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:18:49 PM, on 5/17/2008
Platform: Windows XP SP3, v.3311 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.3311)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Old40G\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Old40G\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1209447015796
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 3834 bytes
  • 0

#9
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

Please delete the C:\WINDOWS\LOOP.exe file

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.
  • 0

#10
akyouser.oner

akyouser.oner

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
It appears to be working great, thank you!
  • 0

#11
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Glad I could help. :)

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
  • 0

#12
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP